diff options
| author | David Goulet <dgoulet@torproject.org> | 2019-11-06 10:23:33 -0500 |
|---|---|---|
| committer | David Goulet <dgoulet@torproject.org> | 2019-11-06 10:23:33 -0500 |
| commit | 49cb7d6ec4fd57922e80f16f859ef691491a92d7 (patch) | |
| tree | 879339930f94b2fcd0eebd38329d02797442d977 /src/feature | |
| parent | 059a5795d32cae9f5801cdc980a7abbd22996ba3 (diff) | |
| parent | 1407e2b169bf187b77528417882a065a4e8f1e60 (diff) | |
| download | tor-49cb7d6ec4fd57922e80f16f859ef691491a92d7.tar.gz tor-49cb7d6ec4fd57922e80f16f859ef691491a92d7.zip | |
Merge branch 'tor-github/pr/1491'
Diffstat (limited to 'src/feature')
| -rw-r--r-- | src/feature/hs/hs_dos.c | 27 | ||||
| -rw-r--r-- | src/feature/hs/hs_dos.h | 3 |
2 files changed, 27 insertions, 3 deletions
diff --git a/src/feature/hs/hs_dos.c b/src/feature/hs/hs_dos.c index 19794e09d3..d36ee97e6b 100644 --- a/src/feature/hs/hs_dos.c +++ b/src/feature/hs/hs_dos.c @@ -45,6 +45,9 @@ * introduction DoS defense. Disabled by default. */ #define HS_DOS_INTRODUCE_ENABLED_DEFAULT 0 +/* INTRODUCE2 rejected request counter. */ +static uint64_t intro2_rejected_count = 0; + /* Consensus parameters. The ESTABLISH_INTRO DoS cell extension have higher * priority than these values. If no extension is sent, these are used only by * the introduction point. */ @@ -163,12 +166,12 @@ hs_dos_can_send_intro2(or_circuit_t *s_intro_circ) * This can be set by the consensus, the ESTABLISH_INTRO cell extension or * the hardcoded values in tor code. */ if (!s_intro_circ->introduce2_dos_defense_enabled) { - return true; + goto allow; } /* Should not happen but if so, scream loudly. */ if (BUG(TO_CIRCUIT(s_intro_circ)->purpose != CIRCUIT_PURPOSE_INTRO_POINT)) { - return false; + goto disallow; } /* This is called just after we got a valid and parsed INTRODUCE1 cell. The @@ -189,7 +192,25 @@ hs_dos_can_send_intro2(or_circuit_t *s_intro_circ) } /* Finally, we can send a new INTRODUCE2 if there are still tokens. */ - return token_bucket_ctr_get(&s_intro_circ->introduce2_bucket) > 0; + if (token_bucket_ctr_get(&s_intro_circ->introduce2_bucket) > 0) { + goto allow; + } + + /* Fallthrough is to disallow since this means the bucket has reached 0. */ + disallow: + /* Increment stats counter, we are rejecting the INTRO2 cell. */ + intro2_rejected_count++; + return false; + + allow: + return true; +} + +/* Return rolling count of rejected INTRO2. */ +uint64_t +hs_dos_get_intro2_rejected_count(void) +{ + return intro2_rejected_count; } /* Initialize the onion service Denial of Service subsystem. */ diff --git a/src/feature/hs/hs_dos.h b/src/feature/hs/hs_dos.h index ccf4e27179..b9e39aca4e 100644 --- a/src/feature/hs/hs_dos.h +++ b/src/feature/hs/hs_dos.h @@ -24,6 +24,9 @@ void hs_dos_consensus_has_changed(const networkstatus_t *ns); bool hs_dos_can_send_intro2(or_circuit_t *s_intro_circ); void hs_dos_setup_default_intro2_defenses(or_circuit_t *circ); +/* Statistics. */ +uint64_t hs_dos_get_intro2_rejected_count(void); + #ifdef HS_DOS_PRIVATE #ifdef TOR_UNIT_TESTS |