/* Copyright (c) 2001 Matej Pfajfar. * Copyright (c) 2001-2004, Roger Dingledine. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. * Copyright (c) 2007-2021, The Tor Project, Inc. */ /* See LICENSE for licensing information */ /** * \file relay.c * \brief Handle relay cell encryption/decryption, plus packaging and * receiving from circuits, plus queuing on circuits. * * This is a core modules that makes Tor work. It's responsible for * dealing with RELAY cells (the ones that travel more than one hop along a * circuit), by: * * * RELAY cells are generated throughout the code at the client or relay side, * using relay_send_command_from_edge() or one of the functions like * connection_edge_send_command() that calls it. Of particular interest is * connection_edge_package_raw_inbuf(), which takes information that has * arrived on an edge connection socket, and packages it as a RELAY_DATA cell * -- this is how information is actually sent across the Tor network. The * cryptography for these functions is handled deep in * circuit_package_relay_cell(), which either adds a single layer of * encryption (if we're an exit), or multiple layers (if we're the origin of * the circuit). After construction and encryption, the RELAY cells are * passed to append_cell_to_circuit_queue(), which queues them for * transmission and tells the circuitmux (see circuitmux.c) that the circuit * is waiting to send something. * * Incoming RELAY cells arrive at circuit_receive_relay_cell(), called from * command.c. There they are decrypted and, if they are for us, are passed to * connection_edge_process_relay_cell(). If they're not for us, they're * re-queued for retransmission again with append_cell_to_circuit_queue(). * * The connection_edge_process_relay_cell() function handles all the different * types of relay cells, launching requests or transmitting data as needed. **/ #define RELAY_PRIVATE #include "core/or/or.h" #include "feature/client/addressmap.h" #include "lib/err/backtrace.h" #include "lib/buf/buffers.h" #include "core/or/channel.h" #include "feature/client/circpathbias.h" #include "core/or/circuitbuild.h" #include "core/or/circuitlist.h" #include "core/or/circuituse.h" #include "core/or/circuitpadding.h" #include "core/or/extendinfo.h" #include "lib/compress/compress.h" #include "app/config/config.h" #include "core/mainloop/connection.h" #include "core/or/connection_edge.h" #include "core/or/connection_or.h" #include "feature/control/control_events.h" #include "lib/crypt_ops/crypto_rand.h" #include "lib/crypt_ops/crypto_util.h" #include "feature/dircommon/directory.h" #include "feature/relay/dns.h" #include "feature/relay/circuitbuild_relay.h" #include "feature/stats/geoip_stats.h" #include "feature/hs/hs_cache.h" #include "core/mainloop/mainloop.h" #include "feature/nodelist/networkstatus.h" #include "feature/nodelist/nodelist.h" #include "core/or/onion.h" #include "core/or/policies.h" #include "core/or/reasons.h" #include "core/or/relay.h" #include "core/crypto/relay_crypto.h" #include "feature/rend/rendcommon.h" #include "feature/nodelist/describe.h" #include "feature/nodelist/routerlist.h" #include "core/or/scheduler.h" #include "feature/hs/hs_metrics.h" #include "feature/stats/rephist.h" #include "core/or/cell_st.h" #include "core/or/cell_queue_st.h" #include "core/or/cpath_build_state_st.h" #include "feature/dircommon/dir_connection_st.h" #include "core/or/destroy_cell_queue_st.h" #include "core/or/entry_connection_st.h" #include "core/or/extend_info_st.h" #include "core/or/or_circuit_st.h" #include "core/or/origin_circuit_st.h" #include "feature/nodelist/routerinfo_st.h" #include "core/or/socks_request_st.h" #include "core/or/sendme.h" #include "core/or/congestion_control_common.h" #include "core/or/congestion_control_flow.h" #include "core/or/conflux.h" #include "core/or/conflux_util.h" #include "core/or/conflux_pool.h" static edge_connection_t *relay_lookup_conn(circuit_t *circ, cell_t *cell, cell_direction_t cell_direction, crypt_path_t *layer_hint); static void circuit_resume_edge_reading(circuit_t *circ, crypt_path_t *layer_hint); static int circuit_resume_edge_reading_helper(edge_connection_t *conn, circuit_t *circ, crypt_path_t *layer_hint); static int circuit_consider_stop_edge_reading(circuit_t *circ, crypt_path_t *layer_hint); static int circuit_queue_streams_are_blocked(circuit_t *circ); static void adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t *circ, entry_connection_t *conn, node_t *node, const tor_addr_t *addr); static int connection_edge_process_ordered_relay_cell(cell_t *cell, circuit_t *circ, edge_connection_t *conn, crypt_path_t *layer_hint, relay_header_t *rh); static void set_block_state_for_streams(circuit_t *circ, edge_connection_t *stream_list, int block, streamid_t stream_id); /** Stats: how many relay cells have originated at this hop, or have * been relayed onward (not recognized at this hop)? */ uint64_t stats_n_relay_cells_relayed = 0; /** Stats: how many relay cells have been delivered to streams at this * hop? */ uint64_t stats_n_relay_cells_delivered = 0; /** Stats: how many circuits have we closed due to the cell queue limit being * reached (see append_cell_to_circuit_queue()) */ uint64_t stats_n_circ_max_cell_reached = 0; uint64_t stats_n_circ_max_cell_outq_reached = 0; /** * Update channel usage state based on the type of relay cell and * circuit properties. * * This is needed to determine if a client channel is being * used for application traffic, and if a relay channel is being * used for multihop circuits and application traffic. The decision * to pad in channelpadding.c depends upon this info (as well as * consensus parameters) to decide what channels to pad. */ static void circuit_update_channel_usage(circuit_t *circ, cell_t *cell) { if (CIRCUIT_IS_ORIGIN(circ)) { /* * The client state was first set much earlier in * circuit_send_next_onion_skin(), so we can start padding as early as * possible. * * However, if padding turns out to be expensive, we may want to not do * it until actual application traffic starts flowing (which is controlled * via consensus param nf_pad_before_usage). * * So: If we're an origin circuit and we've created a full length circuit, * then any CELL_RELAY cell means application data. Increase the usage * state of the channel to indicate this. * * We want to wait for CELL_RELAY specifically here, so we know that * the channel was definitely being used for data and not for extends. * By default, we pad as soon as a channel has been used for *any* * circuits, so this state is irrelevant to the padding decision in * the default case. However, if padding turns out to be expensive, * we would like the ability to avoid padding until we're absolutely * sure that a channel is used for enough application data to be worth * padding. * * (So it does not matter that CELL_RELAY_EARLY can actually contain * application data. This is only a load reducing option and that edge * case does not matter if we're desperately trying to reduce overhead * anyway. See also consensus parameter nf_pad_before_usage). */ if (BUG(!circ->n_chan)) return; if (circ->n_chan->channel_usage == CHANNEL_USED_FOR_FULL_CIRCS && cell->command == CELL_RELAY) { circ->n_chan->channel_usage = CHANNEL_USED_FOR_USER_TRAFFIC; } } else { /* If we're a relay circuit, the question is more complicated. Basically: * we only want to pad connections that carry multihop (anonymous) * circuits. * * We assume we're more than one hop if either the previous hop * is not a client, or if the previous hop is a client and there's * a next hop. Then, circuit traffic starts at RELAY_EARLY, and * user application traffic starts when we see RELAY cells. */ or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); if (BUG(!or_circ->p_chan)) return; if (!channel_is_client(or_circ->p_chan) || (channel_is_client(or_circ->p_chan) && circ->n_chan)) { if (cell->command == CELL_RELAY_EARLY) { if (or_circ->p_chan->channel_usage < CHANNEL_USED_FOR_FULL_CIRCS) { or_circ->p_chan->channel_usage = CHANNEL_USED_FOR_FULL_CIRCS; } } else if (cell->command == CELL_RELAY) { or_circ->p_chan->channel_usage = CHANNEL_USED_FOR_USER_TRAFFIC; } } } } /** Receive a relay cell: * - Crypt it (encrypt if headed toward the origin or if we are the * origin; decrypt if we're headed toward the exit). * - Check if recognized (if exitward). * - If recognized and the digest checks out, then find if there's a stream * that the cell is intended for, and deliver it to the right * connection_edge. * - If not recognized, then we need to relay it: append it to the appropriate * cell_queue on circ. * * Return -reason on failure. */ int circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, cell_direction_t cell_direction) { channel_t *chan = NULL; crypt_path_t *layer_hint=NULL; char recognized=0; int reason; tor_assert(cell); tor_assert(circ); tor_assert(cell_direction == CELL_DIRECTION_OUT || cell_direction == CELL_DIRECTION_IN); if (circ->marked_for_close) return 0; if (relay_decrypt_cell(circ, cell, cell_direction, &layer_hint, &recognized) < 0) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "relay crypt failed. Dropping connection."); return -END_CIRC_REASON_INTERNAL; } circuit_update_channel_usage(circ, cell); if (recognized) { edge_connection_t *conn = NULL; /* Recognized cell, the cell digest has been updated, we'll record it for * the SENDME if need be. */ sendme_record_received_cell_digest(circ, layer_hint); if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) { if (pathbias_check_probe_response(circ, cell) == -1) { pathbias_count_valid_cells(circ, cell); } /* We need to drop this cell no matter what to avoid code that expects * a certain purpose (such as the hidserv code). */ return 0; } conn = relay_lookup_conn(circ, cell, cell_direction, layer_hint); if (cell_direction == CELL_DIRECTION_OUT) { ++stats_n_relay_cells_delivered; log_debug(LD_OR,"Sending away from origin."); reason = connection_edge_process_relay_cell(cell, circ, conn, NULL); if (reason < 0) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "connection_edge_process_relay_cell (away from origin) " "failed."); return reason; } } if (cell_direction == CELL_DIRECTION_IN) { ++stats_n_relay_cells_delivered; log_debug(LD_OR,"Sending to origin."); reason = connection_edge_process_relay_cell(cell, circ, conn, layer_hint); if (reason < 0) { /* If a client is trying to connect to unknown hidden service port, * END_CIRC_AT_ORIGIN is sent back so we can then close the circuit. * Do not log warn as this is an expected behavior for a service. */ if (reason != END_CIRC_AT_ORIGIN) { log_warn(LD_OR, "connection_edge_process_relay_cell (at origin) failed."); } return reason; } } return 0; } /* not recognized. inform circpad and pass it on. */ circpad_deliver_unrecognized_cell_events(circ, cell_direction); if (cell_direction == CELL_DIRECTION_OUT) { cell->circ_id = circ->n_circ_id; /* switch it */ chan = circ->n_chan; } else if (! CIRCUIT_IS_ORIGIN(circ)) { cell->circ_id = TO_OR_CIRCUIT(circ)->p_circ_id; /* switch it */ chan = TO_OR_CIRCUIT(circ)->p_chan; } else { log_fn(LOG_PROTOCOL_WARN, LD_OR, "Dropping unrecognized inbound cell on origin circuit."); /* If we see unrecognized cells on path bias testing circs, * it's bad mojo. Those circuits need to die. * XXX: Shouldn't they always die? */ if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) { TO_ORIGIN_CIRCUIT(circ)->path_state = PATH_STATE_USE_FAILED; return -END_CIRC_REASON_TORPROTOCOL; } else { return 0; } } if (!chan) { // XXXX Can this splice stuff be done more cleanly? if (! CIRCUIT_IS_ORIGIN(circ) && TO_OR_CIRCUIT(circ)->rend_splice && cell_direction == CELL_DIRECTION_OUT) { or_circuit_t *splice_ = TO_OR_CIRCUIT(circ)->rend_splice; tor_assert(circ->purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED); tor_assert(splice_->base_.purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED); cell->circ_id = splice_->p_circ_id; cell->command = CELL_RELAY; /* can't be relay_early anyway */ if ((reason = circuit_receive_relay_cell(cell, TO_CIRCUIT(splice_), CELL_DIRECTION_IN)) < 0) { log_warn(LD_REND, "Error relaying cell across rendezvous; closing " "circuits"); /* XXXX Do this here, or just return -1? */ circuit_mark_for_close(circ, -reason); return reason; } return 0; } if (BUG(CIRCUIT_IS_ORIGIN(circ))) { /* Should be impossible at this point. */ return -END_CIRC_REASON_TORPROTOCOL; } or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); if (++or_circ->n_cells_discarded_at_end == 1) { time_t seconds_open = approx_time() - circ->timestamp_created.tv_sec; log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Didn't recognize a cell, but circ stops here! Closing circuit. " "It was created %ld seconds ago.", (long)seconds_open); } return -END_CIRC_REASON_TORPROTOCOL; } log_debug(LD_OR,"Passing on unrecognized cell."); ++stats_n_relay_cells_relayed; /* XXXX no longer quite accurate {cells} * we might kill the circ before we relay * the cells. */ if (append_cell_to_circuit_queue(circ, chan, cell, cell_direction, 0) < 0) { return -END_CIRC_REASON_RESOURCELIMIT; } return 0; } /** Package a relay cell from an edge: * - Encrypt it to the right layer * - Append it to the appropriate cell_queue on circ. * * Return 1 if the cell was successfully sent as in queued on the circuit. * Return 0 if the cell needs to be dropped as in ignored. * Return -1 on error for which the circuit should be marked for close. */ MOCK_IMPL(int, circuit_package_relay_cell, (cell_t *cell, circuit_t *circ, cell_direction_t cell_direction, crypt_path_t *layer_hint, streamid_t on_stream, const char *filename, int lineno)) { channel_t *chan; /* where to send the cell */ if (circ->marked_for_close) { /* Circuit is marked; send nothing. */ return 0; } if (cell_direction == CELL_DIRECTION_OUT) { chan = circ->n_chan; if (!chan) { log_warn(LD_BUG,"outgoing relay cell sent from %s:%d has n_chan==NULL." " Dropping. Circuit is in state %s (%d), and is " "%smarked for close. (%s:%d, %d)", filename, lineno, circuit_state_to_string(circ->state), circ->state, circ->marked_for_close ? "" : "not ", circ->marked_for_close_file?circ->marked_for_close_file:"", circ->marked_for_close, circ->marked_for_close_reason); if (CIRCUIT_IS_ORIGIN(circ)) { circuit_log_path(LOG_WARN, LD_BUG, TO_ORIGIN_CIRCUIT(circ)); } log_backtrace(LOG_WARN,LD_BUG,""); return 0; /* just drop it */ } if (!CIRCUIT_IS_ORIGIN(circ)) { log_warn(LD_BUG,"outgoing relay cell sent from %s:%d on non-origin " "circ. Dropping.", filename, lineno); log_backtrace(LOG_WARN,LD_BUG,""); return 0; /* just drop it */ } relay_encrypt_cell_outbound(cell, TO_ORIGIN_CIRCUIT(circ), layer_hint); /* Update circ written totals for control port */ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); ocirc->n_written_circ_bw = tor_add_u32_nowrap(ocirc->n_written_circ_bw, CELL_PAYLOAD_SIZE); } else { /* incoming cell */ if (CIRCUIT_IS_ORIGIN(circ)) { /* We should never package an _incoming_ cell from the circuit * origin; that means we messed up somewhere. */ log_warn(LD_BUG,"incoming relay cell at origin circuit. Dropping."); assert_circuit_ok(circ); return 0; /* just drop it */ } or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); relay_encrypt_cell_inbound(cell, or_circ); chan = or_circ->p_chan; } ++stats_n_relay_cells_relayed; return append_cell_to_circuit_queue(circ, chan, cell, cell_direction, on_stream); } /** If cell's stream_id matches the stream_id of any conn that's * attached to circ, return that conn, else return NULL. */ static edge_connection_t * relay_lookup_conn(circuit_t *circ, cell_t *cell, cell_direction_t cell_direction, crypt_path_t *layer_hint) { edge_connection_t *tmpconn; relay_header_t rh; relay_header_unpack(&rh, cell->payload); if (!rh.stream_id) return NULL; /* IN or OUT cells could have come from either direction, now * that we allow rendezvous *to* an OP. */ if (CIRCUIT_IS_ORIGIN(circ)) { for (tmpconn = TO_ORIGIN_CIRCUIT(circ)->p_streams; tmpconn; tmpconn=tmpconn->next_stream) { if (rh.stream_id == tmpconn->stream_id && !tmpconn->base_.marked_for_close && edge_uses_cpath(tmpconn, layer_hint)) { log_debug(LD_APP,"found conn for stream %d.", rh.stream_id); return tmpconn; } } } else { for (tmpconn = TO_OR_CIRCUIT(circ)->n_streams; tmpconn; tmpconn=tmpconn->next_stream) { if (rh.stream_id == tmpconn->stream_id && !tmpconn->base_.marked_for_close) { log_debug(LD_EXIT,"found conn for stream %d.", rh.stream_id); if (cell_direction == CELL_DIRECTION_OUT || connection_edge_is_rendezvous_stream(tmpconn)) return tmpconn; } } for (tmpconn = TO_OR_CIRCUIT(circ)->resolving_streams; tmpconn; tmpconn=tmpconn->next_stream) { if (rh.stream_id == tmpconn->stream_id && !tmpconn->base_.marked_for_close) { log_debug(LD_EXIT,"found conn for stream %d.", rh.stream_id); return tmpconn; } } } return NULL; /* probably a begin relay cell */ } /** Pack the relay_header_t host-order structure src into * network-order in the buffer dest. See tor-spec.txt for details * about the wire format. */ void relay_header_pack(uint8_t *dest, const relay_header_t *src) { set_uint8(dest, src->command); set_uint16(dest+1, htons(src->recognized)); set_uint16(dest+3, htons(src->stream_id)); memcpy(dest+5, src->integrity, 4); set_uint16(dest+9, htons(src->length)); } /** Unpack the network-order buffer src into a host-order * relay_header_t structure dest. */ void relay_header_unpack(relay_header_t *dest, const uint8_t *src) { dest->command = get_uint8(src); dest->recognized = ntohs(get_uint16(src+1)); dest->stream_id = ntohs(get_uint16(src+3)); memcpy(dest->integrity, src+5, 4); dest->length = ntohs(get_uint16(src+9)); } /** Convert the relay command into a human-readable string. */ const char * relay_command_to_string(uint8_t command) { static char buf[64]; switch (command) { case RELAY_COMMAND_BEGIN: return "BEGIN"; case RELAY_COMMAND_DATA: return "DATA"; case RELAY_COMMAND_END: return "END"; case RELAY_COMMAND_CONNECTED: return "CONNECTED"; case RELAY_COMMAND_SENDME: return "SENDME"; case RELAY_COMMAND_EXTEND: return "EXTEND"; case RELAY_COMMAND_EXTENDED: return "EXTENDED"; case RELAY_COMMAND_TRUNCATE: return "TRUNCATE"; case RELAY_COMMAND_TRUNCATED: return "TRUNCATED"; case RELAY_COMMAND_DROP: return "DROP"; case RELAY_COMMAND_RESOLVE: return "RESOLVE"; case RELAY_COMMAND_RESOLVED: return "RESOLVED"; case RELAY_COMMAND_BEGIN_DIR: return "BEGIN_DIR"; case RELAY_COMMAND_ESTABLISH_INTRO: return "ESTABLISH_INTRO"; case RELAY_COMMAND_ESTABLISH_RENDEZVOUS: return "ESTABLISH_RENDEZVOUS"; case RELAY_COMMAND_INTRODUCE1: return "INTRODUCE1"; case RELAY_COMMAND_INTRODUCE2: return "INTRODUCE2"; case RELAY_COMMAND_RENDEZVOUS1: return "RENDEZVOUS1"; case RELAY_COMMAND_RENDEZVOUS2: return "RENDEZVOUS2"; case RELAY_COMMAND_INTRO_ESTABLISHED: return "INTRO_ESTABLISHED"; case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED: return "RENDEZVOUS_ESTABLISHED"; case RELAY_COMMAND_INTRODUCE_ACK: return "INTRODUCE_ACK"; case RELAY_COMMAND_EXTEND2: return "EXTEND2"; case RELAY_COMMAND_EXTENDED2: return "EXTENDED2"; case RELAY_COMMAND_PADDING_NEGOTIATE: return "PADDING_NEGOTIATE"; case RELAY_COMMAND_PADDING_NEGOTIATED: return "PADDING_NEGOTIATED"; case RELAY_COMMAND_CONFLUX_LINK: return "CONFLUX_LINK"; case RELAY_COMMAND_CONFLUX_LINKED: return "CONFLUX_LINKED"; case RELAY_COMMAND_CONFLUX_LINKED_ACK: return "CONFLUX_LINKED_ACK"; case RELAY_COMMAND_CONFLUX_SWITCH: return "CONFLUX_SWITCH"; default: tor_snprintf(buf, sizeof(buf), "Unrecognized relay command %u", (unsigned)command); return buf; } } /** When padding a cell with randomness, leave this many zeros after the * payload. */ #define CELL_PADDING_GAP 4 /** Return the offset where the padding should start. The data_len is * the relay payload length expected to be put in the cell. It can not be * bigger than RELAY_PAYLOAD_SIZE else this function assert(). * * Value will always be smaller than CELL_PAYLOAD_SIZE because this offset is * for the entire cell length not just the data payload length. Zero is * returned if there is no room for padding. * * This function always skips the first 4 bytes after the payload because * having some unused zero bytes has saved us a lot of times in the past. */ STATIC size_t get_pad_cell_offset(size_t data_len) { /* This is never supposed to happen but in case it does, stop right away * because if tor is tricked somehow into not adding random bytes to the * payload with this function returning 0 for a bad data_len, the entire * authenticated SENDME design can be bypassed leading to bad denial of * service attacks. */ tor_assert(data_len <= RELAY_PAYLOAD_SIZE); /* If the offset is larger than the cell payload size, we return an offset * of zero indicating that no padding needs to be added. */ size_t offset = RELAY_HEADER_SIZE + data_len + CELL_PADDING_GAP; if (offset >= CELL_PAYLOAD_SIZE) { return 0; } return offset; } /* Add random bytes to the unused portion of the payload, to foil attacks * where the other side can predict all of the bytes in the payload and thus * compute the authenticated SENDME cells without seeing the traffic. See * proposal 289. */ static void pad_cell_payload(uint8_t *cell_payload, size_t data_len) { size_t pad_offset, pad_len; tor_assert(cell_payload); pad_offset = get_pad_cell_offset(data_len); if (pad_offset == 0) { /* We can't add padding so we are done. */ return; } /* Remember here that the cell_payload is the length of the header and * payload size so we offset it using the full length of the cell. */ pad_len = CELL_PAYLOAD_SIZE - pad_offset; crypto_fast_rng_getbytes(get_thread_fast_rng(), cell_payload + pad_offset, pad_len); } /** Make a relay cell out of relay_command and payload, and send * it onto the open circuit circ. stream_id is the ID on * circ for the stream that's sending the relay cell, or 0 if it's a * control cell. cpath_layer is NULL for OR->OP cells, or the * destination hop for OP->OR cells. * * If you can't send the cell, mark the circuit for close and return -1. Else * return 0. */ MOCK_IMPL(int, relay_send_command_from_edge_,(streamid_t stream_id, circuit_t *orig_circ, uint8_t relay_command, const char *payload, size_t payload_len, crypt_path_t *cpath_layer, const char *filename, int lineno)) { cell_t cell; relay_header_t rh; cell_direction_t cell_direction; circuit_t *circ = orig_circ; /* If conflux is enabled, decide which leg to send on, and use that */ if (orig_circ->conflux && conflux_should_multiplex(relay_command)) { circ = conflux_decide_circ_for_send(orig_circ->conflux, orig_circ, relay_command); if (BUG(!circ)) { log_warn(LD_BUG, "No circuit to send for conflux for relay command %d, " "called from %s:%d", relay_command, filename, lineno); conflux_log_set(LOG_WARN, orig_circ->conflux, CIRCUIT_IS_ORIGIN(orig_circ)); circ = orig_circ; } else { /* Conflux circuits always send multiplexed relay commands to * to the last hop. (Non-multiplexed commands go on their * original circuit and hop). */ cpath_layer = conflux_get_destination_hop(circ); } } /* XXXX NM Split this function into a separate versions per circuit type? */ tor_assert(circ); tor_assert(payload_len <= RELAY_PAYLOAD_SIZE); memset(&cell, 0, sizeof(cell_t)); cell.command = CELL_RELAY; if (CIRCUIT_IS_ORIGIN(circ)) { tor_assert(cpath_layer); cell.circ_id = circ->n_circ_id; cell_direction = CELL_DIRECTION_OUT; } else { tor_assert(! cpath_layer); cell.circ_id = TO_OR_CIRCUIT(circ)->p_circ_id; cell_direction = CELL_DIRECTION_IN; } memset(&rh, 0, sizeof(rh)); rh.command = relay_command; rh.stream_id = stream_id; rh.length = payload_len; relay_header_pack(cell.payload, &rh); if (payload_len) memcpy(cell.payload+RELAY_HEADER_SIZE, payload, payload_len); /* Add random padding to the cell if we can. */ pad_cell_payload(cell.payload, payload_len); log_debug(LD_OR,"delivering %d cell %s.", relay_command, cell_direction == CELL_DIRECTION_OUT ? "forward" : "backward"); /* Tell circpad we're sending a relay cell */ circpad_deliver_sent_relay_cell_events(circ, relay_command); /* If we are sending an END cell and this circuit is used for a tunneled * directory request, advance its state. */ if (relay_command == RELAY_COMMAND_END && circ->dirreq_id) geoip_change_dirreq_state(circ->dirreq_id, DIRREQ_TUNNELED, DIRREQ_END_CELL_SENT); if (cell_direction == CELL_DIRECTION_OUT && circ->n_chan) { /* if we're using relaybandwidthrate, this conn wants priority */ channel_timestamp_client(circ->n_chan); } if (cell_direction == CELL_DIRECTION_OUT) { origin_circuit_t *origin_circ = TO_ORIGIN_CIRCUIT(circ); if (origin_circ->remaining_relay_early_cells > 0 && (relay_command == RELAY_COMMAND_EXTEND || relay_command == RELAY_COMMAND_EXTEND2 || cpath_layer != origin_circ->cpath)) { /* If we've got any relay_early cells left and (we're sending * an extend cell or we're not talking to the first hop), use * one of them. Don't worry about the conn protocol version: * append_cell_to_circuit_queue will fix it up. */ cell.command = CELL_RELAY_EARLY; /* If we're out of relay early cells, tell circpad */ if (--origin_circ->remaining_relay_early_cells == 0) circpad_machine_event_circ_has_no_relay_early(origin_circ); log_debug(LD_OR, "Sending a RELAY_EARLY cell; %d remaining.", (int)origin_circ->remaining_relay_early_cells); /* Memorize the command that is sent as RELAY_EARLY cell; helps debug * task 878. */ origin_circ->relay_early_commands[ origin_circ->relay_early_cells_sent++] = relay_command; } else if (relay_command == RELAY_COMMAND_EXTEND || relay_command == RELAY_COMMAND_EXTEND2) { /* If no RELAY_EARLY cells can be sent over this circuit, log which * commands have been sent as RELAY_EARLY cells before; helps debug * task 878. */ smartlist_t *commands_list = smartlist_new(); int i = 0; char *commands = NULL; for (; i < origin_circ->relay_early_cells_sent; i++) smartlist_add(commands_list, (char *) relay_command_to_string(origin_circ->relay_early_commands[i])); commands = smartlist_join_strings(commands_list, ",", 0, NULL); log_warn(LD_BUG, "Uh-oh. We're sending a RELAY_COMMAND_EXTEND cell, " "but we have run out of RELAY_EARLY cells on that circuit. " "Commands sent before: %s", commands); tor_free(commands); smartlist_free(commands_list); } /* Let's assume we're well-behaved: Anything that we decide to send is * valid, delivered data. */ circuit_sent_valid_data(origin_circ, rh.length); } int ret = circuit_package_relay_cell(&cell, circ, cell_direction, cpath_layer, stream_id, filename, lineno); if (ret < 0) { circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL); return -1; } else if (ret == 0) { /* This means we should drop the cell or that the circuit was already * marked for close. At this point in time, we do NOT close the circuit if * the cell is dropped. It is not the case with arti where each circuit * protocol violation will lead to closing the circuit. */ return 0; } /* At this point, we are certain that the cell was queued on the circuit and * thus will be sent on the wire. */ if (circ->conflux) { conflux_note_cell_sent(circ->conflux, circ, relay_command); } /* If applicable, note the cell digest for the SENDME version 1 purpose if * we need to. This call needs to be after the circuit_package_relay_cell() * because the cell digest is set within that function. */ if (relay_command == RELAY_COMMAND_DATA) { sendme_record_cell_digest_on_circ(circ, cpath_layer); /* Handle the circuit-level SENDME package window. */ if (sendme_note_circuit_data_packaged(circ, cpath_layer) < 0) { /* Package window has gone under 0. Protocol issue. */ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Circuit package window is below 0. Closing circuit."); circuit_mark_for_close(circ, END_CIRC_REASON_TORPROTOCOL); return -1; } } return 0; } /** Make a relay cell out of relay_command and payload, and * send it onto the open circuit circ. fromconn is the stream * that's sending the relay cell, or NULL if it's a control cell. * cpath_layer is NULL for OR->OP cells, or the destination hop * for OP->OR cells. * * If you can't send the cell, mark the circuit for close and * return -1. Else return 0. */ int connection_edge_send_command(edge_connection_t *fromconn, uint8_t relay_command, const char *payload, size_t payload_len) { /* XXXX NM Split this function into a separate versions per circuit type? */ circuit_t *circ; crypt_path_t *cpath_layer = fromconn->cpath_layer; tor_assert(fromconn); circ = fromconn->on_circuit; if (fromconn->base_.marked_for_close) { log_warn(LD_BUG, "called on conn that's already marked for close at %s:%d.", fromconn->base_.marked_for_close_file, fromconn->base_.marked_for_close); return 0; } if (!circ) { if (fromconn->base_.type == CONN_TYPE_AP) { log_info(LD_APP,"no circ. Closing conn."); connection_mark_unattached_ap(EDGE_TO_ENTRY_CONN(fromconn), END_STREAM_REASON_INTERNAL); } else { log_info(LD_EXIT,"no circ. Closing conn."); fromconn->edge_has_sent_end = 1; /* no circ to send to */ fromconn->end_reason = END_STREAM_REASON_INTERNAL; connection_mark_for_close(TO_CONN(fromconn)); } return -1; } if (circ->marked_for_close) { /* The circuit has been marked, but not freed yet. When it's freed, it * will mark this connection for close. */ return -1; } #ifdef MEASUREMENTS_21206 /* Keep track of the number of RELAY_DATA cells sent for directory * connections. */ connection_t *linked_conn = TO_CONN(fromconn)->linked_conn; if (linked_conn && linked_conn->type == CONN_TYPE_DIR) { ++(TO_DIR_CONN(linked_conn)->data_cells_sent); } #endif /* defined(MEASUREMENTS_21206) */ return relay_send_command_from_edge(fromconn->stream_id, circ, relay_command, payload, payload_len, cpath_layer); } /** How many times will I retry a stream that fails due to DNS * resolve failure or misc error? */ #define MAX_RESOLVE_FAILURES 3 /** Return 1 if reason is something that you should retry if you * get the end cell before you've connected; else return 0. */ static int edge_reason_is_retriable(int reason) { return reason == END_STREAM_REASON_HIBERNATING || reason == END_STREAM_REASON_RESOURCELIMIT || reason == END_STREAM_REASON_EXITPOLICY || reason == END_STREAM_REASON_RESOLVEFAILED || reason == END_STREAM_REASON_MISC || reason == END_STREAM_REASON_NOROUTE; } /** Called when we receive an END cell on a stream that isn't open yet, * from the client side. * Arguments are as for connection_edge_process_relay_cell(). */ static int connection_ap_process_end_not_open( relay_header_t *rh, cell_t *cell, origin_circuit_t *circ, entry_connection_t *conn, crypt_path_t *layer_hint) { node_t *exitrouter; int reason = *(cell->payload+RELAY_HEADER_SIZE); int control_reason; edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(conn); (void) layer_hint; /* unused */ if (rh->length > 0) { if (reason == END_STREAM_REASON_TORPROTOCOL || reason == END_STREAM_REASON_DESTROY) { /* Both of these reasons could mean a failed tag * hit the exit and it complained. Do not probe. * Fail the circuit. */ circ->path_state = PATH_STATE_USE_FAILED; return -END_CIRC_REASON_TORPROTOCOL; } else if (reason == END_STREAM_REASON_INTERNAL) { /* We can't infer success or failure, since older Tors report * ENETUNREACH as END_STREAM_REASON_INTERNAL. */ } else { /* Path bias: If we get a valid reason code from the exit, * it wasn't due to tagging. * * We rely on recognized+digest being strong enough to make * tags unlikely to allow us to get tagged, yet 'recognized' * reason codes here. */ pathbias_mark_use_success(circ); } } /* This end cell is now valid. */ circuit_read_valid_data(circ, rh->length); if (rh->length == 0) { reason = END_STREAM_REASON_MISC; } control_reason = reason | END_STREAM_REASON_FLAG_REMOTE; if (edge_reason_is_retriable(reason) && /* avoid retry if rend */ !connection_edge_is_rendezvous_stream(edge_conn)) { const char *chosen_exit_digest = circ->build_state->chosen_exit->identity_digest; log_info(LD_APP,"Address '%s' refused due to '%s'. Considering retrying.", safe_str(conn->socks_request->address), stream_end_reason_to_string(reason)); exitrouter = node_get_mutable_by_id(chosen_exit_digest); switch (reason) { case END_STREAM_REASON_EXITPOLICY: { tor_addr_t addr; tor_addr_make_unspec(&addr); if (rh->length >= 5) { int ttl = -1; tor_addr_make_unspec(&addr); if (rh->length == 5 || rh->length == 9) { tor_addr_from_ipv4n(&addr, get_uint32(cell->payload+RELAY_HEADER_SIZE+1)); if (rh->length == 9) ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+5)); } else if (rh->length == 17 || rh->length == 21) { tor_addr_from_ipv6_bytes(&addr, (cell->payload+RELAY_HEADER_SIZE+1)); if (rh->length == 21) ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+17)); } if (tor_addr_is_null(&addr)) { log_info(LD_APP,"Address '%s' resolved to 0.0.0.0. Closing,", safe_str(conn->socks_request->address)); connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL); return 0; } if ((tor_addr_family(&addr) == AF_INET && !conn->entry_cfg.ipv4_traffic) || (tor_addr_family(&addr) == AF_INET6 && !conn->entry_cfg.ipv6_traffic)) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "Got an EXITPOLICY failure on a connection with a " "mismatched family. Closing."); connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL); return 0; } if (get_options()->ClientDNSRejectInternalAddresses && tor_addr_is_internal(&addr, 0)) { log_info(LD_APP,"Address '%s' resolved to internal. Closing,", safe_str(conn->socks_request->address)); connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL); return 0; } client_dns_set_addressmap(conn, conn->socks_request->address, &addr, conn->chosen_exit_name, ttl); { char new_addr[TOR_ADDR_BUF_LEN]; tor_addr_to_str(new_addr, &addr, sizeof(new_addr), 1); if (strcmp(conn->socks_request->address, new_addr)) { strlcpy(conn->socks_request->address, new_addr, sizeof(conn->socks_request->address)); control_event_stream_status(conn, STREAM_EVENT_REMAP, 0); } } } /* check if the exit *ought* to have allowed it */ adjust_exit_policy_from_exitpolicy_failure(circ, conn, exitrouter, &addr); if (conn->chosen_exit_optional || conn->chosen_exit_retries) { /* stop wanting a specific exit */ conn->chosen_exit_optional = 0; /* A non-zero chosen_exit_retries can happen if we set a * TrackHostExits for this address under a port that the exit * relay allows, but then try the same address with a different * port that it doesn't allow to exit. We shouldn't unregister * the mapping, since it is probably still wanted on the * original port. But now we give away to the exit relay that * we probably have a TrackHostExits on it. So be it. */ conn->chosen_exit_retries = 0; tor_free(conn->chosen_exit_name); /* clears it */ } if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0) return 0; /* else, conn will get closed below */ break; } case END_STREAM_REASON_CONNECTREFUSED: if (!conn->chosen_exit_optional) break; /* break means it'll close, below */ /* Else fall through: expire this circuit, clear the * chosen_exit_name field, and try again. */ FALLTHROUGH; case END_STREAM_REASON_RESOLVEFAILED: case END_STREAM_REASON_TIMEOUT: case END_STREAM_REASON_MISC: case END_STREAM_REASON_NOROUTE: if (client_dns_incr_failures(conn->socks_request->address) < MAX_RESOLVE_FAILURES) { /* We haven't retried too many times; reattach the connection. */ circuit_log_path(LOG_INFO,LD_APP,circ); /* Mark this circuit "unusable for new streams". */ mark_circuit_unusable_for_new_conns(circ); if (conn->chosen_exit_optional) { /* stop wanting a specific exit */ conn->chosen_exit_optional = 0; tor_free(conn->chosen_exit_name); /* clears it */ } if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0) return 0; /* else, conn will get closed below */ } else { log_notice(LD_APP, "Have tried resolving or connecting to address '%s' " "at %d different places. Giving up.", safe_str(conn->socks_request->address), MAX_RESOLVE_FAILURES); /* clear the failures, so it will have a full try next time */ client_dns_clear_failures(conn->socks_request->address); } break; case END_STREAM_REASON_HIBERNATING: case END_STREAM_REASON_RESOURCELIMIT: if (exitrouter) { policies_set_node_exitpolicy_to_reject_all(exitrouter); } if (conn->chosen_exit_optional) { /* stop wanting a specific exit */ conn->chosen_exit_optional = 0; tor_free(conn->chosen_exit_name); /* clears it */ } if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0) return 0; /* else, will close below */ break; } /* end switch */ log_info(LD_APP,"Giving up on retrying; conn can't be handled."); } log_info(LD_APP, "Edge got end (%s) before we're connected. Marking for close.", stream_end_reason_to_string(rh->length > 0 ? reason : -1)); circuit_log_path(LOG_INFO,LD_APP,circ); /* need to test because of detach_retriable */ if (!ENTRY_TO_CONN(conn)->marked_for_close) connection_mark_unattached_ap(conn, control_reason); return 0; } /** Called when we have gotten an END_REASON_EXITPOLICY failure on circ * for conn, while attempting to connect via node. If the node * told us which address it rejected, then addr is that address; * otherwise it is AF_UNSPEC. * * If we are sure the node should have allowed this address, mark the node as * having a reject *:* exit policy. Otherwise, mark the circuit as unusable * for this particular address. **/ static void adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t *circ, entry_connection_t *conn, node_t *node, const tor_addr_t *addr) { int make_reject_all = 0; const sa_family_t family = tor_addr_family(addr); if (node) { tor_addr_t tmp; int asked_for_family = tor_addr_parse(&tmp, conn->socks_request->address); if (family == AF_UNSPEC) { make_reject_all = 1; } else if (node_exit_policy_is_exact(node, family) && asked_for_family != -1 && !conn->chosen_exit_name) { make_reject_all = 1; } if (make_reject_all) { log_info(LD_APP, "Exitrouter %s seems to be more restrictive than its exit " "policy. Not using this router as exit for now.", node_describe(node)); policies_set_node_exitpolicy_to_reject_all(node); } } if (family != AF_UNSPEC) addr_policy_append_reject_addr(&circ->prepend_policy, addr); } /** Helper: change the socks_request->address field on conn to the * dotted-quad representation of new_addr, * and send an appropriate REMAP event. */ static void remap_event_helper(entry_connection_t *conn, const tor_addr_t *new_addr) { tor_addr_to_str(conn->socks_request->address, new_addr, sizeof(conn->socks_request->address), 1); control_event_stream_status(conn, STREAM_EVENT_REMAP, REMAP_STREAM_SOURCE_EXIT); } /** Extract the contents of a connected cell in cell, whose relay * header has already been parsed into rh. On success, set * addr_out to the address we're connected to, and ttl_out to * the ttl of that address, in seconds, and return 0. On failure, return * -1. * * Note that the resulting address can be UNSPEC if the connected cell had no * address (as for a stream to an union service or a tunneled directory * connection), and that the ttl can be absent (in which case ttl_out * is set to -1). */ STATIC int connected_cell_parse(const relay_header_t *rh, const cell_t *cell, tor_addr_t *addr_out, int *ttl_out) { uint32_t bytes; const uint8_t *payload = cell->payload + RELAY_HEADER_SIZE; tor_addr_make_unspec(addr_out); *ttl_out = -1; if (rh->length == 0) return 0; if (rh->length < 4) return -1; bytes = ntohl(get_uint32(payload)); /* If bytes is 0, this is maybe a v6 address. Otherwise it's a v4 address */ if (bytes != 0) { /* v4 address */ tor_addr_from_ipv4h(addr_out, bytes); if (rh->length >= 8) { bytes = ntohl(get_uint32(payload + 4)); if (bytes <= INT32_MAX) *ttl_out = bytes; } } else { if (rh->length < 25) /* 4 bytes of 0s, 1 addr, 16 ipv4, 4 ttl. */ return -1; if (get_uint8(payload + 4) != 6) return -1; tor_addr_from_ipv6_bytes(addr_out, (payload + 5)); bytes = ntohl(get_uint32(payload + 21)); if (bytes <= INT32_MAX) *ttl_out = (int) bytes; } return 0; } /** Drop all storage held by addr. */ STATIC void address_ttl_free_(address_ttl_t *addr) { if (!addr) return; tor_free(addr->hostname); tor_free(addr); } /** Parse a resolved cell in cell, with parsed header in rh. * Return -1 on parse error. On success, add one or more newly allocated * address_ttl_t to addresses_out; set *errcode_out to * one of 0, RESOLVED_TYPE_ERROR, or RESOLVED_TYPE_ERROR_TRANSIENT, and * return 0. */ STATIC int resolved_cell_parse(const cell_t *cell, const relay_header_t *rh, smartlist_t *addresses_out, int *errcode_out) { const uint8_t *cp; uint8_t answer_type; size_t answer_len; address_ttl_t *addr; size_t remaining; int errcode = 0; smartlist_t *addrs; tor_assert(cell); tor_assert(rh); tor_assert(addresses_out); tor_assert(errcode_out); *errcode_out = 0; if (rh->length > RELAY_PAYLOAD_SIZE) return -1; addrs = smartlist_new(); cp = cell->payload + RELAY_HEADER_SIZE; remaining = rh->length; while (remaining) { const uint8_t *cp_orig = cp; if (remaining < 2) goto err; answer_type = *cp++; answer_len = *cp++; if (remaining < 2 + answer_len + 4) { goto err; } if (answer_type == RESOLVED_TYPE_IPV4) { if (answer_len != 4) { goto err; } addr = tor_malloc_zero(sizeof(*addr)); tor_addr_from_ipv4n(&addr->addr, get_uint32(cp)); cp += 4; addr->ttl = ntohl(get_uint32(cp)); cp += 4; smartlist_add(addrs, addr); } else if (answer_type == RESOLVED_TYPE_IPV6) { if (answer_len != 16) goto err; addr = tor_malloc_zero(sizeof(*addr)); tor_addr_from_ipv6_bytes(&addr->addr, cp); cp += 16; addr->ttl = ntohl(get_uint32(cp)); cp += 4; smartlist_add(addrs, addr); } else if (answer_type == RESOLVED_TYPE_HOSTNAME) { if (answer_len == 0) { goto err; } addr = tor_malloc_zero(sizeof(*addr)); addr->hostname = tor_memdup_nulterm(cp, answer_len); cp += answer_len; addr->ttl = ntohl(get_uint32(cp)); cp += 4; smartlist_add(addrs, addr); } else if (answer_type == RESOLVED_TYPE_ERROR_TRANSIENT || answer_type == RESOLVED_TYPE_ERROR) { errcode = answer_type; /* Ignore the error contents */ cp += answer_len + 4; } else { cp += answer_len + 4; } tor_assert(((ssize_t)remaining) >= (cp - cp_orig)); remaining -= (cp - cp_orig); } if (errcode && smartlist_len(addrs) == 0) { /* Report an error only if there were no results. */ *errcode_out = errcode; } smartlist_add_all(addresses_out, addrs); smartlist_free(addrs); return 0; err: /* On parse error, don't report any results */ SMARTLIST_FOREACH(addrs, address_ttl_t *, a, address_ttl_free(a)); smartlist_free(addrs); return -1; } /** Helper for connection_edge_process_resolved_cell: given an error code, * an entry_connection, and a list of address_ttl_t *, report the best answer * to the entry_connection. */ static void connection_ap_handshake_socks_got_resolved_cell(entry_connection_t *conn, int error_code, smartlist_t *results) { address_ttl_t *addr_ipv4 = NULL; address_ttl_t *addr_ipv6 = NULL; address_ttl_t *addr_hostname = NULL; address_ttl_t *addr_best = NULL; /* If it's an error code, that's easy. */ if (error_code) { tor_assert(error_code == RESOLVED_TYPE_ERROR || error_code == RESOLVED_TYPE_ERROR_TRANSIENT); connection_ap_handshake_socks_resolved(conn, error_code,0,NULL,-1,-1); return; } /* Get the first answer of each type. */ SMARTLIST_FOREACH_BEGIN(results, address_ttl_t *, addr) { if (addr->hostname) { if (!addr_hostname) { addr_hostname = addr; } } else if (tor_addr_family(&addr->addr) == AF_INET) { if (!addr_ipv4 && conn->entry_cfg.ipv4_traffic) { addr_ipv4 = addr; } } else if (tor_addr_family(&addr->addr) == AF_INET6) { if (!addr_ipv6 && conn->entry_cfg.ipv6_traffic) { addr_ipv6 = addr; } } } SMARTLIST_FOREACH_END(addr); /* Now figure out which type we wanted to deliver. */ if (conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR) { if (addr_hostname) { connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_HOSTNAME, strlen(addr_hostname->hostname), (uint8_t*)addr_hostname->hostname, addr_hostname->ttl,-1); } else { connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_ERROR,0,NULL,-1,-1); } return; } if (conn->entry_cfg.prefer_ipv6) { addr_best = addr_ipv6 ? addr_ipv6 : addr_ipv4; } else { addr_best = addr_ipv4 ? addr_ipv4 : addr_ipv6; } /* Now convert it to the ugly old interface */ if (! addr_best) { connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_ERROR,0,NULL,-1,-1); return; } connection_ap_handshake_socks_resolved_addr(conn, &addr_best->addr, addr_best->ttl, -1); remap_event_helper(conn, &addr_best->addr); } /** Handle a RELAY_COMMAND_RESOLVED cell that we received on a non-open AP * stream. */ STATIC int connection_edge_process_resolved_cell(edge_connection_t *conn, const cell_t *cell, const relay_header_t *rh) { entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn); smartlist_t *resolved_addresses = NULL; int errcode = 0; if (conn->base_.state != AP_CONN_STATE_RESOLVE_WAIT) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "Got a 'resolved' cell while " "not in state resolve_wait. Dropping."); return 0; } tor_assert(SOCKS_COMMAND_IS_RESOLVE(entry_conn->socks_request->command)); resolved_addresses = smartlist_new(); if (resolved_cell_parse(cell, rh, resolved_addresses, &errcode)) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Dropping malformed 'resolved' cell"); connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL); goto done; } if (get_options()->ClientDNSRejectInternalAddresses) { int orig_len = smartlist_len(resolved_addresses); SMARTLIST_FOREACH_BEGIN(resolved_addresses, address_ttl_t *, addr) { if (addr->hostname == NULL && tor_addr_is_internal(&addr->addr, 0)) { log_info(LD_APP, "Got a resolved cell with answer %s; dropping that " "answer.", safe_str_client(fmt_addr(&addr->addr))); address_ttl_free(addr); SMARTLIST_DEL_CURRENT(resolved_addresses, addr); } } SMARTLIST_FOREACH_END(addr); if (orig_len && smartlist_len(resolved_addresses) == 0) { log_info(LD_APP, "Got a resolved cell with only private addresses; " "dropping it."); connection_ap_handshake_socks_resolved(entry_conn, RESOLVED_TYPE_ERROR_TRANSIENT, 0, NULL, 0, TIME_MAX); connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL); goto done; } } /* This is valid data at this point. Count it */ if (conn->on_circuit && CIRCUIT_IS_ORIGIN(conn->on_circuit)) { circuit_read_valid_data(TO_ORIGIN_CIRCUIT(conn->on_circuit), rh->length); } connection_ap_handshake_socks_got_resolved_cell(entry_conn, errcode, resolved_addresses); connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_DONE | END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED); done: SMARTLIST_FOREACH(resolved_addresses, address_ttl_t *, addr, address_ttl_free(addr)); smartlist_free(resolved_addresses); return 0; } /** An incoming relay cell has arrived from circuit circ to * stream conn. * * The arguments here are the same as in * connection_edge_process_relay_cell() below; this function is called * from there when conn is defined and not in an open state. */ static int connection_edge_process_relay_cell_not_open( relay_header_t *rh, cell_t *cell, circuit_t *circ, edge_connection_t *conn, crypt_path_t *layer_hint) { if (rh->command == RELAY_COMMAND_END) { if (CIRCUIT_IS_ORIGIN(circ) && conn->base_.type == CONN_TYPE_AP) { return connection_ap_process_end_not_open(rh, cell, TO_ORIGIN_CIRCUIT(circ), EDGE_TO_ENTRY_CONN(conn), layer_hint); } else { /* we just got an 'end', don't need to send one */ conn->edge_has_sent_end = 1; conn->end_reason = *(cell->payload+RELAY_HEADER_SIZE) | END_STREAM_REASON_FLAG_REMOTE; connection_mark_for_close(TO_CONN(conn)); return 0; } } if (conn->base_.type == CONN_TYPE_AP && rh->command == RELAY_COMMAND_CONNECTED) { tor_addr_t addr; int ttl; entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn); tor_assert(CIRCUIT_IS_ORIGIN(circ)); if (conn->base_.state != AP_CONN_STATE_CONNECT_WAIT) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "Got 'connected' while not in state connect_wait. Dropping."); return 0; } CONNECTION_AP_EXPECT_NONPENDING(entry_conn); conn->base_.state = AP_CONN_STATE_OPEN; log_info(LD_APP,"'connected' received for circid %u streamid %d " "after %d seconds.", (unsigned)circ->n_circ_id, rh->stream_id, (int)(time(NULL) - conn->base_.timestamp_last_read_allowed)); if (connected_cell_parse(rh, cell, &addr, &ttl) < 0) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "Got a badly formatted connected cell. Closing."); connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL); connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL); return 0; } if (tor_addr_family(&addr) != AF_UNSPEC) { /* The family is not UNSPEC: so we were given an address in the * connected cell. (This is normal, except for BEGINDIR and onion * service streams.) */ const sa_family_t family = tor_addr_family(&addr); if (tor_addr_is_null(&addr) || (get_options()->ClientDNSRejectInternalAddresses && tor_addr_is_internal(&addr, 0))) { log_info(LD_APP, "...but it claims the IP address was %s. Closing.", safe_str(fmt_addr(&addr))); connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL); connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL); return 0; } if ((family == AF_INET && ! entry_conn->entry_cfg.ipv4_traffic) || (family == AF_INET6 && ! entry_conn->entry_cfg.ipv6_traffic)) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "Got a connected cell to %s with unsupported address family." " Closing.", safe_str(fmt_addr(&addr))); connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL); connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL); return 0; } client_dns_set_addressmap(entry_conn, entry_conn->socks_request->address, &addr, entry_conn->chosen_exit_name, ttl); remap_event_helper(entry_conn, &addr); } circuit_log_path(LOG_INFO,LD_APP,TO_ORIGIN_CIRCUIT(circ)); /* don't send a socks reply to transparent conns */ tor_assert(entry_conn->socks_request != NULL); if (!entry_conn->socks_request->has_finished) { connection_ap_handshake_socks_reply(entry_conn, NULL, 0, 0); } /* Was it a linked dir conn? If so, a dir request just started to * fetch something; this could be a bootstrap status milestone. */ log_debug(LD_APP, "considering"); if (TO_CONN(conn)->linked_conn && TO_CONN(conn)->linked_conn->type == CONN_TYPE_DIR) { connection_t *dirconn = TO_CONN(conn)->linked_conn; log_debug(LD_APP, "it is! %d", dirconn->purpose); switch (dirconn->purpose) { case DIR_PURPOSE_FETCH_CERTIFICATE: if (consensus_is_waiting_for_certs()) control_event_bootstrap(BOOTSTRAP_STATUS_LOADING_KEYS, 0); break; case DIR_PURPOSE_FETCH_CONSENSUS: control_event_bootstrap(BOOTSTRAP_STATUS_LOADING_STATUS, 0); break; case DIR_PURPOSE_FETCH_SERVERDESC: case DIR_PURPOSE_FETCH_MICRODESC: if (TO_DIR_CONN(dirconn)->router_purpose == ROUTER_PURPOSE_GENERAL) control_event_boot_dir(BOOTSTRAP_STATUS_LOADING_DESCRIPTORS, count_loading_descriptors_progress()); break; } } /* This is definitely a success, so forget about any pending data we * had sent. */ if (entry_conn->pending_optimistic_data) { buf_free(entry_conn->pending_optimistic_data); entry_conn->pending_optimistic_data = NULL; } /* This is valid data at this point. Count it */ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length); /* handle anything that might have queued */ if (connection_edge_package_raw_inbuf(conn, 1, NULL) < 0) { /* (We already sent an end cell if possible) */ connection_mark_for_close(TO_CONN(conn)); return 0; } return 0; } if (conn->base_.type == CONN_TYPE_AP && rh->command == RELAY_COMMAND_RESOLVED) { return connection_edge_process_resolved_cell(conn, cell, rh); } log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Got an unexpected relay command %d, in state %d (%s). Dropping.", rh->command, conn->base_.state, conn_state_to_string(conn->base_.type, conn->base_.state)); return 0; /* for forward compatibility, don't kill the circuit */ // connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL); // connection_mark_for_close(conn); // return -1; } /** Process a SENDME cell that arrived on circ. If it is a stream level * cell, it is destined for the given conn. If it is a circuit level * cell, it is destined for the layer_hint. The domain is the * logging domain that should be used. * * Return 0 if everything went well or a negative value representing a circuit * end reason on error for which the caller is responsible for closing it. */ static int process_sendme_cell(const relay_header_t *rh, const cell_t *cell, circuit_t *circ, edge_connection_t *conn, crypt_path_t *layer_hint, int domain) { int ret; tor_assert(rh); if (!rh->stream_id) { /* Circuit level SENDME cell. */ ret = sendme_process_circuit_level(layer_hint, circ, cell->payload + RELAY_HEADER_SIZE, rh->length); if (ret < 0) { return ret; } /* Resume reading on any streams now that we've processed a valid * SENDME cell that updated our package window. */ circuit_resume_edge_reading(circ, layer_hint); /* We are done, the rest of the code is for the stream level. */ return 0; } /* No connection, might be half edge state. We are done if so. */ if (!conn) { if (CIRCUIT_IS_ORIGIN(circ)) { origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); if (connection_half_edge_is_valid_sendme(ocirc->half_streams, rh->stream_id)) { circuit_read_valid_data(ocirc, rh->length); log_info(domain, "Sendme cell on circ %u valid on half-closed " "stream id %d", ocirc->global_identifier, rh->stream_id); } } log_info(domain, "SENDME cell dropped, unknown stream (streamid %d).", rh->stream_id); return 0; } /* Stream level SENDME cell. */ // TODO: Turn this off for cc_alg=1,2,3; use XON/XOFF instead ret = sendme_process_stream_level(conn, circ, rh->length); if (ret < 0) { /* Means we need to close the circuit with reason ret. */ return ret; } /* We've now processed properly a SENDME cell, all windows have been * properly updated, we'll read on the edge connection to see if we can * get data out towards the end point (Exit or client) since we are now * allowed to deliver more cells. */ if (circuit_queue_streams_are_blocked(circ)) { /* Still waiting for queue to flush; don't touch conn */ return 0; } connection_start_reading(TO_CONN(conn)); /* handle whatever might still be on the inbuf */ if (connection_edge_package_raw_inbuf(conn, 1, NULL) < 0) { /* (We already sent an end cell if possible) */ connection_mark_for_close(TO_CONN(conn)); return 0; } return 0; } /** A helper for connection_edge_process_relay_cell(): Actually handles the * cell that we received on the connection. * * The arguments are the same as in the parent function * connection_edge_process_relay_cell(), plus the relay header rh as * unpacked by the parent function, and optimistic_data as set by the * parent function. */ STATIC int handle_relay_cell_command(cell_t *cell, circuit_t *circ, edge_connection_t *conn, crypt_path_t *layer_hint, relay_header_t *rh, int optimistic_data) { unsigned domain = layer_hint?LD_APP:LD_EXIT; int reason; tor_assert(rh); /* First pass the cell to the circuit padding subsystem, in case it's a * padding cell or circuit that should be handled there. */ if (circpad_check_received_cell(cell, circ, layer_hint, rh) == 0) { log_debug(domain, "Cell handled as circuit padding"); return 0; } /* Now handle all the other commands */ switch (rh->command) { case RELAY_COMMAND_CONFLUX_LINK: conflux_process_link(circ, cell, rh->length); return 0; case RELAY_COMMAND_CONFLUX_LINKED: conflux_process_linked(circ, layer_hint, cell, rh->length); return 0; case RELAY_COMMAND_CONFLUX_LINKED_ACK: conflux_process_linked_ack(circ); return 0; case RELAY_COMMAND_CONFLUX_SWITCH: return conflux_process_switch_command(circ, layer_hint, cell, rh); case RELAY_COMMAND_BEGIN: case RELAY_COMMAND_BEGIN_DIR: if (layer_hint && circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "Relay begin request unsupported at AP. Dropping."); return 0; } if (circ->purpose == CIRCUIT_PURPOSE_S_REND_JOINED && layer_hint != TO_ORIGIN_CIRCUIT(circ)->cpath->prev) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "Relay begin request to Hidden Service " "from intermediary node. Dropping."); return 0; } if (conn) { log_fn(LOG_PROTOCOL_WARN, domain, "Begin cell for known stream. Dropping."); return 0; } if (rh->command == RELAY_COMMAND_BEGIN_DIR && circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { /* Assign this circuit and its app-ward OR connection a unique ID, * so that we can measure download times. The local edge and dir * connection will be assigned the same ID when they are created * and linked. */ static uint64_t next_id = 0; circ->dirreq_id = ++next_id; TO_OR_CIRCUIT(circ)->p_chan->dirreq_id = circ->dirreq_id; } return connection_exit_begin_conn(cell, circ); case RELAY_COMMAND_DATA: ++stats_n_data_cells_received; if (rh->stream_id == 0) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay data cell with zero " "stream_id. Dropping."); return 0; } else if (!conn) { if (CIRCUIT_IS_ORIGIN(circ)) { origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); if (connection_half_edge_is_valid_data(ocirc->half_streams, rh->stream_id)) { circuit_read_valid_data(ocirc, rh->length); log_info(domain, "data