diff options
Diffstat (limited to 'src/core/or/circuituse.c')
| -rw-r--r-- | src/core/or/circuituse.c | 223 |
1 files changed, 142 insertions, 81 deletions
diff --git a/src/core/or/circuituse.c b/src/core/or/circuituse.c index 7273be3510..0f3fc29361 100644 --- a/src/core/or/circuituse.c +++ b/src/core/or/circuituse.c @@ -1,7 +1,7 @@ /* Copyright (c) 2001 Matej Pfajfar. * Copyright (c) 2001-2004, Roger Dingledine. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. - * Copyright (c) 2007-2019, The Tor Project, Inc. */ + * Copyright (c) 2007-2020, The Tor Project, Inc. */ /* See LICENSE for licensing information */ /** @@ -35,13 +35,17 @@ #include "core/or/circuitlist.h" #include "core/or/circuitstats.h" #include "core/or/circuituse.h" +#include "core/or/circuitpadding.h" #include "core/or/connection_edge.h" +#include "core/or/extendinfo.h" #include "core/or/policies.h" +#include "core/or/trace_probes_circuit.h" #include "feature/client/addressmap.h" #include "feature/client/bridges.h" #include "feature/client/circpathbias.h" #include "feature/client/entrynodes.h" -#include "feature/control/control.h" +#include "feature/client/proxymode.h" +#include "feature/control/control_events.h" #include "feature/dircommon/directory.h" #include "feature/hs/hs_circuit.h" #include "feature/hs/hs_client.h" @@ -60,6 +64,7 @@ #include "feature/stats/predict_ports.h" #include "lib/math/fp.h" #include "lib/time/tvdiff.h" +#include "lib/trace/events.h" #include "core/or/cpath_build_state_st.h" #include "feature/dircommon/dir_connection_st.h" @@ -69,7 +74,7 @@ #include "core/or/origin_circuit_st.h" #include "core/or/socks_request_st.h" -static void circuit_expire_old_circuits_clientside(void); +STATIC void circuit_expire_old_circuits_clientside(void); static void circuit_increment_failure_count(void); /** Check whether the hidden service destination of the stream at @@ -177,7 +182,6 @@ circuit_is_acceptable(const origin_circuit_t *origin_circ, purpose == CIRCUIT_PURPOSE_S_HSDIR_POST || purpose == CIRCUIT_PURPOSE_C_HSDIR_GET) { tor_addr_t addr; - const int family = tor_addr_parse(&addr, conn->socks_request->address); if (!exitnode && !build_state->onehop_tunnel) { log_debug(LD_CIRC,"Not considering circuit with unknown router."); return 0; /* this circuit is screwed and doesn't know it yet, @@ -198,9 +202,11 @@ circuit_is_acceptable(const origin_circuit_t *origin_circ, return 0; /* this is a circuit to somewhere else */ if (tor_digest_is_zero(digest)) { /* we don't know the digest; have to compare addr:port */ + const int family = tor_addr_parse(&addr, + conn->socks_request->address); if (family < 0 || - !tor_addr_eq(&build_state->chosen_exit->addr, &addr) || - build_state->chosen_exit->port != conn->socks_request->port) + !extend_info_has_orport(build_state->chosen_exit, &addr, + conn->socks_request->port)) return 0; } } @@ -210,12 +216,14 @@ circuit_is_acceptable(const origin_circuit_t *origin_circ, return 0; } } - if (origin_circ->prepend_policy && family != -1) { - int r = compare_tor_addr_to_addr_policy(&addr, - conn->socks_request->port, - origin_circ->prepend_policy); - if (r == ADDR_POLICY_REJECTED) - return 0; + if (origin_circ->prepend_policy) { + if (tor_addr_parse(&addr, conn->socks_request->address) != -1) { + int r = compare_tor_addr_to_addr_policy(&addr, + conn->socks_request->port, + origin_circ->prepend_policy); + if (r == ADDR_POLICY_REJECTED) + return 0; + } } if (exitnode && !connection_ap_can_use_exit(conn, exitnode)) { /* can't exit from this router */ @@ -543,9 +551,10 @@ circuit_expire_building(void) MAX(get_circuit_build_close_time_ms()*2 + 1000, options->SocksTimeout * 1000)); + bool fixed_time = circuit_build_times_disabled(get_options()); + SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *,victim) { struct timeval cutoff; - bool fixed_time = circuit_build_times_disabled(get_options()); if (!CIRCUIT_IS_ORIGIN(victim) || /* didn't originate here */ victim->marked_for_close) /* don't mess with marked circs */ @@ -727,7 +736,7 @@ circuit_expire_building(void) circuit_build_times_enough_to_compute(get_circuit_build_times())) { log_info(LD_CIRC, - "Deciding to count the timeout for circuit %"PRIu32"\n", + "Deciding to count the timeout for circuit %"PRIu32, TO_ORIGIN_CIRCUIT(victim)->global_identifier); /* Circuits are allowed to last longer for measurement. @@ -770,16 +779,11 @@ circuit_expire_building(void) if (!(TO_ORIGIN_CIRCUIT(victim)->hs_circ_has_timed_out)) { switch (victim->purpose) { case CIRCUIT_PURPOSE_C_REND_READY: - /* We only want to spare a rend circ if it has been specified in - * an INTRODUCE1 cell sent to a hidden service. A circ's - * pending_final_cpath field is non-NULL iff it is a rend circ - * and we have tried to send an INTRODUCE1 cell specifying it. - * Thus, if the pending_final_cpath field *is* NULL, then we - * want to not spare it. */ - if (TO_ORIGIN_CIRCUIT(victim)->build_state && - TO_ORIGIN_CIRCUIT(victim)->build_state->pending_final_cpath == - NULL) + /* We only want to spare a rend circ iff it has been specified in an + * INTRODUCE1 cell sent to a hidden service. */ + if (!hs_circ_is_rend_sent_in_intro1(CONST_TO_ORIGIN_CIRCUIT(victim))) { break; + } FALLTHROUGH; case CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT: case CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED: @@ -815,7 +819,7 @@ circuit_expire_building(void) log_info(LD_CIRC, "Abandoning circ %u %s:%u (state %d,%d:%s, purpose %d, " "len %d)", TO_ORIGIN_CIRCUIT(victim)->global_identifier, - channel_get_canonical_remote_descr(victim->n_chan), + channel_describe_peer(victim->n_chan), (unsigned)victim->n_circ_id, TO_ORIGIN_CIRCUIT(victim)->has_opened, victim->state, circuit_state_to_string(victim->state), @@ -836,6 +840,7 @@ circuit_expire_building(void) -1); circuit_log_path(LOG_INFO,LD_CIRC,TO_ORIGIN_CIRCUIT(victim)); + tor_trace(TR_SUBSYS(circuit), TR_EV(timeout), TO_ORIGIN_CIRCUIT(victim)); if (victim->purpose == CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) circuit_mark_for_close(victim, END_CIRC_REASON_MEASUREMENT_EXPIRED); else @@ -1425,6 +1430,11 @@ circuit_detach_stream(circuit_t *circ, edge_connection_t *conn) if (circ->purpose == CIRCUIT_PURPOSE_S_REND_JOINED) { hs_dec_rdv_stream_counter(origin_circ); } + + /* If there are no more streams on this circ, tell circpad */ + if (!origin_circ->p_streams) + circpad_machine_event_circ_has_no_streams(origin_circ); + return; } } else { @@ -1465,7 +1475,7 @@ circuit_detach_stream(circuit_t *circ, edge_connection_t *conn) /** Find each circuit that has been unused for too long, or dirty * for too long and has no streams on it: mark it for close. */ -static void +STATIC void circuit_expire_old_circuits_clientside(void) { struct timeval cutoff, now; @@ -1494,8 +1504,11 @@ circuit_expire_old_circuits_clientside(void) circ->purpose); /* Don't do this magic for testing circuits. Their death is governed * by circuit_expire_building */ - if (circ->purpose != CIRCUIT_PURPOSE_PATH_BIAS_TESTING) + if (circ->purpose != CIRCUIT_PURPOSE_PATH_BIAS_TESTING) { + tor_trace(TR_SUBSYS(circuit), TR_EV(idle_timeout), + TO_ORIGIN_CIRCUIT(circ)); circuit_mark_for_close(circ, END_CIRC_REASON_FINISHED); + } } else if (!circ->timestamp_dirty && circ->state == CIRCUIT_STATE_OPEN) { if (timercmp(&circ->timestamp_began, &cutoff, OP_LT)) { if (circ->purpose == CIRCUIT_PURPOSE_C_GENERAL || @@ -1505,6 +1518,7 @@ circuit_expire_old_circuits_clientside(void) circ->purpose == CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT || circ->purpose == CIRCUIT_PURPOSE_S_ESTABLISH_INTRO || circ->purpose == CIRCUIT_PURPOSE_TESTING || + circ->purpose == CIRCUIT_PURPOSE_C_CIRCUIT_PADDING || (circ->purpose >= CIRCUIT_PURPOSE_C_INTRODUCING && circ->purpose <= CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED) || circ->purpose == CIRCUIT_PURPOSE_S_CONNECT_REND) { @@ -1513,6 +1527,8 @@ circuit_expire_old_circuits_clientside(void) " that has been unused for %ld msec.", TO_ORIGIN_CIRCUIT(circ)->global_identifier, tv_mdiff(&circ->timestamp_began, &now)); + tor_trace(TR_SUBSYS(circuit), TR_EV(idle_timeout), + TO_ORIGIN_CIRCUIT(circ)); circuit_mark_for_close(circ, END_CIRC_REASON_FINISHED); } else if (!TO_ORIGIN_CIRCUIT(circ)->is_ancient) { /* Server-side rend joined circuits can end up really old, because @@ -1635,11 +1651,12 @@ static void circuit_testing_opened(origin_circuit_t *circ) { if (have_performed_bandwidth_test || - !check_whether_orport_reachable(get_options())) { + !router_orport_seems_reachable(get_options(), AF_INET)) { /* either we've already done everything we want with testing circuits, - * or this testing circuit became open due to a fluke, e.g. we picked - * a last hop where we already had the connection open due to an - * outgoing local circuit. */ + * OR this IPv4 testing circuit became open due to a fluke, e.g. we picked + * a last hop where we already had the connection open due to a + * outgoing local circuit, OR this is an IPv6 self-test circuit, not + * a bandwidth test circuit. */ circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_AT_ORIGIN); } else if (circuit_enough_testing_circs()) { router_perform_bandwidth_test(NUM_PARALLEL_TESTING_CIRCS, time(NULL)); @@ -1653,7 +1670,8 @@ static void circuit_testing_failed(origin_circuit_t *circ, int at_last_hop) { const or_options_t *options = get_options(); - if (server_mode(options) && check_whether_orport_reachable(options)) + if (server_mode(options) && + router_all_orports_seem_reachable(options)) return; log_info(LD_GENERAL, @@ -1674,7 +1692,8 @@ circuit_testing_failed(origin_circuit_t *circ, int at_last_hop) void circuit_has_opened(origin_circuit_t *circ) { - control_event_circuit_status(circ, CIRC_EVENT_BUILT, 0); + tor_trace(TR_SUBSYS(circuit), TR_EV(opened), circ); + circuit_event_status(circ, CIRC_EVENT_BUILT, 0); /* Remember that this circuit has finished building. Now if we start * it building again later (e.g. by extending it), we will know not @@ -1839,7 +1858,7 @@ circuit_build_failed(origin_circuit_t *circ) "from the first hop (%s). I'm going to try to rotate to a " "better connection.", TO_CIRCUIT(circ)->n_circ_id, circ->global_identifier, - channel_get_canonical_remote_descr(n_chan)); + channel_describe_peer(n_chan)); n_chan->is_bad_for_new_circs = 1; } else { log_info(LD_OR, @@ -1954,23 +1973,61 @@ have_enough_path_info(int need_exit) int circuit_purpose_is_hidden_service(uint8_t purpose) { - if (purpose == CIRCUIT_PURPOSE_HS_VANGUARDS) { - return 1; - } - - /* Client-side purpose */ - if (purpose >= CIRCUIT_PURPOSE_C_HS_MIN_ && - purpose <= CIRCUIT_PURPOSE_C_HS_MAX_) { - return 