search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Comment remaining CBT functions.
[tor/rransom.git] / src / or / circuitbuild.c
blobb49b7e08d2ec8419802a38b0aa18954a4c98245c
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2011, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6
7 /**
8 * \file circuitbuild.c
9 * \brief The actual details of building circuits.
10 **/
11
12 #define CIRCUIT_PRIVATE
13
14 #include "or.h"
15 #include "circuitbuild.h"
16 #include "circuitlist.h"
17 #include "circuituse.h"
18 #include "config.h"
19 #include "connection.h"
20 #include "connection_edge.h"
21 #include "connection_or.h"
22 #include "control.h"
23 #include "directory.h"
24 #include "main.h"
25 #include "networkstatus.h"
26 #include "onion.h"
27 #include "policies.h"
28 #include "relay.h"
29 #include "rephist.h"
30 #include "router.h"
31 #include "routerlist.h"
32 #include "routerparse.h"
33 #include "crypto.h"
34 #undef log
35 #include <math.h>
36
37 #ifndef MIN
38 #define MIN(a,b) ((a)<(b)?(a):(b))
39 #endif
40
41 #define CBT_BIN_TO_MS(bin) ((bin)*CBT_BIN_WIDTH + (CBT_BIN_WIDTH/2))
42
43 /********* START VARIABLES **********/
44 /** Global list of circuit build times */
45 // FIXME: Add this as a member for entry_guard_t instead of global?
46 // Then we could do per-guard statistics, as guards are likely to
47 // vary in their own latency. The downside of this is that guards
48 // can change frequently, so we'd be building a lot more circuits
49 // most likely.
50 circuit_build_times_t circ_times;
51
52 /** A global list of all circuits at this hop. */
53 extern circuit_t *global_circuitlist;
54
55 /** An entry_guard_t represents our information about a chosen long-term
56 * first hop, known as a "helper" node in the literature. We can't just
57 * use a routerinfo_t, since we want to remember these even when we
58 * don't have a directory. */
59 typedef struct {
60 char nickname[MAX_NICKNAME_LEN+1];
61 char identity[DIGEST_LEN];
62 time_t chosen_on_date; /**< Approximately when was this guard added?
63 * "0" if we don't know. */
64 char *chosen_by_version; /**< What tor version added this guard? NULL
65 * if we don't know. */
66 unsigned int made_contact : 1; /**< 0 if we have never connected to this
67 * router, 1 if we have. */
68 unsigned int can_retry : 1; /**< Should we retry connecting to this entry,
69 * in spite of having it marked as unreachable?*/
70 time_t bad_since; /**< 0 if this guard is currently usable, or the time at
71 * which it was observed to become (according to the
72 * directory or the user configuration) unusable. */
73 time_t unreachable_since; /**< 0 if we can connect to this guard, or the
74 * time at which we first noticed we couldn't
75 * connect to it. */
76 time_t last_attempted; /**< 0 if we can connect to this guard, or the time
77 * at which we last failed to connect to it. */
78 } entry_guard_t;
79
80 /** A list of our chosen entry guards. */
81 static smartlist_t *entry_guards = NULL;
82 /** A value of 1 means that the entry_guards list has changed
83 * and those changes need to be flushed to disk. */
84 static int entry_guards_dirty = 0;
85
86 /** If set, we're running the unit tests: we should avoid clobbering
87 * our state file or accessing get_options() or get_or_state() */
88 static int unit_tests = 0;
89
90 /********* END VARIABLES ************/
91
92 static int circuit_deliver_create_cell(circuit_t *circ,
93 uint8_t cell_type, const char *payload);
94 static int onion_pick_cpath_exit(origin_circuit_t *circ, extend_info_t *exit);
95 static crypt_path_t *onion_next_hop_in_cpath(crypt_path_t *cpath);
96 static int onion_extend_cpath(origin_circuit_t *circ);
97 static int count_acceptable_routers(smartlist_t *routers);
98 static int onion_append_hop(crypt_path_t **head_ptr, extend_info_t *choice);
99
100 static void entry_guards_changed(void);
101
102 /**
103 * This function decides if CBT learning should be disabled. It returns
104 * true if one or more of the following four conditions are met:
105 *
106 * 1. If the cbtdisabled consensus parameter is set.
107 * 2. If the torrc option LearnCircuitBuildTimeout is false.
108 * 3. If we are a directory authority
109 * 4. If we fail to write circuit build time history to our state file.
110 */
111 static int
112 circuit_build_times_disabled(void)
113 {
114 if (unit_tests) {
115 return 0;
116 } else {
117 int consensus_disabled = networkstatus_get_param(NULL, "cbtdisabled",
118 0, 0, 1);
119 int config_disabled = !get_options()->LearnCircuitBuildTimeout;
120 int dirauth_disabled = get_options()->AuthoritativeDir;
121 int state_disabled = (get_or_state()->LastWritten == -1);
122
123 if (consensus_disabled || config_disabled || dirauth_disabled ||
124 state_disabled) {
125 log_info(LD_CIRC,
126 "CircuitBuildTime learning is disabled. "
127 "Consensus=%d, Config=%d, AuthDir=%d, StateFile=%d",
128 consensus_disabled, config_disabled, dirauth_disabled,
129 state_disabled);
130 return 1;
131 } else {
132 return 0;
133 }
134 }
135 }
136
137 /**
138 * Retrieve and bounds-check the cbtmaxtimeouts consensus paramter.
139 *
140 * Effect: When this many timeouts happen in the last 'cbtrecentcount'
141 * circuit attempts, the client should discard all of its history and
142 * begin learning a fresh timeout value.
143 */
144 static int32_t
145 circuit_build_times_max_timeouts(void)
146 {
147 return networkstatus_get_param(NULL, "cbtmaxtimeouts",
148 CBT_DEFAULT_MAX_RECENT_TIMEOUT_COUNT,
149 CBT_MIN_MAX_RECENT_TIMEOUT_COUNT,
150 CBT_MAX_MAX_RECENT_TIMEOUT_COUNT);
151 }
152
153 /**
154 * Retrieve and bounds-check the cbtnummodes consensus paramter.
155 *
156 * Effect: This value governs how many modes to use in the weighted
157 * average calculation of Pareto parameter Xm. A value of 3 introduces
158 * some bias (2-5% of CDF) under ideal conditions, but allows for better
159 * performance in the event that a client chooses guard nodes of radically
160 * different performance characteristics.
161 */
162 static int32_t
163 circuit_build_times_default_num_xm_modes(void)
164 {
165 int32_t num = networkstatus_get_param(NULL, "cbtnummodes",
166 CBT_DEFAULT_NUM_XM_MODES,
167 CBT_MIN_NUM_XM_MODES,
168 CBT_MAX_NUM_XM_MODES);
169 return num;
170 }
171
172 /**
173 * Retrieve and bounds-check the cbtmincircs consensus paramter.
174 *
175 * Effect: This is the minimum number of circuits to build before
176 * computing a timeout.
177 */
178 static int32_t
179 circuit_build_times_min_circs_to_observe(void)
180 {
181 int32_t num = networkstatus_get_param(NULL, "cbtmincircs",
182 CBT_DEFAULT_MIN_CIRCUITS_TO_OBSERVE,
183 CBT_MIN_MIN_CIRCUITS_TO_OBSERVE,
184 CBT_MAX_MIN_CIRCUITS_TO_OBSERVE);
185 return num;
186 }
187
188 /** Return true iff <b>cbt</b> has recorded enough build times that we
189 * want to start acting on the timeout it implies. */
190 int
191 circuit_build_times_enough_to_compute(circuit_build_times_t *cbt)
192 {
193 return cbt->total_build_times >= circuit_build_times_min_circs_to_observe();
194 }
195
196 /**
197 * Retrieve and bounds-check the cbtquantile consensus paramter.
198 *
199 * Effect: This is the position on the quantile curve to use to set the
200 * timeout value. It is a percent (10-99).
201 */
202 double
203 circuit_build_times_quantile_cutoff(void)
204 {
205 int32_t num = networkstatus_get_param(NULL, "cbtquantile",
206 CBT_DEFAULT_QUANTILE_CUTOFF,
207 CBT_MIN_QUANTILE_CUTOFF,
208 CBT_MAX_QUANTILE_CUTOFF);
209 return num/100.0;
210 }
211
212 int
213 circuit_build_times_get_bw_scale(networkstatus_t *ns)
214 {
215 return networkstatus_get_param(ns, "bwweightscale",
216 BW_WEIGHT_SCALE,
217 BW_MIN_WEIGHT_SCALE,
218 BW_MAX_WEIGHT_SCALE);
219 }
220
221 /**
222 * Retrieve and bounds-check the cbtclosequantile consensus paramter.
223 *
224 * Effect: This is the position on the quantile curve to use to set the
225 * timeout value to use to actually close circuits. It is a percent
226 * (0-99).
227 */
228 static double
229 circuit_build_times_close_quantile(void)
230 {
231 int32_t param;
232 /* Cast is safe - circuit_build_times_quantile_cutoff() is capped */
233 int32_t min = (int)tor_lround(100*circuit_build_times_quantile_cutoff());
234 param = networkstatus_get_param(NULL, "cbtclosequantile",
235 CBT_DEFAULT_CLOSE_QUANTILE,
236 CBT_MIN_CLOSE_QUANTILE,
237 CBT_MAX_CLOSE_QUANTILE);
238 if (param < min) {
239 log_warn(LD_DIR, "Consensus parameter cbtclosequantile is "
240 "too small, raising to %d", min);
241 param = min;
242 }
243 return param / 100.0;
244 }
245
246 /**
247 * Retrieve and bounds-check the cbttestfreq consensus paramter.
248 *
249 * Effect: Describes how often in seconds to build a test circuit to
250 * gather timeout values. Only applies if less than 'cbtmincircs'
251 * have been recorded.
252 */
253 static int32_t
254 circuit_build_times_test_frequency(void)
255 {
256 int32_t num = networkstatus_get_param(NULL, "cbttestfreq",
257 CBT_DEFAULT_TEST_FREQUENCY,
258 CBT_MIN_TEST_FREQUENCY,
259 CBT_MAX_TEST_FREQUENCY);
260 return num;
261 }
262
263 /**
264 * Retrieve and bounds-check the cbtmintimeout consensus paramter.
265 *
266 * Effect: This is the minimum allowed timeout value in milliseconds.
267 * The minimum is to prevent rounding to 0 (we only check once
268 * per second).
269 */
270 static int32_t
271 circuit_build_times_min_timeout(void)
272 {
273 int32_t num = networkstatus_get_param(NULL, "cbtmintimeout",
274 CBT_DEFAULT_TIMEOUT_MIN_VALUE,
275 CBT_MIN_TIMEOUT_MIN_VALUE,
276 CBT_MAX_TIMEOUT_MIN_VALUE);
277 return num;
278 }
279
280 /**
281 * Retrieve and bounds-check the cbtinitialtimeout consensus paramter.
282 *
283 * Effect: This is the timeout value to use before computing a timeout,
284 * in milliseconds.
285 */
286 int32_t
287 circuit_build_times_initial_timeout(void)
288 {
289 int32_t min = circuit_build_times_min_timeout();
290 int32_t param = networkstatus_get_param(NULL, "cbtinitialtimeout",
291 CBT_DEFAULT_TIMEOUT_INITIAL_VALUE,
292 CBT_MIN_TIMEOUT_INITIAL_VALUE,
293 CBT_MAX_TIMEOUT_INITIAL_VALUE);
294 if (param < min) {
295 log_warn(LD_DIR, "Consensus parameter cbtinitialtimeout is too small, "
296 "raising to %d", min);
297 param = min;
298 }
299 return param;
300 }
301
302 /**
303 * Retrieve and bounds-check the cbtrecentcount consensus paramter.
304 *
305 * Effect: This is the number of circuit build times to keep track of
306 * for deciding if we hit cbtmaxtimeouts and need to reset our state
307 * and learn a new timeout.
308 */
309 static int32_t
310 circuit_build_times_recent_circuit_count(networkstatus_t *ns)
311 {
312 return networkstatus_get_param(ns, "cbtrecentcount",
313 CBT_DEFAULT_RECENT_CIRCUITS,
314 CBT_MIN_RECENT_CIRCUITS,
315 CBT_MAX_RECENT_CIRCUITS);
316 }
317
318 /**
319 * This function is called when we get a consensus update.
320 *
321 * It checks to see if we have changed any consensus parameters
322 * that require reallocation or discard of previous stats.
323 */
324 void
325 circuit_build_times_new_consensus_params(circuit_build_times_t *cbt,
326 networkstatus_t *ns)
327 {
328 int32_t num = circuit_build_times_recent_circuit_count(ns);
329
330 if (num > 0 && num != cbt->liveness.num_recent_circs) {
331 int8_t *recent_circs;
332 log_notice(LD_CIRC, "The Tor Directory Consensus has changed how many "
333 "circuits we must track to detect network failures from %d "
334 "to %d.", cbt->liveness.num_recent_circs, num);
335
336 tor_assert(cbt->liveness.timeouts_after_firsthop);
337
338 /*
339 * Technically this is a circular array that we are reallocating
340 * and memcopying. However, since it only consists of either 1s
341 * or 0s, and is only used in a statistical test to determine when
342 * we should discard our history after a sufficient number of 1's
343 * have been reached, it is fine if order is not preserved or
344 * elements are lost.
345 *
346 * cbtrecentcount should only be changing in cases of severe network
347 * distress anyway, so memory correctness here is paramount over
348 * doing acrobatics to preserve the array.
349 */
350 recent_circs = tor_malloc_zero(sizeof(int8_t)*num);
351 memcpy(recent_circs, cbt->liveness.timeouts_after_firsthop,
352 sizeof(int8_t)*MIN(num, cbt->liveness.num_recent_circs));
353
354 // Adjust the index if it needs it.
355 if (num < cbt->liveness.num_recent_circs) {
356 cbt->liveness.after_firsthop_idx = MIN(num-1,
357 cbt->liveness.after_firsthop_idx);
358 }
359
360 tor_free(cbt->liveness.timeouts_after_firsthop);
361 cbt->liveness.timeouts_after_firsthop = recent_circs;
362 cbt->liveness.num_recent_circs = num;
363 }
364 }
365
366 /** Make a note that we're running unit tests (rather than running Tor
367 * itself), so we avoid clobbering our state file. */
368 void
369 circuitbuild_running_unit_tests(void)
370 {
371 unit_tests = 1;
372 }
373
374 /**
375 * Return the initial default or configured timeout in milliseconds
376 */
377 static double
378 circuit_build_times_get_initial_timeout(void)
379 {
380 double timeout;
381 if (!unit_tests && get_options()->CircuitBuildTimeout) {
382 timeout = get_options()->CircuitBuildTimeout*1000;
383 if (timeout < circuit_build_times_min_timeout()) {
384 log_warn(LD_CIRC, "Config CircuitBuildTimeout too low. Setting to %ds",
385 circuit_build_times_min_timeout()/1000);
386 timeout = circuit_build_times_min_timeout();
387 }
388 } else {
389 timeout = circuit_build_times_initial_timeout();
390 }
391 return timeout;
392 }
393
394 /**
395 * Reset the build time state.
396 *
397 * Leave estimated parameters, timeout and network liveness intact
398 * for future use.
399 */
400 void
401 circuit_build_times_reset(circuit_build_times_t *cbt)
402 {
403 memset(cbt->circuit_build_times, 0, sizeof(cbt->circuit_build_times));
404 cbt->total_build_times = 0;
405 cbt->build_times_idx = 0;
406 cbt->have_computed_timeout = 0;
407 }
408
409 /**
410 * Initialize the buildtimes structure for first use.
411 *
412 * Sets the initial timeout values based on either the config setting,
413 * the consensus param, or the default (CBT_DEFAULT_TIMEOUT_INITIAL_VALUE).
414 */
415 void
416 circuit_build_times_init(circuit_build_times_t *cbt)
417 {
418 memset(cbt, 0, sizeof(*cbt));
419 cbt->liveness.num_recent_circs =
420 circuit_build_times_recent_circuit_count(NULL);
421 cbt->liveness.timeouts_after_firsthop = tor_malloc_zero(sizeof(int8_t)*
422 cbt->liveness.num_recent_circs);
423 cbt->close_ms = cbt->timeout_ms = circuit_build_times_get_initial_timeout();
424 control_event_buildtimeout_set(cbt, BUILDTIMEOUT_SET_EVENT_RESET);
425 }
426
427 #if 0
428 /**
429 * Rewind our build time history by n positions.
430 */
431 static void
432 circuit_build_times_rewind_history(circuit_build_times_t *cbt, int n)
433 {
434 int i = 0;
435
436 cbt->build_times_idx -= n;
437 cbt->build_times_idx %= CBT_NCIRCUITS_TO_OBSERVE;
438
439 for (i = 0; i < n; i++) {
440 cbt->circuit_build_times[(i+cbt->build_times_idx)
441 %CBT_NCIRCUITS_TO_OBSERVE]=0;
442 }
443
444 if (cbt->total_build_times > n) {
445 cbt->total_build_times -= n;
446 } else {
447 cbt->total_build_times = 0;
448 }
449
450 log_info(LD_CIRC,
451 "Rewound history by %d places. Current index: %d. "
452 "Total: %d", n, cbt->build_times_idx, cbt->total_build_times);
453 }
454 #endif
455
456 /**
457 * Add a new build time value <b>time</b> to the set of build times. Time
458 * units are milliseconds.
459 *
460 * circuit_build_times <b>cbt</a> is a circular array, so loop around when
461 * array is full.
462 */
463 int
464 circuit_build_times_add_time(circuit_build_times_t *cbt, build_time_t time)
465 {
466 if (time <= 0 || time > CBT_BUILD_TIME_MAX) {
467 log_warn(LD_BUG, "Circuit build time is too large (%u)."
468 "This is probably a bug.", time);
469 tor_fragile_assert();
470 return -1;
471 }
472
473 log_debug(LD_CIRC, "Adding circuit build time %u", time);
474
475 cbt->circuit_build_times[cbt->build_times_idx] = time;
476 cbt->build_times_idx = (cbt->build_times_idx + 1) % CBT_NCIRCUITS_TO_OBSERVE;
477 if (cbt->total_build_times < CBT_NCIRCUITS_TO_OBSERVE)
478 cbt->total_build_times++;
479
480 if ((cbt->total_build_times % CBT_SAVE_STATE_EVERY) == 0) {
481 /* Save state every n circuit builds */
482 if (!unit_tests && !get_options()->AvoidDiskWrites)
483 or_state_mark_dirty(get_or_state(), 0);
484 }
485
486 return 0;
487 }
488
489 /**
490 * Return maximum circuit build time
491 */
492 static build_time_t
493 circuit_build_times_max(circuit_build_times_t *cbt)
494 {
495 int i = 0;
496 build_time_t max_build_time = 0;
497 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
498 if (cbt->circuit_build_times[i] > max_build_time
499 && cbt->circuit_build_times[i] != CBT_BUILD_ABANDONED)
500 max_build_time = cbt->circuit_build_times[i];
501 }
502 return max_build_time;
503 }
504
505 #if 0
506 /** Return minimum circuit build time */
507 build_time_t
508 circuit_build_times_min(circuit_build_times_t *cbt)
509 {
510 int i = 0;
511 build_time_t min_build_time = CBT_BUILD_TIME_MAX;
512 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
513 if (cbt->circuit_build_times[i] && /* 0 <-> uninitialized */
514 cbt->circuit_build_times[i] < min_build_time)
515 min_build_time = cbt->circuit_build_times[i];
516 }
517 if (min_build_time == CBT_BUILD_TIME_MAX) {
518 log_warn(LD_CIRC, "No build times less than CBT_BUILD_TIME_MAX!");
519 }
520 return min_build_time;
521 }
522 #endif
523
524 /**
525 * Calculate and return a histogram for the set of build times.
526 *
527 * Returns an allocated array of histrogram bins representing
528 * the frequency of index*CBT_BIN_WIDTH millisecond
529 * build times. Also outputs the number of bins in nbins.
530 *
531 * The return value must be freed by the caller.
532 */
533 static uint32_t *
534 circuit_build_times_create_histogram(circuit_build_times_t *cbt,
535 build_time_t *nbins)
536 {
537 uint32_t *histogram;
538 build_time_t max_build_time = circuit_build_times_max(cbt);
539 int i, c;
540
541 *nbins = 1 + (max_build_time / CBT_BIN_WIDTH);
542 histogram = tor_malloc_zero(*nbins * sizeof(build_time_t));
543
544 // calculate histogram
545 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
546 if (cbt->circuit_build_times[i] == 0
547 || cbt->circuit_build_times[i] == CBT_BUILD_ABANDONED)
548 continue; /* 0 <-> uninitialized */
549
550 c = (cbt->circuit_build_times[i] / CBT_BIN_WIDTH);
551 histogram[c]++;
552 }
553
554 return histogram;
555 }
556
557 /**
558 * Return the Pareto start-of-curve parameter Xm.
559 *
560 * Because we are not a true Pareto curve, we compute this as the
561 * weighted average of the N=3 most frequent build time bins.
562 */
563 static build_time_t
564 circuit_build_times_get_xm(circuit_build_times_t *cbt)
565 {
566 build_time_t i, nbins;
567 build_time_t *nth_max_bin;
568 int32_t bin_counts=0;
569 build_time_t ret = 0;
570 uint32_t *histogram = circuit_build_times_create_histogram(cbt, &nbins);
571 int n=0;
572 int num_modes = circuit_build_times_default_num_xm_modes();
573
574 // Only use one mode if < 1000 buildtimes. Not enough data
575 // for multiple.
576 if (cbt->total_build_times < CBT_NCIRCUITS_TO_OBSERVE)
577 num_modes = 1;
578
579 nth_max_bin = (build_time_t*)tor_malloc_zero(num_modes*sizeof(build_time_t));
580
581 for (i = 0; i < nbins; i++) {
582 if (histogram[i] >= histogram[nth_max_bin[0]]) {
583 nth_max_bin[0] = i;
584 }
585
586 for (n = 1; n < num_modes; n++) {
587 if (histogram[i] >= histogram[nth_max_bin[n]] &&
588 (!histogram[nth_max_bin[n-1]]
589 || histogram[i] < histogram[nth_max_bin[n-1]])) {
590 nth_max_bin[n] = i;
591 }
592 }
593 }
594
595 for (n = 0; n < num_modes; n++) {
596 bin_counts += histogram[nth_max_bin[n]];
597 ret += CBT_BIN_TO_MS(nth_max_bin[n])*histogram[nth_max_bin[n]];
598 log_info(LD_CIRC, "Xm mode #%d: %u %u", n, CBT_BIN_TO_MS(nth_max_bin[n]),
599 histogram[nth_max_bin[n]]);
600 }
601
602 ret /= bin_counts;
603 tor_free(histogram);
604 tor_free(nth_max_bin);
605
606 return ret;
607 }
608
609 /**
610 * Output a histogram of current circuit build times to
611 * the or_state_t state structure.
612 */
613 void
614 circuit_build_times_update_state(circuit_build_times_t *cbt,
615 or_state_t *state)
616 {
617 uint32_t *histogram;
618 build_time_t i = 0;
619 build_time_t nbins = 0;
620 config_line_t **next, *line;
621
622 histogram = circuit_build_times_create_histogram(cbt, &nbins);
623 // write to state
624 config_free_lines(state->BuildtimeHistogram);
625 next = &state->BuildtimeHistogram;
626 *next = NULL;
627
628 state->TotalBuildTimes = cbt->total_build_times;
629 state->CircuitBuildAbandonedCount = 0;
630
631 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
632 if (cbt->circuit_build_times[i] == CBT_BUILD_ABANDONED)
633 state->CircuitBuildAbandonedCount++;
634 }
635
636 for (i = 0; i < nbins; i++) {
637 // compress the histogram by skipping the blanks
638 if (histogram[i] == 0) continue;
639 *next = line = tor_malloc_zero(sizeof(config_line_t));
640 line->key = tor_strdup("CircuitBuildTimeBin");
641 line->value = tor_malloc(25);
642 tor_snprintf(line->value, 25, "%d %d",
643 CBT_BIN_TO_MS(i), histogram[i]);
644 next = &(line->next);
645 }
646
647 if (!unit_tests) {
648 if (!get_options()->AvoidDiskWrites)
649 or_state_mark_dirty(get_or_state(), 0);
650 }
651
652 tor_free(histogram);
653 }
654
655 /**
656 * Shuffle the build times array.