cell on circ %u valid on half-closed " "stream id %d", ocirc->global_identifier, rh->stream_id); } } log_info(domain,"data cell dropped, unknown stream (streamid %d).", rh->stream_id); return 0; } /* Update our stream-level deliver window that we just received a DATA * cell. Going below 0 means we have a protocol level error so the * stream and circuit are closed. */ if (sendme_stream_data_received(conn) < 0) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "(relay data) conn deliver_window below 0. Killing."); connection_edge_end_close(conn, END_STREAM_REASON_TORPROTOCOL); return -END_CIRC_REASON_TORPROTOCOL; } /* Total all valid application bytes delivered */ if (CIRCUIT_IS_ORIGIN(circ) && rh->length > 0) { circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length); } /* For onion service connection, update the metrics. */ if (conn->hs_ident) { hs_metrics_app_write_bytes(&conn->hs_ident->identity_pk, conn->hs_ident->orig_virtual_port, rh->length); } stats_n_data_bytes_received += rh->length; connection_buf_add((char*)(cell->payload + RELAY_HEADER_SIZE), rh->length, TO_CONN(conn)); #ifdef MEASUREMENTS_21206 /* Count number of RELAY_DATA cells received on a linked directory * connection. */ connection_t *linked_conn = TO_CONN(conn)->linked_conn; if (linked_conn && linked_conn->type == CONN_TYPE_DIR) { ++(TO_DIR_CONN(linked_conn)->data_cells_received); } #endif /* defined(MEASUREMENTS_21206) */ if (!optimistic_data) { /* Only send a SENDME if we're not getting optimistic data; otherwise * a SENDME could arrive before the CONNECTED. */ sendme_connection_edge_consider_sending(conn); } return 0; case RELAY_COMMAND_XOFF: if (!conn) { if (CIRCUIT_IS_ORIGIN(circ)) { origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); if (relay_crypt_from_last_hop(ocirc, layer_hint) && connection_half_edge_is_valid_data(ocirc->half_streams, rh->stream_id)) { circuit_read_valid_data(ocirc, rh->length); } } return 0; } if (circuit_process_stream_xoff(conn, layer_hint, cell)) { if (CIRCUIT_IS_ORIGIN(circ)) { circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length); } } return 0; case RELAY_COMMAND_XON: if (!conn) { if (CIRCUIT_IS_ORIGIN(circ)) { origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); if (relay_crypt_from_last_hop(ocirc, layer_hint) && connection_half_edge_is_valid_data(ocirc->half_streams, rh->stream_id)) { circuit_read_valid_data(ocirc, rh->length); } } return 0; } if (circuit_process_stream_xon(conn, layer_hint, cell)) { if (CIRCUIT_IS_ORIGIN(circ)) { circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length); } } return 0; case RELAY_COMMAND_END: reason = rh->length > 0 ? get_uint8(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC; if (!conn) { if (CIRCUIT_IS_ORIGIN(circ)) { origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); if (relay_crypt_from_last_hop(ocirc, layer_hint) && connection_half_edge_is_valid_end(ocirc->half_streams, rh->stream_id)) { circuit_read_valid_data(ocirc, rh->length); log_info(domain, "end cell (%s) on circ %u valid on half-closed " "stream id %d", stream_end_reason_to_string(reason), ocirc->global_identifier, rh->stream_id); return 0; } } log_info(domain,"end cell (%s) dropped, unknown stream.", stream_end_reason_to_string(reason)); return 0; } /* XXX add to this log_fn the exit node's nickname? */ log_info(domain,TOR_SOCKET_T_FORMAT": end cell (%s) for stream %d. " "Removing stream.", conn->base_.s, stream_end_reason_to_string(reason), conn->stream_id); if (conn->base_.type == CONN_TYPE_AP) { entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn); if (entry_conn->socks_request && !entry_conn->socks_request->has_finished) log_warn(LD_BUG, "open stream hasn't sent socks answer yet? Closing."); } /* We just *got* an end; no reason to send one. */ conn->edge_has_sent_end = 1; if (!conn->end_reason) conn->end_reason = reason | END_STREAM_REASON_FLAG_REMOTE; if (!conn->base_.marked_for_close) { /* only mark it if not already marked. it's possible to * get the 'end' right around when the client hangs up on us. */ connection_mark_and_flush(TO_CONN(conn)); /* Total all valid application bytes delivered */ if (CIRCUIT_IS_ORIGIN(circ)) { circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length); } } return 0; case RELAY_COMMAND_EXTEND: case RELAY_COMMAND_EXTEND2: { static uint64_t total_n_extend=0, total_nonearly=0; total_n_extend++; if (rh->stream_id) { log_fn(LOG_PROTOCOL_WARN, domain, "'extend' cell received for non-zero stream. Dropping."); return 0; } if (cell->command != CELL_RELAY_EARLY && !networkstatus_get_param(NULL,"AllowNonearlyExtend",0,0,1)) { #define EARLY_WARNING_INTERVAL 3600 static ratelim_t early_warning_limit = RATELIM_INIT(EARLY_WARNING_INTERVAL); char *m; if (cell->command == CELL_RELAY) { ++total_nonearly; if ((m = rate_limit_log(&early_warning_limit, approx_time()))) { double percentage = ((double)total_nonearly)/total_n_extend; percentage *= 100; log_fn(LOG_PROTOCOL_WARN, domain, "EXTEND cell received, " "but not via RELAY_EARLY. Dropping.%s", m); log_fn(LOG_PROTOCOL_WARN, domain, " (We have dropped %.02f%% of " "all EXTEND cells for this reason)", percentage); tor_free(m); } } else { log_fn(LOG_WARN, domain, "EXTEND cell received, in a cell with type %d! Dropping.", cell->command); } return 0; } return circuit_extend(cell, circ); } case RELAY_COMMAND_EXTENDED: case RELAY_COMMAND_EXTENDED2: if (!layer_hint) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "'extended' unsupported at non-origin. Dropping."); return 0; } log_debug(domain,"Got an extended cell! Yay."); { extended_cell_t extended_cell; if (extended_cell_parse(&extended_cell, rh->command, (const uint8_t*)cell->payload+RELAY_HEADER_SIZE, rh->length)<0) { log_warn(LD_PROTOCOL, "Can't parse EXTENDED cell; killing circuit."); return -END_CIRC_REASON_TORPROTOCOL; } if ((reason = circuit_finish_handshake(TO_ORIGIN_CIRCUIT(circ), &extended_cell.created_cell)) < 0) { circuit_mark_for_close(circ, -reason); return 0; /* We don't want to cause a warning, so we mark the circuit * here. */ } } if ((reason=circuit_send_next_onion_skin(TO_ORIGIN_CIRCUIT(circ)))<0) { log_info(domain,"circuit_send_next_onion_skin() failed."); return reason; } /* Total all valid bytes delivered. */ if (CIRCUIT_IS_ORIGIN(circ)) { circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length); } return 0; case RELAY_COMMAND_TRUNCATE: if (layer_hint) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "'truncate' unsupported at origin. Dropping."); return 0; } if (circ->n_hop) { if (circ->n_chan) log_warn(LD_BUG, "n_chan and n_hop set on the same circuit!"); extend_info_free(circ->n_hop); circ->n_hop = NULL; tor_free(circ->n_chan_create_cell); circuit_set_state(circ, CIRCUIT_STATE_OPEN); } if (circ->n_chan) { uint8_t trunc_reason = get_uint8(cell->payload + RELAY_HEADER_SIZE); circuit_synchronize_written_or_bandwidth(circ, CIRCUIT_N_CHAN); circuit_clear_cell_queue(circ, circ->n_chan); channel_send_destroy(circ->n_circ_id, circ->n_chan, trunc_reason); circuit_set_n_circid_chan(circ, 0, NULL); } log_debug(LD_EXIT, "Processed 'truncate', replying."); { char payload[1]; payload[0] = (char)END_CIRC_REASON_REQUESTED; relay_send_command_from_edge(0, circ, RELAY_COMMAND_TRUNCATED, payload, sizeof(payload), NULL); } return 0; case RELAY_COMMAND_TRUNCATED: if (!layer_hint) { log_fn(LOG_PROTOCOL_WARN, LD_EXIT, "'truncated' unsupported at non-origin. Dropping."); return 0; } /* Count the truncated as valid, for completeness. The * circuit is being torn down anyway, though. */ if (CIRCUIT_IS_ORIGIN(circ)) { circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length); } circuit_truncated(TO_ORIGIN_CIRCUIT(circ), get_uint8(cell->payload + RELAY_HEADER_SIZE)); return 0; case RELAY_COMMAND_CONNECTED: if (conn) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "'connected' unsupported while open. Closing circ."); return -END_CIRC_REASON_TORPROTOCOL; } if (CIRCUIT_IS_ORIGIN(circ)) { origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); if (connection_half_edge_is_valid_connected(ocirc->half_streams, rh->stream_id)) { circuit_read_valid_data(ocirc, rh->length); log_info(domain, "connected cell on circ %u valid on half-closed " "stream id %d", ocirc->global_identifier, rh->stream_id); return 0; } } log_info(domain, "'connected' received on circid %u for streamid %d, " "no conn attached anymore. Ignoring.", (unsigned)circ->n_circ_id, rh->stream_id); return 0; case RELAY_COMMAND_SENDME: return process_sendme_cell(rh, cell, circ, conn, layer_hint, domain); case RELAY_COMMAND_RESOLVE: if (layer_hint) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "resolve request unsupported at AP; dropping."); return 0; } else if (conn) { log_fn(LOG_PROTOCOL_WARN, domain, "resolve request for known stream; dropping."); return 0; } else if (circ->purpose != CIRCUIT_PURPOSE_OR) { log_fn(LOG_PROTOCOL_WARN, domain, "resolve request on circ with purpose %d; dropping", circ->purpose); return 0; } return connection_exit_begin_resolve(cell, TO_OR_CIRCUIT(circ)); case RELAY_COMMAND_RESOLVED: if (conn) { log_fn(LOG_PROTOCOL_WARN, domain, "'resolved' unsupported while open. Closing circ."); return -END_CIRC_REASON_TORPROTOCOL; } if (CIRCUIT_IS_ORIGIN(circ)) { origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); if (relay_crypt_from_last_hop(ocirc, layer_hint) && connection_half_edge_is_valid_resolved(ocirc->half_streams, rh->stream_id)) { circuit_read_valid_data(ocirc, rh->length); log_info(domain, "resolved cell on circ %u valid on half-closed " "stream id %d", ocirc->global_identifier, rh->stream_id); return 0; } } log_info(domain, "'resolved' received, no conn attached anymore. Ignoring."); return 0; case RELAY_COMMAND_ESTABLISH_INTRO: case RELAY_COMMAND_ESTABLISH_RENDEZVOUS: case RELAY_COMMAND_INTRODUCE1: case RELAY_COMMAND_INTRODUCE2: case RELAY_COMMAND_INTRODUCE_ACK: case RELAY_COMMAND_RENDEZVOUS1: case RELAY_COMMAND_RENDEZVOUS2: case RELAY_COMMAND_INTRO_ESTABLISHED: case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED: rend_process_relay_cell(circ, layer_hint, rh->command, rh->length, cell->payload+RELAY_HEADER_SIZE); return 0; } log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Received unknown relay command %d. Perhaps the other side is using " "a newer version of Tor? Dropping.", rh->command); return 0; /* for forward compatibility, don't kill the circuit */ } /** An incoming relay cell has arrived on circuit circ. If * conn is NULL this is a control cell, else cell is * destined for conn. * * If layer_hint is defined, then we're the origin of the * circuit, and it specifies the hop that packaged cell. * * Return -reason if you want to warn and tear down the circuit, else 0. */ STATIC int connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, edge_connection_t *conn, crypt_path_t *layer_hint) { static int num_seen=0; relay_header_t rh; unsigned domain = layer_hint?LD_APP:LD_EXIT; tor_assert(cell); tor_assert(circ); relay_header_unpack(&rh, cell->payload); // log_fn(LOG_DEBUG,"command %d stream %d", rh.command, rh.stream_id); num_seen++; log_debug(domain, "Now seen %d relay cells here (command %d, stream %d).", num_seen, rh.command, rh.stream_id); if (rh.length > RELAY_PAYLOAD_SIZE) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay cell length field too long. Closing circuit."); return - END_CIRC_REASON_TORPROTOCOL; } if (rh.stream_id == 0) { switch (rh.command) { case RELAY_COMMAND_BEGIN: case RELAY_COMMAND_CONNECTED: case RELAY_COMMAND_END: case RELAY_COMMAND_RESOLVE: case RELAY_COMMAND_RESOLVED: case RELAY_COMMAND_BEGIN_DIR: log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay command %d with zero " "stream_id. Dropping.", (int)rh.command); return 0; default: ; } } /* Regardless of conflux or not, we always decide to send a SENDME * for RELAY_DATA immediately */ if (rh.command == RELAY_COMMAND_DATA) { /* Update our circuit-level deliver window that we received a DATA cell. * If the deliver window goes below 0, we end the circuit and stream due * to a protocol failure. */ if (sendme_circuit_data_received(circ, layer_hint) < 0) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "(relay data) circ deliver_window below 0. Killing."); connection_edge_end_close(conn, END_STREAM_REASON_TORPROTOCOL); return -END_CIRC_REASON_TORPROTOCOL; } /* Consider sending a circuit-level SENDME cell. */ sendme_circuit_consider_sending(circ, layer_hint); /* Continue on to process the data cell via conflux or not */ } /* Conflux handling: If conflux is disabled, or the relay command is not * multiplexed across circuits, then process it immediately. * * Otherwise, we need to process the relay cell against our conflux * queues, and if doing so results in ordered cells to deliver, we * dequeue and process those in-order until there are no more. */ if (!circ->conflux || !conflux_should_multiplex(rh.command)) { return connection_edge_process_ordered_relay_cell(cell, circ, conn, layer_hint, &rh); } else { // If conflux says this cell is in-order, then begin processing // cells from queue until there are none. Otherwise, we do nothing // until further cells arrive. if (conflux_process_cell(circ->conflux, circ, layer_hint, cell)) { conflux_cell_t *c_cell = NULL; int ret = 0; /* First, process this cell */ if ((ret = connection_edge_process_ordered_relay_cell(cell, circ, conn, layer_hint, &rh)) < 0) { return ret; } /* Now, check queue for more */ while ((c_cell = conflux_dequeue_cell(circ->conflux))) { relay_header_unpack(&rh, c_cell->cell.payload); conn = relay_lookup_conn(circ, &c_cell->cell, CELL_DIRECTION_OUT, layer_hint); if ((ret = connection_edge_process_ordered_relay_cell(&c_cell->cell, circ, conn, layer_hint, &rh)) < 0) { /* Negative return value is a fatal error. Return early and tear down * circuit */ tor_free(c_cell); return ret; } tor_free(c_cell); } } } return 0; } /** * Helper function to process a relay cell that is in the proper order * for processing right now. */ static int connection_edge_process_ordered_relay_cell(cell_t *cell, circuit_t *circ, edge_connection_t *conn, crypt_path_t *layer_hint, relay_header_t *rh) { int optimistic_data = 0; /* Set to 1 if we receive data on a stream * that's in the EXIT_CONN_STATE_RESOLVING * or EXIT_CONN_STATE_CONNECTING states. */ /* Tell circpad that we've received a recognized cell */ circpad_deliver_recognized_relay_cell_events(circ, rh->command, layer_hint); /* either conn is NULL, in which case we've got a control cell, or else * conn points to the recognized stream. */ if (conn && !connection_state_is_open(TO_CONN(conn))) { if (conn->base_.type == CONN_TYPE_EXIT && (conn->base_.state == EXIT_CONN_STATE_CONNECTING || conn->base_.state == EXIT_CONN_STATE_RESOLVING) && rh->command == RELAY_COMMAND_DATA) { /* Allow DATA cells to be delivered to an exit node in state * EXIT_CONN_STATE_CONNECTING or EXIT_CONN_STATE_RESOLVING. * This speeds up HTTP, for example. */ optimistic_data = 1; } else if (rh->stream_id == 0 && rh->command == RELAY_COMMAND_DATA) { log_warn(LD_BUG, "Somehow I had a connection that matched a " "data cell with stream ID 0."); } else { return connection_edge_process_relay_cell_not_open( rh, cell, circ, conn, layer_hint); } } return handle_relay_cell_command(cell, circ, conn, layer_hint, rh, optimistic_data); } /** How many relay_data cells have we built, ever? */ uint64_t stats_n_data_cells_packaged = 0; /** How many bytes of data have we put in relay_data cells have we built, * ever? This would be RELAY_PAYLOAD_SIZE*stats_n_data_cells_packaged if * every relay cell we ever sent were completely full of data. */ uint64_t stats_n_data_bytes_packaged = 0; /** How many relay_data cells have we received, ever? */ uint64_t stats_n_data_cells_received = 0; /** How many bytes of data have we received relay_data cells, ever? This would * be RELAY_PAYLOAD_SIZE*stats_n_data_cells_packaged if every relay cell we * ever received were completely full of data. */ uint64_t stats_n_data_bytes_received = 0; /** * Called when initializing a circuit, or when we have reached the end of the * window in which we need to send some randomness so that incoming sendme * cells will be unpredictable. Resets the flags and picks a new window. */ void circuit_reset_sendme_randomness(circuit_t *circ) { circ->have_sent_sufficiently_random_cell = 0; // XXX: do we need to change this check for congestion control? circ->send_randomness_after_n_cells = CIRCWINDOW_INCREMENT / 2 + crypto_fast_rng_get_uint(get_thread_fast_rng(), CIRCWINDOW_INCREMENT / 2); } /** * Any relay data payload containing fewer than this many real bytes is * considered to have enough randomness to. **/ #define RELAY_PAYLOAD_LENGTH_FOR_RANDOM_SENDMES \ (RELAY_PAYLOAD_SIZE - CELL_PADDING_GAP - 16) /** * Helper. Return the number of bytes that should be put into a cell from a * given edge connection on which n_available bytes are available. */ STATIC size_t connection_edge_get_inbuf_bytes_to_package(size_t n_available, int package_partial, circuit_t *on_circuit) { if (!n_available) return 0; /* Do we need to force this payload to have space for randomness? */ const bool force_random_bytes = (on_circuit->send_randomness_after_n_cells == 0) && (! on_circuit->have_sent_sufficiently_random_cell); /* At most how much would we like to send in this cell? */ size_t target_length; if (force_random_bytes) { target_length = RELAY_PAYLOAD_LENGTH_FOR_RANDOM_SENDMES; } else { target_length = RELAY_PAYLOAD_SIZE; } /* Decide how many bytes we will actually put into this cell. */ size_t package_length; if (n_available >= target_length) { /* A full payload is available. */ package_length = target_length; } else { /* not a full payload available */ if (package_partial) package_length = n_available; /* just take whatever's available now */ else return 0; /* nothing to do until we have a full payload */ } /* If we reach this point, we will be definitely sending the cell. */ tor_assert_nonfatal(package_length > 0); if (package_length <= RELAY_PAYLOAD_LENGTH_FOR_RANDOM_SENDMES) { /* This cell will have enough randomness in the padding to make a future * sendme cell unpredictable. */ on_circuit->have_sent_sufficiently_random_cell = 1; } if (on_circuit->send_randomness_after_n_cells == 0) { /* Either this cell, or some previous cell, had enough padding to * ensure sendme unpredictability. */ tor_assert_nonfatal(on_circuit->have_sent_sufficiently_random_cell); /* Pick a new interval in which we need to send randomness. */ circuit_reset_sendme_randomness(on_circuit); } --on_circuit->send_randomness_after_n_cells; return package_length; } /** If conn has an entire relay payload of bytes on its inbuf (or * package_partial is true), and the appropriate package windows aren't * empty, grab a cell and send it down the circuit. * * If *max_cells is given, package no more than max_cells. Decrement * *max_cells by the number of cells packaged. * * Return -1 (and send a RELAY_COMMAND_END cell if necessary) if conn should * be marked for close, else return 0. */ int connection_edge_package_raw_inbuf(edge_connection_t *conn, int package_partial, int *max_cells) { size_t bytes_to_process, length; char payload[CELL_PAYLOAD_SIZE]; circuit_t *circ; const unsigned domain = conn->base_.type == CONN_TYPE_AP ? LD_APP : LD_EXIT; int sending_from_optimistic = 0; entry_connection_t *entry_conn = conn->base_.type == CONN_TYPE_AP ? EDGE_TO_ENTRY_CONN(conn) : NULL; const int sending_optimistically = entry_conn && conn->base_.type == CONN_TYPE_AP && conn->base_.state != AP_CONN_STATE_OPEN; crypt_path_t *cpath_layer = conn->cpath_layer; tor_assert(conn); if (BUG(conn->base_.marked_for_close)) { log_warn(LD_BUG, "called on conn that's already marked for close at %s:%d.", conn->base_.marked_for_close_file, conn->base_.marked_for_close); return 0; } if (max_cells && *max_cells <= 0) return 0; repeat_connection_edge_package_raw_inbuf: circ = circuit_get_by_edge_conn(conn); if (!circ) { log_info(domain,"conn has no circuit! Closing."); conn->end_reason = END_STREAM_REASON_CANT_ATTACH; return -1; } if (circuit_consider_stop_edge_reading(circ, cpath_layer)) return 0; if (conn->package_window <= 0) { log_info(domain,"called with package_window %d. Skipping.", conn->package_window); connection_stop_reading(TO_CONN(conn)); return 0; } sending_from_optimistic = entry_conn && entry_conn->sending_optimistic_data != NULL; if (PREDICT_UNLIKELY(sending_from_optimistic)) { bytes_to_process = buf_datalen(entry_conn->sending_optimistic_data); if (PREDICT_UNLIKELY(!bytes_to_process)) { log_warn(LD_BUG, "sending_optimistic_data was non-NULL but empty"); bytes_to_process = connection_get_inbuf_len(TO_CONN(conn)); sending_from_optimistic = 0; } } else { bytes_to_process = connection_get_inbuf_len(TO_CONN(conn)); } length = connection_edge_get_inbuf_bytes_to_package(bytes_to_process, package_partial, circ); if (!length) return 0; /* If we reach this point, we will definitely be packaging bytes into * a cell. */ stats_n_data_bytes_packaged += length; stats_n_data_cells_packaged += 1; if (PREDICT_UNLIKELY(sending_from_optimistic)) { /* XXXX We could be more efficient here by sometimes packing * previously-sent optimistic data in the same cell with data * from the inbuf. */ buf_get_bytes(entry_conn->sending_optimistic_data, payload, length); if (!buf_datalen(entry_conn->sending_optimistic_data)) { buf_free(entry_conn->sending_optimistic_data); entry_conn->sending_optimistic_data = NULL; } } else { connection_buf_get_bytes(payload, length, TO_CONN(conn)); } log_debug(domain,TOR_SOCKET_T_FORMAT": Packaging %d bytes (%d waiting).", conn->base_.s, (int)length, (int)connection_get_inbuf_len(TO_CONN(conn))); if (sending_optimistically && !sending_from_optimistic) { /* This is new optimistic data; remember it in case we need to detach and retry */ if (!entry_conn->pending_optimistic_data) entry_conn->pending_optimistic_data = buf_new(); buf_add(entry_conn->pending_optimistic_data, payload, length); } /* Send a data cell. This handles the circuit package window. */ if (connection_edge_send_command(conn, RELAY_COMMAND_DATA, payload, length) < 0 ) { /* circuit got marked for close, don't continue, don't need to mark conn */ return 0; } /* Handle the stream-level SENDME package window. */ if (sendme_note_stream_data_packaged(conn, length) < 0) { connection_stop_reading(TO_CONN(conn)); log_debug(domain,"conn->package_window reached 0."); circuit_consider_stop_edge_reading(circ, cpath_layer); return 0; /* don't process the inbuf any more */ } log_debug(domain,"conn->package_window is now %d",conn->package_window); if (max_cells) { *max_cells -= 1; if (*max_cells <= 0) return 0; } /* handle more if there's more, or return 0 if there isn't */ goto repeat_connection_edge_package_raw_inbuf; } /** The circuit circ has received a circuit-level sendme * (on hop layer_hint, if we're the OP). Go through all the * attached streams and let them resume reading and packaging, if * their stream windows allow it. */ static void circuit_resume_edge_reading(circuit_t *circ, crypt_path_t *layer_hint) { if (circuit_queue_streams_are_blocked(circ)) { log_debug(layer_hint?LD_APP:LD_EXIT,"Too big queue, no resuming"); return; } /* If we have a conflux negotiated, and it still can't send on * any circuit, then do not resume sending. */ if (circ->conflux && !conflux_can_send(circ->conflux)) { log_debug(layer_hint?LD_APP:LD_EXIT, "Conflux can't send, not resuming edges"); return; } log_debug(layer_hint?LD_APP:LD_EXIT,"resuming"); if (CIRCUIT_IS_ORIGIN(circ)) circuit_resume_edge_reading_helper(TO_ORIGIN_CIRCUIT(circ)->p_streams, circ, layer_hint); else circuit_resume_edge_reading_helper(TO_OR_CIRCUIT(circ)->n_streams, circ, layer_hint); } /** A helper function for circuit_resume_edge_reading() above. * The arguments are the same, except that conn is the head * of a linked list of edge streams that should each be considered. */ static int circuit_resume_edge_reading_helper(edge_connection_t *first_conn, circuit_t *circ, crypt_path_t *layer_hint) { edge_connection_t *conn; int n_packaging_streams, n_streams_left; int packaged_this_round; int cells_on_queue; int cells_per_conn; edge_connection_t *chosen_stream = NULL; int max_to_package; if (first_conn == NULL) { /* Don't bother to try to do the rest of this if there are no connections * to resume. */ return 0; } /* Once we used to start listening on the streams in the order they * appeared in the linked list. That leads to starvation on the * streams that appeared later on the list, since the first streams * would always get to read first. Instead, we just pick a random * stream on the list, and enable reading for streams starting at that * point (and wrapping around as if the list were circular). It would * probably be better to actually remember which streams we've * serviced in the past, but this is simple and effective. */ /* Select a stream uniformly at random from the linked list. We * don't need cryptographic randomness here. */ { int num_streams = 0; for (conn = first_conn; conn; conn = conn->next_stream) { num_streams++; if (crypto_fast_rng_one_in_n(get_thread_fast_rng(), num_streams)) { chosen_stream = conn; } /* Invariant: chosen_stream has been chosen uniformly at random from * among the first num_streams streams on first_conn. * * (Note that we iterate over every stream on the circuit, so that after * we've considered the first stream, we've chosen it with P=1; and * after we consider the second stream, we've switched to it with P=1/2 * and stayed with the first stream with P=1/2; and after we've * considered the third stream, we've switched to it with P=1/3 and * remained with one of the first two streams with P=(2/3), giving each * one P=(1/2)(2/3) )=(1/3).) */ } } /* Count how many non-marked streams there are that have anything on * their inbuf, and enable reading on all of the connections. */ n_packaging_streams = 0; /* Activate reading starting from the chosen stream */ for (conn=chosen_stream; conn; conn = conn->next_stream) { /* Start reading for the streams starting from here */ if (conn->base_.marked_for_close || conn->package_window <= 0) continue; if (edge_uses_cpath(conn, layer_hint)) { if (!conn->xoff_received) { connection_start_reading(TO_CONN(conn)); } if (connection_get_inbuf_len(TO_CONN(conn)) > 0) ++n_packaging_streams; } } /* Go back and do the ones we skipped, circular-style */ for (conn = first_conn; conn != chosen_stream; conn = conn->next_stream) { if (conn->base_.marked_for_close || conn->package_window <= 0) continue; if (edge_uses_cpath(conn, layer_hint)) { if (!conn->xoff_received) { connection_start_reading(TO_CONN(conn)); } if (connection_get_inbuf_len(TO_CONN(conn)) > 0) ++n_packaging_streams; } } if (n_packaging_streams == 0) /* avoid divide-by-zero */ return 0; again: /* If we're using conflux, the circuit we decide to send on may change * after we're sending. Get it again, and re-check package windows * for it */ if (circ->conflux) { if (circuit_consider_stop_edge_reading(circ, layer_hint)) return -1; circ = conflux_decide_next_circ(circ->conflux); /* Get the destination layer hint for this circuit */ layer_hint = conflux_get_destination_hop(circ); } /* How many cells do we have space for? It will be the minimum of * the number needed to exhaust the package window, and the minimum * needed to fill the cell queue. */ max_to_package = congestion_control_get_package_window(circ, layer_hint); if (CIRCUIT_IS_ORIGIN(circ)) { cells_on_queue = circ->n_chan_cells.n; } else { or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); cells_on_queue = or_circ->p_chan_cells.n; } if (cell_queue_highwatermark() - cells_on_queue < max_to_package) max_to_package = cell_queue_highwatermark() - cells_on_queue; cells_per_conn = CEIL_DIV(max_to_package, n_packaging_streams); packaged_this_round = 0; n_streams_left = 0; /* Iterate over all connections. Package up to cells_per_conn cells on * each. Update packaged_this_round with the total number of cells * packaged, and n_streams_left with the number that still have data to * package. */ for (conn=first_conn; conn; conn=conn->next_stream) { if (conn->base_.marked_for_close || conn->package_window <= 0) continue; if (edge_uses_cpath(conn, layer_hint)) { int n = cells_per_conn, r; /* handle whatever might still be on the inbuf */ r = connection_edge_package_raw_inbuf(conn, 1, &n); /* Note how many we packaged */ packaged_this_round += (cells_per_conn-n); if (r<0) { /* Problem while packaging. (We already sent an end cell if * possible) */ connection_mark_for_close(TO_CONN(conn)); continue; } /* If there's still data to read, we'll be coming back to this stream. */ if (connection_get_inbuf_len(TO_CONN(conn))) ++n_streams_left; /* If the circuit won't accept any more data, return without looking * at any more of the streams. Any connections that should be stopped * have already been stopped by connection_edge_package_raw_inbuf. */ if (circuit_consider_stop_edge_reading(circ, layer_hint)) return -1; /* XXXX should we also stop immediately if we fill up the cell queue? * Probably. */ } } /* If we made progress, and we are willing to package more, and there are * any streams left that want to package stuff... try again! */ if (packaged_this_round && packaged_this_round < max_to_package && n_streams_left) { n_packaging_streams = n_streams_left; goto again; } return 0; } /** Check if the package window for circ is empty (at * hop layer_hint if it's defined). * * If yes, tell edge streams to stop reading and return 1. * Else return 0. */ static int circuit_consider_stop_edge_reading(circuit_t *circ, crypt_path_t *layer_hint) { edge_connection_t *conn = NULL; unsigned domain = layer_hint ? LD_APP : LD_EXIT; if (!layer_hint) { or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); log_debug(domain,"considering circ->package_window %d", circ->package_window); if (circuit_get_package_window(circ, layer_hint) <= 0) { log_debug(domain,"yes, not-at-origin. stopped."); for (conn = or_circ->n_streams; conn; conn=conn->next_stream) connection_stop_reading(TO_CONN(conn)); return 1; } return 0; } /* else, layer hint is defined, use it */ log_debug(domain,"considering layer_hint->package_window %d", layer_hint->package_window); if (circuit_get_package_window(circ, layer_hint) <= 0) { log_debug(domain,"yes, at-origin. stopped."); for (conn = TO_ORIGIN_CIRCUIT(circ)->p_streams; conn; conn=conn->next_stream) { if (edge_uses_cpath(conn, layer_hint)) connection_stop_reading(TO_CONN(conn)); } return 1; } return 0; } /** The total number of cells we have allocated. */ static size_t total_cells_allocated = 0; /** Release storage held by cell. */ static inline void packed_cell_free_unchecked(packed_cell_t *cell) { --total_cells_allocated; tor_free(cell); } /** Allocate and return a new packed_cell_t. */ STATIC packed_cell_t * packed_cell_new(void) { ++total_cells_allocated; return tor_malloc_zero(sizeof(packed_cell_t)); } /** Return a packed cell used outside by channel_t lower layer */ void packed_cell_free_(packed_cell_t *cell) { if (!cell) return; packed_cell_free_unchecked(cell); } /** Log current statistics for cell pool allocation at log level * severity. */ void dump_cell_pool_usage(int severity) { int n_circs = 0; int n_cells = 0; SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, c) { n_cells += c->n_chan_cells.n; if (!CIRCUIT_IS_ORIGIN(c)) n_cells += TO_OR_CIRCUIT(c)->p_chan_cells.n; ++n_circs; } SMARTLIST_FOREACH_END(c); tor_log(severity, LD_MM, "%d cells allocated on %d circuits. %d cells leaked.", n_cells, n_circs, (int)total_cells_allocated - n_cells); } /** Allocate a new copy of packed cell. */ static inline packed_cell_t * packed_cell_copy(const cell_t *cell, int wide_circ_ids) { packed_cell_t *c = packed_cell_new(); cell_pack(c, cell, wide_circ_ids); return c; } /** Append cell to the end of queue. */ void cell_queue_append(cell_queue_t *queue, packed_cell_t *cell) { TOR_SIMPLEQ_INSERT_TAIL(&queue->head, cell, next); ++queue->n; } /** Append a newly allocated copy of cell to the end of the * exitward (or app-ward) queue of circ. If * use_stats is true, record statistics about the cell. */ void cell_queue_append_packed_copy(circuit_t *circ, cell_queue_t *queue, int exitward, const cell_t *cell, int wide_circ_ids, int use_stats) { packed_cell_t *copy = packed_cell_copy(cell, wide_circ_ids); (void)circ; (void)exitward; (void)use_stats; copy->inserted_timestamp = monotime_coarse_get_stamp(); cell_queue_append(queue, copy); } /** Initialize queue as an empty cell queue. */ void cell_queue_init(cell_queue_t *queue) { memset(queue, 0, sizeof(cell_queue_t)); TOR_SIMPLEQ_INIT(&queue->head); } /** Remove and free every cell in queue. */ void cell_queue_clear(cell_queue_t *queue) { packed_cell_t *cell; while ((cell = TOR_SIMPLEQ_FIRST(&queue->head))) { TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next); packed_cell_free_unchecked(cell); } TOR_SIMPLEQ_INIT(&queue->head); queue->n = 0; } /** Extract and return the cell at the head of queue; return NULL if * queue is empty. */ STATIC packed_cell_t * cell_queue_pop(cell_queue_t *queue) { packed_cell_t *cell = TOR_SIMPLEQ_FIRST(&queue->head); if (!cell) return NULL; TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next); --queue->n; return cell; } /** Initialize queue as an empty cell queue. */ void destroy_cell_queue_init(destroy_cell_queue_t *queue) { memset(queue, 0, sizeof(destroy_cell_queue_t)); TOR_SIMPLEQ_INIT(&queue->head); } /** Remove and free every cell in queue. */ void destroy_cell_queue_clear(destroy_cell_queue_t *queue) { destroy_cell_t *cell; while ((cell = TOR_SIMPLEQ_FIRST(&queue->head))) { TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next); tor_free(cell); } TOR_SIMPLEQ_INIT(&queue->head); queue->n = 0; } /** Extract and return the cell at the head of queue; return NULL if * queue is empty. */ STATIC destroy_cell_t * destroy_cell_queue_pop(destroy_cell_queue_t *queue) { destroy_cell_t *cell = TOR_SIMPLEQ_FIRST(&queue->head); if (!cell) return NULL; TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next); --queue->n; return cell; } /** Append a destroy cell for circid to queue. */ void destroy_cell_queue_append(destroy_cell_queue_t *queue, circid_t circid, uint8_t reason) { destroy_cell_t *cell = tor_malloc_zero(sizeof(destroy_cell_t)); cell->circid = circid; cell->reason = reason; /* Not yet used, but will be required for OOM handling. */ cell->inserted_timestamp = monotime_coarse_get_stamp(); TOR_SIMPLEQ_INSERT_TAIL(&queue->head, cell, next); ++queue->n; } /** Convert a destroy_cell_t to a newly allocated cell_t. Frees its input. */ static packed_cell_t * destroy_cell_to_packed_cell(destroy_cell_t *inp, int wide_circ_ids) { packed_cell_t *packed = packed_cell_new(); cell_t cell; memset(&cell, 0, sizeof(cell)); cell.circ_id = inp->circid; cell.command = CELL_DESTROY; cell.payload[0] = inp->reason; cell_pack(packed, &cell, wide_circ_ids); tor_free(inp); return packed; } /** Return the total number of bytes used for each packed_cell in a queue. * Approximate. */ size_t packed_cell_mem_cost(void) { return sizeof(packed_cell_t); } /* DOCDOC */ size_t cell_queues_get_total_allocation(void) { return total_cells_allocated * packed_cell_mem_cost(); } /** How long after we've been low on memory should we try to conserve it? */ #define MEMORY_PRESSURE_INTERVAL (30*60) /** The time at which we were last low on memory. */ static time_t last_time_under_memory_pressure = 0; /** Statistics on how many bytes were removed by the OOM per type. */ uint64_t oom_stats_n_bytes_removed_dns = 0; uint64_t oom_stats_n_bytes_removed_cell = 0; uint64_t oom_stats_n_bytes_removed_geoip = 0; uint64_t oom_stats_n_bytes_removed_hsdir = 0; /** Check whether we've got too much space used for cells. If so, * call the OOM handler and return 1. Otherwise, return 0. */ STATIC int cell_queues_check_size(void) { size_t removed = 0; time_t now = time(NULL); size_t alloc = cell_queues_get_total_allocation(); alloc += half_streams_get_total_allocation(); alloc += buf_get_total_allocation(); alloc += tor_compress_get_total_allocation(); const size_t hs_cache_total = hs_cache_get_total_allocation(); alloc += hs_cache_total; const size_t geoip_client_cache_total = geoip_client_cache_total_allocation(); alloc += geoip_client_cache_total; const size_t dns_cache_total = dns_cache_total_allocation(); alloc += dns_cache_total; const size_t conflux_total = conflux_get_total_bytes_allocation(); alloc += conflux_total; if (alloc >= get_options()->MaxMemInQueues_low_threshold) { last_time_under_memory_pressure = approx_time(); if (alloc >= get_options()->MaxMemInQueues) { /* Note this overload down */ rep_hist_note_overload(OVERLOAD_GENERAL); /* If we're spending over 20% of the memory limit on hidden service * descriptors, free them until we're down to 10%. Do the same for geoip * client cache. */ if (hs_cache_total > get_options()->MaxMemInQueues / 5) { const size_t bytes_to_remove = hs_cache_total - (size_t)(get_options()->MaxMemInQueues / 10); removed = hs_cache_handle_oom(now, bytes_to_remove); oom_stats_n_bytes_removed_hsdir += removed; alloc -= removed; } if (geoip_client_cache_total > get_options()->MaxMemInQueues / 5) { const size_t bytes_to_remove = geoip_client_cache_total - (size_t)(get_options()->MaxMemInQueues / 10); removed = geoip_client_cache_handle_oom(now, bytes_to_remove); oom_stats_n_bytes_removed_geoip += removed; alloc -= removed; } if (dns_cache_total > get_options()->MaxMemInQueues / 5) { const size_t bytes_to_remove = dns_cache_total - (size_t)(get_options()->MaxMemInQueues / 10); removed = dns_cache_handle_oom(now, bytes_to_remove); oom_stats_n_bytes_removed_dns += removed; alloc -= removed; } /* Like onion service above, try to go down to 10% if we are above 20% */ if (conflux_total > get_options()->MaxMemInQueues / 5) { const size_t bytes_to_remove = conflux_total - (size_t)(get_options()->MaxMemInQueues / 10); removed = conflux_handle_oom(bytes_to_remove); oom_stats_n_bytes_removed_cell += removed; alloc -= removed; } removed = circuits_handle_oom(alloc); oom_stats_n_bytes_removed_cell += removed; return 1; } } return 0; } /** Return true if we've been under memory pressure in the last * MEMORY_PRESSURE_INTERVAL seconds. */ int have_been_under_memory_pressure(void) { return last_time_under_memory_pressure + MEMORY_PRESSURE_INTERVAL < approx_time(); } /** * Update the number of cells available on the circuit's n_chan or p_chan's * circuit mux. */ void update_circuit_on_cmux_(circuit_t *circ, cell_direction_t direction, const char *file, int lineno) { channel_t *chan = NULL; or_circuit_t *or_circ = NULL; circuitmux_t *cmux = NULL; tor_assert(circ); /* Okay, get the channel */ if (direction == CELL_DIRECTION_OUT) { chan = circ->n_chan; } else { or_circ = TO_OR_CIRCUIT(circ); chan = or_circ->p_chan; } tor_assert(chan); tor_assert(chan->cmux); /* Now get the cmux */ cmux = chan->cmux; /* Cmux sanity check */ if (! circuitmux_is_circuit_attached(cmux, circ)) { log_warn(LD_BUG, "called on non-attached circuit from %s:%d", file, lineno); return; } tor_assert(circuitmux_attached_circuit_direction(cmux, circ) == direction); /* Update the number of cells we have for the circuit mux */ if (direction == CELL_DIRECTION_OUT) { circuitmux_set_num_cells(cmux, circ, circ->n_chan_cells.n); } else { circuitmux_set_num_cells(cmux, circ, or_circ->p_chan_cells.n); } } /** Remove all circuits from the cmux on chan. * * If circuits_out is non-NULL, add all detached circuits to * circuits_out. **/ void channel_unlink_all_circuits(channel_t *chan, smartlist_t *circuits_out) { tor_assert(chan); tor_assert(chan->cmux); circuitmux_detach_all_circuits(chan->cmux, circuits_out); chan->num_n_circuits = 0; chan->num_p_circuits = 0; } /** * Called when a circuit becomes blocked or unblocked due to the channel * cell queue. * * Block (if block is true) or unblock (if block is false) * every edge connection that is using circ to write to chan, * and start or stop reading as appropriate. */ static void set_circuit_blocked_on_chan(circuit_t *circ, channel_t *chan, int block) { edge_connection_t *edge = NULL; if (circ->n_chan == chan) { circ->circuit_blocked_on_n_chan = block; if (CIRCUIT_IS_ORIGIN(circ)) edge = TO_ORIGIN_CIRCUIT(circ)->p_streams; } else { circ->circuit_blocked_on_p_chan = block; tor_assert(!CIRCUIT_IS_ORIGIN(circ)); edge = TO_OR_CIRCUIT(circ)->n_streams; } set_block_state_for_streams(circ, edge, block, 0); } /** * Helper function to block or unblock streams in a stream list. * * If stream_id is 0, apply the block state to all streams * in the stream list. If it is non-zero, only apply to that specific stream. */ static void set_block_state_for_streams(circuit_t *circ, edge_connection_t *stream_list, int block, streamid_t stream_id) { /* If we have a conflux object, we need to examine its status before * blocking and unblocking streams. */ if (circ->conflux) { bool can_send = conflux_can_send(circ->conflux); if (block && can_send) { /* Don't actually block streams, since conflux can send*/ return; } else if (!block && !can_send) { /* Don't actually unblock streams, since conflux still can't send */ return; } } for (edge_connection_t *edge = stream_list; edge; edge = edge->next_stream) { connection_t *conn = TO_CONN(edge); if (stream_id && edge->stream_id != stream_id) continue; if (!conn->read_event || edge->xoff_received || conn->marked_for_close) { /* This connection should not start or stop reading. */ continue; } if (block) { if (connection_is_reading(conn)) connection_stop_reading(conn); } else { /* Is this right? */ if (!connection_is_reading(conn)) connection_start_reading(conn); } } } /** Extract the command from a packed cell. */ uint8_t packed_cell_get_command(const packed_cell_t *cell, int wide_circ_ids) { if (wide_circ_ids) { return get_uint8(cell->body+4); } else { return get_uint8(cell->body+2); } } /** Extract the circuit ID from a packed cell. */ circid_t packed_cell_get_circid(const packed_cell_t *cell, int wide_circ_ids) { if (wide_circ_ids) { return ntohl(get_uint32(cell->body)); } else { return ntohs(get_uint16(cell->body)); } } /** Pull as many cells as possible (but no more than max) from the * queue of the first active circuit on chan, and write them to * chan->outbuf. Return the number of cells written. Advance * the active circuit pointer to the next active circuit in the ring. */ MOCK_IMPL(int, channel_flush_from_first_active_circuit, (channel_t *chan, int max)) { circuitmux_t *cmux = NULL; int n_flushed = 0; cell_queue_t *queue; destroy_cell_queue_t *destroy_queue=NULL; circuit_t *circ; or_circuit_t *or_circ; int circ_blocked; packed_cell_t *cell; /* Get the cmux */ tor_assert(chan); tor_assert(chan->cmux); cmux = chan->cmux; /* Main loop: pick a circuit, send a cell, update the cmux */ while (n_flushed < max) { circ = circuitmux_get_first_active_circuit(cmux, &destroy_queue); if (destroy_queue) { destroy_cell_t *dcell; /* this code is duplicated from some of the logic below. Ugly! XXXX */ /* If we are given a destroy_queue here, then it is required to be * nonempty... */ tor_assert(destroy_queue->n > 0); dcell = destroy_cell_queue_pop(destroy_queue); /* ...and pop() will always yield a cell from a nonempty queue. */ tor_assert(dcell); /* frees dcell */ cell = destroy_cell_to_packed_cell(dcell, chan->wide_circ_ids); /* Send the DESTROY cell. It is very unlikely that this fails but just * in case, get rid of the channel. */ if (channel_write_packed_cell(chan, cell) < 0) { /* The cell has been freed. */ channel_mark_for_close(chan); continue; } /* Update the cmux destroy counter */ circuitmux_notify_xmit_destroy(cmux); cell = NULL; ++n_flushed; continue; } /* If it returns NULL, no cells left to send */ if (!circ) break; if (circ->n_chan == chan) { queue = &circ->n_chan_cells; circ_blocked = circ->circuit_blocked_on_n_chan; } else { or_circ = TO_OR_CIRCUIT(circ); tor_assert(or_circ->p_chan == chan); queue = &TO_OR_CIRCUIT(circ)->p_chan_cells; circ_blocked = circ->circuit_blocked_on_p_chan; } /* Circuitmux told us this was active, so it should have cells. * * Note: In terms of logic and coherence, this should never happen but the * cmux dragon is powerful. Reason is that when the OOM is triggered, when * cleaning up circuits, we mark them for close and then clear their cell * queues. And so, we can have a circuit considered active by the cmux * dragon but without cells. The cmux subsystem is only notified of this * when the circuit is freed which leaves a tiny window between close and * free to end up here. * * We are accepting this as an "ok" race else the changes are likely non * trivial to make the mark for close to set the num cells to 0 and change * the free functions to detach the circuit conditionally without creating * a chain effect of madness. * * The lesson here is arti will prevail and leave the cmux dragon alone. */ if (queue->n == 0) { circuitmux_set_num_cells(cmux, circ, 0); if (! circ->marked_for_close) circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL); continue; } tor_assert(queue->n > 0); /* * Get just one cell here; once we've sent it, that can change the circuit * selection, so we have to loop around for another even if this circuit * has more than one. */ cell = cell_queue_pop(queue); /* Calculate the exact time that this cell has spent in the queue. */ if (get_options()->CellStatistics || get_options()->TestingEnableCellStatsEvent) { uint32_t timestamp_now = monotime_coarse_get_stamp(); uint32_t msec_waiting = (uint32_t) monotime_coarse_stamp_units_to_approx_msec( timestamp_now - cell->inserted_timestamp); if (get_options()->CellStatistics && !CIRCUIT_IS_ORIGIN(circ)) { or_circ = TO_OR_CIRCUIT(circ); or_circ->total_cell_waiting_time += msec_waiting; or_circ->processed_cells++; } if (get_options()->TestingEnableCellStatsEvent) { uint8_t command = packed_cell_get_command(cell, chan->wide_circ_ids); testing_cell_stats_entry_t *ent = tor_malloc_zero(sizeof(testing_cell_stats_entry_t)); ent->command = command; ent->waiting_time = msec_waiting / 10; ent->removed = 1; if (circ->n_chan == chan) ent->exitward = 1; if (!circ->testing_cell_stats) circ->testing_cell_stats = smartlist_new(); smartlist_add(circ->testing_cell_stats, ent); } } /* If we just flushed our queue and this circuit is used for a * tunneled directory request, possibly advance its state. */ if (queue->n == 0 && chan->dirreq_id) geoip_change_dirreq_state(chan->dirreq_id, DIRREQ_TUNNELED, DIRREQ_CIRC_QUEUE_FLUSHED); /* Now send the cell. It is very unlikely that this fails but just in * case, get rid of the channel. */ if (channel_write_packed_cell(chan, cell) < 0) { /* The cell has been freed at this point. */ channel_mark_for_close(chan); continue; } cell = NULL; /* * Don't packed_cell_free_unchecked(cell) here because the channel will * do so when it gets out of the channel queue (probably already did, in * which case that was an immediate double-free bug). */ /* Update the counter */ ++n_flushed; /* * Now update the cmux; tell it we've just sent a cell, and how many * we have left. */ circuitmux_notify_xmit_cells(cmux, circ, 1); circuitmux_set_num_cells(cmux, circ, queue->n); if (queue->n == 0) log_debug(LD_GENERAL, "Made a circuit inactive."); /* Is the cell queue low enough to unblock all the streams that are waiting * to write to this circuit? */ if (circ_blocked && queue->n <= cell_queue_lowwatermark()) set_circuit_blocked_on_chan(circ, chan, 0); /* unblock streams */ /* If n_flushed < max still, loop around and pick another circuit */ } /* Okay, we're done sending now */ return n_flushed; } /* Minimum value is the maximum circuit window size. * * This value is set to a lower bound we believe is reasonable with congestion * control and basic network running parameters. * * SENDME cells makes it that we can control how many cells can be inflight on * a circuit from end to end. This logic makes it that on any circuit cell * queue, we have a maximum of cells possible. * * Because the Tor protocol allows for a client to exit at any hop in a * circuit and a circuit can be of a maximum of 8 hops, so in theory the * normal worst case will be the circuit window start value times the maximum * number of hops (8). Having more cells then that means something is wrong. * * However, because padding cells aren't counted in the package window, we set * the maximum size to a reasonably large size for which we expect that we'll * never reach in theory. And if we ever do because of future changes, we'll * be able to control it with a consensus parameter. * * XXX: Unfortunately, END cells aren't accounted for in the circuit window * which means that for instance if a client opens 8001 streams, the 8001 * following END cells will queue up in the circuit which will get closed if * the max limit is 8000. Which is sad because it is allowed by the Tor * protocol. But, we need an upper bound on circuit queue in order to avoid * DoS memory pressure so the default size is a middle ground between not * having any limit and having a very restricted one. This is why we can also * control it through a consensus parameter. */ #define RELAY_CIRC_CELL_QUEUE_SIZE_MIN 50 /* We can't have a consensus parameter above this value. */ #define RELAY_CIRC_CELL_QUEUE_SIZE_MAX INT32_MAX /* Default value is set to a large value so we can handle padding cells * properly which aren't accounted for in the SENDME window. Default is 2500 * allowed cells in the queue resulting in ~1MB. */ #define RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT \ (50 * RELAY_CIRC_CELL_QUEUE_SIZE_MIN) /* The maximum number of cells a circuit queue can contain. This is updated at * every new consensus and controlled by a parameter. */ static int32_t max_circuit_cell_queue_size = RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT; /** Maximum number of cell on an outbound circuit queue. This is updated at * every new consensus and controlled by a parameter. This default is incorrect * and won't be used at all except in unit tests. */ static int32_t max_circuit_cell_queue_size_out = RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT; /** Return consensus parameter "circ_max_cell_queue_size". The given ns can be * NULL. */ static uint32_t get_param_max_circuit_cell_queue_size(const networkstatus_t *ns) { return networkstatus_get_param(ns, "circ_max_cell_queue_size", RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT, RELAY_CIRC_CELL_QUEUE_SIZE_MIN, RELAY_CIRC_CELL_QUEUE_SIZE_MAX); } /** Return consensus parameter "circ_max_cell_queue_size_out". The given ns can * be NULL. */ static uint32_t get_param_max_circuit_cell_queue_size_out(const networkstatus_t *ns) { return networkstatus_get_param(ns, "circ_max_cell_queue_size_out", get_param_max_circuit_cell_queue_size(ns), RELAY_CIRC_CELL_QUEUE_SIZE_MIN, RELAY_CIRC_CELL_QUEUE_SIZE_MAX); } /* Called when the consensus has changed. At this stage, the global consensus * object has NOT been updated. It is called from * notify_before_networkstatus_changes(). */ void relay_consensus_has_changed(const networkstatus_t *ns) { tor_assert(ns); /* Update the circuit max cell queue size from the consensus. */ max_circuit_cell_queue_size = get_param_max_circuit_cell_queue_size(ns); max_circuit_cell_queue_size_out = get_param_max_circuit_cell_queue_size_out(ns); } /** Add cell to the queue of circ writing to chan * transmitting in direction. * * The given cell is copied onto the circuit queue so the caller must * cleanup the memory. * * This function is part of the fast path. * * Return 1 if the cell was successfully sent. * Return 0 if the cell can not be sent. The caller MUST NOT close the circuit. * Return -1 indicating an error and that the caller should mark the circuit * for close. */ int append_cell_to_circuit_queue(circuit_t *circ, channel_t *chan, cell_t *cell, cell_direction_t direction, streamid_t fromstream) { or_circuit_t *orcirc = NULL; edge_connection_t *stream_list = NULL; cell_queue_t *queue; int32_t max_queue_size; int circ_blocked; int exitward; if (circ->marked_for_close) { return 0; } exitward = (direction == CELL_DIRECTION_OUT); if (exitward) { queue = &circ->n_chan_cells; circ_blocked = circ->circuit_blocked_on_n_chan; max_queue_size = max_circuit_cell_queue_size_out; if (CIRCUIT_IS_ORIGIN(circ)) stream_list = TO_ORIGIN_CIRCUIT(circ)->p_streams; } else { orcirc = TO_OR_CIRCUIT(circ); queue = &orcirc->p_chan_cells; circ_blocked = circ->circuit_blocked_on_p_chan; max_queue_size = max_circuit_cell_queue_size; stream_list = TO_OR_CIRCUIT(circ)->n_streams; } if (PREDICT_UNLIKELY(queue->n >= max_queue_size)) { /* This DoS defense only applies at the Guard as in the p_chan is likely * a client IP attacking the network. */ if (exitward && CIRCUIT_IS_ORCIRC(circ)) { stats_n_circ_max_cell_outq_reached++; dos_note_circ_max_outq(CONST_TO_OR_CIRCUIT(circ)->p_chan); } log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "%s circuit has %d cells in its queue, maximum allowed is %d. " "Closing circuit for safety reasons.", (exitward) ? "Outbound" : "Inbound", queue->n, max_queue_size); stats_n_circ_max_cell_reached++; return -1; } /* Very important that we copy to the circuit queue because all calls to * this function use the stack for the cell memory. */ cell_queue_append_packed_copy(circ, queue, exitward, cell, chan->wide_circ_ids, 1); /* Check and run the OOM if needed. */ if (PREDICT_UNLIKELY(cell_queues_check_size())) { /* We ran the OOM handler which might have closed this circuit. */ if (circ->marked_for_close) { return 0; } } /* If we have too many cells on the circuit, note that it should * be blocked from new cells. */ if (!circ_blocked && queue->n >= cell_queue_highwatermark()) set_circuit_blocked_on_chan(circ, chan, 1); if (circ_blocked && fromstream) { /* This edge connection is apparently not blocked; this can happen for * new streams on a blocked circuit, for their CONNECTED response. * block it now, unless we have conflux. */ set_block_state_for_streams(circ, stream_list, 1, fromstream); } update_circuit_on_cmux(circ, direction); if (queue->n == 1) { /* This was the first cell added to the queue. We just made this * circuit active. */ log_debug(LD_GENERAL, "Made a circuit active."); } /* New way: mark this as having waiting cells for the scheduler */ scheduler_channel_has_waiting_cells(chan); return 1; } /** Append an encoded value of addr to payload_out, which must * have at least 18 bytes of free space. The encoding is, as specified in * tor-spec.txt: * RESOLVED_TYPE_IPV4 or RESOLVED_TYPE_IPV6 [1 byte] * LENGTH [1 byte] * ADDRESS [length bytes] * Return the number of bytes added, or -1 on error */ int append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr) { uint32_t a; switch (tor_addr_family(addr)) { case AF_INET: payload_out[0] = RESOLVED_TYPE_IPV4; payload_out[1] = 4; a = tor_addr_to_ipv4n(addr); memcpy(payload_out+2, &a, 4); return 6; case AF_INET6: payload_out[0] = RESOLVED_TYPE_IPV6; payload_out[1] = 16; memcpy(payload_out+2, tor_addr_to_in6_addr8(addr), 16); return 18; case AF_UNSPEC: default: return -1; } } /** Given payload_len bytes at payload, starting with an address * encoded as by append_address_to_payload(), try to decode the address into * *addr_out. Return the next byte in the payload after the address on * success, or NULL on failure. */ const uint8_t * decode_address_from_payload(tor_addr_t *addr_out, const uint8_t *payload, int payload_len) { if (payload_len < 2) return NULL; if (payload_len < 2+payload[1]) return NULL; switch (payload[0]) { case RESOLVED_TYPE_IPV4: if (payload[1] != 4) return NULL; tor_addr_from_ipv4n(addr_out, get_uint32(payload+2)); break; case RESOLVED_TYPE_IPV6: if (payload[1] != 16) return NULL; tor_addr_from_ipv6_bytes(addr_out, (payload+2)); break; default: tor_addr_make_unspec(addr_out); break; } return payload + 2 + payload[1]; } /** Remove all the cells queued on circ for chan. */ void circuit_clear_cell_queue(circuit_t *circ, channel_t *chan) { cell_queue_t *queue; cell_direction_t direction; if (circ->n_chan == chan) { queue = &circ->n_chan_cells; direction = CELL_DIRECTION_OUT; } else { or_circuit_t *orcirc = TO_OR_CIRCUIT(circ); tor_assert(orcirc->p_chan == chan); queue = &orcirc->p_chan_cells; direction = CELL_DIRECTION_IN; } /* Clear the queue */ cell_queue_clear(queue); /* Update the cell counter in the cmux */ if (chan->cmux && circuitmux_is_circuit_attached(chan->cmux, circ)) update_circuit_on_cmux(circ, direction); } /** Return 1 if we shouldn't restart reading on this circuit, even if * we get a SENDME. Else return 0. */ static int circuit_queue_streams_are_blocked(circuit_t *circ) { if (CIRCUIT_IS_ORIGIN(circ)) { return circ->circuit_blocked_on_n_chan; } else { return circ->circuit_blocked_on_p_chan; } }