1 files changed, 138 insertions, 28 deletions

diff --git a/src/or/hibernate.c b/src/or/hibernate.c
index 5ebe5b1c5a..e9be5930d1 100644
--- a/src/or/hibernate.c
+++ b/src/or/hibernate.c
@@ -22,6 +22,12 @@ hibernating, phase 2:
 */
 
 #include "or.h"
+#include "config.h"
+#include "connection.h"
+#include "connection_edge.h"
+#include "hibernate.h"
+#include "main.h"
+#include "router.h"
 
 /** Possible values of hibernate_state */
 typedef enum {
@@ -89,6 +95,13 @@ static uint64_t n_bytes_read_in_interval = 0;
 static uint64_t n_bytes_written_in_interval = 0;
 /** How many seconds have we been running this interval? */
 static uint32_t n_seconds_active_in_interval = 0;
+/** How many seconds were we active in this interval before we hit our soft
+ * limit? */
+static int n_seconds_to_hit_soft_limit = 0;
+/** When in this interval was the soft limit hit. */
+static time_t soft_limit_hit_at = 0;
+/** How many bytes had we read/written when we hit the soft limit? */
+static uint64_t n_bytes_at_soft_limit = 0;
 /** When did this accounting interval start? */
 static time_t interval_start_time = 0;
 /** When will this accounting interval end? */
@@ -182,6 +195,9 @@ accounting_parse_options(or_options_t *options, int validate_only)
   case UNIT_DAY:
     d = 0;
     break;
+    /* Coverity dislikes unreachable default cases; some compilers warn on
+     * switch statements missing a case.  Tell Coverity not to worry. */
+    /* coverity[dead_error_begin] */
   default:
     tor_assert(0);
   }
@@ -332,29 +348,57 @@ start_of_accounting_period_after(time_t now)
   return edge_of_accounting_period_containing(now, 1);
 }
 
+/** Return the length of the accounting period containing the time
+ * <b>now</b>. */
+static long
+length_of_accounting_period_containing(time_t now)
+{
+  return edge_of_accounting_period_containing(now, 1) -
+    edge_of_accounting_period_containing(now, 0);
+}
+
 /** Initialize the accounting subsystem. */
 void
 configure_accounting(time_t now)
 {
+  time_t s_now;
   /* Try to remember our recorded usage. */
   if (!interval_start_time)
     read_bandwidth_usage(); /* If we fail, we'll leave values at zero, and
                              * reset below.*/
-  if (!interval_start_time ||
-      start_of_accounting_period_after(interval_start_time) <= now) {
-    /* We didn't have recorded usage, or we don't have recorded usage
-     * for this interval. Start a new interval. */
+
+  s_now = start_of_accounting_period_containing(now);
+
+  if (!interval_start_time) {
+    /* We didn't have recorded usage; Start a new interval. */
     log_info(LD_ACCT, "Starting new accounting interval.");
     reset_accounting(now);
-  } else if (interval_start_time ==
-        start_of_accounting_period_containing(interval_start_time)) {
+  } else if (s_now == interval_start_time) {
     log_info(LD_ACCT, "Continuing accounting interval.");
     /* We are in the interval we thought we were in. Do nothing.*/
     interval_end_time = start_of_accounting_period_after(interval_start_time);
   } else {
-    log_warn(LD_ACCT,
-             "Mismatched accounting interval; starting a fresh one.");
-    reset_accounting(now);
+    long duration = length_of_accounting_period_containing(now);
+    double delta = ((double)(s_now - interval_start_time)) / duration;
+    if (-0.50 <= delta && delta <= 0.50) {
+      /* The start of the period is now a little later or earlier than we
+       * remembered.  That's fine; we might lose some bytes we could otherwise
+       * have written, but better to err on the side of obeying people's
+       * accounting settings. */
+      log_info(LD_ACCT, "Accounting interval moved by %.02f%%; "
+               "that's fine.", delta*100);
+      interval_end_time = start_of_accounting_period_after(now);
+    } else if (delta >= 0.99) {
+      /* This is the regular time-moved-forward case; don't be too noisy
+       * about it or people will complain */
+      log_info(LD_ACCT, "Accounting interval elapsed; starting a new one");
+      reset_accounting(now);
+    } else {
+      log_warn(LD_ACCT,
+               "Mismatched accounting interval: moved by %.02f%%. "
+               "Starting a fresh one.", delta*100);
+      reset_accounting(now);
+    }
   }
   accounting_set_wakeup_time();
 }
@@ -365,23 +409,42 @@ configure_accounting(time_t now)
 static void
 update_expected_bandwidth(void)
 {
-  uint64_t used, expected;
-  uint64_t max_configured = (get_options()->BandwidthRate * 60);
-
-  if (n_seconds_active_in_interval < 1800) {
+  uint64_t expected;
+  or_options_t *options= get_options();
+  uint64_t max_configured = (options->RelayBandwidthRate > 0 ?
+                             options->RelayBandwidthRate :
+                             options->BandwidthRate) * 60;
+
+#define MIN_TIME_FOR_MEASUREMENT (1800)
+
+  if (soft_limit_hit_at > interval_start_time && n_bytes_at_soft_limit &&
+      (soft_limit_hit_at - interval_start_time) > MIN_TIME_FOR_MEASUREMENT) {
+    /* If we hit our soft limit last time, only count the bytes up to that
+     * time. This is a better predictor of our actual bandwidth than
+     * considering the entirety of the last interval, since we likely started
+     * using bytes very slowly once we hit our soft limit. */
+    expected = n_bytes_at_soft_limit /
+      (soft_limit_hit_at - interval_start_time);
+    expected /= 60;
+  } else if (n_seconds_active_in_interval >= MIN_TIME_FOR_MEASUREMENT) {
+    /* Otherwise, we either measured enough time in the last interval but
+     * never hit our soft limit, or we're using a state file from a Tor that
+     * doesn't know to store soft-limit info.  Just take rate at which
+     * we were reading/writing in the last interval as our expected rate.
+     */
+    uint64_t used = MAX(n_bytes_written_in_interval,
+                        n_bytes_read_in_interval);
+    expected = used / (n_seconds_active_in_interval / 60);
+  } else {
     /* If we haven't gotten enough data last interval, set 'expected'
      * to 0.  This will set our wakeup to the start of the interval.
      * Next interval, we'll choose our starting time based on how much
      * we sent this interval.
      */
     expected = 0;
-  } else {
-    used = n_bytes_written_in_interval < n_bytes_read_in_interval ?
-      n_bytes_read_in_interval : n_bytes_written_in_interval;
-    expected = used / (n_seconds_active_in_interval / 60);
-    if (expected > max_configured)
-      expected = max_configured;
   }
+  if (expected > max_configured)
+    expected = max_configured;
   expected_bandwidth_usage = expected;
 }
 