657 *
658 * Stolen from http://en.wikipedia.org/wiki/Fisher\u2013Yates_shuffle
659 */
660 static void
661 circuit_build_times_shuffle_and_store_array(circuit_build_times_t *cbt,
662 build_time_t *raw_times,
663 int num_times)
664 {
665 int n = num_times;
666 if (num_times > CBT_NCIRCUITS_TO_OBSERVE) {
667 log_notice(LD_CIRC, "The number of circuit times that this Tor version "
668 "uses to calculate build times is less than the number stored "
669 "in your state file. Decreasing the circuit time history from "
670 "%d to %d.", num_times, CBT_NCIRCUITS_TO_OBSERVE);
671 }
672
673 /* This code can only be run on a compact array */
674 while (n-- > 1) {
675 int k = crypto_rand_int(n + 1); /* 0 <= k <= n. */
676 build_time_t tmp = raw_times[k];
677 raw_times[k] = raw_times[n];
678 raw_times[n] = tmp;
679 }
680
681 /* Since the times are now shuffled, take a random CBT_NCIRCUITS_TO_OBSERVE
682 * subset (ie the first CBT_NCIRCUITS_TO_OBSERVE values) */
683 for (n = 0; n < MIN(num_times, CBT_NCIRCUITS_TO_OBSERVE); n++) {
684 circuit_build_times_add_time(cbt, raw_times[n]);
685 }
686 }
687
688 /**
689 * Filter old synthetic timeouts that were created before the
690 * new right-censored Pareto calculation was deployed.
691 *
692 * Once all clients before 0.2.1.13-alpha are gone, this code
693 * will be unused.
694 */
695 static int
696 circuit_build_times_filter_timeouts(circuit_build_times_t *cbt)
697 {
698 int num_filtered=0, i=0;
699 double timeout_rate = 0;
700 build_time_t max_timeout = 0;
701
702 timeout_rate = circuit_build_times_timeout_rate(cbt);
703 max_timeout = (build_time_t)cbt->close_ms;
704
705 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
706 if (cbt->circuit_build_times[i] > max_timeout) {
707 build_time_t replaced = cbt->circuit_build_times[i];
708 num_filtered++;
709 cbt->circuit_build_times[i] = CBT_BUILD_ABANDONED;
710
711 log_debug(LD_CIRC, "Replaced timeout %d with %d", replaced,
712 cbt->circuit_build_times[i]);
713 }
714 }
715
716 log_info(LD_CIRC,
717 "We had %d timeouts out of %d build times, "
718 "and filtered %d above the max of %u",
719 (int)(cbt->total_build_times*timeout_rate),
720 cbt->total_build_times, num_filtered, max_timeout);
721
722 return num_filtered;
723 }
724
725 /**
726 * Load histogram from <b>state</b>, shuffling the resulting array
727 * after we do so. Use this result to estimate parameters and
728 * calculate the timeout.
729 *
730 * Return -1 on error.
731 */
732 int
733 circuit_build_times_parse_state(circuit_build_times_t *cbt,
734 or_state_t *state)
735 {
736 int tot_values = 0;
737 uint32_t loaded_cnt = 0, N = 0;
738 config_line_t *line;
739 unsigned int i;
740 build_time_t *loaded_times;
741 int err = 0;
742 circuit_build_times_init(cbt);
743
744 if (circuit_build_times_disabled()) {
745 return 0;
746 }
747
748 /* build_time_t 0 means uninitialized */
749 loaded_times = tor_malloc_zero(sizeof(build_time_t)*state->TotalBuildTimes);
750
751 for (line = state->BuildtimeHistogram; line; line = line->next) {
752 smartlist_t *args = smartlist_create();
753 smartlist_split_string(args, line->value, " ",
754 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
755 if (smartlist_len(args) < 2) {
756 log_warn(LD_GENERAL, "Unable to parse circuit build times: "
757 "Too few arguments to CircuitBuildTime");
758 err = 1;
759 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
760 smartlist_free(args);
761 break;
762 } else {
763 const char *ms_str = smartlist_get(args,0);
764 const char *count_str = smartlist_get(args,1);
765 uint32_t count, k;
766 build_time_t ms;
767 int ok;
768 ms = (build_time_t)tor_parse_ulong(ms_str, 0, 0,
769 CBT_BUILD_TIME_MAX, &ok, NULL);
770 if (!ok) {
771 log_warn(LD_GENERAL, "Unable to parse circuit build times: "
772 "Unparsable bin number");
773 err = 1;
774 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
775 smartlist_free(args);
776 break;
777 }
778 count = (uint32_t)tor_parse_ulong(count_str, 0, 0,
779 UINT32_MAX, &ok, NULL);
780 if (!ok) {
781 log_warn(LD_GENERAL, "Unable to parse circuit build times: "
782 "Unparsable bin count");
783 err = 1;
784 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
785 smartlist_free(args);
786 break;
787 }
788
789 if (loaded_cnt+count+state->CircuitBuildAbandonedCount
790 > state->TotalBuildTimes) {
791 log_warn(LD_CIRC,
792 "Too many build times in state file. "
793 "Stopping short before %d",
794 loaded_cnt+count);
795 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
796 smartlist_free(args);
797 break;
798 }
799
800 for (k = 0; k < count; k++) {
801 loaded_times[loaded_cnt++] = ms;
802 }
803 N++;
804 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
805 smartlist_free(args);
806 }
807 }
808
809 log_info(LD_CIRC,
810 "Adding %d timeouts.", state->CircuitBuildAbandonedCount);
811 for (i=0; i < state->CircuitBuildAbandonedCount; i++) {
812 loaded_times[loaded_cnt++] = CBT_BUILD_ABANDONED;
813 }
814
815 if (loaded_cnt != state->TotalBuildTimes) {
816 log_warn(LD_CIRC,
817 "Corrupt state file? Build times count mismatch. "
818 "Read %d times, but file says %d", loaded_cnt,
819 state->TotalBuildTimes);
820 err = 1;
821 circuit_build_times_reset(cbt);
822 goto done;
823 }
824
825 circuit_build_times_shuffle_and_store_array(cbt, loaded_times, loaded_cnt);
826
827 /* Verify that we didn't overwrite any indexes */
828 for (i=0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
829 if (!cbt->circuit_build_times[i])
830 break;
831 tot_values++;
832 }
833 log_info(LD_CIRC,
834 "Loaded %d/%d values from %d lines in circuit time histogram",
835 tot_values, cbt->total_build_times, N);
836
837 if (cbt->total_build_times != tot_values
838 || cbt->total_build_times > CBT_NCIRCUITS_TO_OBSERVE) {
839 log_warn(LD_CIRC,
840 "Corrupt state file? Shuffled build times mismatch. "
841 "Read %d times, but file says %d", tot_values,
842 state->TotalBuildTimes);
843 err = 1;
844 circuit_build_times_reset(cbt);
845 goto done;
846 }
847
848 circuit_build_times_set_timeout(cbt);
849
850 if (!state->CircuitBuildAbandonedCount && cbt->total_build_times) {
851 circuit_build_times_filter_timeouts(cbt);
852 }
853
854 done:
855 tor_free(loaded_times);
856 return err ? -1 : 0;
857 }
858
859 /**
860 * Estimates the Xm and Alpha parameters using
861 * http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation
862 *
863 * The notable difference is that we use mode instead of min to estimate Xm.
864 * This is because our distribution is frechet-like. We claim this is
865 * an acceptable approximation because we are only concerned with the
866 * accuracy of the CDF of the tail.
867 */
868 int
869 circuit_build_times_update_alpha(circuit_build_times_t *cbt)
870 {
871 build_time_t *x=cbt->circuit_build_times;
872 double a = 0;
873 int n=0,i=0,abandoned_count=0;
874 build_time_t max_time=0;
875
876 /* http://en.wikipedia.org/wiki/Pareto_distribution#Parameter_estimation */
877 /* We sort of cheat here and make our samples slightly more pareto-like
878 * and less frechet-like. */
879 cbt->Xm = circuit_build_times_get_xm(cbt);
880
881 tor_assert(cbt->Xm > 0);
882
883 for (i=0; i< CBT_NCIRCUITS_TO_OBSERVE; i++) {
884 if (!x[i]) {
885 continue;
886 }
887
888 if (x[i] < cbt->Xm) {
889 a += tor_mathlog(cbt->Xm);
890 } else if (x[i] == CBT_BUILD_ABANDONED) {
891 abandoned_count++;
892 } else {
893 a += tor_mathlog(x[i]);
894 if (x[i] > max_time)
895 max_time = x[i];
896 }
897 n++;
898 }
899
900 /*
901 * We are erring and asserting here because this can only happen
902 * in codepaths other than startup. The startup state parsing code
903 * performs this same check, and resets state if it hits it. If we
904 * hit it at runtime, something serious has gone wrong.
905 */
906 if (n!=cbt->total_build_times) {
907 log_err(LD_CIRC, "Discrepancy in build times count: %d vs %d", n,
908 cbt->total_build_times);
909 }
910 tor_assert(n==cbt->total_build_times);
911
912 if (max_time <= 0) {
913 /* This can happen if Xm is actually the *maximum* value in the set.
914 * It can also happen if we've abandoned every single circuit somehow.
915 * In either case, tell the caller not to compute a new build timeout. */
916 log_warn(LD_BUG,
917 "Could not determine largest build time (%d). "
918 "Xm is %dms and we've abandoned %d out of %d circuits.", max_time,
919 cbt->Xm, abandoned_count, n);
920 return 0;
921 }
922
923 a += abandoned_count*tor_mathlog(max_time);
924
925 a -= n*tor_mathlog(cbt->Xm);
926 // Estimator comes from Eq #4 in:
927 // "Bayesian estimation based on trimmed samples from Pareto populations"
928 // by Arturo J. Fernández. We are right-censored only.
929 a = (n-abandoned_count)/a;
930
931 cbt->alpha = a;
932
933 return 1;
934 }
935
936 /**
937 * This is the Pareto Quantile Function. It calculates the point x
938 * in the distribution such that F(x) = quantile (ie quantile*100%
939 * of the mass of the density function is below x on the curve).
940 *
941 * We use it to calculate the timeout and also to generate synthetic
942 * values of time for circuits that timeout before completion.
943 *
944 * See http://en.wikipedia.org/wiki/Quantile_function,
945 * http://en.wikipedia.org/wiki/Inverse_transform_sampling and
946 * http://en.wikipedia.org/wiki/Pareto_distribution#Generating_a_
947 * random_sample_from_Pareto_distribution
948 * That's right. I'll cite wikipedia all day long.
949 *
950 * Return value is in milliseconds.
951 */
952 double
953 circuit_build_times_calculate_timeout(circuit_build_times_t *cbt,
954 double quantile)
955 {
956 double ret;
957 tor_assert(quantile >= 0);
958 tor_assert(1.0-quantile > 0);
959 tor_assert(cbt->Xm > 0);
960
961 ret = cbt->Xm/pow(1.0-quantile,1.0/cbt->alpha);
962 if (ret > INT32_MAX) {
963 ret = INT32_MAX;
964 }
965 tor_assert(ret > 0);
966 return ret;
967 }
968
969 /** Pareto CDF */
970 double
971 circuit_build_times_cdf(circuit_build_times_t *cbt, double x)
972 {
973 double ret;
974 tor_assert(cbt->Xm > 0);
975 ret = 1.0-pow(cbt->Xm/x,cbt->alpha);
976 tor_assert(0 <= ret && ret <= 1.0);
977 return ret;
978 }
979
980 /**
981 * Generate a synthetic time using our distribution parameters.
982 *
983 * The return value will be within the [q_lo, q_hi) quantile points
984 * on the CDF.
985 */
986 build_time_t
987 circuit_build_times_generate_sample(circuit_build_times_t *cbt,
988 double q_lo, double q_hi)
989 {
990 double randval = crypto_rand_double();
991 build_time_t ret;
992 double u;
993
994 /* Generate between [q_lo, q_hi) */
995 /*XXXX This is what nextafter is supposed to be for; we should use it on the
996 * platforms that support it. */
997 q_hi -= 1.0/(INT32_MAX);
998
999 tor_assert(q_lo >= 0);
1000 tor_assert(q_hi < 1);
1001 tor_assert(q_lo < q_hi);
1002
1003 u = q_lo + (q_hi-q_lo)*randval;
1004
1005 tor_assert(0 <= u && u < 1.0);
1006 /* circuit_build_times_calculate_timeout returns <= INT32_MAX */
1007 ret = (build_time_t)
1008 tor_lround(circuit_build_times_calculate_timeout(cbt, u));
1009 tor_assert(ret > 0);
1010 return ret;
1011 }
1012
1013 /**
1014 * Estimate an initial alpha parameter by solving the quantile
1015 * function with a quantile point and a specific timeout value.
1016 */
1017 void
1018 circuit_build_times_initial_alpha(circuit_build_times_t *cbt,
1019 double quantile, double timeout_ms)
1020 {
1021 // Q(u) = Xm/((1-u)^(1/a))
1022 // Q(0.8) = Xm/((1-0.8))^(1/a)) = CircBuildTimeout
1023 // CircBuildTimeout = Xm/((1-0.8))^(1/a))
1024 // CircBuildTimeout = Xm*((1-0.8))^(-1/a))
1025 // ln(CircBuildTimeout) = ln(Xm)+ln(((1-0.8)))*(-1/a)
1026 // -ln(1-0.8)/(ln(CircBuildTimeout)-ln(Xm))=a
1027 tor_assert(quantile >= 0);
1028 tor_assert(cbt->Xm > 0);
1029 cbt->alpha = tor_mathlog(1.0-quantile)/
1030 (tor_mathlog(cbt->Xm)-tor_mathlog(timeout_ms));
1031 tor_assert(cbt->alpha > 0);
1032 }
1033
1034 /**
1035 * Returns true if we need circuits to be built
1036 */
1037 int
1038 circuit_build_times_needs_circuits(circuit_build_times_t *cbt)
1039 {
1040 /* Return true if < MIN_CIRCUITS_TO_OBSERVE */
1041 return !circuit_build_times_enough_to_compute(cbt);
1042 }
1043
1044 /**
1045 * Returns true if we should build a timeout test circuit
1046 * right now.
1047 */
1048 int
1049 circuit_build_times_needs_circuits_now(circuit_build_times_t *cbt)
1050 {
1051 return circuit_build_times_needs_circuits(cbt) &&
1052 approx_time()-cbt->last_circ_at > circuit_build_times_test_frequency();
1053 }
1054
1055 /**
1056 * Called to indicate that the network showed some signs of liveness,
1057 * i.e. we received a cell.
1058 *
1059 * This is used by circuit_build_times_network_check_live() to decide
1060 * if we should record the circuit build timeout or not.
1061 *
1062 * This function is called every time we receive a cell. Avoid
1063 * syscalls, events, and other high-intensity work.
1064 */
1065 void
1066 circuit_build_times_network_is_live(circuit_build_times_t *cbt)
1067 {
1068 time_t now = approx_time();
1069 if (cbt->liveness.nonlive_timeouts > 0) {
1070 log_notice(LD_CIRC,
1071 "Tor now sees network activity. Restoring circuit build "
1072 "timeout recording. Network was down for %d seconds "
1073 "during %d circuit attempts.",
1074 (int)(now - cbt->liveness.network_last_live),
1075 cbt->liveness.nonlive_timeouts);
1076 }
1077 cbt->liveness.network_last_live = now;
1078 cbt->liveness.nonlive_timeouts = 0;
1079 }
1080
1081 /**
1082 * Called to indicate that we completed a circuit. Because this circuit
1083 * succeeded, it doesn't count as a timeout-after-the-first-hop.
1084 *
1085 * This is used by circuit_build_times_network_check_changed() to determine
1086 * if we had too many recent timeouts and need to reset our learned timeout
1087 * to something higher.
1088 */
1089 void
1090 circuit_build_times_network_circ_success(circuit_build_times_t *cbt)
1091 {
1092 cbt->liveness.timeouts_after_firsthop[cbt->liveness.after_firsthop_idx] = 0;
1093 cbt->liveness.after_firsthop_idx++;
1094 cbt->liveness.after_firsthop_idx %= cbt->liveness.num_recent_circs;
1095 }
1096
1097 /**
1098 * A circuit just timed out. If it failed after the first hop, record it
1099 * in our history for later deciding if the network speed has changed.
1100 *
1101 * This is used by circuit_build_times_network_check_changed() to determine
1102 * if we had too many recent timeouts and need to reset our learned timeout
1103 * to something higher.
1104 */
1105 static void
1106 circuit_build_times_network_timeout(circuit_build_times_t *cbt,
1107 int did_onehop)
1108 {
1109 if (did_onehop) {
1110 cbt->liveness.timeouts_after_firsthop[cbt->liveness.after_firsthop_idx]=1;
1111 cbt->liveness.after_firsthop_idx++;
1112 cbt->liveness.after_firsthop_idx %= cbt->liveness.num_recent_circs;
1113 }
1114 }
1115
1116 /**
1117 * A circuit was just forcibly closed. If there has been no recent network
1118 * activity at all, but this circuit was launched back when we thought the
1119 * network was live, increment the number of "nonlive" circuit timeouts.
1120 *
1121 * This is used by circuit_build_times_network_check_live() to decide
1122 * if we should record the circuit build timeout or not.
1123 */
1124 static void
1125 circuit_build_times_network_close(circuit_build_times_t *cbt,
1126 int did_onehop, time_t start_time)
1127 {
1128 time_t now = time(NULL);
1129 /*
1130 * Check if this is a timeout that was for a circuit that spent its
1131 * entire existence during a time where we have had no network activity.
1132 */
1133 if (cbt->liveness.network_last_live < start_time) {
1134 if (did_onehop) {
1135 char last_live_buf[ISO_TIME_LEN+1];
1136 char start_time_buf[ISO_TIME_LEN+1];
1137 char now_buf[ISO_TIME_LEN+1];
1138 format_local_iso_time(last_live_buf, cbt->liveness.network_last_live);
1139 format_local_iso_time(start_time_buf, start_time);
1140 format_local_iso_time(now_buf, now);
1141 log_warn(LD_BUG,
1142 "Circuit somehow completed a hop while the network was "
1143 "not live. Network was last live at %s, but circuit launched "
1144 "at %s. It's now %s.", last_live_buf, start_time_buf,
1145 now_buf);
1146 }
1147 cbt->liveness.nonlive_timeouts++;
1148 if (cbt->liveness.nonlive_timeouts == 1) {
1149 log_notice(LD_CIRC,
1150 "Tor has not observed any network activity for the past %d "
1151 "seconds. Disabling circuit build timeout recording.",
1152 (int)(now - cbt->liveness.network_last_live));
1153 } else {
1154 log_info(LD_CIRC,
1155 "Got non-live timeout. Current count is: %d",
1156 cbt->liveness.nonlive_timeouts);
1157 }
1158 }
1159 }
1160
1161 /**
1162 * When the network is not live, we do not record circuit build times.
1163 *
1164 * The network is considered not live if there has been at least one
1165 * circuit build that began and ended (had its close_ms measurement
1166 * period expire) since we last received a cell.
1167 *
1168 * Also has the side effect of rewinding the circuit time history
1169 * in the case of recent liveness changes.
1170 */
1171 int
1172 circuit_build_times_network_check_live(circuit_build_times_t *cbt)
1173 {
1174 if (cbt->liveness.nonlive_timeouts > 0) {
1175 return 0;
1176 }
1177
1178 return 1;
1179 }
1180
1181 /**
1182 * Returns true if we have seen more than MAX_RECENT_TIMEOUT_COUNT of
1183 * the past RECENT_CIRCUITS time out after the first hop. Used to detect
1184 * if the network connection has changed significantly, and if so,
1185 * resets our circuit build timeout to the default.
1186 *
1187 * Also resets the entire timeout history in this case and causes us
1188 * to restart the process of building test circuits and estimating a
1189 * new timeout.
1190 */
1191 int
1192 circuit_build_times_network_check_changed(circuit_build_times_t *cbt)
1193 {
1194 int total_build_times = cbt->total_build_times;
1195 int timeout_count=0;
1196 int i;
1197
1198 /* how many of our recent circuits made it to the first hop but then
1199 * timed out? */
1200 for (i = 0; i < cbt->liveness.num_recent_circs; i++) {
1201 timeout_count += cbt->liveness.timeouts_after_firsthop[i];
1202 }
1203
1204 /* If 80% of our recent circuits are timing out after the first hop,
1205 * we need to re-estimate a new initial alpha and timeout. */
1206 if (timeout_count < circuit_build_times_max_timeouts()) {
1207 return 0;
1208 }
1209
1210 circuit_build_times_reset(cbt);
1211 memset(cbt->liveness.timeouts_after_firsthop, 0,
1212 sizeof(*cbt->liveness.timeouts_after_firsthop)*
1213 cbt->liveness.num_recent_circs);
1214 cbt->liveness.after_firsthop_idx = 0;
1215
1216 /* Check to see if this has happened before. If so, double the timeout
1217 * to give people on abysmally bad network connections a shot at access */
1218 if (cbt->timeout_ms >= circuit_build_times_get_initial_timeout()) {
1219 if (cbt->timeout_ms > INT32_MAX/2 || cbt->close_ms > INT32_MAX/2) {
1220 log_warn(LD_CIRC, "Insanely large circuit build timeout value. "
1221 "(timeout = %lfmsec, close = %lfmsec)",
1222 cbt->timeout_ms, cbt->close_ms);
1223 } else {
1224 cbt->timeout_ms *= 2;
1225 cbt->close_ms *= 2;
1226 }
1227 } else {
1228 cbt->close_ms = cbt->timeout_ms
1229 = circuit_build_times_get_initial_timeout();
1230 }
1231
1232 control_event_buildtimeout_set(cbt, BUILDTIMEOUT_SET_EVENT_RESET);
1233
1234 log_notice(LD_CIRC,
1235 "Your network connection speed appears to have changed. Resetting "
1236 "timeout to %lds after %d timeouts and %d buildtimes.",
1237 tor_lround(cbt->timeout_ms/1000), timeout_count,
1238 total_build_times);
1239
1240 return 1;
1241 }
1242
1243 /**
1244 * Count the number of timeouts in a set of cbt data.
1245 */
1246 double
1247 circuit_build_times_timeout_rate(const circuit_build_times_t *cbt)
1248 {
1249 int i=0,timeouts=0;
1250 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
1251 if (cbt->circuit_build_times[i] >= cbt->timeout_ms) {
1252 timeouts++;
1253 }
1254 }
1255
1256 if (!cbt->total_build_times)
1257 return 0;
1258
1259 return ((double)timeouts)/cbt->total_build_times;
1260 }
1261
1262 /**
1263 * Count the number of closed circuits in a set of cbt data.
1264 */
1265 double
1266 circuit_build_times_close_rate(const circuit_build_times_t *cbt)
1267 {
1268 int i=0,closed=0;
1269 for (i = 0; i < CBT_NCIRCUITS_TO_OBSERVE; i++) {
1270 if (cbt->circuit_build_times[i] == CBT_BUILD_ABANDONED) {
1271 closed++;
1272 }
1273 }
1274
1275 if (!cbt->total_build_times)
1276 return 0;
1277
1278 return ((double)closed)/cbt->total_build_times;
1279 }
1280
1281 /**
1282 * Store a timeout as a synthetic value.
1283 *
1284 * Returns true if the store was successful and we should possibly
1285 * update our timeout estimate.
1286 */
1287 int
1288 circuit_build_times_count_close(circuit_build_times_t *cbt,
1289 int did_onehop,
1290 time_t start_time)
1291 {
1292 if (circuit_build_times_disabled()) {
1293 cbt->close_ms = cbt->timeout_ms
1294 = circuit_build_times_get_initial_timeout();
1295 return 0;
1296 }
1297
1298 /* Record this force-close to help determine if the network is dead */
1299 circuit_build_times_network_close(cbt, did_onehop, start_time);
1300
1301 /* Only count timeouts if network is live.. */
1302 if (!circuit_build_times_network_check_live(cbt)) {
1303 return 0;
1304 }
1305
1306 circuit_build_times_add_time(cbt, CBT_BUILD_ABANDONED);
1307 return 1;
1308 }
1309
1310 /**
1311 * Update timeout counts to determine if we need to expire
1312 * our build time history due to excessive timeouts.