1; - } - - /* Service-side purpose */ - if (purpose >= CIRCUIT_PURPOSE_S_HS_MIN_ && - purpose <= CIRCUIT_PURPOSE_S_HS_MAX_) { - return 1; - } - - return 0; + /* HS Vanguard purpose. */ + if (circuit_purpose_is_hs_vanguards(purpose)) { + return 1; + } + + /* Client-side purpose */ + if (circuit_purpose_is_hs_client(purpose)) { + return 1; + } + + /* Service-side purpose */ + if (circuit_purpose_is_hs_service(purpose)) { + return 1; + } + + return 0; +} + +/** Return true iff the given circuit is an HS client circuit. */ +bool +circuit_purpose_is_hs_client(const uint8_t purpose) +{ + return (purpose >= CIRCUIT_PURPOSE_C_HS_MIN_ && + purpose <= CIRCUIT_PURPOSE_C_HS_MAX_); +} + +/** Return true iff the given circuit is an HS service circuit. */ +bool +circuit_purpose_is_hs_service(const uint8_t purpose) +{ + return (purpose >= CIRCUIT_PURPOSE_S_HS_MIN_ && + purpose <= CIRCUIT_PURPOSE_S_HS_MAX_); +} + +/** Return true iff the given circuit is an HS Vanguards circuit. */ +bool +circuit_purpose_is_hs_vanguards(const uint8_t purpose) +{ + return (purpose == CIRCUIT_PURPOSE_HS_VANGUARDS); +} + +/** Return true iff the given circuit is an HS v2 circuit. */ +bool +circuit_is_hs_v2(const circuit_t *circ) +{ + return (CIRCUIT_IS_ORIGIN(circ) && + (CONST_TO_ORIGIN_CIRCUIT(circ)->rend_data != NULL)); +} + +/** Return true iff the given circuit is an HS v3 circuit. */ +bool +circuit_is_hs_v3(const circuit_t *circ) +{ + return (CIRCUIT_IS_ORIGIN(circ) && + (CONST_TO_ORIGIN_CIRCUIT(circ)->hs_ident != NULL)); } /** @@ -2047,11 +2104,18 @@ circuit_should_cannibalize_to_build(uint8_t purpose_to_build, } /** Launch a new circuit with purpose <b>purpose</b> and exit node - * <b>extend_info</b> (or NULL to select a random exit node). If flags - * contains CIRCLAUNCH_NEED_UPTIME, choose among routers with high uptime. If - * CIRCLAUNCH_NEED_CAPACITY is set, choose among routers with high bandwidth. - * If CIRCLAUNCH_IS_INTERNAL is true, the last hop need not be an exit node. - * If CIRCLAUNCH_ONEHOP_TUNNEL is set, the circuit will have only one hop. + * <b>extend_info</b> (or NULL to select a random exit node). + * + * If flags contains: + * - CIRCLAUNCH_ONEHOP_TUNNEL: the circuit will have only one hop; + * - CIRCLAUNCH_NEED_UPTIME: choose routers with high uptime; + * - CIRCLAUNCH_NEED_CAPACITY: choose routers with high bandwidth; + * - CIRCLAUNCH_IS_IPV6_SELFTEST: the second-last hop must support IPv6 + * extends; + * - CIRCLAUNCH_IS_INTERNAL: the last hop need not be an exit node; + * - CIRCLAUNCH_IS_V3_RP: the last hop must support v3 onion service + * rendezvous. + * * Return the newly allocated circuit on success, or NULL on failure. */ origin_circuit_t * circuit_launch_by_extend_info(uint8_t purpose, @@ -2150,6 +2214,8 @@ circuit_launch_by_extend_info(uint8_t purpose, tor_fragile_assert(); return NULL; } + + tor_trace(TR_SUBSYS(circuit), TR_EV(cannibalized), circ); return circ; } } @@ -2523,8 +2589,7 @@ circuit_get_open_circ_or_launch(entry_connection_t *conn, circ->rend_data = rend_data_dup(edge_conn->rend_data); } else if (edge_conn->hs_ident) { circ->hs_ident = - hs_ident_circuit_new(&edge_conn->hs_ident->identity_pk, - HS_IDENT_CIRCUIT_INTRO); + hs_ident_circuit_new(&edge_conn->hs_ident->identity_pk); } if (circ->base_.purpose == CIRCUIT_PURPOSE_C_ESTABLISH_REND && circ->base_.state == CIRCUIT_STATE_OPEN) @@ -2567,22 +2632,6 @@ cpath_is_on_circuit(origin_circuit_t *circ, crypt_path_t *crypt_path) return 0; } -/** Return true iff client-side optimistic data is supported. */ -static int -optimistic_data_enabled(void) -{ - const or_options_t *options = get_options(); - if (options->OptimisticData < 0) { - /* Note: this default was 0 before #18815 was merged. We can't take the - * parameter out of the consensus until versions before that are all - * obsolete. */ - const int32_t enabled = - networkstatus_get_param(NULL, "UseOptimisticData", /*default*/ 1, 0, 1); - return (int)enabled; - } - return options->OptimisticData; -} - /** Attach the AP stream <b>apconn</b> to circ's linked list of * p_streams. Also set apconn's cpath_layer to <b>cpath</b>, or to the last * hop in circ's cpath if <b>cpath</b> is NULL. @@ -2596,6 +2645,12 @@ link_apconn_to_circ(entry_connection_t *apconn, origin_circuit_t *circ, /* add it into the linked list of streams on this circuit */ log_debug(LD_APP|LD_CIRC, "attaching new conn to circ. n_circ_id %u.", (unsigned)circ->base_.n_circ_id); + + /* If this is the first stream on this circuit, tell circpad + * that streams are attached */ + if (!circ->p_streams) + circpad_machine_event_circ_has_streams(circ); + /* reset it, so we can measure circ timeouts */ ENTRY_TO_CONN(apconn)->timestamp_last_read_allowed = time(NULL); ENTRY_TO_EDGE_CONN(apconn)->next_stream = circ->p_streams; @@ -2629,17 +2684,17 @@ link_apconn_to_circ(entry_connection_t *apconn, origin_circuit_t *circ, exitnode = node_get_by_id(cpath->extend_info->identity_digest); /* See if we can use optimistic data on this circuit */ - if (optimistic_data_enabled() && - (circ->base_.purpose == CIRCUIT_PURPOSE_C_GENERAL || - circ->base_.purpose == CIRCUIT_PURPOSE_C_HSDIR_GET || - circ->base_.purpose == CIRCUIT_PURPOSE_S_HSDIR_POST || - circ->base_.purpose == CIRCUIT_PURPOSE_C_REND_JOINED)) + if (circ->base_.purpose == CIRCUIT_PURPOSE_C_GENERAL || + circ->base_.purpose == CIRCUIT_PURPOSE_C_HSDIR_GET || + circ->base_.purpose == CIRCUIT_PURPOSE_S_HSDIR_POST || + circ->base_.purpose == CIRCUIT_PURPOSE_C_REND_JOINED) apconn->may_use_optimistic_data = 1; else apconn->may_use_optimistic_data = 0; log_info(LD_APP, "Looks like completed circuit to %s %s allow " "optimistic data for connection to %s", - circ->base_.purpose == CIRCUIT_PURPOSE_C_GENERAL ? + (circ->base_.purpose == CIRCUIT_PURPOSE_C_GENERAL || + circ->base_.purpose == CIRCUIT_PURPOSE_CONTROLLER) ? /* node_describe() does the right thing if exitnode is NULL */ safe_str_client(node_describe(exitnode)) : "hidden service", @@ -3070,16 +3125,20 @@ circuit_change_purpose(circuit_t *circ, uint8_t new_purpose) /* Take specific actions if we are repurposing a hidden service circuit. */ if (circuit_purpose_is_hidden_service(circ->purpose) && !circuit_purpose_is_hidden_service(new_purpose)) { - hs_circ_cleanup(circ); + hs_circ_cleanup_on_repurpose(circ); } } old_purpose = circ->purpose; circ->purpose = new_purpose; + tor_trace(TR_SUBSYS(circuit), TR_EV(change_purpose), circ, old_purpose, + new_purpose); if (CIRCUIT_IS_ORIGIN(circ)) { control_event_circuit_purpose_changed(TO_ORIGIN_CIRCUIT(circ), old_purpose); + + circpad_machine_event_circ_purpose_changed(TO_ORIGIN_CIRCUIT(circ)); } } @@ -3113,7 +3172,9 @@ circuit_sent_valid_data(origin_circuit_t *circ, uint16_t relay_body_len) { if (!circ) return; - tor_assert_nonfatal(relay_body_len <= RELAY_PAYLOAD_SIZE); + tor_assertf_nonfatal(relay_body_len <= RELAY_PAYLOAD_SIZE, + "Wrong relay_body_len: %d (should be at most %d)", + relay_body_len, RELAY_PAYLOAD_SIZE); circ->n_delivered_written_circ_bw = tor_add_u32_nowrap(circ->n_delivered_written_circ_bw, relay_body_len); |