@@ -399,6 +462,9 @@ reset_accounting(time_t now)
   n_bytes_read_in_interval = 0;
   n_bytes_written_in_interval = 0;
   n_seconds_active_in_interval = 0;
+  n_bytes_at_soft_limit = 0;
+  soft_limit_hit_at = 0;
+  n_seconds_to_hit_soft_limit = 0;
 }
 
 /** Return true iff we should save our bandwidth usage to disk. */
@@ -456,7 +522,7 @@ accounting_set_wakeup_time(void)
   uint64_t time_to_exhaust_bw;
   int time_to_consider;
 
-  if (! identity_key_is_set()) {
+  if (! server_identity_key_is_set()) {
     if (init_keys() < 0) {
       log_err(LD_BUG, "Error initializing keys");
       tor_assert(0);
@@ -464,7 +530,7 @@ accounting_set_wakeup_time(void)
   }
 
   format_iso_time(buf, interval_start_time);
-  crypto_pk_get_digest(get_identity_key(), digest);
+  crypto_pk_get_digest(get_server_identity_key(), digest);
 
   d_env = crypto_new_digest_env();
   crypto_digest_add_bytes(d_env, buf, ISO_TIME_LEN);
@@ -559,6 +625,10 @@ accounting_record_bandwidth_usage(time_t now, or_state_t *state)
   state->AccountingSecondsActive = n_seconds_active_in_interval;
   state->AccountingExpectedUsage = expected_bandwidth_usage;
 
+  state->AccountingSecondsToReachSoftLimit = n_seconds_to_hit_soft_limit;
+  state->AccountingSoftLimitHitAt = soft_limit_hit_at;
+  state->AccountingBytesAtSoftLimit = n_bytes_at_soft_limit;
+
   or_state_mark_dirty(state,
                       now+(get_options()->AvoidDiskWrites ? 7200 : 60));
 
@@ -582,10 +652,6 @@ read_bandwidth_usage(void)
   if (!state)
     return -1;
 