1313 *
1314 * We do not record any actual time values at this stage;
1315 * we are only interested in recording the fact that a timeout
1316 * happened. We record the time values via
1317 * circuit_build_times_count_close() and circuit_build_times_add_time().
1318 */
1319 void
1320 circuit_build_times_count_timeout(circuit_build_times_t *cbt,
1321 int did_onehop)
1322 {
1323 if (circuit_build_times_disabled()) {
1324 cbt->close_ms = cbt->timeout_ms
1325 = circuit_build_times_get_initial_timeout();
1326 return;
1327 }
1328
1329 /* Register the fact that a timeout just occurred. */
1330 circuit_build_times_network_timeout(cbt, did_onehop);
1331
1332 /* If there are a ton of timeouts, we should reset
1333 * the circuit build timeout. */
1334 circuit_build_times_network_check_changed(cbt);
1335 }
1336
1337 /**
1338 * Estimate a new timeout based on history and set our timeout
1339 * variable accordingly.
1340 */
1341 static int
1342 circuit_build_times_set_timeout_worker(circuit_build_times_t *cbt)
1343 {
1344 build_time_t max_time;
1345 if (!circuit_build_times_enough_to_compute(cbt))
1346 return 0;
1347
1348 if (!circuit_build_times_update_alpha(cbt))
1349 return 0;
1350
1351 cbt->timeout_ms = circuit_build_times_calculate_timeout(cbt,
1352 circuit_build_times_quantile_cutoff());
1353
1354 cbt->close_ms = circuit_build_times_calculate_timeout(cbt,
1355 circuit_build_times_close_quantile());
1356
1357 max_time = circuit_build_times_max(cbt);
1358
1359 /* Sometimes really fast guard nodes give us such a steep curve
1360 * that this ends up being not that much greater than timeout_ms.
1361 * Make it be at least 1 min to handle this case. */
1362 cbt->close_ms = MAX(cbt->close_ms, circuit_build_times_initial_timeout());
1363
1364 if (cbt->timeout_ms > max_time) {
1365 log_notice(LD_CIRC,
1366 "Circuit build timeout of %dms is beyond the maximum build "
1367 "time we have ever observed. Capping it to %dms.",
1368 (int)cbt->timeout_ms, max_time);
1369 cbt->timeout_ms = max_time;
1370 }
1371
1372 if (max_time < INT32_MAX/2 && cbt->close_ms > 2*max_time) {
1373 log_info(LD_CIRC,
1374 "Circuit build measurement period of %dms is more than twice "
1375 "the maximum build time we have ever observed. Capping it to "
1376 "%dms.", (int)cbt->close_ms, 2*max_time);
1377 cbt->close_ms = 2*max_time;
1378 }
1379
1380 cbt->have_computed_timeout = 1;
1381 return 1;
1382 }
1383
1384 /**
1385 * Exposed function to compute a new timeout. Dispatches events and
1386 * also filters out extremely high timeout values.
1387 */
1388 void
1389 circuit_build_times_set_timeout(circuit_build_times_t *cbt)
1390 {
1391 long prev_timeout = tor_lround(cbt->timeout_ms/1000);
1392 double timeout_rate;
1393
1394 if (!circuit_build_times_set_timeout_worker(cbt))
1395 return;
1396
1397 if (cbt->timeout_ms < circuit_build_times_min_timeout()) {
1398 log_warn(LD_CIRC, "Set buildtimeout to low value %lfms. Setting to %dms",
1399 cbt->timeout_ms, circuit_build_times_min_timeout());
1400 cbt->timeout_ms = circuit_build_times_min_timeout();
1401 if (cbt->close_ms < cbt->timeout_ms) {
1402 /* This shouldn't happen because of MAX() in timeout_worker above,
1403 * but doing it just in case */
1404 cbt->close_ms = circuit_build_times_initial_timeout();
1405 }
1406 }
1407
1408 control_event_buildtimeout_set(cbt, BUILDTIMEOUT_SET_EVENT_COMPUTED);
1409
1410 timeout_rate = circuit_build_times_timeout_rate(cbt);
1411
1412 if (prev_timeout > tor_lround(cbt->timeout_ms/1000)) {
1413 log_notice(LD_CIRC,
1414 "Based on %d circuit times, it looks like we don't need to "
1415 "wait so long for circuits to finish. We will now assume a "
1416 "circuit is too slow to use after waiting %ld seconds.",
1417 cbt->total_build_times,
1418 tor_lround(cbt->timeout_ms/1000));
1419 log_info(LD_CIRC,
1420 "Circuit timeout data: %lfms, %lfms, Xm: %d, a: %lf, r: %lf",
1421 cbt->timeout_ms, cbt->close_ms, cbt->Xm, cbt->alpha,
1422 timeout_rate);
1423 } else if (prev_timeout < tor_lround(cbt->timeout_ms/1000)) {
1424 log_notice(LD_CIRC,
1425 "Based on %d circuit times, it looks like we need to wait "
1426 "longer for circuits to finish. We will now assume a "
1427 "circuit is too slow to use after waiting %ld seconds.",
1428 cbt->total_build_times,
1429 tor_lround(cbt->timeout_ms/1000));
1430 log_info(LD_CIRC,
1431 "Circuit timeout data: %lfms, %lfms, Xm: %d, a: %lf, r: %lf",
1432 cbt->timeout_ms, cbt->close_ms, cbt->Xm, cbt->alpha,
1433 timeout_rate);
1434 } else {
1435 log_info(LD_CIRC,
1436 "Set circuit build timeout to %lds (%lfms, %lfms, Xm: %d, a: %lf,"
1437 " r: %lf) based on %d circuit times",
1438 tor_lround(cbt->timeout_ms/1000),
1439 cbt->timeout_ms, cbt->close_ms, cbt->Xm, cbt->alpha, timeout_rate,
1440 cbt->total_build_times);
1441 }
1442 }
1443
1444 /** Iterate over values of circ_id, starting from conn-\>next_circ_id,
1445 * and with the high bit specified by conn-\>circ_id_type, until we get
1446 * a circ_id that is not in use by any other circuit on that conn.
1447 *
1448 * Return it, or 0 if can't get a unique circ_id.
1449 */
1450 static circid_t
1451 get_unique_circ_id_by_conn(or_connection_t *conn)
1452 {
1453 circid_t test_circ_id;
1454 circid_t attempts=0;
1455 circid_t high_bit;
1456
1457 tor_assert(conn);
1458 if (conn->circ_id_type == CIRC_ID_TYPE_NEITHER) {
1459 log_warn(LD_BUG, "Trying to pick a circuit ID for a connection from "
1460 "a client with no identity.");
1461 return 0;
1462 }
1463 high_bit = (conn->circ_id_type == CIRC_ID_TYPE_HIGHER) ? 1<<15 : 0;
1464 do {
1465 /* Sequentially iterate over test_circ_id=1...1<<15-1 until we find a
1466 * circID such that (high_bit|test_circ_id) is not already used. */
1467 test_circ_id = conn->next_circ_id++;
1468 if (test_circ_id == 0 || test_circ_id >= 1<<15) {
1469 test_circ_id = 1;
1470 conn->next_circ_id = 2;
1471 }
1472 if (++attempts > 1<<15) {
1473 /* Make sure we don't loop forever if all circ_id's are used. This
1474 * matters because it's an external DoS opportunity.
1475 */
1476 log_warn(LD_CIRC,"No unused circ IDs. Failing.");
1477 return 0;
1478 }
1479 test_circ_id |= high_bit;
1480 } while (circuit_id_in_use_on_orconn(test_circ_id, conn));
1481 return test_circ_id;
1482 }
1483
1484 /** If <b>verbose</b> is false, allocate and return a comma-separated list of
1485 * the currently built elements of circuit_t. If <b>verbose</b> is true, also
1486 * list information about link status in a more verbose format using spaces.
1487 * If <b>verbose_names</b> is false, give nicknames for Named routers and hex
1488 * digests for others; if <b>verbose_names</b> is true, use $DIGEST=Name style
1489 * names.
1490 */
1491 static char *
1492 circuit_list_path_impl(origin_circuit_t *circ, int verbose, int verbose_names)
1493 {
1494 crypt_path_t *hop;
1495 smartlist_t *elements;
1496 const char *states[] = {"closed", "waiting for keys", "open"};
1497 char *s;
1498
1499 elements = smartlist_create();
1500
1501 if (verbose) {
1502 const char *nickname = build_state_get_exit_nickname(circ->build_state);
1503 char *cp;
1504 tor_asprintf(&cp, "%s%s circ (length %d%s%s):",
1505 circ->build_state->is_internal ? "internal" : "exit",
1506 circ->build_state->need_uptime ? " (high-uptime)" : "",
1507 circ->build_state->desired_path_len,
1508 circ->_base.state == CIRCUIT_STATE_OPEN ? "" : ", exit ",
1509 circ->_base.state == CIRCUIT_STATE_OPEN ? "" :
1510 (nickname?nickname:"*unnamed*"));
1511 smartlist_add(elements, cp);
1512 }
1513
1514 hop = circ->cpath;
1515 do {
1516 routerinfo_t *ri;
1517 routerstatus_t *rs;
1518 char *elt;
1519 const char *id;
1520 if (!hop)
1521 break;
1522 if (!verbose && hop->state != CPATH_STATE_OPEN)
1523 break;
1524 if (!hop->extend_info)
1525 break;
1526 id = hop->extend_info->identity_digest;
1527 if (verbose_names) {
1528 elt = tor_malloc(MAX_VERBOSE_NICKNAME_LEN+1);
1529 if ((ri = router_get_by_digest(id))) {
1530 router_get_verbose_nickname(elt, ri);
1531 } else if ((rs = router_get_consensus_status_by_id(id))) {
1532 routerstatus_get_verbose_nickname(elt, rs);
1533 } else if (is_legal_nickname(hop->extend_info->nickname)) {
1534 elt[0] = '$';
1535 base16_encode(elt+1, HEX_DIGEST_LEN+1, id, DIGEST_LEN);
1536 elt[HEX_DIGEST_LEN+1]= '~';
1537 strlcpy(elt+HEX_DIGEST_LEN+2,
1538 hop->extend_info->nickname, MAX_NICKNAME_LEN+1);
1539 } else {
1540 elt[0] = '$';
1541 base16_encode(elt+1, HEX_DIGEST_LEN+1, id, DIGEST_LEN);
1542 }
1543 } else { /* ! verbose_names */
1544 if ((ri = router_get_by_digest(id)) &&
1545 ri->is_named) {
1546 elt = tor_strdup(hop->extend_info->nickname);
1547 } else {
1548 elt = tor_malloc(HEX_DIGEST_LEN+2);
1549 elt[0] = '$';
1550 base16_encode(elt+1, HEX_DIGEST_LEN+1, id, DIGEST_LEN);
1551 }
1552 }
1553 tor_assert(elt);
1554 if (verbose) {
1555 size_t len = strlen(elt)+2+strlen(states[hop->state])+1;
1556 char *v = tor_malloc(len);
1557 tor_assert(hop->state <= 2);
1558 tor_snprintf(v,len,"%s(%s)",elt,states[hop->state]);
1559 smartlist_add(elements, v);
1560 tor_free(elt);
1561 } else {
1562 smartlist_add(elements, elt);
1563 }
1564 hop = hop->next;
1565 } while (hop != circ->cpath);
1566
1567 s = smartlist_join_strings(elements, verbose?" ":",", 0, NULL);
1568 SMARTLIST_FOREACH(elements, char*, cp, tor_free(cp));
1569 smartlist_free(elements);
1570 return s;
1571 }
1572
1573 /** If <b>verbose</b> is false, allocate and return a comma-separated
1574 * list of the currently built elements of circuit_t. If
1575 * <b>verbose</b> is true, also list information about link status in
1576 * a more verbose format using spaces.
1577 */
1578 char *
1579 circuit_list_path(origin_circuit_t *circ, int verbose)
1580 {
1581 return circuit_list_path_impl(circ, verbose, 0);
1582 }
1583
1584 /** Allocate and return a comma-separated list of the currently built elements
1585 * of circuit_t, giving each as a verbose nickname.
1586 */
1587 char *
1588 circuit_list_path_for_controller(origin_circuit_t *circ)
1589 {
1590 return circuit_list_path_impl(circ, 0, 1);
1591 }
1592
1593 /** Log, at severity <b>severity</b>, the nicknames of each router in
1594 * circ's cpath. Also log the length of the cpath, and the intended
1595 * exit point.
1596 */
1597 void
1598 circuit_log_path(int severity, unsigned int domain, origin_circuit_t *circ)
1599 {
1600 char *s = circuit_list_path(circ,1);
1601 tor_log(severity,domain,"%s",s);
1602 tor_free(s);
1603 }
1604
1605 /** Tell the rep(utation)hist(ory) module about the status of the links
1606 * in circ. Hops that have become OPEN are marked as successfully
1607 * extended; the _first_ hop that isn't open (if any) is marked as
1608 * unable to extend.
1609 */
1610 /* XXXX Someday we should learn from OR circuits too. */
1611 void
1612 circuit_rep_hist_note_result(origin_circuit_t *circ)
1613 {
1614 crypt_path_t *hop;
1615 char *prev_digest = NULL;
1616 routerinfo_t *router;
1617 hop = circ->cpath;
1618 if (!hop) /* circuit hasn't started building yet. */
1619 return;
1620 if (server_mode(get_options())) {
1621 routerinfo_t *me = router_get_my_routerinfo();
1622 if (!me)
1623 return;
1624 prev_digest = me->cache_info.identity_digest;
1625 }
1626 do {
1627 router = router_get_by_digest(hop->extend_info->identity_digest);
1628 if (router) {
1629 if (prev_digest) {
1630 if (hop->state == CPATH_STATE_OPEN)
1631 rep_hist_note_extend_succeeded(prev_digest,
1632 router->cache_info.identity_digest);
1633 else {
1634 rep_hist_note_extend_failed(prev_digest,
1635 router->cache_info.identity_digest);
1636 break;
1637 }
1638 }
1639 prev_digest = router->cache_info.identity_digest;
1640 } else {
1641 prev_digest = NULL;
1642 }
1643 hop=hop->next;
1644 } while (hop!=circ->cpath);
1645 }
1646
1647 /** Pick all the entries in our cpath. Stop and return 0 when we're
1648 * happy, or return -1 if an error occurs. */
1649 static int
1650 onion_populate_cpath(origin_circuit_t *circ)
1651 {
1652 int r;
1653 again:
1654 r = onion_extend_cpath(circ);
1655 if (r < 0) {
1656 log_info(LD_CIRC,"Generating cpath hop failed.");
1657 return -1;
1658 }
1659 if (r == 0)
1660 goto again;
1661 return 0; /* if r == 1 */
1662 }
1663
1664 /** Create and return a new origin circuit. Initialize its purpose and
1665 * build-state based on our arguments. The <b>flags</b> argument is a
1666 * bitfield of CIRCLAUNCH_* flags. */
1667 origin_circuit_t *
1668 origin_circuit_init(uint8_t purpose, int flags)
1669 {
1670 /* sets circ->p_circ_id and circ->p_conn */
1671 origin_circuit_t *circ = origin_circuit_new();
1672 circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_OR_WAIT);
1673 circ->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
1674 circ->build_state->onehop_tunnel =
1675 ((flags & CIRCLAUNCH_ONEHOP_TUNNEL) ? 1 : 0);
1676 circ->build_state->need_uptime =
1677 ((flags & CIRCLAUNCH_NEED_UPTIME) ? 1 : 0);
1678 circ->build_state->need_capacity =
1679 ((flags & CIRCLAUNCH_NEED_CAPACITY) ? 1 : 0);
1680 circ->build_state->is_internal =
1681 ((flags & CIRCLAUNCH_IS_INTERNAL) ? 1 : 0);
1682 circ->_base.purpose = purpose;
1683 return circ;
1684 }
1685
1686 /** Build a new circuit for <b>purpose</b>. If <b>exit</b>
1687 * is defined, then use that as your exit router, else choose a suitable
1688 * exit node.
1689 *
1690 * Also launch a connection to the first OR in the chosen path, if
1691 * it's not open already.
1692 */
1693 origin_circuit_t *
1694 circuit_establish_circuit(uint8_t purpose, extend_info_t *exit, int flags)
1695 {
1696 origin_circuit_t *circ;
1697 int err_reason = 0;
1698
1699 circ = origin_circuit_init(purpose, flags);
1700
1701 if (onion_pick_cpath_exit(circ, exit) < 0 ||
1702 onion_populate_cpath(circ) < 0) {
1703 circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_NOPATH);
1704 return NULL;
1705 }
1706
1707 control_event_circuit_status(circ, CIRC_EVENT_LAUNCHED, 0);
1708
1709 if ((err_reason = circuit_handle_first_hop(circ)) < 0) {
1710 circuit_mark_for_close(TO_CIRCUIT(circ), -err_reason);
1711 return NULL;
1712 }
1713 return circ;
1714 }
1715
1716 /** Start establishing the first hop of our circuit. Figure out what
1717 * OR we should connect to, and if necessary start the connection to
1718 * it. If we're already connected, then send the 'create' cell.
1719 * Return 0 for ok, -reason if circ should be marked-for-close. */
1720 int
1721 circuit_handle_first_hop(origin_circuit_t *circ)
1722 {
1723 crypt_path_t *firsthop;
1724 or_connection_t *n_conn;
1725 int err_reason = 0;
1726 const char *msg = NULL;
1727 int should_launch = 0;
1728
1729 firsthop = onion_next_hop_in_cpath(circ->cpath);
1730 tor_assert(firsthop);
1731 tor_assert(firsthop->extend_info);
1732
1733 /* now see if we're already connected to the first OR in 'route' */
1734 log_debug(LD_CIRC,"Looking for firsthop '%s:%u'",
1735 fmt_addr(&firsthop->extend_info->addr),
1736 firsthop->extend_info->port);
1737
1738 n_conn = connection_or_get_for_extend(firsthop->extend_info->identity_digest,
1739 &firsthop->extend_info->addr,
1740 &msg,
1741 &should_launch);
1742
1743 if (!n_conn) {
1744 /* not currently connected in a useful way. */
1745 const char *name = strlen(firsthop->extend_info->nickname) ?
1746 firsthop->extend_info->nickname : fmt_addr(&firsthop->extend_info->addr);
1747 log_info(LD_CIRC, "Next router is %s: %s ",
1748 safe_str_client(name), msg?msg:"???");
1749 circ->_base.n_hop = extend_info_dup(firsthop->extend_info);
1750
1751 if (should_launch) {
1752 if (circ->build_state->onehop_tunnel)
1753 control_event_bootstrap(BOOTSTRAP_STATUS_CONN_DIR, 0);
1754 n_conn = connection_or_connect(&firsthop->extend_info->addr,
1755 firsthop->extend_info->port,
1756 firsthop->extend_info->identity_digest);
1757 if (!n_conn) { /* connect failed, forget the whole thing */
1758 log_info(LD_CIRC,"connect to firsthop failed. Closing.");
1759 return -END_CIRC_REASON_CONNECTFAILED;
1760 }
1761 }
1762
1763 log_debug(LD_CIRC,"connecting in progress (or finished). Good.");
1764 /* return success. The onion/circuit/etc will be taken care of
1765 * automatically (may already have been) whenever n_conn reaches
1766 * OR_CONN_STATE_OPEN.
1767 */
1768 return 0;
1769 } else { /* it's already open. use it. */
1770 tor_assert(!circ->_base.n_hop);
1771 circ->_base.n_conn = n_conn;
1772 log_debug(LD_CIRC,"Conn open. Delivering first onion skin.");
1773 if ((err_reason = circuit_send_next_onion_skin(circ)) < 0) {
1774 log_info(LD_CIRC,"circuit_send_next_onion_skin failed.");
1775 return err_reason;
1776 }
1777 }
1778 return 0;
1779 }
1780
1781 /** Find any circuits that are waiting on <b>or_conn</b> to become
1782 * open and get them to send their create cells forward.
1783 *
1784 * Status is 1 if connect succeeded, or 0 if connect failed.
1785 */
1786 void
1787 circuit_n_conn_done(or_connection_t *or_conn, int status)
1788 {
1789 smartlist_t *pending_circs;
1790 int err_reason = 0;
1791
1792 log_debug(LD_CIRC,"or_conn to %s/%s, status=%d",
1793 or_conn->nickname ? or_conn->nickname : "NULL",
1794 or_conn->_base.address, status);
1795
1796 pending_circs = smartlist_create();
1797 circuit_get_all_pending_on_or_conn(pending_circs, or_conn);
1798
1799 SMARTLIST_FOREACH_BEGIN(pending_circs, circuit_t *, circ)
1800 {
1801 /* These checks are redundant wrt get_all_pending_on_or_conn, but I'm
1802 * leaving them in in case it's possible for the status of a circuit to
1803 * change as we're going down the list. */
1804 if (circ->marked_for_close || circ->n_conn || !circ->n_hop ||
1805 circ->state != CIRCUIT_STATE_OR_WAIT)
1806 continue;
1807
1808 if (tor_digest_is_zero(circ->n_hop->identity_digest)) {
1809 /* Look at addr/port. This is an unkeyed connection. */
1810 if (!tor_addr_eq(&circ->n_hop->addr, &or_conn->_base.addr) ||
1811 circ->n_hop->port != or_conn->_base.port)
1812 continue;
1813 } else {
1814 /* We expected a key. See if it's the right one. */
1815 if (memcmp(or_conn->identity_digest,
1816 circ->n_hop->identity_digest, DIGEST_LEN))
1817 continue;
1818 }
1819 if (!status) { /* or_conn failed; close circ */
1820 log_info(LD_CIRC,"or_conn failed. Closing circ.");
1821 circuit_mark_for_close(circ, END_CIRC_REASON_OR_CONN_CLOSED);
1822 continue;
1823 }
1824 log_debug(LD_CIRC, "Found circ, sending create cell.");
1825 /* circuit_deliver_create_cell will set n_circ_id and add us to
1826 * orconn_circuid_circuit_map, so we don't need to call
1827 * set_circid_orconn here. */
1828 circ->n_conn = or_conn;
1829 extend_info_free(circ->n_hop);
1830 circ->n_hop = NULL;
1831
1832 if (CIRCUIT_IS_ORIGIN(circ)) {
1833 if ((err_reason =
1834 circuit_send_next_onion_skin(TO_ORIGIN_CIRCUIT(circ))) < 0) {
1835 log_info(LD_CIRC,
1836 "send_next_onion_skin failed; circuit marked for closing.");
1837 circuit_mark_for_close(circ, -err_reason);
1838 continue;
1839 /* XXX could this be bad, eg if next_onion_skin failed because conn
1840 * died? */
1841 }
1842 } else {
1843 /* pull the create cell out of circ->onionskin, and send it */
1844 tor_assert(circ->n_conn_onionskin);
1845 if (circuit_deliver_create_cell(circ,CELL_CREATE,
1846 circ->n_conn_onionskin)<0) {
1847 circuit_mark_for_close(circ, END_CIRC_REASON_RESOURCELIMIT);
1848 continue;
1849 }
1850 tor_free(circ->n_conn_onionskin);
1851 circuit_set_state(circ, CIRCUIT_STATE_OPEN);
1852 }
1853 }
1854 SMARTLIST_FOREACH_END(circ);
1855
1856 smartlist_free(pending_circs);
1857 }
1858
1859 /** Find a new circid that isn't currently in use on the circ->n_conn
1860 * for the outgoing
1861 * circuit <b>circ</b>, and deliver a cell of type <b>cell_type</b>
1862 * (either CELL_CREATE or CELL_CREATE_FAST) with payload <b>payload</b>
1863 * to this circuit.
1864 * Return -1 if we failed to find a suitable circid, else return 0.
