diff options
| author | Micah Elizabeth Scott <beth@torproject.org> | 2023-05-16 16:28:26 -0700 |
|---|---|---|
| committer | David Goulet <dgoulet@torproject.org> | 2023-05-24 11:43:11 -0400 |
| commit | 23f4a28f9755a228ab295d5358298f1a72f8aff1 (patch) | |
| tree | b6ab276b75d9ee5bd8ce693d6f1162ef4a66fe92 /src/test/test_hs_dos.c | |
| parent | a3ff3155c22e7cf093667c6c32166a8f9c77a79a (diff) | |
| download | tor-23f4a28f9755a228ab295d5358298f1a72f8aff1.tar.gz tor-23f4a28f9755a228ab295d5358298f1a72f8aff1.zip | |
token_bucket_ctr: replace 32-bit wallclock time with monotime
This started as a response to ticket #40792 where Coverity is
complaining about a potential year 2038 bug where we cast time_t from
approx_time() to uint32_t for use in token_bucket_ctr.
There was a larger can of worms though, since token_bucket really
doesn't want to be using wallclock time here. I audited the call sites
for approx_time() and changed any that used a 32-bit cast or made
inappropriate use of wallclock time. Things like certificate lifetime,
consensus intervals, etc. need wallclock time. Measurements of rates
over time, however, are better served with a monotonic timer that does
not try and sync with wallclock ever.
Looking closer at token_bucket, its design is a bit odd because it was
initially intended for use with tick units but later forked into
token_bucket_rw which uses ticks to count bytes per second, and
token_bucket_ctr which uses seconds to count slower events. The rates
represented by either token bucket can't be lower than 1 per second, so
the slower timer in 'ctr' is necessary to represent the slower rates of
things like connections or introduction packets or rendezvous attempts.
I considered modifying token_bucket to use 64-bit timestamps overall
instead of 32-bit, but that seemed like an unnecessarily invasive change
that would grant some peace of mind but probably not help much. I was
more interested in removing the dependency on wallclock time. The
token_bucket_rw timer already uses monotonic time. This patch converts
token_bucket_ctr to use monotonic time as well. It introduces a new
monotime_coarse_absolute_sec(), which is currently the same as nsec
divided by a billion but could be optimized easily if we ever need to.
This patch also might fix a rollover bug.. I haven't tested this
extensively but I don't think the previous version of the rollover code
on either token bucket was correct, and I would expect it to get stuck
after the first rollover.
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
Diffstat (limited to 'src/test/test_hs_dos.c')
| -rw-r--r-- | src/test/test_hs_dos.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/src/test/test_hs_dos.c b/src/test/test_hs_dos.c index 70f2ef412f..81410f7b9b 100644 --- a/src/test/test_hs_dos.c +++ b/src/test/test_hs_dos.c @@ -16,6 +16,7 @@ #include "test/log_test_helpers.h" #include "app/config/config.h" +#include "lib/time/compat_time.h" #include "core/or/circuitlist.h" #include "core/or/circuituse.h" @@ -45,7 +46,8 @@ free_mock_consensus(void) static void test_can_send_intro2(void *arg) { - uint32_t now = (uint32_t) approx_time(); + static const uint64_t BILLION = 1000000000; + uint64_t now = 12345; or_circuit_t *or_circ = NULL; (void) arg; @@ -55,6 +57,8 @@ test_can_send_intro2(void *arg) get_options_mutable()->ORPort_set = 1; setup_mock_consensus(); + monotime_enable_test_mocking(); + monotime_coarse_set_mock_time_nsec(now); or_circ = or_circuit_new(1, NULL); @@ -68,7 +72,7 @@ test_can_send_intro2(void *arg) /* Simulate that 10 cells have arrived in 1 second. There should be no * refill since the bucket is already at maximum on the first cell. */ - update_approx_time(++now); + monotime_coarse_set_mock_time_nsec(now += BILLION); for (int i = 0; i < 10; i++) { tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ)); } @@ -76,7 +80,7 @@ test_can_send_intro2(void *arg) get_intro2_burst_consensus_param(NULL) - 10); /* Fully refill the bucket minus 1 cell. */ - update_approx_time(++now); + monotime_coarse_set_mock_time_nsec(now += BILLION); tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ)); tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ, get_intro2_burst_consensus_param(NULL) - 1); @@ -84,7 +88,7 @@ test_can_send_intro2(void *arg) /* Receive an INTRODUCE2 at each second. We should have the bucket full * since at every second it gets refilled. */ for (int i = 0; i < 10; i++) { - update_approx_time(++now); + monotime_coarse_set_mock_time_nsec(now += BILLION); tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ)); } /* Last check if we can send the cell decrements the bucket so minus 1. */ @@ -92,7 +96,8 @@ test_can_send_intro2(void *arg) get_intro2_burst_consensus_param(NULL) - 1); /* Manually reset bucket for next test. */ - token_bucket_ctr_reset(&or_circ->introduce2_bucket, now); + token_bucket_ctr_reset(&or_circ->introduce2_bucket, + (uint32_t) monotime_coarse_absolute_sec()); tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ, get_intro2_burst_consensus_param(NULL)); @@ -115,7 +120,7 @@ test_can_send_intro2(void *arg) } /* One second has passed, we should have the rate minus 1 cell added. */ - update_approx_time(++now); + monotime_coarse_set_mock_time_nsec(now += BILLION); tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ)); tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ, get_intro2_rate_consensus_param(NULL) - 1); @@ -125,6 +130,7 @@ test_can_send_intro2(void *arg) hs_free_all(); free_mock_consensus(); + monotime_disable_test_mocking(); } static void |