-  /* Okay; it looks like the state file is more up-to-date than the
-   * bw_accounting file, or the bw_accounting file is nonexistent,
-   * or the bw_accounting file is corrupt.
-   */
   log_info(LD_ACCT, "Reading bandwidth accounting data from state file");
   n_bytes_read_in_interval = state->AccountingBytesReadInInterval;
   n_bytes_written_in_interval = state->AccountingBytesWrittenInInterval;
@@ -593,6 +659,21 @@ read_bandwidth_usage(void)
   interval_start_time = state->AccountingIntervalStart;
   expected_bandwidth_usage = state->AccountingExpectedUsage;
 
+  /* Older versions of Tor (before 0.2.2.17-alpha or so) didn't generate these
+   * fields. If you switch back and forth, you might get an
+   * AccountingSoftLimitHitAt value from long before the most recent
+   * interval_start_time.  If that's so, then ignore the softlimit-related
+   * values. */
+  if (state->AccountingSoftLimitHitAt > interval_start_time) {
+    soft_limit_hit_at =  state->AccountingSoftLimitHitAt;
+    n_bytes_at_soft_limit = state->AccountingBytesAtSoftLimit;
+    n_seconds_to_hit_soft_limit = state->AccountingSecondsToReachSoftLimit;
+  } else {
+    soft_limit_hit_at = 0;
+    n_bytes_at_soft_limit = 0;
+    n_seconds_to_hit_soft_limit = 0;
+  }
+
   {
     char tbuf1[ISO_TIME_LEN+1];
     char tbuf2[ISO_TIME_LEN+1];
@@ -632,8 +713,27 @@ hibernate_hard_limit_reached(void)
 static int
 hibernate_soft_limit_reached(void)
 {
-  uint64_t soft_limit = DBL_TO_U64(U64_TO_DBL(get_options()->AccountingMax)
-                                   * .95);
+  const uint64_t acct_max = get_options()->AccountingMax;
+#define SOFT_LIM_PCT (.95)
+#define SOFT_LIM_BYTES (500*1024*1024)
+#define SOFT_LIM_MINUTES (3*60)
+  /* The 'soft limit' is a fair bit more complicated now than once it was.
+   * We want to stop accepting connections when ALL of the following are true:
+   *   - We expect to use up the remaining bytes in under 3 hours
+   *   - We have used up 95% of our bytes.
+   *   - We have less than 500MB of bytes left.
+   */
+  uint64_t soft_limit = DBL_TO_U64(U64_TO_DBL(acct_max) * SOFT_LIM_PCT);
+  if (acct_max > SOFT_LIM_BYTES && acct_max - SOFT_LIM_BYTES > soft_limit) {
+    soft_limit = acct_max - SOFT_LIM_BYTES;
+  }
+  if (expected_bandwidth_usage) {
+    const uint64_t expected_usage =
+      expected_bandwidth_usage * SOFT_LIM_MINUTES;
+    if (acct_max > expected_usage && acct_max - expected_usage > soft_limit)
+      soft_limit = acct_max - expected_usage;
+  }
+
   if (!soft_limit)
     return 0;
   return n_bytes_read_in_interval >= soft_limit
@@ -658,6 +758,14 @@ hibernate_begin(hibernate_state_t new_state, time_t now)
     exit(0);
   }
 
+  if (new_state == HIBERNATE_STATE_LOWBANDWIDTH &&
+      hibernate_state == HIBERNATE_STATE_LIVE) {
+    soft_limit_hit_at = now;
+    n_seconds_to_hit_soft_limit = n_seconds_active_in_interval;
+    n_bytes_at_soft_limit = MAX(n_bytes_read_in_interval,
+                                n_bytes_written_in_interval);
+  }
+
   /* close listeners. leave control listener(s). */
   while ((conn = connection_get_by_type(CONN_TYPE_OR_LISTENER)) ||
          (conn = connection_get_by_type(CONN_TYPE_AP_LISTENER)) ||
@@ -860,9 +968,11 @@ consider_hibernation(time_t now)
  * NULL. */
 int
 getinfo_helper_accounting(control_connection_t *conn,
-                          const char *question, char **answer)
+                          const char *question, char **answer,
+                          const char **errmsg)
 {
   (void) conn;
+  (void) errmsg;
   if (!strcmp(question, "accounting/enabled")) {
     *answer = tor_strdup(accounting_is_enabled(get_options()) ? "1" : "0");
   } else if (!strcmp(question, "accounting/hibernating")) {