1865 */
1866 static int
1867 circuit_deliver_create_cell(circuit_t *circ, uint8_t cell_type,
1868 const char *payload)
1869 {
1870 cell_t cell;
1871 circid_t id;
1872
1873 tor_assert(circ);
1874 tor_assert(circ->n_conn);
1875 tor_assert(payload);
1876 tor_assert(cell_type == CELL_CREATE || cell_type == CELL_CREATE_FAST);
1877
1878 id = get_unique_circ_id_by_conn(circ->n_conn);
1879 if (!id) {
1880 log_warn(LD_CIRC,"failed to get unique circID.");
1881 return -1;
1882 }
1883 log_debug(LD_CIRC,"Chosen circID %u.", id);
1884 circuit_set_n_circid_orconn(circ, id, circ->n_conn);
1885
1886 memset(&cell, 0, sizeof(cell_t));
1887 cell.command = cell_type;
1888 cell.circ_id = circ->n_circ_id;
1889
1890 memcpy(cell.payload, payload, ONIONSKIN_CHALLENGE_LEN);
1891 append_cell_to_circuit_queue(circ, circ->n_conn, &cell,
1892 CELL_DIRECTION_OUT, 0);
1893
1894 if (CIRCUIT_IS_ORIGIN(circ)) {
1895 /* mark it so it gets better rate limiting treatment. */
1896 circ->n_conn->client_used = time(NULL);
1897 }
1898
1899 return 0;
1900 }
1901
1902 /** We've decided to start our reachability testing. If all
1903 * is set, log this to the user. Return 1 if we did, or 0 if
1904 * we chose not to log anything. */
1905 int
1906 inform_testing_reachability(void)
1907 {
1908 char dirbuf[128];
1909 routerinfo_t *me = router_get_my_routerinfo();
1910 if (!me)
1911 return 0;
1912 control_event_server_status(LOG_NOTICE,
1913 "CHECKING_REACHABILITY ORADDRESS=%s:%d",
1914 me->address, me->or_port);
1915 if (me->dir_port) {
1916 tor_snprintf(dirbuf, sizeof(dirbuf), " and DirPort %s:%d",
1917 me->address, me->dir_port);
1918 control_event_server_status(LOG_NOTICE,
1919 "CHECKING_REACHABILITY DIRADDRESS=%s:%d",
1920 me->address, me->dir_port);
1921 }
1922 log_notice(LD_OR, "Now checking whether ORPort %s:%d%s %s reachable... "
1923 "(this may take up to %d minutes -- look for log "
1924 "messages indicating success)",
1925 me->address, me->or_port,
1926 me->dir_port ? dirbuf : "",
1927 me->dir_port ? "are" : "is",
1928 TIMEOUT_UNTIL_UNREACHABILITY_COMPLAINT/60);
1929
1930 return 1;
1931 }
1932
1933 /** Return true iff we should send a create_fast cell to start building a given
1934 * circuit */
1935 static INLINE int
1936 should_use_create_fast_for_circuit(origin_circuit_t *circ)
1937 {
1938 or_options_t *options = get_options();
1939 tor_assert(circ->cpath);
1940 tor_assert(circ->cpath->extend_info);
1941
1942 if (!circ->cpath->extend_info->onion_key)
1943 return 1; /* our hand is forced: only a create_fast will work. */
1944 if (!options->FastFirstHopPK)
1945 return 0; /* we prefer to avoid create_fast */
1946 if (server_mode(options)) {
1947 /* We're a server, and we know an onion key. We can choose.
1948 * Prefer to blend in. */
1949 return 0;
1950 }
1951
1952 return 1;
1953 }
1954
1955 /** Return true if <b>circ</b> is the type of circuit we want to count
1956 * timeouts from. In particular, we want it to have not completed yet
1957 * (already completing indicates we cannibalized it), and we want it to
1958 * have exactly three hops.
1959 */
1960 int
1961 circuit_timeout_want_to_count_circ(origin_circuit_t *circ)
1962 {
1963 return !circ->has_opened
1964 && circ->build_state->desired_path_len == DEFAULT_ROUTE_LEN;
1965 }
1966
1967 /** This is the backbone function for building circuits.
1968 *
1969 * If circ's first hop is closed, then we need to build a create
1970 * cell and send it forward.
1971 *
1972 * Otherwise, we need to build a relay extend cell and send it
1973 * forward.
1974 *
1975 * Return -reason if we want to tear down circ, else return 0.
1976 */
1977 int
1978 circuit_send_next_onion_skin(origin_circuit_t *circ)
1979 {
1980 crypt_path_t *hop;
1981 routerinfo_t *router;
1982 char payload[2+4+DIGEST_LEN+ONIONSKIN_CHALLENGE_LEN];
1983 char *onionskin;
1984 size_t payload_len;
1985
1986 tor_assert(circ);
1987
1988 if (circ->cpath->state == CPATH_STATE_CLOSED) {
1989 int fast;
1990 uint8_t cell_type;
1991 log_debug(LD_CIRC,"First skin; sending create cell.");
1992 if (circ->build_state->onehop_tunnel)
1993 control_event_bootstrap(BOOTSTRAP_STATUS_ONEHOP_CREATE, 0);
1994 else
1995 control_event_bootstrap(BOOTSTRAP_STATUS_CIRCUIT_CREATE, 0);
1996
1997 router = router_get_by_digest(circ->_base.n_conn->identity_digest);
1998 fast = should_use_create_fast_for_circuit(circ);
1999 if (!fast) {
2000 /* We are an OR and we know the right onion key: we should
2001 * send an old slow create cell.
2002 */
2003 cell_type = CELL_CREATE;
2004 if (onion_skin_create(circ->cpath->extend_info->onion_key,
2005 &(circ->cpath->dh_handshake_state),
2006 payload) < 0) {
2007 log_warn(LD_CIRC,"onion_skin_create (first hop) failed.");
2008 return - END_CIRC_REASON_INTERNAL;
2009 }
2010 note_request("cell: create", 1);
2011 } else {
2012 /* We are not an OR, and we're building the first hop of a circuit to a
2013 * new OR: we can be speedy and use CREATE_FAST to save an RSA operation
2014 * and a DH operation. */
2015 cell_type = CELL_CREATE_FAST;
2016 memset(payload, 0, sizeof(payload));
2017 crypto_rand((char*) circ->cpath->fast_handshake_state,
2018 sizeof(circ->cpath->fast_handshake_state));
2019 memcpy(payload, circ->cpath->fast_handshake_state,
2020 sizeof(circ->cpath->fast_handshake_state));
2021 note_request("cell: create fast", 1);
2022 }
2023
2024 if (circuit_deliver_create_cell(TO_CIRCUIT(circ), cell_type, payload) < 0)
2025 return - END_CIRC_REASON_RESOURCELIMIT;
2026
2027 circ->cpath->state = CPATH_STATE_AWAITING_KEYS;
2028 circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_BUILDING);
2029 log_info(LD_CIRC,"First hop: finished sending %s cell to '%s'",
2030 fast ? "CREATE_FAST" : "CREATE",
2031 router ? router->nickname : "<unnamed>");
2032 } else {
2033 tor_assert(circ->cpath->state == CPATH_STATE_OPEN);
2034 tor_assert(circ->_base.state == CIRCUIT_STATE_BUILDING);
2035 log_debug(LD_CIRC,"starting to send subsequent skin.");
2036 hop = onion_next_hop_in_cpath(circ->cpath);
2037 if (!hop) {
2038 /* done building the circuit. whew. */
2039 circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_OPEN);
2040 if (circuit_timeout_want_to_count_circ(circ)) {
2041 struct timeval end;
2042 long timediff;
2043 tor_gettimeofday(&end);
2044 timediff = tv_mdiff(&circ->_base.highres_created, &end);
2045
2046 /*
2047 * If the circuit build time is much greater than we would have cut
2048 * it off at, we probably had a suspend event along this codepath,
2049 * and we should discard the value.
2050 */
2051 if (timediff < 0 || timediff > 2*circ_times.close_ms+1000) {
2052 log_notice(LD_CIRC, "Strange value for circuit build time: %ldmsec. "
2053 "Assuming clock jump. Purpose %d", timediff,
2054 circ->_base.purpose);
2055 } else if (!circuit_build_times_disabled()) {
2056 /* Only count circuit times if the network is live */
2057 if (circuit_build_times_network_check_live(&circ_times)) {
2058 circuit_build_times_add_time(&circ_times, (build_time_t)timediff);
2059 circuit_build_times_set_timeout(&circ_times);
2060 }
2061
2062 if (circ->_base.purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
2063 circuit_build_times_network_circ_success(&circ_times);
2064 }
2065 }
2066 }
2067 log_info(LD_CIRC,"circuit built!");
2068 circuit_reset_failure_count(0);
2069 if (circ->build_state->onehop_tunnel)
2070 control_event_bootstrap(BOOTSTRAP_STATUS_REQUESTING_STATUS, 0);
2071 if (!can_complete_circuit && !circ->build_state->onehop_tunnel) {
2072 or_options_t *options = get_options();
2073 can_complete_circuit=1;
2074 /* FFFF Log a count of known routers here */
2075 log_notice(LD_GENERAL,
2076 "Tor has successfully opened a circuit. "
2077 "Looks like client functionality is working.");
2078 control_event_bootstrap(BOOTSTRAP_STATUS_DONE, 0);
2079 control_event_client_status(LOG_NOTICE, "CIRCUIT_ESTABLISHED");
2080 if (server_mode(options) && !check_whether_orport_reachable()) {
2081 inform_testing_reachability();
2082 consider_testing_reachability(1, 1);
2083 }
2084 }
2085 circuit_rep_hist_note_result(circ);
2086 circuit_has_opened(circ); /* do other actions as necessary */
2087
2088 /* We're done with measurement circuits here. Just close them */
2089 if (circ->_base.purpose == CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT)
2090 circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_FINISHED);
2091 return 0;
2092 }
2093
2094 if (tor_addr_family(&hop->extend_info->addr) != AF_INET) {
2095 log_warn(LD_BUG, "Trying to extend to a non-IPv4 address.");
2096 return - END_CIRC_REASON_INTERNAL;
2097 }
2098
2099 set_uint32(payload, tor_addr_to_ipv4n(&hop->extend_info->addr));
2100 set_uint16(payload+4, htons(hop->extend_info->port));
2101
2102 onionskin = payload+2+4;
2103 memcpy(payload+2+4+ONIONSKIN_CHALLENGE_LEN,
2104 hop->extend_info->identity_digest, DIGEST_LEN);
2105 payload_len = 2+4+ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN;
2106
2107 if (onion_skin_create(hop->extend_info->onion_key,
2108 &(hop->dh_handshake_state), onionskin) < 0) {
2109 log_warn(LD_CIRC,"onion_skin_create failed.");
2110 return - END_CIRC_REASON_INTERNAL;
2111 }
2112
2113 log_info(LD_CIRC,"Sending extend relay cell.");
2114 note_request("cell: extend", 1);
2115 /* send it to hop->prev, because it will transfer
2116 * it to a create cell and then send to hop */
2117 if (relay_send_command_from_edge(0, TO_CIRCUIT(circ),
2118 RELAY_COMMAND_EXTEND,
2119 payload, payload_len, hop->prev) < 0)
2120 return 0; /* circuit is closed */
2121
2122 hop->state = CPATH_STATE_AWAITING_KEYS;
2123 }
2124 return 0;
2125 }
2126
2127 /** Our clock just jumped by <b>seconds_elapsed</b>. Assume
2128 * something has also gone wrong with our network: notify the user,
2129 * and abandon all not-yet-used circuits. */
2130 void
2131 circuit_note_clock_jumped(int seconds_elapsed)
2132 {
2133 int severity = server_mode(get_options()) ? LOG_WARN : LOG_NOTICE;
2134 tor_log(severity, LD_GENERAL, "Your system clock just jumped %d seconds %s; "
2135 "assuming established circuits no longer work.",
2136 seconds_elapsed >=0 ? seconds_elapsed : -seconds_elapsed,
2137 seconds_elapsed >=0 ? "forward" : "backward");
2138 control_event_general_status(LOG_WARN, "CLOCK_JUMPED TIME=%d",
2139 seconds_elapsed);
2140 can_complete_circuit=0; /* so it'll log when it works again */
2141 control_event_client_status(severity, "CIRCUIT_NOT_ESTABLISHED REASON=%s",
2142 "CLOCK_JUMPED");
2143 circuit_mark_all_unused_circs();
2144 circuit_expire_all_dirty_circs();
2145 }
2146
2147 /** Take the 'extend' <b>cell</b>, pull out addr/port plus the onion
2148 * skin and identity digest for the next hop. If we're already connected,
2149 * pass the onion skin to the next hop using a create cell; otherwise
2150 * launch a new OR connection, and <b>circ</b> will notice when the
2151 * connection succeeds or fails.
2152 *
2153 * Return -1 if we want to warn and tear down the circuit, else return 0.
2154 */
2155 int
2156 circuit_extend(cell_t *cell, circuit_t *circ)
2157 {
2158 or_connection_t *n_conn;
2159 relay_header_t rh;
2160 char *onionskin;
2161 char *id_digest=NULL;
2162 uint32_t n_addr32;
2163 uint16_t n_port;
2164 tor_addr_t n_addr;
2165 const char *msg = NULL;
2166 int should_launch = 0;
2167
2168 if (circ->n_conn) {
2169 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2170 "n_conn already set. Bug/attack. Closing.");
2171 return -1;
2172 }
2173 if (circ->n_hop) {
2174 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2175 "conn to next hop already launched. Bug/attack. Closing.");
2176 return -1;
2177 }
2178
2179 if (!server_mode(get_options())) {
2180 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2181 "Got an extend cell, but running as a client. Closing.");
2182 return -1;
2183 }
2184
2185 relay_header_unpack(&rh, cell->payload);
2186
2187 if (rh.length < 4+2+ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN) {
2188 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2189 "Wrong length %d on extend cell. Closing circuit.",
2190 rh.length);
2191 return -1;
2192 }
2193
2194 n_addr32 = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE));
2195 n_port = ntohs(get_uint16(cell->payload+RELAY_HEADER_SIZE+4));
2196 onionskin = (char*) cell->payload+RELAY_HEADER_SIZE+4+2;
2197 id_digest = (char*) cell->payload+RELAY_HEADER_SIZE+4+2+
2198 ONIONSKIN_CHALLENGE_LEN;
2199 tor_addr_from_ipv4h(&n_addr, n_addr32);
2200
2201 if (!n_port || !n_addr32) {
2202 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2203 "Client asked me to extend to zero destination port or addr.");
2204 return -1;
2205 }
2206
2207 /* Check if they asked us for 0000..0000. We support using
2208 * an empty fingerprint for the first hop (e.g. for a bridge relay),
2209 * but we don't want to let people send us extend cells for empty
2210 * fingerprints -- a) because it opens the user up to a mitm attack,
2211 * and b) because it lets an attacker force the relay to hold open a
2212 * new TLS connection for each extend request. */
2213 if (tor_digest_is_zero(id_digest)) {
2214 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2215 "Client asked me to extend without specifying an id_digest.");
2216 return -1;
2217 }
2218
2219 /* Next, check if we're being asked to connect to the hop that the
2220 * extend cell came from. There isn't any reason for that, and it can
2221 * assist circular-path attacks. */
2222 if (!memcmp(id_digest, TO_OR_CIRCUIT(circ)->p_conn->identity_digest,
2223 DIGEST_LEN)) {
2224 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2225 "Client asked me to extend back to the previous hop.");
2226 return -1;
2227 }
2228
2229 n_conn = connection_or_get_for_extend(id_digest,
2230 &n_addr,
2231 &msg,
2232 &should_launch);
2233
2234 if (!n_conn) {
2235 log_debug(LD_CIRC|LD_OR,"Next router (%s:%d): %s",
2236 fmt_addr(&n_addr), (int)n_port, msg?msg:"????");
2237
2238 circ->n_hop = extend_info_alloc(NULL /*nickname*/,
2239 id_digest,
2240 NULL /*onion_key*/,
2241 &n_addr, n_port);
2242
2243 circ->n_conn_onionskin = tor_malloc(ONIONSKIN_CHALLENGE_LEN);
2244 memcpy(circ->n_conn_onionskin, onionskin, ONIONSKIN_CHALLENGE_LEN);
2245 circuit_set_state(circ, CIRCUIT_STATE_OR_WAIT);
2246
2247 if (should_launch) {
2248 /* we should try to open a connection */
2249 n_conn = connection_or_connect(&n_addr, n_port, id_digest);
2250 if (!n_conn) {
2251 log_info(LD_CIRC,"Launching n_conn failed. Closing circuit.");
2252 circuit_mark_for_close(circ, END_CIRC_REASON_CONNECTFAILED);
2253 return 0;
2254 }
2255 log_debug(LD_CIRC,"connecting in progress (or finished). Good.");
2256 }
2257 /* return success. The onion/circuit/etc will be taken care of
2258 * automatically (may already have been) whenever n_conn reaches
2259 * OR_CONN_STATE_OPEN.
2260 */
2261 return 0;
2262 }
2263
2264 tor_assert(!circ->n_hop); /* Connection is already established. */
2265 circ->n_conn = n_conn;
2266 log_debug(LD_CIRC,"n_conn is %s:%u",
2267 n_conn->_base.address,n_conn->_base.port);
2268
2269 if (circuit_deliver_create_cell(circ, CELL_CREATE, onionskin) < 0)
2270 return -1;
2271 return 0;
2272 }
2273
2274 /** Initialize cpath-\>{f|b}_{crypto|digest} from the key material in
2275 * key_data. key_data must contain CPATH_KEY_MATERIAL bytes, which are
2276 * used as follows:
2277 * - 20 to initialize f_digest
2278 * - 20 to initialize b_digest
2279 * - 16 to key f_crypto
2280 * - 16 to key b_crypto
2281 *
2282 * (If 'reverse' is true, then f_XX and b_XX are swapped.)
2283 */
2284 int
2285 circuit_init_cpath_crypto(crypt_path_t *cpath, const char *key_data,
2286 int reverse)
2287 {
2288 crypto_digest_env_t *tmp_digest;
2289 crypto_cipher_env_t *tmp_crypto;
2290
2291 tor_assert(cpath);
2292 tor_assert(key_data);
2293 tor_assert(!(cpath->f_crypto || cpath->b_crypto ||
2294 cpath->f_digest || cpath->b_digest));
2295
2296 cpath->f_digest = crypto_new_digest_env();
2297 crypto_digest_add_bytes(cpath->f_digest, key_data, DIGEST_LEN);
2298 cpath->b_digest = crypto_new_digest_env();
2299 crypto_digest_add_bytes(cpath->b_digest, key_data+DIGEST_LEN, DIGEST_LEN);
2300
2301 if (!(cpath->f_crypto =
2302 crypto_create_init_cipher(key_data+(2*DIGEST_LEN),1))) {
2303 log_warn(LD_BUG,"Forward cipher initialization failed.");
2304 return -1;
2305 }
2306 if (!(cpath->b_crypto =
2307 crypto_create_init_cipher(key_data+(2*DIGEST_LEN)+CIPHER_KEY_LEN,0))) {
2308 log_warn(LD_BUG,"Backward cipher initialization failed.");
2309 return -1;
2310 }
2311
2312 if (reverse) {
2313 tmp_digest = cpath->f_digest;
2314 cpath->f_digest = cpath->b_digest;
2315 cpath->b_digest = tmp_digest;
2316 tmp_crypto = cpath->f_crypto;
2317 cpath->f_crypto = cpath->b_crypto;
2318 cpath->b_crypto = tmp_crypto;
2319 }
2320
2321 return 0;
2322 }
2323
2324 /** A created or extended cell came back to us on the circuit, and it included
2325 * <b>reply</b> as its body. (If <b>reply_type</b> is CELL_CREATED, the body
2326 * contains (the second DH key, plus KH). If <b>reply_type</b> is
2327 * CELL_CREATED_FAST, the body contains a secret y and a hash H(x|y).)
2328 *
2329 * Calculate the appropriate keys and digests, make sure KH is
2330 * correct, and initialize this hop of the cpath.
2331 *
2332 * Return - reason if we want to mark circ for close, else return 0.
2333 */
2334 int
2335 circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type,
2336 const uint8_t *reply)
2337 {
2338 char keys[CPATH_KEY_MATERIAL_LEN];
2339 crypt_path_t *hop;
2340
2341 if (circ->cpath->state == CPATH_STATE_AWAITING_KEYS)
2342 hop = circ->cpath;
2343 else {
2344 hop = onion_next_hop_in_cpath(circ->cpath);
2345 if (!hop) { /* got an extended when we're all done? */
2346 log_warn(LD_PROTOCOL,"got extended when circ already built? Closing.");
2347 return - END_CIRC_REASON_TORPROTOCOL;
2348 }
2349 }
2350 tor_assert(hop->state == CPATH_STATE_AWAITING_KEYS);
2351
2352 if (reply_type == CELL_CREATED && hop->dh_handshake_state) {
2353 if (onion_skin_client_handshake(hop->dh_handshake_state, (char*)reply,keys,
2354 DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) {
2355 log_warn(LD_CIRC,"onion_skin_client_handshake failed.");
2356 return -END_CIRC_REASON_TORPROTOCOL;
2357 }
2358 /* Remember hash of g^xy */
2359 memcpy(hop->handshake_digest, reply+DH_KEY_LEN, DIGEST_LEN);
2360 } else if (reply_type == CELL_CREATED_FAST && !hop->dh_handshake_state) {
2361 if (fast_client_handshake(hop->fast_handshake_state, reply,
2362 (uint8_t*)keys,
2363 DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) {
2364 log_warn(LD_CIRC,"fast_client_handshake failed.");
2365 return -END_CIRC_REASON_TORPROTOCOL;
2366 }
2367 memcpy(hop->handshake_digest, reply+DIGEST_LEN, DIGEST_LEN);
2368 } else {
2369 log_warn(LD_PROTOCOL,"CREATED cell type did not match CREATE cell type.");
2370 return -END_CIRC_REASON_TORPROTOCOL;
2371 }
2372
2373 crypto_dh_free(hop->dh_handshake_state); /* don't need it anymore */
2374 hop->dh_handshake_state = NULL;
2375
2376 memset(hop->fast_handshake_state, 0, sizeof(hop->fast_handshake_state));
2377
2378 if (circuit_init_cpath_crypto(hop, keys, 0)<0) {
2379 return -END_CIRC_REASON_TORPROTOCOL;
2380 }
2381
2382 hop->state = CPATH_STATE_OPEN;
2383 log_info(LD_CIRC,"Finished building %scircuit hop:",
2384 (reply_type == CELL_CREATED_FAST) ? "fast " : "");
2385 circuit_log_path(LOG_INFO,LD_CIRC,circ);
2386 control_event_circuit_status(circ, CIRC_EVENT_EXTENDED, 0);
2387
2388 return 0;
2389 }
2390
2391 /** We received a relay truncated cell on circ.
2392 *
2393 * Since we don't ask for truncates currently, getting a truncated
2394 * means that a connection broke or an extend failed. For now,
2395 * just give up: for circ to close, and return 0.
2396 */
2397 int
2398 circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer)
2399 {
2400 // crypt_path_t *victim;
2401 // connection_t *stream;
2402
2403 tor_assert(circ);
2404 tor_assert(layer);
2405
2406 /* XXX Since we don't ask for truncates currently, getting a truncated
2407 * means that a connection broke or an extend failed. For now,
2408 * just give up.
2409 */
2410 circuit_mark_for_close(TO_CIRCUIT(circ),
2411 END_CIRC_REASON_FLAG_REMOTE|END_CIRC_REASON_OR_CONN_CLOSED);
2412 return 0;
2413
2414 #if 0
2415 while (layer->next != circ->cpath) {
2416 /* we need to clear out layer->next */
2417 victim = layer->next;
2418 log_debug(LD_CIRC, "Killing a layer of the cpath.");
2419
2420 for (stream = circ->p_streams; stream; stream=stream->next_stream) {
2421 if (stream->cpath_layer == victim) {
2422 log_info(LD_APP, "Marking stream %d for close because of truncate.",
2423 stream->stream_id);
2424 /* no need to send 'end' relay cells,
2425 * because the other side's already dead
2426 */
2427 connection_mark_unattached_ap(stream, END_STREAM_REASON_DESTROY);
2428 }
2429 }
2430
2431 layer->next = victim->next;
2432 circuit_free_cpath_node(victim);
2433 }
2434
2435 log_info(LD_CIRC, "finished");
2436 return 0;
2437 #endif
2438 }
2439
2440 /** Given a response payload and keys, initialize, then send a created
2441 * cell back.
