authorDavid Goulet <dgoulet@torproject.org>2019-11-06 10:23:33 -0500
committerDavid Goulet <dgoulet@torproject.org>2019-11-06 10:23:33 -0500
commit49cb7d6ec4fd57922e80f16f859ef691491a92d7 (patch)
tree879339930f94b2fcd0eebd38329d02797442d977 /src/feature/hs
parent059a5795d32cae9f5801cdc980a7abbd22996ba3 (diff)
parent1407e2b169bf187b77528417882a065a4e8f1e60 (diff)
Merge branch 'tor-github/pr/1491'
Diffstat (limited to 'src/feature/hs')
-rw-r--r--src/feature/hs/hs_dos.c27
-rw-r--r--src/feature/hs/hs_dos.h3
2 files changed, 27 insertions, 3 deletions
diff --git a/src/feature/hs/hs_dos.c b/src/feature/hs/hs_dos.c
index 19794e09d3..d36ee97e6b 100644
--- a/src/feature/hs/hs_dos.c
+++ b/src/feature/hs/hs_dos.c
@@ -45,6 +45,9 @@
* introduction DoS defense. Disabled by default. */
#define HS_DOS_INTRODUCE_ENABLED_DEFAULT 0
+/* INTRODUCE2 rejected request counter. */
+static uint64_t intro2_rejected_count = 0;
+
/* Consensus parameters. The ESTABLISH_INTRO DoS cell extension have higher
* priority than these values. If no extension is sent, these are used only by
* the introduction point. */
@@ -163,12 +166,12 @@ hs_dos_can_send_intro2(or_circuit_t *s_intro_circ)
* This can be set by the consensus, the ESTABLISH_INTRO cell extension or
* the hardcoded values in tor code. */
if (!s_intro_circ->introduce2_dos_defense_enabled) {
- return true;
+ goto allow;
}
/* Should not happen but if so, scream loudly. */
if (BUG(TO_CIRCUIT(s_intro_circ)->purpose != CIRCUIT_PURPOSE_INTRO_POINT)) {
- return false;
+ goto disallow;
}
/* This is called just after we got a valid and parsed INTRODUCE1 cell. The
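Review bot: The `goto disallow` on the BUG() branch routes an internal consistency failure through the same label that increments `intro2_rejected_count` in the next hunk, so a circuit with an unexpected purpose is recorded as a DoS-defense rejection. If the counter is meant to report only rate-limit hits, that branch could keep `return false;`, or the increment could move into the empty-bucket path. Otherwise the comment above the label, `/* Fallthrough is to disallow since this means the bucket has reached 0. */`, should say that the BUG path lands there as well, so that whoever reads the statistic during an incident knows what it includes. The body of hs_dos_can_send_intro2() starts before and continues past this hunk.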
@@ -189,7 +192,25 @@ hs_dos_can_send_intro2(or_circuit_t *s_intro_circ)
}
/* Finally, we can send a new INTRODUCE2 if there are still tokens. */
- return token_bucket_ctr_get(&s_intro_circ->introduce2_bucket) > 0;
+ if (token_bucket_ctr_get(&s_intro_circ->introduce2_bucket) > 0) {
+ goto allow;
+ }
+
+ /* Fallthrough is to disallow since this means the bucket has reached 0. */
+ disallow:
+ /* Increment stats counter, we are rejecting the INTRO2 cell. */
+ intro2_rejected_count++;
+ return false;
+
+ allow:
+ return true;
+}
+
+/* Return rolling count of rejected INTRO2. */
+uint64_t
+hs_dos_get_intro2_rejected_count(void)
+{
+ return intro2_rejected_count;
}
/* Initialize the onion service Denial of Service subsystem. */
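Review bot: The comment on `hs_dos_get_intro2_rejected_count()` says "rolling count", but in the visible hunks `intro2_rejected_count` is a file-scope static that is only incremented and never reset or windowed. It therefore reads as a process-lifetime total shared by every intro circuit, not a per-service or per-interval figure. A comment such as `/* Return the total number of INTRODUCE2 requests rejected by the DoS defense since startup, summed over all intro circuits; take deltas to get a rate. */` would tell the consumer how to interpret the value when judging whether the defense is currently firing. The consumer is not shown here, and if a reset exists elsewhere in the file the comment should name it instead.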
diff --git a/src/feature/hs/hs_dos.h b/src/feature/hs/hs_dos.h
index ccf4e27179..b9e39aca4e 100644
--- a/src/feature/hs/hs_dos.h
+++ b/src/feature/hs/hs_dos.h
@@ -24,6 +24,9 @@ void hs_dos_consensus_has_changed(const networkstatus_t *ns);
bool hs_dos_can_send_intro2(or_circuit_t *s_intro_circ);
void hs_dos_setup_default_intro2_defenses(or_circuit_t *circ);
+/* Statistics. */
+uint64_t hs_dos_get_intro2_rejected_count(void);
+
#ifdef HS_DOS_PRIVATE
#ifdef TOR_UNIT_TESTS