2442 */
2443 int
2444 onionskin_answer(or_circuit_t *circ, uint8_t cell_type, const char *payload,
2445 const char *keys)
2446 {
2447 cell_t cell;
2448 crypt_path_t *tmp_cpath;
2449
2450 tmp_cpath = tor_malloc_zero(sizeof(crypt_path_t));
2451 tmp_cpath->magic = CRYPT_PATH_MAGIC;
2452
2453 memset(&cell, 0, sizeof(cell_t));
2454 cell.command = cell_type;
2455 cell.circ_id = circ->p_circ_id;
2456
2457 circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_OPEN);
2458
2459 memcpy(cell.payload, payload,
2460 cell_type == CELL_CREATED ? ONIONSKIN_REPLY_LEN : DIGEST_LEN*2);
2461
2462 log_debug(LD_CIRC,"init digest forward 0x%.8x, backward 0x%.8x.",
2463 (unsigned int)get_uint32(keys),
2464 (unsigned int)get_uint32(keys+20));
2465 if (circuit_init_cpath_crypto(tmp_cpath, keys, 0)<0) {
2466 log_warn(LD_BUG,"Circuit initialization failed");
2467 tor_free(tmp_cpath);
2468 return -1;
2469 }
2470 circ->n_digest = tmp_cpath->f_digest;
2471 circ->n_crypto = tmp_cpath->f_crypto;
2472 circ->p_digest = tmp_cpath->b_digest;
2473 circ->p_crypto = tmp_cpath->b_crypto;
2474 tmp_cpath->magic = 0;
2475 tor_free(tmp_cpath);
2476
2477 if (cell_type == CELL_CREATED)
2478 memcpy(circ->handshake_digest, cell.payload+DH_KEY_LEN, DIGEST_LEN);
2479 else
2480 memcpy(circ->handshake_digest, cell.payload+DIGEST_LEN, DIGEST_LEN);
2481
2482 circ->is_first_hop = (cell_type == CELL_CREATED_FAST);
2483
2484 append_cell_to_circuit_queue(TO_CIRCUIT(circ),
2485 circ->p_conn, &cell, CELL_DIRECTION_IN, 0);
2486 log_debug(LD_CIRC,"Finished sending 'created' cell.");
2487
2488 if (!is_local_addr(&circ->p_conn->_base.addr) &&
2489 !connection_or_nonopen_was_started_here(circ->p_conn)) {
2490 /* record that we could process create cells from a non-local conn
2491 * that we didn't initiate; presumably this means that create cells
2492 * can reach us too. */
2493 router_orport_found_reachable();
2494 }
2495
2496 return 0;
2497 }
2498
2499 /** Choose a length for a circuit of purpose <b>purpose</b>.
2500 * Default length is 3 + the number of endpoints that would give something
2501 * away. If the routerlist <b>routers</b> doesn't have enough routers
2502 * to handle the desired path length, return as large a path length as
2503 * is feasible, except if it's less than 2, in which case return -1.
2504 */
2505 static int
2506 new_route_len(uint8_t purpose, extend_info_t *exit,
2507 smartlist_t *routers)
2508 {
2509 int num_acceptable_routers;
2510 int routelen;
2511
2512 tor_assert(routers);
2513
2514 routelen = DEFAULT_ROUTE_LEN;
2515 if (exit &&
2516 purpose != CIRCUIT_PURPOSE_TESTING &&
2517 purpose != CIRCUIT_PURPOSE_S_ESTABLISH_INTRO)
2518 routelen++;
2519
2520 num_acceptable_routers = count_acceptable_routers(routers);
2521
2522 log_debug(LD_CIRC,"Chosen route length %d (%d/%d routers suitable).",
2523 routelen, num_acceptable_routers, smartlist_len(routers));
2524
2525 if (num_acceptable_routers < 2) {
2526 log_info(LD_CIRC,
2527 "Not enough acceptable routers (%d). Discarding this circuit.",
2528 num_acceptable_routers);
2529 return -1;
2530 }
2531
2532 if (num_acceptable_routers < routelen) {
2533 log_info(LD_CIRC,"Not enough routers: cutting routelen from %d to %d.",
2534 routelen, num_acceptable_routers);
2535 routelen = num_acceptable_routers;
2536 }
2537
2538 return routelen;
2539 }
2540
2541 /** Fetch the list of predicted ports, dup it into a smartlist of
2542 * uint16_t's, remove the ones that are already handled by an
2543 * existing circuit, and return it.
2544 */
2545 static smartlist_t *
2546 circuit_get_unhandled_ports(time_t now)
2547 {
2548 smartlist_t *source = rep_hist_get_predicted_ports(now);
2549 smartlist_t *dest = smartlist_create();
2550 uint16_t *tmp;
2551 int i;
2552
2553 for (i = 0; i < smartlist_len(source); ++i) {
2554 tmp = tor_malloc(sizeof(uint16_t));
2555 memcpy(tmp, smartlist_get(source, i), sizeof(uint16_t));
2556 smartlist_add(dest, tmp);
2557 }
2558
2559 circuit_remove_handled_ports(dest);
2560 return dest;
2561 }
2562
2563 /** Return 1 if we already have circuits present or on the way for
2564 * all anticipated ports. Return 0 if we should make more.
2565 *
2566 * If we're returning 0, set need_uptime and need_capacity to
2567 * indicate any requirements that the unhandled ports have.
2568 */
2569 int
2570 circuit_all_predicted_ports_handled(time_t now, int *need_uptime,
2571 int *need_capacity)
2572 {
2573 int i, enough;
2574 uint16_t *port;
2575 smartlist_t *sl = circuit_get_unhandled_ports(now);
2576 smartlist_t *LongLivedServices = get_options()->LongLivedPorts;
2577 tor_assert(need_uptime);
2578 tor_assert(need_capacity);
2579 // Always predict need_capacity
2580 *need_capacity = 1;
2581 enough = (smartlist_len(sl) == 0);
2582 for (i = 0; i < smartlist_len(sl); ++i) {
2583 port = smartlist_get(sl, i);
2584 if (smartlist_string_num_isin(LongLivedServices, *port))
2585 *need_uptime = 1;
2586 tor_free(port);
2587 }
2588 smartlist_free(sl);
2589 return enough;
2590 }
2591
2592 /** Return 1 if <b>router</b> can handle one or more of the ports in
2593 * <b>needed_ports</b>, else return 0.
2594 */
2595 static int
2596 router_handles_some_port(routerinfo_t *router, smartlist_t *needed_ports)
2597 {
2598 int i;
2599 uint16_t port;
2600
2601 for (i = 0; i < smartlist_len(needed_ports); ++i) {
2602 addr_policy_result_t r;
2603 /* alignment issues aren't a worry for this dereference, since
2604 needed_ports is explicitly a smartlist of uint16_t's */
2605 port = *(uint16_t *)smartlist_get(needed_ports, i);
2606 tor_assert(port);
2607 r = compare_addr_to_addr_policy(0, port, router->exit_policy);
2608 if (r != ADDR_POLICY_REJECTED && r != ADDR_POLICY_PROBABLY_REJECTED)
2609 return 1;
2610 }
2611 return 0;
2612 }
2613
2614 /** Return true iff <b>conn</b> needs another general circuit to be
2615 * built. */
2616 static int
2617 ap_stream_wants_exit_attention(connection_t *conn)
2618 {
2619 if (conn->type == CONN_TYPE_AP &&
2620 conn->state == AP_CONN_STATE_CIRCUIT_WAIT &&
2621 !conn->marked_for_close &&
2622 !(TO_EDGE_CONN(conn)->want_onehop) && /* ignore one-hop streams */
2623 !(TO_EDGE_CONN(conn)->use_begindir) && /* ignore targeted dir fetches */
2624 !(TO_EDGE_CONN(conn)->chosen_exit_name) && /* ignore defined streams */
2625 !connection_edge_is_rendezvous_stream(TO_EDGE_CONN(conn)) &&
2626 !circuit_stream_is_being_handled(TO_EDGE_CONN(conn), 0,
2627 MIN_CIRCUITS_HANDLING_STREAM))
2628 return 1;
2629 return 0;
2630 }
2631
2632 /** Return a pointer to a suitable router to be the exit node for the
2633 * general-purpose circuit we're about to build.
2634 *
2635 * Look through the connection array, and choose a router that maximizes
2636 * the number of pending streams that can exit from this router.
2637 *
2638 * Return NULL if we can't find any suitable routers.
2639 */
2640 static routerinfo_t *
2641 choose_good_exit_server_general(routerlist_t *dir, int need_uptime,
2642 int need_capacity)
2643 {
2644 int *n_supported;
2645 int i;
2646 int n_pending_connections = 0;
2647 smartlist_t *connections;
2648 int best_support = -1;
2649 int n_best_support=0;
2650 routerinfo_t *router;
2651 or_options_t *options = get_options();
2652
2653 connections = get_connection_array();
2654
2655 /* Count how many connections are waiting for a circuit to be built.
2656 * We use this for log messages now, but in the future we may depend on it.
2657 */
2658 SMARTLIST_FOREACH(connections, connection_t *, conn,
2659 {
2660 if (ap_stream_wants_exit_attention(conn))
2661 ++n_pending_connections;
2662 });
2663 // log_fn(LOG_DEBUG, "Choosing exit node; %d connections are pending",
2664 // n_pending_connections);
2665 /* Now we count, for each of the routers in the directory, how many
2666 * of the pending connections could possibly exit from that
2667 * router (n_supported[i]). (We can't be sure about cases where we
2668 * don't know the IP address of the pending connection.)
2669 *
2670 * -1 means "Don't use this router at all."
2671 */
2672 n_supported = tor_malloc(sizeof(int)*smartlist_len(dir->routers));
2673 for (i = 0; i < smartlist_len(dir->routers); ++i) {/* iterate over routers */
2674 router = smartlist_get(dir->routers, i);
2675 if (router_is_me(router)) {
2676 n_supported[i] = -1;
2677 // log_fn(LOG_DEBUG,"Skipping node %s -- it's me.", router->nickname);
2678 /* XXX there's probably a reverse predecessor attack here, but
2679 * it's slow. should we take this out? -RD
2680 */
2681 continue;
2682 }
2683 if (!router->is_running || router->is_bad_exit) {
2684 n_supported[i] = -1;
2685 continue; /* skip routers that are known to be down or bad exits */
2686 }
2687 if (router_is_unreliable(router, need_uptime, need_capacity, 0) &&
2688 (!options->ExitNodes ||
2689 !routerset_contains_router(options->ExitNodes, router))) {
2690 /* FFFF Someday, differentiate between a routerset that names
2691 * routers, and a routerset that names countries, and only do this
2692 * check if they've asked for specific exit relays. Or if the country
2693 * they ask for is rare. Or something. */
2694 n_supported[i] = -1;
2695 continue; /* skip routers that are not suitable, unless we have
2696 * ExitNodes set, in which case we asked for it */
2697 }
2698 if (!(router->is_valid || options->_AllowInvalid & ALLOW_INVALID_EXIT)) {
2699 /* if it's invalid and we don't want it */
2700 n_supported[i] = -1;
2701 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- invalid router.",
2702 // router->nickname, i);
2703 continue; /* skip invalid routers */
2704 }
2705 if (options->ExcludeSingleHopRelays && router->allow_single_hop_exits) {
2706 n_supported[i] = -1;
2707 continue;
2708 }
2709 if (router_exit_policy_rejects_all(router)) {
2710 n_supported[i] = -1;
2711 // log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- it rejects all.",
2712 // router->nickname, i);
2713 continue; /* skip routers that reject all */
2714 }
2715 n_supported[i] = 0;
2716 /* iterate over connections */
2717 SMARTLIST_FOREACH(connections, connection_t *, conn,
2718 {
2719 if (!ap_stream_wants_exit_attention(conn))
2720 continue; /* Skip everything but APs in CIRCUIT_WAIT */
2721 if (connection_ap_can_use_exit(TO_EDGE_CONN(conn), router, 1)) {
2722 ++n_supported[i];
2723 // log_fn(LOG_DEBUG,"%s is supported. n_supported[%d] now %d.",
2724 // router->nickname, i, n_supported[i]);
2725 } else {
2726 // log_fn(LOG_DEBUG,"%s (index %d) would reject this stream.",
2727 // router->nickname, i);
2728 }
2729 }); /* End looping over connections. */
2730 if (n_pending_connections > 0 && n_supported[i] == 0) {
2731 /* Leave best_support at -1 if that's where it is, so we can
2732 * distinguish it later. */
2733 continue;
2734 }
2735 if (n_supported[i] > best_support) {
2736 /* If this router is better than previous ones, remember its index
2737 * and goodness, and start counting how many routers are this good. */
2738 best_support = n_supported[i]; n_best_support=1;
2739 // log_fn(LOG_DEBUG,"%s is new best supported option so far.",
2740 // router->nickname);
2741 } else if (n_supported[i] == best_support) {
2742 /* If this router is _as good_ as the best one, just increment the
2743 * count of equally good routers.*/
2744 ++n_best_support;
2745 }
2746 }
2747 log_info(LD_CIRC,
2748 "Found %d servers that might support %d/%d pending connections.",
2749 n_best_support, best_support >= 0 ? best_support : 0,
2750 n_pending_connections);
2751
2752 /* If any routers definitely support any pending connections, choose one
2753 * at random. */
2754 if (best_support > 0) {
2755 smartlist_t *supporting = smartlist_create(), *use = smartlist_create();
2756
2757 for (i = 0; i < smartlist_len(dir->routers); i++)
2758 if (n_supported[i] == best_support)
2759 smartlist_add(supporting, smartlist_get(dir->routers, i));
2760
2761 routersets_get_disjunction(use, supporting, options->ExitNodes,
2762 options->_ExcludeExitNodesUnion, 1);
2763 if (smartlist_len(use) == 0 && options->ExitNodes &&
2764 !options->StrictNodes) { /* give up on exitnodes and try again */
2765 routersets_get_disjunction(use, supporting, NULL,
2766 options->_ExcludeExitNodesUnion, 1);
2767 }
2768 router = routerlist_sl_choose_by_bandwidth(use, WEIGHT_FOR_EXIT);
2769 smartlist_free(use);
2770 smartlist_free(supporting);
2771 } else {
2772 /* Either there are no pending connections, or no routers even seem to
2773 * possibly support any of them. Choose a router at random that satisfies
2774 * at least one predicted exit port. */
2775
2776 int attempt;
2777 smartlist_t *needed_ports, *supporting, *use;
2778
2779 if (best_support == -1) {
2780 if (need_uptime || need_capacity) {
2781 log_info(LD_CIRC,
2782 "We couldn't find any live%s%s routers; falling back "
2783 "to list of all routers.",
2784 need_capacity?", fast":"",
2785 need_uptime?", stable":"");
2786 tor_free(n_supported);
2787 return choose_good_exit_server_general(dir, 0, 0);
2788 }
2789 log_notice(LD_CIRC, "All routers are down or won't exit%s -- "
2790 "choosing a doomed exit at random.",
2791 options->_ExcludeExitNodesUnion ? " or are Excluded" : "");
2792 }
2793 supporting = smartlist_create();
2794 use = smartlist_create();
2795 needed_ports = circuit_get_unhandled_ports(time(NULL));
2796 for (attempt = 0; attempt < 2; attempt++) {
2797 /* try once to pick only from routers that satisfy a needed port,
2798 * then if there are none, pick from any that support exiting. */
2799 for (i = 0; i < smartlist_len(dir->routers); i++) {
2800 router = smartlist_get(dir->routers, i);
2801 if (n_supported[i] != -1 &&
2802 (attempt || router_handles_some_port(router, needed_ports))) {
2803 // log_fn(LOG_DEBUG,"Try %d: '%s' is a possibility.",
2804 // try, router->nickname);
2805 smartlist_add(supporting, router);
2806 }
2807 }
2808
2809 routersets_get_disjunction(use, supporting, options->ExitNodes,
2810 options->_ExcludeExitNodesUnion, 1);
2811 if (smartlist_len(use) == 0 && options->ExitNodes &&
2812 !options->StrictNodes) { /* give up on exitnodes and try again */
2813 routersets_get_disjunction(use, supporting, NULL,
2814 options->_ExcludeExitNodesUnion, 1);
2815 }
2816 /* FFF sometimes the above results in null, when the requested
2817 * exit node is considered down by the consensus. we should pick
2818 * it anyway, since the user asked for it. */
2819 router = routerlist_sl_choose_by_bandwidth(use, WEIGHT_FOR_EXIT);
2820 if (router)
2821 break;
2822 smartlist_clear(supporting);
2823 smartlist_clear(use);
2824 }
2825 SMARTLIST_FOREACH(needed_ports, uint16_t *, cp, tor_free(cp));
2826 smartlist_free(needed_ports);
2827 smartlist_free(use);
2828 smartlist_free(supporting);
2829 }
2830
2831 tor_free(n_supported);
2832 if (router) {
2833 log_info(LD_CIRC, "Chose exit server '%s'", router->nickname);
2834 return router;
2835 }
2836 if (options->ExitNodes && options->StrictNodes) {
2837 log_warn(LD_CIRC,
2838 "No specified exit routers seem to be running, and "
2839 "StrictNodes is set: can't choose an exit.");
2840 }
2841 return NULL;
2842 }
2843
2844 /** Return a pointer to a suitable router to be the exit node for the
2845 * circuit of purpose <b>purpose</b> that we're about to build (or NULL
2846 * if no router is suitable).
2847 *
2848 * For general-purpose circuits, pass it off to
2849 * choose_good_exit_server_general()
2850 *
2851 * For client-side rendezvous circuits, choose a random node, weighted
2852 * toward the preferences in 'options'.
2853 */
2854 static routerinfo_t *
2855 choose_good_exit_server(uint8_t purpose, routerlist_t *dir,
2856 int need_uptime, int need_capacity, int is_internal)
2857 {
2858 or_options_t *options = get_options();
2859 router_crn_flags_t flags = 0;
2860 if (need_uptime)
2861 flags |= CRN_NEED_UPTIME;
2862 if (need_capacity)
2863 flags |= CRN_NEED_CAPACITY;
2864
2865 switch (purpose) {
2866 case CIRCUIT_PURPOSE_C_GENERAL:
2867 if (options->_AllowInvalid & ALLOW_INVALID_MIDDLE)
2868 flags |= CRN_ALLOW_INVALID;
2869 if (is_internal) /* pick it like a middle hop */
2870 return router_choose_random_node(NULL, options->ExcludeNodes, flags);
2871 else
2872 return choose_good_exit_server_general(dir,need_uptime,need_capacity);
2873 case CIRCUIT_PURPOSE_C_ESTABLISH_REND:
2874 if (options->_AllowInvalid & ALLOW_INVALID_RENDEZVOUS)
2875 flags |= CRN_ALLOW_INVALID;
2876 return router_choose_random_node(NULL, options->ExcludeNodes, flags);
2877 }
2878 log_warn(LD_BUG,"Unhandled purpose %d", purpose);
2879 tor_fragile_assert();
2880 return NULL;
2881 }
2882
2883 /** Log a warning if the user specified an exit for the circuit that
2884 * has been excluded from use by ExcludeNodes or ExcludeExitNodes. */
2885 static void
2886 warn_if_last_router_excluded(origin_circuit_t *circ, const extend_info_t *exit)
2887 {
2888 or_options_t *options = get_options();
2889 routerset_t *rs = options->ExcludeNodes;
2890 const char *description;
2891 int domain = LD_CIRC;
2892 uint8_t purpose = circ->_base.purpose;
2893
2894 if (circ->build_state->onehop_tunnel)
2895 return;
2896
2897 switch (purpose)
2898 {
2899 default:
2900 case CIRCUIT_PURPOSE_OR:
2901 case CIRCUIT_PURPOSE_INTRO_POINT:
2902 case CIRCUIT_PURPOSE_REND_POINT_WAITING:
2903 case CIRCUIT_PURPOSE_REND_ESTABLISHED:
2904 log_warn(LD_BUG, "Called on non-origin circuit (purpose %d)",
2905 (int)purpose);
2906 return;
2907 case CIRCUIT_PURPOSE_C_GENERAL:
2908 if (circ->build_state->is_internal)
2909 return;
2910 description = "Requested exit node";
2911 rs = options->_ExcludeExitNodesUnion;
2912 break;
2913 case CIRCUIT_PURPOSE_C_INTRODUCING:
2914 case CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT:
2915 case CIRCUIT_PURPOSE_C_INTRODUCE_ACKED:
2916 case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO:
2917 case CIRCUIT_PURPOSE_S_CONNECT_REND:
2918 case CIRCUIT_PURPOSE_S_REND_JOINED:
2919 case CIRCUIT_PURPOSE_TESTING:
2920 return;
2921 case CIRCUIT_PURPOSE_C_ESTABLISH_REND:
2922 case CIRCUIT_PURPOSE_C_REND_READY:
2923 case CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED:
2924 case CIRCUIT_PURPOSE_C_REND_JOINED:
2925 description = "Chosen rendezvous point";
2926 domain = LD_BUG;
2927 break;
2928 case CIRCUIT_PURPOSE_CONTROLLER:
2929 rs = options->_ExcludeExitNodesUnion;
2930 description = "Controller-selected circuit target";
2931 break;
2932 }
2933
2934 if (routerset_contains_extendinfo(rs, exit)) {
2935 log_fn(LOG_WARN, domain, "%s '%s' is in ExcludeNodes%s. Using anyway "
2936 "(circuit purpose %d).",
2937 description,exit->nickname,
2938 rs==options->ExcludeNodes?"":" or ExcludeExitNodes",
2939 (int)purpose);
2940 circuit_log_path(LOG_WARN, domain, circ);
2941 }
2942
2943 return;
2944 }
2945
2946 /** Decide a suitable length for circ's cpath, and pick an exit
2947 * router (or use <b>exit</b> if provided). Store these in the
2948 * cpath. Return 0 if ok, -1 if circuit should be closed. */
2949 static int
2950 onion_pick_cpath_exit(origin_circuit_t *circ, extend_info_t *exit)
2951 {
2952 cpath_build_state_t *state = circ->build_state;
2953 routerlist_t *rl = router_get_routerlist();
2954
2955 if (state->onehop_tunnel) {
2956 log_debug(LD_CIRC, "Launching a one-hop circuit for dir tunnel.");
2957 state->desired_path_len = 1;
2958 } else {
2959 int r = new_route_len(circ->_base.purpose, exit, rl->routers);
2960 if (r < 1) /* must be at least 1 */
2961 return -1;
2962 state->desired_path_len = r;
2963 }
2964
2965 if (exit) { /* the circuit-builder pre-requested one */
2966 warn_if_last_router_excluded(circ, exit);
2967 log_info(LD_CIRC,"Using requested exit node '%s'", exit->nickname);
2968 exit = extend_info_dup(exit);
2969 } else { /* we have to decide one */
2970 routerinfo_t *router =
2971 choose_good_exit_server(circ->_base.purpose, rl, state->need_uptime,
2972 state->need_capacity, state->is_internal);
2973 if (!router) {
2974 log_warn(LD_CIRC,"failed to choose an exit server");
2975 return -1;
2976 }
2977 exit = extend_info_from_router(router);
2978 }
2979 state->chosen_exit = exit;
2980 return 0;
2981 }
2982
2983 /** Give <b>circ</b> a new exit destination to <b>exit</b>, and add a
2984 * hop to the cpath reflecting this. Don't send the next extend cell --
2985 * the caller will do this if it wants to.
2986 */
2987 int
2988 circuit_append_new_exit(origin_circuit_t *circ, extend_info_t *exit)
2989 {
2990 cpath_build_state_t *state;
2991 tor_assert(exit);
2992 tor_assert(circ);
2993
2994 state = circ->build_state;
2995 tor_assert(state);
2996 extend_info_free(state->chosen_exit);
2997 state->chosen_exit = extend_info_dup(exit);
2998
2999 ++circ->build_state->desired_path_len;
3000 onion_append_hop(&circ->cpath, exit);
3001 return 0;
3002 }
3003
3004 /** Take an open <b>circ</b>, and add a new hop at the end, based on
3005 * <b>info</b>. Set its state back to CIRCUIT_STATE_BUILDING, and then
3006 * send the next extend cell to begin connecting to that hop.
3007 */
3008 int
3009 circuit_extend_to_new_exit(origin_circuit_t *circ, extend_info_t *exit)
3010 {
3011 int err_reason = 0;
3012 warn_if_last_router_excluded(circ, exit);
3013 circuit_append_new_exit(circ, exit);
3014 circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_BUILDING);
3015 if ((err_reason = circuit_send_next_onion_skin(circ))<0) {
3016 log_warn(LD_CIRC, "Couldn't extend circuit to new point '%s'.",
3017 exit->nickname);
3018 circuit_mark_for_close(TO_CIRCUIT(circ), -err_reason);
3019 return -1;
3020 }
3021 return 0;
3022 }
3023
3024 /** Return the number of routers in <b>routers</b> that are currently up
3025 * and available for building circuits through.
3026 */
3027 static int
3028 count_acceptable_routers(smartlist_t *routers)
3029 {
3030 int i, n;
3031 int num=0;
3032 routerinfo_t *r;
3033
3034 n = smartlist_len(routers);
3035 for (i=0;i<n;i++) {
3036 r = smartlist_get(routers, i);
3037 // log_debug(LD_CIRC,
3038 // "Contemplating whether router %d (%s) is a new option.",
3039 // i, r->nickname);
3040 if (r->is_running == 0) {
3041 // log_debug(LD_CIRC,"Nope, the directory says %d is not running.",i);
3042 goto next_i_loop;
3043 }
3044 if (r->is_valid == 0) {
3045 // log_debug(LD_CIRC,"Nope, the directory says %d is not valid.",i);
3046 goto next_i_loop;
3047 /* XXX This clause makes us count incorrectly: if AllowInvalidRouters
3048 * allows this node in some places, then we're getting an inaccurate
3049 * count. For now, be conservative and don't count it. But later we
3050 * should try to be smarter. */
3051 }
3052 num++;
3053 // log_debug(LD_CIRC,"I like %d. num_acceptable_routers now %d.",i, num);
3054 next_i_loop:
3055 ; /* C requires an explicit statement after the label */
3056 }
3057
3058 return num;
3059 }
3060
3061 /** Add <b>new_hop</b> to the end of the doubly-linked-list <b>head_ptr</b>.
3062 * This function is used to extend cpath by another hop.
3063 */
3064 void
3065 onion_append_to_cpath(crypt_path_t **head_ptr, crypt_path_t *new_hop)
3066 {
3067 if (*head_ptr) {
3068 new_hop->next = (*head_ptr);
3069 new_hop->prev = (*head_ptr)->prev;
3070 (*head_ptr)->prev->next = new_hop;
3071 (*head_ptr)->prev = new_hop;
3072 } else {
3073 *head_ptr = new_hop;
3074 new_hop->prev = new_hop->next = new_hop;
3075 }
3076 }
3077
3078 /** A helper function used by onion_extend_cpath(). Use <b>purpose</b>
3079 * and <b>state</b> and the cpath <b>head</b> (currently populated only
3080 * to length <b>cur_len</b> to decide a suitable middle hop for a
3081 * circuit. In particular, make sure we don't pick the exit node or its
3082 * family, and make sure we don't duplicate any previous nodes or their
3083 * families. */
3084 static routerinfo_t *
3085 choose_good_middle_server(uint8_t purpose,
3086 cpath_build_state_t *state,
3087 crypt_path_t *head,
3088 int cur_len)
3089 {
3090 int i;
3091 routerinfo_t *r, *choice;
3092 crypt_path_t *cpath;
3093 smartlist_t *excluded;
3094 or_options_t *options = get_options();
3095 router_crn_flags_t flags = 0;
3096 tor_assert(_CIRCUIT_PURPOSE_MIN <= purpose &&
3097 purpose <= _CIRCUIT_PURPOSE_MAX);
3098
3099 log_debug(LD_CIRC, "Contemplating intermediate hop: random choice.");
3100 excluded = smartlist_create();
3101 if ((r = build_state_get_exit_router(state))) {
3102 smartlist_add(excluded, r);
3103 routerlist_add_family(excluded, r);
3104 }
3105 for (i = 0, cpath = head; i < cur_len; ++i, cpath=cpath->next) {
3106 if ((r = router_get_by_digest(cpath->extend_info->identity_digest))) {
3107 smartlist_add(excluded, r);
3108 routerlist_add_family(excluded, r);
3109 }
3110 }
3111
3112 if (state->need_uptime)
3113 flags |= CRN_NEED_UPTIME;
3114 if (state->need_capacity)
3115 flags |= CRN_NEED_CAPACITY;
3116 if (options->_AllowInvalid & ALLOW_INVALID_MIDDLE)
3117 flags |= CRN_ALLOW_INVALID;
3118 choice = router_choose_random_node(excluded, options->ExcludeNodes, flags);
3119 smartlist_free(excluded);
3120 return choice;
3121 }
3122
3123 /** Pick a good entry server for the circuit to be built according to
3124 * <b>state</b>. Don't reuse a chosen exit (if any), don't use this
3125 * router (if we're an OR), and respect firewall settings; if we're
3126 * configured to use entry guards, return one.
3127 *
3128 * If <b>state</b> is NULL, we're choosing a router to serve as an entry
3129 * guard, not for any particular circuit.
3130 */
3131 static routerinfo_t *
3132 choose_good_entry_server(uint8_t purpose, cpath_build_state_t *state)
3133 {
3134 routerinfo_t *r, *choice;
3135 smartlist_t *excluded;
3136 or_options_t *options = get_options();
3137 router_crn_flags_t flags = CRN_NEED_GUARD;
3138
3139 if (state && options->UseEntryGuards &&
3140 (purpose != CIRCUIT_PURPOSE_TESTING || options->BridgeRelay)) {
3141 return choose_random_entry(state);
3142 }
3143
3144 excluded = smartlist_create();
3145
3146 if (state && (r = build_state_get_exit_router(state))) {
3147 smartlist_add(excluded, r);
3148 routerlist_add_family(excluded, r);
3149 }
3150 if (firewall_is_fascist_or()) {
3151 /*XXXX This could slow things down a lot; use a smarter implementation */
3152 /* exclude all ORs that listen on the wrong port, if anybody notices. */
3153 routerlist_t *rl = router_get_routerlist();
3154 int i;
3155
3156 for (i=0; i < smartlist_len(rl->routers); i++) {
3157 r = smartlist_get(rl->routers, i);
3158 if (!fascist_firewall_allows_or(r))
3159 smartlist_add(excluded, r);
3160 }
3161 }
3162 /* and exclude current entry guards, if applicable */
3163 if (options->UseEntryGuards && entry_guards) {
3164 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
3165 {
3166 if ((r = router_get_by_digest(entry->identity))) {
3167 smartlist_add(excluded, r);
3168 routerlist_add_family(excluded, r);
3169 }
3170 });
3171 }
3172
3173 if (state) {
3174 if (state->need_uptime)
3175 flags |= CRN_NEED_UPTIME;
3176 if (state->need_capacity)
3177 flags |= CRN_NEED_CAPACITY;
3178 }
3179 if (options->_AllowInvalid & ALLOW_INVALID_ENTRY)
3180 flags |= CRN_ALLOW_INVALID;
3181
3182 choice = router_choose_random_node(excluded, options->ExcludeNodes, flags);
3183 smartlist_free(excluded);
3184 return choice;
3185 }
3186
3187 /** Return the first non-open hop in cpath, or return NULL if all
3188 * hops are open. */
3189 static crypt_path_t *
3190 onion_next_hop_in_cpath(crypt_path_t *cpath)
3191 {
3192 crypt_path_t *hop = cpath;
3193 do {
3194 if (hop->state != CPATH_STATE_OPEN)
3195 return hop;
3196 hop = hop->next;
3197 } while (hop != cpath);
3198 return NULL;
3199 }
3200
3201 /** Choose a suitable next hop in the cpath <b>head_ptr</b>,
3202 * based on <b>state</b>. Append the hop info to head_ptr.
3203 */
3204 static int
3205 onion_extend_cpath(origin_circuit_t *circ)
3206 {
3207 uint8_t purpose = circ->_base.purpose;
3208 cpath_build_state_t *state = circ->build_state;
3209 int cur_len = circuit_get_cpath_len(circ);
3210 extend_info_t *info = NULL;
3211
3212 if (cur_len >= state->desired_path_len) {
3213 log_debug(LD_CIRC, "Path is complete: %d steps long",
3214 state->desired_path_len);
3215 return 1;
3216 }
3217
3218 log_debug(LD_CIRC, "Path is %d long; we want %d", cur_len,
3219 state->desired_path_len);
3220
3221 if (cur_len == state->desired_path_len - 1) { /* Picking last node */
3222 info = extend_info_dup(state->chosen_exit);
3223 } else if (cur_len == 0) { /* picking first node */
3224 routerinfo_t *r = choose_good_entry_server(purpose, state);
3225 if (r)
3226 info = extend_info_from_router(r);
3227 } else {
3228 routerinfo_t *r =
3229 choose_good_middle_server(purpose, state, circ->cpath, cur_len);
3230 if (r)
3231 info = extend_info_from_router(r);
3232 }
3233
3234 if (!info) {
3235 log_warn(LD_CIRC,"Failed to find node for hop %d of our path. Discarding "
3236 "this circuit.", cur_len);
3237 return -1;
3238 }
3239
3240 log_debug(LD_CIRC,"Chose router %s for hop %d (exit is %s)",
3241 info->nickname, cur_len+1, build_state_get_exit_nickname(state));
3242
3243 onion_append_hop(&circ->cpath, info);
3244 extend_info_free(info);
3245 return 0;
3246 }
3247
3248 /** Create a new hop, annotate it with information about its
3249 * corresponding router <b>choice</b>, and append it to the
3250 * end of the cpath <b>head_ptr</b>. */
3251 static int
3252 onion_append_hop(crypt_path_t **head_ptr, extend_info_t *choice)
3253 {
3254 crypt_path_t *hop = tor_malloc_zero(sizeof(crypt_path_t));
3255
3256 /* link hop into the cpath, at the end. */
3257 onion_append_to_cpath(head_ptr, hop);
3258
3259 hop->magic = CRYPT_PATH_MAGIC;
3260 hop->state = CPATH_STATE_CLOSED;
3261
3262 hop->extend_info = extend_info_dup(choice);
3263
3264 hop->package_window = circuit_initial_package_window();
3265 hop->deliver_window = CIRCWINDOW_START;
3266
3267 return 0;
3268 }
3269
3270 /** Allocate a new extend_info object based on the various arguments. */
3271 extend_info_t *
3272 extend_info_alloc(const char *nickname, const char *digest,
3273 crypto_pk_env_t *onion_key,
3274 const tor_addr_t *addr, uint16_t port)
3275 {
3276 extend_info_t *info = tor_malloc_zero(sizeof(extend_info_t));
3277 memcpy(info->identity_digest, digest, DIGEST_LEN);
3278 if (nickname)
3279 strlcpy(info->nickname, nickname, sizeof(info->nickname));
3280 if (onion_key)
3281 info->onion_key = crypto_pk_dup_key(onion_key);
3282 tor_addr_copy(&info->addr, addr);
3283 info->port = port;
3284 return info;
3285 }
3286
3287 /** Allocate and return a new extend_info_t that can be used to build a
3288 * circuit to or through the router <b>r</b>. */
3289 extend_info_t *
3290 extend_info_from_router(routerinfo_t *r)
3291 {
3292 tor_addr_t addr;
3293 tor_assert(r);
3294 tor_addr_from_ipv4h(&addr, r->addr);
3295 return extend_info_alloc(r->nickname, r->cache_info.identity_digest,
3296 r->onion_pkey, &addr, r->or_port);
3297 }
3298
3299 /** Release storage held by an extend_info_t struct. */
3300 void
3301 extend_info_free(extend_info_t *info)
3302 {
3303 if (!info)
3304 return;
3305 crypto_free_pk_env(info->onion_key);
3306 tor_free(info);
3307 }
3308
3309 /** Allocate and return a new extend_info_t with the same contents as
3310 * <b>info</b>. */
3311 extend_info_t *
3312 extend_info_dup(extend_info_t *info)
3313 {
3314 extend_info_t *newinfo;
3315 tor_assert(info);
3316 newinfo = tor_malloc(sizeof(extend_info_t));
3317 memcpy(newinfo, info, sizeof(extend_info_t));
3318 if (info->onion_key)
3319 newinfo->onion_key = crypto_pk_dup_key(info->onion_key);
3320 else
3321 newinfo->onion_key = NULL;
3322 return newinfo;
3323 }
3324
3325 /** Return the routerinfo_t for the chosen exit router in <b>state</b>.
3326 * If there is no chosen exit, or if we don't know the routerinfo_t for
3327 * the chosen exit, return NULL.
3328 */
3329 routerinfo_t *
3330 build_state_get_exit_router(cpath_build_state_t *state)
3331 {
3332 if (!state || !state->chosen_exit)
3333 return NULL;
3334 return router_get_by_digest(state->chosen_exit->identity_digest);
3335 }
3336
3337 /** Return the nickname for the chosen exit router in <b>state</b>. If
3338 * there is no chosen exit, or if we don't know the routerinfo_t for the
3339 * chosen exit, return NULL.
3340 */
3341 const char *
3342 build_state_get_exit_nickname(cpath_build_state_t *state)
3343 {
3344 if (!state || !state->chosen_exit)
3345 return NULL;
3346 return state->chosen_exit->nickname;
3347 }
3348
3349 /** Check whether the entry guard <b>e</b> is usable, given the directory
3350 * authorities' opinion about the router (stored in <b>ri</b>) and the user's
3351 * configuration (in <b>options</b>). Set <b>e</b>-&gt;bad_since
3352 * accordingly. Return true iff the entry guard's status changes.
3353 *
3354 * If it's not usable, set *<b>reason</b> to a static string explaining why.
3355 */
3356 /*XXXX take a routerstatus, not a routerinfo. */
3357 static int
3358 entry_guard_set_status(entry_guard_t *e, routerinfo_t *ri,
3359 time_t now, or_options_t *options, const char **reason)
3360 {
3361 char buf[HEX_DIGEST_LEN+1];
3362 int changed = 0;
3363
3364 *reason = NULL;
3365
3366 /* Do we want to mark this guard as bad? */
3367 if (!ri)
3368 *reason = "unlisted";
3369 else if (!ri->is_running)
3370 *reason = "down";
3371 else if (options->UseBridges && ri->purpose != ROUTER_PURPOSE_BRIDGE)
3372 *reason = "not a bridge";
3373 else if (!options->UseBridges && !ri->is_possible_guard &&
3374 !routerset_contains_router(options->EntryNodes,ri))
3375 *reason = "not recommended as a guard";
3376 else if (routerset_contains_router(options->ExcludeNodes, ri))
3377 *reason = "excluded";
3378
3379 if (*reason && ! e->bad_since) {
3380 /* Router is newly bad. */
3381 base16_encode(buf, sizeof(buf), e->identity, DIGEST_LEN);
3382 log_info(LD_CIRC, "Entry guard %s (%s) is %s: marking as unusable.",
3383 e->nickname, buf, *reason);
3384
3385 e->bad_since = now;
3386 control_event_guard(e->nickname, e->identity, "BAD");
3387 changed = 1;
3388 } else if (!*reason && e->bad_since) {
3389 /* There's nothing wrong with the router any more. */
3390 base16_encode(buf, sizeof(buf), e->identity, DIGEST_LEN);
3391 log_info(LD_CIRC, "Entry guard %s (%s) is no longer unusable: "
3392 "marking as ok.", e->nickname, buf);
3393
3394 e->bad_since = 0;
3395 control_event_guard(e->nickname, e->identity, "GOOD");
3396 changed = 1;
3397 }
3398 return changed;
3399 }
3400
3401 /** Return true iff enough time has passed since we last tried to connect
3402 * to the unreachable guard <b>e</b> that we're willing to try again. */
3403 static int
3404 entry_is_time_to_retry(entry_guard_t *e, time_t now)
3405 {
3406 long diff;
3407 if (e->last_attempted < e->unreachable_since)
3408 return 1;
3409 diff = now - e->unreachable_since;
3410 if (diff < 6*60*60)
3411 return now > (e->last_attempted + 60*60);
3412 else if (diff < 3*24*60*60)
3413 return now > (e->last_attempted + 4*60*60);
3414 else if (diff < 7*24*60*60)
3415 return now > (e->last_attempted + 18*60*60);
3416 else
3417 return now > (e->last_attempted + 36*60*60);
3418 }
3419
3420 /** Return the router corresponding to <b>e</b>, if <b>e</b> is
3421 * working well enough that we are willing to use it as an entry
3422 * right now. (Else return NULL.) In particular, it must be
3423 * - Listed as either up or never yet contacted;
3424 * - Present in the routerlist;
3425 * - Listed as 'stable' or 'fast' by the current dirserver consensus,
3426 * if demanded by <b>need_uptime</b> or <b>need_capacity</b>
3427 * (unless it's a configured EntryNode);
3428 * - Allowed by our current ReachableORAddresses config option; and
3429 * - Currently thought to be reachable by us (unless <b>assume_reachable</b>
3430 * is true).
3431 *
3432 * If the answer is no, set *<b>msg</b> to an explanation of why.
3433 */
3434 static INLINE routerinfo_t *
3435 entry_is_live(entry_guard_t *e, int need_uptime, int need_capacity,
3436 int assume_reachable, const char **msg)
3437 {
3438 routerinfo_t *r;
3439 or_options_t *options = get_options();
3440 tor_assert(msg);
3441
3442 if (e->bad_since) {
3443 *msg = "bad";
3444 return NULL;
3445 }
3446 /* no good if it's unreachable, unless assume_unreachable or can_retry. */
3447 if (!assume_reachable && !e->can_retry &&
3448 e->unreachable_since && !entry_is_time_to_retry(e, time(NULL))) {
3449 *msg = "unreachable";
3450 return NULL;
3451 }
3452 r = router_get_by_digest(e->identity);
3453 if (!r) {
3454 *msg = "no descriptor";
3455 return NULL;
3456 }
3457 if (get_options()->UseBridges && r->purpose != ROUTER_PURPOSE_BRIDGE) {
3458 *msg = "not a bridge";
3459 return NULL;
3460 }
3461 if (!get_options()->UseBridges && r->purpose != ROUTER_PURPOSE_GENERAL) {
3462 *msg = "not general-purpose";
3463 return NULL;
3464 }
3465 if (options->EntryNodes &&
3466 routerset_contains_router(options->EntryNodes, r)) {
3467 /* they asked for it, they get it */
3468 need_uptime = need_capacity = 0;
3469 }
3470 if (router_is_unreliable(r, need_uptime, need_capacity, 0)) {
3471 *msg = "not fast/stable";
3472 return NULL;
3473 }
3474 if (!fascist_firewall_allows_or(r)) {
3475 *msg = "unreachable by config";
3476 return NULL;
3477 }
3478 return r;
3479 }
3480
3481 /** Return the number of entry guards that we think are usable. */
3482 static int
3483 num_live_entry_guards(void)
3484 {
3485 int n = 0;
3486 const char *msg;
3487 if (! entry_guards)
3488 return 0;
3489 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
3490 {
3491 if (entry_is_live(entry, 0, 1, 0, &msg))
3492 ++n;
3493 });
3494 return n;
3495 }
3496
3497 /** If <b>digest</b> matches the identity of any node in the
3498 * entry_guards list, return that node. Else return NULL. */
3499 static INLINE entry_guard_t *
3500 is_an_entry_guard(const char *digest)
3501 {
3502 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
3503 if (!memcmp(digest, entry->identity, DIGEST_LEN))
3504 return entry;
3505 );
3506 return NULL;
3507 }
3508
3509 /** Dump a description of our list of entry guards to the log at level
3510 * <b>severity</b>. */
3511 static void
3512 log_entry_guards(int severity)
3513 {
3514 smartlist_t *elements = smartlist_create();
3515 char *s;
3516
3517 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
3518 {
3519 const char *msg = NULL;
3520 char *cp;
3521 if (entry_is_live(e, 0, 1, 0, &msg))
3522 tor_asprintf(&cp, "%s (up %s)",
3523 e->nickname,
3524 e->made_contact ? "made-contact" : "never-contacted");
3525 else
3526 tor_asprintf(&cp, "%s (%s, %s)",
3527 e->nickname, msg,
3528 e->made_contact ? "made-contact" : "never-contacted");
3529 smartlist_add(elements, cp);
3530 });
3531
3532 s = smartlist_join_strings(elements, ",", 0, NULL);
3533 SMARTLIST_FOREACH(elements, char*, cp, tor_free(cp));
3534 smartlist_free(elements);
3535 log_fn(severity,LD_CIRC,"%s",s);
3536 tor_free(s);
3537 }
3538
3539 /** Called when one or more guards that we would previously have used for some
3540 * purpose are no longer in use because a higher-priority guard has become
3541 * usable again. */
3542 static void
3543 control_event_guard_deferred(void)
3544 {
3545 /* XXXX We don't actually have a good way to figure out _how many_ entries
3546 * are live for some purpose. We need an entry_is_even_slightly_live()
3547 * function for this to work right. NumEntryGuards isn't reliable: if we
3548 * need guards with weird properties, we can have more than that number
3549 * live.
3550 **/
3551 #if 0
3552 int n = 0;
3553 const char *msg;
3554 or_options_t *options = get_options();
3555 if (!entry_guards)
3556 return;
3557 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
3558 {
3559 if (entry_is_live(entry, 0, 1, 0, &msg)) {
3560 if (n++ == options->NumEntryGuards) {
3561 control_event_guard(entry->nickname, entry->identity, "DEFERRED");
3562 return;
3563 }
3564 }
3565 });
3566 #endif
3567 }
3568
3569 /** Add a new (preferably stable and fast) router to our
3570 * entry_guards list. Return a pointer to the router if we succeed,
3571 * or NULL if we can't find any more suitable entries.
3572 *
3573 * If <b>chosen</b> is defined, use that one, and if it's not
3574 * already in our entry_guards list, put it at the *beginning*.
3575 * Else, put the one we pick at the end of the list. */
3576 static routerinfo_t *
3577 add_an_entry_guard(routerinfo_t *chosen, int reset_status)
3578 {
3579 routerinfo_t *router;
3580 entry_guard_t *entry;
3581
3582 if (chosen) {
3583 router = chosen;
3584 entry = is_an_entry_guard(router->cache_info.identity_digest);
3585 if (entry) {
3586 if (reset_status) {
3587 entry->bad_since = 0;
3588 entry->can_retry = 1;
3589 }
3590 return NULL;
3591 }
3592 } else {
3593 router = choose_good_entry_server(CIRCUIT_PURPOSE_C_GENERAL, NULL);
3594 if (!router)
3595 return NULL;
3596 }
3597 entry = tor_malloc_zero(sizeof(entry_guard_t));
3598 log_info(LD_CIRC, "Chose '%s' as new entry guard.", router->nickname);
3599 strlcpy(entry->nickname, router->nickname, sizeof(entry->nickname));
3600 memcpy(entry->identity, router->cache_info.identity_digest, DIGEST_LEN);
3601 /* Choose expiry time smudged over the past month. The goal here
3602 * is to a) spread out when Tor clients rotate their guards, so they
3603 * don't all select them on the same day, and b) avoid leaving a
3604 * precise timestamp in the state file about when we first picked
3605 * this guard. For details, see the Jan 2010 or-dev thread. */
3606 entry->chosen_on_date = time(NULL) - crypto_rand_int(3600*24*30);
3607 entry->chosen_by_version = tor_strdup(VERSION);
3608 if (chosen) /* prepend */
3609 smartlist_insert(entry_guards, 0, entry);
3610 else /* append */
3611 smartlist_add(entry_guards, entry);
3612 control_event_guard(entry->nickname, entry->identity, "NEW");
3613 control_event_guard_deferred();
3614 log_entry_guards(LOG_INFO);
3615 return router;
3616 }
3617
3618 /** If the use of entry guards is configured, choose more entry guards
3619 * until we have enough in the list. */
3620 static void
3621 pick_entry_guards(or_options_t *options)
3622 {
3623 int changed = 0;
3624
3625 tor_assert(entry_guards);
3626
3627 while (num_live_entry_guards() < options->NumEntryGuards) {
3628 if (!add_an_entry_guard(NULL, 0))
3629 break;
3630 changed = 1;
3631 }
3632 if (changed)
3633 entry_guards_changed();
3634 }
3635
3636 /** How long (in seconds) do we allow an entry guard to be nonfunctional,
3637 * unlisted, excluded, or otherwise nonusable before we give up on it? */
3638 #define ENTRY_GUARD_REMOVE_AFTER (30*24*60*60)
3639
3640 /** Release all storage held by <b>e</b>. */
3641 static void
3642 entry_guard_free(entry_guard_t *e)
3643 {
3644 if (!e)
3645 return;
3646 tor_free(e->chosen_by_version);
3647 tor_free(e);
3648 }
3649
3650 /** Remove any entry guard which was selected by an unknown version of Tor,
3651 * or which was selected by a version of Tor that's known to select
3652 * entry guards badly. */
3653 static int
3654 remove_obsolete_entry_guards(time_t now)
3655 {
3656 int changed = 0, i;
3657
3658 for (i = 0; i < smartlist_len(entry_guards); ++i) {
3659 entry_guard_t *entry = smartlist_get(entry_guards, i);
3660 const char *ver = entry->chosen_by_version;
3661 const char *msg = NULL;
3662 tor_version_t v;
3663 int version_is_bad = 0, date_is_bad = 0;
3664 if (!ver) {
3665 msg = "does not say what version of Tor it was selected by";
3666 version_is_bad = 1;
3667 } else if (tor_version_parse(ver, &v)) {
3668 msg = "does not seem to be from any recognized version of Tor";
3669 version_is_bad = 1;
3670 } else {
3671 size_t len = strlen(ver)+5;
3672 char *tor_ver = tor_malloc(len);
3673 tor_snprintf(tor_ver, len, "Tor %s", ver);
3674 if ((tor_version_as_new_as(tor_ver, "0.1.0.10-alpha") &&
3675 !tor_version_as_new_as(tor_ver, "0.1.2.16-dev")) ||
3676 (tor_version_as_new_as(tor_ver, "0.2.0.0-alpha") &&
3677 !tor_version_as_new_as(tor_ver, "0.2.0.6-alpha")) ||
3678 /* above are bug 440; below are bug 1217 */
3679 (tor_version_as_new_as(tor_ver, "0.2.1.3-alpha") &&
3680 !tor_version_as_new_as(tor_ver, "0.2.1.23")) ||
3681 (tor_version_as_new_as(tor_ver, "0.2.2.0-alpha") &&
3682 !tor_version_as_new_as(tor_ver, "0.2.2.7-alpha"))) {
3683 msg = "was selected without regard for guard bandwidth";
3684 version_is_bad = 1;
3685 }
3686 tor_free(tor_ver);
3687 }
3688 if (!version_is_bad && entry->chosen_on_date + 3600*24*60 < now) {
3689 /* It's been 2 months since the date listed in our state file. */
3690 msg = "was selected several months ago";
3691 date_is_bad = 1;
3692 }
3693
3694 if (version_is_bad || date_is_bad) { /* we need to drop it */
3695 char dbuf[HEX_DIGEST_LEN+1];
3696 tor_assert(msg);
3697 base16_encode(dbuf, sizeof(dbuf), entry->identity, DIGEST_LEN);
3698 log_fn(version_is_bad ? LOG_NOTICE : LOG_INFO, LD_CIRC,
3699 "Entry guard '%s' (%s) %s. (Version=%s.) Replacing it.",
3700 entry->nickname, dbuf, msg, ver?escaped(ver):"none");
3701 control_event_guard(entry->nickname, entry->identity, "DROPPED");
3702 entry_guard_free(entry);
3703 smartlist_del_keeporder(entry_guards, i--);
3704 log_entry_guards(LOG_INFO);
3705 changed = 1;
3706 }
3707 }
3708
3709 return changed ? 1 : 0;
3710 }
3711
3712 /** Remove all entry guards that have been down or unlisted for so
3713 * long that we don't think they'll come up again. Return 1 if we
3714 * removed any, or 0 if we did nothing. */
3715 static int
3716 remove_dead_entry_guards(time_t now)
3717 {
3718 char dbuf[HEX_DIGEST_LEN+1];
3719 char tbuf[ISO_TIME_LEN+1];
3720 int i;
3721 int changed = 0;
3722
3723 for (i = 0; i < smartlist_len(entry_guards); ) {
3724 entry_guard_t *entry = smartlist_get(entry_guards, i);
3725 if (entry->bad_since &&
3726 entry->bad_since + ENTRY_GUARD_REMOVE_AFTER < now) {
3727
3728 base16_encode(dbuf, sizeof(dbuf), entry->identity, DIGEST_LEN);
3729 format_local_iso_time(tbuf, entry->bad_since);
3730 log_info(LD_CIRC, "Entry guard '%s' (%s) has been down or unlisted "
3731 "since %s local time; removing.",
3732 entry->nickname, dbuf, tbuf);
3733 control_event_guard(entry->nickname, entry->identity, "DROPPED");
3734 entry_guard_free(entry);
3735 smartlist_del_keeporder(entry_guards, i);
3736 log_entry_guards(LOG_INFO);
3737 changed = 1;
3738 } else
3739 ++i;
3740 }
3741 return changed ? 1 : 0;
3742 }
3743
3744 /** A new directory or router-status has arrived; update the down/listed
3745 * status of the entry guards.
3746 *
3747 * An entry is 'down' if the directory lists it as nonrunning.
3748 * An entry is 'unlisted' if the directory doesn't include it.
3749 *
3750 * Don't call this on startup; only on a fresh download. Otherwise we'll
3751 * think that things are unlisted.
3752 */
3753 void
3754 entry_guards_compute_status(or_options_t *options, time_t now)
3755 {
3756 int changed = 0;
3757 int severity = LOG_DEBUG;
3758 digestmap_t *reasons;
3759
3760 if (! entry_guards)
3761 return;
3762
3763 if (options->EntryNodes) /* reshuffle the entry guard list if needed */
3764 entry_nodes_should_be_added();
3765
3766 reasons = digestmap_new();
3767 SMARTLIST_FOREACH_BEGIN(entry_guards, entry_guard_t *, entry)
3768 {
3769 routerinfo_t *r = router_get_by_digest(entry->identity);
3770 const char *reason = NULL;
3771 if (entry_guard_set_status(entry, r, now, options, &reason))
3772 changed = 1;
3773
3774 if (entry->bad_since)
3775 tor_assert(reason);
3776 if (reason)
3777 digestmap_set(reasons, entry->identity, (char*)reason);
3778 }
3779 SMARTLIST_FOREACH_END(entry);
3780
3781 if (remove_dead_entry_guards(now))
3782 changed = 1;
3783
3784 severity = changed ? LOG_DEBUG : LOG_INFO;
3785
3786 if (changed) {
3787 SMARTLIST_FOREACH_BEGIN(entry_guards, entry_guard_t *, entry) {
3788 const char *reason = digestmap_get(reasons, entry->identity);
3789 const char *live_msg = "";
3790 routerinfo_t *r = entry_is_live(entry, 0, 1, 0, &live_msg);
3791 log_info(LD_CIRC, "Summary: Entry '%s' is %s, %s%s%s, and %s%s.",
3792 entry->nickname,
3793 entry->unreachable_since ? "unreachable" : "reachable",
3794 entry->bad_since ? "unusable" : "usable",
3795 reason ? ", ": "",
3796 reason ? reason : "",
3797 r ? "live" : "not live / ",
3798 r ? "" : live_msg);
3799 } SMARTLIST_FOREACH_END(entry);
3800 log_info(LD_CIRC, " (%d/%d entry guards are usable/new)",
3801 num_live_entry_guards(), smartlist_len(entry_guards));
3802 log_entry_guards(LOG_INFO);
3803 entry_guards_changed();
3804 }
3805
3806 digestmap_free(reasons, NULL);
3807 }
3808
3809 /** Called when a connection to an OR with the identity digest <b>digest</b>
3810 * is established (<b>succeeded</b>==1) or has failed (<b>succeeded</b>==0).
3811 * If the OR is an entry, change that entry's up/down status.
3812 * Return 0 normally, or -1 if we want to tear down the new connection.
3813 *
3814 * If <b>mark_relay_status</b>, also call router_set_status() on this
3815 * relay.
3816 *
3817 * XXX022 change succeeded and mark_relay_status into 'int flags'.
3818 */
3819 int
3820 entry_guard_register_connect_status(const char *digest, int succeeded,
3821 int mark_relay_status, time_t now)
3822 {
3823 int changed = 0;
3824 int refuse_conn = 0;
3825 int first_contact = 0;
3826 entry_guard_t *entry = NULL;
3827 int idx = -1;
3828 char buf[HEX_DIGEST_LEN+1];
3829
3830 if (! entry_guards)
3831 return 0;
3832
3833 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
3834 {
3835 if (!memcmp(e->identity, digest, DIGEST_LEN)) {
3836 entry = e;
3837 idx = e_sl_idx;
3838 break;
3839 }
3840 });
3841
3842 if (!entry)
3843 return 0;
3844
3845 base16_encode(buf, sizeof(buf), entry->identity, DIGEST_LEN);
3846
3847 if (succeeded) {
3848 if (entry->unreachable_since) {
3849 log_info(LD_CIRC, "Entry guard '%s' (%s) is now reachable again. Good.",
3850 entry->nickname, buf);
3851 entry->can_retry = 0;
3852 entry->unreachable_since = 0;
3853 entry->last_attempted = now;
3854 control_event_guard(entry->nickname, entry->identity, "UP");
3855 changed = 1;
3856 }
3857 if (!entry->made_contact) {
3858 entry->made_contact = 1;
3859 first_contact = changed = 1;
3860 }
3861 } else { /* ! succeeded */
3862 if (!entry->made_contact) {
3863 /* We've never connected to this one. */
3864 log_info(LD_CIRC,
3865 "Connection to never-contacted entry guard '%s' (%s) failed. "
3866 "Removing from the list. %d/%d entry guards usable/new.",
3867 entry->nickname, buf,
3868 num_live_entry_guards()-1, smartlist_len(entry_guards)-1);
3869 control_event_guard(entry->nickname, entry->identity, "DROPPED");
3870 entry_guard_free(entry);
3871 smartlist_del_keeporder(entry_guards, idx);
3872 log_entry_guards(LOG_INFO);
3873 changed = 1;
3874 } else if (!entry->unreachable_since) {
3875 log_info(LD_CIRC, "Unable to connect to entry guard '%s' (%s). "
3876 "Marking as unreachable.", entry->nickname, buf);
3877 entry->unreachable_since = entry->last_attempted = now;
3878 control_event_guard(entry->nickname, entry->identity, "DOWN");
3879 changed = 1;
3880 entry->can_retry = 0; /* We gave it an early chance; no good. */
3881 } else {
3882 char tbuf[ISO_TIME_LEN+1];
3883 format_iso_time(tbuf, entry->unreachable_since);
3884 log_debug(LD_CIRC, "Failed to connect to unreachable entry guard "
3885 "'%s' (%s). It has been unreachable since %s.",
3886 entry->nickname, buf, tbuf);
3887 entry->last_attempted = now;
3888 entry->can_retry = 0; /* We gave it an early chance; no good. */
3889 }
3890 }
3891
3892 /* if the caller asked us to, also update the is_running flags for this
3893 * relay */
3894 if (mark_relay_status)
3895 router_set_status(digest, succeeded);
3896
3897 if (first_contact) {
3898 /* We've just added a new long-term entry guard. Perhaps the network just
3899 * came back? We should give our earlier entries another try too,
3900 * and close this connection so we don't use it before we've given
3901 * the others a shot. */
3902 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e, {
3903 if (e == entry)
3904 break;
3905 if (e->made_contact) {
3906 const char *msg;
3907 routerinfo_t *r = entry_is_live(e, 0, 1, 1, &msg);
3908 if (r && e->unreachable_since) {
3909 refuse_conn = 1;
3910 e->can_retry = 1;
3911 }
3912 }
3913 });
3914 if (refuse_conn) {
3915 log_info(LD_CIRC,
3916 "Connected to new entry guard '%s' (%s). Marking earlier "
3917 "entry guards up. %d/%d entry guards usable/new.",
3918 entry->nickname, buf,
3919 num_live_entry_guards(), smartlist_len(entry_guards));
3920 log_entry_guards(LOG_INFO);
3921 changed = 1;
3922 }
3923 }
3924
3925 if (changed)
3926 entry_guards_changed();
3927 return refuse_conn ? -1 : 0;
3928 }
3929
3930 /** When we try to choose an entry guard, should we parse and add
3931 * config's EntryNodes first? */
3932 static int should_add_entry_nodes = 0;
3933
3934 /** Called when the value of EntryNodes changes in our configuration. */
3935 void
3936 entry_nodes_should_be_added(void)
3937 {
3938 log_info(LD_CIRC, "EntryNodes config option set. Putting configured "
3939 "relays at the front of the entry guard list.");
3940 should_add_entry_nodes = 1;
3941 }
3942
3943 /** Add all nodes in EntryNodes that aren't currently guard nodes to the list
3944 * of guard nodes, at the front. */
3945 static void
3946 entry_guards_prepend_from_config(or_options_t *options)
3947 {
3948 smartlist_t *entry_routers, *entry_fps;
3949 smartlist_t *old_entry_guards_on_list, *old_entry_guards_not_on_list;
3950 tor_assert(entry_guards);
3951
3952 should_add_entry_nodes = 0;
3953
3954 if (!options->EntryNodes) {
3955 /* It's possible that a controller set EntryNodes, thus making
3956 * should_add_entry_nodes set, then cleared it again, all before the
3957 * call to choose_random_entry() that triggered us. If so, just return.
3958 */
3959 return;
3960 }
3961
3962 {
3963 char *string = routerset_to_string(options->EntryNodes);
3964 log_info(LD_CIRC,"Adding configured EntryNodes '%s'.", string);
3965 tor_free(string);
3966 }
3967
3968 entry_routers = smartlist_create();
3969 entry_fps = smartlist_create();
3970 old_entry_guards_on_list = smartlist_create();
3971 old_entry_guards_not_on_list = smartlist_create();
3972
3973 /* Split entry guards into those on the list and those not. */
3974
3975 /* XXXX022 Now that we allow countries and IP ranges in EntryNodes, this is
3976 * potentially an enormous list. For now, we disable such values for
3977 * EntryNodes in options_validate(); really, this wants a better solution.
3978 * Perhaps we should do this calculation once whenever the list of routers
3979 * changes or the entrynodes setting changes.
3980 */
3981 routerset_get_all_routers(entry_routers, options->EntryNodes, 0);
3982 SMARTLIST_FOREACH(entry_routers, routerinfo_t *, ri,
3983 smartlist_add(entry_fps,ri->cache_info.identity_digest));
3984 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e, {
3985 if (smartlist_digest_isin(entry_fps, e->identity))
3986 smartlist_add(old_entry_guards_on_list, e);
3987 else
3988 smartlist_add(old_entry_guards_not_on_list, e);
3989 });
3990
3991 /* Remove all currently configured entry guards from entry_routers. */
3992 SMARTLIST_FOREACH(entry_routers, routerinfo_t *, ri, {
3993 if (is_an_entry_guard(ri->cache_info.identity_digest)) {
3994 SMARTLIST_DEL_CURRENT(entry_routers, ri);
3995 }
3996 });
3997
3998 /* Now build the new entry_guards list. */
3999 smartlist_clear(entry_guards);
4000 /* First, the previously configured guards that are in EntryNodes. */
4001 smartlist_add_all(entry_guards, old_entry_guards_on_list);
4002 /* Next, the rest of EntryNodes */
4003 SMARTLIST_FOREACH(entry_routers, routerinfo_t *, ri, {
4004 add_an_entry_guard(ri, 0);
4005 });
4006 /* Finally, the remaining previously configured guards that are not in
4007 * EntryNodes, unless we're strict in which case we drop them */
4008 if (options->StrictNodes) {
4009 SMARTLIST_FOREACH(old_entry_guards_not_on_list, entry_guard_t *, e,
4010 entry_guard_free(e));
4011 } else {
4012 smartlist_add_all(entry_guards, old_entry_guards_not_on_list);
4013 }
4014
4015 smartlist_free(entry_routers);
4016 smartlist_free(entry_fps);
4017 smartlist_free(old_entry_guards_on_list);
4018 smartlist_free(old_entry_guards_not_on_list);
4019 entry_guards_changed();
4020 }
4021
4022 /** Return 0 if we're fine adding arbitrary routers out of the
4023 * directory to our entry guard list, or return 1 if we have a
4024 * list already and we'd prefer to stick to it.
4025 */
4026 int
4027 entry_list_is_constrained(or_options_t *options)
4028 {
4029 if (options->EntryNodes)
4030 return 1;
4031 if (options->UseBridges)
4032 return 1;
4033 return 0;
4034 }
4035
4036 /* Are we dead set against changing our entry guard list, or would we
4037 * change it if it means keeping Tor usable? */
4038 static int
4039 entry_list_is_totally_static(or_options_t *options)
4040 {
4041 if (options->EntryNodes && options->StrictNodes)
4042 return 1;
4043 if (options->UseBridges)
4044 return 1;
4045 return 0;
4046 }
4047
4048 /** Pick a live (up and listed) entry guard from entry_guards. If
4049 * <b>state</b> is non-NULL, this is for a specific circuit --
4050 * make sure not to pick this circuit's exit or any node in the
4051 * exit's family. If <b>state</b> is NULL, we're looking for a random
4052 * guard (likely a bridge). */
4053 routerinfo_t *
4054 choose_random_entry(cpath_build_state_t *state)
4055 {
4056 or_options_t *options = get_options();
4057 smartlist_t *live_entry_guards = smartlist_create();
4058 smartlist_t *exit_family = smartlist_create();
4059 routerinfo_t *chosen_exit = state?build_state_get_exit_router(state) : NULL;
4060 routerinfo_t *r = NULL;
4061 int need_uptime = state ? state->need_uptime : 0;
4062 int need_capacity = state ? state->need_capacity : 0;
4063 int preferred_min, consider_exit_family = 0;
4064
4065 if (chosen_exit) {
4066 smartlist_add(exit_family, chosen_exit);
4067 routerlist_add_family(exit_family, chosen_exit);
4068 consider_exit_family = 1;
4069 }
4070
4071 if (!entry_guards)
4072 entry_guards = smartlist_create();
4073
4074 if (should_add_entry_nodes)
4075 entry_guards_prepend_from_config(options);
4076
4077 if (!entry_list_is_constrained(options) &&
4078 smartlist_len(entry_guards) < options->NumEntryGuards)
4079 pick_entry_guards(options);
4080
4081 retry:
4082 smartlist_clear(live_entry_guards);
4083 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
4084 {
4085 const char *msg;
4086 r = entry_is_live(entry, need_uptime, need_capacity, 0, &msg);
4087 if (!r)
4088 continue; /* down, no point */
4089 if (consider_exit_family && smartlist_isin(exit_family, r))
4090 continue; /* avoid relays that are family members of our exit */
4091 if (options->EntryNodes &&
4092 !routerset_contains_router(options->EntryNodes, r)) {
4093 /* We've come to the end of our preferred entry nodes. */
4094 if (smartlist_len(live_entry_guards))
4095 goto choose_and_finish; /* only choose from the ones we like */
4096 if (options->StrictNodes) {
4097 /* in theory this case should never happen, since
4098 * entry_guards_prepend_from_config() drops unwanted relays */
4099 tor_fragile_assert();
4100 } else {
4101 log_info(LD_CIRC,
4102 "No relays from EntryNodes available. Using others.");
4103 }
4104 }
4105 smartlist_add(live_entry_guards, r);
4106 if (!entry->made_contact) {
4107 /* Always start with the first not-yet-contacted entry
4108 * guard. Otherwise we might add several new ones, pick
4109 * the second new one, and now we've expanded our entry
4110 * guard list without needing to. */
4111 goto choose_and_finish;
4112 }
4113 if (smartlist_len(live_entry_guards) >= options->NumEntryGuards)
4114 break; /* we have enough */
4115 });
4116
4117 if (entry_list_is_constrained(options)) {
4118 /* If we prefer the entry nodes we've got, and we have at least
4119 * one choice, that's great. Use it. */
4120 preferred_min = 1;
4121 } else {
4122 /* Try to have at least 2 choices available. This way we don't
4123 * get stuck with a single live-but-crummy entry and just keep
4124 * using him.
4125 * (We might get 2 live-but-crummy entry guards, but so be it.) */
4126 preferred_min = 2;
4127 }
4128
4129 if (smartlist_len(live_entry_guards) < preferred_min) {
4130 if (!entry_list_is_totally_static(options)) {
4131 /* still no? try adding a new entry then */
4132 /* XXX if guard doesn't imply fast and stable, then we need
4133 * to tell add_an_entry_guard below what we want, or it might
4134 * be a long time til we get it. -RD */
4135 r = add_an_entry_guard(NULL, 0);
4136 if (r) {
4137 entry_guards_changed();
4138 /* XXX we start over here in case the new node we added shares
4139 * a family with our exit node. There's a chance that we'll just
4140 * load up on entry guards here, if the network we're using is
4141 * one big family. Perhaps we should teach add_an_entry_guard()
4142 * to understand nodes-to-avoid-if-possible? -RD */
4143 goto retry;
4144 }
4145 }
4146 if (!r && need_uptime) {
4147 need_uptime = 0; /* try without that requirement */
4148 goto retry;
4149 }
4150 if (!r && need_capacity) {
4151 /* still no? last attempt, try without requiring capacity */
4152 need_capacity = 0;
4153 goto retry;
4154 }
4155 if (!r && entry_list_is_constrained(options) && consider_exit_family) {
4156 /* still no? if we're using bridges or have strictentrynodes
4157 * set, and our chosen exit is in the same family as all our
4158 * bridges/entry guards, then be flexible about families. */
4159 consider_exit_family = 0;
4160 goto retry;
4161 }
4162 /* live_entry_guards may be empty below. Oh well, we tried. */
4163 }
4164
4165 choose_and_finish:
4166 if (entry_list_is_constrained(options)) {
4167 /* We need to weight by bandwidth, because our bridges or entryguards
4168 * were not already selected proportional to their bandwidth. */
4169 r = routerlist_sl_choose_by_bandwidth(live_entry_guards, WEIGHT_FOR_GUARD);
4170 } else {
4171 /* We choose uniformly at random here, because choose_good_entry_server()
4172 * already weights its choices by bandwidth, so we don't want to
4173 * *double*-weight our guard selection. */
4174 r = smartlist_choose(live_entry_guards);
4175 }
4176 smartlist_free(live_entry_guards);
4177 smartlist_free(exit_family);
4178 return r;
4179 }
4180
4181 /** Parse <b>state</b> and learn about the entry guards it describes.
4182 * If <b>set</b> is true, and there are no errors, replace the global
4183 * entry_list with what we find.
4184 * On success, return 0. On failure, alloc into *<b>msg</b> a string
4185 * describing the error, and return -1.
4186 */
4187 int
4188 entry_guards_parse_state(or_state_t *state, int set, char **msg)
4189 {
4190 entry_guard_t *node = NULL;
4191 smartlist_t *new_entry_guards = smartlist_create();
4192 config_line_t *line;
4193 time_t now = time(NULL);
4194 const char *state_version = state->TorVersion;
4195 digestmap_t *added_by = digestmap_new();
4196
4197 *msg = NULL;
4198 for (line = state->EntryGuards; line; line = line->next) {
4199 if (!strcasecmp(line->key, "EntryGuard")) {
4200 smartlist_t *args = smartlist_create();
4201 node = tor_malloc_zero(sizeof(entry_guard_t));
4202 /* all entry guards on disk have been contacted */
4203 node->made_contact = 1;
4204 smartlist_add(new_entry_guards, node);
4205 smartlist_split_string(args, line->value, " ",
4206 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
4207 if (smartlist_len(args)<2) {
4208 *msg = tor_strdup("Unable to parse entry nodes: "
4209 "Too few arguments to EntryGuard");
4210 } else if (!is_legal_nickname(smartlist_get(args,0))) {
4211 *msg = tor_strdup("Unable to parse entry nodes: "
4212 "Bad nickname for EntryGuard");
4213 } else {
4214 strlcpy(node->nickname, smartlist_get(args,0), MAX_NICKNAME_LEN+1);
4215 if (base16_decode(node->identity, DIGEST_LEN, smartlist_get(args,1),
4216 strlen(smartlist_get(args,1)))<0) {
4217 *msg = tor_strdup("Unable to parse entry nodes: "
4218 "Bad hex digest for EntryGuard");
4219 }
4220 }
4221 SMARTLIST_FOREACH(args, char*, cp, tor_free(cp));
4222 smartlist_free(args);
4223 if (*msg)
4224 break;
4225 } else if (!strcasecmp(line->key, "EntryGuardDownSince") ||
4226 !strcasecmp(line->key, "EntryGuardUnlistedSince")) {
4227 time_t when;
4228 time_t last_try = 0;
4229 if (!node) {
4230 *msg = tor_strdup("Unable to parse entry nodes: "
4231 "EntryGuardDownSince/UnlistedSince without EntryGuard");
4232 break;
4233 }
4234 if (parse_iso_time(line->value, &when)<0) {
4235 *msg = tor_strdup("Unable to parse entry nodes: "
4236 "Bad time in EntryGuardDownSince/UnlistedSince");
4237 break;
4238 }
4239 if (when > now) {
4240 /* It's a bad idea to believe info in the future: you can wind
4241 * up with timeouts that aren't allowed to happen for years. */
4242 continue;
4243 }
4244 if (strlen(line->value) >= ISO_TIME_LEN+ISO_TIME_LEN+1) {
4245 /* ignore failure */
4246 (void) parse_iso_time(line->value+ISO_TIME_LEN+1, &last_try);
4247 }
4248 if (!strcasecmp(line->key, "EntryGuardDownSince")) {
4249 node->unreachable_since = when;
4250 node->last_attempted = last_try;
4251 } else {
4252 node->bad_since = when;
4253 }
4254 } else if (!strcasecmp(line->key, "EntryGuardAddedBy")) {
4255 char d[DIGEST_LEN];
4256 /* format is digest version date */
4257 if (strlen(line->value) < HEX_DIGEST_LEN+1+1+1+ISO_TIME_LEN) {
4258 log_warn(LD_BUG, "EntryGuardAddedBy line is not long enough.");
4259 continue;
4260 }
4261 if (base16_decode(d, sizeof(d), line->value, HEX_DIGEST_LEN)<0 ||
4262 line->value[HEX_DIGEST_LEN] != ' ') {
4263 log_warn(LD_BUG, "EntryGuardAddedBy line %s does not begin with "
4264 "hex digest", escaped(line->value));
4265 continue;
4266 }
4267 digestmap_set(added_by, d, tor_strdup(line->value+HEX_DIGEST_LEN+1));
4268 } else {
4269 log_warn(LD_BUG, "Unexpected key %s", line->key);
4270 }
4271 }
4272
4273 SMARTLIST_FOREACH(new_entry_guards, entry_guard_t *, e,
4274 {
4275 char *sp;
4276 char *val = digestmap_get(added_by, e->identity);
4277 if (val && (sp = strchr(val, ' '))) {
4278 time_t when;
4279 *sp++ = '\0';
4280 if (parse_iso_time(sp, &when)<0) {
4281 log_warn(LD_BUG, "Can't read time %s in EntryGuardAddedBy", sp);
4282 } else {
4283 e->chosen_by_version = tor_strdup(val);
4284 e->chosen_on_date = when;
4285 }
4286 } else {
4287 if (state_version) {
4288 e->chosen_by_version = tor_strdup(state_version);
4289 e->chosen_on_date = time(NULL) - crypto_rand_int(3600*24*30);
4290 }
4291 }
4292 });
4293
4294 if (*msg || !set) {
4295 SMARTLIST_FOREACH(new_entry_guards, entry_guard_t *, e,
4296 entry_guard_free(e));
4297 smartlist_free(new_entry_guards);
4298 } else { /* !err && set */
4299 if (entry_guards) {
4300 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
4301 entry_guard_free(e));
4302 smartlist_free(entry_guards);
4303 }
4304 entry_guards = new_entry_guards;
4305 entry_guards_dirty = 0;
4306 /* XXX022 hand new_entry_guards to this func, and move it up a
4307 * few lines, so we don't have to re-dirty it */
4308 if (remove_obsolete_entry_guards(now))
4309 entry_guards_dirty = 1;
4310 }
4311 digestmap_free(added_by, _tor_free);
4312 return *msg ? -1 : 0;
4313 }
4314
4315 /** Our list of entry guards has changed, or some element of one
4316 * of our entry guards has changed. Write the changes to disk within
4317 * the next few minutes.
4318 */
4319 static void
4320 entry_guards_changed(void)
4321 {
4322 time_t when;
4323 entry_guards_dirty = 1;
4324
4325 /* or_state_save() will call entry_guards_update_state(). */
4326 when = get_options()->AvoidDiskWrites ? time(NULL) + 3600 : time(NULL)+600;
4327 or_state_mark_dirty(get_or_state(), when);
4328 }
4329
4330 /** If the entry guard info has not changed, do nothing and return.
4331 * Otherwise, free the EntryGuards piece of <b>state</b> and create
4332 * a new one out of the global entry_guards list, and then mark
4333 * <b>state</b> dirty so it will get saved to disk.
4334 */
4335 void
4336 entry_guards_update_state(or_state_t *state)
4337 {
4338 config_line_t **next, *line;
4339 if (! entry_guards_dirty)
4340 return;
4341
4342 config_free_lines(state->EntryGuards);
4343 next = &state->EntryGuards;
4344 *next = NULL;
4345 if (!entry_guards)
4346 entry_guards = smartlist_create();
4347 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
4348 {
4349 char dbuf[HEX_DIGEST_LEN+1];
4350 if (!e->made_contact)
4351 continue; /* don't write this one to disk */
4352 *next = line = tor_malloc_zero(sizeof(config_line_t));
4353 line->key = tor_strdup("EntryGuard");
4354 line->value = tor_malloc(HEX_DIGEST_LEN+MAX_NICKNAME_LEN+2);
4355 base16_encode(dbuf, sizeof(dbuf), e->identity, DIGEST_LEN);
4356 tor_snprintf(line->value,HEX_DIGEST_LEN+MAX_NICKNAME_LEN+2,
4357 "%s %s", e->nickname, dbuf);
4358 next = &(line->next);
4359 if (e->unreachable_since) {
4360 *next = line = tor_malloc_zero(sizeof(config_line_t));
4361 line->key = tor_strdup("EntryGuardDownSince");
4362 line->value = tor_malloc(ISO_TIME_LEN+1+ISO_TIME_LEN+1);
4363 format_iso_time(line->value, e->unreachable_since);
4364 if (e->last_attempted) {
4365 line->value[ISO_TIME_LEN] = ' ';
4366 format_iso_time(line->value+ISO_TIME_LEN+1, e->last_attempted);
4367 }
4368 next = &(line->next);
4369 }
4370 if (e->bad_since) {
4371 *next = line = tor_malloc_zero(sizeof(config_line_t));
4372 line->key = tor_strdup("EntryGuardUnlistedSince");
4373 line->value = tor_malloc(ISO_TIME_LEN+1);
4374 format_iso_time(line->value, e->bad_since);
4375 next = &(line->next);
4376 }
4377 if (e->chosen_on_date && e->chosen_by_version &&
4378 !strchr(e->chosen_by_version, ' ')) {
4379 char d[HEX_DIGEST_LEN+1];
4380 char t[ISO_TIME_LEN+1];
4381 size_t val_len;
4382 *next = line = tor_malloc_zero(sizeof(config_line_t));
4383 line->key = tor_strdup("EntryGuardAddedBy");
4384 val_len = (HEX_DIGEST_LEN+1+strlen(e->chosen_by_version)
4385 +1+ISO_TIME_LEN+1);
4386 line->value = tor_malloc(val_len);
4387 base16_encode(d, sizeof(d), e->identity, DIGEST_LEN);
4388 format_iso_time(t, e->chosen_on_date);
4389 tor_snprintf(line->value, val_len, "%s %s %s",
4390 d, e->chosen_by_version, t);
4391 next = &(line->next);
4392 }
4393 });
4394 if (!get_options()->AvoidDiskWrites)
4395 or_state_mark_dirty(get_or_state(), 0);
4396 entry_guards_dirty = 0;
4397 }
4398
4399 /** If <b>question</b> is the string "entry-guards", then dump
4400 * to *<b>answer</b> a newly allocated string describing all of
4401 * the nodes in the global entry_guards list. See control-spec.txt
4402 * for details.
4403 * For backward compatibility, we also handle the string "helper-nodes".
4404 * */
4405 int
4406 getinfo_helper_entry_guards(control_connection_t *conn,
4407 const char *question, char **answer,
4408 const char **errmsg)
4409 {
4410 (void) conn;
4411 (void) errmsg;
4412
4413 if (!strcmp(question,"entry-guards") ||
4414 !strcmp(question,"helper-nodes")) {
4415 smartlist_t *sl = smartlist_create();
4416 char tbuf[ISO_TIME_LEN+1];
4417 char nbuf[MAX_VERBOSE_NICKNAME_LEN+1];
4418 if (!entry_guards)
4419 entry_guards = smartlist_create();
4420 SMARTLIST_FOREACH_BEGIN(entry_guards, entry_guard_t *, e) {
4421 size_t len = MAX_VERBOSE_NICKNAME_LEN+ISO_TIME_LEN+32;
4422 char *c = tor_malloc(len);
4423 const char *status = NULL;
4424 time_t when = 0;
4425 routerinfo_t *ri;
4426
4427 if (!e->made_contact) {
4428 status = "never-connected";
4429 } else if (e->bad_since) {
4430 when = e->bad_since;
4431 status = "unusable";
4432 } else {
4433 status = "up";
4434 }
4435
4436 ri = router_get_by_digest(e->identity);
4437 if (ri) {
4438 router_get_verbose_nickname(nbuf, ri);
4439 } else {
4440 nbuf[0] = '$';
4441 base16_encode(nbuf+1, sizeof(nbuf)-1, e->identity, DIGEST_LEN);
4442 /* e->nickname field is not very reliable if we don't know about
4443 * this router any longer; don't include it. */
4444 }
4445
4446 if (when) {
4447 format_iso_time(tbuf, when);
4448 tor_snprintf(c, len, "%s %s %s\n", nbuf, status, tbuf);
4449 } else {
4450 tor_snprintf(c, len, "%s %s\n", nbuf, status);
4451 }
4452 smartlist_add(sl, c);
4453 } SMARTLIST_FOREACH_END(e);
4454 *answer = smartlist_join_strings(sl, "", 0, NULL);
4455 SMARTLIST_FOREACH(sl, char *, c, tor_free(c));
4456 smartlist_free(sl);
4457 }
4458 return 0;
4459 }
4460
4461 /** Information about a configured bridge. Currently this just matches the
4462 * ones in the torrc file, but one day we may be able to learn about new
4463 * bridges on our own, and remember them in the state file. */
4464 typedef struct {
4465 /** Address of the bridge. */
4466 tor_addr_t addr;
4467 /** TLS port for the bridge. */
4468 uint16_t port;
4469 /** Expected identity digest, or all zero bytes if we don't know what the
4470 * digest should be. */
4471 char identity[DIGEST_LEN];
4472 /** When should we next try to fetch a descriptor for this bridge? */
4473 download_status_t fetch_status;
4474 } bridge_info_t;
4475
4476 /** A list of configured bridges. Whenever we actually get a descriptor
4477 * for one, we add it as an entry guard. */
4478 static smartlist_t *bridge_list = NULL;
4479
4480 /** Initialize the bridge list to empty, creating it if needed. */
4481 void
4482 clear_bridge_list(void)
4483 {
4484 if (!bridge_list)
4485 bridge_list = smartlist_create();
4486 SMARTLIST_FOREACH(bridge_list, bridge_info_t *, b, tor_free(b));
4487 smartlist_clear(bridge_list);
4488 }
4489
4490 /** Return a bridge pointer if <b>ri</b> is one of our known bridges
4491 * (either by comparing keys if possible, else by comparing addr/port).
4492 * Else return NULL. */
4493 static bridge_info_t *
4494 get_configured_bridge_by_addr_port_digest(tor_addr_t *addr, uint16_t port,
4495 const char *digest)
4496 {
4497 if (!bridge_list)
4498 return NULL;
4499 SMARTLIST_FOREACH_BEGIN(bridge_list, bridge_info_t *, bridge)
4500 {
4501 if (tor_digest_is_zero(bridge->identity) &&
4502 !tor_addr_compare(&bridge->addr, addr, CMP_EXACT) &&
4503 bridge->port == port)
4504 return bridge;
4505 if (!memcmp(bridge->identity, digest, DIGEST_LEN))
4506 return bridge;
4507 }
4508 SMARTLIST_FOREACH_END(bridge);
4509 return NULL;
4510 }
4511
4512 /** Wrapper around get_configured_bridge_by_addr_port_digest() to look
4513 * it up via router descriptor <b>ri</b>. */
4514 static bridge_info_t *
4515 get_configured_bridge_by_routerinfo(routerinfo_t *ri)
4516 {
4517 tor_addr_t addr;
4518 tor_addr_from_ipv4h(&addr, ri->addr);
4519 return get_configured_bridge_by_addr_port_digest(&addr,
4520 ri->or_port, ri->cache_info.identity_digest);
4521 }
4522
4523 /** Return 1 if <b>ri</b> is one of our known bridges, else 0. */
4524 int
4525 routerinfo_is_a_configured_bridge(routerinfo_t *ri)
4526 {
4527 return get_configured_bridge_by_routerinfo(ri) ? 1 : 0;
4528 }
4529
4530 /** We made a connection to a router at <b>addr</b>:<b>port</b>
4531 * without knowing its digest. Its digest turned out to be <b>digest</b>.
4532 * If it was a bridge, and we still don't know its digest, record it.
4533 */
4534 void
4535 learned_router_identity(tor_addr_t *addr, uint16_t port, const char *digest)
4536 {
4537 bridge_info_t *bridge =
4538 get_configured_bridge_by_addr_port_digest(addr, port, digest);
4539 if (bridge && tor_digest_is_zero(bridge->identity)) {
4540 memcpy(bridge->identity, digest, DIGEST_LEN);
4541 log_notice(LD_DIR, "Learned fingerprint %s for bridge %s:%d",
4542 hex_str(digest, DIGEST_LEN), fmt_addr(addr), port);
4543 }
4544 }
4545
4546 /** Remember a new bridge at <b>addr</b>:<b>port</b>. If <b>digest</b>
4547 * is set, it tells us the identity key too. */
4548 void
4549 bridge_add_from_config(const tor_addr_t *addr, uint16_t port, char *digest)
4550 {
4551 bridge_info_t *b = tor_malloc_zero(sizeof(bridge_info_t));
4552 tor_addr_copy(&b->addr, addr);
4553 b->port = port;
4554 if (digest)
4555 memcpy(b->identity, digest, DIGEST_LEN);
4556 b->fetch_status.schedule = DL_SCHED_BRIDGE;
4557 if (!bridge_list)
4558 bridge_list = smartlist_create();
4559 smartlist_add(bridge_list, b);
4560 }
4561
4562 /** If <b>digest</b> is one of our known bridges, return it. */
4563 static bridge_info_t *
4564 find_bridge_by_digest(const char *digest)
4565 {
4566 SMARTLIST_FOREACH(bridge_list, bridge_info_t *, bridge,
4567 {
4568 if (!memcmp(bridge->identity, digest, DIGEST_LEN))
4569 return bridge;
4570 });
4571 return NULL;
4572 }
4573
4574 /** We need to ask <b>bridge</b> for its server descriptor. <b>address</b>
4575 * is a helpful string describing this bridge. */
4576 static void
4577 launch_direct_bridge_descriptor_fetch(bridge_info_t *bridge)
4578 {
4579 char *address;
4580
4581 if (connection_get_by_type_addr_port_purpose(
4582 CONN_TYPE_DIR, &bridge->addr, bridge->port,
4583 DIR_PURPOSE_FETCH_SERVERDESC))
4584 return; /* it's already on the way */
4585
4586 address = tor_dup_addr(&bridge->addr);
4587 directory_initiate_command(address, &bridge->addr,
4588 bridge->port, 0,
4589 0, /* does not matter */
4590 1, bridge->identity,
4591 DIR_PURPOSE_FETCH_SERVERDESC,
4592 ROUTER_PURPOSE_BRIDGE,
4593 0, "authority.z", NULL, 0, 0);
4594 tor_free(address);
4595 }
4596
4597 /** Fetching the bridge descriptor from the bridge authority returned a
4598 * "not found". Fall back to trying a direct fetch. */
4599 void
4600 retry_bridge_descriptor_fetch_directly(const char *digest)
4601 {
4602 bridge_info_t *bridge = find_bridge_by_digest(digest);
4603 if (!bridge)
4604 return; /* not found? oh well. */
4605
4606 launch_direct_bridge_descriptor_fetch(bridge);
4607 }
4608
4609 /** For each bridge in our list for which we don't currently have a
4610 * descriptor, fetch a new copy of its descriptor -- either directly
4611 * from the bridge or via a bridge authority. */
4612 void
4613 fetch_bridge_descriptors(or_options_t *options, time_t now)
4614 {
4615 int num_bridge_auths = get_n_authorities(BRIDGE_AUTHORITY);
4616 int ask_bridge_directly;
4617 int can_use_bridge_authority;
4618
4619 if (!bridge_list)
4620 return;
4621
4622 SMARTLIST_FOREACH_BEGIN(bridge_list, bridge_info_t *, bridge)
4623 {
4624 if (!download_status_is_ready(&bridge->fetch_status, now,
4625 IMPOSSIBLE_TO_DOWNLOAD))
4626 continue; /* don't bother, no need to retry yet */
4627
4628 /* schedule another fetch as if this one will fail, in case it does */
4629 download_status_failed(&bridge->fetch_status, 0);
4630
4631 can_use_bridge_authority = !tor_digest_is_zero(bridge->identity) &&
4632 num_bridge_auths;
4633 ask_bridge_directly = !can_use_bridge_authority ||
4634 !options->UpdateBridgesFromAuthority;
4635 log_debug(LD_DIR, "ask_bridge_directly=%d (%d, %d, %d)",
4636 ask_bridge_directly, tor_digest_is_zero(bridge->identity),
4637 !options->UpdateBridgesFromAuthority, !num_bridge_auths);
4638
4639 if (ask_bridge_directly &&
4640 !fascist_firewall_allows_address_or(&bridge->addr, bridge->port)) {
4641 log_notice(LD_DIR, "Bridge at '%s:%d' isn't reachable by our "
4642 "firewall policy. %s.", fmt_addr(&bridge->addr),
4643 bridge->port,
4644 can_use_bridge_authority ?
4645 "Asking bridge authority instead" : "Skipping");
4646 if (can_use_bridge_authority)
4647 ask_bridge_directly = 0;
4648 else
4649 continue;
4650 }
4651
4652 if (ask_bridge_directly) {
4653 /* we need to ask the bridge itself for its descriptor. */
4654 launch_direct_bridge_descriptor_fetch(bridge);
4655 } else {
4656 /* We have a digest and we want to ask an authority. We could
4657 * combine all the requests into one, but that may give more
4658 * hints to the bridge authority than we want to give. */
4659 char resource[10 + HEX_DIGEST_LEN];
4660 memcpy(resource, "fp/", 3);
4661 base16_encode(resource+3, HEX_DIGEST_LEN+1,
4662 bridge->identity, DIGEST_LEN);
4663 memcpy(resource+3+HEX_DIGEST_LEN, ".z", 3);
4664 log_info(LD_DIR, "Fetching bridge info '%s' from bridge authority.",
4665 resource);
4666 directory_get_from_dirserver(DIR_PURPOSE_FETCH_SERVERDESC,
4667 ROUTER_PURPOSE_BRIDGE, resource, 0);
4668 }
4669 }
4670 SMARTLIST_FOREACH_END(bridge);
4671 }
4672
4673 /** We just learned a descriptor for a bridge. See if that
4674 * digest is in our entry guard list, and add it if not. */
4675 void
4676 learned_bridge_descriptor(routerinfo_t *ri, int from_cache)
4677 {
4678 tor_assert(ri);
4679 tor_assert(ri->purpose == ROUTER_PURPOSE_BRIDGE);
4680 if (get_options()->UseBridges) {
4681 int first = !any_bridge_descriptors_known();
4682 bridge_info_t *bridge = get_configured_bridge_by_routerinfo(ri);
4683 time_t now = time(NULL);
4684 ri->is_running = 1;
4685
4686 if (bridge) { /* if we actually want to use this one */
4687 /* it's here; schedule its re-fetch for a long time from now. */
4688 if (!from_cache)
4689 download_status_reset(&bridge->fetch_status);
4690
4691 add_an_entry_guard(ri, 1);
4692 log_notice(LD_DIR, "new bridge descriptor '%s' (%s)", ri->nickname,
4693 from_cache ? "cached" : "fresh");
4694 /* set entry->made_contact so if it goes down we don't drop it from
4695 * our entry node list */
4696 entry_guard_register_connect_status(ri->cache_info.identity_digest,
4697 1, 0, now);
4698 if (first)
4699 routerlist_retry_directory_downloads(now);
4700 }
4701 }
4702 }
4703
4704 /** Return 1 if any of our entry guards have descriptors that
4705 * are marked with purpose 'bridge' and are running. Else return 0.
4706 *
4707 * We use this function to decide if we're ready to start building
4708 * circuits through our bridges, or if we need to wait until the
4709 * directory "server/authority" requests finish. */
4710 int
4711 any_bridge_descriptors_known(void)
4712 {
4713 tor_assert(get_options()->UseBridges);
4714 return choose_random_entry(NULL)!=NULL ? 1 : 0;
4715 }
4716
4717 /** Return 1 if there are any directory conns fetching bridge descriptors
4718 * that aren't marked for close. We use this to guess if we should tell
4719 * the controller that we have a problem. */
4720 int
4721 any_pending_bridge_descriptor_fetches(void)
4722 {
4723 smartlist_t *conns = get_connection_array();
4724 SMARTLIST_FOREACH(conns, connection_t *, conn,
4725 {
4726 if (conn->type == CONN_TYPE_DIR &&
4727 conn->purpose == DIR_PURPOSE_FETCH_SERVERDESC &&
4728 TO_DIR_CONN(conn)->router_purpose == ROUTER_PURPOSE_BRIDGE &&
4729 !conn->marked_for_close &&
4730 conn->linked && !conn->linked_conn->marked_for_close) {
4731 log_debug(LD_DIR, "found one: %s", conn->address);
4732 return 1;
4733 }
4734 });
4735 return 0;
4736 }
4737
4738 /** Return 1 if we have at least one descriptor for an entry guard
4739 * (bridge or member of EntryNodes) and all descriptors we know are
4740 * down. Else return 0. If <b>act</b> is 1, then mark the down guards
4741 * up; else just observe and report. */
4742 static int
4743 entries_retry_helper(or_options_t *options, int act)
4744 {
4745 routerinfo_t *ri;
4746 int any_known = 0;
4747 int any_running = 0;
4748 int purpose = options->UseBridges ?
4749 ROUTER_PURPOSE_BRIDGE : ROUTER_PURPOSE_GENERAL;
4750 if (!entry_guards)
4751 entry_guards = smartlist_create();
4752 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
4753 {
4754 ri = router_get_by_digest(e->identity);
4755 if (ri && ri->purpose == purpose) {
4756 any_known = 1;
4757 if (ri->is_running)
4758 any_running = 1; /* some entry is both known and running */
4759 else if (act) {
4760 /* Mark all current connections to this OR as unhealthy, since
4761 * otherwise there could be one that started 30 seconds
4762 * ago, and in 30 seconds it will time out, causing us to mark
4763 * the node down and undermine the retry attempt. We mark even
4764 * the established conns, since if the network just came back
4765 * we'll want to attach circuits to fresh conns. */
4766 connection_or_set_bad_connections(ri->cache_info.identity_digest, 1);
4767
4768 /* mark this entry node for retry */
4769 router_set_status(ri->cache_info.identity_digest, 1);
4770 e->can_retry = 1;
4771 e->bad_since = 0;
4772 }
4773 }
4774 });
4775 log_debug(LD_DIR, "%d: any_known %d, any_running %d",
4776 act, any_known, any_running);
4777 return any_known && !any_running;
4778 }
4779
4780 /** Do we know any descriptors for our bridges / entrynodes, and are
4781 * all the ones we have descriptors for down? */
4782 int
4783 entries_known_but_down(or_options_t *options)
4784 {
4785 tor_assert(entry_list_is_constrained(options));
4786 return entries_retry_helper(options, 0);
4787 }
4788
4789 /** Mark all down known bridges / entrynodes up. */
4790 void
4791 entries_retry_all(or_options_t *options)
4792 {
4793 tor_assert(entry_list_is_constrained(options));
4794 entries_retry_helper(options, 1);
4795 }
4796
4797 /** Release all storage held by the list of entry guards and related
4798 * memory structs. */
4799 void
4800 entry_guards_free_all(void)
4801 {
4802 if (entry_guards) {
4803 SMARTLIST_FOREACH(entry_guards, entry_guard_t *, e,
4804 entry_guard_free(e));
4805 smartlist_free(entry_guards);
4806 entry_guards = NULL;
4807 }
4808 clear_bridge_list();
4809 smartlist_free(bridge_list);
4810 bridge_list = NULL;
4811 }
4812