commit 57c82b74b43132d34fffd6c03932555bfbf503e1
Author: Suphanat Chunhapanya <haxx.pop@gmail.com>
Date: Fri Sep 7 21:29:44 2018 +0700
hs-v3: Shuffle the list of authorized clients
This commit makes it so that the authorized clients in the descriptor are listed in
random order instead of in the order they were read from disk.
Fixes #27545
Signed-off-by: David Goulet <dgoulet@torproject.org>
---
src/feature/hs/hs_service.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/feature/hs/hs_service.c b/src/feature/hs/hs_service.c
index 43e5626a5..15f347859 100644
--- a/src/feature/hs/hs_service.c
+++ b/src/feature/hs/hs_service.c
@@ -18,6 +18,7 @@
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/crypt_ops/crypto_ope.h"
+#include "lib/crypt_ops/crypto_rand.h"
#include "feature/dircache/directory.h"
#include "core/mainloop/main.h"
#include "feature/nodelist/networkstatus.h"
@@ -1800,6 +1801,10 @@ build_service_desc_superencrypted(const hs_service_t *service,
smartlist_add(superencrypted->clients, desc_client);
}
+ /* Shuffle the list to prevent a client from learning its position in the
* config. */
+ smartlist_shuffle(superencrypted->clients);
+
return 0;
}
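For context, smartlist_shuffle() is what puts the client list above into random
order. A minimal sketch of the underlying idea (an in-place Fisher-Yates shuffle
over an array of pointers) follows; rand_upto() is a stand-in for a
cryptographically secure generator such as Tor's crypto_rand_int(), and nothing
here is copied from the Tor tree.

/* Sketch only: shuffle an array of pointers in place, as
 * smartlist_shuffle() is expected to do to superencrypted->clients. */
#include <stdlib.h>

static size_t
rand_upto(size_t n)
{
  return (size_t)rand() % n;  /* placeholder; NOT cryptographically safe */
}

static void
shuffle_pointers(void **arr, size_t len)
{
  for (size_t i = len; i > 1; --i) {
    size_t j = rand_upto(i);   /* uniform index in [0, i) */
    void *tmp = arr[i - 1];
    arr[i - 1] = arr[j];
    arr[j] = tmp;
  }
}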
commit ce894e20b597d2d21b56ac8a8f13d1ea4063731d
Author: Mike Perry <mikeperry-git@torproject.org>
Date: Tue Aug 7 04:23:33 2018 +0000
Ticket #25573: Count TRUNCATED cells.
TRUNCATED cells were previously ignored by the path bias accounting code. Now they are
obeyed, and cause us to tear down the circuit. The actual impact is minimal, since
before this change we would just wait around for a probe that would never arrive.
This commit changes client behavior.
---
src/or/circpathbias.c | 10 ++++++++++
src/or/circuitbuild.c | 3 +--
src/or/circuitbuild.h | 3 +--
src/or/relay.c | 9 ++++++++-
src/test/test_relaycell.c | 18 ++++++++++++++++++
5 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/src/or/circpathbias.c b/src/or/circpathbias.c
index 923941e5b..3cdd16261 100644
--- a/src/or/circpathbias.c
+++ b/src/or/circpathbias.c
@@ -929,6 +929,16 @@ pathbias_count_valid_cells(circuit_t *circ, const cell_t *cell)
/* Check to see if this is a cell from a previous connection,
* or is a request to close the circuit. */
switch (rh.command) {
+ case RELAY_COMMAND_TRUNCATED:
+ /* Truncated cells can arrive on path bias circs. When they do,
+ * just process them. This closes the circ, but it was junk anyway.
+ * No reason to wait for the probe. */
+ circuit_read_valid_data(ocirc, rh.length);
+ circuit_truncated(TO_ORIGIN_CIRCUIT(circ),
+ get_uint8(cell->payload + RELAY_HEADER_SIZE));
+
+ break;
+
case RELAY_COMMAND_END:
if (connection_half_edge_is_valid_end(ocirc->half_streams,
rh.stream_id)) {
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 3d1c9c1ab..8f17f2786 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -1419,13 +1419,12 @@ circuit_finish_handshake(origin_circuit_t *circ,
* just give up: force circ to close, and return 0.
*/
int
-circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer, int reason)
+circuit_truncated(origin_circuit_t *circ, int reason)
{
// crypt_path_t *victim;
// connection_t *stream;
tor_assert(circ);
- tor_assert(layer);
/* XXX Since we don't send truncates currently, getting a truncated
* means that a connection broke or an extend failed. For now,
diff --git a/src/or/circuitbuild.h b/src/or/circuitbuild.h
index 0184898e2..e3d30c110 100644
--- a/src/or/circuitbuild.h
+++ b/src/or/circuitbuild.h
@@ -37,8 +37,7 @@ int circuit_init_cpath_crypto(crypt_path_t *cpath,
struct created_cell_t;
int circuit_finish_handshake(origin_circuit_t *circ,
const struct created_cell_t *created_cell);
-int circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer,
- int reason);
+int circuit_truncated(origin_circuit_t *circ, int reason);
int onionskin_answer(or_circuit_t *circ,
const struct created_cell_t *created_cell,
const char *keys, size_t keys_len,
diff --git a/src/or/relay.c b/src/or/relay.c
index 13f2b56bc..81bb94d5a 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1748,7 +1748,14 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
"'truncated' unsupported at non-origin. Dropping.");
return 0;
}
- circuit_truncated(TO_ORIGIN_CIRCUIT(circ), layer_hint,
+
+ /* Count the truncated as valid, for completeness. The
+ * circuit is being torn down anyway, though. */
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ),
+ rh.length);
+ }
+ circuit_truncated(TO_ORIGIN_CIRCUIT(circ),
get_uint8(cell->payload + RELAY_HEADER_SIZE));
return 0;
case RELAY_COMMAND_CONNECTED:
diff --git a/src/test/test_relaycell.c b/src/test/test_relaycell.c
index 4c406a9b7..3f84ee830 100644
--- a/src/test/test_relaycell.c
+++ b/src/test/test_relaycell.c
@@ -116,6 +116,16 @@ mock_connection_mark_unattached_ap_(entry_connection_t *conn, int endreason,
}
static void
+mock_mark_circ_for_close(circuit_t *circ, int reason, int line,
+ const char *file)
+{
+ (void)reason; (void)line; (void)file;
+
+ circ->marked_for_close = 1;
+ return;
+}
+
+static void
mock_mark_for_close(connection_t *conn,
int line, const char *file)
{
@@ -694,6 +704,7 @@ test_circbw_relay(void *arg)
MOCK(connection_start_reading, mock_start_reading);
MOCK(connection_mark_for_close_internal_, mock_mark_for_close);
MOCK(relay_send_command_from_edge_, mock_send_command);
+ MOCK(circuit_mark_for_close_, mock_mark_circ_for_close);
circ = helper_create_origin_circuit(CIRCUIT_PURPOSE_C_GENERAL, 0);
circ->cpath->state = CPATH_STATE_AWAITING_KEYS;
@@ -856,11 +867,18 @@ test_circbw_relay(void *arg)
if (!subtest_circbw_halfclosed(circ, 6))
goto done;
+ /* Path bias: truncated */
+ tt_int_op(circ->base_.marked_for_close, OP_EQ, 0);
+ PACK_CELL(0, RELAY_COMMAND_TRUNCATED, "Data1234");
+ pathbias_count_valid_cells(circ, &cell);
+ tt_int_op(circ->base_.marked_for_close, OP_EQ, 1);
+
done:
UNMOCK(connection_start_reading);
UNMOCK(connection_mark_unattached_ap_);
UNMOCK(connection_mark_for_close_internal_);
UNMOCK(relay_send_command_from_edge_);
+ UNMOCK(circuit_mark_for_close_);
circuit_free_(TO_CIRCUIT(circ));
connection_free_minimal(ENTRY_TO_CONN(entryconn1));
}
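As a side note on the relay.c and circpathbias.c hunks above: the reason argument
that circuit_truncated() now receives is the byte taken straight from the relay
payload. A small self-contained sketch of where that byte sits, following the
relay cell layout in tor-spec (the helper name is invented for illustration):

#include <stdint.h>

/* Relay header: command(1) + recognized(2) + stream_id(2) + digest(4) +
 * length(2) = 11 bytes.  The first payload byte of a TRUNCATED cell is the
 * END_CIRC_REASON_* code chosen by the truncating relay. */
#define RELAY_HEADER_SIZE 11

static uint8_t
truncated_reason(const uint8_t *cell_payload)
{
  return cell_payload[RELAY_HEADER_SIZE];
}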
commit 93ff8b411a2ac8eb6c3b58d90e2476d3e0a372ec
Merge: 810152b20 ce894e20b
Author: Mike Perry <mikeperry-git@torproject.org>
Date: Wed Aug 29 17:10:06 2018 +0000
Merge branch 'ticket25573-034' into ticket25573-master
changes/ticket25573 | 5 +
src/core/or/circuitbuild.c | 3 +-
src/core/or/circuitbuild.h | 3 +-
src/core/or/circuitlist.c | 9 +
src/core/or/connection_edge.c | 226 ++++++++++++++
src/core/or/connection_edge.h | 11 +
src/core/or/half_edge_st.h | 34 ++
src/core/or/origin_circuit_st.h | 4 +
src/core/or/relay.c | 75 ++++-
src/feature/client/circpathbias.c | 63 ++++
src/feature/client/circpathbias.h | 1 +
src/lib/container/smartlist.c | 2 +-
src/lib/container/smartlist.h | 2 +-
src/test/test_relaycell.c | 640 +++++++++++++++++++++++++++++++++++---
14 files changed, 1033 insertions(+), 45 deletions(-)
diff --cc src/core/or/circuitbuild.c
index 5c3d20944,000000000..205160ed5
mode 100644,000000..100644
--- a/src/core/or/circuitbuild.c
+++ b/src/core/or/circuitbuild.c
@@@ -1,3010 -1,0 +1,3009 @@@
+/* Copyright (c) 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file circuitbuild.c
+ *
+ * \brief Implements the details of building circuits (by choosing paths,
+ * constructing/sending create/extend cells, and so on).
+ *
+ * On the client side, this module handles launching circuits. Circuit
+ * launches are started from circuit_establish_circuit(), called from
+ * circuit_launch_by_extend_info(). To choose the path the circuit will
+ * take, onion_extend_cpath() calls into a maze of node selection functions.
+ *
+ * Once the circuit is ready to be launched, the first hop is treated as a
+ * special case with circuit_handle_first_hop(), since it might need to open a
+ * channel. As the channel opens, and later as CREATED and RELAY_EXTENDED
+ * cells arrive, the client will invoke circuit_send_next_onion_skin() to send
+ * CREATE or RELAY_EXTEND cells.
+ *
+ * On the server side, this module also handles the logic of responding to
+ * RELAY_EXTEND requests, using circuit_extend().
+ **/
+
+#define CIRCUITBUILD_PRIVATE
+
+#include "core/or/or.h"
+#include "feature/client/bridges.h"
+#include "core/or/channel.h"
+#include "feature/client/circpathbias.h"
+#define CIRCUITBUILD_PRIVATE
+#include "core/or/circuitbuild.h"
+#include "core/or/circuitlist.h"
+#include "core/or/circuitstats.h"
+#include "core/or/circuituse.h"
+#include "core/or/command.h"
+#include "app/config/config.h"
+#include "app/config/confparse.h"
+#include "core/mainloop/connection.h"
+#include "core/or/connection_edge.h"
+#include "core/or/connection_or.h"
+#include "feature/control/control.h"
+#include "lib/crypt_ops/crypto_rand.h"
+#include "feature/dircache/directory.h"
+#include "feature/client/entrynodes.h"
+#include "core/crypto/hs_ntor.h"
+#include "core/mainloop/main.h"
+#include "feature/nodelist/microdesc.h"
+#include "feature/nodelist/networkstatus.h"
+#include "feature/nodelist/nodelist.h"
+#include "core/crypto/onion.h"
+#include "core/crypto/onion_tap.h"
+#include "core/crypto/onion_fast.h"
+#include "core/or/policies.h"
+#include "core/or/relay.h"
+#include "core/crypto/relay_crypto.h"
+#include "feature/rend/rendcommon.h"
+#include "feature/stats/rephist.h"
+#include "feature/relay/router.h"
+#include "feature/nodelist/routerlist.h"
+#include "feature/nodelist/routerparse.h"
+#include "feature/nodelist/routerset.h"
+#include "feature/client/transports.h"
+
+#include "core/or/cell_st.h"
+#include "core/or/cpath_build_state_st.h"
+#include "core/or/entry_connection_st.h"
+#include "core/or/extend_info_st.h"
+#include "feature/nodelist/node_st.h"
+#include "core/or/or_circuit_st.h"
+#include "core/or/origin_circuit_st.h"
+#include "feature/nodelist/microdesc_st.h"
+#include "feature/nodelist/routerinfo_st.h"
+#include "feature/nodelist/routerstatus_st.h"
+
+static channel_t * channel_connect_for_circuit(const tor_addr_t *addr,
+ uint16_t port,
+ const char *id_digest,
+ const ed25519_public_key_t *ed_id);
+static int circuit_deliver_create_cell(circuit_t *circ,
+ const create_cell_t *create_cell,
+ int relayed);
+static crypt_path_t *onion_next_hop_in_cpath(crypt_path_t *cpath);
+STATIC int onion_append_hop(crypt_path_t **head_ptr, extend_info_t *choice);
+static int circuit_send_first_onion_skin(origin_circuit_t *circ);
+static int circuit_build_no_more_hops(origin_circuit_t *circ);
+static int circuit_send_intermediate_onion_skin(origin_circuit_t *circ,
+ crypt_path_t *hop);
+static const node_t *choose_good_middle_server(uint8_t purpose,
+ cpath_build_state_t *state,
+ crypt_path_t *head,
+ int cur_len);
+
+/** This function tries to get a channel to the specified endpoint,
+ * and then calls command_setup_channel() to give it the right
+ * callbacks.
+ */
+static channel_t *
+channel_connect_for_circuit(const tor_addr_t *addr, uint16_t port,
+ const char *id_digest,
+ const ed25519_public_key_t *ed_id)
+{
+ channel_t *chan;
+
+ chan = channel_connect(addr, port, id_digest, ed_id);
+ if (chan) command_setup_channel(chan);
+
+ return chan;
+}
+
+/** Search for a value for circ_id that we can use on <b>chan</b> for an
+ * outbound circuit, until we get a circ_id that is not in use by any other
+ * circuit on that conn.
+ *
+ * Return it, or 0 if can't get a unique circ_id.
+ */
+STATIC circid_t
+get_unique_circ_id_by_chan(channel_t *chan)
+{
+/* This number is chosen somewhat arbitrarily; see comment below for more
+ * info. When the space is 80% full, it gives a one-in-a-million failure
+ * chance; when the space is 90% full, it gives a one-in-850 chance; and when
+ * the space is 95% full, it gives a one-in-26 failure chance. That seems
+ * okay, though you could make a case IMO for anything between N=32 and
+ * N=256. */
+#define MAX_CIRCID_ATTEMPTS 64
+ int in_use;
+ unsigned n_with_circ = 0, n_pending_destroy = 0, n_weird_pending_destroy = 0;
+ circid_t test_circ_id;
+ circid_t attempts=0;
+ circid_t high_bit, max_range, mask;
+ int64_t pending_destroy_time_total = 0;
+ int64_t pending_destroy_time_max = 0;
+
+ tor_assert(chan);
+
+ if (chan->circ_id_type == CIRC_ID_TYPE_NEITHER) {
+ log_warn(LD_BUG,
+ "Trying to pick a circuit ID for a connection from "
+ "a client with no identity.");
+ return 0;
+ }
+ max_range = (chan->wide_circ_ids) ? (1u<<31) : (1u<<15);
+ mask = max_range - 1;
+ high_bit = (chan->circ_id_type == CIRC_ID_TYPE_HIGHER) ? max_range : 0;
+ do {
+ if (++attempts > MAX_CIRCID_ATTEMPTS) {
+ /* Make sure we don't loop forever because all circuit IDs are used.
+ *
+ * Once, we would try until we had tried every possible circuit ID. But
+ * that's quite expensive. Instead, we try MAX_CIRCID_ATTEMPTS random
+ * circuit IDs, and then give up.
+ *
+ * This potentially causes us to give up early if our circuit ID space
+ * is nearly full. If we have N circuit IDs in use, then we will reject
+ * a new circuit with probability (N / max_range) ^ MAX_CIRCID_ATTEMPTS.
+ * This means that in practice, a few percent of our circuit ID capacity
+ * will go unused.
+ *
+ * The alternative here, though, is to do a linear search over the
+ * whole circuit ID space every time we extend a circuit, which is
+ * not so great either.
+ */
+ int64_t queued_destroys;
+ char *m = rate_limit_log(&chan->last_warned_circ_ids_exhausted,
+ approx_time());
+ if (m == NULL)
+ return 0; /* This message has been rate-limited away. */
+ if (n_pending_destroy)
+ pending_destroy_time_total /= n_pending_destroy;
+ log_warn(LD_CIRC,"No unused circIDs found on channel %s wide "
+ "circID support, with %u inbound and %u outbound circuits. "
+ "Found %u circuit IDs in use by circuits, and %u with "
+ "pending destroy cells. (%u of those were marked bogusly.) "
+ "The ones with pending destroy cells "
+ "have been marked unusable for an average of %ld seconds "
+ "and a maximum of %ld seconds. This channel is %ld seconds "
+ "old. Failing a circuit.%s",
+ chan->wide_circ_ids ? "with" : "without",
+ chan->num_p_circuits, chan->num_n_circuits,
+ n_with_circ, n_pending_destroy, n_weird_pending_destroy,
+ (long)pending_destroy_time_total,
+ (long)pending_destroy_time_max,
+ (long)(approx_time() - chan->timestamp_created),
+ m);
+ tor_free(m);
+
+ if (!chan->cmux) {
+ /* This warning should be impossible. */
+ log_warn(LD_BUG, " This channel somehow has no cmux on it!");
+ return 0;
+ }
+
+ /* analysis so far on 12184 suggests that we're running out of circuit
+ IDs because it looks like we have too many pending destroy
+ cells. Let's see how many we really have pending.
+ */
+ queued_destroys = circuitmux_count_queued_destroy_cells(chan,
+ chan->cmux);
+
+ log_warn(LD_CIRC, " Circuitmux on this channel has %u circuits, "
+ "of which %u are active. It says it has %"PRId64
+ " destroy cells queued.",
+ circuitmux_num_circuits(chan->cmux),
+ circuitmux_num_active_circuits(chan->cmux),
+ (queued_destroys));
+
+ /* Change this into "if (1)" in order to get more information about
+ * possible failure modes here. You'll need to know how to use gdb with
+ * Tor: this will make Tor exit with an assertion failure if the cmux is
+ * corrupt. */
+ if (0)
+ circuitmux_assert_okay(chan->cmux);
+
+ channel_dump_statistics(chan, LOG_WARN);
+
+ return 0;
+ }
+
+ do {
+ crypto_rand((char*) &test_circ_id, sizeof(test_circ_id));
+ test_circ_id &= mask;
+ } while (test_circ_id == 0);
+
+ test_circ_id |= high_bit;
+
+ in_use = circuit_id_in_use_on_channel(test_circ_id, chan);
+ if (in_use == 1)
+ ++n_with_circ;
+ else if (in_use == 2) {
+ time_t since_when;
+ ++n_pending_destroy;
+ since_when =
+ circuit_id_when_marked_unusable_on_channel(test_circ_id, chan);
+ if (since_when) {
+ time_t waiting = approx_time() - since_when;
+ pending_destroy_time_total += waiting;
+ if (waiting > pending_destroy_time_max)
+ pending_destroy_time_max = waiting;
+ } else {
+ ++n_weird_pending_destroy;
+ }
+ }
+ } while (in_use);
+ return test_circ_id;
+}
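/* Illustration, not part of the diff: a quick check of the failure
 * probabilities quoted in the MAX_CIRCID_ATTEMPTS comment above.  With a
 * fraction f of the circuit-ID space in use, all 64 random attempts collide
 * with probability f^64:
 *   0.80^64 ~= 6.3e-7  (about one in 1.6 million)
 *   0.90^64 ~= 1.2e-3  (about one in 850)
 *   0.95^64 ~= 3.7e-2  (about one in 27)
 * A standalone snippet to reproduce the numbers: */
#include <math.h>
#include <stdio.h>

int
main(void)
{
  const double fill[] = { 0.80, 0.90, 0.95 };
  for (int i = 0; i < 3; i++) {
    double p_fail = pow(fill[i], 64);
    printf("fill %.2f -> P(all 64 attempts collide) = %g (1 in %.0f)\n",
           fill[i], p_fail, 1.0 / p_fail);
  }
  return 0;
}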
+
+/** If <b>verbose</b> is false, allocate and return a comma-separated list of
+ * the currently built elements of <b>circ</b>. If <b>verbose</b> is true, also
+ * list information about link status in a more verbose format using spaces.
+ * If <b>verbose_names</b> is false, give nicknames for Named routers and hex
+ * digests for others; if <b>verbose_names</b> is true, use $DIGEST=Name style
+ * names.
+ */
+static char *
+circuit_list_path_impl(origin_circuit_t *circ, int verbose, int verbose_names)
+{
+ crypt_path_t *hop;
+ smartlist_t *elements;
+ const char *states[] = {"closed", "waiting for keys", "open"};
+ char *s;
+
+ elements = smartlist_new();
+
+ if (verbose) {
+ const char *nickname = build_state_get_exit_nickname(circ->build_state);
+ smartlist_add_asprintf(elements, "%s%s circ (length %d%s%s):",
+ circ->build_state->is_internal ? "internal" : "exit",
+ circ->build_state->need_uptime ? " (high-uptime)" : "",
+ circ->build_state->desired_path_len,
+ circ->base_.state == CIRCUIT_STATE_OPEN ? "" : ", last hop ",
+ circ->base_.state == CIRCUIT_STATE_OPEN ? "" :
+ (nickname?nickname:"*unnamed*"));
+ }
+
+ hop = circ->cpath;
+ do {
+ char *elt;
+ const char *id;
+ const node_t *node;
+ if (!hop)
+ break;
+ if (!verbose && hop->state != CPATH_STATE_OPEN)
+ break;
+ if (!hop->extend_info)
+ break;
+ id = hop->extend_info->identity_digest;
+ if (verbose_names) {
+ elt = tor_malloc(MAX_VERBOSE_NICKNAME_LEN+1);
+ if ((node = node_get_by_id(id))) {
+ node_get_verbose_nickname(node, elt);
+ } else if (is_legal_nickname(hop->extend_info->nickname)) {
+ elt[0] = '$';
+ base16_encode(elt+1, HEX_DIGEST_LEN+1, id, DIGEST_LEN);
+ elt[HEX_DIGEST_LEN+1]= '~';
+ strlcpy(elt+HEX_DIGEST_LEN+2,
+ hop->extend_info->nickname, MAX_NICKNAME_LEN+1);
+ } else {
+ elt[0] = '$';
+ base16_encode(elt+1, HEX_DIGEST_LEN+1, id, DIGEST_LEN);
+ }
+ } else { /* ! verbose_names */
+ elt = tor_malloc(HEX_DIGEST_LEN+2);
+ elt[0] = '$';
+ base16_encode(elt+1, HEX_DIGEST_LEN+1, id, DIGEST_LEN);
+ }
+ tor_assert(elt);
+ if (verbose) {
+ tor_assert(hop->state <= 2);
+ smartlist_add_asprintf(elements,"%s(%s)",elt,states[hop->state]);
+ tor_free(elt);
+ } else {
+ smartlist_add(elements, elt);
+ }
+ hop = hop->next;
+ } while (hop != circ->cpath);
+
+ s = smartlist_join_strings(elements, verbose?" ":",", 0, NULL);
+ SMARTLIST_FOREACH(elements, char*, cp, tor_free(cp));
+ smartlist_free(elements);
+ return s;
+}
+
+/** If <b>verbose</b> is false, allocate and return a comma-separated
+ * list of the currently built elements of <b>circ</b>. If
+ * <b>verbose</b> is true, also list information about link status in
+ * a more verbose format using spaces.
+ */
+char *
+circuit_list_path(origin_circuit_t *circ, int verbose)
+{
+ return circuit_list_path_impl(circ, verbose, 0);
+}
+
+/** Allocate and return a comma-separated list of the currently built elements
+ * of <b>circ</b>, giving each as a verbose nickname.
+ */
+char *
+circuit_list_path_for_controller(origin_circuit_t *circ)
+{
+ return circuit_list_path_impl(circ, 0, 1);
+}
+
+/** Log, at severity <b>severity</b>, the nicknames of each router in
+ * <b>circ</b>'s cpath. Also log the length of the cpath, and the intended
+ * exit point.
+ */
+void
+circuit_log_path(int severity, unsigned int domain, origin_circuit_t *circ)
+{
+ char *s = circuit_list_path(circ,1);
+ tor_log(severity,domain,"%s",s);
+ tor_free(s);
+}
+
+/** Return 1 iff every node in circ's cpath definitely supports ntor. */
+static int
+circuit_cpath_supports_ntor(const origin_circuit_t *circ)
+{
+ crypt_path_t *head, *cpath;
+
+ cpath = head = circ->cpath;
+ do {
+ /* if the extend_info is missing, we can't tell if it supports ntor */
+ if (!cpath->extend_info) {
+ return 0;
+ }
+
+ /* if the key is blank, it definitely doesn't support ntor */
+ if (!extend_info_supports_ntor(cpath->extend_info)) {
+ return 0;
+ }
+ cpath = cpath->next;
+ } while (cpath != head);
+
+ return 1;
+}
+
+/** Pick all the entries in our cpath. Stop and return 0 when we're
+ * happy, or return -1 if an error occurs. */
+static int
+onion_populate_cpath(origin_circuit_t *circ)
+{
+ int r = 0;
+
+ /* onion_extend_cpath assumes these are non-NULL */
+ tor_assert(circ);
+ tor_assert(circ->build_state);
+
+ while (r == 0) {
+ r = onion_extend_cpath(circ);
+ if (r < 0) {
+ log_info(LD_CIRC,"Generating cpath hop failed.");
+ return -1;
+ }
+ }
+
+ /* The path is complete */
+ tor_assert(r == 1);
+
+ /* Does every node in this path support ntor? */
+ int path_supports_ntor = circuit_cpath_supports_ntor(circ);
+
+ /* We would like every path to support ntor, but we have to allow for some
+ * edge cases. */
+ tor_assert(circuit_get_cpath_len(circ));
+ if (circuit_can_use_tap(circ)) {
+ /* Circuits from clients to intro points, and hidden services to rend
+ * points do not support ntor, because the hidden service protocol does
+ * not include ntor onion keys. This is also true for Single Onion
+ * Services. */
+ return 0;
+ }
+
+ if (circuit_get_cpath_len(circ) == 1) {
+ /* Allow for bootstrapping: when we're fetching directly from a fallback,
+ * authority, or bridge, we have no way of knowing its ntor onion key
+ * before we connect to it. So instead, we try connecting, and end up using
+ * CREATE_FAST. */
+ tor_assert(circ->cpath);
+ tor_assert(circ->cpath->extend_info);
+ const node_t *node = node_get_by_id(
+ circ->cpath->extend_info->identity_digest);
+ /* If we don't know the node and its descriptor, we must be bootstrapping.
+ */
+ if (!node || !node_has_preferred_descriptor(node, 1)) {
+ return 0;
+ }
+ }
+
+ if (BUG(!path_supports_ntor)) {
+ /* If we're building a multi-hop path, and it's not one of the HS or
+ * bootstrapping exceptions, and it doesn't support ntor, something has
+ * gone wrong. */
+ return -1;
+ }
+
+ return 0;
+}
+
+/** Create and return a new origin circuit. Initialize its purpose and
+ * build-state based on our arguments. The <b>flags</b> argument is a
+ * bitfield of CIRCLAUNCH_* flags. */
+origin_circuit_t *
+origin_circuit_init(uint8_t purpose, int flags)
+{
+ /* sets circ->p_circ_id and circ->p_chan */
+ origin_circuit_t *circ = origin_circuit_new();
+ circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_CHAN_WAIT);
+ circ->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
+ circ->build_state->onehop_tunnel =
+ ((flags & CIRCLAUNCH_ONEHOP_TUNNEL) ? 1 : 0);
+ circ->build_state->need_uptime =
+ ((flags & CIRCLAUNCH_NEED_UPTIME) ? 1 : 0);
+ circ->build_state->need_capacity =
+ ((flags & CIRCLAUNCH_NEED_CAPACITY) ? 1 : 0);
+ circ->build_state->is_internal =
+ ((flags & CIRCLAUNCH_IS_INTERNAL) ? 1 : 0);
+ circ->base_.purpose = purpose;
+ return circ;
+}
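/* Usage sketch (hypothetical caller, not part of the diff): the CIRCLAUNCH_*
 * flags form a bitfield and are OR-ed together, e.g. for a long-lived
 * internal circuit: */
static origin_circuit_t *
example_internal_circuit(void)
{
  return origin_circuit_init(CIRCUIT_PURPOSE_C_GENERAL,
                             CIRCLAUNCH_NEED_UPTIME | CIRCLAUNCH_IS_INTERNAL);
}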
+
+/** Build a new circuit for <b>purpose</b>. If <b>exit</b>
+ * is defined, then use that as your exit router, else choose a suitable
+ * exit node.
+ *
+ * Also launch a connection to the first OR in the chosen path, if
+ * it's not open already.
+ */
+origin_circuit_t *
+circuit_establish_circuit(uint8_t purpose, extend_info_t *exit_ei, int flags)
+{
+ origin_circuit_t *circ;
+ int err_reason = 0;
+ int is_hs_v3_rp_circuit = 0;
+
+ if (flags & CIRCLAUNCH_IS_V3_RP) {
+ is_hs_v3_rp_circuit = 1;
+ }
+
+ circ = origin_circuit_init(purpose, flags);
+
+ if (onion_pick_cpath_exit(circ, exit_ei, is_hs_v3_rp_circuit) < 0 ||
+ onion_populate_cpath(circ) < 0) {
+ circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_NOPATH);
+ return NULL;
+ }
+
+ control_event_circuit_status(circ, CIRC_EVENT_LAUNCHED, 0);
+
+ if ((err_reason = circuit_handle_first_hop(circ)) < 0) {
+ circuit_mark_for_close(TO_CIRCUIT(circ), -err_reason);
+ return NULL;
+ }
+ return circ;
+}
+
+/** Return the guard state associated with <b>circ</b>, which may be NULL. */
+circuit_guard_state_t *
+origin_circuit_get_guard_state(origin_circuit_t *circ)
+{
+ return circ->guard_state;
+}
+
+/** Start establishing the first hop of our circuit. Figure out what
+ * OR we should connect to, and if necessary start the connection to
+ * it. If we're already connected, then send the 'create' cell.
+ * Return 0 for ok, -reason if circ should be marked-for-close. */
+int
+circuit_handle_first_hop(origin_circuit_t *circ)
+{
+ crypt_path_t *firsthop;
+ channel_t *n_chan;
+ int err_reason = 0;
+ const char *msg = NULL;
+ int should_launch = 0;
+ const or_options_t *options = get_options();
+
+ firsthop = onion_next_hop_in_cpath(circ->cpath);
+ tor_assert(firsthop);
+ tor_assert(firsthop->extend_info);
+
+ /* Some bridges are on private addresses. Others pass a dummy private
+ * address to the pluggable transport, which ignores it.
+ * Deny the connection if:
+ * - the address is internal, and
+ * - we're not connecting to a configured bridge, and
+ * - we're not configured to allow extends to private addresses. */
+ if (tor_addr_is_internal(&firsthop->extend_info->addr, 0) &&
+ !extend_info_is_a_configured_bridge(firsthop->extend_info) &&
+ !options->ExtendAllowPrivateAddresses) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Client asked me to connect directly to a private address");
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+
+ /* now see if we're already connected to the first OR in 'route' */
+ log_debug(LD_CIRC,"Looking for firsthop '%s'",
+ fmt_addrport(&firsthop->extend_info->addr,
+ firsthop->extend_info->port));
+
+ n_chan = channel_get_for_extend(firsthop->extend_info->identity_digest,
+ &firsthop->extend_info->ed_identity,
+ &firsthop->extend_info->addr,
+ &msg,
+ &should_launch);
+
+ if (!n_chan) {
+ /* not currently connected in a useful way. */
+ log_info(LD_CIRC, "Next router is %s: %s",
+ safe_str_client(extend_info_describe(firsthop->extend_info)),
+ msg?msg:"???");
+ circ->base_.n_hop = extend_info_dup(firsthop->extend_info);
+
+ if (should_launch) {
+ if (circ->build_state->onehop_tunnel)
+ control_event_bootstrap(BOOTSTRAP_STATUS_CONN_DIR, 0);
+ n_chan = channel_connect_for_circuit(
+ &firsthop->extend_info->addr,
+ firsthop->extend_info->port,
+ firsthop->extend_info->identity_digest,
+ &firsthop->extend_info->ed_identity);
+ if (!n_chan) { /* connect failed, forget the whole thing */
+ log_info(LD_CIRC,"connect to firsthop failed. Closing.");
+ return -END_CIRC_REASON_CONNECTFAILED;
+ }
+ }
+
+ log_debug(LD_CIRC,"connecting in progress (or finished). Good.");
+ /* return success. The onion/circuit/etc will be taken care of
+ * automatically (may already have been) whenever n_chan reaches
+ * OR_CONN_STATE_OPEN.
+ */
+ return 0;
+ } else { /* it's already open. use it. */
+ tor_assert(!circ->base_.n_hop);
+ circ->base_.n_chan = n_chan;
+ log_debug(LD_CIRC,"Conn open. Delivering first onion skin.");
+ if ((err_reason = circuit_send_next_onion_skin(circ)) < 0) {
+ log_info(LD_CIRC,"circuit_send_next_onion_skin failed.");
+ circ->base_.n_chan = NULL;
+ return err_reason;
+ }
+ }
+ return 0;
+}
+
+/** Find any circuits that are waiting on <b>or_conn</b> to become
+ * open and get them to send their create cells forward.
+ *
+ * Status is 1 if connect succeeded, or 0 if connect failed.
+ *
+ * Close_origin_circuits is 1 if we should close all the origin circuits
+ * through this channel, or 0 otherwise. (This happens when we want to retry
+ * an older guard.)
+ */
+void
+circuit_n_chan_done(channel_t *chan, int status, int close_origin_circuits)
+{
+ smartlist_t *pending_circs;
+ int err_reason = 0;
+
+ tor_assert(chan);
+
+ log_debug(LD_CIRC,"chan to %s, status=%d",
+ channel_get_canonical_remote_descr(chan), status);
+
+ pending_circs = smartlist_new();
+ circuit_get_all_pending_on_channel(pending_circs, chan);
+
+ SMARTLIST_FOREACH_BEGIN(pending_circs, circuit_t *, circ)
+ {
+ /* These checks are redundant wrt get_all_pending_on_or_conn, but I'm
+ * leaving them in in case it's possible for the status of a circuit to
+ * change as we're going down the list. */
+ if (circ->marked_for_close || circ->n_chan || !circ->n_hop ||
+ circ->state != CIRCUIT_STATE_CHAN_WAIT)
+ continue;
+
+ if (tor_digest_is_zero(circ->n_hop->identity_digest)) {
+ /* Look at addr/port. This is an unkeyed connection. */
+ if (!channel_matches_extend_info(chan, circ->n_hop))
+ continue;
+ } else {
+ /* We expected a key. See if it's the right one. */
+ if (tor_memneq(chan->identity_digest,
+ circ->n_hop->identity_digest, DIGEST_LEN))
+ continue;
+ }
+ if (!status) { /* chan failed; close circ */
+ log_info(LD_CIRC,"Channel failed; closing circ.");
+ circuit_mark_for_close(circ, END_CIRC_REASON_CHANNEL_CLOSED);
+ continue;
+ }
+ if (close_origin_circuits && CIRCUIT_IS_ORIGIN(circ)) {
+ log_info(LD_CIRC,"Channel deprecated for origin circs; closing circ.");
+ circuit_mark_for_close(circ, END_CIRC_REASON_CHANNEL_CLOSED);
+ continue;
+ }
+ log_debug(LD_CIRC, "Found circ, sending create cell.");
+ /* circuit_deliver_create_cell will set n_circ_id and add us to
+ * chan_circuid_circuit_map, so we don't need to call
+ * set_circid_chan here. */
+ circ->n_chan = chan;
+ extend_info_free(circ->n_hop);
+ circ->n_hop = NULL;
+
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ if ((err_reason =
+ circuit_send_next_onion_skin(TO_ORIGIN_CIRCUIT(circ))) < 0) {
+ log_info(LD_CIRC,
+ "send_next_onion_skin failed; circuit marked for closing.");
+ circuit_mark_for_close(circ, -err_reason);
+ continue;
+ /* XXX could this be bad, eg if next_onion_skin failed because conn
+ * died? */
+ }
+ } else {
+ /* pull the create cell out of circ->n_chan_create_cell, and send it */
+ tor_assert(circ->n_chan_create_cell);
+ if (circuit_deliver_create_cell(circ, circ->n_chan_create_cell, 1)<0) {
+ circuit_mark_for_close(circ, END_CIRC_REASON_RESOURCELIMIT);
+ continue;
+ }
+ tor_free(circ->n_chan_create_cell);
+ circuit_set_state(circ, CIRCUIT_STATE_OPEN);
+ }
+ }
+ SMARTLIST_FOREACH_END(circ);
+
+ smartlist_free(pending_circs);
+}
+
+/** Find a new circid that isn't currently in use on the circ->n_chan
+ * for the outgoing
+ * circuit <b>circ</b>, and deliver the cell <b>create_cell</b> to this
+ * circuit. If <b>relayed</b> is true, this is a create cell somebody
+ * gave us via an EXTEND cell, so we shouldn't worry if we don't understand
+ * it. Return -1 if we failed to find a suitable circid, else return 0.
+ */
+static int
+circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell,
+ int relayed)
+{
+ cell_t cell;
+ circid_t id;
+ int r;
+
+ tor_assert(circ);
+ tor_assert(circ->n_chan);
+ tor_assert(create_cell);
+ tor_assert(create_cell->cell_type == CELL_CREATE ||
+ create_cell->cell_type == CELL_CREATE_FAST ||
+ create_cell->cell_type == CELL_CREATE2);
+
+ id = get_unique_circ_id_by_chan(circ->n_chan);
+ if (!id) {
+ static ratelim_t circid_warning_limit = RATELIM_INIT(9600);
+ log_fn_ratelim(&circid_warning_limit, LOG_WARN, LD_CIRC,
+ "failed to get unique circID.");
+ goto error;
+ }
+
+ memset(&cell, 0, sizeof(cell_t));
+ r = relayed ? create_cell_format_relayed(&cell, create_cell)
+ : create_cell_format(&cell, create_cell);
+ if (r < 0) {
+ log_warn(LD_CIRC,"Couldn't format create cell");
+ goto error;
+ }
+ log_debug(LD_CIRC,"Chosen circID %u.", (unsigned)id);
+ circuit_set_n_circid_chan(circ, id, circ->n_chan);
+ cell.circ_id = circ->n_circ_id;
+
+ append_cell_to_circuit_queue(circ, circ->n_chan, &cell,
+ CELL_DIRECTION_OUT, 0);
+
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ /* Update began timestamp for circuits starting their first hop */
+ if (TO_ORIGIN_CIRCUIT(circ)->cpath->state == CPATH_STATE_CLOSED) {
+ if (!CHANNEL_IS_OPEN(circ->n_chan)) {
+ log_warn(LD_CIRC,
+ "Got first hop for a circuit without an opened channel. "
+ "State: %s.", channel_state_to_string(circ->n_chan->state));
+ tor_fragile_assert();
+ }
+
+ tor_gettimeofday(&circ->timestamp_began);
+ }
+
+ /* mark it so it gets better rate limiting treatment. */
+ channel_timestamp_client(circ->n_chan);
+ }
+
+ return 0;
+ error:
+ circ->n_chan = NULL;
+ return -1;
+}
+
+/** We've decided to start our reachability testing. If all
+ * is set, log this to the user. Return 1 if we did, or 0 if
+ * we chose not to log anything. */
+int
+inform_testing_reachability(void)
+{
+ char dirbuf[128];
+ char *address;
+ const routerinfo_t *me = router_get_my_routerinfo();
+ if (!me)
+ return 0;
+ address = tor_dup_ip(me->addr);
+ control_event_server_status(LOG_NOTICE,
+ "CHECKING_REACHABILITY ORADDRESS=%s:%d",
+ address, me->or_port);
+ if (me->dir_port) {
+ tor_snprintf(dirbuf, sizeof(dirbuf), " and DirPort %s:%d",
+ address, me->dir_port);
+ control_event_server_status(LOG_NOTICE,
+ "CHECKING_REACHABILITY DIRADDRESS=%s:%d",
+ address, me->dir_port);
+ }
+ log_notice(LD_OR, "Now checking whether ORPort %s:%d%s %s reachable... "
+ "(this may take up to %d minutes -- look for log "
+ "messages indicating success)",
+ address, me->or_port,
+ me->dir_port ? dirbuf : "",
+ me->dir_port ? "are" : "is",
+ TIMEOUT_UNTIL_UNREACHABILITY_COMPLAINT/60);
+
+ tor_free(address);
+ return 1;
+}
+
+/** Return true iff we should send a create_fast cell to start building a given
+ * circuit */
+static inline int
+should_use_create_fast_for_circuit(origin_circuit_t *circ)
+{
+ const or_options_t *options = get_options();
+ tor_assert(circ->cpath);
+ tor_assert(circ->cpath->extend_info);
+
+ if (!circuit_has_usable_onion_key(circ)) {
+ /* We don't have ntor, and we don't have or can't use TAP,
+ * so our hand is forced: only a create_fast will work. */
+ return 1;
+ }
+ if (public_server_mode(options)) {
+ /* We're a server, and we have a usable onion key. We can choose.
+ * Prefer to blend our circuit into the other circuits we are
+ * creating on behalf of others. */
+ return 0;
+ }
+ return networkstatus_get_param(NULL, "usecreatefast", 0, 0, 1);
+}
+
+/**
+ * Return true if <b>circ</b> is the type of circuit we want to count
+ * timeouts from.
+ *
+ * In particular, we want to consider any circuit that plans to build
+ * at least 3 hops (but maybe more), but has 3 or fewer hops built
+ * so far.
+ *
+ * We still want to consider circuits before 3 hops, because we need
+ * to decide if we should convert them to a measurement circuit in
+ * circuit_build_times_handle_completed_hop(), rather than letting
+ * slow circuits get killed right away.
+ */
+int
+circuit_timeout_want_to_count_circ(const origin_circuit_t *circ)
+{
+ return !circ->has_opened
+ && circ->build_state->desired_path_len >= DEFAULT_ROUTE_LEN
+ && circuit_get_cpath_opened_len(circ) <= DEFAULT_ROUTE_LEN;
+}
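/* Illustration (assumes DEFAULT_ROUTE_LEN == 3; hypothetical helper, not part
 * of the diff): the predicate above reduces to the following, so for example
 *   (has_opened=0, desired=3, opened=1) -> counted
 *   (has_opened=0, desired=4, opened=3) -> counted
 *   (has_opened=0, desired=4, opened=4) -> not counted
 *   (has_opened=0, desired=1, opened=1) -> not counted */
static int
example_want_to_count(int has_opened, int desired_len, int opened_len)
{
  return !has_opened && desired_len >= 3 && opened_len <= 3;
}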
+
+/** Decide whether to use a TAP or ntor handshake for connecting to <b>ei</b>
+ * directly, and set *<b>cell_type_out</b> and *<b>handshake_type_out</b>
+ * accordingly.
+ * Note that TAP handshakes in CREATE cells are only used for direct
+ * connections:
+ * - from Single Onions to rend points not in the service's consensus.
+ * This is checked in onion_populate_cpath. */
+static void
+circuit_pick_create_handshake(uint8_t *cell_type_out,
+ uint16_t *handshake_type_out,
+ const extend_info_t *ei)
+{
+ /* torspec says: In general, clients SHOULD use CREATE whenever they are
+ * using the TAP handshake, and CREATE2 otherwise. */
+ if (extend_info_supports_ntor(ei)) {
+ *cell_type_out = CELL_CREATE2;
+ *handshake_type_out = ONION_HANDSHAKE_TYPE_NTOR;
+ } else {
+ /* XXXX030 Remove support for deciding to use TAP and EXTEND. */
+ *cell_type_out = CELL_CREATE;
+ *handshake_type_out = ONION_HANDSHAKE_TYPE_TAP;
+ }
+}
+
+/** Decide whether to use a TAP or ntor handshake for extending to <b>ei</b>
+ * and set *<b>handshake_type_out</b> accordingly. Decide whether we should
+ * use an EXTEND2 or an EXTEND cell to do so, and set *<b>cell_type_out</b>
+ * and *<b>create_cell_type_out</b> accordingly.
+ * Note that TAP handshakes in EXTEND cells are only used:
+ * - from clients to intro points, and
+ * - from hidden services to rend points.
+ * This is checked in onion_populate_cpath.
+ */
+static void
+circuit_pick_extend_handshake(uint8_t *cell_type_out,
+ uint8_t *create_cell_type_out,
+ uint16_t *handshake_type_out,
+ const extend_info_t *ei)
+{
+ uint8_t t;
+ circuit_pick_create_handshake(&t, handshake_type_out, ei);
+
+ /* torspec says: Clients SHOULD use the EXTEND format whenever sending a TAP
+ * handshake... In other cases, clients SHOULD use EXTEND2. */
+ if (*handshake_type_out != ONION_HANDSHAKE_TYPE_TAP) {
+ *cell_type_out = RELAY_COMMAND_EXTEND2;
+ *create_cell_type_out = CELL_CREATE2;
+ } else {
+ /* XXXX030 Remove support for deciding to use TAP and EXTEND. */
+ *cell_type_out = RELAY_COMMAND_EXTEND;
+ *create_cell_type_out = CELL_CREATE;
+ }
+}
+
+/**
+ * Return true iff <b>purpose</b> is a purpose for a circuit which is
+ * allowed to have no guard configured, even if the circuit is multihop
+ * and guards are enabled.
+ */
+static int
+circuit_purpose_may_omit_guard(int purpose)
+{
+ switch (purpose) {
+ case CIRCUIT_PURPOSE_TESTING:
+ case CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT:
+ /* Testing circuits may omit guards because they're measuring
+ * liveness or performance, and don't want guards to interfere. */
+ return 1;
+ default:
+ /* All other multihop circuits should use guards if guards are
+ * enabled. */
+ return 0;
+ }
+}
+
+/** This is the backbone function for building circuits.
+ *
+ * If circ's first hop is closed, then we need to build a create
+ * cell and send it forward.
+ *
+ * Otherwise, if circ's cpath still has any non-open hops, we need to
+ * build a relay extend cell and send it forward to the next non-open hop.
+ *
+ * If all hops on the cpath are open, we're done building the circuit
+ * and we should do housekeeping for the newly opened circuit.
+ *
+ * Return -reason if we want to tear down circ, else return 0.
+ */
+int
+circuit_send_next_onion_skin(origin_circuit_t *circ)
+{
+ tor_assert(circ);
+
+ if (circ->cpath->state == CPATH_STATE_CLOSED) {
+ /* Case one: we're on the first hop. */
+ return circuit_send_first_onion_skin(circ);
+ }
+
+ tor_assert(circ->cpath->state == CPATH_STATE_OPEN);
+ tor_assert(circ->base_.state == CIRCUIT_STATE_BUILDING);
+
+ crypt_path_t *hop = onion_next_hop_in_cpath(circ->cpath);
+ circuit_build_times_handle_completed_hop(circ);
+
+ if (hop) {
+ /* Case two: we're on a hop after the first. */
+ return circuit_send_intermediate_onion_skin(circ, hop);
+ }
+
+ /* Case three: the circuit is finished. Do housekeeping tasks on it. */
+ return circuit_build_no_more_hops(circ);
+}
+
+/**
+ * Called from circuit_send_next_onion_skin() when we find ourselves connected
+ * to the first hop in <b>circ</b>: Send a CREATE or CREATE2 or CREATE_FAST
+ * cell to that hop. Return 0 on success; -reason on failure (if the circuit
+ * should be torn down).
+ */
+static int
+circuit_send_first_onion_skin(origin_circuit_t *circ)
+{
+ int fast;
+ int len;
+ const node_t *node;
+ create_cell_t cc;
+ memset(&cc, 0, sizeof(cc));
+
+ log_debug(LD_CIRC,"First skin; sending create cell.");
+
+ if (circ->build_state->onehop_tunnel) {
+ control_event_bootstrap(BOOTSTRAP_STATUS_ONEHOP_CREATE, 0);
+ } else {
+ control_event_bootstrap(BOOTSTRAP_STATUS_CIRCUIT_CREATE, 0);
+
+ /* If this is not a one-hop tunnel, the channel is being used
+ * for traffic that wants anonymity and protection from traffic
+ * analysis (such as netflow record retention). That means we want
+ * to pad it.
+ */
+ if (circ->base_.n_chan->channel_usage < CHANNEL_USED_FOR_FULL_CIRCS)
+ circ->base_.n_chan->channel_usage = CHANNEL_USED_FOR_FULL_CIRCS;
+ }
+
+ node = node_get_by_id(circ->base_.n_chan->identity_digest);
+ fast = should_use_create_fast_for_circuit(circ);
+ if (!fast) {
+ /* We know the right onion key: we should send a create cell. */
+ circuit_pick_create_handshake(&cc.cell_type, &cc.handshake_type,
+ circ->cpath->extend_info);
+ } else {
+ /* We don't know an onion key, so we need to fall back to CREATE_FAST. */
+ cc.cell_type = CELL_CREATE_FAST;
+ cc.handshake_type = ONION_HANDSHAKE_TYPE_FAST;
+ }
+
+ len = onion_skin_create(cc.handshake_type,
+ circ->cpath->extend_info,
+ &circ->cpath->handshake_state,
+ cc.onionskin);
+ if (len < 0) {
+ log_warn(LD_CIRC,"onion_skin_create (first hop) failed.");
+ return - END_CIRC_REASON_INTERNAL;
+ }
+ cc.handshake_len = len;
+
+ if (circuit_deliver_create_cell(TO_CIRCUIT(circ), &cc, 0) < 0)
+ return - END_CIRC_REASON_RESOURCELIMIT;
+
+ circ->cpath->state = CPATH_STATE_AWAITING_KEYS;
+ circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_BUILDING);
+ log_info(LD_CIRC,"First hop: finished sending %s cell to '%s'",
+ fast ? "CREATE_FAST" : "CREATE",
+ node ? node_describe(node) : "<unnamed>");
+ return 0;
+}
+
+/**
+ * Called from circuit_send_next_onion_skin() when we find that we have no
+ * more hops: mark the circuit as finished, and perform the necessary
+ * bookkeeping. Return 0 on success; -reason on failure (if the circuit
+ * should be torn down).
+ */
+static int
+circuit_build_no_more_hops(origin_circuit_t *circ)
+{
+ guard_usable_t r;
+ if (! circ->guard_state) {
+ if (circuit_get_cpath_len(circ) != 1 &&
+ ! circuit_purpose_may_omit_guard(circ->base_.purpose) &&
+ get_options()->UseEntryGuards) {
+ log_warn(LD_BUG, "%d-hop circuit %p with purpose %d has no "
+ "guard state",
+ circuit_get_cpath_len(circ), circ, circ->base_.purpose);
+ }
+ r = GUARD_USABLE_NOW;
+ } else {
+ r = entry_guard_succeeded(&circ->guard_state);
+ }
+ const int is_usable_for_streams = (r == GUARD_USABLE_NOW);
+ if (r == GUARD_USABLE_NOW) {
+ circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_OPEN);
+ } else if (r == GUARD_MAYBE_USABLE_LATER) {
+ // Wait till either a better guard succeeds, or till
+ // all better guards fail.
+ circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_GUARD_WAIT);
+ } else {
+ tor_assert_nonfatal(r == GUARD_USABLE_NEVER);
+ return - END_CIRC_REASON_INTERNAL;
+ }
+
+ /* XXXX #21422 -- the rest of this branch needs careful thought!
+ * Some of the things here need to happen when a circuit becomes
+ * mechanically open; some need to happen when it is actually usable.
+ * I think I got them right, but more checking would be wise. -NM
+ */
+
+ log_info(LD_CIRC,"circuit built!");
+ circuit_reset_failure_count(0);
+
+ if (circ->build_state->onehop_tunnel || circ->has_opened) {
+ control_event_bootstrap(BOOTSTRAP_STATUS_REQUESTING_STATUS, 0);
+ }
+
+ pathbias_count_build_success(circ);
+ if (is_usable_for_streams)
+ circuit_has_opened(circ); /* do other actions as necessary */
+
+ if (!have_completed_a_circuit() && !circ->build_state->onehop_tunnel) {
+ const or_options_t *options = get_options();
+ note_that_we_completed_a_circuit();
+ /* FFFF Log a count of known routers here */
+ log_notice(LD_GENERAL,
+ "Tor has successfully opened a circuit. "
+ "Looks like client functionality is working.");
+ if (control_event_bootstrap(BOOTSTRAP_STATUS_DONE, 0) == 0) {
+ log_notice(LD_GENERAL,
+ "Tor has successfully opened a circuit. "
+ "Looks like client functionality is working.");
+ }
+ control_event_client_status(LOG_NOTICE, "CIRCUIT_ESTABLISHED");
+ clear_broken_connection_map(1);
+ if (server_mode(options) && !check_whether_orport_reachable(options)) {
+ inform_testing_reachability();
+ router_do_reachability_checks(1, 1);
+ }
+ }
+
+ /* We're done with measurement circuits here. Just close them */
+ if (circ->base_.purpose == CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
+ circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_FINISHED);
+ }
+ return 0;
+}
+
+/**
+ * Called from circuit_send_next_onion_skin() when we find that we have a hop
+ * other than the first that we need to extend to: use <b>hop</b>'s
+ * information to extend the circuit another step. Return 0 on success;
+ * -reason on failure (if the circuit should be torn down).
+ */
+static int
+circuit_send_intermediate_onion_skin(origin_circuit_t *circ,
+ crypt_path_t *hop)
+{
+ int len;
+ extend_cell_t ec;
+ memset(&ec, 0, sizeof(ec));
+
+ log_debug(LD_CIRC,"starting to send subsequent skin.");
+
+ if (tor_addr_family(&hop->extend_info->addr) != AF_INET) {
+ log_warn(LD_BUG, "Trying to extend to a non-IPv4 address.");
+ return - END_CIRC_REASON_INTERNAL;
+ }
+
+ circuit_pick_extend_handshake(&ec.cell_type,
+ &ec.create_cell.cell_type,
+ &ec.create_cell.handshake_type,
+ hop->extend_info);
+
+ tor_addr_copy(&ec.orport_ipv4.addr, &hop->extend_info->addr);
+ ec.orport_ipv4.port = hop->extend_info->port;
+ tor_addr_make_unspec(&ec.orport_ipv6.addr);
+ memcpy(ec.node_id, hop->extend_info->identity_digest, DIGEST_LEN);
+ /* Set the ED25519 identity too -- it will only get included
+ * in the extend2 cell if we're configured to use it, though. */
+ ed25519_pubkey_copy(&ec.ed_pubkey, &hop->extend_info->ed_identity);
+
+ len = onion_skin_create(ec.create_cell.handshake_type,
+ hop->extend_info,
+ &hop->handshake_state,
+ ec.create_cell.onionskin);
+ if (len < 0) {
+ log_warn(LD_CIRC,"onion_skin_create failed.");
+ return - END_CIRC_REASON_INTERNAL;
+ }
+ ec.create_cell.handshake_len = len;
+
+ log_info(LD_CIRC,"Sending extend relay cell.");
+ {
+ uint8_t command = 0;
+ uint16_t payload_len=0;
+ uint8_t payload[RELAY_PAYLOAD_SIZE];
+ if (extend_cell_format(&command, &payload_len, payload, &ec)<0) {
+ log_warn(LD_CIRC,"Couldn't format extend cell");
+ return -END_CIRC_REASON_INTERNAL;
+ }
+
+ /* send it to hop->prev, because that relay will transfer
+ * it to a create cell and then send to hop */
+ if (relay_send_command_from_edge(0, TO_CIRCUIT(circ),
+ command,
+ (char*)payload, payload_len,
+ hop->prev) < 0)
+ return 0; /* circuit is closed */
+ }
+ hop->state = CPATH_STATE_AWAITING_KEYS;
+ return 0;
+}
+
+/** Our clock just jumped by <b>seconds_elapsed</b>. If <b>was_idle</b> is
+ * true, then the monotonic time matches; otherwise it doesn't. Assume
+ * something has also gone wrong with our network: notify the user, and
+ * abandon all not-yet-used circuits. */
+void
+circuit_note_clock_jumped(int64_t seconds_elapsed, bool was_idle)
+{
+ int severity = server_mode(get_options()) ? LOG_WARN : LOG_NOTICE;
+ if (was_idle) {
+ tor_log(severity, LD_GENERAL, "Tor has been idle for %"PRId64
+ " seconds; assuming established circuits no longer work.",
+ (seconds_elapsed));
+ } else {
+ tor_log(severity, LD_GENERAL,
+ "Your system clock just jumped %"PRId64" seconds %s; "
+ "assuming established circuits no longer work.",
+ (
+ seconds_elapsed >=0 ? seconds_elapsed : -seconds_elapsed),
+ seconds_elapsed >=0 ? "forward" : "backward");
+ }
+ control_event_general_status(LOG_WARN, "CLOCK_JUMPED TIME=%"PRId64
+ " IDLE=%d",
+ (seconds_elapsed), was_idle?1:0);
+ /* so we log when it works again */
+ note_that_we_maybe_cant_complete_circuits();
+ control_event_client_status(severity, "CIRCUIT_NOT_ESTABLISHED REASON=%s",
+ "CLOCK_JUMPED");
+ circuit_mark_all_unused_circs();
+ circuit_mark_all_dirty_circs_as_unusable();
+ if (seconds_elapsed < 0) {
+ /* Restart all the timers in case we jumped a long way into the past. */
+ reset_all_main_loop_timers();
+ }
+}
+
+/** Take the 'extend' <b>cell</b>, pull out addr/port plus the onion
+ * skin and identity digest for the next hop. If we're already connected,
+ * pass the onion skin to the next hop using a create cell; otherwise
+ * launch a new OR connection, and <b>circ</b> will notice when the
+ * connection succeeds or fails.
+ *
+ * Return -1 if we want to warn and tear down the circuit, else return 0.
+ */
+int
+circuit_extend(cell_t *cell, circuit_t *circ)
+{
+ channel_t *n_chan;
+ relay_header_t rh;
+ extend_cell_t ec;
+ const char *msg = NULL;
+ int should_launch = 0;
+
+ if (circ->n_chan) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "n_chan already set. Bug/attack. Closing.");
+ return -1;
+ }
+ if (circ->n_hop) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "conn to next hop already launched. Bug/attack. Closing.");
+ return -1;
+ }
+
+ if (!server_mode(get_options())) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Got an extend cell, but running as a client. Closing.");
+ return -1;
+ }
+
+ relay_header_unpack(&rh, cell->payload);
+
+ if (extend_cell_parse(&ec, rh.command,
+ cell->payload+RELAY_HEADER_SIZE,
+ rh.length) < 0) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Can't parse extend cell. Closing circuit.");
+ return -1;
+ }
+
+ if (!ec.orport_ipv4.port || tor_addr_is_null(&ec.orport_ipv4.addr)) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Client asked me to extend to zero destination port or addr.");
+ return -1;
+ }
+
+ if (tor_addr_is_internal(&ec.orport_ipv4.addr, 0) &&
+ !get_options()->ExtendAllowPrivateAddresses) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Client asked me to extend to a private address");
+ return -1;
+ }
+
+ /* Check if they asked us for 0000..0000. We support using
+ * an empty fingerprint for the first hop (e.g. for a bridge relay),
+ * but we don't want to let clients send us extend cells for empty
+ * fingerprints -- a) because it opens the user up to a mitm attack,
+ * and b) because it lets an attacker force the relay to hold open a
+ * new TLS connection for each extend request. */
+ if (tor_digest_is_zero((const char*)ec.node_id)) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Client asked me to extend without specifying an id_digest.");
+ return -1;
+ }
+
+ /* Fill in ed_pubkey if it was not provided and we can infer it from
+ * our networkstatus */
+ if (ed25519_public_key_is_zero(&ec.ed_pubkey)) {
+ const node_t *node = node_get_by_id((const char*)ec.node_id);
+ const ed25519_public_key_t *node_ed_id = NULL;
+ if (node &&
+ node_supports_ed25519_link_authentication(node, 1) &&
+ (node_ed_id = node_get_ed25519_id(node))) {
+ ed25519_pubkey_copy(&ec.ed_pubkey, node_ed_id);
+ }
+ }
+
+ /* Next, check if we're being asked to connect to the hop that the
+ * extend cell came from. There isn't any reason for that, and it can
+ * assist circular-path attacks. */
+ if (tor_memeq(ec.node_id,
+ TO_OR_CIRCUIT(circ)->p_chan->identity_digest,
+ DIGEST_LEN)) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Client asked me to extend back to the previous hop.");
+ return -1;
+ }
+
+ /* Check the previous hop Ed25519 ID too */
+ if (! ed25519_public_key_is_zero(&ec.ed_pubkey) &&
+ ed25519_pubkey_eq(&ec.ed_pubkey,
+ &TO_OR_CIRCUIT(circ)->p_chan->ed25519_identity)) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Client asked me to extend back to the previous hop "
+ "(by Ed25519 ID).");
+ return -1;
+ }
+
+ n_chan = channel_get_for_extend((const char*)ec.node_id,
+ &ec.ed_pubkey,
+ &ec.orport_ipv4.addr,
+ &msg,
+ &should_launch);
+
+ if (!n_chan) {
+ log_debug(LD_CIRC|LD_OR,"Next router (%s): %s",
+ fmt_addrport(&ec.orport_ipv4.addr,ec.orport_ipv4.port),
+ msg?msg:"????");
+
+ circ->n_hop = extend_info_new(NULL /*nickname*/,
+ (const char*)ec.node_id,
+ &ec.ed_pubkey,
+ NULL, /*onion_key*/
+ NULL, /*curve25519_key*/
+ &ec.orport_ipv4.addr,
+ ec.orport_ipv4.port);
+
+ circ->n_chan_create_cell = tor_memdup(&ec.create_cell,
+ sizeof(ec.create_cell));
+
+ circuit_set_state(circ, CIRCUIT_STATE_CHAN_WAIT);
+
+ if (should_launch) {
+ /* we should try to open a connection */
+ n_chan = channel_connect_for_circuit(&ec.orport_ipv4.addr,
+ ec.orport_ipv4.port,
+ (const char*)ec.node_id,
+ &ec.ed_pubkey);
+ if (!n_chan) {
+ log_info(LD_CIRC,"Launching n_chan failed. Closing circuit.");
+ circuit_mark_for_close(circ, END_CIRC_REASON_CONNECTFAILED);
+ return 0;
+ }
+ log_debug(LD_CIRC,"connecting in progress (or finished). Good.");
+ }
+ /* return success. The onion/circuit/etc will be taken care of
+ * automatically (may already have been) whenever n_chan reaches
+ * OR_CONN_STATE_OPEN.
+ */
+ return 0;
+ }
+
+ tor_assert(!circ->n_hop); /* Connection is already established. */
+ circ->n_chan = n_chan;
+ log_debug(LD_CIRC,
+ "n_chan is %s",
+ channel_get_canonical_remote_descr(n_chan));
+
+ if (circuit_deliver_create_cell(circ, &ec.create_cell, 1) < 0)
+ return -1;
+
+ return 0;
+}
+
+/** Initialize cpath-\>{f|b}_{crypto|digest} from the key material in key_data.
+ *
+ * If <b>is_hs_v3</b> is set, this cpath will be used for next gen hidden
+ * service circuits and <b>key_data</b> must be at least
+ * HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN bytes in length.
+ *
+ * If <b>is_hs_v3</b> is not set, key_data must contain CPATH_KEY_MATERIAL_LEN
+ * bytes, which are used as follows:
+ * - 20 to initialize f_digest
+ * - 20 to initialize b_digest
+ * - 16 to key f_crypto
+ * - 16 to key b_crypto
+ *
+ * (If 'reverse' is true, then f_XX and b_XX are swapped.)
+ *
+ * Return 0 if init was successful, else -1 if it failed.
+ */
+int
+circuit_init_cpath_crypto(crypt_path_t *cpath,
+ const char *key_data, size_t key_data_len,
+ int reverse, int is_hs_v3)
+{
+
+ tor_assert(cpath);
+ return relay_crypto_init(&cpath->crypto, key_data, key_data_len, reverse,
+ is_hs_v3);
+}
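/* Illustration (assumed offsets, not part of the diff): the 20/20/16/16
 * layout described above for the non-hs, non-reverse case, where
 * CPATH_KEY_MATERIAL_LEN = 20 + 20 + 16 + 16 = 72 bytes. */
static void
example_split_key_material(const char *key_data,
                           const char **f_digest_seed,
                           const char **b_digest_seed,
                           const char **f_cipher_key,
                           const char **b_cipher_key)
{
  *f_digest_seed = key_data;        /* bytes  0..19: forward digest seed  */
  *b_digest_seed = key_data + 20;   /* bytes 20..39: backward digest seed */
  *f_cipher_key  = key_data + 40;   /* bytes 40..55: forward cipher key   */
  *b_cipher_key  = key_data + 56;   /* bytes 56..71: backward cipher key  */
}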
+
+/** A "created" cell <b>reply</b> came back to us on circuit <b>circ</b>.
+ * (The body of <b>reply</b> varies depending on what sort of handshake
+ * this is.)
+ *
+ * Calculate the appropriate keys and digests, make sure KH is
+ * correct, and initialize this hop of the cpath.
+ *
+ * Return - reason if we want to mark circ for close, else return 0.
+ */
+int
+circuit_finish_handshake(origin_circuit_t *circ,
+ const created_cell_t *reply)
+{
+ char keys[CPATH_KEY_MATERIAL_LEN];
+ crypt_path_t *hop;
+ int rv;
+
+ if ((rv = pathbias_count_build_attempt(circ)) < 0) {
+ log_warn(LD_CIRC, "pathbias_count_build_attempt failed: %d", rv);
+ return rv;
+ }
+
+ if (circ->cpath->state == CPATH_STATE_AWAITING_KEYS) {
+ hop = circ->cpath;
+ } else {
+ hop = onion_next_hop_in_cpath(circ->cpath);
+ if (!hop) { /* got an extended when we're all done? */
+ log_warn(LD_PROTOCOL,"got extended when circ already built? Closing.");
+ return - END_CIRC_REASON_TORPROTOCOL;
+ }
+ }
+ tor_assert(hop->state == CPATH_STATE_AWAITING_KEYS);
+
+ {
+ const char *msg = NULL;
+ if (onion_skin_client_handshake(hop->handshake_state.tag,
+ &hop->handshake_state,
+ reply->reply, reply->handshake_len,
+ (uint8_t*)keys, sizeof(keys),
+ (uint8_t*)hop->rend_circ_nonce,
+ &msg) < 0) {
+ if (msg)
+ log_warn(LD_CIRC,"onion_skin_client_handshake failed: %s", msg);
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+ }
+
+ onion_handshake_state_release(&hop->handshake_state);
+
+ if (circuit_init_cpath_crypto(hop, keys, sizeof(keys), 0, 0)<0) {
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+
+ hop->state = CPATH_STATE_OPEN;
+ log_info(LD_CIRC,"Finished building circuit hop:");
+ circuit_log_path(LOG_INFO,LD_CIRC,circ);
+ control_event_circuit_status(circ, CIRC_EVENT_EXTENDED, 0);
+
+ return 0;
+}
+
+/** We received a relay truncated cell on circ.
+ *
+ * Since we don't send truncates currently, getting a truncated
+ * means that a connection broke or an extend failed. For now,
+ * just give up: force circ to close, and return 0.
+ */
+int
- circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer, int reason)
++circuit_truncated(origin_circuit_t *circ, int reason)
+{
+// crypt_path_t *victim;
+// connection_t *stream;
+
+ tor_assert(circ);
- tor_assert(layer);
+
+ /* XXX Since we don't send truncates currently, getting a truncated
+ * means that a connection broke or an extend failed. For now,
+ * just give up.
+ */
+ circuit_mark_for_close(TO_CIRCUIT(circ),
+ END_CIRC_REASON_FLAG_REMOTE|reason);
+ return 0;
+
+#if 0
+ while (layer->next != circ->cpath) {
+ /* we need to clear out layer->next */
+ victim = layer->next;
+ log_debug(LD_CIRC, "Killing a layer of the cpath.");
+
+ for (stream = circ->p_streams; stream; stream=stream->next_stream) {
+ if (stream->cpath_layer == victim) {
+ log_info(LD_APP, "Marking stream %d for close because of truncate.",
+ stream->stream_id);
+ /* no need to send 'end' relay cells,
+ * because the other side's already dead
+ */
+ connection_mark_unattached_ap(stream, END_STREAM_REASON_DESTROY);
+ }
+ }
+
+ layer->next = victim->next;
+ circuit_free_cpath_node(victim);
+ }
+
+ log_info(LD_CIRC, "finished");
+ return 0;
+#endif /* 0 */
+}
+
+/** Given a response payload and keys, initialize, then send a created
+ * cell back.
+ */
+int
+onionskin_answer(or_circuit_t *circ,
+ const created_cell_t *created_cell,
+ const char *keys, size_t keys_len,
+ const uint8_t *rend_circ_nonce)
+{
+ cell_t cell;
+
+ tor_assert(keys_len == CPATH_KEY_MATERIAL_LEN);
+
+ if (created_cell_format(&cell, created_cell) < 0) {
+ log_warn(LD_BUG,"couldn't format created cell (type=%d, len=%d)",
+ (int)created_cell->cell_type, (int)created_cell->handshake_len);
+ return -1;
+ }
+ cell.circ_id = circ->p_circ_id;
+
+ circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_OPEN);
+
+ log_debug(LD_CIRC,"init digest forward 0x%.8x, backward 0x%.8x.",
+ (unsigned int)get_uint32(keys),
+ (unsigned int)get_uint32(keys+20));
+ if (relay_crypto_init(&circ->crypto, keys, keys_len, 0, 0)<0) {
+ log_warn(LD_BUG,"Circuit initialization failed");
+ return -1;
+ }
+
+ memcpy(circ->rend_circ_nonce, rend_circ_nonce, DIGEST_LEN);
+
+ int used_create_fast = (created_cell->cell_type == CELL_CREATED_FAST);
+
+ append_cell_to_circuit_queue(TO_CIRCUIT(circ),
+ circ->p_chan, &cell, CELL_DIRECTION_IN, 0);
+ log_debug(LD_CIRC,"Finished sending '%s' cell.",
+ used_create_fast ? "created_fast" : "created");
+
+ /* Ignore the local bit when ExtendAllowPrivateAddresses is set:
+ * it violates the assumption that private addresses are local.
+ * Also, many test networks run on local addresses, and
+ * TestingTorNetwork sets ExtendAllowPrivateAddresses. */
+ if ((!channel_is_local(circ->p_chan)
+ || get_options()->ExtendAllowPrivateAddresses)
+ && !channel_is_outgoing(circ->p_chan)) {
+ /* record that we could process create cells from a non-local conn
+ * that we didn't initiate; presumably this means that create cells
+ * can reach us too. */
+ router_orport_found_reachable();
+ }
+
+ return 0;
+}
+
+/** Helper for new_route_len(). Choose a circuit length for purpose
+ * <b>purpose</b>: DEFAULT_ROUTE_LEN (+ 1 if someone else chose the
+ * exit). If someone else chose the exit, they could be colluding
+ * with the exit, so add a randomly selected node to preserve
+ * anonymity.
+ *
+ * Here, "exit node" sometimes means an OR acting as an internal
+ * endpoint, rather than as a relay to an external endpoint. This
+ * means there need to be at least DEFAULT_ROUTE_LEN routers between
+ * us and the internal endpoint to preserve the same anonymity
+ * properties that we would get when connecting to an external
+ * endpoint. These internal endpoints can include:
+ *
+ * - Connections to a directory of hidden services
+ * (CIRCUIT_PURPOSE_C_GENERAL)
+ *
+ * - A client connecting to an introduction point, which the hidden
+ * service picked (CIRCUIT_PURPOSE_C_INTRODUCING, via
+ * circuit_get_open_circ_or_launch() which rewrites it from
+ * CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT)
+ *
+ * - A hidden service connecting to a rendezvous point, which the
+ * client picked (CIRCUIT_PURPOSE_S_CONNECT_REND, via
+ * rend_service_receive_introduction() and
+ * rend_service_relaunch_rendezvous)
+ *
+ * There are currently two situations where we picked the exit node
+ * ourselves, making DEFAULT_ROUTE_LEN a safe circuit length:
+ *
+ * - We are a hidden service connecting to an introduction point
+ * (CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, via
+ * rend_service_launch_establish_intro())
+ *
+ * - We are a router testing its own reachability
+ * (CIRCUIT_PURPOSE_TESTING, via router_do_reachability_checks())
+ *
+ * onion_pick_cpath_exit() bypasses us (by not calling
+ * new_route_len()) in the one-hop tunnel case, so we don't need to
+ * handle that.
+ */
+int
+route_len_for_purpose(uint8_t purpose, extend_info_t *exit_ei)
+{
+ int routelen = DEFAULT_ROUTE_LEN;
+ int known_purpose = 0;
+
+ if (circuit_should_use_vanguards(purpose)) {
+ /* Clients want an extra hop for rends to avoid linkability.
+ * Services want it for intro points to avoid publishing their
+ * layer3 guards. They want it for hsdir posts to use
+ * their full layer3 guard set for those connections.
+ * Ex: C - G - L2 - L3 - R
+ * S - G - L2 - L3 - HSDIR
+ * S - G - L2 - L3 - I
+ */
+ if (purpose == CIRCUIT_PURPOSE_C_ESTABLISH_REND ||
+ purpose == CIRCUIT_PURPOSE_S_HSDIR_POST ||
+ purpose == CIRCUIT_PURPOSE_HS_VANGUARDS ||
+ purpose == CIRCUIT_PURPOSE_S_ESTABLISH_INTRO)
+ return routelen+1;
+
+ /* If we only have Layer2 vanguards, then we do not need
+ * the extra hop for linkability reasons (see below).
+ * This means all hops can be of the form:
+ * S/C - G - L2 - M - R/HSDir/I
+ */
+ if (get_options()->HSLayer2Nodes && !get_options()->HSLayer3Nodes)
+ return routelen+1;
+
+ /* For connections to hsdirs, clients want two extra hops
+ * when using layer3 guards, to avoid linkability.
+ * Same goes for intro points. Note that the route len
+ * includes the intro point or hsdir, hence the +2.
+ * Ex: C - G - L2 - L3 - M - I
+ * C - G - L2 - L3 - M - HSDIR
+ * S - G - L2 - L3 - M - R
+ */
+ if (purpose == CIRCUIT_PURPOSE_S_CONNECT_REND ||
+ purpose == CIRCUIT_PURPOSE_C_HSDIR_GET ||
+ purpose == CIRCUIT_PURPOSE_C_INTRODUCING)
+ return routelen+2;
+ }
+
+ if (!exit_ei)
+ return routelen;
+
+ switch (purpose) {
+ /* These two purposes connect to a router that we chose, so
+ * DEFAULT_ROUTE_LEN is safe. */
+ case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO:
+ /* hidden service connecting to introduction point */
+ case CIRCUIT_PURPOSE_TESTING:
+ /* router reachability testing */
+ known_purpose = 1;
+ break;
+
+ /* These three purposes connect to a router that someone else
+ * might have chosen, so add an extra hop to protect anonymity. */
+ case CIRCUIT_PURPOSE_C_GENERAL:
+ case CIRCUIT_PURPOSE_C_HSDIR_GET:
+ case CIRCUIT_PURPOSE_S_HSDIR_POST:
+ /* connecting to hidden service directory */
+ case CIRCUIT_PURPOSE_C_INTRODUCING:
+ /* client connecting to introduction point */
+ case CIRCUIT_PURPOSE_S_CONNECT_REND:
+ /* hidden service connecting to rendezvous point */
+ known_purpose = 1;
+ routelen++;
+ break;
+
+ default:
+ /* Got a purpose not listed above along with a chosen exit.
+ * Increase the circuit length by one anyway for safety. */
+ routelen++;
+ break;
+ }
+
+ if (BUG(exit_ei && !known_purpose)) {
+ log_warn(LD_BUG, "Unhandled purpose %d with a chosen exit; "
+ "assuming routelen %d.", purpose, routelen);
+ }
+ return routelen;
+}
+
+/** Choose a length for a circuit of purpose <b>purpose</b> and check
+ * if enough routers are available.
+ *
+ * If the routerlist <b>nodes</b> doesn't have enough routers
+ * to handle the desired path length, return -1.
+ */
+STATIC int
+new_route_len(uint8_t purpose, extend_info_t *exit_ei, smartlist_t *nodes)
+{
+ int num_acceptable_routers;
+ int routelen;
+
+ tor_assert(nodes);
+
+ routelen = route_len_for_purpose(purpose, exit_ei);
+
+ num_acceptable_routers = count_acceptable_nodes(nodes);
+
+ log_debug(LD_CIRC,"Chosen route length %d (%d/%d routers suitable).",
+ routelen, num_acceptable_routers, smartlist_len(nodes));
+
+ if (num_acceptable_routers < routelen) {
+ log_info(LD_CIRC,
+ "Not enough acceptable routers (%d/%d). Discarding this circuit.",
+ num_acceptable_routers, routelen);
+ return -1;
+ }
+
+ return routelen;
+}
+
+/** Return a newly allocated list of uint16_t * for each predicted port not
+ * handled by a current circuit. */
+static smartlist_t *
+circuit_get_unhandled_ports(time_t now)
+{
+ smartlist_t *dest = rep_hist_get_predicted_ports(now);
+ circuit_remove_handled_ports(dest);
+ return dest;
+}
+
+/** Return 1 if we already have circuits present or on the way for
+ * all anticipated ports. Return 0 if we should make more.
+ *
+ * If we're returning 0, set need_uptime and need_capacity to
+ * indicate any requirements that the unhandled ports have.
+ */
+MOCK_IMPL(int,
+circuit_all_predicted_ports_handled, (time_t now, int *need_uptime,
+ int *need_capacity))
+{
+ int i, enough;
+ uint16_t *port;
+ smartlist_t *sl = circuit_get_unhandled_ports(now);
+ smartlist_t *LongLivedServices = get_options()->LongLivedPorts;
+ tor_assert(need_uptime);
+ tor_assert(need_capacity);
+ // Always predict need_capacity
+ *need_capacity = 1;
+ enough = (smartlist_len(sl) == 0);
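+ /* Check each unhandled port against LongLivedPorts (to see whether an
+ * uptime circuit is needed), freeing each entry as we go. */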
+ for (i = 0; i < smartlist_len(sl); ++i) {
+ port = smartlist_get(sl, i);
+ if (smartlist_contains_int_as_string(LongLivedServices, *port))
+ *need_uptime = 1;
+ tor_free(port);
+ }
+ smartlist_free(sl);
+ return enough;
+}
+
+/** Return 1 if <b>node</b> can handle one or more of the ports in
+ * <b>needed_ports</b>, else return 0.
+ */
+static int
+node_handles_some_port(const node_t *node, smartlist_t *needed_ports)
+{ /* XXXX MOVE */
+ int i;
+ uint16_t port;
+
+ for (i = 0; i < smartlist_len(needed_ports); ++i) {
+ addr_policy_result_t r;
+ /* alignment issues aren't a worry for this dereference, since
+ needed_ports is explicitly a smartlist of uint16_t's */
+ port = *(uint16_t *)smartlist_get(needed_ports, i);
+ tor_assert(port);
+ if (node)
+ r = compare_tor_addr_to_node_policy(NULL, port, node);
+ else
+ continue;
+ if (r != ADDR_POLICY_REJECTED && r != ADDR_POLICY_PROBABLY_REJECTED)
+ return 1;
+ }
+ return 0;
+}
+
+/** Return true iff <b>conn</b> needs another general circuit to be
+ * built. */
+static int
+ap_stream_wants_exit_attention(connection_t *conn)
+{
+ entry_connection_t *entry;
+ if (conn->type != CONN_TYPE_AP)
+ return 0;
+ entry = TO_ENTRY_CONN(conn);
+
+ if (conn->state == AP_CONN_STATE_CIRCUIT_WAIT &&
+ !conn->marked_for_close &&
+ !(entry->want_onehop) && /* ignore one-hop streams */
+ !(entry->use_begindir) && /* ignore targeted dir fetches */
+ !(entry->chosen_exit_name) && /* ignore defined streams */
+ !connection_edge_is_rendezvous_stream(TO_EDGE_CONN(conn)) &&
+ !circuit_stream_is_being_handled(TO_ENTRY_CONN(conn), 0,
+ MIN_CIRCUITS_HANDLING_STREAM))
+ return 1;
+ return 0;
+}
+
+/** Return a pointer to a suitable router to be the exit node for the
+ * general-purpose circuit we're about to build.
+ *
+ * Look through the connection array, and choose a router that maximizes
+ * the number of pending streams that can exit from this router.
+ *
+ * Return NULL if we can't find any suitable routers.
+ */
+static const node_t *
+choose_good_exit_server_general(router_crn_flags_t flags)
+{
+ int *n_supported;
+ int n_pending_connections = 0;
+ smartlist_t *connections;
+ int best_support = -1;
+ int n_best_support=0;
+ const or_options_t *options = get_options();
+ const smartlist_t *the_nodes;
+ const node_t *selected_node=NULL;
+ const int need_uptime = (flags & CRN_NEED_UPTIME) != 0;
+ const int need_capacity = (flags & CRN_NEED_CAPACITY) != 0;
+ const int direct_conn = (flags & CRN_DIRECT_CONN) != 0;
+
+ connections = get_connection_array();
+
+ /* Count how many connections are waiting for a circuit to be built.
+ * We use this for log messages now, but in the future we may depend on it.
+ */
+ SMARTLIST_FOREACH(connections, connection_t *, conn,
+ {
+ if (ap_stream_wants_exit_attention(conn))
+ ++n_pending_connections;
+ });
+// log_fn(LOG_DEBUG, "Choosing exit node; %d connections are pending",
+// n_pending_connections);
+ /* Now we count, for each of the routers in the directory, how many
+ * of the pending connections could possibly exit from that
+ * router (n_supported[i]). (We can't be sure about cases where we
+ * don't know the IP address of the pending connection.)
+ *
+ * -1 means "Don't use this router at all."
+ */
+ the_nodes = nodelist_get_list();
+ n_supported = tor_calloc(smartlist_len(the_nodes), sizeof(int));
+ SMARTLIST_FOREACH_BEGIN(the_nodes, const node_t *, node) {
+ const int i = node_sl_idx;
+ if (router_digest_is_me(node->identity)) {
+ n_supported[i] = -1;
+// log_fn(LOG_DEBUG,"Skipping node %s -- it's me.", router->nickname);
+ /* XXX there's probably a reverse predecessor attack here, but
+ * it's slow. should we take this out? -RD
+ */
+ continue;
+ }
+ if (!node_has_preferred_descriptor(node, direct_conn)) {
+ n_supported[i] = -1;
+ continue;
+ }
+ if (!node->is_running || node->is_bad_exit) {
+ n_supported[i] = -1;
+ continue; /* skip routers that are known to be down or bad exits */
+ }
+ if (node_get_purpose(node) != ROUTER_PURPOSE_GENERAL) {
+ /* never pick a non-general node as a random exit. */
+ n_supported[i] = -1;
+ continue;
+ }
+ if (routerset_contains_node(options->ExcludeExitNodesUnion_, node)) {
+ n_supported[i] = -1;
+ continue; /* user asked us not to use it, no matter what */
+ }
+ if (options->ExitNodes &&
+ !routerset_contains_node(options->ExitNodes, node)) {
+ n_supported[i] = -1;
+ continue; /* not one of our chosen exit nodes */
+ }
+
+ if (node_is_unreliable(node, need_uptime, need_capacity, 0)) {
+ n_supported[i] = -1;
+ continue; /* skip routers that are not suitable. Don't worry if
+ * this makes us reject all the possible routers: if so,
+ * we'll retry later in this function with need_uptime and
+ * need_capacity set to 0. */
+ }
+ if (!(node->is_valid)) {
+ /* if it's invalid and we don't want it */
+ n_supported[i] = -1;
+// log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- invalid router.",
+// router->nickname, i);
+ continue; /* skip invalid routers */
+ }
+ /* Exclude relays that allow single-hop exits. The option that permitted
+ * them was deprecated in 0.2.9.2-alpha and removed in 0.3.1.0-alpha. */
+ if (node_allows_single_hop_exits(node)) {
+ n_supported[i] = -1;
+ continue;
+ }
+ if (node_exit_policy_rejects_all(node)) {
+ n_supported[i] = -1;
+// log_fn(LOG_DEBUG,"Skipping node %s (index %d) -- it rejects all.",
+// router->nickname, i);
+ continue; /* skip routers that reject all */
+ }
+ n_supported[i] = 0;
+ /* iterate over connections */
+ SMARTLIST_FOREACH_BEGIN(connections, connection_t *, conn) {
+ if (!ap_stream_wants_exit_attention(conn))
+ continue; /* Skip everything but APs in CIRCUIT_WAIT */
+ if (connection_ap_can_use_exit(TO_ENTRY_CONN(conn), node)) {
+ ++n_supported[i];
+// log_fn(LOG_DEBUG,"%s is supported. n_supported[%d] now %d.",
+// router->nickname, i, n_supported[i]);
+ } else {
+// log_fn(LOG_DEBUG,"%s (index %d) would reject this stream.",
+// router->nickname, i);
+ }
+ } SMARTLIST_FOREACH_END(conn);
+ if (n_pending_connections > 0 && n_supported[i] == 0) {
+ /* Leave best_support at -1 if that's where it is, so we can
+ * distinguish it later. */
+ continue;
+ }
+ if (n_supported[i] > best_support) {
+ /* If this router is better than previous ones, remember its index
+ * and goodness, and start counting how many routers are this good. */
+ best_support = n_supported[i]; n_best_support=1;
+// log_fn(LOG_DEBUG,"%s is new best supported option so far.",
+// router->nickname);
+ } else if (n_supported[i] == best_support) {
+ /* If this router is _as good_ as the best one, just increment the
+ * count of equally good routers.*/
+ ++n_best_support;
+ }
+ } SMARTLIST_FOREACH_END(node);
+ log_info(LD_CIRC,
+ "Found %d servers that might support %d/%d pending connections.",
+ n_best_support, best_support >= 0 ? best_support : 0,
+ n_pending_connections);
+
+ /* If any routers definitely support any pending connections, choose one
+ * at random. */
+ if (best_support > 0) {
+ smartlist_t *supporting = smartlist_new();
+
+ SMARTLIST_FOREACH(the_nodes, const node_t *, node, {
+ if (n_supported[node_sl_idx] == best_support)
+ smartlist_add(supporting, (void*)node);
+ });
+
+ selected_node = node_sl_choose_by_bandwidth(supporting, WEIGHT_FOR_EXIT);
+ smartlist_free(supporting);
+ } else {
+ /* Either there are no pending connections, or no routers even seem to
+ * possibly support any of them. Choose a router at random that satisfies
+ * at least one predicted exit port. */
+
+ int attempt;
+ smartlist_t *needed_ports, *supporting;
+
+ if (best_support == -1) {
+ if (need_uptime || need_capacity) {
+ log_info(LD_CIRC,
+ "We couldn't find any live%s%s routers; falling back "
+ "to list of all routers.",
+ need_capacity?", fast":"",
+ need_uptime?", stable":"");
+ tor_free(n_supported);
+ flags &= ~(CRN_NEED_UPTIME|CRN_NEED_CAPACITY);
+ return choose_good_exit_server_general(flags);
+ }
+ log_notice(LD_CIRC, "All routers are down or won't exit%s -- "
+ "choosing a doomed exit at random.",
+ options->ExcludeExitNodesUnion_ ? " or are Excluded" : "");
+ }
+ supporting = smartlist_new();
+ needed_ports = circuit_get_unhandled_ports(time(NULL));
+ for (attempt = 0; attempt < 2; attempt++) {
+ /* try once to pick only from routers that satisfy a needed port,
+ * then if there are none, pick from any that support exiting. */
+ SMARTLIST_FOREACH_BEGIN(the_nodes, const node_t *, node) {
+ if (n_supported[node_sl_idx] != -1 &&
+ (attempt || node_handles_some_port(node, needed_ports))) {
+// log_fn(LOG_DEBUG,"Try %d: '%s' is a possibility.",
+// try, router->nickname);
+ smartlist_add(supporting, (void*)node);
+ }
+ } SMARTLIST_FOREACH_END(node);
+
+ selected_node = node_sl_choose_by_bandwidth(supporting, WEIGHT_FOR_EXIT);
+ if (selected_node)
+ break;
+ smartlist_clear(supporting);
+ /* If we reach this point, we can't actually support any unhandled
+ * predicted ports, so clear all the remaining ones. */
+ if (smartlist_len(needed_ports))
+ rep_hist_remove_predicted_ports(needed_ports);
+ }
+ SMARTLIST_FOREACH(needed_ports, uint16_t *, cp, tor_free(cp));
+ smartlist_free(needed_ports);
+ smartlist_free(supporting);
+ }
+
+ tor_free(n_supported);
+ if (selected_node) {
+ log_info(LD_CIRC, "Chose exit server '%s'", node_describe(selected_node));
+ return selected_node;
+ }
+ if (options->ExitNodes) {
+ log_warn(LD_CIRC,
+ "No exits in ExitNodes%s seem to be running: "
+ "can't choose an exit.",
+ options->ExcludeExitNodesUnion_ ?
+ ", except possibly those excluded by your configuration, " : "");
+ }
+ return NULL;
+}
+
+/* Pick a Rendezvous Point for our HS circuits according to <b>flags</b>. */
+static const node_t *
+pick_rendezvous_node(router_crn_flags_t flags)
+{
+ const or_options_t *options = get_options();
+ return router_choose_random_node(NULL, options->ExcludeNodes, flags);
+}
+
+/*
+ * Helper function to pick a configured restricted middle node
+ * (either HSLayer2Nodes or HSLayer3Nodes).
+ *
+ * Make sure that the node we chose is alive, and not excluded,
+ * and return it.
+ *
+ * The exclude_set is a routerset of nodes that the selected node
+ * must not match, and the exclude_list is a simple list of nodes
+ * that the selected node must not be in. Either or both may be
+ * NULL.
+ *
+ * Return NULL if no usable nodes could be found. */
+static const node_t *
+pick_restricted_middle_node(router_crn_flags_t flags,
+ const routerset_t *pick_from,
+ const routerset_t *exclude_set,
+ const smartlist_t *exclude_list,
+ int position_hint)
+{
+ const node_t *middle_node = NULL;
+
+ smartlist_t *whitelisted_live_middles = smartlist_new();
+ smartlist_t *all_live_nodes = smartlist_new();
+
+ tor_assert(pick_from);
+
+ /* Add all running nodes to all_live_nodes */
+ router_add_running_nodes_to_smartlist(all_live_nodes,
+ (flags & CRN_NEED_UPTIME) != 0,
+ (flags & CRN_NEED_CAPACITY) != 0,
+ (flags & CRN_NEED_GUARD) != 0,
+ (flags & CRN_NEED_DESC) != 0,
+ (flags & CRN_PREF_ADDR) != 0,
+ (flags & CRN_DIRECT_CONN) != 0);
+
+ /* Filter all_live_nodes to only add live *and* whitelisted middles
+ * to the list whitelisted_live_middles. */
+ SMARTLIST_FOREACH_BEGIN(all_live_nodes, node_t *, live_node) {
+ if (routerset_contains_node(pick_from, live_node)) {
+ smartlist_add(whitelisted_live_middles, live_node);
+ }
+ } SMARTLIST_FOREACH_END(live_node);
+
+ /* Honor ExcludeNodes */
+ if (exclude_set) {
+ routerset_subtract_nodes(whitelisted_live_middles, exclude_set);
+ }
+
+ if (exclude_list) {
+ smartlist_subtract(whitelisted_live_middles, exclude_list);
+ }
+
+ /**
+ * Max number of restricted nodes before we alert the user and try
+ * to load balance for them.
+ *
+ * The most aggressive vanguard design had 16 nodes at layer3.
+ * Let's give a small ceiling above that. */
+#define MAX_SANE_RESTRICTED_NODES 20
+ /* If the user (or associated tor controller) selected only a few nodes,
+ * assume they took load balancing into account and don't do it for them.
+ *
+ * If there are a lot of nodes in here, assume they did not load balance
+ * and do it for them, but also warn them that they may be Doing It Wrong.
+ */
+ if (smartlist_len(whitelisted_live_middles) <=
+ MAX_SANE_RESTRICTED_NODES) {
+ middle_node = smartlist_choose(whitelisted_live_middles);
+ } else {
+ static ratelim_t pinned_notice_limit = RATELIM_INIT(24*3600);
+ log_fn_ratelim(&pinned_notice_limit, LOG_NOTICE, LD_CIRC,
+ "Your _HSLayer%dNodes setting has resulted "
+ "in %d total nodes. This is a lot of nodes. "
+ "You may want to consider using a Tor controller "
+ "to select and update a smaller set of nodes instead.",
+ position_hint, smartlist_len(whitelisted_live_middles));
+
+ /* NO_WEIGHTING here just means don't take node flags into account
+ * (ie: use consensus measurement only). This is done so that
+ * we don't further surprise the user by not using Exits that they
+ * specified at all */
+ middle_node = node_sl_choose_by_bandwidth(whitelisted_live_middles,
+ NO_WEIGHTING);
+ }
+
+ smartlist_free(whitelisted_live_middles);
+ smartlist_free(all_live_nodes);
+
+ return middle_node;
+}
+
+/** Return a pointer to a suitable router to be the exit node for the
+ * circuit of purpose <b>purpose</b> that we're about to build (or NULL
+ * if no router is suitable).
+ *
+ * For general-purpose circuits, pass it off to
+ * choose_good_exit_server_general()
+ *
+ * For client-side rendezvous circuits, choose a random node, weighted
+ * toward the preferences in 'options'.
+ */
+static const node_t *
+choose_good_exit_server(origin_circuit_t *circ,
+ router_crn_flags_t flags, int is_internal)
+{
+ const or_options_t *options = get_options();
+ flags |= CRN_NEED_DESC;
+
+ switch (TO_CIRCUIT(circ)->purpose) {
+ case CIRCUIT_PURPOSE_C_HSDIR_GET:
+ case CIRCUIT_PURPOSE_S_HSDIR_POST:
+ case CIRCUIT_PURPOSE_HS_VANGUARDS:
+ /* For these three, we want to pick the exit like a middle hop,
+ * since it should be random. */
+ tor_assert_nonfatal(is_internal);
+ /* Falls through */
+ case CIRCUIT_PURPOSE_C_GENERAL:
+ if (is_internal) /* pick it like a middle hop */
+ return router_choose_random_node(NULL, options->ExcludeNodes, flags);
+ else
+ return choose_good_exit_server_general(flags);
+ case CIRCUIT_PURPOSE_C_ESTABLISH_REND:
+ {
+ /* Pick a new RP */
+ const node_t *rendezvous_node = pick_rendezvous_node(flags);
+ log_info(LD_REND, "Picked new RP: %s",
+ safe_str_client(node_describe(rendezvous_node)));
+ return rendezvous_node;
+ }
+ }
+ log_warn(LD_BUG,"Unhandled purpose %d", TO_CIRCUIT(circ)->purpose);
+ tor_fragile_assert();
+ return NULL;
+}
+
+/** Log a warning if the user specified an exit for the circuit that
+ * has been excluded from use by ExcludeNodes or ExcludeExitNodes. */
+static void
+warn_if_last_router_excluded(origin_circuit_t *circ,
+ const extend_info_t *exit_ei)
+{
+ const or_options_t *options = get_options();
+ routerset_t *rs = options->ExcludeNodes;
+ const char *description;
+ uint8_t purpose = circ->base_.purpose;
+
+ if (circ->build_state->onehop_tunnel)
+ return;
+
+ switch (purpose)
+ {
+ default:
+ case CIRCUIT_PURPOSE_OR:
+ case CIRCUIT_PURPOSE_INTRO_POINT:
+ case CIRCUIT_PURPOSE_REND_POINT_WAITING:
+ case CIRCUIT_PURPOSE_REND_ESTABLISHED:
+ log_warn(LD_BUG, "Called on non-origin circuit (purpose %d, %s)",
+ (int)purpose,
+ circuit_purpose_to_string(purpose));
+ return;
+ case CIRCUIT_PURPOSE_S_HSDIR_POST:
+ case CIRCUIT_PURPOSE_C_HSDIR_GET:
+ case CIRCUIT_PURPOSE_C_GENERAL:
+ if (circ->build_state->is_internal)
+ return;
+ description = "requested exit node";
+ rs = options->ExcludeExitNodesUnion_;
+ break;
+ case CIRCUIT_PURPOSE_C_INTRODUCING:
+ case CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT:
+ case CIRCUIT_PURPOSE_C_INTRODUCE_ACKED:
+ case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO:
+ case CIRCUIT_PURPOSE_S_CONNECT_REND:
+ case CIRCUIT_PURPOSE_S_REND_JOINED:
+ case CIRCUIT_PURPOSE_TESTING:
+ return;
+ case CIRCUIT_PURPOSE_C_ESTABLISH_REND:
+ case CIRCUIT_PURPOSE_C_REND_READY:
+ case CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED:
+ case CIRCUIT_PURPOSE_C_REND_JOINED:
+ description = "chosen rendezvous point";
+ break;
+ case CIRCUIT_PURPOSE_CONTROLLER:
+ rs = options->ExcludeExitNodesUnion_;
+ description = "controller-selected circuit target";
+ break;
+ }
+
+ if (routerset_contains_extendinfo(rs, exit_ei)) {
+ /* We should never get here if StrictNodes is set to 1. */
+ if (options->StrictNodes) {
+ log_warn(LD_BUG, "Using %s '%s' which is listed in ExcludeNodes%s, "
+ "even though StrictNodes is set. Please report. "
+ "(Circuit purpose: %s)",
+ description, extend_info_describe(exit_ei),
+ rs==options->ExcludeNodes?"":" or ExcludeExitNodes",
+ circuit_purpose_to_string(purpose));
+ } else {
+ log_warn(LD_CIRC, "Using %s '%s' which is listed in "
+ "ExcludeNodes%s, because no better options were available. To "
+ "prevent this (and possibly break your Tor functionality), "
+ "set the StrictNodes configuration option. "
+ "(Circuit purpose: %s)",
+ description, extend_info_describe(exit_ei),
+ rs==options->ExcludeNodes?"":" or ExcludeExitNodes",
+ circuit_purpose_to_string(purpose));
+ }
+ circuit_log_path(LOG_WARN, LD_CIRC, circ);
+ }
+
+ return;
+}
+
+/** Decide a suitable length for circ's cpath, and pick an exit
+ * router (or use <b>exit</b> if provided). Store these in the
+ * cpath.
+ *
+ * If <b>is_hs_v3_rp_circuit</b> is set, then this exit should be suitable to
+ * be used as an HS v3 rendezvous point.
+ *
+ * Return 0 if ok, -1 if circuit should be closed. */
+STATIC int
+onion_pick_cpath_exit(origin_circuit_t *circ, extend_info_t *exit_ei,
+ int is_hs_v3_rp_circuit)
+{
+ cpath_build_state_t *state = circ->build_state;
+
+ if (state->onehop_tunnel) {
+ log_debug(LD_CIRC, "Launching a one-hop circuit for dir tunnel%s.",
+ (rend_allow_non_anonymous_connection(get_options()) ?
+ ", or intro or rendezvous connection" : ""));
+ state->desired_path_len = 1;
+ } else {
+ int r = new_route_len(circ->base_.purpose, exit_ei, nodelist_get_list());
+ if (r < 1) /* must be at least 1 */
+ return -1;
+ state->desired_path_len = r;
+ }
+
+ if (exit_ei) { /* the circuit-builder pre-requested one */
+ warn_if_last_router_excluded(circ, exit_ei);
+ log_info(LD_CIRC,"Using requested exit node '%s'",
+ extend_info_describe(exit_ei));
+ exit_ei = extend_info_dup(exit_ei);
+ } else { /* we have to decide one */
+ router_crn_flags_t flags = CRN_NEED_DESC;
+ if (state->need_uptime)
+ flags |= CRN_NEED_UPTIME;
+ if (state->need_capacity)
+ flags |= CRN_NEED_CAPACITY;
+ if (is_hs_v3_rp_circuit)
+ flags |= CRN_RENDEZVOUS_V3;
+ if (state->onehop_tunnel)
+ flags |= CRN_DIRECT_CONN;
+ const node_t *node =
+ choose_good_exit_server(circ, flags, state->is_internal);
+ if (!node) {
+ log_warn(LD_CIRC,"Failed to choose an exit server");
+ return -1;
+ }
+ exit_ei = extend_info_from_node(node, state->onehop_tunnel);
+ if (BUG(exit_ei == NULL))
+ return -1;
+ }
+ state->chosen_exit = exit_ei;
+ return 0;
+}
+
+/** Give <b>circ</b> a new exit destination to <b>exit</b>, and add a
+ * hop to the cpath reflecting this. Don't send the next extend cell --
+ * the caller will do this if it wants to.
+ */
+int
+circuit_append_new_exit(origin_circuit_t *circ, extend_info_t *exit_ei)
+{
+ cpath_build_state_t *state;
+ tor_assert(exit_ei);
+ tor_assert(circ);
+
+ state = circ->build_state;
+ tor_assert(state);
+ extend_info_free(state->chosen_exit);
+ state->chosen_exit = extend_info_dup(exit_ei);
+
+ ++circ->build_state->desired_path_len;
+ onion_append_hop(&circ->cpath, exit_ei);
+ return 0;
+}
+
+/** Take an open <b>circ</b>, and add a new hop at the end, based on
+ * <b>info</b>. Set its state back to CIRCUIT_STATE_BUILDING, and then
+ * send the next extend cell to begin connecting to that hop.
+ */
+int
+circuit_extend_to_new_exit(origin_circuit_t *circ, extend_info_t *exit_ei)
+{
+ int err_reason = 0;
+ warn_if_last_router_excluded(circ, exit_ei);
+
+ tor_gettimeofday(&circ->base_.timestamp_began);
+
+ circuit_append_new_exit(circ, exit_ei);
+ circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_BUILDING);
+ if ((err_reason = circuit_send_next_onion_skin(circ))<0) {
+ log_warn(LD_CIRC, "Couldn't extend circuit to new point %s.",
+ extend_info_describe(exit_ei));
+ circuit_mark_for_close(TO_CIRCUIT(circ), -err_reason);
+ return -1;
+ }
+
+ // XXX: Should cannibalized circuits be dirty or not? Not easy to say..
+
+ return 0;
+}
+
+/** Return the number of routers in <b>nodes</b> that are currently up
+ * and available for building circuits through.
+ *
+ * (Note that this function may overcount or undercount, if we have
+ * descriptors that are not the type we would prefer to use for some
+ * particular router. See bug #25885.)
+ */
+MOCK_IMPL(STATIC int,
+count_acceptable_nodes, (smartlist_t *nodes))
+{
+ int num=0;
+
+ SMARTLIST_FOREACH_BEGIN(nodes, const node_t *, node) {
+ // log_debug(LD_CIRC,
+// "Contemplating whether router %d (%s) is a new option.",
+// i, r->nickname);
+ if (! node->is_running)
+// log_debug(LD_CIRC,"Nope, the directory says %d is not running.",i);
+ continue;
+ if (! node->is_valid)
+// log_debug(LD_CIRC,"Nope, the directory says %d is not valid.",i);
+ continue;
+ if (! node_has_any_descriptor(node))
+ continue;
+ /* The node has a descriptor, so we can just check the ntor key directly */
+ if (!node_has_curve25519_onion_key(node))
+ continue;
+ ++num;
+ } SMARTLIST_FOREACH_END(node);
+
+// log_debug(LD_CIRC,"I like %d. num_acceptable_routers now %d.",i, num);
+
+ return num;
+}
+
+/** Add <b>new_hop</b> to the end of the doubly-linked-list <b>head_ptr</b>.
+ * This function is used to extend cpath by another hop.
+ */
+void
+onion_append_to_cpath(crypt_path_t **head_ptr, crypt_path_t *new_hop)
+{
+ if (*head_ptr) {
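+ /* Non-empty list: splice new_hop in just before the head, which is the
+ * tail position of this circular, doubly-linked list. */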
+ new_hop->next = (*head_ptr);
+ new_hop->prev = (*head_ptr)->prev;
+ (*head_ptr)->prev->next = new_hop;
+ (*head_ptr)->prev = new_hop;
+ } else {
+ *head_ptr = new_hop;
+ new_hop->prev = new_hop->next = new_hop;
+ }
+}
+
+#ifdef TOR_UNIT_TESTS
+
+/** Unittest helper function: Count number of hops in cpath linked list. */
+unsigned int
+cpath_get_n_hops(crypt_path_t **head_ptr)
+{
+ unsigned int n_hops = 0;
+ crypt_path_t *tmp;
+
+ if (!*head_ptr) {
+ return 0;
+ }
+
+ tmp = *head_ptr;
+ do {
+ n_hops++;
+ tmp = tmp->next;
+ } while (tmp != *head_ptr);
+
+ return n_hops;
+}
+
+#endif /* defined(TOR_UNIT_TESTS) */
+
+/**
+ * Build the exclude list for vanguard circuits.
+ *
+ * For vanguard circuits we exclude all the already chosen nodes (including the
+ * exit) from being middle hops to prevent the creation of A - B - A subpaths.
+ * We also allow the 4th hop to be the same as the guard node so as to not leak
+ * guard information to RP/IP/HSDirs.
+ *
+ * For vanguard circuits, we don't apply any subnet or family restrictions.
+ * This is to avoid impossible-to-build circuit paths, or just situations where
+ * our earlier guards prevent us from using most of our later ones.
+ *
+ * The alternative is building the circuit in reverse. Reverse calls to
+ * onion_extend_cpath() (ie: select outer hops first) would then have the
+ * property that you don't gain information about inner hops by observing
+ * outer ones. See https://trac.torproject.org/projects/tor/ticket/24487
+ * for this.
+ *
+ * (Note further that we still exclude the exit to prevent A - B - A
+ * at the end of the path.) */
+static smartlist_t *
+build_vanguard_middle_exclude_list(uint8_t purpose,
+ cpath_build_state_t *state,
+ crypt_path_t *head,
+ int cur_len)
+{
+ smartlist_t *excluded;
+ const node_t *r;
+ crypt_path_t *cpath;
+ int i;
+
+ (void) purpose;
+
+ excluded = smartlist_new();
+
+ /* Add the exit to the exclude list (note that the exit/last hop is always
+ * chosen first in circuit_establish_circuit()). */
+ if ((r = build_state_get_exit_node(state))) {
+ smartlist_add(excluded, (node_t*)r);
+ }
+
+ /* If we are picking the 4th hop, allow that node to be the guard too.
+ * This prevents us from avoiding the Guard for those hops, which
+ * gives the adversary information about our guard if they control
+ * the RP, IP, or HSDIR. We don't do this check based on purpose
+ * because we also want to allow HS_VANGUARDS pre-build circuits
+ * to use the guard for that last hop.
+ */
+ if (cur_len == DEFAULT_ROUTE_LEN+1) {
+ /* Skip the first hop for the exclude list below */
+ head = head->next;
+ cur_len--;
+ }
+
+ for (i = 0, cpath = head; cpath && i < cur_len; ++i, cpath=cpath->next) {
+ if ((r = node_get_by_id(cpath->extend_info->identity_digest))) {
+ smartlist_add(excluded, (node_t*)r);
+ }
+ }
+
+ return excluded;
+}
+
+/**
+ * Build a list of nodes to exclude from the choice of this middle
+ * hop, based on already chosen nodes.
+ */
+static smartlist_t *
+build_middle_exclude_list(uint8_t purpose,
+ cpath_build_state_t *state,
+ crypt_path_t *head,
+ int cur_len)
+{
+ smartlist_t *excluded;
+ const node_t *r;
+ crypt_path_t *cpath;
+ int i;
+
+ /** Vanguard circuits have their own path selection rules */
+ if (circuit_should_use_vanguards(purpose)) {
+ return build_vanguard_middle_exclude_list(purpose, state, head, cur_len);
+ }
+
+ excluded = smartlist_new();
+
+ /* For non-vanguard circuits, add the exit and its family to the exclude list
+ * (note that the exit/last hop is always chosen first in
+ * circuit_establish_circuit()). */
+ if ((r = build_state_get_exit_node(state))) {
+ nodelist_add_node_and_family(excluded, r);
+ }
+
+ /* also exclude all other already chosen nodes and their family */
+ for (i = 0, cpath = head; cpath && i < cur_len; ++i, cpath=cpath->next) {
+ if ((r = node_get_by_id(cpath->extend_info->identity_digest))) {
+ nodelist_add_node_and_family(excluded, r);
+ }
+ }
+
+ return excluded;
+}
+
+/** Return true if we MUST use vanguards for picking this middle node. */
+static int
+middle_node_must_be_vanguard(const or_options_t *options,
+ uint8_t purpose, int cur_len)
+{
+ /* If this is not a hidden service circuit, don't use vanguards */
+ if (!circuit_purpose_is_hidden_service(purpose)) {
+ return 0;
+ }
+
+ /* If we have sticky L2 nodes, and this is an L2 pick, use vanguards */
+ if (options->HSLayer2Nodes && cur_len == 1) {
+ return 1;
+ }
+
+ /* If we have sticky L3 nodes, and this is an L3 pick, use vanguards */
+ if (options->HSLayer3Nodes && cur_len == 2) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/** Pick a sticky vanguard middle node or return NULL if not found.
+ * See doc of pick_restricted_middle_node() for argument details. */
+static const node_t *
+pick_vanguard_middle_node(const or_options_t *options,
+ router_crn_flags_t flags, int cur_len,
+ const smartlist_t *excluded)
+{
+ const routerset_t *vanguard_routerset = NULL;
+ const node_t *node = NULL;
+
+ /* Pick the right routerset based on the current hop */
+ if (cur_len == 1) {
+ vanguard_routerset = options->HSLayer2Nodes;
+ } else if (cur_len == 2) {
+ vanguard_routerset = options->HSLayer3Nodes;
+ } else {
+ /* guaranteed by middle_node_must_be_vanguard() */
+ tor_assert_nonfatal_unreached();
+ return NULL;
+ }
+
+ node = pick_restricted_middle_node(flags, vanguard_routerset,
+ options->ExcludeNodes, excluded,
+ cur_len+1);
+
+ if (!node) {
+ static ratelim_t pinned_warning_limit = RATELIM_INIT(300);
+ log_fn_ratelim(&pinned_warning_limit, LOG_WARN, LD_CIRC,
+ "Could not find a node that matches the configured "
+ "_HSLayer%dNodes set", cur_len+1);
+ }
+
+ return node;
+}
+
+/** A helper function used by onion_extend_cpath(). Use <b>purpose</b>
+ * and <b>state</b> and the cpath <b>head</b> (currently populated only
+ * to length <b>cur_len</b>) to decide a suitable middle hop for a
+ * circuit. In particular, make sure we don't pick the exit node or its
+ * family, and make sure we don't duplicate any previous nodes or their
+ * families. */
+static const node_t *
+choose_good_middle_server(uint8_t purpose,
+ cpath_build_state_t *state,
+ crypt_path_t *head,
+ int cur_len)
+{
+ const node_t *choice;
+ smartlist_t *excluded;
+ const or_options_t *options = get_options();
+ router_crn_flags_t flags = CRN_NEED_DESC;
+ tor_assert(CIRCUIT_PURPOSE_MIN_ <= purpose &&
+ purpose <= CIRCUIT_PURPOSE_MAX_);
+
+ log_debug(LD_CIRC, "Contemplating intermediate hop #%d: random choice.",
+ cur_len+1);
+
+ excluded = build_middle_exclude_list(purpose, state, head, cur_len);
+
+ if (state->need_uptime)
+ flags |= CRN_NEED_UPTIME;
+ if (state->need_capacity)
+ flags |= CRN_NEED_CAPACITY;
+
+ /** If a hidden service circuit wants a specific middle node, pin it. */
+ if (middle_node_must_be_vanguard(options, purpose, cur_len)) {
+ log_debug(LD_GENERAL, "Picking a sticky node (cur_len = %d)", cur_len);
+ choice = pick_vanguard_middle_node(options, flags, cur_len, excluded);
+ smartlist_free(excluded);
+ return choice;
+ }
+
+ choice = router_choose_random_node(excluded, options->ExcludeNodes, flags);
+ smartlist_free(excluded);
+ return choice;
+}
+
+/** Pick a good entry server for the circuit to be built according to
+ * <b>state</b>. Don't reuse a chosen exit (if any), don't use this
+ * router (if we're an OR), and respect firewall settings; if we're
+ * configured to use entry guards, return one.
+ *
+ * Set *<b>guard_state_out</b> to information about the guard that
+ * we're selecting, which we'll use later to remember whether the
+ * guard worked or not.
+ */
+const node_t *
+choose_good_entry_server(uint8_t purpose, cpath_build_state_t *state,
+ circuit_guard_state_t **guard_state_out)
+{
+ const node_t *choice;
+ smartlist_t *excluded;
+ const or_options_t *options = get_options();
+ /* If possible, choose an entry server with a preferred address,
+ * otherwise, choose one with an allowed address */
+ router_crn_flags_t flags = (CRN_NEED_GUARD|CRN_NEED_DESC|CRN_PREF_ADDR|
+ CRN_DIRECT_CONN);
+ const node_t *node;
+
+ /* We once used this function to select a node to be a guard; passing
+ * 'state == NULL' was the signal for that. We don't do that any more.
+ */
+ tor_assert_nonfatal(state);
+
+ if (state && options->UseEntryGuards &&
+ (purpose != CIRCUIT_PURPOSE_TESTING || options->BridgeRelay)) {
+ /* This request is for an entry server to use for a regular circuit,
+ * and we use entry guard nodes. Just return one of the guard nodes. */
+ tor_assert(guard_state_out);
+ return guards_choose_guard(state, purpose, guard_state_out);
+ }
+
+ excluded = smartlist_new();
+
+ if (state && (node = build_state_get_exit_node(state))) {
+ /* Exclude the exit node from the state, if we have one. Also exclude its
+ * family. */
+ nodelist_add_node_and_family(excluded, node);
+ }
+
+ if (state) {
+ if (state->need_uptime)
+ flags |= CRN_NEED_UPTIME;
+ if (state->need_capacity)
+ flags |= CRN_NEED_CAPACITY;
+ }
+
+ choice = router_choose_random_node(excluded, options->ExcludeNodes, flags);
+ smartlist_free(excluded);
+ return choice;
+}
+
+/** Return the first non-open hop in cpath, or return NULL if all
+ * hops are open. */
+static crypt_path_t *
+onion_next_hop_in_cpath(crypt_path_t *cpath)
+{
+ crypt_path_t *hop = cpath;
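+ /* The cpath is a circular list, so walk it exactly once from the head. */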
+ do {
+ if (hop->state != CPATH_STATE_OPEN)
+ return hop;
+ hop = hop->next;
+ } while (hop != cpath);
+ return NULL;
+}
+
+/** Choose a suitable next hop for the circuit <b>circ</b>, based on its
+ * build state, and append it to the circuit's cpath.
+ *
+ * Return 1 if the path is complete, 0 if we successfully added a hop,
+ * and -1 on error.
+ */
+STATIC int
+onion_extend_cpath(origin_circuit_t *circ)
+{
+ uint8_t purpose = circ->base_.purpose;
+ cpath_build_state_t *state = circ->build_state;
+ int cur_len = circuit_get_cpath_len(circ);
+ extend_info_t *info = NULL;
+
+ if (cur_len >= state->desired_path_len) {
+ log_debug(LD_CIRC, "Path is complete: %d steps long",
+ state->desired_path_len);
+ return 1;
+ }
+
+ log_debug(LD_CIRC, "Path is %d long; we want %d", cur_len,
+ state->desired_path_len);
+
+ if (cur_len == state->desired_path_len - 1) { /* Picking last node */
+ info = extend_info_dup(state->chosen_exit);
+ } else if (cur_len == 0) { /* picking first node */
+ const node_t *r = choose_good_entry_server(purpose, state,
+ &circ->guard_state);
+ if (r) {
+ /* If we're a client, use the preferred address rather than the
+ primary address, for potentially connecting to an IPv6 OR
+ port. Servers always want the primary (IPv4) address. */
+ int client = (server_mode(get_options()) == 0);
+ info = extend_info_from_node(r, client);
+ /* Clients can fail to find an allowed address */
+ tor_assert_nonfatal(info || client);
+ }
+ } else {
+ const node_t *r =
+ choose_good_middle_server(purpose, state, circ->cpath, cur_len);
+ if (r) {
+ info = extend_info_from_node(r, 0);
+ tor_assert_nonfatal(info);
+ }
+ }
+
+ if (!info) {
+ log_warn(LD_CIRC,"Failed to find node for hop #%d of our path. Discarding "
+ "this circuit.", cur_len+1);
+ return -1;
+ }
+
+ log_debug(LD_CIRC,"Chose router %s for hop #%d (exit is %s)",
+ extend_info_describe(info),
+ cur_len+1, build_state_get_exit_nickname(state));
+
+ onion_append_hop(&circ->cpath, info);
+ extend_info_free(info);
+ return 0;
+}
+
+/** Create a new hop, annotate it with information about its
+ * corresponding router <b>choice</b>, and append it to the
+ * end of the cpath <b>head_ptr</b>. */
+STATIC int
+onion_append_hop(crypt_path_t **head_ptr, extend_info_t *choice)
+{
+ crypt_path_t *hop = tor_malloc_zero(sizeof(crypt_path_t));
+
+ /* link hop into the cpath, at the end. */
+ onion_append_to_cpath(head_ptr, hop);
+
+ hop->magic = CRYPT_PATH_MAGIC;
+ hop->state = CPATH_STATE_CLOSED;
+
+ hop->extend_info = extend_info_dup(choice);
+
+ hop->package_window = circuit_initial_package_window();
+ hop->deliver_window = CIRCWINDOW_START;
+
+ return 0;
+}
+
+/** Allocate a new extend_info object based on the various arguments. */
+extend_info_t *
+extend_info_new(const char *nickname,
+ const char *rsa_id_digest,
+ const ed25519_public_key_t *ed_id,
+ crypto_pk_t *onion_key,
+ const curve25519_public_key_t *ntor_key,
+ const tor_addr_t *addr, uint16_t port)
+{
+ extend_info_t *info = tor_malloc_zero(sizeof(extend_info_t));
+ memcpy(info->identity_digest, rsa_id_digest, DIGEST_LEN);
+ if (ed_id && !ed25519_public_key_is_zero(ed_id))
+ memcpy(&info->ed_identity, ed_id, sizeof(ed25519_public_key_t));
+ if (nickname)
+ strlcpy(info->nickname, nickname, sizeof(info->nickname));
+ if (onion_key)
+ info->onion_key = crypto_pk_dup_key(onion_key);
+ if (ntor_key)
+ memcpy(&info->curve25519_onion_key, ntor_key,
+ sizeof(curve25519_public_key_t));
+ tor_addr_copy(&info->addr, addr);
+ info->port = port;
+ return info;
+}
+
+/** Allocate and return a new extend_info that can be used to build a
+ * circuit to or through the node <b>node</b>. Use the primary address
+ * of the node (i.e. its IPv4 address) unless
+ * <b>for_direct_connect</b> is true, in which case the preferred
+ * address is used instead. May return NULL if there is not enough
+ * info about <b>node</b> to extend to it--for example, if the preferred
+ * routerinfo_t or microdesc_t is missing, or if for_direct_connect is
+ * true and none of the node's addresses is allowed by tor's firewall
+ * and IP version config.
+ **/
+extend_info_t *
+extend_info_from_node(const node_t *node, int for_direct_connect)
+{
+ tor_addr_port_t ap;
+ int valid_addr = 0;
+
+ if (!node_has_preferred_descriptor(node, for_direct_connect)) {
+ return NULL;
+ }
+
+ /* Choose a preferred address first, but fall back to an allowed address. */
+ if (for_direct_connect)
+ fascist_firewall_choose_address_node(node, FIREWALL_OR_CONNECTION, 0, &ap);
+ else {
+ node_get_prim_orport(node, &ap);
+ }
+ valid_addr = tor_addr_port_is_valid_ap(&ap, 0);
+
+ if (valid_addr)
+ log_debug(LD_CIRC, "using %s for %s",
+ fmt_addrport(&ap.addr, ap.port),
+ node->ri ? node->ri->nickname : node->rs->nickname);
+ else
+ log_warn(LD_CIRC, "Could not choose valid address for %s",
+ node->ri ? node->ri->nickname : node->rs->nickname);
+
+ /* Every node we connect or extend to must support ntor */
+ if (!node_has_curve25519_onion_key(node)) {
+ log_fn(LOG_PROTOCOL_WARN, LD_CIRC,
+ "Attempted to create extend_info for a node that does not support "
+ "ntor: %s", node_describe(node));
+ return NULL;
+ }
+
+ const ed25519_public_key_t *ed_pubkey = NULL;
+
+ /* Don't send the ed25519 pubkey unless the target node actually supports
+ * authenticating with it. */
+ if (node_supports_ed25519_link_authentication(node, 0)) {
+ log_info(LD_CIRC, "Including Ed25519 ID for %s", node_describe(node));
+ ed_pubkey = node_get_ed25519_id(node);
+ } else if (node_get_ed25519_id(node)) {
+ log_info(LD_CIRC, "Not including the ed25519 ID for %s, since it won't "
+ "be able to authenticate it.",
+ node_describe(node));
+ }
+
+ /* Retrieve the curve25519 pubkey. */
+ const curve25519_public_key_t *curve_pubkey =
+ node_get_curve25519_onion_key(node);
+
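+ /* Build the extend_info from the routerinfo if we have one; otherwise
+ * fall back to the routerstatus plus microdescriptor. */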
+ if (valid_addr && node->ri)
+ return extend_info_new(node->ri->nickname,
+ node->identity,
+ ed_pubkey,
+ node->ri->onion_pkey,
+ curve_pubkey,
+ &ap.addr,
+ ap.port);
+ else if (valid_addr && node->rs && node->md)
+ return extend_info_new(node->rs->nickname,
+ node->identity,
+ ed_pubkey,
+ node->md->onion_pkey,
+ curve_pubkey,
+ &ap.addr,
+ ap.port);
+ else
+ return NULL;
+}
+
+/** Release storage held by an extend_info_t struct. */
+void
+extend_info_free_(extend_info_t *info)
+{
+ if (!info)
+ return;
+ crypto_pk_free(info->onion_key);
+ tor_free(info);
+}
+
+/** Allocate and return a new extend_info_t with the same contents as
+ * <b>info</b>. */
+extend_info_t *
+extend_info_dup(extend_info_t *info)
+{
+ extend_info_t *newinfo;
+ tor_assert(info);
+ newinfo = tor_malloc(sizeof(extend_info_t));
+ memcpy(newinfo, info, sizeof(extend_info_t));
+ if (info->onion_key)
+ newinfo->onion_key = crypto_pk_dup_key(info->onion_key);
+ else
+ newinfo->onion_key = NULL;
+ return newinfo;
+}
+
+/** Return the node_t for the chosen exit router in <b>state</b>.
+ * If there is no chosen exit, or if we don't know the node_t for
+ * the chosen exit, return NULL.
+ */
+const node_t *
+build_state_get_exit_node(cpath_build_state_t *state)
+{
+ if (!state || !state->chosen_exit)
+ return NULL;
+ return node_get_by_id(state->chosen_exit->identity_digest);
+}
+
+/** Return the RSA ID digest for the chosen exit router in <b>state</b>.
+ * If there is no chosen exit, return NULL.
+ */
+const uint8_t *
+build_state_get_exit_rsa_id(cpath_build_state_t *state)
+{
+ if (!state || !state->chosen_exit)
+ return NULL;
+ return (const uint8_t *) state->chosen_exit->identity_digest;
+}
+
+/** Return the nickname for the chosen exit router in <b>state</b>. If
+ * there is no chosen exit, or if we don't know the routerinfo_t for the
+ * chosen exit, return NULL.
+ */
+const char *
+build_state_get_exit_nickname(cpath_build_state_t *state)
+{
+ if (!state || !state->chosen_exit)
+ return NULL;
+ return state->chosen_exit->nickname;
+}
+
+/** Return true iff the given address can be used to extend to. */
+int
+extend_info_addr_is_allowed(const tor_addr_t *addr)
+{
+ tor_assert(addr);
+
+ /* Check if we have a private address and if we can extend to it. */
+ if ((tor_addr_is_internal(addr, 0) || tor_addr_is_multicast(addr)) &&
+ !get_options()->ExtendAllowPrivateAddresses) {
+ goto disallow;
+ }
+ /* Allowed! */
+ return 1;
+ disallow:
+ return 0;
+}
+
+/* Does ei have a valid TAP key? */
+int
+extend_info_supports_tap(const extend_info_t* ei)
+{
+ tor_assert(ei);
+ /* Valid TAP keys are not NULL */
+ return ei->onion_key != NULL;
+}
+
+/* Does ei have a valid ntor key? */
+int
+extend_info_supports_ntor(const extend_info_t* ei)
+{
+ tor_assert(ei);
+ /* Valid ntor keys have at least one non-zero byte */
+ return !tor_mem_is_zero(
+ (const char*)ei->curve25519_onion_key.public_key,
+ CURVE25519_PUBKEY_LEN);
+}
+
+/* Is circuit purpose allowed to use the deprecated TAP encryption protocol?
+ * The hidden service protocol still uses TAP for some connections, because
+ * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
+static int
+circuit_purpose_can_use_tap_impl(uint8_t purpose)
+{
+ return (purpose == CIRCUIT_PURPOSE_S_CONNECT_REND ||
+ purpose == CIRCUIT_PURPOSE_C_INTRODUCING);
+}
+
+/* Is circ allowed to use the deprecated TAP encryption protocol?
+ * The hidden service protocol still uses TAP for some connections, because
+ * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
+int
+circuit_can_use_tap(const origin_circuit_t *circ)
+{
+ tor_assert(circ);
+ tor_assert(circ->cpath);
+ tor_assert(circ->cpath->extend_info);
+ return (circuit_purpose_can_use_tap_impl(circ->base_.purpose) &&
+ extend_info_supports_tap(circ->cpath->extend_info));
+}
+
+/* Does circ have an onion key which it's allowed to use? */
+int
+circuit_has_usable_onion_key(const origin_circuit_t *circ)
+{
+ tor_assert(circ);
+ tor_assert(circ->cpath);
+ tor_assert(circ->cpath->extend_info);
+ return (extend_info_supports_ntor(circ->cpath->extend_info) ||
+ circuit_can_use_tap(circ));
+}
+
+/* Does ei have an onion key which it would prefer to use?
+ * Currently, we prefer ntor keys. */
+int
+extend_info_has_preferred_onion_key(const extend_info_t* ei)
+{
+ tor_assert(ei);
+ return extend_info_supports_ntor(ei);
+}
+
+/** Find the circuits that are waiting to find out whether their guards are
+ * usable, and if any are ready to become usable, mark them open and try
+ * attaching streams as appropriate. */
+void
+circuit_upgrade_circuits_from_guard_wait(void)
+{
+ smartlist_t *to_upgrade =
+ circuit_find_circuits_to_upgrade_from_guard_wait();
+
+ if (to_upgrade == NULL)
+ return;
+
+ log_info(LD_GUARD, "Upgrading %d circuits from 'waiting for better guard' "
+ "to 'open'.", smartlist_len(to_upgrade));
+
+ SMARTLIST_FOREACH_BEGIN(to_upgrade, origin_circuit_t *, circ) {
+ circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_OPEN);
+ circuit_has_opened(circ);
+ } SMARTLIST_FOREACH_END(circ);
+
+ smartlist_free(to_upgrade);
+}
+
diff --cc src/core/or/circuitbuild.h
index 0c6f2f6ce,000000000..cee71b297
mode 100644,000000..100644
--- a/src/core/or/circuitbuild.h
+++ b/src/core/or/circuitbuild.h
@@@ -1,103 -1,0 +1,102 @@@
+/* Copyright (c) 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file circuitbuild.h
+ * \brief Header file for circuitbuild.c.
+ **/
+
+#ifndef TOR_CIRCUITBUILD_H
+#define TOR_CIRCUITBUILD_H
+
+struct ed25519_public_key_t;
+struct curve25519_public_key_t;
+
+int route_len_for_purpose(uint8_t purpose, extend_info_t *exit_ei);
+char *circuit_list_path(origin_circuit_t *circ, int verbose);
+char *circuit_list_path_for_controller(origin_circuit_t *circ);
+void circuit_log_path(int severity, unsigned int domain,
+ origin_circuit_t *circ);
+origin_circuit_t *origin_circuit_init(uint8_t purpose, int flags);
+origin_circuit_t *circuit_establish_circuit(uint8_t purpose,
+ extend_info_t *exit,
+ int flags);
+struct circuit_guard_state_t *origin_circuit_get_guard_state(
+ origin_circuit_t *circ);
+int circuit_handle_first_hop(origin_circuit_t *circ);
+void circuit_n_chan_done(channel_t *chan, int status,
+ int close_origin_circuits);
+int inform_testing_reachability(void);
+int circuit_timeout_want_to_count_circ(const origin_circuit_t *circ);
+int circuit_send_next_onion_skin(origin_circuit_t *circ);
+void circuit_note_clock_jumped(int64_t seconds_elapsed, bool was_idle);
+int circuit_extend(cell_t *cell, circuit_t *circ);
+int circuit_init_cpath_crypto(crypt_path_t *cpath,
+ const char *key_data, size_t key_data_len,
+ int reverse, int is_hs_v3);
+struct created_cell_t;
+int circuit_finish_handshake(origin_circuit_t *circ,
+ const struct created_cell_t *created_cell);
- int circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer,
- int reason);
++int circuit_truncated(origin_circuit_t *circ, int reason);
+int onionskin_answer(or_circuit_t *circ,
+ const struct created_cell_t *created_cell,
+ const char *keys, size_t keys_len,
+ const uint8_t *rend_circ_nonce);
+MOCK_DECL(int, circuit_all_predicted_ports_handled, (time_t now,
+ int *need_uptime,
+ int *need_capacity));
+
+int circuit_append_new_exit(origin_circuit_t *circ, extend_info_t *info);
+int circuit_extend_to_new_exit(origin_circuit_t *circ, extend_info_t *info);
+void onion_append_to_cpath(crypt_path_t **head_ptr, crypt_path_t *new_hop);
+extend_info_t *extend_info_new(const char *nickname,
+ const char *rsa_id_digest,
+ const struct ed25519_public_key_t *ed_id,
+ crypto_pk_t *onion_key,
+ const struct curve25519_public_key_t *ntor_key,
+ const tor_addr_t *addr, uint16_t port);
+extend_info_t *extend_info_from_node(const node_t *r, int for_direct_connect);
+extend_info_t *extend_info_dup(extend_info_t *info);
+void extend_info_free_(extend_info_t *info);
+#define extend_info_free(info) \
+ FREE_AND_NULL(extend_info_t, extend_info_free_, (info))
+int extend_info_addr_is_allowed(const tor_addr_t *addr);
+int extend_info_supports_tap(const extend_info_t* ei);
+int extend_info_supports_ntor(const extend_info_t* ei);
+int circuit_can_use_tap(const origin_circuit_t *circ);
+int circuit_has_usable_onion_key(const origin_circuit_t *circ);
+int extend_info_has_preferred_onion_key(const extend_info_t* ei);
+const uint8_t *build_state_get_exit_rsa_id(cpath_build_state_t *state);
+const node_t *build_state_get_exit_node(cpath_build_state_t *state);
+const char *build_state_get_exit_nickname(cpath_build_state_t *state);
+
+struct circuit_guard_state_t;
+
+const node_t *choose_good_entry_server(uint8_t purpose,
+ cpath_build_state_t *state,
+ struct circuit_guard_state_t **guard_state_out);
+void circuit_upgrade_circuits_from_guard_wait(void);
+
+#ifdef CIRCUITBUILD_PRIVATE
+STATIC circid_t get_unique_circ_id_by_chan(channel_t *chan);
+STATIC int new_route_len(uint8_t purpose, extend_info_t *exit_ei,
+ smartlist_t *nodes);
+MOCK_DECL(STATIC int, count_acceptable_nodes, (smartlist_t *nodes));
+
+STATIC int onion_extend_cpath(origin_circuit_t *circ);
+
+STATIC int
+onion_pick_cpath_exit(origin_circuit_t *circ, extend_info_t *exit_ei,
+ int is_hs_v3_rp_circuit);
+
+#if defined(TOR_UNIT_TESTS)
+unsigned int cpath_get_n_hops(crypt_path_t **head_ptr);
+
+#endif /* defined(TOR_UNIT_TESTS) */
+
+#endif /* defined(CIRCUITBUILD_PRIVATE) */
+
+#endif /* !defined(TOR_CIRCUITBUILD_H) */
diff --cc src/core/or/circuitlist.c
index f39e05ecd,000000000..78ecadab7
mode 100644,000000..100644
--- a/src/core/or/circuitlist.c
+++ b/src/core/or/circuitlist.c
@@@ -1,2742 -1,0 +1,2751 @@@
+/* Copyright 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file circuitlist.c
+ *
+ * \brief Manage global structures that list and index circuits, and
+ * look up circuits within them.
+ *
+ * One of the most frequent operations in Tor occurs every time that
+ * a relay cell arrives on a channel. When that happens, we need to
+ * find which circuit it is associated with, based on the channel and the
+ * circuit ID in the relay cell.
+ *
+ * To handle that, we maintain a global list of circuits, and a hashtable
+ * mapping [channel,circID] pairs to circuits. Circuits are added to and
+ * removed from this mapping using circuit_set_p_circid_chan() and
+ * circuit_set_n_circid_chan(). To look up a circuit from this map, most
+ * callers should use circuit_get_by_circid_channel(), though
+ * circuit_get_by_circid_channel_even_if_marked() is appropriate under some
+ * circumstances.
+ *
+ * We also need to allow for the possibility that we have blocked use of a
+ * circuit ID (because we are waiting to send a DESTROY cell), but the
+ * circuit is not there any more. For that case, we allow placeholder
+ * entries in the table, using channel_mark_circid_unusable().
+ *
+ * To efficiently handle a channel that has just opened, we also maintain a
+ * list of the circuits waiting for channels, so we can attach them as
+ * needed without iterating through the whole list of circuits, using
+ * circuit_get_all_pending_on_channel().
+ *
+ * In this module, we also handle the list of circuits that have been
+ * marked for close elsewhere, and close them as needed. (We use this
+ * "mark now, close later" pattern here and elsewhere to avoid
+ * unpredictable recursion if we closed every circuit immediately upon
+ * realizing it needed to close.) See circuit_mark_for_close() for the
+ * mark function, and circuit_close_all_marked() for the close function.
+ *
+ * For hidden services, we need to be able to look up introduction point
+ * circuits and rendezvous circuits by cookie, key, etc. These are
+ * currently handled with linear searches in
+ * circuit_get_ready_rend_circuit_by_rend_data(),
+ * circuit_get_next_by_pk_and_purpose(), and with hash lookups in
+ * circuit_get_rendezvous() and circuit_get_intro_point().
+ *
+ * This module is also the entry point for our out-of-memory handler
+ * logic, which was originally circuit-focused.
+ **/
+#define CIRCUITLIST_PRIVATE
+#include "lib/cc/torint.h" /* TOR_PRIuSZ */
+
+#include "core/or/or.h"
+#include "core/or/channel.h"
+#include "feature/client/circpathbias.h"
+#include "core/or/circuitbuild.h"
+#include "core/or/circuitlist.h"
+#include "core/or/circuituse.h"
+#include "core/or/circuitstats.h"
+#include "core/mainloop/connection.h"
+#include "app/config/config.h"
+#include "core/or/connection_edge.h"
+#include "core/or/connection_or.h"
+#include "feature/control/control.h"
+#include "lib/crypt_ops/crypto_rand.h"
+#include "lib/crypt_ops/crypto_util.h"
+#include "lib/crypt_ops/crypto_dh.h"
+#include "feature/dircache/directory.h"
+#include "feature/client/entrynodes.h"
+#include "core/mainloop/main.h"
+#include "feature/hs/hs_circuit.h"
+#include "feature/hs/hs_circuitmap.h"
+#include "feature/hs/hs_ident.h"
+#include "feature/nodelist/networkstatus.h"
+#include "feature/nodelist/nodelist.h"
+#include "core/crypto/onion.h"
+#include "core/crypto/onion_fast.h"
+#include "core/or/policies.h"
+#include "core/or/relay.h"
+#include "core/crypto/relay_crypto.h"
+#include "feature/rend/rendclient.h"
+#include "feature/rend/rendcommon.h"
+#include "feature/stats/rephist.h"
+#include "feature/nodelist/routerlist.h"
+#include "feature/nodelist/routerset.h"
+#include "core/or/channelpadding.h"
+#include "lib/compress/compress.h"
+#include "lib/compress/compress_lzma.h"
+#include "lib/compress/compress_zlib.h"
+#include "lib/compress/compress_zstd.h"
+#include "lib/container/buffers.h"
+
+#include "ht.h"
+
+#include "core/or/cpath_build_state_st.h"
+#include "core/or/crypt_path_reference_st.h"
+#include "feature/dircommon/dir_connection_st.h"
+#include "core/or/edge_connection_st.h"
++#include "core/or/half_edge_st.h"
+#include "core/or/extend_info_st.h"
+#include "core/or/or_circuit_st.h"
+#include "core/or/origin_circuit_st.h"
+
+/********* START VARIABLES **********/
+
+/** A global list of all circuits at this hop. */
+static smartlist_t *global_circuitlist = NULL;
+
+/** A global list of all origin circuits. Every element of this is also
+ * an element of global_circuitlist. */
+static smartlist_t *global_origin_circuit_list = NULL;
+
+/** A list of all the circuits in CIRCUIT_STATE_CHAN_WAIT. */
+static smartlist_t *circuits_pending_chans = NULL;
+
+/** List of all the (origin) circuits whose state is
+ * CIRCUIT_STATE_GUARD_WAIT. */
+static smartlist_t *circuits_pending_other_guards = NULL;
+
+/** A list of all the circuits that have been marked with
+ * circuit_mark_for_close and which are waiting for circuit_about_to_free. */
+static smartlist_t *circuits_pending_close = NULL;
+
+static void circuit_free_cpath_node(crypt_path_t *victim);
+static void cpath_ref_decref(crypt_path_reference_t *cpath_ref);
+static void circuit_about_to_free_atexit(circuit_t *circ);
+static void circuit_about_to_free(circuit_t *circ);
+
+/**
+ * A cached value of the current state of the origin circuit list. Has the
+ * value 1 if we saw any opened circuits recently (since the last call to
+ * circuit_any_opened_circuits(), which gets called around once a second by
+ * circuit_expire_building). 0 otherwise.
+ */
+static int any_opened_circs_cached_val = 0;
+
+/********* END VARIABLES ************/
+
+or_circuit_t *
+TO_OR_CIRCUIT(circuit_t *x)
+{
+ tor_assert(x->magic == OR_CIRCUIT_MAGIC);
+ return DOWNCAST(or_circuit_t, x);
+}
+const or_circuit_t *
+CONST_TO_OR_CIRCUIT(const circuit_t *x)
+{
+ tor_assert(x->magic == OR_CIRCUIT_MAGIC);
+ return DOWNCAST(or_circuit_t, x);
+}
+origin_circuit_t *
+TO_ORIGIN_CIRCUIT(circuit_t *x)
+{
+ tor_assert(x->magic == ORIGIN_CIRCUIT_MAGIC);
+ return DOWNCAST(origin_circuit_t, x);
+}
+const origin_circuit_t *
+CONST_TO_ORIGIN_CIRCUIT(const circuit_t *x)
+{
+ tor_assert(x->magic == ORIGIN_CIRCUIT_MAGIC);
+ return DOWNCAST(origin_circuit_t, x);
+}
+
+/** A map from channel and circuit ID to circuit. (Lookup performance is
+ * very important here, since we need to do it every time a cell arrives.) */
+typedef struct chan_circid_circuit_map_t {
+ HT_ENTRY(chan_circid_circuit_map_t) node;
+ channel_t *chan;
+ circid_t circ_id;
+ circuit_t *circuit;
+ /* For debugging 12184: when was this placeholder item added? */
+ time_t made_placeholder_at;
+} chan_circid_circuit_map_t;
+
+/** Helper for hash tables: compare the channel and circuit ID for a and
+ * b, and return less than, equal to, or greater than zero appropriately.
+ */
+static inline int
+chan_circid_entries_eq_(chan_circid_circuit_map_t *a,
+ chan_circid_circuit_map_t *b)
+{
+ return a->chan == b->chan && a->circ_id == b->circ_id;
+}
+
+/** Helper: return a hash based on circuit ID and the pointer value of
+ * chan in <b>a</b>. */
+static inline unsigned int
+chan_circid_entry_hash_(chan_circid_circuit_map_t *a)
+{
+  /* Try to squeeze the siphash input into 8 bytes to save any extra siphash
+ * rounds. This hash function is in the critical path. */
+ uintptr_t chan = (uintptr_t) (void*) a->chan;
+ uint32_t array[2];
+ array[0] = a->circ_id;
+ /* The low bits of the channel pointer are uninteresting, since the channel
+ * is a pretty big structure. */
+ array[1] = (uint32_t) (chan >> 6);
+ return (unsigned) siphash24g(array, sizeof(array));
+}
+
+/** Map from [chan,circid] to circuit. */
+static HT_HEAD(chan_circid_map, chan_circid_circuit_map_t)
+ chan_circid_map = HT_INITIALIZER();
+HT_PROTOTYPE(chan_circid_map, chan_circid_circuit_map_t, node,
+ chan_circid_entry_hash_, chan_circid_entries_eq_)
+HT_GENERATE2(chan_circid_map, chan_circid_circuit_map_t, node,
+ chan_circid_entry_hash_, chan_circid_entries_eq_, 0.6,
+ tor_reallocarray_, tor_free_)
+
+/** The most recently returned entry from circuit_get_by_circid_chan;
+ * used to improve performance when many cells arrive in a row from the
+ * same circuit.
+ */
+static chan_circid_circuit_map_t *_last_circid_chan_ent = NULL;
+
+/** Implementation helper for circuit_set_{p,n}_circid_channel: A circuit ID
+ * and/or channel for circ has just changed from <b>old_chan, old_id</b>
+ * to <b>chan, id</b>. Adjust the chan,circid map as appropriate, removing
+ * the old entry (if any) and adding a new one. */
+static void
+circuit_set_circid_chan_helper(circuit_t *circ, int direction,
+ circid_t id,
+ channel_t *chan)
+{
+ chan_circid_circuit_map_t search;
+ chan_circid_circuit_map_t *found;
+ channel_t *old_chan, **chan_ptr;
+ circid_t old_id, *circid_ptr;
+ int make_active, attached = 0;
+
+ if (direction == CELL_DIRECTION_OUT) {
+ chan_ptr = &circ->n_chan;
+ circid_ptr = &circ->n_circ_id;
+ make_active = circ->n_chan_cells.n > 0;
+ } else {
+ or_circuit_t *c = TO_OR_CIRCUIT(circ);
+ chan_ptr = &c->p_chan;
+ circid_ptr = &c->p_circ_id;
+ make_active = c->p_chan_cells.n > 0;
+ }
+ old_chan = *chan_ptr;
+ old_id = *circid_ptr;
+
+ if (id == old_id && chan == old_chan)
+ return;
+
+ if (_last_circid_chan_ent &&
+ ((old_id == _last_circid_chan_ent->circ_id &&
+ old_chan == _last_circid_chan_ent->chan) ||
+ (id == _last_circid_chan_ent->circ_id &&
+ chan == _last_circid_chan_ent->chan))) {
+ _last_circid_chan_ent = NULL;
+ }
+
+ if (old_chan) {
+ /*
+ * If we're changing channels or ID and had an old channel and a non
+ * zero old ID and weren't marked for close (i.e., we should have been
+ * attached), detach the circuit. ID changes require this because
+ * circuitmux hashes on (channel_id, circuit_id).
+ */
+ if (old_id != 0 && (old_chan != chan || old_id != id) &&
+ !(circ->marked_for_close)) {
+ tor_assert(old_chan->cmux);
+ circuitmux_detach_circuit(old_chan->cmux, circ);
+ }
+
+ /* we may need to remove it from the conn-circid map */
+ search.circ_id = old_id;
+ search.chan = old_chan;
+ found = HT_REMOVE(chan_circid_map, &chan_circid_map, &search);
+ if (found) {
+ tor_free(found);
+ if (direction == CELL_DIRECTION_OUT) {
+ /* One fewer circuits use old_chan as n_chan */
+ --(old_chan->num_n_circuits);
+ } else {
+ /* One fewer circuits use old_chan as p_chan */
+ --(old_chan->num_p_circuits);
+ }
+ }
+ }
+
+ /* Change the values only after we have possibly made the circuit inactive
+ * on the previous chan. */
+ *chan_ptr = chan;
+ *circid_ptr = id;
+
+ if (chan == NULL)
+ return;
+
+ /* now add the new one to the conn-circid map */
+ search.circ_id = id;
+ search.chan = chan;
+ found = HT_FIND(chan_circid_map, &chan_circid_map, &search);
+ if (found) {
+ found->circuit = circ;
+ found->made_placeholder_at = 0;
+ } else {
+ found = tor_malloc_zero(sizeof(chan_circid_circuit_map_t));
+ found->circ_id = id;
+ found->chan = chan;
+ found->circuit = circ;
+ HT_INSERT(chan_circid_map, &chan_circid_map, found);
+ }
+
+ /*
+ * Attach to the circuitmux if we're changing channels or IDs and
+ * have a new channel and ID to use and the circuit is not marked for
+ * close.
+ */
+ if (chan && id != 0 && (old_chan != chan || old_id != id) &&
+ !(circ->marked_for_close)) {
+ tor_assert(chan->cmux);
+ circuitmux_attach_circuit(chan->cmux, circ, direction);
+ attached = 1;
+ }
+
+ /*
+ * This is a no-op if we have no cells, but if we do it marks us active to
+ * the circuitmux
+ */
+ if (make_active && attached)
+ update_circuit_on_cmux(circ, direction);
+
+ /* Adjust circuit counts on new channel */
+ if (direction == CELL_DIRECTION_OUT) {
+ ++chan->num_n_circuits;
+ } else {
+ ++chan->num_p_circuits;
+ }
+}
+
+/** Mark that circuit id <b>id</b> shouldn't be used on channel <b>chan</b>,
+ * even if there is no circuit on the channel. We use this to keep the
+ * circuit id from getting re-used while we have queued but not yet sent
+ * a destroy cell. */
+void
+channel_mark_circid_unusable(channel_t *chan, circid_t id)
+{
+ chan_circid_circuit_map_t search;
+ chan_circid_circuit_map_t *ent;
+
+ /* See if there's an entry there. That wouldn't be good. */
+ memset(&search, 0, sizeof(search));
+ search.chan = chan;
+ search.circ_id = id;
+ ent = HT_FIND(chan_circid_map, &chan_circid_map, &search);
+
+ if (ent && ent->circuit) {
+ /* we have a problem. */
+ log_warn(LD_BUG, "Tried to mark %u unusable on %p, but there was already "
+ "a circuit there.", (unsigned)id, chan);
+ } else if (ent) {
+ /* It's already marked. */
+ if (!ent->made_placeholder_at)
+ ent->made_placeholder_at = approx_time();
+ } else {
+ ent = tor_malloc_zero(sizeof(chan_circid_circuit_map_t));
+ ent->chan = chan;
+ ent->circ_id = id;
+ /* leave circuit at NULL. */
+ ent->made_placeholder_at = approx_time();
+ HT_INSERT(chan_circid_map, &chan_circid_map, ent);
+ }
+}
+
+/** Mark that a circuit id <b>id</b> can be used again on <b>chan</b>.
+ * We use this to re-enable the circuit ID after we've sent a destroy cell.
+ */
+void
+channel_mark_circid_usable(channel_t *chan, circid_t id)
+{
+ chan_circid_circuit_map_t search;
+ chan_circid_circuit_map_t *ent;
+
+ /* See if there's an entry there. That wouldn't be good. */
+ memset(&search, 0, sizeof(search));
+ search.chan = chan;
+ search.circ_id = id;
+ ent = HT_REMOVE(chan_circid_map, &chan_circid_map, &search);
+ if (ent && ent->circuit) {
+ log_warn(LD_BUG, "Tried to mark %u usable on %p, but there was already "
+ "a circuit there.", (unsigned)id, chan);
+ return;
+ }
+ if (_last_circid_chan_ent == ent)
+ _last_circid_chan_ent = NULL;
+ tor_free(ent);
+}
+
+/** Called to indicate that a DESTROY is pending on <b>chan</b> with
+ * circuit ID <b>id</b>, but hasn't been sent yet. */
+void
+channel_note_destroy_pending(channel_t *chan, circid_t id)
+{
+ circuit_t *circ = circuit_get_by_circid_channel_even_if_marked(id,chan);
+ if (circ) {
+ if (circ->n_chan == chan && circ->n_circ_id == id) {
+ circ->n_delete_pending = 1;
+ } else {
+ or_circuit_t *orcirc = TO_OR_CIRCUIT(circ);
+ if (orcirc->p_chan == chan && orcirc->p_circ_id == id) {
+ circ->p_delete_pending = 1;
+ }
+ }
+ return;
+ }
+ channel_mark_circid_unusable(chan, id);
+}
+
+/** Called to indicate that a DESTROY is no longer pending on <b>chan</b> with
+ * circuit ID <b>id</b> -- typically, because it has been sent. */
+MOCK_IMPL(void,
+channel_note_destroy_not_pending,(channel_t *chan, circid_t id))
+{
+ circuit_t *circ = circuit_get_by_circid_channel_even_if_marked(id,chan);
+ if (circ) {
+ if (circ->n_chan == chan && circ->n_circ_id == id) {
+ circ->n_delete_pending = 0;
+ } else {
+ or_circuit_t *orcirc = TO_OR_CIRCUIT(circ);
+ if (orcirc->p_chan == chan && orcirc->p_circ_id == id) {
+ circ->p_delete_pending = 0;
+ }
+ }
+ /* XXXX this shouldn't happen; log a bug here. */
+ return;
+ }
+ channel_mark_circid_usable(chan, id);
+}
+
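+/* A rough sketch of the DESTROY bookkeeping above, for a hypothetical caller
+ * that queues and later flushes a DESTROY cell for (chan, id):
+ *
+ *   channel_note_destroy_pending(chan, id);      // DESTROY queued
+ *   ...                                          // DESTROY finally sent
+ *   channel_note_destroy_not_pending(chan, id);  // circuit ID usable again
+ *
+ * In between, either the circuit's delete_pending flag or a placeholder
+ * entry (see channel_mark_circid_unusable()) keeps the circuit ID from
+ * being re-used on that channel.
+ */
+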
+/** Set the p_chan field of <b>or_circ</b>, along
+ * with the corresponding circuit ID, and add the circuit as appropriate
+ * to the (chan,id)-\>circuit map. */
+void
+circuit_set_p_circid_chan(or_circuit_t *or_circ, circid_t id,
+ channel_t *chan)
+{
+ circuit_t *circ = TO_CIRCUIT(or_circ);
+ channel_t *old_chan = or_circ->p_chan;
+ circid_t old_id = or_circ->p_circ_id;
+
+ circuit_set_circid_chan_helper(circ, CELL_DIRECTION_IN, id, chan);
+
+ if (chan) {
+ chan->timestamp_last_had_circuits = approx_time();
+ }
+
+ if (circ->p_delete_pending && old_chan) {
+ channel_mark_circid_unusable(old_chan, old_id);
+ circ->p_delete_pending = 0;
+ }
+}
+
+/** Set the n_chan field of a circuit <b>circ</b>, along
+ * with the corresponding circuit ID, and add the circuit as appropriate
+ * to the (chan,id)-\>circuit map. */
+void
+circuit_set_n_circid_chan(circuit_t *circ, circid_t id,
+ channel_t *chan)
+{
+ channel_t *old_chan = circ->n_chan;
+ circid_t old_id = circ->n_circ_id;
+
+ circuit_set_circid_chan_helper(circ, CELL_DIRECTION_OUT, id, chan);
+
+ if (chan) {
+ chan->timestamp_last_had_circuits = approx_time();
+ }
+
+ if (circ->n_delete_pending && old_chan) {
+ channel_mark_circid_unusable(old_chan, old_id);
+ circ->n_delete_pending = 0;
+ }
+}
+
+/** Change the state of <b>circ</b> to <b>state</b>, adding it to or removing
+ * it from lists as appropriate. */
+void
+circuit_set_state(circuit_t *circ, uint8_t state)
+{
+ tor_assert(circ);
+ if (state == circ->state)
+ return;
+ if (PREDICT_UNLIKELY(!circuits_pending_chans))
+ circuits_pending_chans = smartlist_new();
+ if (PREDICT_UNLIKELY(!circuits_pending_other_guards))
+ circuits_pending_other_guards = smartlist_new();
+ if (circ->state == CIRCUIT_STATE_CHAN_WAIT) {
+ /* remove from waiting-circuit list. */
+ smartlist_remove(circuits_pending_chans, circ);
+ }
+ if (state == CIRCUIT_STATE_CHAN_WAIT) {
+ /* add to waiting-circuit list. */
+ smartlist_add(circuits_pending_chans, circ);
+ }
+ if (circ->state == CIRCUIT_STATE_GUARD_WAIT) {
+ smartlist_remove(circuits_pending_other_guards, circ);
+ }
+ if (state == CIRCUIT_STATE_GUARD_WAIT) {
+ smartlist_add(circuits_pending_other_guards, circ);
+ }
+ if (state == CIRCUIT_STATE_GUARD_WAIT || state == CIRCUIT_STATE_OPEN)
+ tor_assert(!circ->n_chan_create_cell);
+ circ->state = state;
+}
+
+/** Append to <b>out</b> all circuits in state CHAN_WAIT waiting for
+ * the given channel. */
+void
+circuit_get_all_pending_on_channel(smartlist_t *out, channel_t *chan)
+{
+ tor_assert(out);
+ tor_assert(chan);
+
+ if (!circuits_pending_chans)
+ return;
+
+ SMARTLIST_FOREACH_BEGIN(circuits_pending_chans, circuit_t *, circ) {
+ if (circ->marked_for_close)
+ continue;
+ if (!circ->n_hop)
+ continue;
+ tor_assert(circ->state == CIRCUIT_STATE_CHAN_WAIT);
+ if (tor_digest_is_zero(circ->n_hop->identity_digest)) {
+ /* Look at addr/port. This is an unkeyed connection. */
+ if (!channel_matches_extend_info(chan, circ->n_hop))
+ continue;
+ } else {
+ /* We expected a key. See if it's the right one. */
+ if (tor_memneq(chan->identity_digest,
+ circ->n_hop->identity_digest, DIGEST_LEN))
+ continue;
+ }
+ smartlist_add(out, circ);
+ } SMARTLIST_FOREACH_END(circ);
+}
+
+/** Return the number of circuits in state CHAN_WAIT, waiting for the given
+ * channel. */
+int
+circuit_count_pending_on_channel(channel_t *chan)
+{
+ int cnt;
+ smartlist_t *sl = smartlist_new();
+
+ tor_assert(chan);
+
+ circuit_get_all_pending_on_channel(sl, chan);
+ cnt = smartlist_len(sl);
+ smartlist_free(sl);
+ log_debug(LD_CIRC,"or_conn to %s, %d pending circs",
+ channel_get_canonical_remote_descr(chan),
+ cnt);
+ return cnt;
+}
+
+/** Remove <b>origin_circ</b> from the global list of origin circuits.
+ * Called when we are freeing a circuit.
+ */
+static void
+circuit_remove_from_origin_circuit_list(origin_circuit_t *origin_circ)
+{
+ int origin_idx = origin_circ->global_origin_circuit_list_idx;
+ if (origin_idx < 0)
+ return;
+ origin_circuit_t *c2;
+ tor_assert(origin_idx <= smartlist_len(global_origin_circuit_list));
+ c2 = smartlist_get(global_origin_circuit_list, origin_idx);
+ tor_assert(origin_circ == c2);
+ smartlist_del(global_origin_circuit_list, origin_idx);
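+  /* smartlist_del() moves the last element into the vacated slot, so update
+   * that element's cached index if anything was moved there. */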
+ if (origin_idx < smartlist_len(global_origin_circuit_list)) {
+ origin_circuit_t *replacement =
+ smartlist_get(global_origin_circuit_list, origin_idx);
+ replacement->global_origin_circuit_list_idx = origin_idx;
+ }
+ origin_circ->global_origin_circuit_list_idx = -1;
+}
+
+/** Add <b>origin_circ</b> to the global list of origin circuits. Called
+ * when creating the circuit. */
+static void
+circuit_add_to_origin_circuit_list(origin_circuit_t *origin_circ)
+{
+ tor_assert(origin_circ->global_origin_circuit_list_idx == -1);
+ smartlist_t *lst = circuit_get_global_origin_circuit_list();
+ smartlist_add(lst, origin_circ);
+ origin_circ->global_origin_circuit_list_idx = smartlist_len(lst) - 1;
+}
+
+/** Detach from the global circuit list, and deallocate, all
+ * circuits that have been marked for close.
+ */
+void
+circuit_close_all_marked(void)
+{
+ if (circuits_pending_close == NULL)
+ return;
+
+ smartlist_t *lst = circuit_get_global_list();
+ SMARTLIST_FOREACH_BEGIN(circuits_pending_close, circuit_t *, circ) {
+ tor_assert(circ->marked_for_close);
+
+ /* Remove it from the circuit list. */
+ int idx = circ->global_circuitlist_idx;
+ smartlist_del(lst, idx);
+ if (idx < smartlist_len(lst)) {
+ circuit_t *replacement = smartlist_get(lst, idx);
+ replacement->global_circuitlist_idx = idx;
+ }
+ circ->global_circuitlist_idx = -1;
+
+ /* Remove it from the origin circuit list, if appropriate. */
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ circuit_remove_from_origin_circuit_list(TO_ORIGIN_CIRCUIT(circ));
+ }
+
+ circuit_about_to_free(circ);
+ circuit_free(circ);
+ } SMARTLIST_FOREACH_END(circ);
+
+ smartlist_clear(circuits_pending_close);
+}
+
+/** Return a pointer to the global list of circuits. */
+MOCK_IMPL(smartlist_t *,
+circuit_get_global_list,(void))
+{
+ if (NULL == global_circuitlist)
+ global_circuitlist = smartlist_new();
+ return global_circuitlist;
+}
+
+/** Return a pointer to the global list of origin circuits. */
+smartlist_t *
+circuit_get_global_origin_circuit_list(void)
+{
+ if (NULL == global_origin_circuit_list)
+ global_origin_circuit_list = smartlist_new();
+ return global_origin_circuit_list;
+}
+
+/**
+ * Return true if we have any opened general-purpose 3 hop
+ * origin circuits.
+ *
+ * The result from this function is cached for use by
+ * circuit_any_opened_circuits_cached().
+ */
+int
+circuit_any_opened_circuits(void)
+{
+ SMARTLIST_FOREACH_BEGIN(circuit_get_global_origin_circuit_list(),
+ const origin_circuit_t *, next_circ) {
+ if (!TO_CIRCUIT(next_circ)->marked_for_close &&
+ next_circ->has_opened &&
+ TO_CIRCUIT(next_circ)->state == CIRCUIT_STATE_OPEN &&
+ TO_CIRCUIT(next_circ)->purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT &&
+ next_circ->build_state &&
+ next_circ->build_state->desired_path_len == DEFAULT_ROUTE_LEN) {
+ circuit_cache_opened_circuit_state(1);
+ return 1;
+ }
+ } SMARTLIST_FOREACH_END(next_circ);
+
+ circuit_cache_opened_circuit_state(0);
+ return 0;
+}
+
+/**
+ * Cache the "any circuits opened" state, as specified in param
+ * circuits_are_opened. This is a helper function to update
+ * the circuit opened status whenever we happen to look at the
+ * circuit list.
+ */
+void
+circuit_cache_opened_circuit_state(int circuits_are_opened)
+{
+ any_opened_circs_cached_val = circuits_are_opened;
+}
+
+/**
+ * Return true if there were any opened circuits since the last call to
+ * circuit_any_opened_circuits(), or since circuit_expire_building() last
+ * ran (it runs roughly once per second).
+ */
+int
+circuit_any_opened_circuits_cached(void)
+{
+ return any_opened_circs_cached_val;
+}
+
+/** Function to make circ-\>state human-readable */
+const char *
+circuit_state_to_string(int state)
+{
+ static char buf[64];
+ switch (state) {
+ case CIRCUIT_STATE_BUILDING: return "doing handshakes";
+ case CIRCUIT_STATE_ONIONSKIN_PENDING: return "processing the onion";
+ case CIRCUIT_STATE_CHAN_WAIT: return "connecting to server";
+ case CIRCUIT_STATE_GUARD_WAIT: return "waiting to see how other "
+ "guards perform";
+ case CIRCUIT_STATE_OPEN: return "open";
+ default:
+ log_warn(LD_BUG, "Unknown circuit state %d", state);
+ tor_snprintf(buf, sizeof(buf), "unknown state [%d]", state);
+ return buf;
+ }
+}
+
+/** Map a circuit purpose to a string suitable to be displayed to a
+ * controller. */
+const char *
+circuit_purpose_to_controller_string(uint8_t purpose)
+{
+ static char buf[32];
+ switch (purpose) {
+ case CIRCUIT_PURPOSE_OR:
+ case CIRCUIT_PURPOSE_INTRO_POINT:
+ case CIRCUIT_PURPOSE_REND_POINT_WAITING:
+ case CIRCUIT_PURPOSE_REND_ESTABLISHED:
+ return "SERVER"; /* A controller should never see these, actually. */
+
+ case CIRCUIT_PURPOSE_C_GENERAL:
+ return "GENERAL";
+
+ case CIRCUIT_PURPOSE_C_HSDIR_GET:
+ return "HS_CLIENT_HSDIR";
+
+ case CIRCUIT_PURPOSE_C_INTRODUCING:
+ case CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT:
+ case CIRCUIT_PURPOSE_C_INTRODUCE_ACKED:
+ return "HS_CLIENT_INTRO";
+
+ case CIRCUIT_PURPOSE_C_ESTABLISH_REND:
+ case CIRCUIT_PURPOSE_C_REND_READY:
+ case CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED:
+ case CIRCUIT_PURPOSE_C_REND_JOINED:
+ return "HS_CLIENT_REND";
+
+ case CIRCUIT_PURPOSE_S_HSDIR_POST:
+ return "HS_SERVICE_HSDIR";
+
+ case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO:
+ case CIRCUIT_PURPOSE_S_INTRO:
+ return "HS_SERVICE_INTRO";
+
+ case CIRCUIT_PURPOSE_S_CONNECT_REND:
+ case CIRCUIT_PURPOSE_S_REND_JOINED:
+ return "HS_SERVICE_REND";
+
+ case CIRCUIT_PURPOSE_TESTING:
+ return "TESTING";
+ case CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT:
+ return "MEASURE_TIMEOUT";
+ case CIRCUIT_PURPOSE_CONTROLLER:
+ return "CONTROLLER";
+ case CIRCUIT_PURPOSE_PATH_BIAS_TESTING:
+ return "PATH_BIAS_TESTING";
+ case CIRCUIT_PURPOSE_HS_VANGUARDS:
+ return "HS_VANGUARDS";
+
+ default:
+ tor_snprintf(buf, sizeof(buf), "UNKNOWN_%d", (int)purpose);
+ return buf;
+ }
+}
+
+/** Return a string specifying the state of the hidden-service circuit
+ * purpose <b>purpose</b>, or NULL if <b>purpose</b> is not a
+ * hidden-service-related circuit purpose. */
+const char *
+circuit_purpose_to_controller_hs_state_string(uint8_t purpose)
+{
+ switch (purpose)
+ {
+ default:
+ log_fn(LOG_WARN, LD_BUG,
+ "Unrecognized circuit purpose: %d",
+ (int)purpose);
+ tor_fragile_assert();
+ /* fall through */
+
+ case CIRCUIT_PURPOSE_OR:
+ case CIRCUIT_PURPOSE_C_GENERAL:
+ case CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT:
+ case CIRCUIT_PURPOSE_TESTING:
+ case CIRCUIT_PURPOSE_CONTROLLER:
+ case CIRCUIT_PURPOSE_PATH_BIAS_TESTING:
+ case CIRCUIT_PURPOSE_HS_VANGUARDS:
+ return NULL;
+
+ case CIRCUIT_PURPOSE_INTRO_POINT:
+ return "OR_HSSI_ESTABLISHED";
+ case CIRCUIT_PURPOSE_REND_POINT_WAITING:
+ return "OR_HSCR_ESTABLISHED";
+ case CIRCUIT_PURPOSE_REND_ESTABLISHED:
+ return "OR_HS_R_JOINED";
+
+ case CIRCUIT_PURPOSE_C_HSDIR_GET:
+ case CIRCUIT_PURPOSE_C_INTRODUCING:
+ return "HSCI_CONNECTING";
+ case CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT:
+ return "HSCI_INTRO_SENT";
+ case CIRCUIT_PURPOSE_C_INTRODUCE_ACKED:
+ return "HSCI_DONE";
+
+ case CIRCUIT_PURPOSE_C_ESTABLISH_REND:
+ return "HSCR_CONNECTING";
+ case CIRCUIT_PURPOSE_C_REND_READY:
+ return "HSCR_ESTABLISHED_IDLE";
+ case CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED:
+ return "HSCR_ESTABLISHED_WAITING";
+ case CIRCUIT_PURPOSE_C_REND_JOINED:
+ return "HSCR_JOINED";
+
+ case CIRCUIT_PURPOSE_S_HSDIR_POST:
+ case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO:
+ return "HSSI_CONNECTING";
+ case CIRCUIT_PURPOSE_S_INTRO:
+ return "HSSI_ESTABLISHED";
+
+ case CIRCUIT_PURPOSE_S_CONNECT_REND:
+ return "HSSR_CONNECTING";
+ case CIRCUIT_PURPOSE_S_REND_JOINED:
+ return "HSSR_JOINED";
+ }
+}
+
+/** Return a human-readable string for the circuit purpose <b>purpose</b>. */
+const char *
+circuit_purpose_to_string(uint8_t purpose)
+{
+ static char buf[32];
+
+ switch (purpose)
+ {
+ case CIRCUIT_PURPOSE_OR:
+ return "Circuit at relay";
+ case CIRCUIT_PURPOSE_INTRO_POINT:
+ return "Acting as intro point";
+ case CIRCUIT_PURPOSE_REND_POINT_WAITING:
+ return "Acting as rendezvous (pending)";
+ case CIRCUIT_PURPOSE_REND_ESTABLISHED:
+ return "Acting as rendezvous (established)";
+ case CIRCUIT_PURPOSE_C_GENERAL:
+ return "General-purpose client";
+ case CIRCUIT_PURPOSE_C_INTRODUCING:
+ return "Hidden service client: Connecting to intro point";
+ case CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT:
+ return "Hidden service client: Waiting for ack from intro point";
+ case CIRCUIT_PURPOSE_C_INTRODUCE_ACKED:
+ return "Hidden service client: Received ack from intro point";
+ case CIRCUIT_PURPOSE_C_ESTABLISH_REND:
+ return "Hidden service client: Establishing rendezvous point";
+ case CIRCUIT_PURPOSE_C_REND_READY:
+ return "Hidden service client: Pending rendezvous point";
+ case CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED:
+ return "Hidden service client: Pending rendezvous point (ack received)";
+ case CIRCUIT_PURPOSE_C_REND_JOINED:
+ return "Hidden service client: Active rendezvous point";
+ case CIRCUIT_PURPOSE_C_HSDIR_GET:
+ return "Hidden service client: Fetching HS descriptor";
+
+ case CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT:
+ return "Measuring circuit timeout";
+
+ case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO:
+ return "Hidden service: Establishing introduction point";
+ case CIRCUIT_PURPOSE_S_INTRO:
+ return "Hidden service: Introduction point";
+ case CIRCUIT_PURPOSE_S_CONNECT_REND:
+ return "Hidden service: Connecting to rendezvous point";
+ case CIRCUIT_PURPOSE_S_REND_JOINED:
+ return "Hidden service: Active rendezvous point";
+ case CIRCUIT_PURPOSE_S_HSDIR_POST:
+ return "Hidden service: Uploading HS descriptor";
+
+ case CIRCUIT_PURPOSE_TESTING:
+ return "Testing circuit";
+
+ case CIRCUIT_PURPOSE_CONTROLLER:
+ return "Circuit made by controller";
+
+ case CIRCUIT_PURPOSE_PATH_BIAS_TESTING:
+ return "Path-bias testing circuit";
+
+ case CIRCUIT_PURPOSE_HS_VANGUARDS:
+ return "Hidden service: Pre-built vanguard circuit";
+
+ default:
+ tor_snprintf(buf, sizeof(buf), "UNKNOWN_%d", (int)purpose);
+ return buf;
+ }
+}
+
+/** Pick a reasonable package_window to start out for our circuits.
+ * Originally this was hard-coded at 1000, but now the consensus votes
+ * on the answer. See proposal 168. */
+int32_t
+circuit_initial_package_window(void)
+{
+ int32_t num = networkstatus_get_param(NULL, "circwindow", CIRCWINDOW_START,
+ CIRCWINDOW_START_MIN,
+ CIRCWINDOW_START_MAX);
+ /* If the consensus tells us a negative number, we'd assert. */
+ if (num < 0)
+ num = CIRCWINDOW_START;
+ return num;
+}
+
+/** Initialize the common elements in a circuit_t, and add it to the global
+ * list. */
+static void
+init_circuit_base(circuit_t *circ)
+{
+ tor_gettimeofday(&circ->timestamp_created);
+
+ // Gets reset when we send CREATE_FAST.
+ // circuit_expire_building() expects these to be equal
+ // until the orconn is built.
+ circ->timestamp_began = circ->timestamp_created;
+
+ circ->package_window = circuit_initial_package_window();
+ circ->deliver_window = CIRCWINDOW_START;
+ cell_queue_init(&circ->n_chan_cells);
+
+ smartlist_add(circuit_get_global_list(), circ);
+ circ->global_circuitlist_idx = smartlist_len(circuit_get_global_list()) - 1;
+}
+
+/** If we haven't yet decided on a good timeout value for circuit
+ * building, we close idle circuits aggressively so we can get more
+ * data points. These are the default, min, and max consensus values */
+#define DFLT_IDLE_TIMEOUT_WHILE_LEARNING (3*60)
+#define MIN_IDLE_TIMEOUT_WHILE_LEARNING (10)
+#define MAX_IDLE_TIMEOUT_WHILE_LEARNING (1000*60)
+
+/** Allocate space for a new origin circuit, and add it to the global
+ * circuit list.
+ */
+origin_circuit_t *
+origin_circuit_new(void)
+{
+ origin_circuit_t *circ;
+ /* never zero, since a global ID of 0 is treated specially by the
+ * controller */
+ static uint32_t n_circuits_allocated = 1;
+
+ circ = tor_malloc_zero(sizeof(origin_circuit_t));
+ circ->base_.magic = ORIGIN_CIRCUIT_MAGIC;
+
+ circ->next_stream_id = crypto_rand_int(1<<16);
+ circ->global_identifier = n_circuits_allocated++;
+ circ->remaining_relay_early_cells = MAX_RELAY_EARLY_CELLS_PER_CIRCUIT;
+ circ->remaining_relay_early_cells -= crypto_rand_int(2);
+
+ init_circuit_base(TO_CIRCUIT(circ));
+
+ /* Add to origin-list. */
+ circ->global_origin_circuit_list_idx = -1;
+ circuit_add_to_origin_circuit_list(circ);
+
+ circuit_build_times_update_last_circ(get_circuit_build_times_mutable());
+
+ if (! circuit_build_times_disabled(get_options()) &&
+ circuit_build_times_needs_circuits(get_circuit_build_times())) {
+ /* Circuits should be shorter lived if we need more of them
+ * for learning a good build timeout */
+ circ->circuit_idle_timeout =
+ networkstatus_get_param(NULL, "cbtlearntimeout",
+ DFLT_IDLE_TIMEOUT_WHILE_LEARNING,
+ MIN_IDLE_TIMEOUT_WHILE_LEARNING,
+ MAX_IDLE_TIMEOUT_WHILE_LEARNING);
+ } else {
+ // This should always be larger than the current port prediction time
+ // remaining, or else we'll end up with the case where a circuit times out
+ // and another one is built, effectively doubling the timeout window.
+ //
+ // We also randomize it by up to 5% more (ie 5% of 0 to 3600 seconds,
+ // depending on how much circuit prediction time is remaining) so that
+ // we don't close a bunch of unused circuits all at the same time.
+ int prediction_time_remaining =
+ predicted_ports_prediction_time_remaining(time(NULL));
+ circ->circuit_idle_timeout = prediction_time_remaining+1+
+ crypto_rand_int(1+prediction_time_remaining/20);
+
+ if (circ->circuit_idle_timeout <= 0) {
+ log_warn(LD_BUG,
+ "Circuit chose a negative idle timeout of %d based on "
+ "%d seconds of predictive building remaining.",
+ circ->circuit_idle_timeout,
+ prediction_time_remaining);
+ circ->circuit_idle_timeout =
+ networkstatus_get_param(NULL, "cbtlearntimeout",
+ DFLT_IDLE_TIMEOUT_WHILE_LEARNING,
+ MIN_IDLE_TIMEOUT_WHILE_LEARNING,
+ MAX_IDLE_TIMEOUT_WHILE_LEARNING);
+ }
+
+ log_info(LD_CIRC,
+ "Circuit %"PRIu32" chose an idle timeout of %d based on "
+ "%d seconds of predictive building remaining.",
+ (circ->global_identifier),
+ circ->circuit_idle_timeout,
+ prediction_time_remaining);
+ }
+
+ return circ;
+}
+
+/** Allocate a new or_circuit_t, connected to <b>p_chan</b> as
+ * <b>p_circ_id</b>. If <b>p_chan</b> is NULL, the circuit is unattached. */
+or_circuit_t *
+or_circuit_new(circid_t p_circ_id, channel_t *p_chan)
+{
+ /* CircIDs */
+ or_circuit_t *circ;
+
+ circ = tor_malloc_zero(sizeof(or_circuit_t));
+ circ->base_.magic = OR_CIRCUIT_MAGIC;
+
+ if (p_chan)
+ circuit_set_p_circid_chan(circ, p_circ_id, p_chan);
+
+ circ->remaining_relay_early_cells = MAX_RELAY_EARLY_CELLS_PER_CIRCUIT;
+ cell_queue_init(&circ->p_chan_cells);
+
+ init_circuit_base(TO_CIRCUIT(circ));
+
+ return circ;
+}
+
+/** Free all storage held in circ->testing_cell_stats */
+void
+circuit_clear_testing_cell_stats(circuit_t *circ)
+{
+ if (!circ || !circ->testing_cell_stats)
+ return;
+ SMARTLIST_FOREACH(circ->testing_cell_stats, testing_cell_stats_entry_t *,
+ ent, tor_free(ent));
+ smartlist_free(circ->testing_cell_stats);
+ circ->testing_cell_stats = NULL;
+}
+
+/** Deallocate space associated with circ.
+ */
+STATIC void
+circuit_free_(circuit_t *circ)
+{
+ circid_t n_circ_id = 0;
+ void *mem;
+ size_t memlen;
+ int should_free = 1;
+ if (!circ)
+ return;
+
+ /* We keep a copy of this so we can log its value before it gets unset. */
+ n_circ_id = circ->n_circ_id;
+
+ circuit_clear_testing_cell_stats(circ);
+
+  /* Clean up anything HS v3 related on this circuit. We also do this when
+   * the circuit is closed, to avoid any code path that frees registered
+   * circuits without closing them first. This needs to be done before the
+   * HS identifier is freed. */
+ hs_circ_cleanup(circ);
+
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+ mem = ocirc;
+ memlen = sizeof(origin_circuit_t);
+ tor_assert(circ->magic == ORIGIN_CIRCUIT_MAGIC);
+
+ circuit_remove_from_origin_circuit_list(ocirc);
+
++ if (ocirc->half_streams) {
++ SMARTLIST_FOREACH_BEGIN(ocirc->half_streams, half_edge_t*,
++ half_conn) {
++ tor_free(half_conn);
++ } SMARTLIST_FOREACH_END(half_conn);
++ smartlist_free(ocirc->half_streams);
++ }
++
+ if (ocirc->build_state) {
+ extend_info_free(ocirc->build_state->chosen_exit);
+ circuit_free_cpath_node(ocirc->build_state->pending_final_cpath);
+ cpath_ref_decref(ocirc->build_state->service_pending_final_cpath_ref);
+ }
+ tor_free(ocirc->build_state);
+
+ /* Cancel before freeing, if we haven't already succeeded or failed. */
+ if (ocirc->guard_state) {
+      entry_guard_cancel(&ocirc->guard_state);
+ }
+ circuit_guard_state_free(ocirc->guard_state);
+
+ circuit_clear_cpath(ocirc);
+
+ crypto_pk_free(ocirc->intro_key);
+ rend_data_free(ocirc->rend_data);
+
+ /* Finally, free the identifier of the circuit and nullify it so multiple
+ * cleanup will work. */
+ hs_ident_circuit_free(ocirc->hs_ident);
+ ocirc->hs_ident = NULL;
+
+ tor_free(ocirc->dest_address);
+ if (ocirc->socks_username) {
+ memwipe(ocirc->socks_username, 0x12, ocirc->socks_username_len);
+ tor_free(ocirc->socks_username);
+ }
+ if (ocirc->socks_password) {
+ memwipe(ocirc->socks_password, 0x06, ocirc->socks_password_len);
+ tor_free(ocirc->socks_password);
+ }
+ addr_policy_list_free(ocirc->prepend_policy);
+ } else {
+ or_circuit_t *ocirc = TO_OR_CIRCUIT(circ);
+ /* Remember cell statistics for this circuit before deallocating. */
+ if (get_options()->CellStatistics)
+ rep_hist_buffer_stats_add_circ(circ, time(NULL));
+ mem = ocirc;
+ memlen = sizeof(or_circuit_t);
+ tor_assert(circ->magic == OR_CIRCUIT_MAGIC);
+
+ should_free = (ocirc->workqueue_entry == NULL);
+
+    relay_crypto_clear(&ocirc->crypto);
+
+ if (ocirc->rend_splice) {
+ or_circuit_t *other = ocirc->rend_splice;
+ tor_assert(other->base_.magic == OR_CIRCUIT_MAGIC);
+ other->rend_splice = NULL;
+ }
+
+ /* remove from map. */
+ circuit_set_p_circid_chan(ocirc, 0, NULL);
+
+ /* Clear cell queue _after_ removing it from the map. Otherwise our
+ * "active" checks will be violated. */
+    cell_queue_clear(&ocirc->p_chan_cells);
+ }
+
+ extend_info_free(circ->n_hop);
+ tor_free(circ->n_chan_create_cell);
+
+ if (circ->global_circuitlist_idx != -1) {
+ int idx = circ->global_circuitlist_idx;
+ circuit_t *c2 = smartlist_get(global_circuitlist, idx);
+ tor_assert(c2 == circ);
+ smartlist_del(global_circuitlist, idx);
+ if (idx < smartlist_len(global_circuitlist)) {
+ c2 = smartlist_get(global_circuitlist, idx);
+ c2->global_circuitlist_idx = idx;
+ }
+ }
+
+ /* Remove from map. */
+ circuit_set_n_circid_chan(circ, 0, NULL);
+
+ /* Clear cell queue _after_ removing it from the map. Otherwise our
+ * "active" checks will be violated. */
+ cell_queue_clear(&circ->n_chan_cells);
+
+ log_info(LD_CIRC, "Circuit %u (id: %" PRIu32 ") has been freed.",
+ n_circ_id,
+ CIRCUIT_IS_ORIGIN(circ) ?
+ TO_ORIGIN_CIRCUIT(circ)->global_identifier : 0);
+
+ if (should_free) {
+ memwipe(mem, 0xAA, memlen); /* poison memory */
+ tor_free(mem);
+ } else {
+ /* If we made it here, this is an or_circuit_t that still has a pending
+ * cpuworker request which we weren't able to cancel. Instead, set up
+ * the magic value so that when the reply comes back, we'll know to discard
+ * the reply and free this structure.
+ */
+ memwipe(mem, 0xAA, memlen);
+ circ->magic = DEAD_CIRCUIT_MAGIC;
+ }
+}
+
+/** Deallocate the linked list circ-><b>cpath</b>, and remove the cpath from
+ * <b>circ</b>. */
+void
+circuit_clear_cpath(origin_circuit_t *circ)
+{
+ crypt_path_t *victim, *head, *cpath;
+
+ head = cpath = circ->cpath;
+
+ if (!cpath)
+ return;
+
+ /* it's a circular list, so we have to notice when we've
+ * gone through it once. */
+ while (cpath->next && cpath->next != head) {
+ victim = cpath;
+ cpath = victim->next;
+ circuit_free_cpath_node(victim);
+ }
+
+ circuit_free_cpath_node(cpath);
+
+ circ->cpath = NULL;
+}
+
+/** Release all storage held by circuits. */
+void
+circuit_free_all(void)
+{
+ smartlist_t *lst = circuit_get_global_list();
+
+ SMARTLIST_FOREACH_BEGIN(lst, circuit_t *, tmp) {
+ if (! CIRCUIT_IS_ORIGIN(tmp)) {
+ or_circuit_t *or_circ = TO_OR_CIRCUIT(tmp);
+ while (or_circ->resolving_streams) {
+ edge_connection_t *next_conn;
+ next_conn = or_circ->resolving_streams->next_stream;
+ connection_free_(TO_CONN(or_circ->resolving_streams));
+ or_circ->resolving_streams = next_conn;
+ }
+ }
+ tmp->global_circuitlist_idx = -1;
+ circuit_about_to_free_atexit(tmp);
+ circuit_free(tmp);
+ SMARTLIST_DEL_CURRENT(lst, tmp);
+ } SMARTLIST_FOREACH_END(tmp);
+
+ smartlist_free(lst);
+ global_circuitlist = NULL;
+
+ smartlist_free(global_origin_circuit_list);
+ global_origin_circuit_list = NULL;
+
+ smartlist_free(circuits_pending_chans);
+ circuits_pending_chans = NULL;
+
+ smartlist_free(circuits_pending_close);
+ circuits_pending_close = NULL;
+
+ smartlist_free(circuits_pending_other_guards);
+ circuits_pending_other_guards = NULL;
+
+ {
+ chan_circid_circuit_map_t **elt, **next, *c;
+ for (elt = HT_START(chan_circid_map, &chan_circid_map);
+ elt;
+ elt = next) {
+ c = *elt;
+ next = HT_NEXT_RMV(chan_circid_map, &chan_circid_map, elt);
+
+ tor_assert(c->circuit == NULL);
+ tor_free(c);
+ }
+ }
+ HT_CLEAR(chan_circid_map, &chan_circid_map);
+}
+
+/** Deallocate space associated with the cpath node <b>victim</b>. */
+static void
+circuit_free_cpath_node(crypt_path_t *victim)
+{
+ if (!victim)
+ return;
+
+ relay_crypto_clear(&victim->crypto);
+ onion_handshake_state_release(&victim->handshake_state);
+ crypto_dh_free(victim->rend_dh_handshake_state);
+ extend_info_free(victim->extend_info);
+
+ memwipe(victim, 0xBB, sizeof(crypt_path_t)); /* poison memory */
+ tor_free(victim);
+}
+
+/** Release a crypt_path_reference_t*, which may be NULL. */
+static void
+cpath_ref_decref(crypt_path_reference_t *cpath_ref)
+{
+ if (cpath_ref != NULL) {
+ if (--(cpath_ref->refcount) == 0) {
+ circuit_free_cpath_node(cpath_ref->cpath);
+ tor_free(cpath_ref);
+ }
+ }
+}
+
+/** A helper function for circuit_dump_by_conn() below. Log a bunch
+ * of information about circuit <b>circ</b>.
+ */
+static void
+circuit_dump_conn_details(int severity,
+ circuit_t *circ,
+ int conn_array_index,
+ const char *type,
+ circid_t this_circid,
+ circid_t other_circid)
+{
+ tor_log(severity, LD_CIRC, "Conn %d has %s circuit: circID %u "
+ "(other side %u), state %d (%s), born %ld:",
+ conn_array_index, type, (unsigned)this_circid, (unsigned)other_circid,
+ circ->state, circuit_state_to_string(circ->state),
+ (long)circ->timestamp_began.tv_sec);
+ if (CIRCUIT_IS_ORIGIN(circ)) { /* circ starts at this node */
+ circuit_log_path(severity, LD_CIRC, TO_ORIGIN_CIRCUIT(circ));
+ }
+}
+
+/** Log, at severity <b>severity</b>, information about each circuit
+ * that is connected to <b>conn</b>.
+ */
+void
+circuit_dump_by_conn(connection_t *conn, int severity)
+{
+ edge_connection_t *tmpconn;
+
+ SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, circ) {
+ circid_t n_circ_id = circ->n_circ_id, p_circ_id = 0;
+
+ if (circ->marked_for_close) {
+ continue;
+ }
+
+ if (!CIRCUIT_IS_ORIGIN(circ)) {
+ p_circ_id = TO_OR_CIRCUIT(circ)->p_circ_id;
+ }
+
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ for (tmpconn=TO_ORIGIN_CIRCUIT(circ)->p_streams; tmpconn;
+ tmpconn=tmpconn->next_stream) {
+ if (TO_CONN(tmpconn) == conn) {
+ circuit_dump_conn_details(severity, circ, conn->conn_array_index,
+ "App-ward", p_circ_id, n_circ_id);
+ }
+ }
+ }
+
+ if (! CIRCUIT_IS_ORIGIN(circ)) {
+ for (tmpconn=TO_OR_CIRCUIT(circ)->n_streams; tmpconn;
+ tmpconn=tmpconn->next_stream) {
+ if (TO_CONN(tmpconn) == conn) {
+ circuit_dump_conn_details(severity, circ, conn->conn_array_index,
+ "Exit-ward", n_circ_id, p_circ_id);
+ }
+ }
+ }
+ }
+ SMARTLIST_FOREACH_END(circ);
+}
+
+/** Return the circuit whose global ID is <b>id</b>, or NULL if no
+ * such circuit exists. */
+origin_circuit_t *
+circuit_get_by_global_id(uint32_t id)
+{
+ SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, circ) {
+ if (CIRCUIT_IS_ORIGIN(circ) &&
+ TO_ORIGIN_CIRCUIT(circ)->global_identifier == id) {
+ if (circ->marked_for_close)
+ return NULL;
+ else
+ return TO_ORIGIN_CIRCUIT(circ);
+ }
+ }
+ SMARTLIST_FOREACH_END(circ);
+ return NULL;
+}
+
+/** Return a circ such that:
+ * - circ-\>n_circ_id or circ-\>p_circ_id is equal to <b>circ_id</b>, and
+ * - circ is attached to <b>chan</b>, either as p_chan or n_chan.
+ * Return NULL if no such circuit exists.
+ *
+ * If <b>found_entry_out</b> is provided, set it to true if we have a
+ * placeholder entry for circid/chan, and leave it unset otherwise.
+ */
+static inline circuit_t *
+circuit_get_by_circid_channel_impl(circid_t circ_id, channel_t *chan,
+ int *found_entry_out)
+{
+ chan_circid_circuit_map_t search;
+ chan_circid_circuit_map_t *found;
+
+ if (_last_circid_chan_ent &&
+ circ_id == _last_circid_chan_ent->circ_id &&
+ chan == _last_circid_chan_ent->chan) {
+ found = _last_circid_chan_ent;
+ } else {
+ search.circ_id = circ_id;
+ search.chan = chan;
+ found = HT_FIND(chan_circid_map, &chan_circid_map, &search);
+ _last_circid_chan_ent = found;
+ }
+ if (found && found->circuit) {
+ log_debug(LD_CIRC,
+ "circuit_get_by_circid_channel_impl() returning circuit %p for"
+ " circ_id %u, channel ID %"PRIu64 " (%p)",
+ found->circuit, (unsigned)circ_id,
+ (chan->global_identifier), chan);
+ if (found_entry_out)
+ *found_entry_out = 1;
+ return found->circuit;
+ }
+
+ log_debug(LD_CIRC,
+ "circuit_get_by_circid_channel_impl() found %s for"
+ " circ_id %u, channel ID %"PRIu64 " (%p)",
+ found ? "placeholder" : "nothing",
+ (unsigned)circ_id,
+ (chan->global_identifier), chan);
+
+ if (found_entry_out)
+ *found_entry_out = found ? 1 : 0;
+
+ return NULL;
+ /* The rest of this checks for bugs. Disabled by default. */
+ /* We comment it out because coverity complains otherwise.
+ {
+ circuit_t *circ;
+ TOR_LIST_FOREACH(circ, &global_circuitlist, head) {
+ if (! CIRCUIT_IS_ORIGIN(circ)) {
+ or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
+ if (or_circ->p_chan == chan && or_circ->p_circ_id == circ_id) {
+ log_warn(LD_BUG,
+ "circuit matches p_chan, but not in hash table (Bug!)");
+ return circ;
+ }
+ }
+ if (circ->n_chan == chan && circ->n_circ_id == circ_id) {
+ log_warn(LD_BUG,
+ "circuit matches n_chan, but not in hash table (Bug!)");
+ return circ;
+ }
+ }
+ return NULL;
+ } */
+}
+
+/** Return a circ such that:
+ * - circ-\>n_circ_id or circ-\>p_circ_id is equal to <b>circ_id</b>, and
+ * - circ is attached to <b>chan</b>, either as p_chan or n_chan.
+ * - circ is not marked for close.
+ * Return NULL if no such circuit exists.
+ */
+circuit_t *
+circuit_get_by_circid_channel(circid_t circ_id, channel_t *chan)
+{
+ circuit_t *circ = circuit_get_by_circid_channel_impl(circ_id, chan, NULL);
+ if (!circ || circ->marked_for_close)
+ return NULL;
+ else
+ return circ;
+}
+
+/** Return a circ such that:
+ * - circ-\>n_circ_id or circ-\>p_circ_id is equal to <b>circ_id</b>, and
+ * - circ is attached to <b>chan</b>, either as p_chan or n_chan.
+ * Return NULL if no such circuit exists.
+ */
+circuit_t *
+circuit_get_by_circid_channel_even_if_marked(circid_t circ_id,
+ channel_t *chan)
+{
+ return circuit_get_by_circid_channel_impl(circ_id, chan, NULL);
+}
+
+/** Return true iff the circuit ID <b>circ_id</b> is currently used by a
+ * circuit, marked or not, on <b>chan</b>, or if the circ ID is reserved until
+ * a queued destroy cell can be sent.
+ *
+ * (Return 1 if the circuit is present, marked or not; Return 2
+ * if the circuit ID is pending a destroy.)
+ **/
+int
+circuit_id_in_use_on_channel(circid_t circ_id, channel_t *chan)
+{
+ int found = 0;
+ if (circuit_get_by_circid_channel_impl(circ_id, chan, &found) != NULL)
+ return 1;
+ if (found)
+ return 2;
+ return 0;
+}
+
+/** Helper for debugging 12184. Returns the time since which 'circ_id' has
+ * been marked unusable on 'chan'. */
+time_t
+circuit_id_when_marked_unusable_on_channel(circid_t circ_id, channel_t *chan)
+{
+ chan_circid_circuit_map_t search;
+ chan_circid_circuit_map_t *found;
+
+ memset(&search, 0, sizeof(search));
+ search.circ_id = circ_id;
+ search.chan = chan;
+
+ found = HT_FIND(chan_circid_map, &chan_circid_map, &search);
+
+ if (! found || found->circuit)
+ return 0;
+
+ return found->made_placeholder_at;
+}
+
+/** Return the circuit that a given edge connection is using. */
+circuit_t *
+circuit_get_by_edge_conn(edge_connection_t *conn)
+{
+ circuit_t *circ;
+
+ circ = conn->on_circuit;
+ tor_assert(!circ ||
+ (CIRCUIT_IS_ORIGIN(circ) ? circ->magic == ORIGIN_CIRCUIT_MAGIC
+ : circ->magic == OR_CIRCUIT_MAGIC));
+
+ return circ;
+}
+
+/** For each circuit that has <b>chan</b> as n_chan or p_chan, unlink the
+ * circuit from the chan,circid map, and mark it for close if it hasn't
+ * been marked already.
+ */
+void
+circuit_unlink_all_from_channel(channel_t *chan, int reason)
+{
+ smartlist_t *detached = smartlist_new();
+
+/* #define DEBUG_CIRCUIT_UNLINK_ALL */
+
+ channel_unlink_all_circuits(chan, detached);
+
+#ifdef DEBUG_CIRCUIT_UNLINK_ALL
+ {
+ smartlist_t *detached_2 = smartlist_new();
+ int mismatch = 0, badlen = 0;
+
+ SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, circ) {
+ if (circ->n_chan == chan ||
+ (!CIRCUIT_IS_ORIGIN(circ) &&
+ TO_OR_CIRCUIT(circ)->p_chan == chan)) {
+ smartlist_add(detached_2, circ);
+ }
+ }
+ SMARTLIST_FOREACH_END(circ);
+
+ if (smartlist_len(detached) != smartlist_len(detached_2)) {
+ log_warn(LD_BUG, "List of detached circuits had the wrong length! "
+ "(got %d, should have gotten %d)",
+ (int)smartlist_len(detached),
+ (int)smartlist_len(detached_2));
+ badlen = 1;
+ }
+ smartlist_sort_pointers(detached);
+ smartlist_sort_pointers(detached_2);
+
+ SMARTLIST_FOREACH(detached, circuit_t *, c,
+ if (c != smartlist_get(detached_2, c_sl_idx))
+ mismatch = 1;
+ );
+
+ if (mismatch)
+ log_warn(LD_BUG, "Mismatch in list of detached circuits.");
+
+ if (badlen || mismatch) {
+ smartlist_free(detached);
+ detached = detached_2;
+ } else {
+ log_notice(LD_CIRC, "List of %d circuits was as expected.",
+ (int)smartlist_len(detached));
+ smartlist_free(detached_2);
+ }
+ }
+#endif /* defined(DEBUG_CIRCUIT_UNLINK_ALL) */
+
+ SMARTLIST_FOREACH_BEGIN(detached, circuit_t *, circ) {
+ int mark = 0;
+ if (circ->n_chan == chan) {
+
+ circuit_set_n_circid_chan(circ, 0, NULL);
+ mark = 1;
+
+ /* If we didn't request this closure, pass the remote
+ * bit to mark_for_close. */
+ if (chan->reason_for_closing != CHANNEL_CLOSE_REQUESTED)
+ reason |= END_CIRC_REASON_FLAG_REMOTE;
+ }
+ if (! CIRCUIT_IS_ORIGIN(circ)) {
+ or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
+ if (or_circ->p_chan == chan) {
+ circuit_set_p_circid_chan(or_circ, 0, NULL);
+ mark = 1;
+ }
+ }
+ if (!mark) {
+ log_warn(LD_BUG, "Circuit on detached list which I had no reason "
+ "to mark");
+ continue;
+ }
+ if (!circ->marked_for_close)
+ circuit_mark_for_close(circ, reason);
+ } SMARTLIST_FOREACH_END(circ);
+
+ smartlist_free(detached);
+}
+
+/** Return a circ such that
+ * - circ-\>rend_data-\>onion_address is equal to
+ * <b>rend_data</b>-\>onion_address,
+ * - circ-\>rend_data-\>rend_cookie is equal to
+ * <b>rend_data</b>-\>rend_cookie, and
+ * - circ-\>purpose is equal to CIRCUIT_PURPOSE_C_REND_READY.
+ *
+ * Return NULL if no such circuit exists.
+ */
+origin_circuit_t *
+circuit_get_ready_rend_circ_by_rend_data(const rend_data_t *rend_data)
+{
+ SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, circ) {
+ if (!circ->marked_for_close &&
+ circ->purpose == CIRCUIT_PURPOSE_C_REND_READY) {
+ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+ if (ocirc->rend_data == NULL) {
+ continue;
+ }
+ if (!rend_cmp_service_ids(rend_data_get_address(rend_data),
+ rend_data_get_address(ocirc->rend_data)) &&
+ tor_memeq(ocirc->rend_data->rend_cookie,
+ rend_data->rend_cookie,
+ REND_COOKIE_LEN))
+ return ocirc;
+ }
+ }
+ SMARTLIST_FOREACH_END(circ);
+ return NULL;
+}
+
+/** Return the first service introduction circuit originating from the global
+ * circuit list after <b>start</b> or at the start of the list if <b>start</b>
+ * is NULL. Return NULL if no circuit is found.
+ *
+ * A service introduction point circuit has a purpose of either
+ * CIRCUIT_PURPOSE_S_ESTABLISH_INTRO or CIRCUIT_PURPOSE_S_INTRO. This never
+ * returns a circuit that is marked for close or whose state is not open. */
+origin_circuit_t *
+circuit_get_next_service_intro_circ(origin_circuit_t *start)
+{
+ int idx = 0;
+ smartlist_t *lst = circuit_get_global_list();
+
+ if (start) {
+ idx = TO_CIRCUIT(start)->global_circuitlist_idx + 1;
+ }
+
+ for ( ; idx < smartlist_len(lst); ++idx) {
+ circuit_t *circ = smartlist_get(lst, idx);
+
+    /* Ignore circuits that are marked for close, that are not in the open
+     * state, or whose purpose does not match a service intro point. */
+ if (circ->marked_for_close || circ->state != CIRCUIT_STATE_OPEN ||
+ (circ->purpose != CIRCUIT_PURPOSE_S_ESTABLISH_INTRO &&
+ circ->purpose != CIRCUIT_PURPOSE_S_INTRO)) {
+ continue;
+ }
+ /* The purposes we are looking for are only for origin circuits so the
+ * following is valid. */
+ return TO_ORIGIN_CIRCUIT(circ);
+ }
+ /* Not found. */
+ return NULL;
+}
+
+/** Return the first service rendezvous circuit originating from the global
+ * circuit list after <b>start</b> or at the start of the list if <b>start</b>
+ * is NULL. Return NULL if no circuit is found.
+ *
+ * A service rendezvous point circuit has a purpose of either
+ * CIRCUIT_PURPOSE_S_CONNECT_REND or CIRCUIT_PURPOSE_S_REND_JOINED. This never
+ * returns a circuit that is marked for close or whose state is not open. */
+origin_circuit_t *
+circuit_get_next_service_rp_circ(origin_circuit_t *start)
+{
+ int idx = 0;
+ smartlist_t *lst = circuit_get_global_list();
+
+ if (start) {
+ idx = TO_CIRCUIT(start)->global_circuitlist_idx + 1;
+ }
+
+ for ( ; idx < smartlist_len(lst); ++idx) {
+ circuit_t *circ = smartlist_get(lst, idx);
+
+    /* Ignore circuits that are marked for close, that are not in the open
+     * state, or whose purpose does not match a service rendezvous point. */
+ if (circ->marked_for_close || circ->state != CIRCUIT_STATE_OPEN ||
+ (circ->purpose != CIRCUIT_PURPOSE_S_CONNECT_REND &&
+ circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED)) {
+ continue;
+ }
+ /* The purposes we are looking for are only for origin circuits so the
+ * following is valid. */
+ return TO_ORIGIN_CIRCUIT(circ);
+ }
+ /* Not found. */
+ return NULL;
+}
+
+/** Return the first circuit originating here in global_circuitlist after
+ * <b>start</b> whose purpose is <b>purpose</b>, and where <b>digest</b> (if
+ * set) matches the private key digest of the rend data associated with the
+ * circuit. Return NULL if no circuit is found. If <b>start</b> is NULL,
+ * begin at the start of the list.
+ */
+origin_circuit_t *
+circuit_get_next_by_pk_and_purpose(origin_circuit_t *start,
+ const uint8_t *digest, uint8_t purpose)
+{
+ int idx;
+ smartlist_t *lst = circuit_get_global_list();
+ tor_assert(CIRCUIT_PURPOSE_IS_ORIGIN(purpose));
+ if (start == NULL)
+ idx = 0;
+ else
+ idx = TO_CIRCUIT(start)->global_circuitlist_idx + 1;
+
+ for ( ; idx < smartlist_len(lst); ++idx) {
+ circuit_t *circ = smartlist_get(lst, idx);
+ origin_circuit_t *ocirc;
+
+ if (circ->marked_for_close)
+ continue;
+ if (circ->purpose != purpose)
+ continue;
+ /* At this point we should be able to get a valid origin circuit because
+ * the origin purpose we are looking for matches this circuit. */
+ if (BUG(!CIRCUIT_PURPOSE_IS_ORIGIN(circ->purpose))) {
+ break;
+ }
+ ocirc = TO_ORIGIN_CIRCUIT(circ);
+ if (!digest)
+ return ocirc;
+ if (rend_circuit_pk_digest_eq(ocirc, digest)) {
+ return ocirc;
+ }
+ }
+ return NULL;
+}
+
+/** We might cannibalize this circuit: Return true if its last hop can be used
+ * as a v3 rendezvous point. */
+static int
+circuit_can_be_cannibalized_for_v3_rp(const origin_circuit_t *circ)
+{
+ if (!circ->build_state) {
+ return 0;
+ }
+
+ extend_info_t *chosen_exit = circ->build_state->chosen_exit;
+ if (BUG(!chosen_exit)) {
+ return 0;
+ }
+
+ const node_t *rp_node = node_get_by_id(chosen_exit->identity_digest);
+ if (rp_node) {
+ if (node_supports_v3_rendezvous_point(rp_node)) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+/** We are trying to create a circuit of purpose <b>purpose</b> and we are
+ * looking for cannibalizable circuits. Return the circuit purpose we would be
+ * willing to cannibalize. */
+static uint8_t
+get_circuit_purpose_needed_to_cannibalize(uint8_t purpose)
+{
+ if (circuit_should_use_vanguards(purpose)) {
+ /* If we are using vanguards, then we should only cannibalize vanguard
+ * circuits so that we get the same path construction logic. */
+ return CIRCUIT_PURPOSE_HS_VANGUARDS;
+ } else {
+ /* If no vanguards are used just get a general circuit! */
+ return CIRCUIT_PURPOSE_C_GENERAL;
+ }
+}
+
+/** Return a circuit that is open, has the purpose we are willing to
+ * cannibalize in order to build a circuit of purpose
+ * <b>purpose_to_produce</b> (see get_circuit_purpose_needed_to_cannibalize()),
+ * has a timestamp_dirty value of 0, has flags matching the CIRCLAUNCH_*
+ * flags in <b>flags</b>, and if info is defined, does not already use info
+ * as any of its hops; or NULL if no circuit fits this description.
+ *
+ * The <b>purpose_to_produce</b> argument refers to the purpose of the circuit
+ * we want to create, not the purpose of the circuit we want to cannibalize.
+ *
+ * If !CIRCLAUNCH_NEED_UPTIME, prefer returning non-uptime circuits.
+ *
+ * To "cannibalize" a circuit means to extend it an extra hop, and use it
+ * for some other purpose than we had originally intended. We do this when
+ * we want to perform some low-bandwidth task at a specific relay, and we
+ * would like the circuit to complete as soon as possible. (If we were going
+ * to use a lot of bandwidth, we wouldn't want a circuit with an extra hop.
+ * If we didn't care about circuit completion latency, we would just build
+ * a new circuit.)
+ */
+origin_circuit_t *
+circuit_find_to_cannibalize(uint8_t purpose_to_produce, extend_info_t *info,
+ int flags)
+{
+ origin_circuit_t *best=NULL;
+ int need_uptime = (flags & CIRCLAUNCH_NEED_UPTIME) != 0;
+ int need_capacity = (flags & CIRCLAUNCH_NEED_CAPACITY) != 0;
+ int internal = (flags & CIRCLAUNCH_IS_INTERNAL) != 0;
+ const or_options_t *options = get_options();
+ /* We want the circuit we are trying to cannibalize to have this purpose */
+ int purpose_to_search_for;
+
+ /* Make sure we're not trying to create a onehop circ by
+ * cannibalization. */
+ tor_assert(!(flags & CIRCLAUNCH_ONEHOP_TUNNEL));
+
+ purpose_to_search_for = get_circuit_purpose_needed_to_cannibalize(
+ purpose_to_produce);
+
+ tor_assert_nonfatal(purpose_to_search_for == CIRCUIT_PURPOSE_C_GENERAL ||
+ purpose_to_search_for == CIRCUIT_PURPOSE_HS_VANGUARDS);
+
+ log_debug(LD_CIRC,
+ "Hunting for a circ to cannibalize: purpose %d, uptime %d, "
+ "capacity %d, internal %d",
+ purpose_to_produce, need_uptime, need_capacity, internal);
+
+ SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, circ_) {
+ if (CIRCUIT_IS_ORIGIN(circ_) &&
+ circ_->state == CIRCUIT_STATE_OPEN &&
+ !circ_->marked_for_close &&
+ circ_->purpose == purpose_to_search_for &&
+ !circ_->timestamp_dirty) {
+ origin_circuit_t *circ = TO_ORIGIN_CIRCUIT(circ_);
+
+ /* Only cannibalize from reasonable length circuits. If we
+ * want C_GENERAL, then only choose 3 hop circs. If we want
+ * HS_VANGUARDS, only choose 4 hop circs.
+ */
+ if (circ->build_state->desired_path_len !=
+ route_len_for_purpose(purpose_to_search_for, NULL)) {
+ goto next;
+ }
+
+      /* Ignore any circuits for which we can't use the Guard. It is possible
+       * that the Guard was removed from the sampled set after the circuit
+       * was created, so avoid using it. */
+ if (!entry_guard_could_succeed(circ->guard_state)) {
+ goto next;
+ }
+
+ if ((!need_uptime || circ->build_state->need_uptime) &&
+ (!need_capacity || circ->build_state->need_capacity) &&
+ (internal == circ->build_state->is_internal) &&
+ !circ->unusable_for_new_conns &&
+ circ->remaining_relay_early_cells &&
+ !circ->build_state->onehop_tunnel &&
+ !circ->isolation_values_set) {
+ if (info) {
+ /* need to make sure we don't duplicate hops */
+ crypt_path_t *hop = circ->cpath;
+ const node_t *ri1 = node_get_by_id(info->identity_digest);
+ do {
+ const node_t *ri2;
+ if (tor_memeq(hop->extend_info->identity_digest,
+ info->identity_digest, DIGEST_LEN))
+ goto next;
+ if (ri1 &&
+ (ri2 = node_get_by_id(hop->extend_info->identity_digest))
+ && nodes_in_same_family(ri1, ri2))
+ goto next;
+ hop=hop->next;
+ } while (hop!=circ->cpath);
+ }
+ if (options->ExcludeNodes) {
+ /* Make sure no existing nodes in the circuit are excluded for
+ * general use. (This may be possible if StrictNodes is 0, and we
+ * thought we needed to use an otherwise excluded node for, say, a
+ * directory operation.) */
+ crypt_path_t *hop = circ->cpath;
+ do {
+ if (routerset_contains_extendinfo(options->ExcludeNodes,
+ hop->extend_info))
+ goto next;
+ hop = hop->next;
+ } while (hop != circ->cpath);
+ }
+
+ if ((flags & CIRCLAUNCH_IS_V3_RP) &&
+ !circuit_can_be_cannibalized_for_v3_rp(circ)) {
+ log_debug(LD_GENERAL, "Skipping uncannibalizable circuit for v3 "
+ "rendezvous point.");
+ goto next;
+ }
+
+ if (!best || (best->build_state->need_uptime && !need_uptime))
+ best = circ;
+ next: ;
+ }
+ }
+ }
+ SMARTLIST_FOREACH_END(circ_);
+ return best;
+}
+
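+/* A minimal usage sketch; the purpose, flags, and "rp_info" extend_info here
+ * are illustrative only, not taken from any particular caller:
+ *
+ *   origin_circuit_t *circ =
+ *     circuit_find_to_cannibalize(CIRCUIT_PURPOSE_C_ESTABLISH_REND,
+ *                                 rp_info, CIRCLAUNCH_IS_INTERNAL);
+ *   if (circ) {
+ *     // Extend the cannibalized circuit one extra hop and repurpose it.
+ *   }
+ */
+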
+/**
+ * Check whether any of the origin circuits that are waiting to see if
+ * their guard is good enough to use can be upgraded to "ready". If so,
+ * return a new smartlist containing them. Otherwise return NULL.
+ */
+smartlist_t *
+circuit_find_circuits_to_upgrade_from_guard_wait(void)
+{
+ /* Only if some circuit is actually waiting on an upgrade should we
+ * run the algorithm. */
+ if (! circuits_pending_other_guards ||
+ smartlist_len(circuits_pending_other_guards)==0)
+ return NULL;
+ /* Only if we have some origin circuits should we run the algorithm. */
+ if (!global_origin_circuit_list)
+ return NULL;
+
+ /* Okay; we can pass our circuit list to entrynodes.c.*/
+ smartlist_t *result = smartlist_new();
+ int circuits_upgraded = entry_guards_upgrade_waiting_circuits(
+ get_guard_selection_info(),
+ global_origin_circuit_list,
+ result);
+ if (circuits_upgraded && smartlist_len(result)) {
+ return result;
+ } else {
+ smartlist_free(result);
+ return NULL;
+ }
+}
+
+/** Return the number of hops in circuit's path. If circ has no entries,
+ * or is NULL, returns 0. */
+int
+circuit_get_cpath_len(origin_circuit_t *circ)
+{
+ int n = 0;
+ if (circ && circ->cpath) {
+ crypt_path_t *cpath, *cpath_next = NULL;
+ for (cpath = circ->cpath; cpath_next != circ->cpath; cpath = cpath_next) {
+ cpath_next = cpath->next;
+ ++n;
+ }
+ }
+ return n;
+}
+
+/** Return the number of opened hops in circuit's path.
+ * If circ has no entries, or is NULL, returns 0. */
+int
+circuit_get_cpath_opened_len(const origin_circuit_t *circ)
+{
+ int n = 0;
+ if (circ && circ->cpath) {
+ crypt_path_t *cpath, *cpath_next = NULL;
+ for (cpath = circ->cpath;
+ cpath->state == CPATH_STATE_OPEN
+ && cpath_next != circ->cpath;
+ cpath = cpath_next) {
+ cpath_next = cpath->next;
+ ++n;
+ }
+ }
+ return n;
+}
+
+/** Return the <b>hopnum</b>th hop in <b>circ</b>->cpath, or NULL if there
+ * aren't that many hops in the list. <b>hopnum</b> starts at 1.
+ * Returns NULL if <b>hopnum</b> is 0 or negative. */
+crypt_path_t *
+circuit_get_cpath_hop(origin_circuit_t *circ, int hopnum)
+{
+ if (circ && circ->cpath && hopnum > 0) {
+ crypt_path_t *cpath, *cpath_next = NULL;
+ for (cpath = circ->cpath; cpath_next != circ->cpath; cpath = cpath_next) {
+ cpath_next = cpath->next;
+ if (--hopnum <= 0)
+ return cpath;
+ }
+ }
+ return NULL;
+}
+
+/** Go through the circuitlist; mark-for-close each circuit that starts
+ * at us but has not yet been used. */
+void
+circuit_mark_all_unused_circs(void)
+{
+ SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, circ) {
+ if (CIRCUIT_IS_ORIGIN(circ) &&
+ !circ->marked_for_close &&
+ !circ->timestamp_dirty)
+ circuit_mark_for_close(circ, END_CIRC_REASON_FINISHED);
+ }
+ SMARTLIST_FOREACH_END(circ);
+}
+
+/** Go through the circuitlist; for each circuit that starts at us
+ * and is dirty, frob its timestamp_dirty so we won't use it for any
+ * new streams.
+ *
+ * This is useful for letting the user change pseudonyms, so new
+ * streams will not be linkable to old streams.
+ */
+void
+circuit_mark_all_dirty_circs_as_unusable(void)
+{
+ SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, circ) {
+ if (CIRCUIT_IS_ORIGIN(circ) &&
+ !circ->marked_for_close &&
+ circ->timestamp_dirty) {
+ mark_circuit_unusable_for_new_conns(TO_ORIGIN_CIRCUIT(circ));
+ }
+ }
+ SMARTLIST_FOREACH_END(circ);
+}
+
+/** Mark <b>circ</b> to be closed next time we call
+ * circuit_close_all_marked(). Do any cleanup needed:
+ * - If state is onionskin_pending, remove circ from the onion_pending
+ * list.
+ * - If circ isn't open yet: call circuit_build_failed() if we're
+ * the origin.
+ * - If purpose is C_INTRODUCE_ACK_WAIT, report the intro point
+ * failure we just had to the hidden service client module.
+ * - If purpose is C_INTRODUCING and <b>reason</b> isn't TIMEOUT,
+ * report to the hidden service client module that the intro point
+ * we just tried may be unreachable.
+ * - Send appropriate destroys and edge_destroys for conns and
+ * streams attached to circ.
+ * - If circ->rend_splice is set (we are the midpoint of a joined
+ * rendezvous stream), then mark the other circuit to close as well.
+ */
+MOCK_IMPL(void,
+circuit_mark_for_close_, (circuit_t *circ, int reason, int line,
+ const char *file))
+{
+ int orig_reason = reason; /* Passed to the controller */
+ assert_circuit_ok(circ);
+ tor_assert(line);
+ tor_assert(file);
+
+ if (circ->marked_for_close) {
+ log_warn(LD_BUG,
+ "Duplicate call to circuit_mark_for_close at %s:%d"
+ " (first at %s:%d)", file, line,
+ circ->marked_for_close_file, circ->marked_for_close);
+ return;
+ }
+ if (reason == END_CIRC_AT_ORIGIN) {
+ if (!CIRCUIT_IS_ORIGIN(circ)) {
+ log_warn(LD_BUG, "Specified 'at-origin' non-reason for ending circuit, "
+ "but circuit was not at origin. (called %s:%d, purpose=%d)",
+ file, line, circ->purpose);
+ }
+ reason = END_CIRC_REASON_NONE;
+ }
+
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ if (pathbias_check_close(TO_ORIGIN_CIRCUIT(circ), reason) == -1) {
+ /* Don't close it yet, we need to test it first */
+ return;
+ }
+
+ /* We don't send reasons when closing circuits at the origin. */
+ reason = END_CIRC_REASON_NONE;
+ }
+
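+  /* Strip the "remote" flag so the range check below sees the bare reason
+   * code; orig_reason still carries the flag for the controller event. */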
+ if (reason & END_CIRC_REASON_FLAG_REMOTE)
+ reason &= ~END_CIRC_REASON_FLAG_REMOTE;
+
+ if (reason < END_CIRC_REASON_MIN_ || reason > END_CIRC_REASON_MAX_) {
+ if (!(orig_reason & END_CIRC_REASON_FLAG_REMOTE))
+ log_warn(LD_BUG, "Reason %d out of range at %s:%d", reason, file, line);
+ reason = END_CIRC_REASON_NONE;
+ }
+
+ circ->marked_for_close = line;
+ circ->marked_for_close_file = file;
+ circ->marked_for_close_reason = reason;
+ circ->marked_for_close_orig_reason = orig_reason;
+
+ if (!CIRCUIT_IS_ORIGIN(circ)) {
+ or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
+ if (or_circ->rend_splice) {
+ if (!or_circ->rend_splice->base_.marked_for_close) {
+ /* do this after marking this circuit, to avoid infinite recursion. */
+ circuit_mark_for_close(TO_CIRCUIT(or_circ->rend_splice), reason);
+ }
+ or_circ->rend_splice = NULL;
+ }
+ }
+
+ /* Notify the HS subsystem that this circuit is closing. */
+ hs_circ_cleanup(circ);
+
+ if (circuits_pending_close == NULL)
+ circuits_pending_close = smartlist_new();
+
+ smartlist_add(circuits_pending_close, circ);
+ mainloop_schedule_postloop_cleanup();
+
+ log_info(LD_GENERAL, "Circuit %u (id: %" PRIu32 ") marked for close at "
+ "%s:%d (orig reason: %d, new reason: %d)",
+ circ->n_circ_id,
+ CIRCUIT_IS_ORIGIN(circ) ?
+ TO_ORIGIN_CIRCUIT(circ)->global_identifier : 0,
+ file, line, orig_reason, reason);
+}
+
+/** Called immediately before freeing a marked circuit <b>circ</b> from
+ * circuit_free_all() while shutting down Tor; this is a safe-at-shutdown
+ * version of circuit_about_to_free(). It's important that it at least
+ * do circuitmux_detach_circuit() when appropriate.
+ */
+static void
+circuit_about_to_free_atexit(circuit_t *circ)
+{
+
+ if (circ->n_chan) {
+ circuit_clear_cell_queue(circ, circ->n_chan);
+ circuitmux_detach_circuit(circ->n_chan->cmux, circ);
+ circuit_set_n_circid_chan(circ, 0, NULL);
+ }
+
+ if (! CIRCUIT_IS_ORIGIN(circ)) {
+ or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
+
+ if (or_circ->p_chan) {
+ circuit_clear_cell_queue(circ, or_circ->p_chan);
+ circuitmux_detach_circuit(or_circ->p_chan->cmux, circ);
+ circuit_set_p_circid_chan(or_circ, 0, NULL);
+ }
+ }
+}
+
+/** Called immediately before freeing a marked circuit <b>circ</b>.
+ * Disconnects the circuit from other data structures, launches events
+ * as appropriate, and performs other housekeeping.
+ */
+static void
+circuit_about_to_free(circuit_t *circ)
+{
+
+ int reason = circ->marked_for_close_reason;
+ int orig_reason = circ->marked_for_close_orig_reason;
+
+ if (circ->state == CIRCUIT_STATE_ONIONSKIN_PENDING) {
+ onion_pending_remove(TO_OR_CIRCUIT(circ));
+ }
+ /* If the circuit ever became OPEN, we sent it to the reputation history
+ * module then. If it isn't OPEN, we send it there now to remember which
+ * links worked and which didn't.
+ */
+ if (circ->state != CIRCUIT_STATE_OPEN &&
+ circ->state != CIRCUIT_STATE_GUARD_WAIT) {
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+ circuit_build_failed(ocirc); /* take actions if necessary */
+ }
+ }
+ if (circ->state == CIRCUIT_STATE_CHAN_WAIT) {
+ if (circuits_pending_chans)
+ smartlist_remove(circuits_pending_chans, circ);
+ }
+ if (circuits_pending_other_guards) {
+ smartlist_remove(circuits_pending_other_guards, circ);
+ }
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ control_event_circuit_status(TO_ORIGIN_CIRCUIT(circ),
+ (circ->state == CIRCUIT_STATE_OPEN ||
+ circ->state == CIRCUIT_STATE_GUARD_WAIT) ?
+ CIRC_EVENT_CLOSED:CIRC_EVENT_FAILED,
+ orig_reason);
+ }
+
+ if (circ->purpose == CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT) {
+ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+ int timed_out = (reason == END_CIRC_REASON_TIMEOUT);
+ tor_assert(circ->state == CIRCUIT_STATE_OPEN);
+ tor_assert(ocirc->build_state->chosen_exit);
+ if (orig_reason != END_CIRC_REASON_IP_NOW_REDUNDANT &&
+ ocirc->rend_data) {
+ /* treat this like getting a nack from it */
+ log_info(LD_REND, "Failed intro circ %s to %s (awaiting ack). %s",
+ safe_str_client(rend_data_get_address(ocirc->rend_data)),
+ safe_str_client(build_state_get_exit_nickname(ocirc->build_state)),
+ timed_out ? "Recording timeout." : "Removing from descriptor.");
+ rend_client_report_intro_point_failure(ocirc->build_state->chosen_exit,
+ ocirc->rend_data,
+ timed_out ?
+ INTRO_POINT_FAILURE_TIMEOUT :
+ INTRO_POINT_FAILURE_GENERIC);
+ }
+ } else if (circ->purpose == CIRCUIT_PURPOSE_C_INTRODUCING &&
+ reason != END_CIRC_REASON_TIMEOUT) {
+ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+ if (ocirc->build_state->chosen_exit && ocirc->rend_data) {
+ if (orig_reason != END_CIRC_REASON_IP_NOW_REDUNDANT &&
+ ocirc->rend_data) {
+ log_info(LD_REND, "Failed intro circ %s to %s "
+ "(building circuit to intro point). "
+ "Marking intro point as possibly unreachable.",
+ safe_str_client(rend_data_get_address(ocirc->rend_data)),
+ safe_str_client(build_state_get_exit_nickname(
+ ocirc->build_state)));
+ rend_client_report_intro_point_failure(ocirc->build_state->chosen_exit,
+ ocirc->rend_data,
+ INTRO_POINT_FAILURE_UNREACHABLE);
+ }
+ }
+ }
+
+ if (circ->n_chan) {
+ circuit_clear_cell_queue(circ, circ->n_chan);
+ /* Only send destroy if the channel isn't closing anyway */
+ if (!CHANNEL_CONDEMNED(circ->n_chan)) {
+ channel_send_destroy(circ->n_circ_id, circ->n_chan, reason);
+ }
+ circuitmux_detach_circuit(circ->n_chan->cmux, circ);
+ circuit_set_n_circid_chan(circ, 0, NULL);
+ }
+
+ if (! CIRCUIT_IS_ORIGIN(circ)) {
+ or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
+ edge_connection_t *conn;
+ for (conn=or_circ->n_streams; conn; conn=conn->next_stream)
+ connection_edge_destroy(or_circ->p_circ_id, conn);
+ or_circ->n_streams = NULL;
+
+ while (or_circ->resolving_streams) {
+ conn = or_circ->resolving_streams;
+ or_circ->resolving_streams = conn->next_stream;
+ if (!conn->base_.marked_for_close) {
+ /* The client will see a DESTROY, and infer that the connections
+ * are closing because the circuit is getting torn down. No need
+ * to send an end cell. */
+ conn->edge_has_sent_end = 1;
+ conn->end_reason = END_STREAM_REASON_DESTROY;
+ conn->end_reason |= END_STREAM_REASON_FLAG_ALREADY_SENT_CLOSED;
+ connection_mark_for_close(TO_CONN(conn));
+ }
+ conn->on_circuit = NULL;
+ }
+
+ if (or_circ->p_chan) {
+ circuit_clear_cell_queue(circ, or_circ->p_chan);
+ /* Only send destroy if the channel isn't closing anyway */
+ if (!CHANNEL_CONDEMNED(or_circ->p_chan)) {
+ channel_send_destroy(or_circ->p_circ_id, or_circ->p_chan, reason);
+ }
+ circuitmux_detach_circuit(or_circ->p_chan->cmux, circ);
+ circuit_set_p_circid_chan(or_circ, 0, NULL);
+ }
+ } else {
+ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+ edge_connection_t *conn;
+ for (conn=ocirc->p_streams; conn; conn=conn->next_stream)
+ connection_edge_destroy(circ->n_circ_id, conn);
+ ocirc->p_streams = NULL;
+ }
+}
+
+/** Given a marked circuit <b>circ</b>, aggressively free its cell queues to
+ * recover memory. */
+static void
+marked_circuit_free_cells(circuit_t *circ)
+{
+ if (!circ->marked_for_close) {
+ log_warn(LD_BUG, "Called on non-marked circuit");
+ return;
+ }
+ cell_queue_clear(&circ->n_chan_cells);
+ if (circ->n_mux)
+ circuitmux_clear_num_cells(circ->n_mux, circ);
+ if (! CIRCUIT_IS_ORIGIN(circ)) {
+ or_circuit_t *orcirc = TO_OR_CIRCUIT(circ);
+ cell_queue_clear(&orcirc->p_chan_cells);
+ if (orcirc->p_mux)
+ circuitmux_clear_num_cells(orcirc->p_mux, circ);
+ }
+}
+
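+/** Aggressively free the buffer contents of <b>conn</b> (and, for directory
+ * connections, any compression state), returning the number of bytes
+ * recovered. */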
+static size_t
+single_conn_free_bytes(connection_t *conn)
+{
+ size_t result = 0;
+ if (conn->inbuf) {
+ result += buf_allocation(conn->inbuf);
+ buf_clear(conn->inbuf);
+ }
+ if (conn->outbuf) {
+ result += buf_allocation(conn->outbuf);
+ buf_clear(conn->outbuf);
+ conn->outbuf_flushlen = 0;
+ }
+ if (conn->type == CONN_TYPE_DIR) {
+ dir_connection_t *dir_conn = TO_DIR_CONN(conn);
+ if (dir_conn->compress_state) {
+ result += tor_compress_state_size(dir_conn->compress_state);
+ tor_compress_free(dir_conn->compress_state);
+ dir_conn->compress_state = NULL;
+ }
+ }
+ return result;
+}
+
+/** Aggressively free buffer contents on all the buffers of all streams in the
+ * list starting at <b>stream</b>. Return the number of bytes recovered. */
+static size_t
+marked_circuit_streams_free_bytes(edge_connection_t *stream)
+{
+ size_t result = 0;
+ for ( ; stream; stream = stream->next_stream) {
+ connection_t *conn = TO_CONN(stream);
+ result += single_conn_free_bytes(conn);
+ if (conn->linked_conn) {
+ result += single_conn_free_bytes(conn->linked_conn);
+ }
+ }
+ return result;
+}
+
+/** Aggressively free buffer contents on all the buffers of all streams on
+ * circuit <b>c</b>. Return the number of bytes recovered. */
+static size_t
+marked_circuit_free_stream_bytes(circuit_t *c)
+{
+ if (CIRCUIT_IS_ORIGIN(c)) {
+ return marked_circuit_streams_free_bytes(TO_ORIGIN_CIRCUIT(c)->p_streams);
+ } else {
+ return marked_circuit_streams_free_bytes(TO_OR_CIRCUIT(c)->n_streams);
+ }
+}
+
+/** Return the number of cells used by the circuit <b>c</b>'s cell queues. */
+STATIC size_t
+n_cells_in_circ_queues(const circuit_t *c)
+{
+ size_t n = c->n_chan_cells.n;
+ if (! CIRCUIT_IS_ORIGIN(c)) {
+ circuit_t *cc = (circuit_t *) c;
+ n += TO_OR_CIRCUIT(cc)->p_chan_cells.n;
+ }
+ return n;
+}
+
+/**
+ * Return the age of the oldest cell queued on <b>c</b>, in timestamp units.
+ * Return 0 if there are no cells queued on c. Requires that <b>now</b> be
+ * the current coarse timestamp.
+ *
+ * This function will return incorrect results if the oldest cell queued on
+ * the circuit is older than about 2**32 msec (about 49 days) old.
+ */
+STATIC uint32_t
+circuit_max_queued_cell_age(const circuit_t *c, uint32_t now)
+{
+ uint32_t age = 0;
+ packed_cell_t *cell;
+
+ if (NULL != (cell = TOR_SIMPLEQ_FIRST(&c->n_chan_cells.head)))
+ age = now - cell->inserted_timestamp;
+
+ if (! CIRCUIT_IS_ORIGIN(c)) {
+ const or_circuit_t *orcirc = CONST_TO_OR_CIRCUIT(c);
+ if (NULL != (cell = TOR_SIMPLEQ_FIRST(&orcirc->p_chan_cells.head))) {
+ uint32_t age2 = now - cell->inserted_timestamp;
+ if (age2 > age)
+ return age2;
+ }
+ }
+ return age;
+}
+
+/** Return the age of the oldest buffer chunk on <b>conn</b>, where age is
+ * taken in timestamp units before the time <b>now_ts</b>. If the connection
+ * has no data, treat it as having age zero.
+ **/
+static uint32_t
+conn_get_buffer_age(const connection_t *conn, uint32_t now_ts)
+{
+ uint32_t age = 0, age2;
+ if (conn->outbuf) {
+ age2 = buf_get_oldest_chunk_timestamp(conn->outbuf, now_ts);
+ if (age2 > age)
+ age = age2;
+ }
+ if (conn->inbuf) {
+ age2 = buf_get_oldest_chunk_timestamp(conn->inbuf, now_ts);
+ if (age2 > age)
+ age = age2;
+ }
+ return age;
+}
+
+/** Return the age in timestamp units of the oldest buffer chunk on any stream
+ * in the linked list <b>stream</b>, where age is taken in timestamp units
+ * before the timestamp <b>now</b>. */
+static uint32_t
+circuit_get_streams_max_data_age(const edge_connection_t *stream, uint32_t now)
+{
+ uint32_t age = 0, age2;
+ for (; stream; stream = stream->next_stream) {
+ const connection_t *conn = TO_CONN(stream);
+ age2 = conn_get_buffer_age(conn, now);
+ if (age2 > age)
+ age = age2;
+ if (conn->linked_conn) {
+ age2 = conn_get_buffer_age(conn->linked_conn, now);
+ if (age2 > age)
+ age = age2;
+ }
+ }
+ return age;
+}
+
+/** Return the age in timestamp units of the oldest buffer chunk on any stream
+ * attached to the circuit <b>c</b>, where age is taken before the timestamp
+ * <b>now</b>. */
+STATIC uint32_t
+circuit_max_queued_data_age(const circuit_t *c, uint32_t now)
+{
+ if (CIRCUIT_IS_ORIGIN(c)) {
+ return circuit_get_streams_max_data_age(
+ CONST_TO_ORIGIN_CIRCUIT(c)->p_streams, now);
+ } else {
+ return circuit_get_streams_max_data_age(
+ CONST_TO_OR_CIRCUIT(c)->n_streams, now);
+ }
+}
+
+/** Return the age of the oldest cell or stream buffer chunk on the circuit
+ * <b>c</b>, where age is taken in timestamp units before the timestamp
+ * <b>now</b> */
+STATIC uint32_t
+circuit_max_queued_item_age(const circuit_t *c, uint32_t now)
+{
+ uint32_t cell_age = circuit_max_queued_cell_age(c, now);
+ uint32_t data_age = circuit_max_queued_data_age(c, now);
+ if (cell_age > data_age)
+ return cell_age;
+ else
+ return data_age;
+}
+
+/** Helper to sort a list of circuit_t by age of oldest item, in descending
+ * order. */
+static int
+circuits_compare_by_oldest_queued_item_(const void **a_, const void **b_)
+{
+ const circuit_t *a = *a_;
+ const circuit_t *b = *b_;
+ uint32_t age_a = a->age_tmp;
+ uint32_t age_b = b->age_tmp;
+
+ if (age_a < age_b)
+ return 1;
+ else if (age_a == age_b)
+ return 0;
+ else
+ return -1;
+}
+
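+/** Coarse timestamp used by conns_compare_by_buffer_age_(); set around the
+ * connection sort in circuits_handle_oom(). */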
+static uint32_t now_ts_for_buf_cmp;
+
+/** Helper to sort a list of connection_t by age of their oldest buffered
+ * data, in descending order. */
+static int
+conns_compare_by_buffer_age_(const void **a_, const void **b_)
+{
+ const connection_t *a = *a_;
+ const connection_t *b = *b_;
+ time_t age_a = conn_get_buffer_age(a, now_ts_for_buf_cmp);
+ time_t age_b = conn_get_buffer_age(b, now_ts_for_buf_cmp);
+
+ if (age_a < age_b)
+ return 1;
+ else if (age_a == age_b)
+ return 0;
+ else
+ return -1;
+}
+
+#define FRACTION_OF_DATA_TO_RETAIN_ON_OOM 0.90
+
+/** We're out of memory for cells, having allocated <b>current_allocation</b>
+ * bytes' worth. Kill the 'worst' circuits until we're under
+ * FRACTION_OF_DATA_TO_RETAIN_ON_OOM of our maximum usage. */
+void
+circuits_handle_oom(size_t current_allocation)
+{
+ smartlist_t *circlist;
+ smartlist_t *connection_array = get_connection_array();
+ int conn_idx;
+ size_t mem_to_recover;
+ size_t mem_recovered=0;
+ int n_circuits_killed=0;
+ int n_dirconns_killed=0;
+ uint32_t now_ts;
+ log_notice(LD_GENERAL, "We're low on memory (cell queues total alloc:"
+ " %"TOR_PRIuSZ" buffer total alloc: %" TOR_PRIuSZ ","
+ " tor compress total alloc: %" TOR_PRIuSZ
+ " (zlib: %" TOR_PRIuSZ ", zstd: %" TOR_PRIuSZ ","
+ " lzma: %" TOR_PRIuSZ "),"
+ " rendezvous cache total alloc: %" TOR_PRIuSZ "). Killing"
+ " circuits withover-long queues. (This behavior is controlled by"
+ " MaxMemInQueues.)",
+ cell_queues_get_total_allocation(),
+ buf_get_total_allocation(),
+ tor_compress_get_total_allocation(),
+ tor_zlib_get_total_allocation(),
+ tor_zstd_get_total_allocation(),
+ tor_lzma_get_total_allocation(),
+ rend_cache_get_total_allocation());
+
+ {
+ size_t mem_target = (size_t)(get_options()->MaxMemInQueues *
+ FRACTION_OF_DATA_TO_RETAIN_ON_OOM);
+ if (current_allocation <= mem_target)
+ return;
+ mem_to_recover = current_allocation - mem_target;
+ }
+
+ now_ts = monotime_coarse_get_stamp();
+
+ circlist = circuit_get_global_list();
+ SMARTLIST_FOREACH_BEGIN(circlist, circuit_t *, circ) {
+ circ->age_tmp = circuit_max_queued_item_age(circ, now_ts);
+ } SMARTLIST_FOREACH_END(circ);
+
+ /* This is O(n log n); there are faster algorithms we could use instead.
+ * Let's hope this doesn't happen enough to be in the critical path. */
+ smartlist_sort(circlist, circuits_compare_by_oldest_queued_item_);
+
+ /* Fix up the indices before we run into trouble */
+ SMARTLIST_FOREACH_BEGIN(circlist, circuit_t *, circ) {
+ circ->global_circuitlist_idx = circ_sl_idx;
+ } SMARTLIST_FOREACH_END(circ);
+
+ /* Now sort the connection array ... */
+ now_ts_for_buf_cmp = now_ts;
+ smartlist_sort(connection_array, conns_compare_by_buffer_age_);
+ now_ts_for_buf_cmp = 0;
+
+ /* Fix up the connection array to its new order. */
+ SMARTLIST_FOREACH_BEGIN(connection_array, connection_t *, conn) {
+ conn->conn_array_index = conn_sl_idx;
+ } SMARTLIST_FOREACH_END(conn);
+
+ /* Okay, now the worst circuits and connections are at the front of their
+ * respective lists. Let's mark them, and reclaim their storage
+ * aggressively. */
+ conn_idx = 0;
+ SMARTLIST_FOREACH_BEGIN(circlist, circuit_t *, circ) {
+ size_t n;
+ size_t freed;
+
+ /* Free storage in any non-linked directory connections that have buffered
+ * data older than this circuit. */
+ while (conn_idx < smartlist_len(connection_array)) {
+ connection_t *conn = smartlist_get(connection_array, conn_idx);
+ uint32_t conn_age = conn_get_buffer_age(conn, now_ts);
+ if (conn_age < circ->age_tmp) {
+ break;
+ }
+ if (conn->type == CONN_TYPE_DIR && conn->linked_conn == NULL) {
+ if (!conn->marked_for_close)
+ connection_mark_for_close(conn);
+ mem_recovered += single_conn_free_bytes(conn);
+
+ ++n_dirconns_killed;
+
+ if (mem_recovered >= mem_to_recover)
+ goto done_recovering_mem;
+ }
+ ++conn_idx;
+ }
+
+ /* Now, kill the circuit. */
+ n = n_cells_in_circ_queues(circ);
+ if (! circ->marked_for_close) {
+ circuit_mark_for_close(circ, END_CIRC_REASON_RESOURCELIMIT);
+ }
+ marked_circuit_free_cells(circ);
+ freed = marked_circuit_free_stream_bytes(circ);
+
+ ++n_circuits_killed;
+
+ mem_recovered += n * packed_cell_mem_cost();
+ mem_recovered += freed;
+
+ if (mem_recovered >= mem_to_recover)
+ goto done_recovering_mem;
+ } SMARTLIST_FOREACH_END(circ);
+
+ done_recovering_mem:
+
+ log_notice(LD_GENERAL, "Removed %"TOR_PRIuSZ" bytes by killing %d circuits; "
+ "%d circuits remain alive. Also killed %d non-linked directory "
+ "connections.",
+ mem_recovered,
+ n_circuits_killed,
+ smartlist_len(circlist) - n_circuits_killed,
+ n_dirconns_killed);
+}
+
+/** Verify that cpath layer <b>cp</b> has all of its invariants
+ * correct. Trigger an assert if anything is invalid.
+ */
+void
+assert_cpath_layer_ok(const crypt_path_t *cp)
+{
+// tor_assert(cp->addr); /* these are zero for rendezvous extra-hops */
+// tor_assert(cp->port);
+ tor_assert(cp);
+ tor_assert(cp->magic == CRYPT_PATH_MAGIC);
+ switch (cp->state)
+ {
+ case CPATH_STATE_OPEN:
+ relay_crypto_assert_ok(&cp->crypto);
+ /* fall through */
+ case CPATH_STATE_CLOSED:
+ /*XXXX Assert that there's no handshake_state either. */
+ tor_assert(!cp->rend_dh_handshake_state);
+ break;
+ case CPATH_STATE_AWAITING_KEYS:
+ /* tor_assert(cp->dh_handshake_state); */
+ break;
+ default:
+ log_fn(LOG_ERR, LD_BUG, "Unexpected state %d", cp->state);
+ tor_assert(0);
+ }
+ tor_assert(cp->package_window >= 0);
+ tor_assert(cp->deliver_window >= 0);
+}
+
+/** Verify that cpath <b>cp</b> has all of its invariants
+ * correct. Trigger an assert if anything is invalid.
+ */
+static void
+assert_cpath_ok(const crypt_path_t *cp)
+{
+ const crypt_path_t *start = cp;
+
+ do {
+ assert_cpath_layer_ok(cp);
+ /* layers must be in sequence of: "open* awaiting? closed*" */
+ if (cp != start) {
+ if (cp->state == CPATH_STATE_AWAITING_KEYS) {
+ tor_assert(cp->prev->state == CPATH_STATE_OPEN);
+ } else if (cp->state == CPATH_STATE_OPEN) {
+ tor_assert(cp->prev->state == CPATH_STATE_OPEN);
+ }
+ }
+ cp = cp->next;
+ tor_assert(cp);
+ } while (cp != start);
+}
+
+/** Verify that circuit <b>c</b> has all of its invariants
+ * correct. Trigger an assert if anything is invalid.
+ */
+MOCK_IMPL(void,
+assert_circuit_ok,(const circuit_t *c))
+{
+ edge_connection_t *conn;
+ const or_circuit_t *or_circ = NULL;
+ const origin_circuit_t *origin_circ = NULL;
+
+ tor_assert(c);
+ tor_assert(c->magic == ORIGIN_CIRCUIT_MAGIC || c->magic == OR_CIRCUIT_MAGIC);
+ tor_assert(c->purpose >= CIRCUIT_PURPOSE_MIN_ &&
+ c->purpose <= CIRCUIT_PURPOSE_MAX_);
+
+ if (CIRCUIT_IS_ORIGIN(c))
+ origin_circ = CONST_TO_ORIGIN_CIRCUIT(c);
+ else
+ or_circ = CONST_TO_OR_CIRCUIT(c);
+
+ if (c->n_chan) {
+ tor_assert(!c->n_hop);
+
+ if (c->n_circ_id) {
+ /* We use the _impl variant here to make sure we don't fail on marked
+ * circuits, which would not be returned by the regular function. */
+ circuit_t *c2 = circuit_get_by_circid_channel_impl(c->n_circ_id,
+ c->n_chan, NULL);
+ tor_assert(c == c2);
+ }
+ }
+ if (or_circ && or_circ->p_chan) {
+ if (or_circ->p_circ_id) {
+ /* ibid */
+ circuit_t *c2 =
+ circuit_get_by_circid_channel_impl(or_circ->p_circ_id,
+ or_circ->p_chan, NULL);
+ tor_assert(c == c2);
+ }
+ }
+ if (or_circ)
+ for (conn = or_circ->n_streams; conn; conn = conn->next_stream)
+ tor_assert(conn->base_.type == CONN_TYPE_EXIT);
+
+ tor_assert(c->deliver_window >= 0);
+ tor_assert(c->package_window >= 0);
+ if (c->state == CIRCUIT_STATE_OPEN ||
+ c->state == CIRCUIT_STATE_GUARD_WAIT) {
+ tor_assert(!c->n_chan_create_cell);
+ if (or_circ) {
+ relay_crypto_assert_ok(&or_circ->crypto);
+ }
+ }
+ if (c->state == CIRCUIT_STATE_CHAN_WAIT && !c->marked_for_close) {
+ tor_assert(circuits_pending_chans &&
+ smartlist_contains(circuits_pending_chans, c));
+ } else {
+ tor_assert(!circuits_pending_chans ||
+ !smartlist_contains(circuits_pending_chans, c));
+ }
+ if (origin_circ && origin_circ->cpath) {
+ assert_cpath_ok(origin_circ->cpath);
+ }
+ if (c->purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED) {
+ tor_assert(or_circ);
+ if (!c->marked_for_close) {
+ tor_assert(or_circ->rend_splice);
+ tor_assert(or_circ->rend_splice->rend_splice == or_circ);
+ }
+ tor_assert(or_circ->rend_splice != or_circ);
+ } else {
+ tor_assert(!or_circ || !or_circ->rend_splice);
+ }
+}
diff --cc src/core/or/connection_edge.c
index ab3c14d2c,000000000..2cc54f774
mode 100644,000000..100644
--- a/src/core/or/connection_edge.c
+++ b/src/core/or/connection_edge.c
@@@ -1,4219 -1,0 +1,4445 @@@
+/* Copyright (c) 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file connection_edge.c
+ * \brief Handle edge streams.
+ *
+ * An edge_connection_t is a subtype of a connection_t, and represents two
+ * critical concepts in Tor: a stream, and an edge connection. From the Tor
+ * protocol's point of view, a stream is a bi-directional channel that is
+ * multiplexed on a single circuit. Each stream on a circuit is identified
+ * with a separate 16-bit stream ID, local to the (circuit,exit) pair.
+ * Streams are created in response to client requests.
+ *
+ * An edge connection is one thing that can implement a stream: it is either a
+ * TCP application socket that has arrived via (e.g.) a SOCKS request, or an
+ * exit connection.
+ *
+ * Not every instance of edge_connection_t truly represents an edge connection,
+ * however. (Sorry!) We also create edge_connection_t objects for streams that
+ * we will not be handling with TCP. The types of these streams are:
+ * <ul>
+ * <li>DNS lookup streams, created on the client side in response to
+ * a UDP DNS request received on a DNSPort, or a RESOLVE command
+ * on a controller.
+ * <li>DNS lookup streams, created on the exit side in response to
+ * a RELAY_RESOLVE cell from a client.
+ * <li>Tunneled directory streams, created on the directory cache side
+ * in response to a RELAY_BEGIN_DIR cell. These streams attach directly
+ * to a dir_connection_t object without ever using TCP.
+ * </ul>
+ *
+ * This module handles general-purpose functionality having to do with
+ * edge_connection_t. On the client side, it accepts various types of
+ * application requests on SocksPorts, TransPorts, and NATDPorts, and
+ * creates streams appropriately.
+ *
+ * This module is also responsible for implementing stream isolation:
+ * ensuring that streams that should not be linkable to one another are
+ * kept to different circuits.
+ *
+ * On the exit side, this module handles the various stream-creating
+ * type of RELAY cells by launching appropriate outgoing connections,
+ * DNS requests, or directory connection objects.
+ *
+ * And for all edge connections, this module is responsible for handling
+ * incoming and outgoing data as it arrives or leaves in the relay.c
+ * module. (Outgoing data will be packaged in
+ * connection_edge_process_inbuf() as it calls
+ * connection_edge_package_raw_inbuf(); incoming data from RELAY_DATA
+ * cells is applied in connection_edge_process_relay_cell().)
+ **/
+#define CONNECTION_EDGE_PRIVATE
+
+#include "core/or/or.h"
+
+#include "lib/err/backtrace.h"
+
+#include "feature/client/addressmap.h"
+#include "lib/container/buffers.h"
+#include "core/or/channel.h"
+#include "feature/client/circpathbias.h"
+#include "core/or/circuitlist.h"
+#include "core/or/circuituse.h"
+#include "app/config/config.h"
+#include "core/mainloop/connection.h"
+#include "core/or/connection_edge.h"
+#include "core/or/connection_or.h"
+#include "feature/control/control.h"
+#include "lib/crypt_ops/crypto_util.h"
+#include "feature/relay/dns.h"
+#include "feature/client/dnsserv.h"
+#include "feature/dircache/directory.h"
+#include "feature/dircache/dirserv.h"
+#include "feature/hibernate/hibernate.h"
+#include "feature/hs/hs_common.h"
+#include "feature/hs/hs_cache.h"
+#include "feature/hs/hs_client.h"
+#include "feature/hs/hs_circuit.h"
+#include "core/mainloop/main.h"
+#include "feature/nodelist/networkstatus.h"
+#include "feature/nodelist/nodelist.h"
+#include "core/or/policies.h"
+#include "core/proto/proto_http.h"
+#include "core/proto/proto_socks.h"
+#include "core/or/reasons.h"
+#include "core/or/relay.h"
+#include "feature/rend/rendclient.h"
+#include "feature/rend/rendcommon.h"
+#include "feature/rend/rendservice.h"
+#include "feature/stats/rephist.h"
+#include "feature/relay/router.h"
+#include "feature/nodelist/routerlist.h"
+#include "feature/nodelist/routerset.h"
+#include "core/or/circuitbuild.h"
+
+#include "core/or/cell_st.h"
+#include "core/or/cpath_build_state_st.h"
+#include "feature/dircommon/dir_connection_st.h"
+#include "core/or/entry_connection_st.h"
+#include "core/or/extend_info_st.h"
+#include "feature/nodelist/node_st.h"
+#include "core/or/or_circuit_st.h"
+#include "core/or/origin_circuit_st.h"
++#include "core/or/half_edge_st.h"
+#include "core/or/socks_request_st.h"
+#include "lib/evloop/compat_libevent.h"
+
+#ifdef HAVE_LINUX_TYPES_H
+#include <linux/types.h>
+#endif
+#ifdef HAVE_LINUX_NETFILTER_IPV4_H
+#include <linux/netfilter_ipv4.h>
+#define TRANS_NETFILTER
+#define TRANS_NETFILTER_IPV4
+#endif
+
+#ifdef HAVE_LINUX_IF_H
+#include <linux/if.h>
+#endif
+
+#ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#if defined(IP6T_SO_ORIGINAL_DST)
+#define TRANS_NETFILTER
+#define TRANS_NETFILTER_IPV6
+#endif
+#endif /* defined(HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H) */
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_IOCTL_H
+#include <sys/ioctl.h>
+#endif
+
+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+#include <net/if.h>
+#include <net/pfvar.h>
+#define TRANS_PF
+#endif
+
+#ifdef IP_TRANSPARENT
+#define TRANS_TPROXY
+#endif
+
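+/* SOCKS4 reply status codes: request granted, and request rejected or
+ * failed. */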
+#define SOCKS4_GRANTED 90
+#define SOCKS4_REJECT 91
+
+static int connection_ap_handshake_process_socks(entry_connection_t *conn);
+static int connection_ap_process_natd(entry_connection_t *conn);
+static int connection_exit_connect_dir(edge_connection_t *exitconn);
+static int consider_plaintext_ports(entry_connection_t *conn, uint16_t port);
+static int connection_ap_supports_optimistic_data(const entry_connection_t *);
++STATIC void connection_half_edge_add(const edge_connection_t *conn,
++ origin_circuit_t *circ);
++STATIC half_edge_t *connection_half_edge_find_stream_id(
++ const smartlist_t *half_conns,
++ streamid_t stream_id);
+
+/** Convert a connection_t* to an edge_connection_t*; assert if the cast is
+ * invalid. */
+edge_connection_t *
+TO_EDGE_CONN(connection_t *c)
+{
+ tor_assert(c->magic == EDGE_CONNECTION_MAGIC ||
+ c->magic == ENTRY_CONNECTION_MAGIC);
+ return DOWNCAST(edge_connection_t, c);
+}
+
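+/** Convert a connection_t* to an entry_connection_t*; assert if the cast is
+ * invalid. */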
+entry_connection_t *
+TO_ENTRY_CONN(connection_t *c)
+{
+ tor_assert(c->magic == ENTRY_CONNECTION_MAGIC);
+ return (entry_connection_t*) SUBTYPE_P(c, entry_connection_t, edge_.base_);
+}
+
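+/** Convert an edge_connection_t* to an entry_connection_t*; assert if the
+ * cast is invalid. */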
+entry_connection_t *
+EDGE_TO_ENTRY_CONN(edge_connection_t *c)
+{
+ tor_assert(c->base_.magic == ENTRY_CONNECTION_MAGIC);
+ return (entry_connection_t*) SUBTYPE_P(c, entry_connection_t, edge_);
+}
+
+/** An AP stream has failed/finished. If it hasn't already sent back
+ * a socks reply, send one now (based on endreason). Also set
+ * has_sent_end to 1, and mark the conn.
+ */
+MOCK_IMPL(void,
+connection_mark_unattached_ap_,(entry_connection_t *conn, int endreason,
+ int line, const char *file))
+{
+ connection_t *base_conn = ENTRY_TO_CONN(conn);
+ edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(conn);
+ tor_assert(base_conn->type == CONN_TYPE_AP);
+ ENTRY_TO_EDGE_CONN(conn)->edge_has_sent_end = 1; /* no circ yet */
+
+ /* If this is a rendezvous stream and it is failing without ever
+ * being attached to a circuit, assume that an attempt to connect to
+ * the destination hidden service has just ended.
+ *
+ * XXXX This condition doesn't limit to only streams failing
+ * without ever being attached. That sloppiness should be harmless,
+ * but we should fix it someday anyway. */
+ if ((edge_conn->on_circuit != NULL || edge_conn->edge_has_sent_end) &&
+ connection_edge_is_rendezvous_stream(edge_conn)) {
+ if (edge_conn->rend_data) {
+ rend_client_note_connection_attempt_ended(edge_conn->rend_data);
+ }
+ }
+
+ if (base_conn->marked_for_close) {
+ /* This call will warn as appropriate. */
+ connection_mark_for_close_(base_conn, line, file);
+ return;
+ }
+
+ if (!conn->socks_request->has_finished) {
+ if (endreason & END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED)
+ log_warn(LD_BUG,
+ "stream (marked at %s:%d) sending two socks replies?",
+ file, line);
+
+ if (SOCKS_COMMAND_IS_CONNECT(conn->socks_request->command))
+ connection_ap_handshake_socks_reply(conn, NULL, 0, endreason);
+ else if (SOCKS_COMMAND_IS_RESOLVE(conn->socks_request->command))
+ connection_ap_handshake_socks_resolved(conn,
+ RESOLVED_TYPE_ERROR_TRANSIENT,
+ 0, NULL, -1, -1);
+ else /* unknown or no handshake at all. send no response. */
+ conn->socks_request->has_finished = 1;
+ }
+
+ connection_mark_and_flush_(base_conn, line, file);
+
+ ENTRY_TO_EDGE_CONN(conn)->end_reason = endreason;
+}
+
+/** There was an EOF. Send an end and mark the connection for close.
+ */
+int
+connection_edge_reached_eof(edge_connection_t *conn)
+{
+ if (connection_get_inbuf_len(TO_CONN(conn)) &&
+ connection_state_is_open(TO_CONN(conn))) {
+ /* it still has stuff to process. don't let it die yet. */
+ return 0;
+ }
+ log_info(LD_EDGE,"conn (fd "TOR_SOCKET_T_FORMAT") reached eof. Closing.",
+ conn->base_.s);
+ if (!conn->base_.marked_for_close) {
+ /* only mark it if not already marked. it's possible to
+ * get the 'end' right around when the client hangs up on us. */
+ connection_edge_end(conn, END_STREAM_REASON_DONE);
+ if (conn->base_.type == CONN_TYPE_AP) {
+ /* eof, so don't send a socks reply back */
+ if (EDGE_TO_ENTRY_CONN(conn)->socks_request)
+ EDGE_TO_ENTRY_CONN(conn)->socks_request->has_finished = 1;
+ }
+ connection_mark_for_close(TO_CONN(conn));
+ }
+ return 0;
+}
+
+/** Handle new bytes on conn->inbuf based on state:
+ * - If it's waiting for socks info, try to read another step of the
+ * socks handshake out of conn->inbuf.
+ * - If it's waiting for the original destination, fetch it.
+ * - If it's open, then package more relay cells from the stream.
+ * - Else, leave the bytes on inbuf alone for now.
+ *
+ * Mark and return -1 if there was an unexpected error with the conn,
+ * else return 0.
+ */
+int
+connection_edge_process_inbuf(edge_connection_t *conn, int package_partial)
+{
+ tor_assert(conn);
+
+ switch (conn->base_.state) {
+ case AP_CONN_STATE_SOCKS_WAIT:
+ if (connection_ap_handshake_process_socks(EDGE_TO_ENTRY_CONN(conn)) <0) {
+ /* already marked */
+ return -1;
+ }
+ return 0;
+ case AP_CONN_STATE_NATD_WAIT:
+ if (connection_ap_process_natd(EDGE_TO_ENTRY_CONN(conn)) < 0) {
+ /* already marked */
+ return -1;
+ }
+ return 0;
+ case AP_CONN_STATE_HTTP_CONNECT_WAIT:
+ if (connection_ap_process_http_connect(EDGE_TO_ENTRY_CONN(conn)) < 0) {
+ return -1;
+ }
+ return 0;
+ case AP_CONN_STATE_OPEN:
+ case EXIT_CONN_STATE_OPEN:
+ if (connection_edge_package_raw_inbuf(conn, package_partial, NULL) < 0) {
+ /* (We already sent an end cell if possible) */
+ connection_mark_for_close(TO_CONN(conn));
+ return -1;
+ }
+ return 0;
+ case AP_CONN_STATE_CONNECT_WAIT:
+ if (connection_ap_supports_optimistic_data(EDGE_TO_ENTRY_CONN(conn))) {
+ log_info(LD_EDGE,
+ "data from edge while in '%s' state. Sending it anyway. "
+ "package_partial=%d, buflen=%ld",
+ conn_state_to_string(conn->base_.type, conn->base_.state),
+ package_partial,
+ (long)connection_get_inbuf_len(TO_CONN(conn)));
+ if (connection_edge_package_raw_inbuf(conn, package_partial, NULL)<0) {
+ /* (We already sent an end cell if possible) */
+ connection_mark_for_close(TO_CONN(conn));
+ return -1;
+ }
+ return 0;
+ }
+ /* Fall through if the connection is on a circuit without optimistic
+ * data support. */
+ /* Falls through. */
+ case EXIT_CONN_STATE_CONNECTING:
+ case AP_CONN_STATE_RENDDESC_WAIT:
+ case AP_CONN_STATE_CIRCUIT_WAIT:
+ case AP_CONN_STATE_RESOLVE_WAIT:
+ case AP_CONN_STATE_CONTROLLER_WAIT:
+ log_info(LD_EDGE,
+ "data from edge while in '%s' state. Leaving it on buffer.",
+ conn_state_to_string(conn->base_.type, conn->base_.state));
+ return 0;
+ }
+ log_warn(LD_BUG,"Got unexpected state %d. Closing.",conn->base_.state);
+ tor_fragile_assert();
+ connection_edge_end(conn, END_STREAM_REASON_INTERNAL);
+ connection_mark_for_close(TO_CONN(conn));
+ return -1;
+}
+
+/** This edge needs to be closed, because its circuit has closed.
+ * Mark it for close and return 0.
+ */
+int
+connection_edge_destroy(circid_t circ_id, edge_connection_t *conn)
+{
+ if (!conn->base_.marked_for_close) {
+ log_info(LD_EDGE, "CircID %u: At an edge. Marking connection for close.",
+ (unsigned) circ_id);
+ if (conn->base_.type == CONN_TYPE_AP) {
+ entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn);
+ connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_DESTROY);
+ control_event_stream_bandwidth(conn);
+ control_event_stream_status(entry_conn, STREAM_EVENT_CLOSED,
+ END_STREAM_REASON_DESTROY);
+ conn->end_reason |= END_STREAM_REASON_FLAG_ALREADY_SENT_CLOSED;
+ } else {
+ /* closing the circuit, nothing to send an END to */
+ conn->edge_has_sent_end = 1;
+ conn->end_reason = END_STREAM_REASON_DESTROY;
+ conn->end_reason |= END_STREAM_REASON_FLAG_ALREADY_SENT_CLOSED;
+ connection_mark_and_flush(TO_CONN(conn));
+ }
+ }
+ conn->cpath_layer = NULL;
+ conn->on_circuit = NULL;
+ return 0;
+}
+
+/** Send a raw end cell to the stream with ID <b>stream_id</b> out over the
+ * <b>circ</b> towards the hop identified with <b>cpath_layer</b>. If this
+ * is not a client connection, set the relay end cell's reason for closing
+ * as <b>reason</b> */
+static int
+relay_send_end_cell_from_edge(streamid_t stream_id, circuit_t *circ,
+ uint8_t reason, crypt_path_t *cpath_layer)
+{
+ char payload[1];
+
+ if (CIRCUIT_PURPOSE_IS_CLIENT(circ->purpose)) {
+ /* Never send the server an informative reason code; it doesn't need to
+ * know why the client stream is failing. */
+ reason = END_STREAM_REASON_MISC;
+ }
+
+ payload[0] = (char) reason;
+
+ /* Note: we have to use relay_send_command_from_edge here, not
+ * connection_edge_end or connection_edge_send_command, since those require
+ * that we have a stream connected to a circuit, and we don't connect to a
+ * circuit until we have a pending/successful resolve. */
+ return relay_send_command_from_edge(stream_id, circ, RELAY_COMMAND_END,
+ payload, 1, cpath_layer);
+}
+
+/* If the connection <b>conn</b> is attempting to connect to an external
+ * destination that is a hidden service and the reason is a connection
+ * refused or timeout, log it so the operator can take appropriate actions.
+ * The log statement is a rate limited warning. */
+static void
+warn_if_hs_unreachable(const edge_connection_t *conn, uint8_t reason)
+{
+ tor_assert(conn);
+
+ if (conn->base_.type == CONN_TYPE_EXIT &&
+ connection_edge_is_rendezvous_stream(conn) &&
+ (reason == END_STREAM_REASON_CONNECTREFUSED ||
+ reason == END_STREAM_REASON_TIMEOUT)) {
+#define WARN_FAILED_HS_CONNECTION 300
+ static ratelim_t warn_limit = RATELIM_INIT(WARN_FAILED_HS_CONNECTION);
+ char *m;
+ if ((m = rate_limit_log(&warn_limit, approx_time()))) {
+ log_warn(LD_EDGE, "Onion service connection to %s failed (%s)",
+ (conn->base_.socket_family == AF_UNIX) ?
+ safe_str(conn->base_.address) :
+ safe_str(fmt_addrport(&conn->base_.addr, conn->base_.port)),
+ stream_end_reason_to_string(reason));
+ tor_free(m);
+ }
+ }
+}
+
+/** Send a relay end cell from stream <b>conn</b> down conn's circuit, and
+ * remember that we've done so. If this is not a client connection, set the
+ * relay end cell's reason for closing as <b>reason</b>.
+ *
+ * Return -1 if this function has already been called on this conn,
+ * else return 0.
+ */
+int
+connection_edge_end(edge_connection_t *conn, uint8_t reason)
+{
+ char payload[RELAY_PAYLOAD_SIZE];
+ size_t payload_len=1;
+ circuit_t *circ;
+ uint8_t control_reason = reason;
+
+ if (conn->edge_has_sent_end) {
+ log_warn(LD_BUG,"(Harmless.) Calling connection_edge_end (reason %d) "
+ "on an already ended stream?", reason);
+ tor_fragile_assert();
+ return -1;
+ }
+
+ if (conn->base_.marked_for_close) {
+ log_warn(LD_BUG,
+ "called on conn that's already marked for close at %s:%d.",
+ conn->base_.marked_for_close_file, conn->base_.marked_for_close);
+ return 0;
+ }
+
+ circ = circuit_get_by_edge_conn(conn);
+ if (circ && CIRCUIT_PURPOSE_IS_CLIENT(circ->purpose)) {
+ /* If this is a client circuit, don't send the server an informative
+ * reason code; it doesn't need to know why the client stream is
+ * failing. */
+ reason = END_STREAM_REASON_MISC;
+ }
+
+ payload[0] = (char)reason;
+ if (reason == END_STREAM_REASON_EXITPOLICY &&
+ !connection_edge_is_rendezvous_stream(conn)) {
+ int addrlen;
+ if (tor_addr_family(&conn->base_.addr) == AF_INET) {
+ set_uint32(payload+1, tor_addr_to_ipv4n(&conn->base_.addr));
+ addrlen = 4;
+ } else {
+ memcpy(payload+1, tor_addr_to_in6_addr8(&conn->base_.addr), 16);
+ addrlen = 16;
+ }
+ set_uint32(payload+1+addrlen, htonl(dns_clip_ttl(conn->address_ttl)));
+ payload_len += 4+addrlen;
+ }
+
+ if (circ && !circ->marked_for_close) {
+ log_debug(LD_EDGE,"Sending end on conn (fd "TOR_SOCKET_T_FORMAT").",
+ conn->base_.s);
++
++ if (CIRCUIT_IS_ORIGIN(circ)) {
++ origin_circuit_t *origin_circ = TO_ORIGIN_CIRCUIT(circ);
++ connection_half_edge_add(conn, origin_circ);
++ }
++
+ connection_edge_send_command(conn, RELAY_COMMAND_END,
+ payload, payload_len);
+    /* We'll log a warning if the connection was to a hidden service and
+     * couldn't be made because the service wasn't available. */
+ warn_if_hs_unreachable(conn, control_reason);
+ } else {
+ log_debug(LD_EDGE,"No circ to send end on conn "
+ "(fd "TOR_SOCKET_T_FORMAT").",
+ conn->base_.s);
+ }
+
+ conn->edge_has_sent_end = 1;
+ conn->end_reason = control_reason;
+ return 0;
+}
+
++/**
++ * Helper function for bsearch.
++ *
++ * As per smartlist_bsearch, return < 0 if key precedes member,
++ * > 0 if member precedes key, and 0 if they are equal.
++ *
++ * This is equivalent to subtraction of the values of key - member
++ * (why does no one ever say that explicitly?).
++ */
++static int
++connection_half_edge_compare_bsearch(const void *key, const void **member)
++{
++ const half_edge_t *e2;
++ tor_assert(key);
++ tor_assert(member && *(half_edge_t**)member);
++ e2 = *(const half_edge_t **)member;
++
++ return *(const streamid_t*)key - e2->stream_id;
++}
++
++/**
++ * Add a half-closed connection to the list, to watch for activity.
++ *
++ * These connections are removed from the list upon receiving an end
++ * cell.
++ */
++STATIC void
++connection_half_edge_add(const edge_connection_t *conn,
++ origin_circuit_t *circ)
++{
++ half_edge_t *half_conn = NULL;
++ int insert_at = 0;
++ int ignored;
++
++ /* Double-check for re-insertion. This should not happen,
++ * but this check is cheap compared to the sort anyway */
++ if (connection_half_edge_find_stream_id(circ->half_streams,
++ conn->stream_id)) {
++ log_warn(LD_BUG, "Duplicate stream close for stream %d on circuit %d",
++ conn->stream_id, circ->global_identifier);
++ return;
++ }
++
++ half_conn = tor_malloc_zero(sizeof(half_edge_t));
++
++ if (!circ->half_streams) {
++ circ->half_streams = smartlist_new();
++ }
++
++ half_conn->stream_id = conn->stream_id;
++
++ // How many sendme's should I expect?
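++  /* package_window starts at STREAMWINDOW_START and drops by one for each
++   * data cell we have packaged; the other end sends one SENDME per
++   * STREAMWINDOW_INCREMENT acknowledged cells, so this is how many
++   * stream-level SENDMEs may still arrive. */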
++ half_conn->sendmes_pending =
++ (STREAMWINDOW_START-conn->package_window)/STREAMWINDOW_INCREMENT;
++
++ // Is there a connected cell pending?
++ half_conn->connected_pending = conn->base_.state ==
++ AP_CONN_STATE_CONNECT_WAIT;
++
++ /* Data should only arrive if we're not waiting on a resolved cell.
++ * It can arrive after waiting on connected, because of optimistic
++ * data. */
++ if (conn->base_.state != AP_CONN_STATE_RESOLVE_WAIT) {
++ // How many more data cells can arrive on this id?
++ half_conn->data_pending = conn->deliver_window;
++ }
++
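++  /* Keep half_streams sorted by stream_id so lookups can use bsearch. */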
++ insert_at = smartlist_bsearch_idx(circ->half_streams, &half_conn->stream_id,
++ connection_half_edge_compare_bsearch,
++ &ignored);
++ smartlist_insert(circ->half_streams, insert_at, half_conn);
++}
++
++/**
++ * Find a streamid_t in the list in O(lg(n)).
++ *
++ * Returns NULL if the list is empty or element is not found.
++ * Returns a pointer to the element if found.
++ */
++STATIC half_edge_t *
++connection_half_edge_find_stream_id(const smartlist_t *half_conns,
++ streamid_t stream_id)
++{
++ if (!half_conns)
++ return NULL;
++
++ return smartlist_bsearch(half_conns, &stream_id,
++ connection_half_edge_compare_bsearch);
++}
++
++/**
++ * Check if this stream_id is in a half-closed state. If so,
++ * check if it still has data cells pending, and decrement that
++ * window if so.
++ *
++ * Return 1 if the data window was not empty.
++ * Return 0 otherwise.
++ */
++int
++connection_half_edge_is_valid_data(const smartlist_t *half_conns,
++ streamid_t stream_id)
++{
++ half_edge_t *half = connection_half_edge_find_stream_id(half_conns,
++ stream_id);
++
++ if (!half)
++ return 0;
++
++ if (half->data_pending > 0) {
++ half->data_pending--;
++ return 1;
++ }
++
++ return 0;
++}
++
++/**
++ * Check if this stream_id is in a half-closed state. If so,
++ * check if it still has a connected cell pending, and decrement
++ * that window if so.
++ *
++ * Return 1 if the connected window was not empty.
++ * Return 0 otherwise.
++ */
++int
++connection_half_edge_is_valid_connected(const smartlist_t *half_conns,
++ streamid_t stream_id)
++{
++ half_edge_t *half = connection_half_edge_find_stream_id(half_conns,
++ stream_id);
++
++ if (!half)
++ return 0;
++
++ if (half->connected_pending) {
++ half->connected_pending = 0;
++ return 1;
++ }
++
++ return 0;
++}
++
++/**
++ * Check if this stream_id is in a half-closed state. If so,
++ * check if it still has sendme cells pending, and decrement that
++ * window if so.
++ *
++ * Return 1 if the sendme window was not empty.
++ * Return 0 otherwise.
++ */
++int
++connection_half_edge_is_valid_sendme(const smartlist_t *half_conns,
++ streamid_t stream_id)
++{
++ half_edge_t *half = connection_half_edge_find_stream_id(half_conns,
++ stream_id);
++
++ if (!half)
++ return 0;
++
++ if (half->sendmes_pending > 0) {
++ half->sendmes_pending--;
++ return 1;
++ }
++
++ return 0;
++}
++
++/**
++ * Check if this stream_id is in a half-closed state. If so, remove
++ * it from the list. No other data should come after the END cell.
++ *
++ * Return 1 if stream_id was in half-closed state.
++ * Return 0 otherwise.
++ */
++int
++connection_half_edge_is_valid_end(smartlist_t *half_conns,
++ streamid_t stream_id)
++{
++ half_edge_t *half;
++ int found, remove_idx;
++
++ if (!half_conns)
++ return 0;
++
++ remove_idx = smartlist_bsearch_idx(half_conns, &stream_id,
++ connection_half_edge_compare_bsearch,
++ &found);
++ if (!found)
++ return 0;
++
++ half = smartlist_get(half_conns, remove_idx);
++ smartlist_del_keeporder(half_conns, remove_idx);
++ tor_free(half);
++ return 1;
++}
++
++/**
++ * Streams that were used to send a RESOLVE cell are closed
++ * when they get the RESOLVED, without an end. So treat
++ * a RESOLVED just like an end, and remove from the list.
++ */
++int
++connection_half_edge_is_valid_resolved(smartlist_t *half_conns,
++ streamid_t stream_id)
++{
++ return connection_half_edge_is_valid_end(half_conns, stream_id);
++}
++
+/** An error has just occurred on an operation on an edge connection
+ * <b>conn</b>. Extract the errno; convert it to an end reason, and send an
+ * appropriate relay end cell to the other end of the connection's circuit.
+ **/
+int
+connection_edge_end_errno(edge_connection_t *conn)
+{
+ uint8_t reason;
+ tor_assert(conn);
+ reason = errno_to_stream_end_reason(tor_socket_errno(conn->base_.s));
+ return connection_edge_end(conn, reason);
+}
+
+/** We just wrote some data to <b>conn</b>; act appropriately.
+ *
+ * (That is, if it's open, consider sending a stream-level sendme cell if we
+ * have just flushed enough.)
+ */
+int
+connection_edge_flushed_some(edge_connection_t *conn)
+{
+ switch (conn->base_.state) {
+ case AP_CONN_STATE_OPEN:
+ case EXIT_CONN_STATE_OPEN:
+ connection_edge_consider_sending_sendme(conn);
+ break;
+ }
+ return 0;
+}
+
+/** Connection <b>conn</b> has finished writing and has no bytes left on
+ * its outbuf.
+ *
+ * If it's in state 'open', stop writing, consider responding with a
+ * sendme, and return.
+ * Otherwise, stop writing and return.
+ *
+ * If <b>conn</b> is broken, mark it for close and return -1, else
+ * return 0.
+ */
+int
+connection_edge_finished_flushing(edge_connection_t *conn)
+{
+ tor_assert(conn);
+
+ switch (conn->base_.state) {
+ case AP_CONN_STATE_OPEN:
+ case EXIT_CONN_STATE_OPEN:
+ connection_edge_consider_sending_sendme(conn);
+ return 0;
+ case AP_CONN_STATE_SOCKS_WAIT:
+ case AP_CONN_STATE_NATD_WAIT:
+ case AP_CONN_STATE_RENDDESC_WAIT:
+ case AP_CONN_STATE_CIRCUIT_WAIT:
+ case AP_CONN_STATE_CONNECT_WAIT:
+ case AP_CONN_STATE_CONTROLLER_WAIT:
+ case AP_CONN_STATE_RESOLVE_WAIT:
+ case AP_CONN_STATE_HTTP_CONNECT_WAIT:
+ return 0;
+ default:
+ log_warn(LD_BUG, "Called in unexpected state %d.",conn->base_.state);
+ tor_fragile_assert();
+ return -1;
+ }
+ return 0;
+}
+
+/** Longest size for the relay payload of a RELAY_CONNECTED cell that we're
+ * able to generate. */
+/* 4 zero bytes; 1 type byte; 16 byte IPv6 address; 4 byte TTL. */
+#define MAX_CONNECTED_CELL_PAYLOAD_LEN 25
+
+/** Set the buffer at <b>payload_out</b> -- which must have at least
+ * MAX_CONNECTED_CELL_PAYLOAD_LEN bytes available -- to the body of a
+ * RELAY_CONNECTED cell indicating that we have connected to <b>addr</b>, and
+ * that the name resolution that led us to <b>addr</b> will be valid for
+ * <b>ttl</b> seconds. Return -1 on error, or the number of bytes used on
+ * success. */
+STATIC int
+connected_cell_format_payload(uint8_t *payload_out,
+ const tor_addr_t *addr,
+ uint32_t ttl)
+{
+ const sa_family_t family = tor_addr_family(addr);
+ int connected_payload_len;
+
+ /* should be needless */
+ memset(payload_out, 0, MAX_CONNECTED_CELL_PAYLOAD_LEN);
+
+ if (family == AF_INET) {
+ set_uint32(payload_out, tor_addr_to_ipv4n(addr));
+ connected_payload_len = 4;
+ } else if (family == AF_INET6) {
+ set_uint32(payload_out, 0);
+ set_uint8(payload_out + 4, 6);
+ memcpy(payload_out + 5, tor_addr_to_in6_addr8(addr), 16);
+ connected_payload_len = 21;
+ } else {
+ return -1;
+ }
+
+ set_uint32(payload_out + connected_payload_len, htonl(dns_clip_ttl(ttl)));
+ connected_payload_len += 4;
+
+ tor_assert(connected_payload_len <= MAX_CONNECTED_CELL_PAYLOAD_LEN);
+
+ return connected_payload_len;
+}
+
+/** Connected handler for exit connections: start writing pending
+ * data, deliver 'CONNECTED' relay cells as appropriate, and check
+ * any pending data that may have been received. */
+int
+connection_edge_finished_connecting(edge_connection_t *edge_conn)
+{
+ connection_t *conn;
+
+ tor_assert(edge_conn);
+ tor_assert(edge_conn->base_.type == CONN_TYPE_EXIT);
+ conn = TO_CONN(edge_conn);
+ tor_assert(conn->state == EXIT_CONN_STATE_CONNECTING);
+
+ log_info(LD_EXIT,"Exit connection to %s:%u (%s) established.",
+ escaped_safe_str(conn->address), conn->port,
+ safe_str(fmt_and_decorate_addr(&conn->addr)));
+
+ rep_hist_note_exit_stream_opened(conn->port);
+
+ conn->state = EXIT_CONN_STATE_OPEN;
+ connection_watch_events(conn, READ_EVENT); /* stop writing, keep reading */
+ if (connection_get_outbuf_len(conn)) /* in case there are any queued relay
+ * cells */
+ connection_start_writing(conn);
+ /* deliver a 'connected' relay cell back through the circuit. */
+ if (connection_edge_is_rendezvous_stream(edge_conn)) {
+ if (connection_edge_send_command(edge_conn,
+ RELAY_COMMAND_CONNECTED, NULL, 0) < 0)
+ return 0; /* circuit is closed, don't continue */
+ } else {
+ uint8_t connected_payload[MAX_CONNECTED_CELL_PAYLOAD_LEN];
+ int connected_payload_len =
+ connected_cell_format_payload(connected_payload, &conn->addr,
+ edge_conn->address_ttl);
+ if (connected_payload_len < 0)
+ return -1;
+
+ if (connection_edge_send_command(edge_conn,
+ RELAY_COMMAND_CONNECTED,
+ (char*)connected_payload, connected_payload_len) < 0)
+ return 0; /* circuit is closed, don't continue */
+ }
+ tor_assert(edge_conn->package_window > 0);
+ /* in case the server has written anything */
+ return connection_edge_process_inbuf(edge_conn, 1);
+}
+
+/** A list of all the entry_connection_t * objects that are not marked
+ * for close, and are in AP_CONN_STATE_CIRCUIT_WAIT.
+ *
+ * (Right now, we check in several places to make sure that this list is
+ * correct. When it's incorrect, we'll fix it, and log a BUG message.)
+ */
+static smartlist_t *pending_entry_connections = NULL;
+
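+/** True iff connections have been added to pending_entry_connections that we
+ * have not yet tried to attach to a circuit. */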
+static int untried_pending_connections = 0;
+
+/**
+ * Mainloop event to tell us to scan for pending connections that can
+ * be attached.
+ */
+static mainloop_event_t *attach_pending_entry_connections_ev = NULL;
+
+/** Common code to connection_(ap|exit)_about_to_close. */
+static void
+connection_edge_about_to_close(edge_connection_t *edge_conn)
+{
+ if (!edge_conn->edge_has_sent_end) {
+ connection_t *conn = TO_CONN(edge_conn);
+ log_warn(LD_BUG, "(Harmless.) Edge connection (marked at %s:%d) "
+ "hasn't sent end yet?",
+ conn->marked_for_close_file, conn->marked_for_close);
+ tor_fragile_assert();
+ }
+}
+
+/** Called when we're about to finally unlink and free an AP (client)
+ * connection: perform necessary accounting and cleanup */
+void
+connection_ap_about_to_close(entry_connection_t *entry_conn)
+{
+ circuit_t *circ;
+ edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(entry_conn);
+ connection_t *conn = ENTRY_TO_CONN(entry_conn);
+
+ connection_edge_about_to_close(edge_conn);
+
+ if (entry_conn->socks_request->has_finished == 0) {
+ /* since conn gets removed right after this function finishes,
+ * there's no point trying to send back a reply at this point. */
+ log_warn(LD_BUG,"Closing stream (marked at %s:%d) without sending"
+ " back a socks reply.",
+ conn->marked_for_close_file, conn->marked_for_close);
+ }
+ if (!edge_conn->end_reason) {
+ log_warn(LD_BUG,"Closing stream (marked at %s:%d) without having"
+ " set end_reason.",
+ conn->marked_for_close_file, conn->marked_for_close);
+ }
+ if (entry_conn->dns_server_request) {
+ log_warn(LD_BUG,"Closing stream (marked at %s:%d) without having"
+ " replied to DNS request.",
+ conn->marked_for_close_file, conn->marked_for_close);
+ dnsserv_reject_request(entry_conn);
+ }
+
+ if (TO_CONN(edge_conn)->state == AP_CONN_STATE_CIRCUIT_WAIT) {
+ smartlist_remove(pending_entry_connections, entry_conn);
+ }
+
+#if 1
+ /* Check to make sure that this isn't in pending_entry_connections if it
+ * didn't actually belong there. */
+ if (TO_CONN(edge_conn)->type == CONN_TYPE_AP) {
+ connection_ap_warn_and_unmark_if_pending_circ(entry_conn,
+ "about_to_close");
+ }
+#endif /* 1 */
+
+ control_event_stream_bandwidth(edge_conn);
+ control_event_stream_status(entry_conn, STREAM_EVENT_CLOSED,
+ edge_conn->end_reason);
+ circ = circuit_get_by_edge_conn(edge_conn);
+ if (circ)
+ circuit_detach_stream(circ, edge_conn);
+}
+
+/** Called when we're about to finally unlink and free an exit
+ * connection: perform necessary accounting and cleanup */
+void
+connection_exit_about_to_close(edge_connection_t *edge_conn)
+{
+ circuit_t *circ;
+ connection_t *conn = TO_CONN(edge_conn);
+
+ connection_edge_about_to_close(edge_conn);
+
+ circ = circuit_get_by_edge_conn(edge_conn);
+ if (circ)
+ circuit_detach_stream(circ, edge_conn);
+ if (conn->state == EXIT_CONN_STATE_RESOLVING) {
+ connection_dns_remove(edge_conn);
+ }
+}
+
+/** Define a schedule for how long to wait between retrying
+ * application connections. Rather than waiting a fixed amount of
+ * time between each retry, we wait 10 seconds each for the first
+ * two tries, and 15 seconds for each retry after
+ * that. Hopefully this will improve the expected user experience. */
+static int
+compute_retry_timeout(entry_connection_t *conn)
+{
+ int timeout = get_options()->CircuitStreamTimeout;
+ if (timeout) /* if our config options override the default, use them */
+ return timeout;
+ if (conn->num_socks_retries < 2) /* try 0 and try 1 */
+ return 10;
+ return 15;
+}
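+
+/* Worked example of the schedule above, assuming CircuitStreamTimeout is left
+ * at its default of 0: the first two timeouts take 10 seconds each and every
+ * later one takes 15 seconds, so after k >= 2 timeouts a stream has spent
+ * 20 + 15*(k-2) seconds waiting in total.  Setting "CircuitStreamTimeout 20"
+ * in torrc would instead make every retry wait 20 seconds. */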
+
+/** Find all general-purpose AP streams waiting for a response that sent their
+ * begin/resolve cell too long ago. Detach from their current circuit, and
+ * mark their current circuit as unsuitable for new streams. Then call
+ * connection_ap_handshake_attach_circuit() to attach to a new circuit (if
+ * available) or launch a new one.
+ *
+ * For rendezvous streams, simply give up after SocksTimeout seconds (with no
+ * retry attempt).
+ */
+void
+connection_ap_expire_beginning(void)
+{
+ edge_connection_t *conn;
+ entry_connection_t *entry_conn;
+ circuit_t *circ;
+ time_t now = time(NULL);
+ const or_options_t *options = get_options();
+ int severity;
+ int cutoff;
+ int seconds_idle, seconds_since_born;
+ smartlist_t *conns = get_connection_array();
+
+ SMARTLIST_FOREACH_BEGIN(conns, connection_t *, base_conn) {
+ if (base_conn->type != CONN_TYPE_AP || base_conn->marked_for_close)
+ continue;
+ entry_conn = TO_ENTRY_CONN(base_conn);
+ conn = ENTRY_TO_EDGE_CONN(entry_conn);
+ /* if it's an internal linked connection, don't yell its status. */
+ severity = (tor_addr_is_null(&base_conn->addr) && !base_conn->port)
+ ? LOG_INFO : LOG_NOTICE;
+ seconds_idle = (int)( now - base_conn->timestamp_last_read_allowed );
+ seconds_since_born = (int)( now - base_conn->timestamp_created );
+
+ if (base_conn->state == AP_CONN_STATE_OPEN)
+ continue;
+
+ /* We already consider SocksTimeout in
+ * connection_ap_handshake_attach_circuit(), but we need to consider
+ * it here too because controllers that put streams in controller_wait
+ * state never ask Tor to attach the circuit. */
+ if (AP_CONN_STATE_IS_UNATTACHED(base_conn->state)) {
+ if (seconds_since_born >= options->SocksTimeout) {
+ log_fn(severity, LD_APP,
+ "Tried for %d seconds to get a connection to %s:%d. "
+ "Giving up. (%s)",
+ seconds_since_born,
+ safe_str_client(entry_conn->socks_request->address),
+ entry_conn->socks_request->port,
+ conn_state_to_string(CONN_TYPE_AP, base_conn->state));
+ connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TIMEOUT);
+ }
+ continue;
+ }
+
+ /* We're in state connect_wait or resolve_wait now -- waiting for a
+ * reply to our relay cell. See if we want to retry/give up. */
+
+ cutoff = compute_retry_timeout(entry_conn);
+ if (seconds_idle < cutoff)
+ continue;
+ circ = circuit_get_by_edge_conn(conn);
+ if (!circ) { /* it's vanished? */
+ log_info(LD_APP,"Conn is waiting (address %s), but lost its circ.",
+ safe_str_client(entry_conn->socks_request->address));
+ connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TIMEOUT);
+ continue;
+ }
+ if (circ->purpose == CIRCUIT_PURPOSE_C_REND_JOINED) {
+ if (seconds_idle >= options->SocksTimeout) {
+ log_fn(severity, LD_REND,
+ "Rend stream is %d seconds late. Giving up on address"
+ " '%s.onion'.",
+ seconds_idle,
+ safe_str_client(entry_conn->socks_request->address));
+ /* Roll back path bias use state so that we probe the circuit
+ * if nothing else succeeds on it */
+ pathbias_mark_use_rollback(TO_ORIGIN_CIRCUIT(circ));
+
+ connection_edge_end(conn, END_STREAM_REASON_TIMEOUT);
+ connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TIMEOUT);
+ }
+ continue;
+ }
+
+ if (circ->purpose != CIRCUIT_PURPOSE_C_GENERAL &&
+ circ->purpose != CIRCUIT_PURPOSE_C_HSDIR_GET &&
+ circ->purpose != CIRCUIT_PURPOSE_S_HSDIR_POST &&
+ circ->purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT &&
+ circ->purpose != CIRCUIT_PURPOSE_PATH_BIAS_TESTING) {
+ log_warn(LD_BUG, "circuit->purpose == CIRCUIT_PURPOSE_C_GENERAL failed. "
+ "The purpose on the circuit was %s; it was in state %s, "
+ "path_state %s.",
+ circuit_purpose_to_string(circ->purpose),
+ circuit_state_to_string(circ->state),
+ CIRCUIT_IS_ORIGIN(circ) ?
+ pathbias_state_to_string(TO_ORIGIN_CIRCUIT(circ)->path_state) :
+ "none");
+ }
+ log_fn(cutoff < 15 ? LOG_INFO : severity, LD_APP,
+ "We tried for %d seconds to connect to '%s' using exit %s."
+ " Retrying on a new circuit.",
+ seconds_idle,
+ safe_str_client(entry_conn->socks_request->address),
+ conn->cpath_layer ?
+ extend_info_describe(conn->cpath_layer->extend_info):
+ "*unnamed*");
+ /* send an end down the circuit */
+ connection_edge_end(conn, END_STREAM_REASON_TIMEOUT);
+ /* un-mark it as ending, since we're going to reuse it */
+ conn->edge_has_sent_end = 0;
+ conn->end_reason = 0;
+ /* make us not try this circuit again, but allow
+ * current streams on it to survive if they can */
+ mark_circuit_unusable_for_new_conns(TO_ORIGIN_CIRCUIT(circ));
+
+ /* give our stream another 'cutoff' seconds to try */
+ conn->base_.timestamp_last_read_allowed += cutoff;
+ if (entry_conn->num_socks_retries < 250) /* avoid overflow */
+ entry_conn->num_socks_retries++;
+ /* move it back into 'pending' state, and try to attach. */
+ if (connection_ap_detach_retriable(entry_conn, TO_ORIGIN_CIRCUIT(circ),
+ END_STREAM_REASON_TIMEOUT)<0) {
+ if (!base_conn->marked_for_close)
+ connection_mark_unattached_ap(entry_conn,
+ END_STREAM_REASON_CANT_ATTACH);
+ }
+ } SMARTLIST_FOREACH_END(base_conn);
+}
+
+/**
+ * As connection_ap_attach_pending, but first scans the entire connection
+ * array to see if any elements are missing.
+ */
+void
+connection_ap_rescan_and_attach_pending(void)
+{
+ entry_connection_t *entry_conn;
+ smartlist_t *conns = get_connection_array();
+
+ if (PREDICT_UNLIKELY(NULL == pending_entry_connections))
+ pending_entry_connections = smartlist_new();
+
+ SMARTLIST_FOREACH_BEGIN(conns, connection_t *, conn) {
+ if (conn->marked_for_close ||
+ conn->type != CONN_TYPE_AP ||
+ conn->state != AP_CONN_STATE_CIRCUIT_WAIT)
+ continue;
+
+ entry_conn = TO_ENTRY_CONN(conn);
+ tor_assert(entry_conn);
+ if (! smartlist_contains(pending_entry_connections, entry_conn)) {
+ log_warn(LD_BUG, "Found a connection %p that was supposed to be "
+ "in pending_entry_connections, but wasn't. No worries; "
+ "adding it.",
+               entry_conn);
+ untried_pending_connections = 1;
+ connection_ap_mark_as_pending_circuit(entry_conn);
+ }
+
+ } SMARTLIST_FOREACH_END(conn);
+
+ connection_ap_attach_pending(1);
+}
+
+#ifdef DEBUGGING_17659
+#define UNMARK() do { \
+ entry_conn->marked_pending_circ_line = 0; \
+ entry_conn->marked_pending_circ_file = 0; \
+ } while (0)
+#else /* !(defined(DEBUGGING_17659)) */
+#define UNMARK() do { } while (0)
+#endif /* defined(DEBUGGING_17659) */
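+
+/* UNMARK() clears the marked_pending_circ_file/line bookkeeping that
+ * connection_ap_mark_as_pending_circuit_() records when DEBUGGING_17659 is
+ * defined; in regular builds it expands to nothing. */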
+
+/** Tell any AP streams that are listed as waiting for a new circuit to try
+ * again. If there is an available circuit for a stream, attach it. Otherwise,
+ * launch a new circuit.
+ *
+ * If <b>retry</b> is false, only check the list if it contains at least one
+ * stream that we have not yet tried to attach to a circuit.
+ */
+void
+connection_ap_attach_pending(int retry)
+{
+ if (PREDICT_UNLIKELY(!pending_entry_connections)) {
+ return;
+ }
+
+ if (untried_pending_connections == 0 && !retry)
+ return;
+
+ /* Don't allow any modifications to list while we are iterating over
+ * it. We'll put streams back on this list if we can't attach them
+ * immediately. */
+ smartlist_t *pending = pending_entry_connections;
+ pending_entry_connections = smartlist_new();
+
+ SMARTLIST_FOREACH_BEGIN(pending,
+ entry_connection_t *, entry_conn) {
+ connection_t *conn = ENTRY_TO_CONN(entry_conn);
+ tor_assert(conn && entry_conn);
+ if (conn->marked_for_close) {
+ UNMARK();
+ continue;
+ }
+ if (conn->magic != ENTRY_CONNECTION_MAGIC) {
+ log_warn(LD_BUG, "%p has impossible magic value %u.",
+ entry_conn, (unsigned)conn->magic);
+ UNMARK();
+ continue;
+ }
+ if (conn->state != AP_CONN_STATE_CIRCUIT_WAIT) {
+ log_warn(LD_BUG, "%p is no longer in circuit_wait. Its current state "
+ "is %s. Why is it on pending_entry_connections?",
+ entry_conn,
+ conn_state_to_string(conn->type, conn->state));
+ UNMARK();
+ continue;
+ }
+
+ /* Okay, we're through the sanity checks. Try to handle this stream. */
+ if (connection_ap_handshake_attach_circuit(entry_conn) < 0) {
+ if (!conn->marked_for_close)
+ connection_mark_unattached_ap(entry_conn,
+ END_STREAM_REASON_CANT_ATTACH);
+ }
+
+ if (! conn->marked_for_close &&
+ conn->type == CONN_TYPE_AP &&
+ conn->state == AP_CONN_STATE_CIRCUIT_WAIT) {
+ /* Is it still waiting for a circuit? If so, we didn't attach it,
+ * so it's still pending. Put it back on the list.
+ */
+ if (!smartlist_contains(pending_entry_connections, entry_conn)) {
+ smartlist_add(pending_entry_connections, entry_conn);
+ continue;
+ }
+ }
+
+ /* If we got here, then we either closed the connection, or
+ * we attached it. */
+ UNMARK();
+ } SMARTLIST_FOREACH_END(entry_conn);
+
+ smartlist_free(pending);
+ untried_pending_connections = 0;
+}
+
+static void
+attach_pending_entry_connections_cb(mainloop_event_t *ev, void *arg)
+{
+ (void)ev;
+ (void)arg;
+ connection_ap_attach_pending(0);
+}
+
+/** Mark <b>entry_conn</b> as needing to get attached to a circuit.
+ *
+ * The connection <b>entry_conn</b> must be in AP_CONN_STATE_CIRCUIT_WAIT and
+ * should not already be pending a circuit. The circuit will get
+ * launched or the connection will get attached the next time we
+ * call connection_ap_attach_pending().
+ */
+void
+connection_ap_mark_as_pending_circuit_(entry_connection_t *entry_conn,
+ const char *fname, int lineno)
+{
+ connection_t *conn = ENTRY_TO_CONN(entry_conn);
+ tor_assert(conn->state == AP_CONN_STATE_CIRCUIT_WAIT);
+ tor_assert(conn->magic == ENTRY_CONNECTION_MAGIC);
+ if (conn->marked_for_close)
+ return;
+
+ if (PREDICT_UNLIKELY(NULL == pending_entry_connections)) {
+ pending_entry_connections = smartlist_new();
+ }
+ if (PREDICT_UNLIKELY(NULL == attach_pending_entry_connections_ev)) {
+ attach_pending_entry_connections_ev = mainloop_event_postloop_new(
+ attach_pending_entry_connections_cb, NULL);
+ }
+ if (PREDICT_UNLIKELY(smartlist_contains(pending_entry_connections,
+ entry_conn))) {
+ log_warn(LD_BUG, "What?? pending_entry_connections already contains %p! "
+ "(Called from %s:%d.)",
+ entry_conn, fname, lineno);
+#ifdef DEBUGGING_17659
+ const char *f2 = entry_conn->marked_pending_circ_file;
+ log_warn(LD_BUG, "(Previously called from %s:%d.)\n",
+ f2 ? f2 : "<NULL>",
+ entry_conn->marked_pending_circ_line);
+#endif /* defined(DEBUGGING_17659) */
+ log_backtrace(LOG_WARN, LD_BUG, "To debug, this may help");
+ return;
+ }
+
+#ifdef DEBUGGING_17659
+ entry_conn->marked_pending_circ_line = (uint16_t) lineno;
+ entry_conn->marked_pending_circ_file = fname;
+#endif
+
+ untried_pending_connections = 1;
+ smartlist_add(pending_entry_connections, entry_conn);
+
+ mainloop_event_activate(attach_pending_entry_connections_ev);
+}
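+
+/* Callers normally reach the function above through the
+ * connection_ap_mark_as_pending_circuit() wrapper (presumably defined in the
+ * corresponding header), which supplies __FILE__ and __LINE__ so that a
+ * duplicate addition can be traced back to its call site. */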
+
+/** Mark <b>entry_conn</b> as no longer waiting for a circuit. */
+void
+connection_ap_mark_as_non_pending_circuit(entry_connection_t *entry_conn)
+{
+ if (PREDICT_UNLIKELY(NULL == pending_entry_connections))
+ return;
+ UNMARK();
+ smartlist_remove(pending_entry_connections, entry_conn);
+}
+
+/** If <b>entry_conn</b> is still listed in pending_entry_connections, log it
+ * as a bug (naming <b>where</b> we noticed it) and remove it from the
+ * list. */
+void
+connection_ap_warn_and_unmark_if_pending_circ(entry_connection_t *entry_conn,
+ const char *where)
+{
+ if (pending_entry_connections &&
+ smartlist_contains(pending_entry_connections, entry_conn)) {
+ log_warn(LD_BUG, "What was %p doing in pending_entry_connections in %s?",
+ entry_conn, where);
+ connection_ap_mark_as_non_pending_circuit(entry_conn);
+ }
+}
+
+/** Tell any AP streams that are waiting for a one-hop tunnel to
+ * <b>failed_digest</b> that they are going to fail. */
+/* XXXX We should get rid of this function, and instead attach
+ * one-hop streams to circ->p_streams so they get marked in
+ * circuit_mark_for_close like normal p_streams. */
+void
+connection_ap_fail_onehop(const char *failed_digest,
+ cpath_build_state_t *build_state)
+{
+ entry_connection_t *entry_conn;
+ char digest[DIGEST_LEN];
+ smartlist_t *conns = get_connection_array();
+ SMARTLIST_FOREACH_BEGIN(conns, connection_t *, conn) {
+ if (conn->marked_for_close ||
+ conn->type != CONN_TYPE_AP ||
+ conn->state != AP_CONN_STATE_CIRCUIT_WAIT)
+ continue;
+ entry_conn = TO_ENTRY_CONN(conn);
+ if (!entry_conn->want_onehop)
+ continue;
+ if (hexdigest_to_digest(entry_conn->chosen_exit_name, digest) < 0 ||
+ tor_memneq(digest, failed_digest, DIGEST_LEN))
+ continue;
+ if (tor_digest_is_zero(digest)) {
+ /* we don't know the digest; have to compare addr:port */
+ tor_addr_t addr;
+ if (!build_state || !build_state->chosen_exit ||
+ !entry_conn->socks_request) {
+ continue;
+ }
+ if (tor_addr_parse(&addr, entry_conn->socks_request->address)<0 ||
+ !tor_addr_eq(&build_state->chosen_exit->addr, &addr) ||
+ build_state->chosen_exit->port != entry_conn->socks_request->port)
+ continue;
+ }
+ log_info(LD_APP, "Closing one-hop stream to '%s/%s' because the OR conn "
+ "just failed.", entry_conn->chosen_exit_name,
+ entry_conn->socks_request->address);
+ connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TIMEOUT);
+ } SMARTLIST_FOREACH_END(conn);
+}
+
+/** A circuit failed to finish on its last hop <b>info</b>. If there
+ * are any streams waiting with this exit node in mind, but they
+ * don't absolutely require it, make them give up on it.
+ */
+void
+circuit_discard_optional_exit_enclaves(extend_info_t *info)
+{
+ entry_connection_t *entry_conn;
+ const node_t *r1, *r2;
+
+ smartlist_t *conns = get_connection_array();
+ SMARTLIST_FOREACH_BEGIN(conns, connection_t *, conn) {
+ if (conn->marked_for_close ||
+ conn->type != CONN_TYPE_AP ||
+ conn->state != AP_CONN_STATE_CIRCUIT_WAIT)
+ continue;
+ entry_conn = TO_ENTRY_CONN(conn);
+ if (!entry_conn->chosen_exit_optional &&
+ !entry_conn->chosen_exit_retries)
+ continue;
+ r1 = node_get_by_nickname(entry_conn->chosen_exit_name,
+ NNF_NO_WARN_UNNAMED);
+ r2 = node_get_by_id(info->identity_digest);
+ if (!r1 || !r2 || r1 != r2)
+ continue;
+ tor_assert(entry_conn->socks_request);
+ if (entry_conn->chosen_exit_optional) {
+ log_info(LD_APP, "Giving up on enclave exit '%s' for destination %s.",
+ safe_str_client(entry_conn->chosen_exit_name),
+ escaped_safe_str_client(entry_conn->socks_request->address));
+ entry_conn->chosen_exit_optional = 0;
+ tor_free(entry_conn->chosen_exit_name); /* clears it */
+ /* if this port is dangerous, warn or reject it now that we don't
+ * think it'll be using an enclave. */
+ consider_plaintext_ports(entry_conn, entry_conn->socks_request->port);
+ }
+ if (entry_conn->chosen_exit_retries) {
+ if (--entry_conn->chosen_exit_retries == 0) { /* give up! */
+ clear_trackexithost_mappings(entry_conn->chosen_exit_name);
+ tor_free(entry_conn->chosen_exit_name); /* clears it */
+ /* if this port is dangerous, warn or reject it now that we don't
+ * think it'll be using an enclave. */
+ consider_plaintext_ports(entry_conn, entry_conn->socks_request->port);
+ }
+ }
+ } SMARTLIST_FOREACH_END(conn);
+}
+
+/** The AP connection <b>conn</b> has just failed while attaching or
+ * sending a BEGIN or resolving on <b>circ</b>, but another circuit
+ * might work. Detach the circuit, and either reattach it, launch a
+ * new circuit, tell the controller, or give up as appropriate.
+ *
+ * Returns -1 on error, 1 on success, 0 on not-yet-sure.
+ */
+int
+connection_ap_detach_retriable(entry_connection_t *conn,
+ origin_circuit_t *circ,
+ int reason)
+{
+ control_event_stream_status(conn, STREAM_EVENT_FAILED_RETRIABLE, reason);
+ ENTRY_TO_CONN(conn)->timestamp_last_read_allowed = time(NULL);
+
+ /* Roll back path bias use state so that we probe the circuit
+ * if nothing else succeeds on it */
+ pathbias_mark_use_rollback(circ);
+
+ if (conn->pending_optimistic_data) {
+ buf_set_to_copy(&conn->sending_optimistic_data,
+ conn->pending_optimistic_data);
+ }
+
+ if (!get_options()->LeaveStreamsUnattached || conn->use_begindir) {
+    /* If we're attaching streams ourselves, or if this connection is
+ * a tunneled directory connection, then just attach it. */
+ ENTRY_TO_CONN(conn)->state = AP_CONN_STATE_CIRCUIT_WAIT;
+ circuit_detach_stream(TO_CIRCUIT(circ),ENTRY_TO_EDGE_CONN(conn));
+ connection_ap_mark_as_pending_circuit(conn);
+ } else {
+ CONNECTION_AP_EXPECT_NONPENDING(conn);
+ ENTRY_TO_CONN(conn)->state = AP_CONN_STATE_CONTROLLER_WAIT;
+ circuit_detach_stream(TO_CIRCUIT(circ),ENTRY_TO_EDGE_CONN(conn));
+ }
+ return 0;
+}
+
+/** Check if <b>conn</b> is using a dangerous port. Then warn and/or
+ * reject depending on our config options. */
+static int
+consider_plaintext_ports(entry_connection_t *conn, uint16_t port)
+{
+ const or_options_t *options = get_options();
+ int reject = smartlist_contains_int_as_string(
+ options->RejectPlaintextPorts, port);
+
+ if (smartlist_contains_int_as_string(options->WarnPlaintextPorts, port)) {
+ log_warn(LD_APP, "Application request to port %d: this port is "
+ "commonly used for unencrypted protocols. Please make sure "
+ "you don't send anything you would mind the rest of the "
+ "Internet reading!%s", port, reject ? " Closing." : "");
+ control_event_client_status(LOG_WARN, "DANGEROUS_PORT PORT=%d RESULT=%s",
+ port, reject ? "REJECT" : "WARN");
+ }
+
+ if (reject) {
+ log_info(LD_APP, "Port %d listed in RejectPlaintextPorts. Closing.", port);
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ }
+
+ return 0;
+}
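+
+/* Illustrative torrc lines (not part of this change) that exercise the
+ * checks above:
+ *
+ *   WarnPlaintextPorts 23,109,110,143
+ *   RejectPlaintextPorts 23
+ *
+ * With that configuration, a request to port 110 draws the warning and a
+ * DANGEROUS_PORT control event, while a request to port 23 is additionally
+ * closed with END_STREAM_REASON_ENTRYPOLICY. */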
+
+/** How many times do we try connecting with an exit configured via
+ * TrackHostExits before concluding that it won't work any more and trying a
+ * different one? */
+#define TRACKHOSTEXITS_RETRIES 5
+
+/** Call connection_ap_handshake_rewrite_and_attach() unless a controller
+ * asked us to leave streams unattached. Return 0 in that case.
+ *
+ * See connection_ap_handshake_rewrite_and_attach()'s
+ * documentation for arguments and return value.
+ */
+MOCK_IMPL(int,
+connection_ap_rewrite_and_attach_if_allowed,(entry_connection_t *conn,
+ origin_circuit_t *circ,
+ crypt_path_t *cpath))
+{
+ const or_options_t *options = get_options();
+
+ if (options->LeaveStreamsUnattached) {
+ CONNECTION_AP_EXPECT_NONPENDING(conn);
+ ENTRY_TO_CONN(conn)->state = AP_CONN_STATE_CONTROLLER_WAIT;
+ return 0;
+ }
+ return connection_ap_handshake_rewrite_and_attach(conn, circ, cpath);
+}
+
+/** Try to perform any map-based rewriting of the target address in
+ * <b>conn</b>, filling in the fields of <b>out</b> as we go, and modifying
+ * conn->socks_request.address as appropriate.
+ */
+STATIC void
+connection_ap_handshake_rewrite(entry_connection_t *conn,
+ rewrite_result_t *out)
+{
+ socks_request_t *socks = conn->socks_request;
+ const or_options_t *options = get_options();
+ tor_addr_t addr_tmp;
+
+ /* Initialize all the fields of 'out' to reasonable defaults */
+ out->automap = 0;
+ out->exit_source = ADDRMAPSRC_NONE;
+ out->map_expires = TIME_MAX;
+ out->end_reason = 0;
+ out->should_close = 0;
+ out->orig_address[0] = 0;
+
+ /* We convert all incoming addresses to lowercase. */
+ tor_strlower(socks->address);
+ /* Remember the original address. */
+ strlcpy(out->orig_address, socks->address, sizeof(out->orig_address));
+ log_debug(LD_APP,"Client asked for %s:%d",
+ safe_str_client(socks->address),
+ socks->port);
+
+ /* Check for whether this is a .exit address. By default, those are
+ * disallowed when they're coming straight from the client, but you're
+ * allowed to have them in MapAddress commands and so forth. */
+ if (!strcmpend(socks->address, ".exit")) {
+ log_warn(LD_APP, "The \".exit\" notation is disabled in Tor due to "
+ "security risks.");
+ control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
+ escaped(socks->address));
+ out->end_reason = END_STREAM_REASON_TORPROTOCOL;
+ out->should_close = 1;
+ return;
+ }
+
+ /* Remember the original address so we can tell the user about what
+ * they actually said, not just what it turned into. */
+ /* XXX yes, this is the same as out->orig_address above. One is
+ * in the output, and one is in the connection. */
+ if (! conn->original_dest_address) {
+ /* Is the 'if' necessary here? XXXX */
+ conn->original_dest_address = tor_strdup(conn->socks_request->address);
+ }
+
+ /* First, apply MapAddress and MAPADDRESS mappings. We need to do
+ * these only for non-reverse lookups, since they don't exist for those.
+ * We also need to do this before we consider automapping, since we might
+ * e.g. resolve irc.oftc.net into irconionaddress.onion, at which point
+ * we'd need to automap it. */
+ if (socks->command != SOCKS_COMMAND_RESOLVE_PTR) {
+ const unsigned rewrite_flags = AMR_FLAG_USE_MAPADDRESS;
+ if (addressmap_rewrite(socks->address, sizeof(socks->address),
+ rewrite_flags, &out->map_expires, &out->exit_source)) {
+ control_event_stream_status(conn, STREAM_EVENT_REMAP,
+ REMAP_STREAM_SOURCE_CACHE);
+ }
+ }
+
+ /* Now see if we need to create or return an existing Hostname->IP
+ * automapping. Automapping happens when we're asked to resolve a
+ * hostname, and AutomapHostsOnResolve is set, and the hostname has a
+ * suffix listed in AutomapHostsSuffixes. It's a handy feature
+ * that lets you have Tor assign e.g. IPv6 addresses for .onion
+ * names, and return them safely from DNSPort.
+ */
+ if (socks->command == SOCKS_COMMAND_RESOLVE &&
+ tor_addr_parse(&addr_tmp, socks->address)<0 &&
+ options->AutomapHostsOnResolve) {
+ /* Check the suffix... */
+ out->automap = addressmap_address_should_automap(socks->address, options);
+ if (out->automap) {
+ /* If we get here, then we should apply an automapping for this. */
+ const char *new_addr;
+ /* We return an IPv4 address by default, or an IPv6 address if we
+ * are allowed to do so. */
+ int addr_type = RESOLVED_TYPE_IPV4;
+ if (conn->socks_request->socks_version != 4) {
+ if (!conn->entry_cfg.ipv4_traffic ||
+ (conn->entry_cfg.ipv6_traffic && conn->entry_cfg.prefer_ipv6) ||
+ conn->entry_cfg.prefer_ipv6_virtaddr)
+ addr_type = RESOLVED_TYPE_IPV6;
+ }
+ /* Okay, register the target address as automapped, and find the new
+ * address we're supposed to give as a resolve answer. (Return a cached
+       * value if we've looked up this address before.)
+ */
+ new_addr = addressmap_register_virtual_address(
+ addr_type, tor_strdup(socks->address));
+ if (! new_addr) {
+ log_warn(LD_APP, "Unable to automap address %s",
+ escaped_safe_str(socks->address));
+ out->end_reason = END_STREAM_REASON_INTERNAL;
+ out->should_close = 1;
+ return;
+ }
+ log_info(LD_APP, "Automapping %s to %s",
+ escaped_safe_str_client(socks->address),
+ safe_str_client(new_addr));
+ strlcpy(socks->address, new_addr, sizeof(socks->address));
+ }
+ }
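+
+  /* Illustrative torrc settings (not part of this change) that enable the
+   * automapping above:
+   *
+   *   AutomapHostsOnResolve 1
+   *   AutomapHostsSuffixes .onion
+   *
+   * A RESOLVE of "example.onion" through DNSPort then gets answered with an
+   * address from the virtual range, and a later CONNECT to that address is
+   * mapped back to "example.onion" by the AMR_FLAG_USE_AUTOMAP rewrite pass
+   * further down in this function. */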
+
+ /* Now handle reverse lookups, if they're in the cache. This doesn't
+ * happen too often, since client-side DNS caching is off by default,
+ * and very deprecated. */
+ if (socks->command == SOCKS_COMMAND_RESOLVE_PTR) {
+ unsigned rewrite_flags = 0;
+ if (conn->entry_cfg.use_cached_ipv4_answers)
+ rewrite_flags |= AMR_FLAG_USE_IPV4_DNS;
+ if (conn->entry_cfg.use_cached_ipv6_answers)
+ rewrite_flags |= AMR_FLAG_USE_IPV6_DNS;
+
+ if (addressmap_rewrite_reverse(socks->address, sizeof(socks->address),
+ rewrite_flags, &out->map_expires)) {
+ char *result = tor_strdup(socks->address);
+ /* remember _what_ is supposed to have been resolved. */
+ tor_snprintf(socks->address, sizeof(socks->address), "REVERSE[%s]",
+ out->orig_address);
+ connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_HOSTNAME,
+ strlen(result), (uint8_t*)result,
+ -1,
+ out->map_expires);
+ tor_free(result);
+ out->end_reason = END_STREAM_REASON_DONE |
+ END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED;
+ out->should_close = 1;
+ return;
+ }
+
+ /* Hang on, did we find an answer saying that this is a reverse lookup for
+ * an internal address? If so, we should reject it if we're configured to
+ * do so. */
+ if (options->ClientDNSRejectInternalAddresses) {
+ /* Don't let clients try to do a reverse lookup on 10.0.0.1. */
+ tor_addr_t addr;
+ int ok;
+ ok = tor_addr_parse_PTR_name(
+ &addr, socks->address, AF_UNSPEC, 1);
+ if (ok == 1 && tor_addr_is_internal(&addr, 0)) {
+ connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_ERROR,
+ 0, NULL, -1, TIME_MAX);
+ out->end_reason = END_STREAM_REASON_SOCKSPROTOCOL |
+ END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED;
+ out->should_close = 1;
+ return;
+ }
+ }
+ }
+
+ /* If we didn't automap it before, then this is still the address that
+ * came straight from the user, mapped according to any
+ * MapAddress/MAPADDRESS commands. Now apply other mappings,
+ * including previously registered Automap entries (IP back to
+ * hostname), TrackHostExits entries, and client-side DNS cache
+ * entries (if they're turned on).
+ */
+ if (socks->command != SOCKS_COMMAND_RESOLVE_PTR &&
+ !out->automap) {
+ unsigned rewrite_flags = AMR_FLAG_USE_AUTOMAP | AMR_FLAG_USE_TRACKEXIT;
+ addressmap_entry_source_t exit_source2;
+ if (conn->entry_cfg.use_cached_ipv4_answers)
+ rewrite_flags |= AMR_FLAG_USE_IPV4_DNS;
+ if (conn->entry_cfg.use_cached_ipv6_answers)
+ rewrite_flags |= AMR_FLAG_USE_IPV6_DNS;
+ if (addressmap_rewrite(socks->address, sizeof(socks->address),
+ rewrite_flags, &out->map_expires, &exit_source2)) {
+ control_event_stream_status(conn, STREAM_EVENT_REMAP,
+ REMAP_STREAM_SOURCE_CACHE);
+ }
+ if (out->exit_source == ADDRMAPSRC_NONE) {
+ /* If it wasn't a .exit before, maybe it turned into a .exit. Remember
+ * the original source of a .exit. */
+ out->exit_source = exit_source2;
+ }
+ }
+
+ /* Check to see whether we're about to use an address in the virtual
+ * range without actually having gotten it from an Automap. */
+ if (!out->automap && address_is_in_virtual_range(socks->address)) {
+ /* This address was probably handed out by
+ * client_dns_get_unmapped_address, but the mapping was discarded for some
+ * reason. Or the user typed in a virtual address range manually. We
+ * *don't* want to send the address through Tor; that's likely to fail,
+ * and may leak information.
+ */
+ log_warn(LD_APP,"Missing mapping for virtual address '%s'. Refusing.",
+ safe_str_client(socks->address));
+ out->end_reason = END_STREAM_REASON_INTERNAL;
+ out->should_close = 1;
+ return;
+ }
+}
+
+/** We just received a SOCKS request in <b>conn</b> to an onion address of type
+ * <b>addresstype</b>. Start connecting to the onion service. */
+static int
+connection_ap_handle_onion(entry_connection_t *conn,
+ socks_request_t *socks,
+ origin_circuit_t *circ,
+ hostname_type_t addresstype)
+{
+ time_t now = approx_time();
+ connection_t *base_conn = ENTRY_TO_CONN(conn);
+
+ /* If .onion address requests are disabled, refuse the request */
+ if (!conn->entry_cfg.onion_traffic) {
+ log_warn(LD_APP, "Onion address %s requested from a port with .onion "
+ "disabled", safe_str_client(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ }
+
+ /* Check whether it's RESOLVE or RESOLVE_PTR. We don't handle those
+ * for hidden service addresses. */
+ if (SOCKS_COMMAND_IS_RESOLVE(socks->command)) {
+ /* if it's a resolve request, fail it right now, rather than
+ * building all the circuits and then realizing it won't work. */
+ log_warn(LD_APP,
+ "Resolve requests to hidden services not allowed. Failing.");
+ connection_ap_handshake_socks_resolved(conn,RESOLVED_TYPE_ERROR,
+ 0,NULL,-1,TIME_MAX);
+ connection_mark_unattached_ap(conn,
+ END_STREAM_REASON_SOCKSPROTOCOL |
+ END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
+ return -1;
+ }
+
+ /* If we were passed a circuit, then we need to fail. .onion addresses
+ * only work when we launch our own circuits for now. */
+ if (circ) {
+ log_warn(LD_CONTROL, "Attachstream to a circuit is not "
+ "supported for .onion addresses currently. Failing.");
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return -1;
+ }
+
+  /* Interface: regardless of HS version, after the block below we should have
+     set onion_address, rend_cache_lookup_result, and descriptor_is_usable. */
+ const char *onion_address = NULL;
+ int rend_cache_lookup_result = -ENOENT;
+ int descriptor_is_usable = 0;
+
+ if (addresstype == ONION_V2_HOSTNAME) { /* it's a v2 hidden service */
+ rend_cache_entry_t *entry = NULL;
+ /* Look up if we have client authorization configured for this hidden
+ * service. If we do, associate it with the rend_data. */
+ rend_service_authorization_t *client_auth =
+ rend_client_lookup_service_authorization(socks->address);
+
+ const uint8_t *cookie = NULL;
+ rend_auth_type_t auth_type = REND_NO_AUTH;
+ if (client_auth) {
+ log_info(LD_REND, "Using previously configured client authorization "
+ "for hidden service request.");
+ auth_type = client_auth->auth_type;
+ cookie = client_auth->descriptor_cookie;
+ }
+
+ /* Fill in the rend_data field so we can start doing a connection to
+ * a hidden service. */
+ rend_data_t *rend_data = ENTRY_TO_EDGE_CONN(conn)->rend_data =
+ rend_data_client_create(socks->address, NULL, (char *) cookie,
+ auth_type);
+ if (rend_data == NULL) {
+ return -1;
+ }
+ onion_address = rend_data_get_address(rend_data);
+ log_info(LD_REND,"Got a hidden service request for ID '%s'",
+ safe_str_client(onion_address));
+
+ rend_cache_lookup_result = rend_cache_lookup_entry(onion_address,-1,
+ &entry);
+ if (!rend_cache_lookup_result && entry) {
+ descriptor_is_usable = rend_client_any_intro_points_usable(entry);
+ }
+ } else { /* it's a v3 hidden service */
+ tor_assert(addresstype == ONION_V3_HOSTNAME);
+ const hs_descriptor_t *cached_desc = NULL;
+ int retval;
+ /* Create HS conn identifier with HS pubkey */
+ hs_ident_edge_conn_t *hs_conn_ident =
+ tor_malloc_zero(sizeof(hs_ident_edge_conn_t));
+
+ retval = hs_parse_address(socks->address, &hs_conn_ident->identity_pk,
+ NULL, NULL);
+ if (retval < 0) {
+ log_warn(LD_GENERAL, "failed to parse hs address");
+ tor_free(hs_conn_ident);
+ return -1;
+ }
+ ENTRY_TO_EDGE_CONN(conn)->hs_ident = hs_conn_ident;
+
+ onion_address = socks->address;
+
+ /* Check the v3 desc cache */
+ cached_desc = hs_cache_lookup_as_client(&hs_conn_ident->identity_pk);
+ if (cached_desc) {
+ rend_cache_lookup_result = 0;
+ descriptor_is_usable =
+ hs_client_any_intro_points_usable(&hs_conn_ident->identity_pk,
+ cached_desc);
+ log_info(LD_GENERAL, "Found %s descriptor in cache for %s. %s.",
+ (descriptor_is_usable) ? "usable" : "unusable",
+ safe_str_client(onion_address),
+ (descriptor_is_usable) ? "Not fetching." : "Refecting.");
+ } else {
+ rend_cache_lookup_result = -ENOENT;
+ }
+ }
+
+ /* Lookup the given onion address. If invalid, stop right now.
+ * Otherwise, we might have it in the cache or not. */
+ unsigned int refetch_desc = 0;
+ if (rend_cache_lookup_result < 0) {
+ switch (-rend_cache_lookup_result) {
+ case EINVAL:
+ /* We should already have rejected this address! */
+ log_warn(LD_BUG,"Invalid service name '%s'",
+ safe_str_client(onion_address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return -1;
+ case ENOENT:
+ /* We didn't have this; we should look it up. */
+ log_info(LD_REND, "No descriptor found in our cache for %s. Fetching.",
+ safe_str_client(onion_address));
+ refetch_desc = 1;
+ break;
+ default:
+ log_warn(LD_BUG, "Unknown cache lookup error %d",
+ rend_cache_lookup_result);
+ return -1;
+ }
+ }
+
+ /* Help predict that we'll want to do hidden service circuits in the
+ * future. We're not sure if it will need a stable circuit yet, but
+ * we know we'll need *something*. */
+ rep_hist_note_used_internal(now, 0, 1);
+
+ /* Now we have a descriptor but is it usable or not? If not, refetch.
+ * Also, a fetch could have been requested if the onion address was not
+ * found in the cache previously. */
+ if (refetch_desc || !descriptor_is_usable) {
+ edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(conn);
+ connection_ap_mark_as_non_pending_circuit(conn);
+ base_conn->state = AP_CONN_STATE_RENDDESC_WAIT;
+ if (addresstype == ONION_V2_HOSTNAME) {
+ tor_assert(edge_conn->rend_data);
+ rend_client_refetch_v2_renddesc(edge_conn->rend_data);
+ /* Whatever the result of the refetch, we don't go further. */
+ return 0;
+ } else {
+ tor_assert(addresstype == ONION_V3_HOSTNAME);
+ tor_assert(edge_conn->hs_ident);
+ /* Attempt to fetch the hsv3 descriptor. Check the retval to see how it
+ * went and act accordingly. */
+ int ret = hs_client_refetch_hsdesc(&edge_conn->hs_ident->identity_pk);
+ switch (ret) {
+ case HS_CLIENT_FETCH_MISSING_INFO:
+ /* Keeping the connection in descriptor wait state is fine because
+ * once we get enough dirinfo or a new live consensus, the HS client
+ * subsystem is notified and every connection in that state will
+ * trigger a fetch for the service key. */
+ case HS_CLIENT_FETCH_LAUNCHED:
+ case HS_CLIENT_FETCH_PENDING:
+ case HS_CLIENT_FETCH_HAVE_DESC:
+ return 0;
+ case HS_CLIENT_FETCH_ERROR:
+ case HS_CLIENT_FETCH_NO_HSDIRS:
+ case HS_CLIENT_FETCH_NOT_ALLOWED:
+ /* Can't proceed further and better close the SOCKS request. */
+ return -1;
+ }
+ }
+ }
+
+ /* We have the descriptor! So launch a connection to the HS. */
+ log_info(LD_REND, "Descriptor is here. Great.");
+
+ base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
+ /* We'll try to attach it at the next event loop, or whenever
+ * we call connection_ap_attach_pending() */
+ connection_ap_mark_as_pending_circuit(conn);
+ return 0;
+}
+
+/** Connection <b>conn</b> just finished its socks handshake, or the
+ * controller asked us to take care of it. If <b>circ</b> is defined,
+ * then that's where we'll want to attach it. Otherwise we have to
+ * figure it out ourselves.
+ *
+ * First, parse whether it's a .exit address, remap it, and so on. Then
+ * if it's for a general circuit, try to attach it to a circuit (or launch
+ * one as needed), else if it's for a rendezvous circuit, fetch a
+ * rendezvous descriptor first (or attach/launch a circuit if the
+ * rendezvous descriptor is already here and fresh enough).
+ *
+ * The stream will exit from the hop
+ * indicated by <b>cpath</b>, or from the last hop in circ's cpath if
+ * <b>cpath</b> is NULL.
+ */
+int
+connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
+ origin_circuit_t *circ,
+ crypt_path_t *cpath)
+{
+ socks_request_t *socks = conn->socks_request;
+ const or_options_t *options = get_options();
+ connection_t *base_conn = ENTRY_TO_CONN(conn);
+ time_t now = time(NULL);
+ rewrite_result_t rr;
+
+ /* First we'll do the rewrite part. Let's see if we get a reasonable
+ * answer.
+ */
+ memset(&rr, 0, sizeof(rr));
+ connection_ap_handshake_rewrite(conn,&rr);
+
+ if (rr.should_close) {
+ /* connection_ap_handshake_rewrite told us to close the connection:
+ * either because it sent back an answer, or because it sent back an
+ * error */
+ connection_mark_unattached_ap(conn, rr.end_reason);
+ if (END_STREAM_REASON_DONE == (rr.end_reason & END_STREAM_REASON_MASK))
+ return 0;
+ else
+ return -1;
+ }
+
+ const time_t map_expires = rr.map_expires;
+ const int automap = rr.automap;
+ const addressmap_entry_source_t exit_source = rr.exit_source;
+
+ /* Now, we parse the address to see if it's an .onion or .exit or
+ * other special address.
+ */
+ const hostname_type_t addresstype = parse_extended_hostname(socks->address);
+
+ /* Now see whether the hostname is bogus. This could happen because of an
+ * onion hostname whose format we don't recognize. */
+ if (addresstype == BAD_HOSTNAME) {
+ control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
+ escaped(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return -1;
+ }
+
+ /* If this is a .exit hostname, strip off the .name.exit part, and
+   * see whether we're willing to connect there, and otherwise handle the
+ * .exit address.
+ *
+ * We'll set chosen_exit_name and/or close the connection as appropriate.
+ */
+ if (addresstype == EXIT_HOSTNAME) {
+ /* If StrictNodes is not set, then .exit overrides ExcludeNodes but
+ * not ExcludeExitNodes. */
+ routerset_t *excludeset = options->StrictNodes ?
+ options->ExcludeExitNodesUnion_ : options->ExcludeExitNodes;
+ const node_t *node = NULL;
+
+ /* If this .exit was added by an AUTOMAP, then it came straight from
+ * a user. That's not safe. */
+ if (exit_source == ADDRMAPSRC_AUTOMAP) {
+ /* Whoops; this one is stale. It must have gotten added earlier?
+ * (Probably this is not possible, since AllowDotExit no longer
+ * exists.) */
+ log_warn(LD_APP,"Stale automapped address for '%s.exit'. Refusing.",
+ safe_str_client(socks->address));
+ control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
+ escaped(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ tor_assert_nonfatal_unreached();
+ return -1;
+ }
+
+ /* Double-check to make sure there are no .exits coming from
+ * impossible/weird sources. */
+ if (exit_source == ADDRMAPSRC_DNS || exit_source == ADDRMAPSRC_NONE) {
+ /* It shouldn't be possible to get a .exit address from any of these
+ * sources. */
+ log_warn(LD_BUG,"Address '%s.exit', with impossible source for the "
+ ".exit part. Refusing.",
+ safe_str_client(socks->address));
+ control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
+ escaped(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return -1;
+ }
+
+ tor_assert(!automap);
+
+ /* Now, find the character before the .(name) part.
+ * (The ".exit" part got stripped off by "parse_extended_hostname").
+ *
+ * We're going to put the exit name into conn->chosen_exit_name, and
+ * look up a node correspondingly. */
+ char *s = strrchr(socks->address,'.');
+ if (s) {
+      /* The address was of the form "(stuff).(name).exit" */
+ if (s[1] != '\0') {
+ /* Looks like a real .exit one. */
+ conn->chosen_exit_name = tor_strdup(s+1);
+ node = node_get_by_nickname(conn->chosen_exit_name, 0);
+
+ if (exit_source == ADDRMAPSRC_TRACKEXIT) {
+          /* We get 5 tries before the addressmap entry expires. */
+ conn->chosen_exit_retries = TRACKHOSTEXITS_RETRIES;
+ }
+ *s = 0;
+ } else {
+ /* Oops, the address was (stuff)..exit. That's not okay. */
+ log_warn(LD_APP,"Malformed exit address '%s.exit'. Refusing.",
+ safe_str_client(socks->address));
+ control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
+ escaped(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return -1;
+ }
+ } else {
+ /* It looks like they just asked for "foo.exit". That's a special
+ * form that means (foo's address).foo.exit. */
+
+ conn->chosen_exit_name = tor_strdup(socks->address);
+ node = node_get_by_nickname(conn->chosen_exit_name, 0);
+ if (node) {
+ *socks->address = 0;
+ node_get_address_string(node, socks->address, sizeof(socks->address));
+ }
+ }
+
+ /* Now make sure that the chosen exit exists... */
+ if (!node) {
+ log_warn(LD_APP,
+ "Unrecognized relay in exit address '%s.exit'. Refusing.",
+ safe_str_client(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return -1;
+ }
+ /* ...and make sure that it isn't excluded. */
+ if (routerset_contains_node(excludeset, node)) {
+ log_warn(LD_APP,
+ "Excluded relay in exit address '%s.exit'. Refusing.",
+ safe_str_client(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return -1;
+ }
+ /* XXXX-1090 Should we also allow foo.bar.exit if ExitNodes is set and
+ Bar is not listed in it? I say yes, but our revised manpage branch
+ implies no. */
+ }
+
+ /* Now, we handle everything that isn't a .onion address. */
+ if (addresstype != ONION_V2_HOSTNAME && addresstype != ONION_V3_HOSTNAME) {
+ /* Not a hidden-service request. It's either a hostname or an IP,
+ * possibly with a .exit that we stripped off. We're going to check
+ * if we're allowed to connect/resolve there, and then launch the
+ * appropriate request. */
+
+ /* Check for funny characters in the address. */
+ if (address_is_invalid_destination(socks->address, 1)) {
+ control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
+ escaped(socks->address));
+ log_warn(LD_APP,
+ "Destination '%s' seems to be an invalid hostname. Failing.",
+ safe_str_client(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return -1;
+ }
+
+ /* socks->address is a non-onion hostname or IP address.
+ * If we can't do any non-onion requests, refuse the connection.
+ * If we have a hostname but can't do DNS, refuse the connection.
+ * If we have an IP address, but we can't use that address family,
+ * refuse the connection.
+ *
+ * If we can do DNS requests, and we can use at least one address family,
+ * then we have to resolve the address first. Then we'll know if it
+ * resolves to a usable address family. */
+
+ /* First, check if all non-onion traffic is disabled */
+ if (!conn->entry_cfg.dns_request && !conn->entry_cfg.ipv4_traffic
+ && !conn->entry_cfg.ipv6_traffic) {
+ log_warn(LD_APP, "Refusing to connect to non-hidden-service hostname "
+ "or IP address %s because Port has OnionTrafficOnly set (or "
+ "NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic).",
+ safe_str_client(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ }
+
+ /* Then check if we have a hostname or IP address, and whether DNS or
+ * the IP address family are permitted. Reject if not. */
+ tor_addr_t dummy_addr;
+ int socks_family = tor_addr_parse(&dummy_addr, socks->address);
+ /* family will be -1 for a non-onion hostname that's not an IP */
+ if (socks_family == -1) {
+ if (!conn->entry_cfg.dns_request) {
+ log_warn(LD_APP, "Refusing to connect to hostname %s "
+ "because Port has NoDNSRequest set.",
+ safe_str_client(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ }
+ } else if (socks_family == AF_INET) {
+ if (!conn->entry_cfg.ipv4_traffic) {
+ log_warn(LD_APP, "Refusing to connect to IPv4 address %s because "
+ "Port has NoIPv4Traffic set.",
+ safe_str_client(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ }
+ } else if (socks_family == AF_INET6) {
+ if (!conn->entry_cfg.ipv6_traffic) {
+ log_warn(LD_APP, "Refusing to connect to IPv6 address %s because "
+ "Port has NoIPv6Traffic set.",
+ safe_str_client(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ }
+ } else {
+ tor_assert_nonfatal_unreached_once();
+ }
+
+ /* See if this is a hostname lookup that we can answer immediately.
+ * (For example, an attempt to look up the IP address for an IP address.)
+ */
+ if (socks->command == SOCKS_COMMAND_RESOLVE) {
+ tor_addr_t answer;
+ /* Reply to resolves immediately if we can. */
+ if (tor_addr_parse(&answer, socks->address) >= 0) {/* is it an IP? */
+ /* remember _what_ is supposed to have been resolved. */
+ strlcpy(socks->address, rr.orig_address, sizeof(socks->address));
+ connection_ap_handshake_socks_resolved_addr(conn, &answer, -1,
+ map_expires);
+ connection_mark_unattached_ap(conn,
+ END_STREAM_REASON_DONE |
+ END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
+ return 0;
+ }
+ tor_assert(!automap);
+ rep_hist_note_used_resolve(now); /* help predict this next time */
+ } else if (socks->command == SOCKS_COMMAND_CONNECT) {
+ /* Now see if this is a connect request that we can reject immediately */
+
+ tor_assert(!automap);
+ /* Don't allow connections to port 0. */
+ if (socks->port == 0) {
+ log_notice(LD_APP,"Application asked to connect to port 0. Refusing.");
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return -1;
+ }
+ /* You can't make connections to internal addresses, by default.
+ * Exceptions are begindir requests (where the address is meaningless),
+ * or cases where you've hand-configured a particular exit, thereby
+ * making the local address meaningful. */
+ if (options->ClientRejectInternalAddresses &&
+ !conn->use_begindir && !conn->chosen_exit_name && !circ) {
+ /* If we reach this point then we don't want to allow internal
+ * addresses. Check if we got one. */
+ tor_addr_t addr;
+ if (tor_addr_hostname_is_local(socks->address) ||
+ (tor_addr_parse(&addr, socks->address) >= 0 &&
+ tor_addr_is_internal(&addr, 0))) {
+ /* If this is an explicit private address with no chosen exit node,
+ * then we really don't want to try to connect to it. That's
+ * probably an error. */
+ if (conn->is_transparent_ap) {
+#define WARN_INTRVL_LOOP 300
+ static ratelim_t loop_warn_limit = RATELIM_INIT(WARN_INTRVL_LOOP);
+ char *m;
+ if ((m = rate_limit_log(&loop_warn_limit, approx_time()))) {
+ log_warn(LD_NET,
+ "Rejecting request for anonymous connection to private "
+ "address %s on a TransPort or NATDPort. Possible loop "
+ "in your NAT rules?%s", safe_str_client(socks->address),
+ m);
+ tor_free(m);
+ }
+ } else {
+#define WARN_INTRVL_PRIV 300
+ static ratelim_t priv_warn_limit = RATELIM_INIT(WARN_INTRVL_PRIV);
+ char *m;
+ if ((m = rate_limit_log(&priv_warn_limit, approx_time()))) {
+ log_warn(LD_NET,
+ "Rejecting SOCKS request for anonymous connection to "
+ "private address %s.%s",
+ safe_str_client(socks->address),m);
+ tor_free(m);
+ }
+ }
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_PRIVATE_ADDR);
+ return -1;
+ }
+ } /* end "if we should check for internal addresses" */
+
+ /* Okay. We're still doing a CONNECT, and it wasn't a private
+ * address. Here we do special handling for literal IP addresses,
+ * to see if we should reject this preemptively, and to set up
+ * fields in conn->entry_cfg to tell the exit what AF we want. */
+ {
+ tor_addr_t addr;
+ /* XXX Duplicate call to tor_addr_parse. */
+ if (tor_addr_parse(&addr, socks->address) >= 0) {
+ /* If we reach this point, it's an IPv4 or an IPv6 address. */
+ sa_family_t family = tor_addr_family(&addr);
+
+ if ((family == AF_INET && ! conn->entry_cfg.ipv4_traffic) ||
+ (family == AF_INET6 && ! conn->entry_cfg.ipv6_traffic)) {
+ /* You can't do an IPv4 address on a v6-only socks listener,
+ * or vice versa. */
+ log_warn(LD_NET, "Rejecting SOCKS request for an IP address "
+ "family that this listener does not support.");
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ } else if (family == AF_INET6 && socks->socks_version == 4) {
+ /* You can't make a socks4 request to an IPv6 address. Socks4
+ * doesn't support that. */
+ log_warn(LD_NET, "Rejecting SOCKS4 request for an IPv6 address.");
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ } else if (socks->socks_version == 4 &&
+ !conn->entry_cfg.ipv4_traffic) {
+ /* You can't do any kind of Socks4 request when IPv4 is forbidden.
+ *
+ * XXX raise this check outside the enclosing block? */
+ log_warn(LD_NET, "Rejecting SOCKS4 request on a listener with "
+ "no IPv4 traffic supported.");
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ } else if (family == AF_INET6) {
+ /* Tell the exit: we won't accept any ipv4 connection to an IPv6
+ * address. */
+ conn->entry_cfg.ipv4_traffic = 0;
+ } else if (family == AF_INET) {
+ /* Tell the exit: we won't accept any ipv6 connection to an IPv4
+ * address. */
+ conn->entry_cfg.ipv6_traffic = 0;
+ }
+ }
+ }
+
+ /* we never allow IPv6 answers on socks4. (TODO: Is this smart?) */
+ if (socks->socks_version == 4)
+ conn->entry_cfg.ipv6_traffic = 0;
+
+ /* Still handling CONNECT. Now, check for exit enclaves. (Which we
+ * don't do on BEGIN_DIR, or when there is a chosen exit.)
+ *
+ * TODO: Should we remove this? Exit enclaves are nutty and don't
+     * work very well.
+ */
+ if (!conn->use_begindir && !conn->chosen_exit_name && !circ) {
+ /* see if we can find a suitable enclave exit */
+ const node_t *r =
+ router_find_exact_exit_enclave(socks->address, socks->port);
+ if (r) {
+ log_info(LD_APP,
+ "Redirecting address %s to exit at enclave router %s",
+ safe_str_client(socks->address), node_describe(r));
+ /* use the hex digest, not nickname, in case there are two
+ routers with this nickname */
+ conn->chosen_exit_name =
+ tor_strdup(hex_str(r->identity, DIGEST_LEN));
+ conn->chosen_exit_optional = 1;
+ }
+ }
+
+ /* Still handling CONNECT: warn or reject if it's using a dangerous
+ * port. */
+ if (!conn->use_begindir && !conn->chosen_exit_name && !circ)
+ if (consider_plaintext_ports(conn, socks->port) < 0)
+ return -1;
+
+    /* Remember the port so that we can predict that more requests to it
+       will happen in the future. */
+ if (!conn->use_begindir) {
+ /* help predict this next time */
+ rep_hist_note_used_port(now, socks->port);
+ }
+ } else if (socks->command == SOCKS_COMMAND_RESOLVE_PTR) {
+ rep_hist_note_used_resolve(now); /* help predict this next time */
+ /* no extra processing needed */
+ } else {
+ /* We should only be doing CONNECT, RESOLVE, or RESOLVE_PTR! */
+ tor_fragile_assert();
+ }
+
+ /* Okay. At this point we've set chosen_exit_name if needed, rewritten the
+ * address, and decided not to reject it for any number of reasons. Now
+ * mark the connection as waiting for a circuit, and try to attach it!
+ */
+ base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
+
+ /* If we were given a circuit to attach to, try to attach. Otherwise,
+ * try to find a good one and attach to that. */
+ int rv;
+ if (circ) {
+ rv = connection_ap_handshake_attach_chosen_circuit(conn, circ, cpath);
+ } else {
+ /* We'll try to attach it at the next event loop, or whenever
+ * we call connection_ap_attach_pending() */
+ connection_ap_mark_as_pending_circuit(conn);
+ rv = 0;
+ }
+
+ /* If the above function returned 0 then we're waiting for a circuit.
+ * if it returned 1, we're attached. Both are okay. But if it returned
+ * -1, there was an error, so make sure the connection is marked, and
+ * return -1. */
+ if (rv < 0) {
+ if (!base_conn->marked_for_close)
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_CANT_ATTACH);
+ return -1;
+ }
+
+ return 0;
+ } else {
+ /* If we get here, it's a request for a .onion address! */
+ tor_assert(addresstype == ONION_V2_HOSTNAME ||
+ addresstype == ONION_V3_HOSTNAME);
+ tor_assert(!automap);
+ return connection_ap_handle_onion(conn, socks, circ, addresstype);
+ }
+
+ return 0; /* unreached but keeps the compiler happy */
+}
+
+#ifdef TRANS_PF
+static int pf_socket = -1;
+int
+get_pf_socket(void)
+{
+ int pf;
+ /* This should be opened before dropping privileges. */
+ if (pf_socket >= 0)
+ return pf_socket;
+
+#if defined(OpenBSD)
+ /* only works on OpenBSD */
+ pf = tor_open_cloexec("/dev/pf", O_RDONLY, 0);
+#else
+ /* works on NetBSD and FreeBSD */
+ pf = tor_open_cloexec("/dev/pf", O_RDWR, 0);
+#endif /* defined(OpenBSD) */
+
+ if (pf < 0) {
+ log_warn(LD_NET, "open(\"/dev/pf\") failed: %s", strerror(errno));
+ return -1;
+ }
+
+ pf_socket = pf;
+ return pf_socket;
+}
+#endif /* defined(TRANS_PF) */
+
+#if defined(TRANS_NETFILTER) || defined(TRANS_PF) || \
+ defined(TRANS_TPROXY)
+/** Try to fill in the address of <b>req</b> from the socket configured
+ * with <b>conn</b>. */
+static int
+destination_from_socket(entry_connection_t *conn, socks_request_t *req)
+{
+ struct sockaddr_storage orig_dst;
+ socklen_t orig_dst_len = sizeof(orig_dst);
+ tor_addr_t addr;
+
+#ifdef TRANS_TPROXY
+ if (get_options()->TransProxyType_parsed == TPT_TPROXY) {
+ if (getsockname(ENTRY_TO_CONN(conn)->s, (struct sockaddr*)&orig_dst,
+ &orig_dst_len) < 0) {
+ int e = tor_socket_errno(ENTRY_TO_CONN(conn)->s);
+ log_warn(LD_NET, "getsockname() failed: %s", tor_socket_strerror(e));
+ return -1;
+ }
+ goto done;
+ }
+#endif /* defined(TRANS_TPROXY) */
+
+#ifdef TRANS_NETFILTER
+ int rv = -1;
+ switch (ENTRY_TO_CONN(conn)->socket_family) {
+#ifdef TRANS_NETFILTER_IPV4
+ case AF_INET:
+ rv = getsockopt(ENTRY_TO_CONN(conn)->s, SOL_IP, SO_ORIGINAL_DST,
+ (struct sockaddr*)&orig_dst, &orig_dst_len);
+ break;
+#endif /* defined(TRANS_NETFILTER_IPV4) */
+#ifdef TRANS_NETFILTER_IPV6
+ case AF_INET6:
+ rv = getsockopt(ENTRY_TO_CONN(conn)->s, SOL_IPV6, IP6T_SO_ORIGINAL_DST,
+ (struct sockaddr*)&orig_dst, &orig_dst_len);
+ break;
+#endif /* defined(TRANS_NETFILTER_IPV6) */
+ default:
+ log_warn(LD_BUG,
+ "Received transparent data from an unsuported socket family %d",
+ ENTRY_TO_CONN(conn)->socket_family);
+ return -1;
+ }
+ if (rv < 0) {
+ int e = tor_socket_errno(ENTRY_TO_CONN(conn)->s);
+ log_warn(LD_NET, "getsockopt() failed: %s", tor_socket_strerror(e));
+ return -1;
+ }
+ goto done;
+#elif defined(TRANS_PF)
+ if (getsockname(ENTRY_TO_CONN(conn)->s, (struct sockaddr*)&orig_dst,
+ &orig_dst_len) < 0) {
+ int e = tor_socket_errno(ENTRY_TO_CONN(conn)->s);
+ log_warn(LD_NET, "getsockname() failed: %s", tor_socket_strerror(e));
+ return -1;
+ }
+ goto done;
+#else
+ (void)conn;
+ (void)req;
+ log_warn(LD_BUG, "Unable to determine destination from socket.");
+ return -1;
+#endif /* defined(TRANS_NETFILTER) || ... */
+
+ done:
+ tor_addr_from_sockaddr(&addr, (struct sockaddr*)&orig_dst, &req->port);
+ tor_addr_to_str(req->address, &addr, sizeof(req->address), 1);
+
+ return 0;
+}
+#endif /* defined(TRANS_NETFILTER) || defined(TRANS_PF) || ... */
+
+#ifdef TRANS_PF
+static int
+destination_from_pf(entry_connection_t *conn, socks_request_t *req)
+{
+ struct sockaddr_storage proxy_addr;
+ socklen_t proxy_addr_len = sizeof(proxy_addr);
+ struct sockaddr *proxy_sa = (struct sockaddr*) &proxy_addr;
+ struct pfioc_natlook pnl;
+ tor_addr_t addr;
+ int pf = -1;
+
+ if (getsockname(ENTRY_TO_CONN(conn)->s, (struct sockaddr*)&proxy_addr,
+ &proxy_addr_len) < 0) {
+ int e = tor_socket_errno(ENTRY_TO_CONN(conn)->s);
+ log_warn(LD_NET, "getsockname() to determine transocks destination "
+ "failed: %s", tor_socket_strerror(e));
+ return -1;
+ }
+
+#ifdef __FreeBSD__
+ if (get_options()->TransProxyType_parsed == TPT_IPFW) {
+ /* ipfw(8) is used and in this case getsockname returned the original
+ destination */
+ if (tor_addr_from_sockaddr(&addr, proxy_sa, &req->port) < 0) {
+ tor_fragile_assert();
+ return -1;
+ }
+
+ tor_addr_to_str(req->address, &addr, sizeof(req->address), 0);
+
+ return 0;
+ }
+#endif /* defined(__FreeBSD__) */
+
+ memset(&pnl, 0, sizeof(pnl));
+ pnl.proto = IPPROTO_TCP;
+ pnl.direction = PF_OUT;
+ if (proxy_sa->sa_family == AF_INET) {
+ struct sockaddr_in *sin = (struct sockaddr_in *)proxy_sa;
+ pnl.af = AF_INET;
+ pnl.saddr.v4.s_addr = tor_addr_to_ipv4n(&ENTRY_TO_CONN(conn)->addr);
+ pnl.sport = htons(ENTRY_TO_CONN(conn)->port);
+ pnl.daddr.v4.s_addr = sin->sin_addr.s_addr;
+ pnl.dport = sin->sin_port;
+ } else if (proxy_sa->sa_family == AF_INET6) {
+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)proxy_sa;
+ pnl.af = AF_INET6;
+ memcpy(&pnl.saddr.v6, tor_addr_to_in6(&ENTRY_TO_CONN(conn)->addr),
+ sizeof(struct in6_addr));
+ pnl.sport = htons(ENTRY_TO_CONN(conn)->port);
+ memcpy(&pnl.daddr.v6, &sin6->sin6_addr, sizeof(struct in6_addr));
+ pnl.dport = sin6->sin6_port;
+ } else {
+ log_warn(LD_NET, "getsockname() gave an unexpected address family (%d)",
+ (int)proxy_sa->sa_family);
+ return -1;
+ }
+
+ pf = get_pf_socket();
+ if (pf<0)
+ return -1;
+
+ if (ioctl(pf, DIOCNATLOOK, &pnl) < 0) {
+ log_warn(LD_NET, "ioctl(DIOCNATLOOK) failed: %s", strerror(errno));
+ return -1;
+ }
+
+ if (pnl.af == AF_INET) {
+ tor_addr_from_ipv4n(&addr, pnl.rdaddr.v4.s_addr);
+ } else if (pnl.af == AF_INET6) {
+ tor_addr_from_in6(&addr, &pnl.rdaddr.v6);
+ } else {
+ tor_fragile_assert();
+ return -1;
+ }
+
+ tor_addr_to_str(req->address, &addr, sizeof(req->address), 1);
+ req->port = ntohs(pnl.rdport);
+
+ return 0;
+}
+#endif /* defined(TRANS_PF) */
+
+/** Fetch the original destination address and port from a
+ * system-specific interface and put them into a
+ * socks_request_t as if they came from a socks request.
+ *
+ * Return -1 if an error prevents fetching the destination,
+ * else return 0.
+ */
+static int
+connection_ap_get_original_destination(entry_connection_t *conn,
+ socks_request_t *req)
+{
+#ifdef TRANS_NETFILTER
+ return destination_from_socket(conn, req);
+#elif defined(TRANS_PF)
+ const or_options_t *options = get_options();
+
+ if (options->TransProxyType_parsed == TPT_PF_DIVERT)
+ return destination_from_socket(conn, req);
+
+ if (options->TransProxyType_parsed == TPT_DEFAULT ||
+ options->TransProxyType_parsed == TPT_IPFW)
+ return destination_from_pf(conn, req);
+
+ (void)conn;
+ (void)req;
+ log_warn(LD_BUG, "Proxy destination determination mechanism %s unknown.",
+ options->TransProxyType);
+ return -1;
+#else
+ (void)conn;
+ (void)req;
+ log_warn(LD_BUG, "Called connection_ap_get_original_destination, but no "
+ "transparent proxy method was configured.");
+ return -1;
+#endif /* defined(TRANS_NETFILTER) || ... */
+}
+
+/** connection_edge_process_inbuf() found a conn in state
+ * socks_wait. See if conn->inbuf has the right bytes to proceed with
+ * the socks handshake.
+ *
+ * If the handshake is complete, send it to
+ * connection_ap_handshake_rewrite_and_attach().
+ *
+ * Return -1 if an unexpected error with conn occurs (and mark it for close),
+ * else return 0.
+ */
+static int
+connection_ap_handshake_process_socks(entry_connection_t *conn)
+{
+ socks_request_t *socks;
+ int sockshere;
+ const or_options_t *options = get_options();
+ int had_reply = 0;
+ connection_t *base_conn = ENTRY_TO_CONN(conn);
+
+ tor_assert(conn);
+ tor_assert(base_conn->type == CONN_TYPE_AP);
+ tor_assert(base_conn->state == AP_CONN_STATE_SOCKS_WAIT);
+ tor_assert(conn->socks_request);
+ socks = conn->socks_request;
+
+ log_debug(LD_APP,"entered.");
+
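+ /* Parse as much of a SOCKS handshake as is available. The handling below
+ * treats a return of 0 as "need more data", -1 as an error, and anything
+ * else as a complete request; a reply for the client may also have been
+ * left in socks->reply. */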
+ sockshere = fetch_from_buf_socks(base_conn->inbuf, socks,
+ options->TestSocks, options->SafeSocks);
+
+ if (socks->replylen) {
+ had_reply = 1;
+ connection_buf_add((const char*)socks->reply, socks->replylen,
+ base_conn);
+ socks->replylen = 0;
+ if (sockshere == -1) {
+ /* An invalid request just got a reply, no additional
+ * one is necessary. */
+ socks->has_finished = 1;
+ }
+ }
+
+ if (sockshere == 0) {
+ log_debug(LD_APP,"socks handshake not all here yet.");
+ return 0;
+ } else if (sockshere == -1) {
+ if (!had_reply) {
+ log_warn(LD_APP,"Fetching socks handshake failed. Closing.");
+ connection_ap_handshake_socks_reply(conn, NULL, 0,
+ END_STREAM_REASON_SOCKSPROTOCOL);
+ }
+ connection_mark_unattached_ap(conn,
+ END_STREAM_REASON_SOCKSPROTOCOL |
+ END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
+ return -1;
+ } /* else socks handshake is done, continue processing */
+
+ if (SOCKS_COMMAND_IS_CONNECT(socks->command))
+ control_event_stream_status(conn, STREAM_EVENT_NEW, 0);
+ else
+ control_event_stream_status(conn, STREAM_EVENT_NEW_RESOLVE, 0);
+
+ return connection_ap_rewrite_and_attach_if_allowed(conn, NULL, NULL);
+}
+
+/** connection_init_accepted_conn() found a new trans AP conn.
+ * Get the original destination and send it to
+ * connection_ap_handshake_rewrite_and_attach().
+ *
+ * Return -1 if an unexpected error occurs with conn (and it should be
+ * marked for close), else return 0.
+ */
+int
+connection_ap_process_transparent(entry_connection_t *conn)
+{
+ socks_request_t *socks;
+
+ tor_assert(conn);
+ tor_assert(conn->socks_request);
+ socks = conn->socks_request;
+
+ /* pretend that a socks handshake completed so we don't try to
+ * send a socks reply down a transparent conn */
+ socks->command = SOCKS_COMMAND_CONNECT;
+ socks->has_finished = 1;
+
+ log_debug(LD_APP,"entered.");
+
+ if (connection_ap_get_original_destination(conn, socks) < 0) {
+ log_warn(LD_APP,"Fetching original destination failed. Closing.");
+ connection_mark_unattached_ap(conn,
+ END_STREAM_REASON_CANT_FETCH_ORIG_DEST);
+ return -1;
+ }
+ /* we have the original destination */
+
+ control_event_stream_status(conn, STREAM_EVENT_NEW, 0);
+
+ return connection_ap_rewrite_and_attach_if_allowed(conn, NULL, NULL);
+}
+
+/** connection_edge_process_inbuf() found a conn in state natd_wait. See if
+ * conn-\>inbuf has the right bytes to proceed. See FreeBSD's libalias(3) and
+ * ProxyEncodeTcpStream() in src/lib/libalias/alias_proxy.c for the encoding
+ * form of the original destination.
+ *
+ * If the original destination is complete, send it to
+ * connection_ap_handshake_rewrite_and_attach().
+ *
+ * Return -1 if an unexpected error occurs with conn (and it should be
+ * marked for close), else return 0.
+ */
+static int
+connection_ap_process_natd(entry_connection_t *conn)
+{
+ char tmp_buf[36], *tbuf, *daddr;
+ size_t tlen = 30;
+ int err, port_ok;
+ socks_request_t *socks;
+
+ tor_assert(conn);
+ tor_assert(ENTRY_TO_CONN(conn)->state == AP_CONN_STATE_NATD_WAIT);
+ tor_assert(conn->socks_request);
+ socks = conn->socks_request;
+
+ log_debug(LD_APP,"entered.");
+
+ /* look for LF-terminated "[DEST ip_addr port]"
+ * where ip_addr is a dotted-quad and port is in string form */
+ err = connection_buf_get_line(ENTRY_TO_CONN(conn), tmp_buf, &tlen);
+ if (err == 0)
+ return 0;
+ if (err < 0) {
+ log_warn(LD_APP,"NATD handshake failed (DEST too long). Closing");
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
+ return -1;
+ }
+
+ if (strcmpstart(tmp_buf, "[DEST ")) {
+ log_warn(LD_APP,"NATD handshake was ill-formed; closing. The client "
+ "said: %s",
+ escaped(tmp_buf));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
+ return -1;
+ }
+
+ daddr = tbuf = &tmp_buf[0] + 6; /* after end of "[DEST " */
+ if (!(tbuf = strchr(tbuf, ' '))) {
+ log_warn(LD_APP,"NATD handshake was ill-formed; closing. The client "
+ "said: %s",
+ escaped(tmp_buf));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
+ return -1;
+ }
+ *tbuf++ = '\0';
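+ /* daddr now points at the NUL-terminated address, and tbuf at the port
+ * string that followed the space. */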
+
+ /* pretend that a socks handshake completed so we don't try to
+ * send a socks reply down a natd conn */
+ strlcpy(socks->address, daddr, sizeof(socks->address));
+ socks->port = (uint16_t)
+ tor_parse_long(tbuf, 10, 1, 65535, &port_ok, &daddr);
+ if (!port_ok) {
+ log_warn(LD_APP,"NATD handshake failed; port %s is ill-formed or out "
+ "of range.", escaped(tbuf));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
+ return -1;
+ }
+
+ socks->command = SOCKS_COMMAND_CONNECT;
+ socks->has_finished = 1;
+
+ control_event_stream_status(conn, STREAM_EVENT_NEW, 0);
+
+ ENTRY_TO_CONN(conn)->state = AP_CONN_STATE_CIRCUIT_WAIT;
+
+ return connection_ap_rewrite_and_attach_if_allowed(conn, NULL, NULL);
+}
+
+/** Called on an HTTP CONNECT entry connection when some bytes have arrived,
+ * but we have not yet received a full HTTP CONNECT request. Try to parse an
+ * HTTP CONNECT request from the connection's inbuf. On success, set up the
+ * connection's socks_request field and try to attach the connection. On
+ * failure, send an HTTP reply, and mark the connection.
+ */
+STATIC int
+connection_ap_process_http_connect(entry_connection_t *conn)
+{
+ if (BUG(ENTRY_TO_CONN(conn)->state != AP_CONN_STATE_HTTP_CONNECT_WAIT))
+ return -1;
+
+ char *headers = NULL, *body = NULL;
+ char *command = NULL, *addrport = NULL;
+ char *addr = NULL;
+ size_t bodylen = 0;
+
+ const char *errmsg = NULL;
+ int rv = 0;
+
+ const int http_status =
+ fetch_from_buf_http(ENTRY_TO_CONN(conn)->inbuf, &headers, 8192,
+ &body, &bodylen, 1024, 0);
+ if (http_status < 0) {
+ /* Bad http status */
+ errmsg = "HTTP/1.0 400 Bad Request\r\n\r\n";
+ goto err;
+ } else if (http_status == 0) {
+ /* no HTTP request yet. */
+ goto done;
+ }
+
+ const int cmd_status = parse_http_command(headers, &command, &addrport);
+ if (cmd_status < 0) {
+ errmsg = "HTTP/1.0 400 Bad Request\r\n\r\n";
+ goto err;
+ }
+ tor_assert(command);
+ tor_assert(addrport);
+ if (strcasecmp(command, "connect")) {
+ errmsg = "HTTP/1.0 405 Method Not Allowed\r\n\r\n";
+ goto err;
+ }
+
+ tor_assert(conn->socks_request);
+ socks_request_t *socks = conn->socks_request;
+ uint16_t port;
+ if (tor_addr_port_split(LOG_WARN, addrport, &addr, &port) < 0) {
+ errmsg = "HTTP/1.0 400 Bad Request\r\n\r\n";
+ goto err;
+ }
+ if (strlen(addr) >= MAX_SOCKS_ADDR_LEN) {
+ errmsg = "HTTP/1.0 414 Request-URI Too Long\r\n\r\n";
+ goto err;
+ }
+
+ /* Abuse the 'username' and 'password' fields here. They are already an
+ * abuse. */
+ {
+ char *authorization = http_get_header(headers, "Proxy-Authorization: ");
+ if (authorization) {
+ socks->username = authorization; // steal reference
+ socks->usernamelen = strlen(authorization);
+ }
+ char *isolation = http_get_header(headers, "X-Tor-Stream-Isolation: ");
+ if (isolation) {
+ socks->password = isolation; // steal reference
+ socks->passwordlen = strlen(isolation);
+ }
+ }
+
+ socks->command = SOCKS_COMMAND_CONNECT;
+ socks->listener_type = CONN_TYPE_AP_HTTP_CONNECT_LISTENER;
+ strlcpy(socks->address, addr, sizeof(socks->address));
+ socks->port = port;
+
+ control_event_stream_status(conn, STREAM_EVENT_NEW, 0);
+
+ rv = connection_ap_rewrite_and_attach_if_allowed(conn, NULL, NULL);
+
+ // XXXX send a "100 Continue" message?
+
+ goto done;
+
+ err:
+ if (BUG(errmsg == NULL))
+ errmsg = "HTTP/1.0 400 Bad Request\r\n\r\n";
+ log_warn(LD_EDGE, "Saying %s", escaped(errmsg));
+ connection_buf_add(errmsg, strlen(errmsg), ENTRY_TO_CONN(conn));
+ connection_mark_unattached_ap(conn,
+ END_STREAM_REASON_HTTPPROTOCOL|
+ END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
+
+ done:
+ tor_free(headers);
+ tor_free(body);
+ tor_free(command);
+ tor_free(addrport);
+ tor_free(addr);
+ return rv;
+}
+
+/** Iterate over the 16-bit stream ID space until we find one that is not
+ * already in use on <b>circ</b>; return it. Return 0 if we can't get a
+ * unique stream_id.
+ */
+streamid_t
+get_unique_stream_id_by_circ(origin_circuit_t *circ)
+{
+ edge_connection_t *tmpconn;
+ streamid_t test_stream_id;
+ uint32_t attempts=0;
+
+ again:
+ test_stream_id = circ->next_stream_id++;
+ if (++attempts > 1<<16) {
+ /* Make sure we don't loop forever if all stream_id's are used. */
+ log_warn(LD_APP,"No unused stream IDs. Failing.");
+ return 0;
+ }
+ if (test_stream_id == 0)
+ goto again;
+ for (tmpconn = circ->p_streams; tmpconn; tmpconn=tmpconn->next_stream)
+ if (tmpconn->stream_id == test_stream_id)
+ goto again;
+
+ if (connection_half_edge_find_stream_id(circ->half_streams,
+ test_stream_id))
+ goto again;
+
+ return test_stream_id;
+}
+
+/** Return true iff <b>conn</b> is linked to a circuit and configured to use
+ * an exit that supports optimistic data. */
+static int
+connection_ap_supports_optimistic_data(const entry_connection_t *conn)
+{
+ const edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(conn);
+ /* We can only send optimistic data if we're connected to an open
+ general circuit. */
+ if (edge_conn->on_circuit == NULL ||
+ edge_conn->on_circuit->state != CIRCUIT_STATE_OPEN ||
+ (edge_conn->on_circuit->purpose != CIRCUIT_PURPOSE_C_GENERAL &&
+ edge_conn->on_circuit->purpose != CIRCUIT_PURPOSE_C_HSDIR_GET &&
+ edge_conn->on_circuit->purpose != CIRCUIT_PURPOSE_S_HSDIR_POST &&
+ edge_conn->on_circuit->purpose != CIRCUIT_PURPOSE_C_REND_JOINED))
+ return 0;
+
+ return conn->may_use_optimistic_data;
+}
+
+/** Return a bitmask of BEGIN_FLAG_* flags that we should transmit in the
+ * RELAY_BEGIN cell for <b>ap_conn</b>. */
+static uint32_t
+connection_ap_get_begincell_flags(entry_connection_t *ap_conn)
+{
+ edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(ap_conn);
+ const node_t *exitnode = NULL;
+ const crypt_path_t *cpath_layer = edge_conn->cpath_layer;
+ uint32_t flags = 0;
+
+ /* No flags for begindir */
+ if (ap_conn->use_begindir)
+ return 0;
+
+ /* No flags for hidden services. */
+ if (edge_conn->on_circuit->purpose != CIRCUIT_PURPOSE_C_GENERAL)
+ return 0;
+
+ /* If only IPv4 is supported, no flags */
+ if (ap_conn->entry_cfg.ipv4_traffic && !ap_conn->entry_cfg.ipv6_traffic)
+ return 0;
+
+ if (! cpath_layer ||
+ ! cpath_layer->extend_info)
+ return 0;
+
+ if (!ap_conn->entry_cfg.ipv4_traffic)
+ flags |= BEGIN_FLAG_IPV4_NOT_OK;
+
+ exitnode = node_get_by_id(cpath_layer->extend_info->identity_digest);
+
+ if (ap_conn->entry_cfg.ipv6_traffic && exitnode) {
+ tor_addr_t a;
+ tor_addr_make_null(&a, AF_INET6);
+ if (compare_tor_addr_to_node_policy(&a, ap_conn->socks_request->port,
+ exitnode)
+ != ADDR_POLICY_REJECTED) {
+ /* Only say "IPv6 OK" if the exit node supports IPv6. Otherwise there's
+ * no point. */
+ flags |= BEGIN_FLAG_IPV6_OK;
+ }
+ }
+
+ if (flags == BEGIN_FLAG_IPV6_OK) {
+ /* When IPv4 and IPv6 are both allowed, consider whether to say we
+ * prefer IPv6. Otherwise there's no point in declaring a preference */
+ if (ap_conn->entry_cfg.prefer_ipv6)
+ flags |= BEGIN_FLAG_IPV6_PREFERRED;
+ }
+
+ if (flags == BEGIN_FLAG_IPV4_NOT_OK) {
+ log_warn(LD_EDGE, "I'm about to ask a node for a connection that I "
+ "am telling it to fulfil with neither IPv4 nor IPv6. That's "
+ "not going to work. Did you perhaps ask for an IPv6 address "
+ "on an IPv4Only port, or vice versa?");
+ }
+
+ return flags;
+}
+
+/** Write a relay begin cell, using destaddr and destport from ap_conn's
+ * socks_request field, and send it down circ.
+ *
+ * If ap_conn is broken, mark it for close and return -1. Else return 0.
+ */
+MOCK_IMPL(int,
+connection_ap_handshake_send_begin,(entry_connection_t *ap_conn))
+{
+ char payload[CELL_PAYLOAD_SIZE];
+ int payload_len;
+ int begin_type;
+ const or_options_t *options = get_options();
+ origin_circuit_t *circ;
+ edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(ap_conn);
+ connection_t *base_conn = TO_CONN(edge_conn);
+ tor_assert(edge_conn->on_circuit);
+ circ = TO_ORIGIN_CIRCUIT(edge_conn->on_circuit);
+
+ tor_assert(base_conn->type == CONN_TYPE_AP);
+ tor_assert(base_conn->state == AP_CONN_STATE_CIRCUIT_WAIT);
+ tor_assert(ap_conn->socks_request);
+ tor_assert(SOCKS_COMMAND_IS_CONNECT(ap_conn->socks_request->command));
+
+ edge_conn->stream_id = get_unique_stream_id_by_circ(circ);
+ if (edge_conn->stream_id==0) {
+ /* XXXX+ Instead of closing this stream, we should make it get
+ * retried on another circuit. */
+ connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
+
+ /* Mark this circuit "unusable for new streams". */
+ mark_circuit_unusable_for_new_conns(circ);
+ return -1;
+ }
+
+ /* Set up begin cell flags. */
+ edge_conn->begincell_flags = connection_ap_get_begincell_flags(ap_conn);
+
+ tor_snprintf(payload,RELAY_PAYLOAD_SIZE, "%s:%d",
+ (circ->base_.purpose == CIRCUIT_PURPOSE_C_GENERAL) ?
+ ap_conn->socks_request->address : "",
+ ap_conn->socks_request->port);
+ payload_len = (int)strlen(payload)+1;
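+ /* If any begin-cell flags are set and there is room left in the payload,
+ * append them after the NUL-terminated "address:port" string as a 4-byte
+ * network-order field. */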
+ if (payload_len <= RELAY_PAYLOAD_SIZE - 4 && edge_conn->begincell_flags) {
+ set_uint32(payload + payload_len, htonl(edge_conn->begincell_flags));
+ payload_len += 4;
+ }
+
+ log_info(LD_APP,
+ "Sending relay cell %d on circ %u to begin stream %d.",
+ (int)ap_conn->use_begindir,
+ (unsigned)circ->base_.n_circ_id,
+ edge_conn->stream_id);
+
+ begin_type = ap_conn->use_begindir ?
+ RELAY_COMMAND_BEGIN_DIR : RELAY_COMMAND_BEGIN;
+
+ /* Check that circuits are anonymised, based on their type. */
+ if (begin_type == RELAY_COMMAND_BEGIN) {
+ /* This connection is a standard OR connection.
+ * Make sure its path length is anonymous, or that we're in a
+ * non-anonymous mode. */
+ assert_circ_anonymity_ok(circ, options);
+ } else if (begin_type == RELAY_COMMAND_BEGIN_DIR) {
+ /* This connection is a begindir directory connection.
+ * Look at the linked directory connection to access the directory purpose.
+ * If a BEGINDIR connection is ever not linked, that's a bug. */
+ if (BUG(!base_conn->linked)) {
+ return -1;
+ }
+ connection_t *linked_dir_conn_base = base_conn->linked_conn;
+ /* If the linked connection has been unlinked by other code, we can't send
+ * a begin cell on it. */
+ if (!linked_dir_conn_base) {
+ return -1;
+ }
+ /* Sensitive directory connections must have an anonymous path length.
+ * Otherwise, directory connections are typically one-hop.
+ * This matches the earlier check for directory connection path anonymity
+ * in directory_initiate_request(). */
+ if (purpose_needs_anonymity(linked_dir_conn_base->purpose,
+ TO_DIR_CONN(linked_dir_conn_base)->router_purpose,
+ TO_DIR_CONN(linked_dir_conn_base)->requested_resource)) {
+ assert_circ_anonymity_ok(circ, options);
+ }
+ } else {
+ /* This code was written for the two connection types BEGIN and BEGIN_DIR
+ */
+ tor_assert_unreached();
+ }
+
+ if (connection_edge_send_command(edge_conn, begin_type,
+ begin_type == RELAY_COMMAND_BEGIN ? payload : NULL,
+ begin_type == RELAY_COMMAND_BEGIN ? payload_len : 0) < 0)
+ return -1; /* circuit is closed, don't continue */
+
+ edge_conn->package_window = STREAMWINDOW_START;
+ edge_conn->deliver_window = STREAMWINDOW_START;
+ base_conn->state = AP_CONN_STATE_CONNECT_WAIT;
+ log_info(LD_APP,"Address/port sent, ap socket "TOR_SOCKET_T_FORMAT
+ ", n_circ_id %u",
+ base_conn->s, (unsigned)circ->base_.n_circ_id);
+ control_event_stream_status(ap_conn, STREAM_EVENT_SENT_CONNECT, 0);
+
+ /* If there's queued-up data, send it now */
+ if ((connection_get_inbuf_len(base_conn) ||
+ ap_conn->sending_optimistic_data) &&
+ connection_ap_supports_optimistic_data(ap_conn)) {
+ log_info(LD_APP, "Sending up to %ld + %ld bytes of queued-up data",
+ (long)connection_get_inbuf_len(base_conn),
+ ap_conn->sending_optimistic_data ?
+ (long)buf_datalen(ap_conn->sending_optimistic_data) : 0);
+ if (connection_edge_package_raw_inbuf(edge_conn, 1, NULL) < 0) {
+ connection_mark_for_close(base_conn);
+ }
+ }
+
+ return 0;
+}
+
+/** Write a relay resolve cell, using destaddr and destport from ap_conn's
+ * socks_request field, and send it down circ.
+ *
+ * If ap_conn is broken, mark it for close and return -1. Else return 0.
+ */
+int
+connection_ap_handshake_send_resolve(entry_connection_t *ap_conn)
+{
+ int payload_len, command;
+ const char *string_addr;
+ char inaddr_buf[REVERSE_LOOKUP_NAME_BUF_LEN];
+ origin_circuit_t *circ;
+ edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(ap_conn);
+ connection_t *base_conn = TO_CONN(edge_conn);
+ tor_assert(edge_conn->on_circuit);
+ circ = TO_ORIGIN_CIRCUIT(edge_conn->on_circuit);
+
+ tor_assert(base_conn->type == CONN_TYPE_AP);
+ tor_assert(base_conn->state == AP_CONN_STATE_CIRCUIT_WAIT);
+ tor_assert(ap_conn->socks_request);
+ tor_assert(circ->base_.purpose == CIRCUIT_PURPOSE_C_GENERAL);
+
+ command = ap_conn->socks_request->command;
+ tor_assert(SOCKS_COMMAND_IS_RESOLVE(command));
+
+ edge_conn->stream_id = get_unique_stream_id_by_circ(circ);
+ if (edge_conn->stream_id==0) {
+ /* XXXX+ Instead of closing this stream, we should make it get
+ * retried on another circuit. */
+ connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
+
+ /* Mark this circuit "unusable for new streams". */
+ mark_circuit_unusable_for_new_conns(circ);
+ return -1;
+ }
+
+ if (command == SOCKS_COMMAND_RESOLVE) {
+ string_addr = ap_conn->socks_request->address;
+ payload_len = (int)strlen(string_addr)+1;
+ } else {
+ /* command == SOCKS_COMMAND_RESOLVE_PTR */
+ const char *a = ap_conn->socks_request->address;
+ tor_addr_t addr;
+ int r;
+
+ /* We're doing a reverse lookup. The input could be an IP address, or
+ * could be an .in-addr.arpa or .ip6.arpa address */
+ r = tor_addr_parse_PTR_name(&addr, a, AF_UNSPEC, 1);
+ if (r <= 0) {
+ log_warn(LD_APP, "Rejecting ill-formed reverse lookup of %s",
+ safe_str_client(a));
+ connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
+ return -1;
+ }
+
+ r = tor_addr_to_PTR_name(inaddr_buf, sizeof(inaddr_buf), &addr);
+ if (r < 0) {
+ log_warn(LD_BUG, "Couldn't generate reverse lookup hostname of %s",
+ safe_str_client(a));
+ connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
+ return -1;
+ }
+
+ string_addr = inaddr_buf;
+ payload_len = (int)strlen(inaddr_buf)+1;
+ tor_assert(payload_len <= (int)sizeof(inaddr_buf));
+ }
+
+ log_debug(LD_APP,
+ "Sending relay cell to begin stream %d.", edge_conn->stream_id);
+
+ if (connection_edge_send_command(edge_conn,
+ RELAY_COMMAND_RESOLVE,
+ string_addr, payload_len) < 0)
+ return -1; /* circuit is closed, don't continue */
+
+ if (!base_conn->address) {
+ /* This might be unnecessary. XXXX */
+ base_conn->address = tor_addr_to_str_dup(&base_conn->addr);
+ }
+ base_conn->state = AP_CONN_STATE_RESOLVE_WAIT;
+ log_info(LD_APP,"Address sent for resolve, ap socket "TOR_SOCKET_T_FORMAT
+ ", n_circ_id %u",
+ base_conn->s, (unsigned)circ->base_.n_circ_id);
+ control_event_stream_status(ap_conn, STREAM_EVENT_SENT_RESOLVE, 0);
+ return 0;
+}
+
+/** Make an AP connection_t linked to the connection_t <b>partner</b>: make a
+ * new linked connection pair, attach one side to the conn, connection_add
+ * it, initialize it to circuit_wait, and mark it as pending for circuit
+ * attachment.
+ *
+ * Return the newly created end of the linked connection pair, or NULL on
+ * error.
+ */
+entry_connection_t *
+connection_ap_make_link(connection_t *partner,
+ char *address, uint16_t port,
+ const char *digest,
+ int session_group, int isolation_flags,
+ int use_begindir, int want_onehop)
+{
+ entry_connection_t *conn;
+ connection_t *base_conn;
+
+ log_info(LD_APP,"Making internal %s tunnel to %s:%d ...",
+ want_onehop ? "direct" : "anonymized",
+ safe_str_client(address), port);
+
+ conn = entry_connection_new(CONN_TYPE_AP, tor_addr_family(&partner->addr));
+ base_conn = ENTRY_TO_CONN(conn);
+ base_conn->linked = 1; /* so that we can add it safely below. */
+
+ /* populate conn->socks_request */
+
+ /* leave version at zero, so the socks_reply is empty */
+ conn->socks_request->socks_version = 0;
+ conn->socks_request->has_finished = 0; /* waiting for 'connected' */
+ strlcpy(conn->socks_request->address, address,
+ sizeof(conn->socks_request->address));
+ conn->socks_request->port = port;
+ conn->socks_request->command = SOCKS_COMMAND_CONNECT;
+ conn->want_onehop = want_onehop;
+ conn->use_begindir = use_begindir;
+ if (use_begindir) {
+ conn->chosen_exit_name = tor_malloc(HEX_DIGEST_LEN+2);
+ conn->chosen_exit_name[0] = '$';
+ tor_assert(digest);
+ base16_encode(conn->chosen_exit_name+1,HEX_DIGEST_LEN+1,
+ digest, DIGEST_LEN);
+ }
+
+ /* Populate isolation fields. */
+ conn->socks_request->listener_type = CONN_TYPE_DIR_LISTENER;
+ conn->original_dest_address = tor_strdup(address);
+ conn->entry_cfg.session_group = session_group;
+ conn->entry_cfg.isolation_flags = isolation_flags;
+
+ base_conn->address = tor_strdup("(Tor_internal)");
+ tor_addr_make_unspec(&base_conn->addr);
+ base_conn->port = 0;
+
+ connection_link_connections(partner, base_conn);
+
+ if (connection_add(base_conn) < 0) { /* no space, forget it */
+ connection_free(base_conn);
+ return NULL;
+ }
+
+ base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
+
+ control_event_stream_status(conn, STREAM_EVENT_NEW, 0);
+
+ /* attaching to a dirty circuit is fine */
+ connection_ap_mark_as_pending_circuit(conn);
+ log_info(LD_APP,"... application connection created and linked.");
+ return conn;
+}
+
+/** Notify any interested controller connections about a new hostname resolve
+ * or resolve error. Takes the same arguments as does
+ * connection_ap_handshake_socks_resolved(). */
+static void
+tell_controller_about_resolved_result(entry_connection_t *conn,
+ int answer_type,
+ size_t answer_len,
+ const char *answer,
+ int ttl,
+ time_t expires)
+{
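+ /* Recompute the expiry from the TTL; the caller-supplied expires value
+ * is overwritten here before it is used. */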
+ expires = time(NULL) + ttl;
+ if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
+ char *cp = tor_dup_ip(ntohl(get_uint32(answer)));
+ control_event_address_mapped(conn->socks_request->address,
+ cp, expires, NULL, 0);
+ tor_free(cp);
+ } else if (answer_type == RESOLVED_TYPE_HOSTNAME && answer_len < 256) {
+ char *cp = tor_strndup(answer, answer_len);
+ control_event_address_mapped(conn->socks_request->address,
+ cp, expires, NULL, 0);
+ tor_free(cp);
+ } else {
+ control_event_address_mapped(conn->socks_request->address,
+ "<error>", time(NULL)+ttl,
+ "error=yes", 0);
+ }
+}
+
+/**
+ * As connection_ap_handshake_socks_resolved, but take a tor_addr_t to send
+ * as the answer.
+ */
+void
+connection_ap_handshake_socks_resolved_addr(entry_connection_t *conn,
+ const tor_addr_t *answer,
+ int ttl,
+ time_t expires)
+{
+ if (tor_addr_family(answer) == AF_INET) {
+ uint32_t a = tor_addr_to_ipv4n(answer); /* network order */
+ connection_ap_handshake_socks_resolved(conn,RESOLVED_TYPE_IPV4,4,
+ (uint8_t*)&a,
+ ttl, expires);
+ } else if (tor_addr_family(answer) == AF_INET6) {
+ const uint8_t *a = tor_addr_to_in6_addr8(answer);
+ connection_ap_handshake_socks_resolved(conn,RESOLVED_TYPE_IPV6,16,
+ a,
+ ttl, expires);
+ } else {
+ log_warn(LD_BUG, "Got called with address of unexpected family %d",
+ tor_addr_family(answer));
+ connection_ap_handshake_socks_resolved(conn,
+ RESOLVED_TYPE_ERROR,0,NULL,-1,-1);
+ }
+}
+
+/** Send an answer to an AP connection that has requested a DNS lookup via
+ * SOCKS. The type should be one of RESOLVED_TYPE_(IPV4|IPV6|HOSTNAME) or -1
+ * for unreachable; the answer should be in the format specified in the socks
+ * extensions document. <b>ttl</b> is the ttl for the answer, or -1 on
+ * certain errors or for values that didn't come via DNS. <b>expires</b> is
+ * a time when the answer expires, or -1 or TIME_MAX if there's a good TTL.
+ **/
+/* XXXX the use of the ttl and expires fields is nutty. Let's make this
+ * interface and those that use it less ugly. */
+MOCK_IMPL(void,
+connection_ap_handshake_socks_resolved,(entry_connection_t *conn,
+ int answer_type,
+ size_t answer_len,
+ const uint8_t *answer,
+ int ttl,
+ time_t expires))
+{
+ char buf[384];
+ size_t replylen;
+
+ if (ttl >= 0) {
+ if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4) {
+ tor_addr_t a;
+ tor_addr_from_ipv4n(&a, get_uint32(answer));
+ if (! tor_addr_is_null(&a)) {
+ client_dns_set_addressmap(conn,
+ conn->socks_request->address, &a,
+ conn->chosen_exit_name, ttl);
+ }
+ } else if (answer_type == RESOLVED_TYPE_IPV6 && answer_len == 16) {
+ tor_addr_t a;
+ tor_addr_from_ipv6_bytes(&a, (char*)answer);
+ if (! tor_addr_is_null(&a)) {
+ client_dns_set_addressmap(conn,
+ conn->socks_request->address, &a,
+ conn->chosen_exit_name, ttl);
+ }
+ } else if (answer_type == RESOLVED_TYPE_HOSTNAME && answer_len < 256) {
+ char *cp = tor_strndup((char*)answer, answer_len);
+ client_dns_set_reverse_addressmap(conn,
+ conn->socks_request->address,
+ cp,
+ conn->chosen_exit_name, ttl);
+ tor_free(cp);
+ }
+ }
+
+ if (ENTRY_TO_EDGE_CONN(conn)->is_dns_request) {
+ if (conn->dns_server_request) {
+ /* We had a request on our DNS port: answer it. */
+ dnsserv_resolved(conn, answer_type, answer_len, (char*)answer, ttl);
+ conn->socks_request->has_finished = 1;
+ return;
+ } else {
+ /* This must be a request from the controller. Since answers to those
+ * requests are not cached, they do not generate an ADDRMAP event on
+ * their own. */
+ tell_controller_about_resolved_result(conn, answer_type, answer_len,
+ (char*)answer, ttl, expires);
+ conn->socks_request->has_finished = 1;
+ return;
+ }
+ /* We shouldn't need to free conn here; it gets marked by the caller. */
+ }
+
+ if (conn->socks_request->socks_version == 4) {
+ buf[0] = 0x00; /* version */
+ if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4) {
+ buf[1] = SOCKS4_GRANTED;
+ set_uint16(buf+2, 0);
+ memcpy(buf+4, answer, 4); /* address */
+ replylen = SOCKS4_NETWORK_LEN;
+ } else { /* "error" */
+ buf[1] = SOCKS4_REJECT;
+ memset(buf+2, 0, 6);
+ replylen = SOCKS4_NETWORK_LEN;
+ }
+ } else if (conn->socks_request->socks_version == 5) {
+ /* SOCKS5 */
+ buf[0] = 0x05; /* version */
+ if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4) {
+ buf[1] = SOCKS5_SUCCEEDED;
+ buf[2] = 0; /* reserved */
+ buf[3] = 0x01; /* IPv4 address type */
+ memcpy(buf+4, answer, 4); /* address */
+ set_uint16(buf+8, 0); /* port == 0. */
+ replylen = 10;
+ } else if (answer_type == RESOLVED_TYPE_IPV6 && answer_len == 16) {
+ buf[1] = SOCKS5_SUCCEEDED;
+ buf[2] = 0; /* reserved */
+ buf[3] = 0x04; /* IPv6 address type */
+ memcpy(buf+4, answer, 16); /* address */
+ set_uint16(buf+20, 0); /* port == 0. */
+ replylen = 22;
+ } else if (answer_type == RESOLVED_TYPE_HOSTNAME && answer_len < 256) {
+ buf[1] = SOCKS5_SUCCEEDED;
+ buf[2] = 0; /* reserved */
+ buf[3] = 0x03; /* Domainname address type */
+ buf[4] = (char)answer_len;
+ memcpy(buf+5, answer, answer_len); /* address */
+ set_uint16(buf+5+answer_len, 0); /* port == 0. */
+ replylen = 5+answer_len+2;
+ } else {
+ buf[1] = SOCKS5_HOST_UNREACHABLE;
+ memset(buf+2, 0, 8);
+ replylen = 10;
+ }
+ } else {
+ /* no socks version info; don't send anything back */
+ return;
+ }
+ connection_ap_handshake_socks_reply(conn, buf, replylen,
+ (answer_type == RESOLVED_TYPE_IPV4 ||
+ answer_type == RESOLVED_TYPE_IPV6 ||
+ answer_type == RESOLVED_TYPE_HOSTNAME) ?
+ 0 : END_STREAM_REASON_RESOLVEFAILED);
+}
+
+/** Send a socks reply to stream <b>conn</b>, using the appropriate
+ * socks version, etc, and mark <b>conn</b> as completed with SOCKS
+ * handshaking.
+ *
+ * If <b>reply</b> is defined, then write <b>replylen</b> bytes of it to conn
+ * and return, else reply based on <b>endreason</b> (one of
+ * END_STREAM_REASON_*). If <b>reply</b> is undefined, <b>endreason</b> can't
+ * be 0 or REASON_DONE. Send endreason to the controller, if appropriate.
+ */
+void
+connection_ap_handshake_socks_reply(entry_connection_t *conn, char *reply,
+ size_t replylen, int endreason)
+{
+ char buf[256];
+ socks5_reply_status_t status =
+ stream_end_reason_to_socks5_response(endreason);
+
+ tor_assert(conn->socks_request); /* make sure it's an AP stream */
+
+ if (!SOCKS_COMMAND_IS_RESOLVE(conn->socks_request->command)) {
+ control_event_stream_status(conn, status==SOCKS5_SUCCEEDED ?
+ STREAM_EVENT_SUCCEEDED : STREAM_EVENT_FAILED,
+ endreason);
+ }
+
+ /* Flag this stream's circuit as having completed a stream successfully
+ * (for path bias) */
+ if (status == SOCKS5_SUCCEEDED ||
+ endreason == END_STREAM_REASON_RESOLVEFAILED ||
+ endreason == END_STREAM_REASON_CONNECTREFUSED ||
+ endreason == END_STREAM_REASON_CONNRESET ||
+ endreason == END_STREAM_REASON_NOROUTE ||
+ endreason == END_STREAM_REASON_RESOURCELIMIT) {
+ if (!conn->edge_.on_circuit ||
+ !CIRCUIT_IS_ORIGIN(conn->edge_.on_circuit)) {
+ if (endreason != END_STREAM_REASON_RESOLVEFAILED) {
+ log_info(LD_BUG,
+ "No origin circuit for successful SOCKS stream %"PRIu64
+ ". Reason: %d",
+ (ENTRY_TO_CONN(conn)->global_identifier),
+ endreason);
+ }
+ /*
+ * Else DNS remaps and failed hidden service lookups can send us
+ * here with END_STREAM_REASON_RESOLVEFAILED; ignore it
+ *
+ * Perhaps we could make the test more precise; we can tell hidden
+ * services by conn->edge_.renddata != NULL; anything analogous for
+ * the DNS remap case?
+ */
+ } else {
+ // XXX: Hrmm. It looks like optimistic data can't go through this
+ // codepath, but someone should probably test it and make sure.
+ // We don't want to mark optimistically opened streams as successful.
+ pathbias_mark_use_success(TO_ORIGIN_CIRCUIT(conn->edge_.on_circuit));
+ }
+ }
+
+ if (conn->socks_request->has_finished) {
+ log_warn(LD_BUG, "(Harmless.) duplicate calls to "
+ "connection_ap_handshake_socks_reply.");
+ return;
+ }
+ if (replylen) { /* we already have a reply in mind */
+ connection_buf_add(reply, replylen, ENTRY_TO_CONN(conn));
+ conn->socks_request->has_finished = 1;
+ return;
+ }
+ if (conn->socks_request->listener_type ==
+ CONN_TYPE_AP_HTTP_CONNECT_LISTENER) {
+ const char *response = end_reason_to_http_connect_response_line(endreason);
+ if (!response) {
+ response = "HTTP/1.0 400 Bad Request\r\n\r\n";
+ }
+ connection_buf_add(response, strlen(response), ENTRY_TO_CONN(conn));
+ } else if (conn->socks_request->socks_version == 4) {
+ memset(buf,0,SOCKS4_NETWORK_LEN);
+ buf[1] = (status==SOCKS5_SUCCEEDED ? SOCKS4_GRANTED : SOCKS4_REJECT);
+ /* leave version, destport, destip zero */
+ connection_buf_add(buf, SOCKS4_NETWORK_LEN, ENTRY_TO_CONN(conn));
+ } else if (conn->socks_request->socks_version == 5) {
+ size_t buf_len;
+ memset(buf,0,sizeof(buf));
+ if (tor_addr_family(&conn->edge_.base_.addr) == AF_INET) {
+ buf[0] = 5; /* version 5 */
+ buf[1] = (char)status;
+ buf[2] = 0;
+ buf[3] = 1; /* ipv4 addr */
+ /* 4 bytes for the header, 2 bytes for the port, 4 for the address. */
+ buf_len = 10;
+ } else { /* AF_INET6. */
+ buf[0] = 5; /* version 5 */
+ buf[1] = (char)status;
+ buf[2] = 0;
+ buf[3] = 4; /* ipv6 addr */
+ /* 4 bytes for the header, 2 bytes for the port, 16 for the address. */
+ buf_len = 22;
+ }
+ connection_buf_add(buf,buf_len,ENTRY_TO_CONN(conn));
+ }
+ /* If socks_version isn't 4 or 5, don't send anything.
+ * This can happen in the case of AP bridges. */
+ conn->socks_request->has_finished = 1;
+ return;
+}
+
+/** Read a RELAY_BEGIN or RELAY_BEGIN_DIR cell from <b>cell</b>, decode it, and
+ * place the result in <b>bcell</b>. On success return 0; on failure return
+ * <0 and set *<b>end_reason_out</b> to the end reason we should send back to
+ * the client.
+ *
+ * Return -1 in the case where we want to send a RELAY_END cell, and < -1 when
+ * we don't.
+ **/
+STATIC int
+begin_cell_parse(const cell_t *cell, begin_cell_t *bcell,
+ uint8_t *end_reason_out)
+{
+ relay_header_t rh;
+ const uint8_t *body, *nul;
+
+ memset(bcell, 0, sizeof(*bcell));
+ *end_reason_out = END_STREAM_REASON_MISC;
+
+ relay_header_unpack(&rh, cell->payload);
+ if (rh.length > RELAY_PAYLOAD_SIZE) {
+ return -2; /*XXXX why not TORPROTOCOL? */
+ }
+
+ bcell->stream_id = rh.stream_id;
+
+ if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
+ bcell->is_begindir = 1;
+ return 0;
+ } else if (rh.command != RELAY_COMMAND_BEGIN) {
+ log_warn(LD_BUG, "Got an unexpected command %d", (int)rh.command);
+ *end_reason_out = END_STREAM_REASON_INTERNAL;
+ return -1;
+ }
+
+ body = cell->payload + RELAY_HEADER_SIZE;
+ nul = memchr(body, 0, rh.length);
+ if (! nul) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Relay begin cell has no \\0. Closing.");
+ *end_reason_out = END_STREAM_REASON_TORPROTOCOL;
+ return -1;
+ }
+
+ if (tor_addr_port_split(LOG_PROTOCOL_WARN,
+ (char*)(body),
+ &bcell->address,&bcell->port)<0) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Unable to parse addr:port in relay begin cell. Closing.");
+ *end_reason_out = END_STREAM_REASON_TORPROTOCOL;
+ return -1;
+ }
+ if (bcell->port == 0) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Missing port in relay begin cell. Closing.");
+ tor_free(bcell->address);
+ *end_reason_out = END_STREAM_REASON_TORPROTOCOL;
+ return -1;
+ }
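+ /* Any flags appear as a 4-byte network-order BEGIN_FLAG_* bitfield
+ * immediately after the NUL that terminates the address:port string. */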
+ if (body + rh.length >= nul + 4)
+ bcell->flags = ntohl(get_uint32(nul+1));
+
+ return 0;
+}
+
+/** For the given <b>circ</b> and the edge connection <b>conn</b>, set up the
+ * connection, attach it to the circ and connect it. Return 0 on success,
+ * or END_CIRC_AT_ORIGIN if we can't find the requested hidden service port,
+ * in which case the caller should close the circuit. */
+static int
+handle_hs_exit_conn(circuit_t *circ, edge_connection_t *conn)
+{
+ int ret;
+ origin_circuit_t *origin_circ;
+
+ assert_circuit_ok(circ);
+ tor_assert(circ->purpose == CIRCUIT_PURPOSE_S_REND_JOINED);
+ tor_assert(conn);
+
+ log_debug(LD_REND, "Connecting the hidden service rendezvous circuit "
+ "to the service destination.");
+
+ origin_circ = TO_ORIGIN_CIRCUIT(circ);
+ conn->base_.address = tor_strdup("(rendezvous)");
+ conn->base_.state = EXIT_CONN_STATE_CONNECTING;
+
+ /* The circuit either has an hs identifier for v3+ or a rend_data for legacy
+ * service. */
+ if (origin_circ->rend_data) {
+ conn->rend_data = rend_data_dup(origin_circ->rend_data);
+ tor_assert(connection_edge_is_rendezvous_stream(conn));
+ ret = rend_service_set_connection_addr_port(conn, origin_circ);
+ } else if (origin_circ->hs_ident) {
+ /* Setup the identifier to be the one for the circuit service. */
+ conn->hs_ident =
+ hs_ident_edge_conn_new(&origin_circ->hs_ident->identity_pk);
+ tor_assert(connection_edge_is_rendezvous_stream(conn));
+ ret = hs_service_set_conn_addr_port(origin_circ, conn);
+ } else {
+ /* We should never get here if the circuit's purpose is rendezvous. */
+ tor_assert_nonfatal_unreached();
+ return -1;
+ }
+ if (ret < 0) {
+ log_info(LD_REND, "Didn't find rendezvous service (addr%s, port %d)",
+ fmt_addr(&TO_CONN(conn)->addr), TO_CONN(conn)->port);
+ /* Send back reason DONE because we want to make hidden service port
+ * scanning harder thus instead of returning that the exit policy
+ * didn't match, which makes it obvious that the port is closed,
+ * return DONE and kill the circuit. That way, a user (malicious or
+ * not) needs one circuit per bad port unless it matches the policy of
+ * the hidden service. */
+ relay_send_end_cell_from_edge(conn->stream_id, circ,
+ END_STREAM_REASON_DONE,
+ origin_circ->cpath->prev);
+ connection_free_(TO_CONN(conn));
+
+ /* Drop the circuit here since it might be someone deliberately
+ * scanning the hidden service ports. Note that this mitigates port
+ * scanning by adding more work on the attacker side to successfully
+ * scan but does not fully solve it. */
+ if (ret < -1) {
+ return END_CIRC_AT_ORIGIN;
+ } else {
+ return 0;
+ }
+ }
+
+ /* Link the circuit and the connection crypt path. */
+ conn->cpath_layer = origin_circ->cpath->prev;
+
+ /* Add it into the linked list of p_streams on this circuit */
+ conn->next_stream = origin_circ->p_streams;
+ origin_circ->p_streams = conn;
+ conn->on_circuit = circ;
+ assert_circuit_ok(circ);
+
+ hs_inc_rdv_stream_counter(origin_circ);
+
+ /* Connect tor to the hidden service destination. */
+ connection_exit_connect(conn);
+
+ /* For path bias: This circuit was used successfully */
+ pathbias_mark_use_success(origin_circ);
+ return 0;
+}
+
+/** A relay 'begin' or 'begin_dir' cell has arrived, and either we are
+ * an exit hop for the circuit, or we are the origin and it is a
+ * rendezvous begin.
+ *
+ * Launch a new exit connection and initialize things appropriately.
+ *
+ * If it's a rendezvous stream, call connection_exit_connect() on
+ * it.
+ *
+ * For general streams, call dns_resolve() on it first, and only call
+ * connection_exit_connect() if the dns answer is already known.
+ *
+ * Note that we don't call connection_add() on the new stream! We wait
+ * for connection_exit_connect() to do that.
+ *
+ * Return -(some circuit end reason) if we want to tear down <b>circ</b>.
+ * Else return 0.
+ */
+int
+connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
+{
+ edge_connection_t *n_stream;
+ relay_header_t rh;
+ char *address = NULL;
+ uint16_t port = 0;
+ or_circuit_t *or_circ = NULL;
+ origin_circuit_t *origin_circ = NULL;
+ crypt_path_t *layer_hint = NULL;
+ const or_options_t *options = get_options();
+ begin_cell_t bcell;
+ int rv;
+ uint8_t end_reason=0;
+
+ assert_circuit_ok(circ);
+ if (!CIRCUIT_IS_ORIGIN(circ)) {
+ or_circ = TO_OR_CIRCUIT(circ);
+ } else {
+ tor_assert(circ->purpose == CIRCUIT_PURPOSE_S_REND_JOINED);
+ origin_circ = TO_ORIGIN_CIRCUIT(circ);
+ layer_hint = origin_circ->cpath->prev;
+ }
+
+ relay_header_unpack(&rh, cell->payload);
+ if (rh.length > RELAY_PAYLOAD_SIZE)
+ return -END_CIRC_REASON_TORPROTOCOL;
+
+ if (!server_mode(options) &&
+ circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Relay begin cell at non-server. Closing.");
+ relay_send_end_cell_from_edge(rh.stream_id, circ,
+ END_STREAM_REASON_EXITPOLICY, NULL);
+ return 0;
+ }
+
+ rv = begin_cell_parse(cell, &bcell, &end_reason);
+ if (rv < -1) {
+ return -END_CIRC_REASON_TORPROTOCOL;
+ } else if (rv == -1) {
+ tor_free(bcell.address);
+ relay_send_end_cell_from_edge(rh.stream_id, circ, end_reason, layer_hint);
+ return 0;
+ }
+
+ if (! bcell.is_begindir) {
+ /* Steal reference */
+ address = bcell.address;
+ port = bcell.port;
+
+ if (or_circ && or_circ->p_chan) {
+ const int client_chan = channel_is_client(or_circ->p_chan);
+ if ((client_chan ||
+ (!connection_or_digest_is_known_relay(
+ or_circ->p_chan->identity_digest) &&
+ should_refuse_unknown_exits(options)))) {
+ /* Don't let clients use us as a single-hop proxy. It attracts
+ * attackers and users who'd be better off with, well, single-hop
+ * proxies. */
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Attempt by %s to open a stream %s. Closing.",
+ safe_str(channel_get_canonical_remote_descr(or_circ->p_chan)),
+ client_chan ? "on first hop of circuit" :
+ "from unknown relay");
+ relay_send_end_cell_from_edge(rh.stream_id, circ,
+ client_chan ?
+ END_STREAM_REASON_TORPROTOCOL :
+ END_STREAM_REASON_MISC,
+ NULL);
+ tor_free(address);
+ return 0;
+ }
+ }
+ } else if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
+ if (!directory_permits_begindir_requests(options) ||
+ circ->purpose != CIRCUIT_PURPOSE_OR) {
+ relay_send_end_cell_from_edge(rh.stream_id, circ,
+ END_STREAM_REASON_NOTDIRECTORY, layer_hint);
+ return 0;
+ }
+ /* Make sure to get the 'real' address of the previous hop: the
+ * caller might want to know whether the remote IP address has changed,
+ * and we might already have corrected base_.addr[ess] for the relay's
+ * canonical IP address. */
+ if (or_circ && or_circ->p_chan)
+ address = tor_strdup(channel_get_actual_remote_address(or_circ->p_chan));
+ else
+ address = tor_strdup("127.0.0.1");
+ port = 1; /* XXXX This value is never actually used anywhere, and there
+ * isn't "really" a connection here. But we
+ * need to set it to something nonzero. */
+ } else {
+ log_warn(LD_BUG, "Got an unexpected command %d", (int)rh.command);
+ relay_send_end_cell_from_edge(rh.stream_id, circ,
+ END_STREAM_REASON_INTERNAL, layer_hint);
+ return 0;
+ }
+
+ if (! options->IPv6Exit) {
+ /* I don't care if you prefer IPv6; I can't give you any. */
+ bcell.flags &= ~BEGIN_FLAG_IPV6_PREFERRED;
+ /* If you don't want IPv4, I can't help. */
+ if (bcell.flags & BEGIN_FLAG_IPV4_NOT_OK) {
+ tor_free(address);
+ relay_send_end_cell_from_edge(rh.stream_id, circ,
+ END_STREAM_REASON_EXITPOLICY, layer_hint);
+ return 0;
+ }
+ }
+
+ log_debug(LD_EXIT,"Creating new exit connection.");
+ /* The 'AF_INET' here is temporary; we might need to change it later in
+ * connection_exit_connect(). */
+ n_stream = edge_connection_new(CONN_TYPE_EXIT, AF_INET);
+
+ /* Remember the tunneled request ID in the new edge connection, so that
+ * we can measure download times. */
+ n_stream->dirreq_id = circ->dirreq_id;
+
+ n_stream->base_.purpose = EXIT_PURPOSE_CONNECT;
+ n_stream->begincell_flags = bcell.flags;
+ n_stream->stream_id = rh.stream_id;
+ n_stream->base_.port = port;
+ /* leave n_stream->s at -1, because it's not yet valid */
+ n_stream->package_window = STREAMWINDOW_START;
+ n_stream->deliver_window = STREAMWINDOW_START;
+
+ if (circ->purpose == CIRCUIT_PURPOSE_S_REND_JOINED) {
+ int ret;
+ tor_free(address);
+ /* We handle this circuit and stream in this function for all supported
+ * hidden service versions. */
+ ret = handle_hs_exit_conn(circ, n_stream);
+
+ if (ret == 0) {
+ /* This was a valid cell. Count it as delivered + overhead. */
+ circuit_read_valid_data(origin_circ, rh.length);
+ }
+ return ret;
+ }
+ tor_strlower(address);
+ n_stream->base_.address = address;
+ n_stream->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
+ /* default to failed, change in dns_resolve if it turns out not to fail */
+
+ /* If we're hibernating or shutting down, we refuse to open new streams. */
+ if (we_are_hibernating()) {
+ relay_send_end_cell_from_edge(rh.stream_id, circ,
+ END_STREAM_REASON_HIBERNATING, NULL);
+ connection_free_(TO_CONN(n_stream));
+ return 0;
+ }
+
+ n_stream->on_circuit = circ;
+
+ if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
+ tor_addr_t tmp_addr;
+ tor_assert(or_circ);
+ if (or_circ->p_chan &&
+ channel_get_addr_if_possible(or_circ->p_chan, &tmp_addr)) {
+ tor_addr_copy(&n_stream->base_.addr, &tmp_addr);
+ }
+ return connection_exit_connect_dir(n_stream);
+ }
+
+ log_debug(LD_EXIT,"about to start the dns_resolve().");
+
+ /* send it off to the gethostbyname farm */
+ switch (dns_resolve(n_stream)) {
+ case 1: /* resolve worked; now n_stream is attached to circ. */
+ assert_circuit_ok(circ);
+ log_debug(LD_EXIT,"about to call connection_exit_connect().");
+ connection_exit_connect(n_stream);
+ return 0;
+ case -1: /* resolve failed */
+ relay_send_end_cell_from_edge(rh.stream_id, circ,
+ END_STREAM_REASON_RESOLVEFAILED, NULL);
+ /* n_stream got freed. don't touch it. */
+ break;
+ case 0: /* resolve added to pending list */
+ assert_circuit_ok(circ);
+ break;
+ }
+ return 0;
+}
+
+/**
+ * Called when we receive a RELAY_COMMAND_RESOLVE cell 'cell' along the
+ * circuit <b>circ</b>;
+ * begin resolving the hostname, and (eventually) reply with a RESOLVED cell.
+ */
+int
+connection_exit_begin_resolve(cell_t *cell, or_circuit_t *circ)
+{
+ edge_connection_t *dummy_conn;
+ relay_header_t rh;
+
+ assert_circuit_ok(TO_CIRCUIT(circ));
+ relay_header_unpack(&rh, cell->payload);
+ if (rh.length > RELAY_PAYLOAD_SIZE)
+ return -1;
+
+ /* This 'dummy_conn' only exists to remember the stream ID
+ * associated with the resolve request; and to make the
+ * implementation of dns.c more uniform. (We really only need to
+ * remember the circuit, the stream ID, and the hostname to be
+ * resolved; but if we didn't store them in a connection like this,
+ * the housekeeping in dns.c would get way more complicated.)
+ */
+ dummy_conn = edge_connection_new(CONN_TYPE_EXIT, AF_INET);
+ dummy_conn->stream_id = rh.stream_id;
+ dummy_conn->base_.address = tor_strndup(
+ (char*)cell->payload+RELAY_HEADER_SIZE,
+ rh.length);
+ dummy_conn->base_.port = 0;
+ dummy_conn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
+ dummy_conn->base_.purpose = EXIT_PURPOSE_RESOLVE;
+
+ dummy_conn->on_circuit = TO_CIRCUIT(circ);
+
+ /* send it off to the gethostbyname farm */
+ switch (dns_resolve(dummy_conn)) {
+ case -1: /* Impossible to resolve; a resolved cell was sent. */
+ /* Connection freed; don't touch it. */
+ return 0;
+ case 1: /* The result was cached; a resolved cell was sent. */
+ if (!dummy_conn->base_.marked_for_close)
+ connection_free_(TO_CONN(dummy_conn));
+ return 0;
+ case 0: /* resolve added to pending list */
+ assert_circuit_ok(TO_CIRCUIT(circ));
+ break;
+ }
+ return 0;
+}
+
+/** Helper: Return true and set *<b>why_rejected</b> to an optional clarifying
+ * message iff we do not allow connections to <b>addr</b>:<b>port</b>.
+ */
+static int
+my_exit_policy_rejects(const tor_addr_t *addr,
+ uint16_t port,
+ const char **why_rejected)
+{
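+ /* The check below treats a nonzero return from
+ * router_compare_to_my_exit_policy() as "our exit policy rejects this
+ * address:port". */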
+ if (router_compare_to_my_exit_policy(addr, port)) {
+ *why_rejected = "";
+ return 1;
+ } else if (tor_addr_family(addr) == AF_INET6 && !get_options()->IPv6Exit) {
+ *why_rejected = " (IPv6 address without IPv6Exit configured)";
+ return 1;
+ }
+ return 0;
+}
+
+/** Connect to conn's specified addr and port. If it worked, conn
+ * has now been added to the connection_array.
+ *
+ * Send back a connected cell. Include the resolved IP of the destination
+ * address, but <em>only</em> if it's a general exit stream. (Rendezvous
+ * streams must not reveal what IP they connected to.)
+ */
+void
+connection_exit_connect(edge_connection_t *edge_conn)
+{
+ const tor_addr_t *addr;
+ uint16_t port;
+ connection_t *conn = TO_CONN(edge_conn);
+ int socket_error = 0, result;
+ const char *why_failed_exit_policy = NULL;
+
+ /* Apply exit policy to non-rendezvous connections. */
+ if (! connection_edge_is_rendezvous_stream(edge_conn) &&
+ my_exit_policy_rejects(&edge_conn->base_.addr,
+ edge_conn->base_.port,
+ &why_failed_exit_policy)) {
+ if (BUG(!why_failed_exit_policy))
+ why_failed_exit_policy = "";
+ log_info(LD_EXIT,"%s:%d failed exit policy%s. Closing.",
+ escaped_safe_str_client(conn->address), conn->port,
+ why_failed_exit_policy);
+ connection_edge_end(edge_conn, END_STREAM_REASON_EXITPOLICY);
+ circuit_detach_stream(circuit_get_by_edge_conn(edge_conn), edge_conn);
+ connection_free(conn);
+ return;
+ }
+
+#ifdef HAVE_SYS_UN_H
+ if (conn->socket_family != AF_UNIX) {
+#else
+ {
+#endif /* defined(HAVE_SYS_UN_H) */
+ addr = &conn->addr;
+ port = conn->port;
+
+ if (tor_addr_family(addr) == AF_INET6)
+ conn->socket_family = AF_INET6;
+
+ log_debug(LD_EXIT, "about to try connecting");
+ result = connection_connect(conn, conn->address,
+ addr, port, &socket_error);
+#ifdef HAVE_SYS_UN_H
+ } else {
+ /*
+ * In the AF_UNIX case, we expect to have already had conn->port = 1,
+ * tor_addr_make_unspec(conn->addr) (cf. the way we mark in the incoming
+ * case in connection_handle_listener_read()), and conn->address should
+ * have the socket path to connect to.
+ */
+ tor_assert(conn->address && strlen(conn->address) > 0);
+
+ log_debug(LD_EXIT, "about to try connecting");
+ result = connection_connect_unix(conn, conn->address, &socket_error);
+#endif /* defined(HAVE_SYS_UN_H) */
+ }
+
+ switch (result) {
+ case -1: {
+ int reason = errno_to_stream_end_reason(socket_error);
+ connection_edge_end(edge_conn, reason);
+ circuit_detach_stream(circuit_get_by_edge_conn(edge_conn), edge_conn);
+ connection_free(conn);
+ return;
+ }
+ case 0:
+ conn->state = EXIT_CONN_STATE_CONNECTING;
+
+ connection_watch_events(conn, READ_EVENT | WRITE_EVENT);
+ /* writable indicates finish;
+ * readable/error indicates broken link in windows-land. */
+ return;
+ /* case 1: fall through */
+ }
+
+ conn->state = EXIT_CONN_STATE_OPEN;
+ if (connection_get_outbuf_len(conn)) {
+ /* in case there are any queued data cells, from e.g. optimistic data */
+ connection_watch_events(conn, READ_EVENT|WRITE_EVENT);
+ } else {
+ connection_watch_events(conn, READ_EVENT);
+ }
+
+ /* also, deliver a 'connected' cell back through the circuit. */
+ if (connection_edge_is_rendezvous_stream(edge_conn)) {
+ /* don't send an address back! */
+ connection_edge_send_command(edge_conn,
+ RELAY_COMMAND_CONNECTED,
+ NULL, 0);
+ } else { /* normal stream */
+ uint8_t connected_payload[MAX_CONNECTED_CELL_PAYLOAD_LEN];
+ int connected_payload_len =
+ connected_cell_format_payload(connected_payload, &conn->addr,
+ edge_conn->address_ttl);
+ if (connected_payload_len < 0) {
+ connection_edge_end(edge_conn, END_STREAM_REASON_INTERNAL);
+ circuit_detach_stream(circuit_get_by_edge_conn(edge_conn), edge_conn);
+ connection_free(conn);
+ return;
+ }
+
+ connection_edge_send_command(edge_conn,
+ RELAY_COMMAND_CONNECTED,
+ (char*)connected_payload,
+ connected_payload_len);
+ }
+}
+
+/** Given an exit conn that should attach to us as a directory server, open a
+ * bridge connection with a linked connection pair, create a new directory
+ * conn, and join them together. Return 0 on success (or if there was an
+ * error we could send back an end cell for). Return -(some circuit end
+ * reason) if the circuit needs to be torn down. Either connects
+ * <b>exitconn</b>, frees it, or marks it, as appropriate.
+ */
+static int
+connection_exit_connect_dir(edge_connection_t *exitconn)
+{
+ dir_connection_t *dirconn = NULL;
+ or_circuit_t *circ = TO_OR_CIRCUIT(exitconn->on_circuit);
+
+ log_info(LD_EXIT, "Opening local connection for anonymized directory exit");
+
+ exitconn->base_.state = EXIT_CONN_STATE_OPEN;
+
+ dirconn = dir_connection_new(tor_addr_family(&exitconn->base_.addr));
+
+ tor_addr_copy(&dirconn->base_.addr, &exitconn->base_.addr);
+ dirconn->base_.port = 0;
+ dirconn->base_.address = tor_strdup(exitconn->base_.address);
+ dirconn->base_.type = CONN_TYPE_DIR;
+ dirconn->base_.purpose = DIR_PURPOSE_SERVER;
+ dirconn->base_.state = DIR_CONN_STATE_SERVER_COMMAND_WAIT;
+
+ /* Note that the new dir conn belongs to the same tunneled request as
+ * the edge conn, so that we can measure download times. */
+ dirconn->dirreq_id = exitconn->dirreq_id;
+
+ connection_link_connections(TO_CONN(dirconn), TO_CONN(exitconn));
+
+ if (connection_add(TO_CONN(exitconn))<0) {
+ connection_edge_end(exitconn, END_STREAM_REASON_RESOURCELIMIT);
+ connection_free_(TO_CONN(exitconn));
+ connection_free_(TO_CONN(dirconn));
+ return 0;
+ }
+
+ /* link exitconn to circ, now that we know we can use it. */
+ exitconn->next_stream = circ->n_streams;
+ circ->n_streams = exitconn;
+
+ if (connection_add(TO_CONN(dirconn))<0) {
+ connection_edge_end(exitconn, END_STREAM_REASON_RESOURCELIMIT);
+ connection_close_immediate(TO_CONN(exitconn));
+ connection_mark_for_close(TO_CONN(exitconn));
+ connection_free_(TO_CONN(dirconn));
+ return 0;
+ }
+
+ connection_start_reading(TO_CONN(dirconn));
+ connection_start_reading(TO_CONN(exitconn));
+
+ if (connection_edge_send_command(exitconn,
+ RELAY_COMMAND_CONNECTED, NULL, 0) < 0) {
+ connection_mark_for_close(TO_CONN(exitconn));
+ connection_mark_for_close(TO_CONN(dirconn));
+ return 0;
+ }
+
+ return 0;
+}
+
+/** Return 1 if <b>conn</b> is a rendezvous stream, or 0 if
+ * it is a general stream.
+ */
+int
+connection_edge_is_rendezvous_stream(const edge_connection_t *conn)
+{
+ tor_assert(conn);
+ /* It should not be possible to set both of these structs */
+ tor_assert_nonfatal(!(conn->rend_data && conn->hs_ident));
+
+ if (conn->rend_data || conn->hs_ident) {
+ return 1;
+ }
+ return 0;
+}
+
+/** Return 1 if router <b>exit_node</b> is likely to allow stream <b>conn</b>
+ * to exit from it, or 0 if it probably will not allow it.
+ * (We might be uncertain if conn's destination address has not yet been
+ * resolved.)
+ */
+int
+connection_ap_can_use_exit(const entry_connection_t *conn,
+ const node_t *exit_node)
+{
+ const or_options_t *options = get_options();
+
+ tor_assert(conn);
+ tor_assert(conn->socks_request);
+ tor_assert(exit_node);
+
+ /* If a particular exit node has been requested for the new connection,
+ * make sure the exit node of the existing circuit matches exactly.
+ */
+ if (conn->chosen_exit_name) {
+ const node_t *chosen_exit =
+ node_get_by_nickname(conn->chosen_exit_name, 0);
+ if (!chosen_exit || tor_memneq(chosen_exit->identity,
+ exit_node->identity, DIGEST_LEN)) {
+ /* doesn't match */
+// log_debug(LD_APP,"Requested node '%s', considering node '%s'. No.",
+// conn->chosen_exit_name, exit->nickname);
+ return 0;
+ }
+ }
+
+ if (conn->use_begindir) {
+ /* Internal directory fetches do not count as exiting. */
+ return 1;
+ }
+
+ if (conn->socks_request->command == SOCKS_COMMAND_CONNECT) {
+ tor_addr_t addr, *addrp = NULL;
+ addr_policy_result_t r;
+ if (0 == tor_addr_parse(&addr, conn->socks_request->address)) {
+ addrp = &addr;
+ } else if (!conn->entry_cfg.ipv4_traffic && conn->entry_cfg.ipv6_traffic) {
+ tor_addr_make_null(&addr, AF_INET6);
+ addrp = &addr;
+ } else if (conn->entry_cfg.ipv4_traffic && !conn->entry_cfg.ipv6_traffic) {
+ tor_addr_make_null(&addr, AF_INET);
+ addrp = &addr;
+ }
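+ /* If the target is a hostname rather than a literal address, but only one
+ * address family is permitted on this listener, use a null address of that
+ * family so the policy comparison is made against the right family;
+ * otherwise addrp stays NULL. */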
+ r = compare_tor_addr_to_node_policy(addrp, conn->socks_request->port,
+ exit_node);
+ if (r == ADDR_POLICY_REJECTED)
+ return 0; /* We know the address, and the exit policy rejects it. */
+ if (r == ADDR_POLICY_PROBABLY_REJECTED && !conn->chosen_exit_name)
+ return 0; /* We don't know the addr, but the exit policy rejects most
+ * addresses with this port. Since the user didn't ask for
+ * this node, err on the side of caution. */
+ } else if (SOCKS_COMMAND_IS_RESOLVE(conn->socks_request->command)) {
+ /* Don't send DNS requests to non-exit servers by default. */
+ if (!conn->chosen_exit_name && node_exit_policy_rejects_all(exit_node))
+ return 0;
+ }
+ if (routerset_contains_node(options->ExcludeExitNodesUnion_, exit_node)) {
+ /* Not a suitable exit. Refuse it. */
+ return 0;
+ }
+
+ return 1;
+}
+
+/** If address is of the form "y.onion" with a well-formed handle y:
+ * Put a NUL after y, lower-case it, and return ONION_V2_HOSTNAME or
+ * ONION_V3_HOSTNAME depending on the HS version.
+ *
+ * If address is of the form "x.y.onion" with a well-formed handle x:
+ * Drop "x.", put a NUL after y, lower-case it, and return
+ * ONION_V2_HOSTNAME or ONION_V3_HOSTNAME depending on the HS version.
+ *
+ * If address is of the form "y.onion" with a badly-formed handle y:
+ * Return BAD_HOSTNAME and log a message.
+ *
+ * If address is of the form "y.exit":
+ * Put a NUL after y and return EXIT_HOSTNAME.
+ *
+ * Otherwise:
+ * Return NORMAL_HOSTNAME and change nothing.
+ */
+hostname_type_t
+parse_extended_hostname(char *address)
+{
+ char *s;
+ char *q;
+ char query[HS_SERVICE_ADDR_LEN_BASE32+1];
+
+ s = strrchr(address,'.');
+ if (!s)
+ return NORMAL_HOSTNAME; /* no dot, thus normal */
+ if (!strcmp(s+1,"exit")) {
+ *s = 0; /* NUL-terminate it */
+ return EXIT_HOSTNAME; /* .exit */
+ }
+ if (strcmp(s+1,"onion"))
+ return NORMAL_HOSTNAME; /* neither .exit nor .onion, thus normal */
+
+ /* so it is .onion */
+ *s = 0; /* NUL-terminate it */
+ /* locate a 'sub-domain' component, in order to remove it */
+ q = strrchr(address, '.');
+ if (q == address) {
+ goto failed; /* reject sub-domain, as DNS does */
+ }
+ q = (NULL == q) ? address : q + 1;
+ if (strlcpy(query, q, HS_SERVICE_ADDR_LEN_BASE32+1) >=
+ HS_SERVICE_ADDR_LEN_BASE32+1)
+ goto failed;
+ if (q != address) {
+ memmove(address, q, strlen(q) + 1 /* also get \0 */);
+ }
+ if (rend_valid_v2_service_id(query)) {
+ return ONION_V2_HOSTNAME; /* success */
+ }
+ if (hs_address_is_valid(query)) {
+ return ONION_V3_HOSTNAME;
+ }
+ failed:
+ /* otherwise, restore the address to its previous state and return
+ * BAD_HOSTNAME */
+ *s = '.';
+ log_warn(LD_APP, "Invalid onion hostname %s; rejecting",
+ safe_str_client(address));
+ return BAD_HOSTNAME;
+}
+
+/** Return true iff the (possibly NULL) <b>alen</b>-byte chunk of memory at
+ * <b>a</b> is equal to the (possibly NULL) <b>blen</b>-byte chunk of memory
+ * at <b>b</b>. */
+static int
+memeq_opt(const char *a, size_t alen, const char *b, size_t blen)
+{
+ if (a == NULL) {
+ return (b == NULL);
+ } else if (b == NULL) {
+ return 0;
+ } else if (alen != blen) {
+ return 0;
+ } else {
+ return tor_memeq(a, b, alen);
+ }
+}
+
+/**
+ * Return true iff none of the isolation flags and fields in <b>conn</b>
+ * should prevent it from being attached to <b>circ</b>.
+ */
+int
+connection_edge_compatible_with_circuit(const entry_connection_t *conn,
+ const origin_circuit_t *circ)
+{
+ const uint8_t iso = conn->entry_cfg.isolation_flags;
+ const socks_request_t *sr = conn->socks_request;
+
+ /* If circ has never been used for an isolated connection, we can
+ * totally use it for this one. */
+ if (!circ->isolation_values_set)
+ return 1;
+
+ /* If circ has been used for connections having more than one value
+ * for some field f, it will have the corresponding bit set in
+ * isolation_flags_mixed. If isolation_flags_mixed has any bits
+ * in common with iso, then conn must be isolated from at least
+ * one stream that has been attached to circ. */
+ if ((iso & circ->isolation_flags_mixed) != 0) {
+ /* For at least one field where conn is isolated, the circuit
+ * already has mixed streams. */
+ return 0;
+ }
+
+ if (! conn->original_dest_address) {
+ log_warn(LD_BUG, "Reached connection_edge_compatible_with_circuit without "
+ "having set conn->original_dest_address");
+ ((entry_connection_t*)conn)->original_dest_address =
+ tor_strdup(conn->socks_request->address);
+ }
+
+ if ((iso & ISO_STREAM) &&
+ (circ->associated_isolated_stream_global_id !=
+ ENTRY_TO_CONN(conn)->global_identifier))
+ return 0;
+
+ if ((iso & ISO_DESTPORT) && conn->socks_request->port != circ->dest_port)
+ return 0;
+ if ((iso & ISO_DESTADDR) &&
+ strcasecmp(conn->original_dest_address, circ->dest_address))
+ return 0;
+ if ((iso & ISO_SOCKSAUTH) &&
+ (! memeq_opt(sr->username, sr->usernamelen,
+ circ->socks_username, circ->socks_username_len) ||
+ ! memeq_opt(sr->password, sr->passwordlen,
+ circ->socks_password, circ->socks_password_len)))
+ return 0;
+ if ((iso & ISO_CLIENTPROTO) &&
+ (conn->socks_request->listener_type != circ->client_proto_type ||
+ conn->socks_request->socks_version != circ->client_proto_socksver))
+ return 0;
+ if ((iso & ISO_CLIENTADDR) &&
+ !tor_addr_eq(&ENTRY_TO_CONN(conn)->addr, &circ->client_addr))
+ return 0;
+ if ((iso & ISO_SESSIONGRP) &&
+ conn->entry_cfg.session_group != circ->session_group)
+ return 0;
+ if ((iso & ISO_NYM_EPOCH) && conn->nym_epoch != circ->nym_epoch)
+ return 0;
+
+ return 1;
+}
+
+/**
+ * If <b>dry_run</b> is false, update <b>circ</b>'s isolation flags and fields
+ * to reflect having had <b>conn</b> attached to it, and return 0. Otherwise,
+ * if <b>dry_run</b> is true, then make no changes to <b>circ</b>, and return
+ * a bitfield of isolation flags that we would have to set in
+ * isolation_flags_mixed to add <b>conn</b> to <b>circ</b>, or -1 if
+ * <b>circ</b> has had no streams attached to it.
+ */
+int
+connection_edge_update_circuit_isolation(const entry_connection_t *conn,
+ origin_circuit_t *circ,
+ int dry_run)
+{
+ const socks_request_t *sr = conn->socks_request;
+ if (! conn->original_dest_address) {
+ log_warn(LD_BUG, "Reached connection_update_circuit_isolation without "
+ "having set conn->original_dest_address");
+ ((entry_connection_t*)conn)->original_dest_address =
+ tor_strdup(conn->socks_request->address);
+ }
+
+ if (!circ->isolation_values_set) {
+ if (dry_run)
+ return -1;
+ circ->associated_isolated_stream_global_id =
+ ENTRY_TO_CONN(conn)->global_identifier;
+ circ->dest_port = conn->socks_request->port;
+ circ->dest_address = tor_strdup(conn->original_dest_address);
+ circ->client_proto_type = conn->socks_request->listener_type;
+ circ->client_proto_socksver = conn->socks_request->socks_version;
+ tor_addr_copy(&circ->client_addr, &ENTRY_TO_CONN(conn)->addr);
+ circ->session_group = conn->entry_cfg.session_group;
+ circ->nym_epoch = conn->nym_epoch;
+ circ->socks_username = sr->username ?
+ tor_memdup(sr->username, sr->usernamelen) : NULL;
+ circ->socks_password = sr->password ?
+ tor_memdup(sr->password, sr->passwordlen) : NULL;
+ circ->socks_username_len = sr->usernamelen;
+ circ->socks_password_len = sr->passwordlen;
+
+ circ->isolation_values_set = 1;
+ return 0;
+ } else {
+ uint8_t mixed = 0;
+ if (conn->socks_request->port != circ->dest_port)
+ mixed |= ISO_DESTPORT;
+ if (strcasecmp(conn->original_dest_address, circ->dest_address))
+ mixed |= ISO_DESTADDR;
+ if (!memeq_opt(sr->username, sr->usernamelen,
+ circ->socks_username, circ->socks_username_len) ||
+ !memeq_opt(sr->password, sr->passwordlen,
+ circ->socks_password, circ->socks_password_len))
+ mixed |= ISO_SOCKSAUTH;
+ if ((conn->socks_request->listener_type != circ->client_proto_type ||
+ conn->socks_request->socks_version != circ->client_proto_socksver))
+ mixed |= ISO_CLIENTPROTO;
+ if (!tor_addr_eq(&ENTRY_TO_CONN(conn)->addr, &circ->client_addr))
+ mixed |= ISO_CLIENTADDR;
+ if (conn->entry_cfg.session_group != circ->session_group)
+ mixed |= ISO_SESSIONGRP;
+ if (conn->nym_epoch != circ->nym_epoch)
+ mixed |= ISO_NYM_EPOCH;
+
+ if (dry_run)
+ return mixed;
+
+ if ((mixed & conn->entry_cfg.isolation_flags) != 0) {
+ log_warn(LD_BUG, "Updating a circuit with seemingly incompatible "
+ "isolation flags.");
+ }
+ circ->isolation_flags_mixed |= mixed;
+ return 0;
+ }
+}
+
+/**
+ * Clear the isolation settings on <b>circ</b>.
+ *
+ * This only works on an open circuit that has never had a stream attached to
+ * it, and whose isolation settings are hypothetical. (We set hypothetical
+ * isolation settings on circuits as we're launching them, so that we
+ * know whether they can handle more streams or whether we need to launch
+ * even more circuits. Once the circuit is open, if it turns out that
+ * we no longer have any streams to attach to it, we clear the isolation flags
+ * and data so that other streams can have a chance.)
+ */
+void
+circuit_clear_isolation(origin_circuit_t *circ)
+{
+ if (circ->isolation_any_streams_attached) {
+ log_warn(LD_BUG, "Tried to clear the isolation status of a dirty circuit");
+ return;
+ }
+ if (TO_CIRCUIT(circ)->state != CIRCUIT_STATE_OPEN) {
+ log_warn(LD_BUG, "Tried to clear the isolation status of a non-open "
+ "circuit");
+ return;
+ }
+
+ circ->isolation_values_set = 0;
+ circ->isolation_flags_mixed = 0;
+ circ->associated_isolated_stream_global_id = 0;
+ circ->client_proto_type = 0;
+ circ->client_proto_socksver = 0;
+ circ->dest_port = 0;
+ tor_addr_make_unspec(&circ->client_addr);
+ tor_free(circ->dest_address);
+ circ->session_group = -1;
+ circ->nym_epoch = 0;
+ if (circ->socks_username) {
+ memwipe(circ->socks_username, 0x11, circ->socks_username_len);
+ tor_free(circ->socks_username);
+ }
+ if (circ->socks_password) {
+ memwipe(circ->socks_password, 0x05, circ->socks_password_len);
+ tor_free(circ->socks_password);
+ }
+ circ->socks_username_len = circ->socks_password_len = 0;
+}
+
+/** Free all storage held in module-scoped variables for connection_edge.c */
+void
+connection_edge_free_all(void)
+{
+ untried_pending_connections = 0;
+ smartlist_free(pending_entry_connections);
+ pending_entry_connections = NULL;
+ mainloop_event_free(attach_pending_entry_connections_ev);
+}
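
parse_extended_hostname() above strips a trailing ".exit" or ".onion" label in
place, drops at most one leading sub-domain label for onion addresses, and only
then validates what is left. The following is a standalone sketch of that
suffix handling under simplified assumptions: a bare 56-character length check
stands in for rend_valid_v2_service_id()/hs_address_is_valid(), and classify()
and host_kind_t are illustrative names, not Tor APIs.

    #include <stdio.h>
    #include <string.h>

    typedef enum { HOST_NORMAL, HOST_ONION, HOST_EXIT, HOST_BAD } host_kind_t;

    /* Simplified stand-in for parse_extended_hostname(): strip ".exit" or
     * ".onion", drop one optional sub-domain label, and length-check the
     * remaining handle.  Real Tor validates the handle with
     * rend_valid_v2_service_id() / hs_address_is_valid() instead. */
    static host_kind_t
    classify(char *address)
    {
      char *s = strrchr(address, '.');
      if (!s)
        return HOST_NORMAL;                /* no dot at all */
      if (!strcmp(s + 1, "exit")) {
        *s = '\0';                         /* keep only the part before ".exit" */
        return HOST_EXIT;
      }
      if (strcmp(s + 1, "onion"))
        return HOST_NORMAL;                /* some other suffix */
      *s = '\0';                           /* drop ".onion" */
      char *q = strrchr(address, '.');     /* optional single sub-domain */
      if (q == address)
        return HOST_BAD;                   /* leading dot, as DNS would reject */
      q = q ? q + 1 : address;
      memmove(address, q, strlen(q) + 1);  /* also move the trailing NUL */
      /* v3 onion handles are 56 base32 characters; this toy version only
       * checks the length. */
      return strlen(address) == 56 ? HOST_ONION : HOST_BAD;
    }

    int
    main(void)
    {
      char a[] = "www.abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz2345.onion";
      char b[] = "somerelay.exit";
      printf("%d %s\n", classify(a), a);   /* 1 and the 56-char handle */
      printf("%d %s\n", classify(b), b);   /* 2 somerelay */
      return 0;
    }
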
diff --cc src/core/or/connection_edge.h
index 24968b277,000000000..1348dd49f
mode 100644,000000..100644
--- a/src/core/or/connection_edge.h
+++ b/src/core/or/connection_edge.h
@@@ -1,248 -1,0 +1,259 @@@
+/* Copyright (c) 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file connection_edge.h
+ * \brief Header file for connection_edge.c.
+ **/
+
+#ifndef TOR_CONNECTION_EDGE_H
+#define TOR_CONNECTION_EDGE_H
+
+#include "lib/testsupport/testsupport.h"
+
+edge_connection_t *TO_EDGE_CONN(connection_t *);
+entry_connection_t *TO_ENTRY_CONN(connection_t *);
+entry_connection_t *EDGE_TO_ENTRY_CONN(edge_connection_t *);
+
+#define EXIT_CONN_STATE_MIN_ 1
+/** State for an exit connection: waiting for response from DNS farm. */
+#define EXIT_CONN_STATE_RESOLVING 1
+/** State for an exit connection: waiting for connect() to finish. */
+#define EXIT_CONN_STATE_CONNECTING 2
+/** State for an exit connection: open and ready to transmit data. */
+#define EXIT_CONN_STATE_OPEN 3
+/** State for an exit connection: waiting to be removed. */
+#define EXIT_CONN_STATE_RESOLVEFAILED 4
+#define EXIT_CONN_STATE_MAX_ 4
+
+/* The AP state values must be disjoint from the EXIT state values. */
+#define AP_CONN_STATE_MIN_ 5
+/** State for a SOCKS connection: waiting for SOCKS request. */
+#define AP_CONN_STATE_SOCKS_WAIT 5
+/** State for a SOCKS connection: got a y.onion URL; waiting to receive
+ * rendezvous descriptor. */
+#define AP_CONN_STATE_RENDDESC_WAIT 6
+/** The controller will attach this connection to a circuit; it isn't our
+ * job to do so. */
+#define AP_CONN_STATE_CONTROLLER_WAIT 7
+/** State for a SOCKS connection: waiting for a completed circuit. */
+#define AP_CONN_STATE_CIRCUIT_WAIT 8
+/** State for a SOCKS connection: sent BEGIN, waiting for CONNECTED. */
+#define AP_CONN_STATE_CONNECT_WAIT 9
+/** State for a SOCKS connection: sent RESOLVE, waiting for RESOLVED. */
+#define AP_CONN_STATE_RESOLVE_WAIT 10
+/** State for a SOCKS connection: ready to send and receive. */
+#define AP_CONN_STATE_OPEN 11
+/** State for a transparent natd connection: waiting for original
+ * destination. */
+#define AP_CONN_STATE_NATD_WAIT 12
+/** State for an HTTP tunnel: waiting for an HTTP CONNECT command. */
+#define AP_CONN_STATE_HTTP_CONNECT_WAIT 13
+#define AP_CONN_STATE_MAX_ 13
+
+#define EXIT_PURPOSE_MIN_ 1
+/** This exit stream wants to do an ordinary connect. */
+#define EXIT_PURPOSE_CONNECT 1
+/** This exit stream wants to do a resolve (either normal or reverse). */
+#define EXIT_PURPOSE_RESOLVE 2
+#define EXIT_PURPOSE_MAX_ 2
+
+/** True iff the AP_CONN_STATE_* value <b>s</b> means that the corresponding
+ * edge connection is not attached to any circuit. */
+#define AP_CONN_STATE_IS_UNATTACHED(s) \
+ ((s) <= AP_CONN_STATE_CIRCUIT_WAIT || (s) == AP_CONN_STATE_NATD_WAIT)
+
+#define connection_mark_unattached_ap(conn, endreason) \
+ connection_mark_unattached_ap_((conn), (endreason), __LINE__, SHORT_FILE__)
+
+MOCK_DECL(void,connection_mark_unattached_ap_,
+ (entry_connection_t *conn, int endreason,
+ int line, const char *file));
+int connection_edge_reached_eof(edge_connection_t *conn);
+int connection_edge_process_inbuf(edge_connection_t *conn,
+ int package_partial);
+int connection_edge_destroy(circid_t circ_id, edge_connection_t *conn);
+int connection_edge_end(edge_connection_t *conn, uint8_t reason);
+int connection_edge_end_errno(edge_connection_t *conn);
+int connection_edge_flushed_some(edge_connection_t *conn);
+int connection_edge_finished_flushing(edge_connection_t *conn);
+int connection_edge_finished_connecting(edge_connection_t *conn);
+
+void connection_ap_about_to_close(entry_connection_t *edge_conn);
+void connection_exit_about_to_close(edge_connection_t *edge_conn);
+
+MOCK_DECL(int,
+ connection_ap_handshake_send_begin,(entry_connection_t *ap_conn));
+int connection_ap_handshake_send_resolve(entry_connection_t *ap_conn);
+
+entry_connection_t *connection_ap_make_link(connection_t *partner,
+ char *address, uint16_t port,
+ const char *digest,
+ int session_group,
+ int isolation_flags,
+ int use_begindir, int want_onehop);
+void connection_ap_handshake_socks_reply(entry_connection_t *conn, char *reply,
+ size_t replylen,
+ int endreason);
+MOCK_DECL(void,connection_ap_handshake_socks_resolved,
+ (entry_connection_t *conn,
+ int answer_type,
+ size_t answer_len,
+ const uint8_t *answer,
+ int ttl,
+ time_t expires));
+void connection_ap_handshake_socks_resolved_addr(entry_connection_t *conn,
+ const tor_addr_t *answer,
+ int ttl,
+ time_t expires);
+
+int connection_exit_begin_conn(cell_t *cell, circuit_t *circ);
+int connection_exit_begin_resolve(cell_t *cell, or_circuit_t *circ);
+void connection_exit_connect(edge_connection_t *conn);
+int connection_edge_is_rendezvous_stream(const edge_connection_t *conn);
+int connection_ap_can_use_exit(const entry_connection_t *conn,
+ const node_t *exit);
+void connection_ap_expire_beginning(void);
+void connection_ap_rescan_and_attach_pending(void);
+void connection_ap_attach_pending(int retry);
+void connection_ap_mark_as_pending_circuit_(entry_connection_t *entry_conn,
+ const char *file, int line);
+#define connection_ap_mark_as_pending_circuit(c) \
+ connection_ap_mark_as_pending_circuit_((c), __FILE__, __LINE__)
+void connection_ap_mark_as_non_pending_circuit(entry_connection_t *entry_conn);
+#define CONNECTION_AP_EXPECT_NONPENDING(c) do { \
+ if (ENTRY_TO_CONN(c)->state == AP_CONN_STATE_CIRCUIT_WAIT) { \
+ log_warn(LD_BUG, "At %s:%d: %p was unexpectedly in circuit_wait.", \
+ __FILE__, __LINE__, (c)); \
+ connection_ap_mark_as_non_pending_circuit(c); \
+ } \
+ } while (0)
+void connection_ap_fail_onehop(const char *failed_digest,
+ cpath_build_state_t *build_state);
+void circuit_discard_optional_exit_enclaves(extend_info_t *info);
+int connection_ap_detach_retriable(entry_connection_t *conn,
+ origin_circuit_t *circ,
+ int reason);
+int connection_ap_process_transparent(entry_connection_t *conn);
+
+int address_is_invalid_destination(const char *address, int client);
+
+MOCK_DECL(int, connection_ap_rewrite_and_attach_if_allowed,
+ (entry_connection_t *conn,
+ origin_circuit_t *circ,
+ crypt_path_t *cpath));
+int connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
+ origin_circuit_t *circ,
+ crypt_path_t *cpath);
+
+/** Possible return values for parse_extended_hostname. */
+typedef enum hostname_type_t {
+ NORMAL_HOSTNAME, ONION_V2_HOSTNAME, ONION_V3_HOSTNAME,
+ EXIT_HOSTNAME, BAD_HOSTNAME
+} hostname_type_t;
+hostname_type_t parse_extended_hostname(char *address);
+
+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+int get_pf_socket(void);
+#endif
+
+int connection_edge_compatible_with_circuit(const entry_connection_t *conn,
+ const origin_circuit_t *circ);
+int connection_edge_update_circuit_isolation(const entry_connection_t *conn,
+ origin_circuit_t *circ,
+ int dry_run);
+void circuit_clear_isolation(origin_circuit_t *circ);
+streamid_t get_unique_stream_id_by_circ(origin_circuit_t *circ);
+
+void connection_edge_free_all(void);
+
+void connection_ap_warn_and_unmark_if_pending_circ(
+ entry_connection_t *entry_conn,
+ const char *where);
+
++int connection_half_edge_is_valid_data(const smartlist_t *half_conns,
++ streamid_t stream_id);
++int connection_half_edge_is_valid_sendme(const smartlist_t *half_conns,
++ streamid_t stream_id);
++int connection_half_edge_is_valid_connected(const smartlist_t *half_conns,
++ streamid_t stream_id);
++int connection_half_edge_is_valid_end(smartlist_t *half_conns,
++ streamid_t stream_id);
++int connection_half_edge_is_valid_resolved(smartlist_t *half_conns,
++ streamid_t stream_id);
++
+/** @name Begin-cell flags
+ *
+ * These flags are used in RELAY_BEGIN cells to change the default behavior
+ * of the cell.
+ *
+ * @{
+ **/
+/** When this flag is set, the client is willing to get connected to IPv6
+ * addresses */
+#define BEGIN_FLAG_IPV6_OK (1u<<0)
+/** When this flag is set, the client DOES NOT support connecting to IPv4
+ * addresses. (The sense of this flag is inverted from IPV6_OK, so that the
+ * old default behavior of Tor is equivalent to having all flags set to 0.)
+ **/
+#define BEGIN_FLAG_IPV4_NOT_OK (1u<<1)
+/** When this flag is set, if we find both an IPv4 and an IPv6 address,
+ * we use the IPv6 address. Otherwise we use the IPv4 address. */
+#define BEGIN_FLAG_IPV6_PREFERRED (1u<<2)
+/**@}*/
+
+#ifdef CONNECTION_EDGE_PRIVATE
+
+/** A parsed BEGIN or BEGIN_DIR cell */
+typedef struct begin_cell_t {
+ /** The address the client has asked us to connect to, or NULL if this is
+ * a BEGIN_DIR cell*/
+ char *address;
+ /** The flags specified in the BEGIN cell's body. One or more of
+ * BEGIN_FLAG_*. */
+ uint32_t flags;
+ /** The client's requested port. */
+ uint16_t port;
+ /** The client's requested Stream ID */
+ uint16_t stream_id;
+ /** True iff this is a BEGIN_DIR cell. */
+ unsigned is_begindir : 1;
+} begin_cell_t;
+
+STATIC int begin_cell_parse(const cell_t *cell, begin_cell_t *bcell,
+ uint8_t *end_reason_out);
+STATIC int connected_cell_format_payload(uint8_t *payload_out,
+ const tor_addr_t *addr,
+ uint32_t ttl);
+
+typedef struct {
+ /** Original address, after we lowercased it but before we started
+ * mapping it.
+ */
+ char orig_address[MAX_SOCKS_ADDR_LEN];
+ /** True iff the address has been automatically remapped to a local
+ * address in VirtualAddrNetwork. (Only set true when we do a resolve
+ * and get a virtual address; not when we connect to the address.) */
+ int automap;
+ /** If this connection has a .exit address, who put it there? */
+ addressmap_entry_source_t exit_source;
+ /** If we've rewritten the address, when does this map expire? */
+ time_t map_expires;
+ /** If we should close the connection, this is the end_reason to pass
+ * to connection_mark_unattached_ap */
+ int end_reason;
+ /** True iff we should close the connection, either because of error or
+ * because of successful early RESOLVED reply. */
+ int should_close;
+} rewrite_result_t;
+
+STATIC void connection_ap_handshake_rewrite(entry_connection_t *conn,
+ rewrite_result_t *out);
+
+STATIC int connection_ap_process_http_connect(entry_connection_t *conn);
+#endif /* defined(CONNECTION_EDGE_PRIVATE) */
+
+#endif /* !defined(TOR_CONNECTION_EDGE_H) */
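
The begin-cell flags declared in this header are independent bits that a client
ORs together when building a RELAY_BEGIN cell; leaving them all clear
reproduces the historical IPv4-only behavior. Below is a minimal standalone
sketch of deriving the flag word from address-family preferences; the
begin_flags_from_prefs() helper and its integer inputs are illustrative
assumptions, not Tor's actual interface.

    #include <stdint.h>
    #include <stdio.h>

    #define BEGIN_FLAG_IPV6_OK        (1u<<0)
    #define BEGIN_FLAG_IPV4_NOT_OK    (1u<<1)
    #define BEGIN_FLAG_IPV6_PREFERRED (1u<<2)

    /* Illustrative helper: build the flags field of a RELAY_BEGIN cell from
     * a client's address-family preferences.  All-zero flags reproduce the
     * old IPv4-only default behavior. */
    static uint32_t
    begin_flags_from_prefs(int ipv4_ok, int ipv6_ok, int prefer_ipv6)
    {
      uint32_t flags = 0;
      if (ipv6_ok)
        flags |= BEGIN_FLAG_IPV6_OK;
      if (!ipv4_ok)
        flags |= BEGIN_FLAG_IPV4_NOT_OK;
      if (ipv6_ok && prefer_ipv6)
        flags |= BEGIN_FLAG_IPV6_PREFERRED;
      return flags;
    }

    int
    main(void)
    {
      printf("ipv6-only:        0x%x\n", begin_flags_from_prefs(0, 1, 1)); /* 0x7 */
      printf("dual, prefer v6:  0x%x\n", begin_flags_from_prefs(1, 1, 1)); /* 0x5 */
      printf("legacy v4-only:   0x%x\n", begin_flags_from_prefs(1, 0, 0)); /* 0x0 */
      return 0;
    }
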
diff --cc src/core/or/half_edge_st.h
index 000000000,000000000..5ed24dabe
new file mode 100644
--- /dev/null
+++ b/src/core/or/half_edge_st.h
@@@ -1,0 -1,0 +1,34 @@@
++/* Copyright (c) 2001 Matej Pfajfar.
++ * Copyright (c) 2001-2004, Roger Dingledine.
++ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
++ * Copyright (c) 2007-2018, The Tor Project, Inc. */
++/* See LICENSE for licensing information */
++
++#ifndef HALF_EDGE_ST_H
++#define HALF_EDGE_ST_H
++
++#include "core/or/or.h"
++
++/**
++ * Struct to track a connection that we closed that the other end
++ * still thinks is open. Exists in origin_circuit_t.half_streams until
++ * we get an end cell or a resolved cell for this stream id.
++ */
++typedef struct half_edge_t {
++ /** stream_id for the half-closed connection */
++ streamid_t stream_id;
++
++ /** How many sendme's can the other end still send, based on how
++ * much data we had sent at the time of close */
++ int sendmes_pending;
++
++ /** How much more data can the other end still send, based on
++ * our deliver window */
++ int data_pending;
++
++ /** Is there a connected cell pending? */
++ int connected_pending : 1;
++} half_edge_t;
++
++#endif
++
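
The counters in half_edge_t above bound how much the other end of a half-closed
stream may still legitimately send: one entry per closed stream id, decremented
as the remaining DATA/SENDME/CONNECTED cells arrive. Here is a self-contained
sketch of that accounting for the data window only; the half_edge_accept_data()
helper is an illustrative assumption, while the real checks live in the
connection_half_edge_is_valid_*() functions declared in connection_edge.h.

    #include <stdbool.h>
    #include <stdio.h>

    typedef struct {
      unsigned stream_id;
      int sendmes_pending;    /* SENDMEs the peer may still send */
      int data_pending;       /* DATA cells the peer may still send */
      bool connected_pending; /* is one CONNECTED cell still allowed? */
    } half_edge_t;

    /* Account for an incoming DATA cell on a half-closed stream: it is valid
     * only while data_pending is positive. */
    static bool
    half_edge_accept_data(half_edge_t *h)
    {
      if (h->data_pending <= 0)
        return false;         /* more data than our deliver window allowed */
      h->data_pending--;
      return true;
    }

    int
    main(void)
    {
      half_edge_t h = { .stream_id = 42, .sendmes_pending = 1,
                        .data_pending = 2, .connected_pending = true };
      for (int i = 0; i < 3; i++)
        printf("cell %d accepted: %d\n", i + 1, half_edge_accept_data(&h));
      /* the third cell exceeds the remaining data window and is rejected */
      return 0;
    }
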
diff --cc src/core/or/origin_circuit_st.h
index e7b864e82,000000000..26cdf590f
mode 100644,000000..100644
--- a/src/core/or/origin_circuit_st.h
+++ b/src/core/or/origin_circuit_st.h
@@@ -1,290 -1,0 +1,294 @@@
+/* Copyright (c) 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+#ifndef ORIGIN_CIRCUIT_ST_H
+#define ORIGIN_CIRCUIT_ST_H
+
+#include "core/or/or.h"
+
+#include "core/or/circuit_st.h"
+
+struct onion_queue_t;
+
+/**
+ * Describes the circuit building process in simplified terms based
+ * on the path bias accounting state for a circuit.
+ *
+ * NOTE: These state values are enumerated in the order for which we
+ * expect circuits to transition through them. If you add states,
+ * you need to preserve this overall ordering. The various pathbias
+ * state transition and accounting functions (pathbias_mark_* and
+ * pathbias_count_*) contain ordinal comparisons to enforce proper
+ * state transitions for corrections.
+ *
+ * This state machine and the associated logic was created to prevent
+ * miscounting due to unknown cases of circuit reuse. See also tickets
+ * #6475 and #7802.
+ */
+enum path_state_t {
+ /** This circuit is "new". It has not yet completed a first hop
+ * or been counted by the path bias code. */
+ PATH_STATE_NEW_CIRC = 0,
+ /** This circuit has completed one/two hops, and has been counted by
+ * the path bias logic. */
+ PATH_STATE_BUILD_ATTEMPTED = 1,
+ /** This circuit has been completely built */
+ PATH_STATE_BUILD_SUCCEEDED = 2,
+ /** Did we try to attach any SOCKS streams or hidserv introductions to
+ * this circuit?
+ *
+ * Note: If we ever implement end-to-end stream timing through test
+ * stream probes (#5707), we must *not* set this for those probes
+ * (or any other automatic streams) because the adversary could
+ * just tag at a later point.
+ */
+ PATH_STATE_USE_ATTEMPTED = 3,
+ /** Did any SOCKS streams or hidserv introductions actually succeed on
+ * this circuit?
+ *
+ * If any streams detach/fail from this circuit, the code transitions
+ * the circuit back to PATH_STATE_USE_ATTEMPTED to ensure we probe. See
+ * pathbias_mark_use_rollback() for that.
+ */
+ PATH_STATE_USE_SUCCEEDED = 4,
+
+ /**
+ * This is a special state to indicate that we got a corrupted
+ * relay cell on a circuit and we don't intend to probe it.
+ */
+ PATH_STATE_USE_FAILED = 5,
+
+ /**
+ * This is a special state to indicate that we already counted
+ * the circuit. Used to guard against potential state machine
+ * violations.
+ */
+ PATH_STATE_ALREADY_COUNTED = 6,
+};
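+
+/* Because path_state_t values are declared in the order circuits are
+ * expected to pass through them, the path-bias code can enforce state
+ * transitions with simple ordinal comparisons.  A minimal sketch of such a
+ * guard, for illustration only (advance_path_state() is an assumed helper,
+ * not one of the pathbias_mark_* / pathbias_count_* functions):
+ *
+ *   static int
+ *   advance_path_state(enum path_state_t *cur, enum path_state_t next)
+ *   {
+ *     if (next < *cur)
+ *       return -1;        // would move the circuit backwards: refuse
+ *     *cur = next;
+ *     return 0;
+ *   }
+ */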
+
+/** An origin_circuit_t holds data necessary to build and use a circuit.
+ */
+struct origin_circuit_t {
+ circuit_t base_;
+
+ /** Linked list of AP streams (or EXIT streams if hidden service)
+ * associated with this circuit. */
+ edge_connection_t *p_streams;
+
++ /** Smartlist of half-closed streams (half_edge_t*) that still
++ * have pending activity */
++ smartlist_t *half_streams;
++
+ /** Bytes read on this circuit since last call to
+ * control_event_circ_bandwidth_used(). Only used if we're configured
+ * to emit CIRC_BW events. */
+ uint32_t n_read_circ_bw;
+
+ /** Bytes written on this circuit since last call to
+ * control_event_circ_bandwidth_used(). Only used if we're configured
+ * to emit CIRC_BW events. */
+ uint32_t n_written_circ_bw;
+
+ /** Total known-valid relay cell bytes since last call to
+ * control_event_circ_bandwidth_used(). Only used if we're configured
+ * to emit CIRC_BW events. */
+ uint32_t n_delivered_read_circ_bw;
+
+ /** Total written relay cell bytes since last call to
+ * control_event_circ_bandwidth_used(). Only used if we're configured
+ * to emit CIRC_BW events. */
+ uint32_t n_delivered_written_circ_bw;
+
+ /** Total overhead data in all known-valid relay data cells since last
+ * call to control_event_circ_bandwidth_used(). Only used if we're
+ * configured to emit CIRC_BW events. */
+ uint32_t n_overhead_read_circ_bw;
+
+ /** Total written overhead data in all relay data cells since last call to
+ * control_event_circ_bandwidth_used(). Only used if we're configured
+ * to emit CIRC_BW events. */
+ uint32_t n_overhead_written_circ_bw;
+
+ /** Build state for this circuit. It includes the intended path
+ * length, the chosen exit router, rendezvous information, etc.
+ */
+ cpath_build_state_t *build_state;
+ /** The doubly-linked list of crypt_path_t entries, one per hop,
+ * for this circuit. This includes ciphers for each hop,
+ * integrity-checking digests for each hop, and package/delivery
+ * windows for each hop.
+ */
+ crypt_path_t *cpath;
+
+ /** Holds all rendezvous data on either client or service side. */
+ rend_data_t *rend_data;
+
+ /** Holds hidden service identifier on either client or service side. This
+ * is for both introduction and rendezvous circuit. */
+ struct hs_ident_circuit_t *hs_ident;
+
+ /** Holds the data that the entry guard system uses to track the
+ * status of the guard this circuit is using, and thereby to determine
+ * whether this circuit can be used. */
+ struct circuit_guard_state_t *guard_state;
+
+ /** Index into global_origin_circuit_list for this circuit. -1 if not
+ * present. */
+ int global_origin_circuit_list_idx;
+
+ /** How many more relay_early cells can we send on this circuit, according
+ * to the specification? */
+ unsigned int remaining_relay_early_cells : 4;
+
+ /** Set if this circuit is insanely old and we already informed the user */
+ unsigned int is_ancient : 1;
+
+ /** Set if this circuit has already been opened. Used to detect
+ * cannibalized circuits. */
+ unsigned int has_opened : 1;
+
+ /**
+ * Path bias state machine. Used to ensure integrity of our
+ * circuit building and usage accounting. See path_state_t
+ * for more details.
+ */
+ path_state_bitfield_t path_state : 3;
+
+ /* If this flag is set, we should not consider attaching any more
+ * connections to this circuit. */
+ unsigned int unusable_for_new_conns : 1;
+
+ /**
+ * Tristate variable to guard against pathbias miscounting
+ * due to circuit purpose transitions changing the decision
+ * of pathbias_should_count(). This variable is informational
+ * only. The current results of pathbias_should_count() are
+ * the official decision for pathbias accounting.
+ */
+ uint8_t pathbias_shouldcount;
+#define PATHBIAS_SHOULDCOUNT_UNDECIDED 0
+#define PATHBIAS_SHOULDCOUNT_IGNORED 1
+#define PATHBIAS_SHOULDCOUNT_COUNTED 2
+
+ /** For path probing. Store the temporary probe stream ID
+ * for response comparison */
+ streamid_t pathbias_probe_id;
+
+ /** For path probing. Store the temporary probe address nonce
+ * (in host byte order) for response comparison. */
+ uint32_t pathbias_probe_nonce;
+
+ /** Set iff this is a hidden-service circuit which has timed out
+ * according to our current circuit-build timeout, but which has
+ * been kept around because it might still succeed in connecting to
+ * its destination, and which is not a fully-connected rendezvous
+ * circuit.
+ *
+ * (We clear this flag for client-side rendezvous circuits when they
+ * are 'joined' to the other side's rendezvous circuit, so that
+ * connection_ap_handshake_attach_circuit can put client streams on
+ * the circuit. We also clear this flag for service-side rendezvous
+ * circuits when they are 'joined' to a client's rend circ, but only
+ * for symmetry with the client case. Client-side introduction
+ * circuits are closed when we get a joined rend circ, and
+ * service-side introduction circuits never have this flag set.) */
+ unsigned int hs_circ_has_timed_out : 1;
+
+ /** Set iff this circuit has been given a relaxed timeout because
+ * no circuits have opened. Used to prevent spamming logs. */
+ unsigned int relaxed_timeout : 1;
+
+ /** Set iff this is a service-side rendezvous circuit for which a
+ * new connection attempt has been launched. We consider launching
+ * a new service-side rend circ to a client when the previous one
+ * fails; now that we don't necessarily close a service-side rend
+ * circ when we launch a new one to the same client, this flag keeps
+ * us from launching two retries for the same failed rend circ. */
+ unsigned int hs_service_side_rend_circ_has_been_relaunched : 1;
+
+ /** What commands were sent over this circuit that decremented the
+ * RELAY_EARLY counter? This is for debugging task 878. */
+ uint8_t relay_early_commands[MAX_RELAY_EARLY_CELLS_PER_CIRCUIT];
+
+ /** How many RELAY_EARLY cells have been sent over this circuit? This is
+ * for debugging task 878, too. */
+ int relay_early_cells_sent;
+
+ /** The next stream_id that will be tried when we're attempting to
+ * construct a new AP stream originating at this circuit. */
+ streamid_t next_stream_id;
+
+ /* The intro key replaces the hidden service's public key if purpose is
+ * S_ESTABLISH_INTRO or S_INTRO, provided that no unversioned rendezvous
+ * descriptor is used. */
+ crypto_pk_t *intro_key;
+
+ /** Quasi-global identifier for this circuit; used for control.c */
+ /* XXXX NM This can get re-used after 2**32 circuits. */
+ uint32_t global_identifier;
+
+ /** True if we have associated one stream to this circuit, thereby setting
+ * the isolation parameters for this circuit. Note that this doesn't
+ * necessarily mean that we've <em>attached</em> any streams to the circuit:
+ * we may only have marked up this circuit during the launch process.
+ */
+ unsigned int isolation_values_set : 1;
+ /** True iff any stream has <em>ever</em> been attached to this circuit.
+ *
+ * In a better world we could use timestamp_dirty for this, but
+ * timestamp_dirty is far too overloaded at the moment.
+ */
+ unsigned int isolation_any_streams_attached : 1;
+
+ /** A bitfield of ISO_* flags for every isolation field such that this
+ * circuit has had streams with more than one value for that field
+ * attached to it. */
+ uint8_t isolation_flags_mixed;
+
+ /** @name Isolation parameters
+ *
+ * If any streams have been associated with this circ (isolation_values_set
+ * == 1), and all streams associated with the circuit have had the same
+ * value for some field ((isolation_flags_mixed & ISO_FOO) == 0), then these
+ * elements hold the value for that field.
+ *
+ * Note again that "associated" is not the same as "attached": we
+ * preliminarily associate streams with a circuit while the circuit is being
+ * launched, so that we can tell whether we need to launch more circuits.
+ *
+ * @{
+ */
+ uint8_t client_proto_type;
+ uint8_t client_proto_socksver;
+ uint16_t dest_port;
+ tor_addr_t client_addr;
+ char *dest_address;
+ int session_group;
+ unsigned nym_epoch;
+ size_t socks_username_len;
+ uint8_t socks_password_len;
+ /* Note that the next two values are NOT NUL-terminated; see
+ socks_username_len and socks_password_len for their lengths. */
+ char *socks_username;
+ char *socks_password;
+ /** Global identifier for the first stream attached here; used by
+ * ISO_STREAM. */
+ uint64_t associated_isolated_stream_global_id;
+ /**@}*/
+ /** A list of addr_policy_t for this circuit in particular. Used by
+ * adjust_exit_policy_from_exitpolicy_failure.
+ */
+ smartlist_t *prepend_policy;
+
+ /** How long do we wait before closing this circuit if it remains
+ * completely idle after it was built, in seconds? This value
+ * is randomized on a per-circuit basis from CircuitsAvailableTimeout
+ * to 2*CircuitsAvailableTimeout. */
+ int circuit_idle_timeout;
+
+};
+
+#endif
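
The isolation fields above drive the stream-isolation checks implemented in
connection_edge.c: a stream is compatible with a circuit unless some isolation
flag it cares about is already "mixed" on that circuit, or the corresponding
per-field value differs. Below is a reduced standalone sketch of that
bookkeeping, covering only destination port and SOCKS username as stand-ins
for the full flag set; the type and function names are illustrative, not
Tor's.

    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>

    #define ISO_DESTPORT  (1u<<0)
    #define ISO_SOCKSAUTH (1u<<1)

    typedef struct {
      int values_set;        /* has any stream ever been associated? */
      uint8_t flags_mixed;   /* fields that already saw more than one value */
      uint16_t dest_port;
      char socks_user[64];
    } circ_iso_t;

    typedef struct {
      uint8_t iso_flags;     /* fields this stream insists stay un-mixed */
      uint16_t dest_port;
      const char *socks_user;
    } stream_t;

    static int
    compatible(const stream_t *s, const circ_iso_t *c)
    {
      if (!c->values_set)
        return 1;                            /* fresh circuit: anything goes */
      if (s->iso_flags & c->flags_mixed)
        return 0;                            /* already mixed on a needed field */
      if ((s->iso_flags & ISO_DESTPORT) && s->dest_port != c->dest_port)
        return 0;
      if ((s->iso_flags & ISO_SOCKSAUTH) && strcmp(s->socks_user, c->socks_user))
        return 0;
      return 1;
    }

    static void
    update(const stream_t *s, circ_iso_t *c)
    {
      if (!c->values_set) {                  /* first stream fixes the values */
        c->dest_port = s->dest_port;
        snprintf(c->socks_user, sizeof(c->socks_user), "%s", s->socks_user);
        c->values_set = 1;
        return;
      }
      if (s->dest_port != c->dest_port)
        c->flags_mixed |= ISO_DESTPORT;      /* record that this field is mixed */
      if (strcmp(s->socks_user, c->socks_user))
        c->flags_mixed |= ISO_SOCKSAUTH;
    }

    int
    main(void)
    {
      circ_iso_t circ = {0};
      stream_t a = { ISO_DESTPORT, 443, "alice" };
      stream_t b = { ISO_DESTPORT, 80,  "alice" };
      update(&a, &circ);                     /* circuit now carries port 443 */
      printf("b compatible? %d\n", compatible(&b, &circ));  /* 0: port differs */
      return 0;
    }
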
diff --cc src/core/or/relay.c
index 6e1adfaff,000000000..8b58725ad
mode 100644,000000..100644
--- a/src/core/or/relay.c
+++ b/src/core/or/relay.c
@@@ -1,3097 -1,0 +1,3168 @@@
+/* Copyright (c) 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file relay.c
+ * \brief Handle relay cell encryption/decryption, plus packaging and
+ * receiving from circuits, plus queuing on circuits.
+ *
+ * This is a core module that makes Tor work. It's responsible for
+ * dealing with RELAY cells (the ones that travel more than one hop along a
+ * circuit), by:
+ * <ul>
+ * <li>constructing relay cells,
+ * <li>encrypting relay cells,
+ * <li>decrypting relay cells,
+ * <li>demultiplexing relay cells as they arrive on a connection,
+ * <li>queueing relay cells for retransmission,
+ * <li>or handling relay cells that are for us to receive (as an exit or a
+ * client).
+ * </ul>
+ *
+ * RELAY cells are generated throughout the code at the client or relay side,
+ * using relay_send_command_from_edge() or one of the functions like
+ * connection_edge_send_command() that calls it. Of particular interest is
+ * connection_edge_package_raw_inbuf(), which takes information that has
+ * arrived on an edge connection socket, and packages it as a RELAY_DATA cell
+ * -- this is how information is actually sent across the Tor network. The
+ * cryptography for these functions is handled deep in
+ * circuit_package_relay_cell(), which either adds a single layer of
+ * encryption (if we're an exit), or multiple layers (if we're the origin of
+ * the circuit). After construction and encryption, the RELAY cells are
+ * passed to append_cell_to_circuit_queue(), which queues them for
+ * transmission and tells the circuitmux (see circuitmux.c) that the circuit
+ * is waiting to send something.
+ *
+ * Incoming RELAY cells arrive at circuit_receive_relay_cell(), called from
+ * command.c. There they are decrypted and, if they are for us, are passed to
+ * connection_edge_process_relay_cell(). If they're not for us, they're
+ * re-queued for retransmission again with append_cell_to_circuit_queue().
+ *
+ * The connection_edge_process_relay_cell() function handles all the different
+ * types of relay cells, launching requests or transmitting data as needed.
+ **/
+
+#define RELAY_PRIVATE
+#include "core/or/or.h"
+#include "feature/client/addressmap.h"
+#include "lib/err/backtrace.h"
+#include "lib/container/buffers.h"
+#include "core/or/channel.h"
+#include "feature/client/circpathbias.h"
+#include "core/or/circuitbuild.h"
+#include "core/or/circuitlist.h"
+#include "core/or/circuituse.h"
+#include "lib/compress/compress.h"
+#include "app/config/config.h"
+#include "core/mainloop/connection.h"
+#include "core/or/connection_edge.h"
+#include "core/or/connection_or.h"
+#include "feature/control/control.h"
+#include "lib/crypt_ops/crypto_rand.h"
+#include "lib/crypt_ops/crypto_util.h"
+#include "feature/dircache/directory.h"
+#include "feature/relay/dns.h"
+#include "feature/stats/geoip.h"
+#include "feature/hs/hs_cache.h"
+#include "core/mainloop/main.h"
+#include "feature/nodelist/networkstatus.h"
+#include "feature/nodelist/nodelist.h"
+#include "core/crypto/onion.h"
+#include "core/or/policies.h"
+#include "core/or/reasons.h"
+#include "core/or/relay.h"
+#include "core/crypto/relay_crypto.h"
+#include "feature/rend/rendcache.h"
+#include "feature/rend/rendcommon.h"
+#include "feature/relay/router.h"
+#include "feature/nodelist/routerlist.h"
+#include "feature/nodelist/routerparse.h"
+#include "core/or/scheduler.h"
+#include "feature/stats/rephist.h"
+
+#include "core/or/cell_st.h"
+#include "core/or/cell_queue_st.h"
+#include "core/or/cpath_build_state_st.h"
+#include "feature/dircommon/dir_connection_st.h"
+#include "core/or/destroy_cell_queue_st.h"
+#include "core/or/entry_connection_st.h"
+#include "core/or/extend_info_st.h"
+#include "core/or/or_circuit_st.h"
+#include "core/or/origin_circuit_st.h"
+#include "feature/nodelist/routerinfo_st.h"
+#include "core/or/socks_request_st.h"
+
+#include "lib/intmath/weakrng.h"
+
+static edge_connection_t *relay_lookup_conn(circuit_t *circ, cell_t *cell,
+ cell_direction_t cell_direction,
+ crypt_path_t *layer_hint);
+
+static void circuit_consider_sending_sendme(circuit_t *circ,
+ crypt_path_t *layer_hint);
+static void circuit_resume_edge_reading(circuit_t *circ,
+ crypt_path_t *layer_hint);
+static int circuit_resume_edge_reading_helper(edge_connection_t *conn,
+ circuit_t *circ,
+ crypt_path_t *layer_hint);
+static int circuit_consider_stop_edge_reading(circuit_t *circ,
+ crypt_path_t *layer_hint);
+static int circuit_queue_streams_are_blocked(circuit_t *circ);
+static void adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t *circ,
+ entry_connection_t *conn,
+ node_t *node,
+ const tor_addr_t *addr);
+
+/** Stop reading on edge connections when we have this many cells
+ * waiting on the appropriate queue. */
+#define CELL_QUEUE_HIGHWATER_SIZE 256
+/** Start reading from edge connections again when we get down to this many
+ * cells. */
+#define CELL_QUEUE_LOWWATER_SIZE 64
+
+/** Stats: how many relay cells have originated at this hop, or have
+ * been relayed onward (not recognized at this hop)?
+ */
+uint64_t stats_n_relay_cells_relayed = 0;
+/** Stats: how many relay cells have been delivered to streams at this
+ * hop?
+ */
+uint64_t stats_n_relay_cells_delivered = 0;
+/** Stats: how many circuits have we closed due to the cell queue limit being
+ * reached (see append_cell_to_circuit_queue()) */
+uint64_t stats_n_circ_max_cell_reached = 0;
+
+/** Used to tell which stream to read from first on a circuit. */
+static tor_weak_rng_t stream_choice_rng = TOR_WEAK_RNG_INIT;
+
+/**
+ * Update channel usage state based on the type of relay cell and
+ * circuit properties.
+ *
+ * This is needed to determine if a client channel is being
+ * used for application traffic, and if a relay channel is being
+ * used for multihop circuits and application traffic. The decision
+ * to pad in channelpadding.c depends upon this info (as well as
+ * consensus parameters) to decide what channels to pad.
+ */
+static void
+circuit_update_channel_usage(circuit_t *circ, cell_t *cell)
+{
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ /*
+ * The client state was first set much earlier in
+ * circuit_send_next_onion_skin(), so we can start padding as early as
+ * possible.
+ *
+ * However, if padding turns out to be expensive, we may want to not do
+ * it until actual application traffic starts flowing (which is controlled
+ * via consensus param nf_pad_before_usage).
+ *
+ * So: If we're an origin circuit and we've created a full length circuit,
+ * then any CELL_RELAY cell means application data. Increase the usage
+ * state of the channel to indicate this.
+ *
+ * We want to wait for CELL_RELAY specifically here, so we know that
+ * the channel was definitely being used for data and not for extends.
+ * By default, we pad as soon as a channel has been used for *any*
+ * circuits, so this state is irrelevant to the padding decision in
+ * the default case. However, if padding turns out to be expensive,
+ * we would like the ability to avoid padding until we're absolutely
+ * sure that a channel is used for enough application data to be worth
+ * padding.
+ *
+ * (So it does not matter that CELL_RELAY_EARLY can actually contain
+ * application data. This is only a load reducing option and that edge
+ * case does not matter if we're desperately trying to reduce overhead
+ * anyway. See also consensus parameter nf_pad_before_usage).
+ */
+ if (BUG(!circ->n_chan))
+ return;
+
+ if (circ->n_chan->channel_usage == CHANNEL_USED_FOR_FULL_CIRCS &&
+ cell->command == CELL_RELAY) {
+ circ->n_chan->channel_usage = CHANNEL_USED_FOR_USER_TRAFFIC;
+ }
+ } else {
+ /* If we're a relay circuit, the question is more complicated. Basically:
+ * we only want to pad connections that carry multihop (anonymous)
+ * circuits.
+ *
+ * We assume we're more than one hop if either the previous hop
+ * is not a client, or if the previous hop is a client and there's
+ * a next hop. Then, circuit traffic starts at RELAY_EARLY, and
+ * user application traffic starts when we see RELAY cells.
+ */
+ or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
+
+ if (BUG(!or_circ->p_chan))
+ return;
+
+ if (!channel_is_client(or_circ->p_chan) ||
+ (channel_is_client(or_circ->p_chan) && circ->n_chan)) {
+ if (cell->command == CELL_RELAY_EARLY) {
+ if (or_circ->p_chan->channel_usage < CHANNEL_USED_FOR_FULL_CIRCS) {
+ or_circ->p_chan->channel_usage = CHANNEL_USED_FOR_FULL_CIRCS;
+ }
+ } else if (cell->command == CELL_RELAY) {
+ or_circ->p_chan->channel_usage = CHANNEL_USED_FOR_USER_TRAFFIC;
+ }
+ }
+ }
+}
+
+/** Receive a relay cell:
+ * - Crypt it (encrypt if headed toward the origin or if we <b>are</b> the
+ * origin; decrypt if we're headed toward the exit).
+ * - Check if recognized (if exitward).
+ * - If recognized and the digest checks out, then find if there's a stream
+ * that the cell is intended for, and deliver it to the right
+ * connection_edge.
+ * - If not recognized, then we need to relay it: append it to the appropriate
+ * cell_queue on <b>circ</b>.
+ *
+ * Return -<b>reason</b> on failure.
+ */
+int
+circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
+ cell_direction_t cell_direction)
+{
+ channel_t *chan = NULL;
+ crypt_path_t *layer_hint=NULL;
+ char recognized=0;
+ int reason;
+
+ tor_assert(cell);
+ tor_assert(circ);
+ tor_assert(cell_direction == CELL_DIRECTION_OUT ||
+ cell_direction == CELL_DIRECTION_IN);
+ if (circ->marked_for_close)
+ return 0;
+
+ if (relay_decrypt_cell(circ, cell, cell_direction, &layer_hint, &recognized)
+ < 0) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "relay crypt failed. Dropping connection.");
+ return -END_CIRC_REASON_INTERNAL;
+ }
+
+ circuit_update_channel_usage(circ, cell);
+
+ if (recognized) {
+ edge_connection_t *conn = NULL;
+
+ if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) {
- pathbias_check_probe_response(circ, cell);
++ if (pathbias_check_probe_response(circ, cell) == -1) {
++ pathbias_count_valid_cells(circ, cell);
++ }
+
+ /* We need to drop this cell no matter what to avoid code that expects
+ * a certain purpose (such as the hidserv code). */
+ return 0;
+ }
+
+ conn = relay_lookup_conn(circ, cell, cell_direction, layer_hint);
+ if (cell_direction == CELL_DIRECTION_OUT) {
+ ++stats_n_relay_cells_delivered;
+ log_debug(LD_OR,"Sending away from origin.");
+ if ((reason=connection_edge_process_relay_cell(cell, circ, conn, NULL))
+ < 0) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "connection_edge_process_relay_cell (away from origin) "
+ "failed.");
+ return reason;
+ }
+ }
+ if (cell_direction == CELL_DIRECTION_IN) {
+ ++stats_n_relay_cells_delivered;
+ log_debug(LD_OR,"Sending to origin.");
+ if ((reason = connection_edge_process_relay_cell(cell, circ, conn,
+ layer_hint)) < 0) {
+ /* If a client is trying to connect to unknown hidden service port,
+ * END_CIRC_AT_ORIGIN is sent back so we can then close the circuit.
+ * Do not log warn as this is an expected behavior for a service. */
+ if (reason != END_CIRC_AT_ORIGIN) {
+ log_warn(LD_OR,
+ "connection_edge_process_relay_cell (at origin) failed.");
+ }
+ return reason;
+ }
+ }
+ return 0;
+ }
+
+ /* not recognized. pass it on. */
+ if (cell_direction == CELL_DIRECTION_OUT) {
+ cell->circ_id = circ->n_circ_id; /* switch it */
+ chan = circ->n_chan;
+ } else if (! CIRCUIT_IS_ORIGIN(circ)) {
+ cell->circ_id = TO_OR_CIRCUIT(circ)->p_circ_id; /* switch it */
+ chan = TO_OR_CIRCUIT(circ)->p_chan;
+ } else {
+ log_fn(LOG_PROTOCOL_WARN, LD_OR,
+ "Dropping unrecognized inbound cell on origin circuit.");
+ /* If we see unrecognized cells on path bias testing circs,
+ * it's bad mojo. Those circuits need to die.
+ * XXX: Shouldn't they always die? */
+ if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) {
+ TO_ORIGIN_CIRCUIT(circ)->path_state = PATH_STATE_USE_FAILED;
+ return -END_CIRC_REASON_TORPROTOCOL;
+ } else {
+ return 0;
+ }
+ }
+
+ if (!chan) {
+ // XXXX Can this splice stuff be done more cleanly?
+ if (! CIRCUIT_IS_ORIGIN(circ) &&
+ TO_OR_CIRCUIT(circ)->rend_splice &&
+ cell_direction == CELL_DIRECTION_OUT) {
+ or_circuit_t *splice_ = TO_OR_CIRCUIT(circ)->rend_splice;
+ tor_assert(circ->purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED);
+ tor_assert(splice_->base_.purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED);
+ cell->circ_id = splice_->p_circ_id;
+ cell->command = CELL_RELAY; /* can't be relay_early anyway */
+ if ((reason = circuit_receive_relay_cell(cell, TO_CIRCUIT(splice_),
+ CELL_DIRECTION_IN)) < 0) {
+ log_warn(LD_REND, "Error relaying cell across rendezvous; closing "
+ "circuits");
+ /* XXXX Do this here, or just return -1? */
+ circuit_mark_for_close(circ, -reason);
+ return reason;
+ }
+ return 0;
+ }
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Didn't recognize cell, but circ stops here! Closing circ.");
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+
+ log_debug(LD_OR,"Passing on unrecognized cell.");
+
+ ++stats_n_relay_cells_relayed; /* XXXX no longer quite accurate {cells}
+ * we might kill the circ before we relay
+ * the cells. */
+
+ append_cell_to_circuit_queue(circ, chan, cell, cell_direction, 0);
+ return 0;
+}
+
+/** Package a relay cell from an edge:
+ * - Encrypt it to the right layer
+ * - Append it to the appropriate cell_queue on <b>circ</b>.
+ */
+static int
+circuit_package_relay_cell(cell_t *cell, circuit_t *circ,
+ cell_direction_t cell_direction,
+ crypt_path_t *layer_hint, streamid_t on_stream,
+ const char *filename, int lineno)
+{
+ channel_t *chan; /* where to send the cell */
+
+ if (circ->marked_for_close) {
+ /* Circuit is marked; send nothing. */
+ return 0;
+ }
+
+ if (cell_direction == CELL_DIRECTION_OUT) {
+ chan = circ->n_chan;
+ if (!chan) {
+ log_warn(LD_BUG,"outgoing relay cell sent from %s:%d has n_chan==NULL."
+ " Dropping. Circuit is in state %s (%d), and is "
+ "%smarked for close. (%s:%d, %d)", filename, lineno,
+ circuit_state_to_string(circ->state), circ->state,
+ circ->marked_for_close ? "" : "not ",
+ circ->marked_for_close_file?circ->marked_for_close_file:"",
+ circ->marked_for_close, circ->marked_for_close_reason);
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ circuit_log_path(LOG_WARN, LD_BUG, TO_ORIGIN_CIRCUIT(circ));
+ }
+ log_backtrace(LOG_WARN,LD_BUG,"");
+ return 0; /* just drop it */
+ }
+ if (!CIRCUIT_IS_ORIGIN(circ)) {
+ log_warn(LD_BUG,"outgoing relay cell sent from %s:%d on non-origin "
+ "circ. Dropping.", filename, lineno);
+ log_backtrace(LOG_WARN,LD_BUG,"");
+ return 0; /* just drop it */
+ }
+
+ relay_encrypt_cell_outbound(cell, TO_ORIGIN_CIRCUIT(circ), layer_hint);
+
+ /* Update circ written totals for control port */
+ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+ ocirc->n_written_circ_bw = tor_add_u32_nowrap(ocirc->n_written_circ_bw,
+ CELL_PAYLOAD_SIZE);
+
+ } else { /* incoming cell */
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ /* We should never package an _incoming_ cell from the circuit
+ * origin; that means we messed up somewhere. */
+ log_warn(LD_BUG,"incoming relay cell at origin circuit. Dropping.");
+ assert_circuit_ok(circ);
+ return 0; /* just drop it */
+ }
+ or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
+ relay_encrypt_cell_inbound(cell, or_circ);
+ chan = or_circ->p_chan;
+ }
+ ++stats_n_relay_cells_relayed;
+
+ append_cell_to_circuit_queue(circ, chan, cell, cell_direction, on_stream);
+ return 0;
+}
+
+/** If cell's stream_id matches the stream_id of any conn that's
+ * attached to circ, return that conn, else return NULL.
+ */
+static edge_connection_t *
+relay_lookup_conn(circuit_t *circ, cell_t *cell,
+ cell_direction_t cell_direction, crypt_path_t *layer_hint)
+{
+ edge_connection_t *tmpconn;
+ relay_header_t rh;
+
+ relay_header_unpack(&rh, cell->payload);
+
+ if (!rh.stream_id)
+ return NULL;
+
+ /* IN or OUT cells could have come from either direction, now
+ * that we allow rendezvous *to* an OP.
+ */
+
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ for (tmpconn = TO_ORIGIN_CIRCUIT(circ)->p_streams; tmpconn;
+ tmpconn=tmpconn->next_stream) {
+ if (rh.stream_id == tmpconn->stream_id &&
+ !tmpconn->base_.marked_for_close &&
+ tmpconn->cpath_layer == layer_hint) {
+ log_debug(LD_APP,"found conn for stream %d.", rh.stream_id);
+ return tmpconn;
+ }
+ }
+ } else {
+ for (tmpconn = TO_OR_CIRCUIT(circ)->n_streams; tmpconn;
+ tmpconn=tmpconn->next_stream) {
+ if (rh.stream_id == tmpconn->stream_id &&
+ !tmpconn->base_.marked_for_close) {
+ log_debug(LD_EXIT,"found conn for stream %d.", rh.stream_id);
+ if (cell_direction == CELL_DIRECTION_OUT ||
+ connection_edge_is_rendezvous_stream(tmpconn))
+ return tmpconn;
+ }
+ }
+ for (tmpconn = TO_OR_CIRCUIT(circ)->resolving_streams; tmpconn;
+ tmpconn=tmpconn->next_stream) {
+ if (rh.stream_id == tmpconn->stream_id &&
+ !tmpconn->base_.marked_for_close) {
+ log_debug(LD_EXIT,"found conn for stream %d.", rh.stream_id);
+ return tmpconn;
+ }
+ }
+ }
+ return NULL; /* probably a begin relay cell */
+}
+
+/** Pack the relay_header_t host-order structure <b>src</b> into
+ * network-order in the buffer <b>dest</b>. See tor-spec.txt for details
+ * about the wire format.
+ */
+void
+relay_header_pack(uint8_t *dest, const relay_header_t *src)
+{
+ set_uint8(dest, src->command);
+ set_uint16(dest+1, htons(src->recognized));
+ set_uint16(dest+3, htons(src->stream_id));
+ memcpy(dest+5, src->integrity, 4);
+ set_uint16(dest+9, htons(src->length));
+}
+
+/** Unpack the network-order buffer <b>src</b> into a host-order
+ * relay_header_t structure <b>dest</b>.
+ */
+void
+relay_header_unpack(relay_header_t *dest, const uint8_t *src)
+{
+ dest->command = get_uint8(src);
+ dest->recognized = ntohs(get_uint16(src+1));
+ dest->stream_id = ntohs(get_uint16(src+3));
+ memcpy(dest->integrity, src+5, 4);
+ dest->length = ntohs(get_uint16(src+9));
+}
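
relay_header_pack()/relay_header_unpack() above serialize the 11-byte relay
header described in tor-spec.txt: command (1 byte), "recognized" (2),
stream_id (2), integrity (4), length (2), with all multi-byte fields in
network order. Below is a self-contained sketch of that layout using only
standard headers; the hdr_t struct and pack()/unpack() names are illustrative,
not Tor's, and memcpy-based stores stand in for Tor's set_uint16()/get_uint16()
helpers.

    #include <arpa/inet.h>  /* htons / ntohs */
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>

    typedef struct {
      uint8_t  command;
      uint16_t recognized;
      uint16_t stream_id;
      uint8_t  integrity[4];
      uint16_t length;
    } hdr_t;

    /* Pack the 11-byte wire layout: 1 + 2 + 2 + 4 + 2 bytes. */
    static void
    pack(uint8_t *d, const hdr_t *h)
    {
      uint16_t v;
      d[0] = h->command;
      v = htons(h->recognized);  memcpy(d + 1, &v, 2);
      v = htons(h->stream_id);   memcpy(d + 3, &v, 2);
      memcpy(d + 5, h->integrity, 4);
      v = htons(h->length);      memcpy(d + 9, &v, 2);
    }

    /* Unpack the same layout back into host order. */
    static void
    unpack(hdr_t *h, const uint8_t *s)
    {
      uint16_t v;
      h->command = s[0];
      memcpy(&v, s + 1, 2); h->recognized = ntohs(v);
      memcpy(&v, s + 3, 2); h->stream_id  = ntohs(v);
      memcpy(h->integrity, s + 5, 4);
      memcpy(&v, s + 9, 2); h->length     = ntohs(v);
    }

    int
    main(void)
    {
      uint8_t buf[11];
      hdr_t in = { 2 /* DATA */, 0, 7, {0, 0, 0, 0}, 498 }, out;
      pack(buf, &in);
      unpack(&out, buf);
      printf("cmd=%u stream=%u len=%u\n", out.command, out.stream_id, out.length);
      return 0;
    }
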
+
+/** Convert the relay <b>command</b> into a human-readable string. */
+static const char *
+relay_command_to_string(uint8_t command)
+{
+ static char buf[64];
+ switch (command) {
+ case RELAY_COMMAND_BEGIN: return "BEGIN";
+ case RELAY_COMMAND_DATA: return "DATA";
+ case RELAY_COMMAND_END: return "END";
+ case RELAY_COMMAND_CONNECTED: return "CONNECTED";
+ case RELAY_COMMAND_SENDME: return "SENDME";
+ case RELAY_COMMAND_EXTEND: return "EXTEND";
+ case RELAY_COMMAND_EXTENDED: return "EXTENDED";
+ case RELAY_COMMAND_TRUNCATE: return "TRUNCATE";
+ case RELAY_COMMAND_TRUNCATED: return "TRUNCATED";
+ case RELAY_COMMAND_DROP: return "DROP";
+ case RELAY_COMMAND_RESOLVE: return "RESOLVE";
+ case RELAY_COMMAND_RESOLVED: return "RESOLVED";
+ case RELAY_COMMAND_BEGIN_DIR: return "BEGIN_DIR";
+ case RELAY_COMMAND_ESTABLISH_INTRO: return "ESTABLISH_INTRO";
+ case RELAY_COMMAND_ESTABLISH_RENDEZVOUS: return "ESTABLISH_RENDEZVOUS";
+ case RELAY_COMMAND_INTRODUCE1: return "INTRODUCE1";
+ case RELAY_COMMAND_INTRODUCE2: return "INTRODUCE2";
+ case RELAY_COMMAND_RENDEZVOUS1: return "RENDEZVOUS1";
+ case RELAY_COMMAND_RENDEZVOUS2: return "RENDEZVOUS2";
+ case RELAY_COMMAND_INTRO_ESTABLISHED: return "INTRO_ESTABLISHED";
+ case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
+ return "RENDEZVOUS_ESTABLISHED";
+ case RELAY_COMMAND_INTRODUCE_ACK: return "INTRODUCE_ACK";
+ case RELAY_COMMAND_EXTEND2: return "EXTEND2";
+ case RELAY_COMMAND_EXTENDED2: return "EXTENDED2";
+ default:
+ tor_snprintf(buf, sizeof(buf), "Unrecognized relay command %u",
+ (unsigned)command);
+ return buf;
+ }
+}
+
+/** Make a relay cell out of <b>relay_command</b> and <b>payload</b>, and send
+ * it onto the open circuit <b>circ</b>. <b>stream_id</b> is the ID on
+ * <b>circ</b> for the stream that's sending the relay cell, or 0 if it's a
+ * control cell. <b>cpath_layer</b> is NULL for OR->OP cells, or the
+ * destination hop for OP->OR cells.
+ *
+ * If you can't send the cell, mark the circuit for close and return -1. Else
+ * return 0.
+ */
+MOCK_IMPL(int,
+relay_send_command_from_edge_,(streamid_t stream_id, circuit_t *circ,
+ uint8_t relay_command, const char *payload,
+ size_t payload_len, crypt_path_t *cpath_layer,
+ const char *filename, int lineno))
+{
+ cell_t cell;
+ relay_header_t rh;
+ cell_direction_t cell_direction;
+ /* XXXX NM Split this function into a separate versions per circuit type? */
+
+ tor_assert(circ);
+ tor_assert(payload_len <= RELAY_PAYLOAD_SIZE);
+
+ memset(&cell, 0, sizeof(cell_t));
+ cell.command = CELL_RELAY;
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ tor_assert(cpath_layer);
+ cell.circ_id = circ->n_circ_id;
+ cell_direction = CELL_DIRECTION_OUT;
+ } else {
+ tor_assert(! cpath_layer);
+ cell.circ_id = TO_OR_CIRCUIT(circ)->p_circ_id;
+ cell_direction = CELL_DIRECTION_IN;
+ }
+
+ memset(&rh, 0, sizeof(rh));
+ rh.command = relay_command;
+ rh.stream_id = stream_id;
+ rh.length = payload_len;
+ relay_header_pack(cell.payload, &rh);
+ if (payload_len)
+ memcpy(cell.payload+RELAY_HEADER_SIZE, payload, payload_len);
+
+ log_debug(LD_OR,"delivering %d cell %s.", relay_command,
+ cell_direction == CELL_DIRECTION_OUT ? "forward" : "backward");
+
+ if (relay_command == RELAY_COMMAND_DROP)
+ rep_hist_padding_count_write(PADDING_TYPE_DROP);
+
+ /* If we are sending an END cell and this circuit is used for a tunneled
+ * directory request, advance its state. */
+ if (relay_command == RELAY_COMMAND_END && circ->dirreq_id)
+ geoip_change_dirreq_state(circ->dirreq_id, DIRREQ_TUNNELED,
+ DIRREQ_END_CELL_SENT);
+
+ if (cell_direction == CELL_DIRECTION_OUT && circ->n_chan) {
+ /* if we're using relaybandwidthrate, this conn wants priority */
+ channel_timestamp_client(circ->n_chan);
+ }
+
+ if (cell_direction == CELL_DIRECTION_OUT) {
+ origin_circuit_t *origin_circ = TO_ORIGIN_CIRCUIT(circ);
+ if (origin_circ->remaining_relay_early_cells > 0 &&
+ (relay_command == RELAY_COMMAND_EXTEND ||
+ relay_command == RELAY_COMMAND_EXTEND2 ||
+ cpath_layer != origin_circ->cpath)) {
+ /* If we've got any relay_early cells left and (we're sending
+ * an extend cell or we're not talking to the first hop), use
+ * one of them. Don't worry about the conn protocol version:
+ * append_cell_to_circuit_queue will fix it up. */
+ cell.command = CELL_RELAY_EARLY;
+ --origin_circ->remaining_relay_early_cells;
+ log_debug(LD_OR, "Sending a RELAY_EARLY cell; %d remaining.",
+ (int)origin_circ->remaining_relay_early_cells);
+ /* Memorize the command that is sent as RELAY_EARLY cell; helps debug
+ * task 878. */
+ origin_circ->relay_early_commands[
+ origin_circ->relay_early_cells_sent++] = relay_command;
+ } else if (relay_command == RELAY_COMMAND_EXTEND ||
+ relay_command == RELAY_COMMAND_EXTEND2) {
+ /* If no RELAY_EARLY cells can be sent over this circuit, log which
+ * commands have been sent as RELAY_EARLY cells before; helps debug
+ * task 878. */
+ smartlist_t *commands_list = smartlist_new();
+ int i = 0;
+ char *commands = NULL;
+ for (; i < origin_circ->relay_early_cells_sent; i++)
+ smartlist_add(commands_list, (char *)
+ relay_command_to_string(origin_circ->relay_early_commands[i]));
+ commands = smartlist_join_strings(commands_list, ",", 0, NULL);
+ log_warn(LD_BUG, "Uh-oh. We're sending a RELAY_COMMAND_EXTEND cell, "
+ "but we have run out of RELAY_EARLY cells on that circuit. "
+ "Commands sent before: %s", commands);
+ tor_free(commands);
+ smartlist_free(commands_list);
+ }
+
+ /* Let's assume we're well-behaved: Anything that we decide to send is
+ * valid, delivered data. */
+ circuit_sent_valid_data(origin_circ, rh.length);
+ }
+
+ if (circuit_package_relay_cell(&cell, circ, cell_direction, cpath_layer,
+ stream_id, filename, lineno) < 0) {
+ log_warn(LD_BUG,"circuit_package_relay_cell failed. Closing.");
+ circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
+ return -1;
+ }
+ return 0;
+}
+
+/** Make a relay cell out of <b>relay_command</b> and <b>payload</b>, and
+ * send it onto the open circuit <b>circ</b>. <b>fromconn</b> is the stream
+ * that's sending the relay cell, or NULL if it's a control cell.
+ * <b>cpath_layer</b> is NULL for OR->OP cells, or the destination hop
+ * for OP->OR cells.
+ *
+ * If you can't send the cell, mark the circuit for close and
+ * return -1. Else return 0.
+ */
+int
+connection_edge_send_command(edge_connection_t *fromconn,
+ uint8_t relay_command, const char *payload,
+ size_t payload_len)
+{
+ /* XXXX NM Split this function into a separate versions per circuit type? */
+ circuit_t *circ;
+ crypt_path_t *cpath_layer = fromconn->cpath_layer;
+ tor_assert(fromconn);
+ circ = fromconn->on_circuit;
+
+ if (fromconn->base_.marked_for_close) {
+ log_warn(LD_BUG,
+ "called on conn that's already marked for close at %s:%d.",
+ fromconn->base_.marked_for_close_file,
+ fromconn->base_.marked_for_close);
+ return 0;
+ }
+
+ if (!circ) {
+ if (fromconn->base_.type == CONN_TYPE_AP) {
+ log_info(LD_APP,"no circ. Closing conn.");
+ connection_mark_unattached_ap(EDGE_TO_ENTRY_CONN(fromconn),
+ END_STREAM_REASON_INTERNAL);
+ } else {
+ log_info(LD_EXIT,"no circ. Closing conn.");
+ fromconn->edge_has_sent_end = 1; /* no circ to send to */
+ fromconn->end_reason = END_STREAM_REASON_INTERNAL;
+ connection_mark_for_close(TO_CONN(fromconn));
+ }
+ return -1;
+ }
+
+ if (circ->marked_for_close) {
+ /* The circuit has been marked, but not freed yet. When it's freed, it
+ * will mark this connection for close. */
+ return -1;
+ }
+
+#ifdef MEASUREMENTS_21206
+ /* Keep track of the number of RELAY_DATA cells sent for directory
+ * connections. */
+ connection_t *linked_conn = TO_CONN(fromconn)->linked_conn;
+
+ if (linked_conn && linked_conn->type == CONN_TYPE_DIR) {
+ ++(TO_DIR_CONN(linked_conn)->data_cells_sent);
+ }
+#endif /* defined(MEASUREMENTS_21206) */
+
+ return relay_send_command_from_edge(fromconn->stream_id, circ,
+ relay_command, payload,
+ payload_len, cpath_layer);
+}
+
+/** How many times will I retry a stream that fails due to DNS
+ * resolve failure or misc error?
+ */
+#define MAX_RESOLVE_FAILURES 3
+
+/** Return 1 if reason is something that you should retry if you
+ * get the end cell before you've connected; else return 0. */
+static int
+edge_reason_is_retriable(int reason)
+{
+ return reason == END_STREAM_REASON_HIBERNATING ||
+ reason == END_STREAM_REASON_RESOURCELIMIT ||
+ reason == END_STREAM_REASON_EXITPOLICY ||
+ reason == END_STREAM_REASON_RESOLVEFAILED ||
+ reason == END_STREAM_REASON_MISC ||
+ reason == END_STREAM_REASON_NOROUTE;
+}
+
+/** Called when we receive an END cell on a stream that isn't open yet,
+ * from the client side.
+ * Arguments are as for connection_edge_process_relay_cell().
+ */
+static int
+connection_ap_process_end_not_open(
+ relay_header_t *rh, cell_t *cell, origin_circuit_t *circ,
+ entry_connection_t *conn, crypt_path_t *layer_hint)
+{
+ node_t *exitrouter;
+ int reason = *(cell->payload+RELAY_HEADER_SIZE);
+ int control_reason;
+ edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(conn);
+ (void) layer_hint; /* unused */
+
+ if (rh->length > 0) {
+ if (reason == END_STREAM_REASON_TORPROTOCOL ||
+ reason == END_STREAM_REASON_DESTROY) {
+ /* Both of these reasons could mean a failed tag
+ * hit the exit and it complained. Do not probe.
+ * Fail the circuit. */
+ circ->path_state = PATH_STATE_USE_FAILED;
+ return -END_CIRC_REASON_TORPROTOCOL;
+ } else if (reason == END_STREAM_REASON_INTERNAL) {
+ /* We can't infer success or failure, since older Tors report
+ * ENETUNREACH as END_STREAM_REASON_INTERNAL. */
+ } else {
+ /* Path bias: If we get a valid reason code from the exit,
+ * it wasn't due to tagging.
+ *
+ * We rely on recognized+digest being strong enough that a tagged
+ * cell is very unlikely to still pass the 'recognized' check and
+ * deliver a valid reason code here. */
+ pathbias_mark_use_success(circ);
+ }
+ }
+
+ /* This end cell is now valid. */
+ circuit_read_valid_data(circ, rh->length);
+
+ if (rh->length == 0) {
+ reason = END_STREAM_REASON_MISC;
+ }
+
+ control_reason = reason | END_STREAM_REASON_FLAG_REMOTE;
+
+ if (edge_reason_is_retriable(reason) &&
+ /* avoid retry if rend */
+ !connection_edge_is_rendezvous_stream(edge_conn)) {
+ const char *chosen_exit_digest =
+ circ->build_state->chosen_exit->identity_digest;
+ log_info(LD_APP,"Address '%s' refused due to '%s'. Considering retrying.",
+ safe_str(conn->socks_request->address),
+ stream_end_reason_to_string(reason));
+ exitrouter = node_get_mutable_by_id(chosen_exit_digest);
+ switch (reason) {
+ case END_STREAM_REASON_EXITPOLICY: {
+ tor_addr_t addr;
+ tor_addr_make_unspec(&addr);
+ if (rh->length >= 5) {
+ int ttl = -1;
+ tor_addr_make_unspec(&addr);
+ if (rh->length == 5 || rh->length == 9) {
+ tor_addr_from_ipv4n(&addr,
+ get_uint32(cell->payload+RELAY_HEADER_SIZE+1));
+ if (rh->length == 9)
+ ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+5));
+ } else if (rh->length == 17 || rh->length == 21) {
+ tor_addr_from_ipv6_bytes(&addr,
+ (char*)(cell->payload+RELAY_HEADER_SIZE+1));
+ if (rh->length == 21)
+ ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+17));
+ }
+ if (tor_addr_is_null(&addr)) {
+ log_info(LD_APP,"Address '%s' resolved to 0.0.0.0. Closing,",
+ safe_str(conn->socks_request->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return 0;
+ }
+
+ if ((tor_addr_family(&addr) == AF_INET &&
+ !conn->entry_cfg.ipv4_traffic) ||
+ (tor_addr_family(&addr) == AF_INET6 &&
+ !conn->entry_cfg.ipv6_traffic)) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "Got an EXITPOLICY failure on a connection with a "
+ "mismatched family. Closing.");
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return 0;
+ }
+ if (get_options()->ClientDNSRejectInternalAddresses &&
+ tor_addr_is_internal(&addr, 0)) {
+ log_info(LD_APP,"Address '%s' resolved to internal. Closing,",
+ safe_str(conn->socks_request->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+ return 0;
+ }
+
+ client_dns_set_addressmap(conn,
+ conn->socks_request->address, &addr,
+ conn->chosen_exit_name, ttl);
+
+ {
+ char new_addr[TOR_ADDR_BUF_LEN];
+ tor_addr_to_str(new_addr, &addr, sizeof(new_addr), 1);
+ if (strcmp(conn->socks_request->address, new_addr)) {
+ strlcpy(conn->socks_request->address, new_addr,
+ sizeof(conn->socks_request->address));
+ control_event_stream_status(conn, STREAM_EVENT_REMAP, 0);
+ }
+ }
+ }
+ /* check if the exit *ought* to have allowed it */
+
+ adjust_exit_policy_from_exitpolicy_failure(circ,
+ conn,
+ exitrouter,
+ &addr);
+
+ if (conn->chosen_exit_optional ||
+ conn->chosen_exit_retries) {
+ /* stop wanting a specific exit */
+ conn->chosen_exit_optional = 0;
+ /* A non-zero chosen_exit_retries can happen if we set a
+ * TrackHostExits for this address under a port that the exit
+ * relay allows, but then try the same address with a different
+ * port that it doesn't allow to exit. We shouldn't unregister
+ * the mapping, since it is probably still wanted on the
+ * original port. But now we give away to the exit relay that
+ * we probably have a TrackHostExits on it. So be it. */
+ conn->chosen_exit_retries = 0;
+ tor_free(conn->chosen_exit_name); /* clears it */
+ }
+ if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0)
+ return 0;
+ /* else, conn will get closed below */
+ break;
+ }
+ case END_STREAM_REASON_CONNECTREFUSED:
+ if (!conn->chosen_exit_optional)
+ break; /* break means it'll close, below */
+ /* Else fall through: expire this circuit, clear the
+ * chosen_exit_name field, and try again. */
+ /* Falls through. */
+ case END_STREAM_REASON_RESOLVEFAILED:
+ case END_STREAM_REASON_TIMEOUT:
+ case END_STREAM_REASON_MISC:
+ case END_STREAM_REASON_NOROUTE:
+ if (client_dns_incr_failures(conn->socks_request->address)
+ < MAX_RESOLVE_FAILURES) {
+ /* We haven't retried too many times; reattach the connection. */
+ circuit_log_path(LOG_INFO,LD_APP,circ);
+ /* Mark this circuit "unusable for new streams". */
+ mark_circuit_unusable_for_new_conns(circ);
+
+ if (conn->chosen_exit_optional) {
+ /* stop wanting a specific exit */
+ conn->chosen_exit_optional = 0;
+ tor_free(conn->chosen_exit_name); /* clears it */
+ }
+ if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0)
+ return 0;
+ /* else, conn will get closed below */
+ } else {
+ log_notice(LD_APP,
+ "Have tried resolving or connecting to address '%s' "
+ "at %d different places. Giving up.",
+ safe_str(conn->socks_request->address),
+ MAX_RESOLVE_FAILURES);
+ /* clear the failures, so it will have a full try next time */
+ client_dns_clear_failures(conn->socks_request->address);
+ }
+ break;
+ case END_STREAM_REASON_HIBERNATING:
+ case END_STREAM_REASON_RESOURCELIMIT:
+ if (exitrouter) {
+ policies_set_node_exitpolicy_to_reject_all(exitrouter);
+ }
+ if (conn->chosen_exit_optional) {
+ /* stop wanting a specific exit */
+ conn->chosen_exit_optional = 0;
+ tor_free(conn->chosen_exit_name); /* clears it */
+ }
+ if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0)
+ return 0;
+ /* else, will close below */
+ break;
+ } /* end switch */
+ log_info(LD_APP,"Giving up on retrying; conn can't be handled.");
+ }
+
+ log_info(LD_APP,
+ "Edge got end (%s) before we're connected. Marking for close.",
+ stream_end_reason_to_string(rh->length > 0 ? reason : -1));
+ circuit_log_path(LOG_INFO,LD_APP,circ);
+ /* need to test because of detach_retriable */
+ if (!ENTRY_TO_CONN(conn)->marked_for_close)
+ connection_mark_unattached_ap(conn, control_reason);
+ return 0;
+}
+
+/** Called when we have gotten an END_REASON_EXITPOLICY failure on <b>circ</b>
+ * for <b>conn</b>, while attempting to connect via <b>node</b>. If the node
+ * told us which address it rejected, then <b>addr</b> is that address;
+ * otherwise it is AF_UNSPEC.
+ *
+ * If we are sure the node should have allowed this address, mark the node as
+ * having a reject *:* exit policy. Otherwise, mark the circuit as unusable
+ * for this particular address.
+ **/
+static void
+adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t *circ,
+ entry_connection_t *conn,
+ node_t *node,
+ const tor_addr_t *addr)
+{
+ int make_reject_all = 0;
+ const sa_family_t family = tor_addr_family(addr);
+
+ if (node) {
+ tor_addr_t tmp;
+ int asked_for_family = tor_addr_parse(&tmp, conn->socks_request->address);
+ if (family == AF_UNSPEC) {
+ make_reject_all = 1;
+ } else if (node_exit_policy_is_exact(node, family) &&
+ asked_for_family != -1 && !conn->chosen_exit_name) {
+ make_reject_all = 1;
+ }
+
+ if (make_reject_all) {
+ log_info(LD_APP,
+ "Exitrouter %s seems to be more restrictive than its exit "
+ "policy. Not using this router as exit for now.",
+ node_describe(node));
+ policies_set_node_exitpolicy_to_reject_all(node);
+ }
+ }
+
+ if (family != AF_UNSPEC)
+ addr_policy_append_reject_addr(&circ->prepend_policy, addr);
+}
+
+/** Helper: change the socks_request->address field on conn to the
+ * string representation of <b>new_addr</b> (IPv4 or IPv6),
+ * and send an appropriate REMAP event. */
+static void
+remap_event_helper(entry_connection_t *conn, const tor_addr_t *new_addr)
+{
+ tor_addr_to_str(conn->socks_request->address, new_addr,
+ sizeof(conn->socks_request->address),
+ 1);
+ control_event_stream_status(conn, STREAM_EVENT_REMAP,
+ REMAP_STREAM_SOURCE_EXIT);
+}
+
+/** Extract the contents of a connected cell in <b>cell</b>, whose relay
+ * header has already been parsed into <b>rh</b>. On success, set
+ * <b>addr_out</b> to the address we're connected to, and <b>ttl_out</b> to
+ * the ttl of that address, in seconds, and return 0. On failure, return
+ * -1.
+ *
+ * Note that the resulting address can be UNSPEC if the connected cell had no
+ * address (as for a stream to an onion service or a tunneled directory
+ * connection), and that the ttl can be absent (in which case <b>ttl_out</b>
+ * is set to -1). */
+STATIC int
+connected_cell_parse(const relay_header_t *rh, const cell_t *cell,
+ tor_addr_t *addr_out, int *ttl_out)
+{
+ uint32_t bytes;
+ const uint8_t *payload = cell->payload + RELAY_HEADER_SIZE;
+
+ tor_addr_make_unspec(addr_out);
+ *ttl_out = -1;
+ if (rh->length == 0)
+ return 0;
+ if (rh->length < 4)
+ return -1;
+ bytes = ntohl(get_uint32(payload));
+
+ /* If bytes is 0, this may be a v6 address. Otherwise it's a v4 address. */
+ if (bytes != 0) {
+ /* v4 address */
+ tor_addr_from_ipv4h(addr_out, bytes);
+ if (rh->length >= 8) {
+ bytes = ntohl(get_uint32(payload + 4));
+ if (bytes <= INT32_MAX)
+ *ttl_out = bytes;
+ }
+ } else {
+ if (rh->length < 25) /* 4 bytes of 0s, 1 addr type, 16 ipv6, 4 ttl. */
+ return -1;
+ if (get_uint8(payload + 4) != 6)
+ return -1;
+ tor_addr_from_ipv6_bytes(addr_out, (char*)(payload + 5));
+ bytes = ntohl(get_uint32(payload + 21));
+ if (bytes <= INT32_MAX)
+ *ttl_out = (int) bytes;
+ }
+ return 0;
+}
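+
+/* A minimal sketch (illustrative only; "example_connected_payload_v4" is a
+ * hypothetical helper, not used anywhere in this file): the encoder
+ * counterpart of connected_cell_parse() above, laying out a CONNECTED
+ * payload that carries an IPv4 address followed by an optional TTL. Note
+ * that an all-zero address would instead select the IPv6 form parsed
+ * above. */
+static inline size_t
+example_connected_payload_v4(uint8_t *out, uint32_t ipv4_host, uint32_t ttl)
+{
+ /* 4-byte IPv4 address in network order, then an optional 4-byte TTL. */
+ set_uint32(out, htonl(ipv4_host));
+ set_uint32(out + 4, htonl(ttl));
+ return 8; /* rh->length for "v4 address + ttl" */
+}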
+
+/** Drop all storage held by <b>addr</b>. */
+STATIC void
+address_ttl_free_(address_ttl_t *addr)
+{
+ if (!addr)
+ return;
+ tor_free(addr->hostname);
+ tor_free(addr);
+}
+
+/** Parse a resolved cell in <b>cell</b>, with parsed header in <b>rh</b>.
+ * Return -1 on parse error. On success, add one or more newly allocated
+ * address_ttl_t to <b>addresses_out</b>; set *<b>errcode_out</b> to
+ * one of 0, RESOLVED_TYPE_ERROR, or RESOLVED_TYPE_ERROR_TRANSIENT, and
+ * return 0. */
+STATIC int
+resolved_cell_parse(const cell_t *cell, const relay_header_t *rh,
+ smartlist_t *addresses_out, int *errcode_out)
+{
+ const uint8_t *cp;
+ uint8_t answer_type;
+ size_t answer_len;
+ address_ttl_t *addr;
+ size_t remaining;
+ int errcode = 0;
+ smartlist_t *addrs;
+
+ tor_assert(cell);
+ tor_assert(rh);
+ tor_assert(addresses_out);
+ tor_assert(errcode_out);
+
+ *errcode_out = 0;
+
+ if (rh->length > RELAY_PAYLOAD_SIZE)
+ return -1;
+
+ addrs = smartlist_new();
+
+ cp = cell->payload + RELAY_HEADER_SIZE;
+
+ remaining = rh->length;
+ while (remaining) {
+ const uint8_t *cp_orig = cp;
+ if (remaining < 2)
+ goto err;
+ answer_type = *cp++;
+ answer_len = *cp++;
+ if (remaining < 2 + answer_len + 4) {
+ goto err;
+ }
+ if (answer_type == RESOLVED_TYPE_IPV4) {
+ if (answer_len != 4) {
+ goto err;
+ }
+ addr = tor_malloc_zero(sizeof(*addr));
+ tor_addr_from_ipv4n(&addr->addr, get_uint32(cp));
+ cp += 4;
+ addr->ttl = ntohl(get_uint32(cp));
+ cp += 4;
+ smartlist_add(addrs, addr);
+ } else if (answer_type == RESOLVED_TYPE_IPV6) {
+ if (answer_len != 16)
+ goto err;
+ addr = tor_malloc_zero(sizeof(*addr));
+ tor_addr_from_ipv6_bytes(&addr->addr, (const char*) cp);
+ cp += 16;
+ addr->ttl = ntohl(get_uint32(cp));
+ cp += 4;
+ smartlist_add(addrs, addr);
+ } else if (answer_type == RESOLVED_TYPE_HOSTNAME) {
+ if (answer_len == 0) {
+ goto err;
+ }
+ addr = tor_malloc_zero(sizeof(*addr));
+ addr->hostname = tor_memdup_nulterm(cp, answer_len);
+ cp += answer_len;
+ addr->ttl = ntohl(get_uint32(cp));
+ cp += 4;
+ smartlist_add(addrs, addr);
+ } else if (answer_type == RESOLVED_TYPE_ERROR_TRANSIENT ||
+ answer_type == RESOLVED_TYPE_ERROR) {
+ errcode = answer_type;
+ /* Ignore the error contents */
+ cp += answer_len + 4;
+ } else {
+ cp += answer_len + 4;
+ }
+ tor_assert(((ssize_t)remaining) >= (cp - cp_orig));
+ remaining -= (cp - cp_orig);
+ }
+
+ if (errcode && smartlist_len(addrs) == 0) {
+ /* Report an error only if there were no results. */
+ *errcode_out = errcode;
+ }
+
+ smartlist_add_all(addresses_out, addrs);
+ smartlist_free(addrs);
+
+ return 0;
+
+ err:
+ /* On parse error, don't report any results */
+ SMARTLIST_FOREACH(addrs, address_ttl_t *, a, address_ttl_free(a));
+ smartlist_free(addrs);
+ return -1;
+}
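+
+/* A minimal sketch (illustrative only; "example_resolved_answer_ipv4" is a
+ * hypothetical helper, not used anywhere in this file): the encoder
+ * counterpart of resolved_cell_parse() above, emitting one answer record in
+ * the "type, length, value, 4-byte TTL" layout that the parser walks. */
+static inline size_t
+example_resolved_answer_ipv4(uint8_t *out, uint32_t ipv4_host, uint32_t ttl)
+{
+ set_uint8(out, RESOLVED_TYPE_IPV4); /* answer_type */
+ set_uint8(out + 1, 4); /* answer_len */
+ set_uint32(out + 2, htonl(ipv4_host)); /* 4-byte value, network order */
+ set_uint32(out + 6, htonl(ttl)); /* 4-byte TTL */
+ return 10; /* bytes consumed from rh->length */
+}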
+
+/** Helper for connection_edge_process_resolved_cell: given an error code,
+ * an entry_connection, and a list of address_ttl_t *, report the best answer
+ * to the entry_connection. */
+static void
+connection_ap_handshake_socks_got_resolved_cell(entry_connection_t *conn,
+ int error_code,
+ smartlist_t *results)
+{
+ address_ttl_t *addr_ipv4 = NULL;
+ address_ttl_t *addr_ipv6 = NULL;
+ address_ttl_t *addr_hostname = NULL;
+ address_ttl_t *addr_best = NULL;
+
+ /* If it's an error code, that's easy. */
+ if (error_code) {
+ tor_assert(error_code == RESOLVED_TYPE_ERROR ||
+ error_code == RESOLVED_TYPE_ERROR_TRANSIENT);
+ connection_ap_handshake_socks_resolved(conn,
+ error_code,0,NULL,-1,-1);
+ return;
+ }
+
+ /* Get the first answer of each type. */
+ SMARTLIST_FOREACH_BEGIN(results, address_ttl_t *, addr) {
+ if (addr->hostname) {
+ if (!addr_hostname) {
+ addr_hostname = addr;
+ }
+ } else if (tor_addr_family(&addr->addr) == AF_INET) {
+ if (!addr_ipv4 && conn->entry_cfg.ipv4_traffic) {
+ addr_ipv4 = addr;
+ }
+ } else if (tor_addr_family(&addr->addr) == AF_INET6) {
+ if (!addr_ipv6 && conn->entry_cfg.ipv6_traffic) {
+ addr_ipv6 = addr;
+ }
+ }
+ } SMARTLIST_FOREACH_END(addr);
+
+ /* Now figure out which type we wanted to deliver. */
+ if (conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR) {
+ if (addr_hostname) {
+ connection_ap_handshake_socks_resolved(conn,
+ RESOLVED_TYPE_HOSTNAME,
+ strlen(addr_hostname->hostname),
+ (uint8_t*)addr_hostname->hostname,
+ addr_hostname->ttl,-1);
+ } else {
+ connection_ap_handshake_socks_resolved(conn,
+ RESOLVED_TYPE_ERROR,0,NULL,-1,-1);
+ }
+ return;
+ }
+
+ if (conn->entry_cfg.prefer_ipv6) {
+ addr_best = addr_ipv6 ? addr_ipv6 : addr_ipv4;
+ } else {
+ addr_best = addr_ipv4 ? addr_ipv4 : addr_ipv6;
+ }
+
+ /* Now convert it to the ugly old interface */
+ if (! addr_best) {
+ connection_ap_handshake_socks_resolved(conn,
+ RESOLVED_TYPE_ERROR,0,NULL,-1,-1);
+ return;
+ }
+
+ connection_ap_handshake_socks_resolved_addr(conn,
+ &addr_best->addr,
+ addr_best->ttl,
+ -1);
+
+ remap_event_helper(conn, &addr_best->addr);
+}
+
+/** Handle a RELAY_COMMAND_RESOLVED cell that we received on a non-open AP
+ * stream. */
+STATIC int
+connection_edge_process_resolved_cell(edge_connection_t *conn,
+ const cell_t *cell,
+ const relay_header_t *rh)
+{
+ entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn);
+ smartlist_t *resolved_addresses = NULL;
+ int errcode = 0;
+
+ if (conn->base_.state != AP_CONN_STATE_RESOLVE_WAIT) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP, "Got a 'resolved' cell while "
+ "not in state resolve_wait. Dropping.");
+ return 0;
+ }
+ tor_assert(SOCKS_COMMAND_IS_RESOLVE(entry_conn->socks_request->command));
+
+ resolved_addresses = smartlist_new();
+ if (resolved_cell_parse(cell, rh, resolved_addresses, &errcode)) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Dropping malformed 'resolved' cell");
+ connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL);
+ goto done;
+ }
+
+ if (get_options()->ClientDNSRejectInternalAddresses) {
+ int orig_len = smartlist_len(resolved_addresses);
+ SMARTLIST_FOREACH_BEGIN(resolved_addresses, address_ttl_t *, addr) {
+ if (addr->hostname == NULL && tor_addr_is_internal(&addr->addr, 0)) {
+ log_info(LD_APP, "Got a resolved cell with answer %s; dropping that "
+ "answer.",
+ safe_str_client(fmt_addr(&addr->addr)));
+ address_ttl_free(addr);
+ SMARTLIST_DEL_CURRENT(resolved_addresses, addr);
+ }
+ } SMARTLIST_FOREACH_END(addr);
+ if (orig_len && smartlist_len(resolved_addresses) == 0) {
+ log_info(LD_APP, "Got a resolved cell with only private addresses; "
+ "dropping it.");
+ connection_ap_handshake_socks_resolved(entry_conn,
+ RESOLVED_TYPE_ERROR_TRANSIENT,
+ 0, NULL, 0, TIME_MAX);
+ connection_mark_unattached_ap(entry_conn,
+ END_STREAM_REASON_TORPROTOCOL);
+ goto done;
+ }
+ }
+
+ /* This is valid data at this point. Count it */
+ if (conn->on_circuit && CIRCUIT_IS_ORIGIN(conn->on_circuit)) {
+ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(conn->on_circuit),
+ rh->length);
+ }
+
+ connection_ap_handshake_socks_got_resolved_cell(entry_conn,
+ errcode,
+ resolved_addresses);
+
+ connection_mark_unattached_ap(entry_conn,
+ END_STREAM_REASON_DONE |
+ END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
+
+ done:
+ SMARTLIST_FOREACH(resolved_addresses, address_ttl_t *, addr,
+ address_ttl_free(addr));
+ smartlist_free(resolved_addresses);
+ return 0;
+}
+
+/** An incoming relay cell has arrived from circuit <b>circ</b> to
+ * stream <b>conn</b>.
+ *
+ * The arguments here are the same as in
+ * connection_edge_process_relay_cell() below; this function is called
+ * from there when <b>conn</b> is defined and not in an open state.
+ */
+static int
+connection_edge_process_relay_cell_not_open(
+ relay_header_t *rh, cell_t *cell, circuit_t *circ,
+ edge_connection_t *conn, crypt_path_t *layer_hint)
+{
+ if (rh->command == RELAY_COMMAND_END) {
+ if (CIRCUIT_IS_ORIGIN(circ) && conn->base_.type == CONN_TYPE_AP) {
+ return connection_ap_process_end_not_open(rh, cell,
+ TO_ORIGIN_CIRCUIT(circ),
+ EDGE_TO_ENTRY_CONN(conn),
+ layer_hint);
+ } else {
+ /* we just got an 'end', don't need to send one */
+ conn->edge_has_sent_end = 1;
+ conn->end_reason = *(cell->payload+RELAY_HEADER_SIZE) |
+ END_STREAM_REASON_FLAG_REMOTE;
+ connection_mark_for_close(TO_CONN(conn));
+ return 0;
+ }
+ }
+
+ if (conn->base_.type == CONN_TYPE_AP &&
+ rh->command == RELAY_COMMAND_CONNECTED) {
+ tor_addr_t addr;
+ int ttl;
+ entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn);
+ tor_assert(CIRCUIT_IS_ORIGIN(circ));
+ if (conn->base_.state != AP_CONN_STATE_CONNECT_WAIT) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "Got 'connected' while not in state connect_wait. Dropping.");
+ return 0;
+ }
+ CONNECTION_AP_EXPECT_NONPENDING(entry_conn);
+ conn->base_.state = AP_CONN_STATE_OPEN;
+ log_info(LD_APP,"'connected' received for circid %u streamid %d "
+ "after %d seconds.",
+ (unsigned)circ->n_circ_id,
+ rh->stream_id,
+ (int)(time(NULL) - conn->base_.timestamp_last_read_allowed));
+ if (connected_cell_parse(rh, cell, &addr, &ttl) < 0) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "Got a badly formatted connected cell. Closing.");
+ connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
+ connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL);
+ return 0;
+ }
+ if (tor_addr_family(&addr) != AF_UNSPEC) {
+ /* The family is not UNSPEC: so we were given an address in the
+ * connected cell. (This is normal, except for BEGINDIR and onion
+ * service streams.) */
+ const sa_family_t family = tor_addr_family(&addr);
+ if (tor_addr_is_null(&addr) ||
+ (get_options()->ClientDNSRejectInternalAddresses &&
+ tor_addr_is_internal(&addr, 0))) {
+ log_info(LD_APP, "...but it claims the IP address was %s. Closing.",
+ fmt_addr(&addr));
+ connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
+ connection_mark_unattached_ap(entry_conn,
+ END_STREAM_REASON_TORPROTOCOL);
+ return 0;
+ }
+
+ if ((family == AF_INET && ! entry_conn->entry_cfg.ipv4_traffic) ||
+ (family == AF_INET6 && ! entry_conn->entry_cfg.ipv6_traffic)) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "Got a connected cell to %s with unsupported address family."
+ " Closing.", fmt_addr(&addr));
+ connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
+ connection_mark_unattached_ap(entry_conn,
+ END_STREAM_REASON_TORPROTOCOL);
+ return 0;
+ }
+
+ client_dns_set_addressmap(entry_conn,
+ entry_conn->socks_request->address, &addr,
+ entry_conn->chosen_exit_name, ttl);
+
+ remap_event_helper(entry_conn, &addr);
+ }
+ circuit_log_path(LOG_INFO,LD_APP,TO_ORIGIN_CIRCUIT(circ));
+ /* don't send a socks reply to transparent conns */
+ tor_assert(entry_conn->socks_request != NULL);
+ if (!entry_conn->socks_request->has_finished) {
+ connection_ap_handshake_socks_reply(entry_conn, NULL, 0, 0);
+ }
+
+ /* Was it a linked dir conn? If so, a dir request just started to
+ * fetch something; this could be a bootstrap status milestone. */
+ log_debug(LD_APP, "considering");
+ if (TO_CONN(conn)->linked_conn &&
+ TO_CONN(conn)->linked_conn->type == CONN_TYPE_DIR) {
+ connection_t *dirconn = TO_CONN(conn)->linked_conn;
+ log_debug(LD_APP, "it is! %d", dirconn->purpose);
+ switch (dirconn->purpose) {
+ case DIR_PURPOSE_FETCH_CERTIFICATE:
+ if (consensus_is_waiting_for_certs())
+ control_event_bootstrap(BOOTSTRAP_STATUS_LOADING_KEYS, 0);
+ break;
+ case DIR_PURPOSE_FETCH_CONSENSUS:
+ control_event_bootstrap(BOOTSTRAP_STATUS_LOADING_STATUS, 0);
+ break;
+ case DIR_PURPOSE_FETCH_SERVERDESC:
+ case DIR_PURPOSE_FETCH_MICRODESC:
+ if (TO_DIR_CONN(dirconn)->router_purpose == ROUTER_PURPOSE_GENERAL)
+ control_event_bootstrap(BOOTSTRAP_STATUS_LOADING_DESCRIPTORS,
+ count_loading_descriptors_progress());
+ break;
+ }
+ }
+ /* This is definitely a success, so forget about any pending data we
+ * had sent. */
+ if (entry_conn->pending_optimistic_data) {
+ buf_free(entry_conn->pending_optimistic_data);
+ entry_conn->pending_optimistic_data = NULL;
+ }
+
+ /* This is valid data at this point. Count it */
+ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length);
+
+ /* handle anything that might have queued */
+ if (connection_edge_package_raw_inbuf(conn, 1, NULL) < 0) {
+ /* (We already sent an end cell if possible) */
+ connection_mark_for_close(TO_CONN(conn));
+ return 0;
+ }
+ return 0;
+ }
+ if (conn->base_.type == CONN_TYPE_AP &&
+ rh->command == RELAY_COMMAND_RESOLVED) {
+ return connection_edge_process_resolved_cell(conn, cell, rh);
+ }
+
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Got an unexpected relay command %d, in state %d (%s). Dropping.",
+ rh->command, conn->base_.state,
+ conn_state_to_string(conn->base_.type, conn->base_.state));
+ return 0; /* for forward compatibility, don't kill the circuit */
+// connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
+// connection_mark_for_close(conn);
+// return -1;
+}
+
+/** An incoming relay cell has arrived on circuit <b>circ</b>. If
+ * <b>conn</b> is NULL this is a control cell, else <b>cell</b> is
+ * destined for <b>conn</b>.
+ *
+ * If <b>layer_hint</b> is defined, then we're the origin of the
+ * circuit, and it specifies the hop that packaged <b>cell</b>.
+ *
+ * Return -reason if you want to warn and tear down the circuit, else 0.
+ */
+STATIC int
+connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
+ edge_connection_t *conn,
+ crypt_path_t *layer_hint)
+{
+ static int num_seen=0;
+ relay_header_t rh;
+ unsigned domain = layer_hint?LD_APP:LD_EXIT;
+ int reason;
+ int optimistic_data = 0; /* Set to 1 if we receive data on a stream
+ * that's in the EXIT_CONN_STATE_RESOLVING
+ * or EXIT_CONN_STATE_CONNECTING states. */
+
+ tor_assert(cell);
+ tor_assert(circ);
+
+ relay_header_unpack(&rh, cell->payload);
+// log_fn(LOG_DEBUG,"command %d stream %d", rh.command, rh.stream_id);
+ num_seen++;
+ log_debug(domain, "Now seen %d relay cells here (command %d, stream %d).",
+ num_seen, rh.command, rh.stream_id);
+
+ if (rh.length > RELAY_PAYLOAD_SIZE) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Relay cell length field too long. Closing circuit.");
+ return - END_CIRC_REASON_TORPROTOCOL;
+ }
+
+ if (rh.stream_id == 0) {
+ switch (rh.command) {
+ case RELAY_COMMAND_BEGIN:
+ case RELAY_COMMAND_CONNECTED:
+ case RELAY_COMMAND_END:
+ case RELAY_COMMAND_RESOLVE:
+ case RELAY_COMMAND_RESOLVED:
+ case RELAY_COMMAND_BEGIN_DIR:
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay command %d with zero "
+ "stream_id. Dropping.", (int)rh.command);
+ return 0;
+ default:
+ ;
+ }
+ }
+
+ /* either conn is NULL, in which case we've got a control cell, or else
+ * conn points to the recognized stream. */
+
+ if (conn && !connection_state_is_open(TO_CONN(conn))) {
+ if (conn->base_.type == CONN_TYPE_EXIT &&
+ (conn->base_.state == EXIT_CONN_STATE_CONNECTING ||
+ conn->base_.state == EXIT_CONN_STATE_RESOLVING) &&
+ rh.command == RELAY_COMMAND_DATA) {
+ /* Allow DATA cells to be delivered to an exit node in state
+ * EXIT_CONN_STATE_CONNECTING or EXIT_CONN_STATE_RESOLVING.
+ * This speeds up HTTP, for example. */
+ optimistic_data = 1;
+ } else if (rh.stream_id == 0 && rh.command == RELAY_COMMAND_DATA) {
+ log_warn(LD_BUG, "Somehow I had a connection that matched a "
+ "data cell with stream ID 0.");
+ } else {
+ return connection_edge_process_relay_cell_not_open(
+ &rh, cell, circ, conn, layer_hint);
+ }
+ }
+
+ switch (rh.command) {
+ case RELAY_COMMAND_DROP:
+ rep_hist_padding_count_read(PADDING_TYPE_DROP);
+// log_info(domain,"Got a relay-level padding cell. Dropping.");
+ return 0;
+ case RELAY_COMMAND_BEGIN:
+ case RELAY_COMMAND_BEGIN_DIR:
+ if (layer_hint &&
+ circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "Relay begin request unsupported at AP. Dropping.");
+ return 0;
+ }
+ if (circ->purpose == CIRCUIT_PURPOSE_S_REND_JOINED &&
+ layer_hint != TO_ORIGIN_CIRCUIT(circ)->cpath->prev) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "Relay begin request to Hidden Service "
+ "from intermediary node. Dropping.");
+ return 0;
+ }
+ if (conn) {
+ log_fn(LOG_PROTOCOL_WARN, domain,
+ "Begin cell for known stream. Dropping.");
+ return 0;
+ }
+ if (rh.command == RELAY_COMMAND_BEGIN_DIR &&
+ circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
+ /* Assign this circuit and its app-ward OR connection a unique ID,
+ * so that we can measure download times. The local edge and dir
+ * connection will be assigned the same ID when they are created
+ * and linked. */
+ static uint64_t next_id = 0;
+ circ->dirreq_id = ++next_id;
+ TO_OR_CIRCUIT(circ)->p_chan->dirreq_id = circ->dirreq_id;
+ }
+ return connection_exit_begin_conn(cell, circ);
+ case RELAY_COMMAND_DATA:
+ ++stats_n_data_cells_received;
+ if (( layer_hint && --layer_hint->deliver_window < 0) ||
+ (!layer_hint && --circ->deliver_window < 0)) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "(relay data) circ deliver_window below 0. Killing.");
+ if (conn) {
+ /* XXXX Do we actually need to do this? Will killing the circuit
+ * not send an END and mark the stream for close as appropriate? */
+ connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
+ connection_mark_for_close(TO_CONN(conn));
+ }
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+ log_debug(domain,"circ deliver_window now %d.", layer_hint ?
+ layer_hint->deliver_window : circ->deliver_window);
+
+ circuit_consider_sending_sendme(circ, layer_hint);
+
+ if (rh.stream_id == 0) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay data cell with zero "
+ "stream_id. Dropping.");
+ return 0;
+ } else if (!conn) {
++ if (CIRCUIT_IS_ORIGIN(circ)) {
++ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
++ if (connection_half_edge_is_valid_data(ocirc->half_streams,
++ rh.stream_id)) {
++ circuit_read_valid_data(ocirc, rh.length);
++ log_info(domain,
++ "data cell on circ %u valid on half-closed "
++ "stream id %d", ocirc->global_identifier, rh.stream_id);
++ }
++ }
++
+ log_info(domain,"data cell dropped, unknown stream (streamid %d).",
+ rh.stream_id);
+ return 0;
+ }
+
+ if (--conn->deliver_window < 0) { /* is it below 0 after decrement? */
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "(relay data) conn deliver_window below 0. Killing.");
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+ /* Total all valid application bytes delivered */
+ if (CIRCUIT_IS_ORIGIN(circ) && rh.length > 0) {
+ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh.length);
+ }
+
+ stats_n_data_bytes_received += rh.length;
+ connection_buf_add((char*)(cell->payload + RELAY_HEADER_SIZE),
+ rh.length, TO_CONN(conn));
+
+#ifdef MEASUREMENTS_21206
+ /* Count number of RELAY_DATA cells received on a linked directory
+ * connection. */
+ connection_t *linked_conn = TO_CONN(conn)->linked_conn;
+
+ if (linked_conn && linked_conn->type == CONN_TYPE_DIR) {
+ ++(TO_DIR_CONN(linked_conn)->data_cells_received);
+ }
+#endif /* defined(MEASUREMENTS_21206) */
+
+ if (!optimistic_data) {
+ /* Only send a SENDME if we're not getting optimistic data; otherwise
+ * a SENDME could arrive before the CONNECTED.
+ */
+ connection_edge_consider_sending_sendme(conn);
+ }
+
+ return 0;
+ case RELAY_COMMAND_END:
+ reason = rh.length > 0 ?
+ get_uint8(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC;
+ if (!conn) {
++ if (CIRCUIT_IS_ORIGIN(circ)) {
++ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
++ if (connection_half_edge_is_valid_end(ocirc->half_streams,
++ rh.stream_id)) {
++
++ circuit_read_valid_data(ocirc, rh.length);
++ log_info(domain,
++ "end cell (%s) on circ %u valid on half-closed "
++ "stream id %d",
++ stream_end_reason_to_string(reason),
++ ocirc->global_identifier, rh.stream_id);
++ return 0;
++ }
++ }
+ log_info(domain,"end cell (%s) dropped, unknown stream.",
+ stream_end_reason_to_string(reason));
+ return 0;
+ }
+/* XXX add to this log_fn the exit node's nickname? */
+ log_info(domain,TOR_SOCKET_T_FORMAT": end cell (%s) for stream %d. "
+ "Removing stream.",
+ conn->base_.s,
+ stream_end_reason_to_string(reason),
+ conn->stream_id);
+ if (conn->base_.type == CONN_TYPE_AP) {
+ entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn);
+ if (entry_conn->socks_request &&
+ !entry_conn->socks_request->has_finished)
+ log_warn(LD_BUG,
+ "open stream hasn't sent socks answer yet? Closing.");
+ }
+ /* We just *got* an end; no reason to send one. */
+ conn->edge_has_sent_end = 1;
+ if (!conn->end_reason)
+ conn->end_reason = reason | END_STREAM_REASON_FLAG_REMOTE;
+ if (!conn->base_.marked_for_close) {
+ /* only mark it if not already marked. it's possible to
+ * get the 'end' right around when the client hangs up on us. */
+ connection_mark_and_flush(TO_CONN(conn));
+
+ /* Total all valid application bytes delivered */
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh.length);
+ }
+ }
+ return 0;
+ case RELAY_COMMAND_EXTEND:
+ case RELAY_COMMAND_EXTEND2: {
+ static uint64_t total_n_extend=0, total_nonearly=0;
+ total_n_extend++;
+ if (rh.stream_id) {
+ log_fn(LOG_PROTOCOL_WARN, domain,
+ "'extend' cell received for non-zero stream. Dropping.");
+ return 0;
+ }
+ if (cell->command != CELL_RELAY_EARLY &&
+ !networkstatus_get_param(NULL,"AllowNonearlyExtend",0,0,1)) {
+#define EARLY_WARNING_INTERVAL 3600
+ static ratelim_t early_warning_limit =
+ RATELIM_INIT(EARLY_WARNING_INTERVAL);
+ char *m;
+ if (cell->command == CELL_RELAY) {
+ ++total_nonearly;
+ if ((m = rate_limit_log(&early_warning_limit, approx_time()))) {
+ double percentage = ((double)total_nonearly)/total_n_extend;
+ percentage *= 100;
+ log_fn(LOG_PROTOCOL_WARN, domain, "EXTEND cell received, "
+ "but not via RELAY_EARLY. Dropping.%s", m);
+ log_fn(LOG_PROTOCOL_WARN, domain, " (We have dropped %.02f%% of "
+ "all EXTEND cells for this reason)", percentage);
+ tor_free(m);
+ }
+ } else {
+ log_fn(LOG_WARN, domain,
+ "EXTEND cell received, in a cell with type %d! Dropping.",
+ cell->command);
+ }
+ return 0;
+ }
+ return circuit_extend(cell, circ);
+ }
+ case RELAY_COMMAND_EXTENDED:
+ case RELAY_COMMAND_EXTENDED2:
+ if (!layer_hint) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "'extended' unsupported at non-origin. Dropping.");
+ return 0;
+ }
+ log_debug(domain,"Got an extended cell! Yay.");
+ {
+ extended_cell_t extended_cell;
+ if (extended_cell_parse(&extended_cell, rh.command,
+ (const uint8_t*)cell->payload+RELAY_HEADER_SIZE,
+ rh.length)<0) {
+ log_warn(LD_PROTOCOL,
+ "Can't parse EXTENDED cell; killing circuit.");
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+ if ((reason = circuit_finish_handshake(TO_ORIGIN_CIRCUIT(circ),
+ &extended_cell.created_cell)) < 0) {
+ circuit_mark_for_close(circ, -reason);
+ return 0; /* We don't want to cause a warning, so we mark the circuit
+ * here. */
+ }
+ }
+ if ((reason=circuit_send_next_onion_skin(TO_ORIGIN_CIRCUIT(circ)))<0) {
+ log_info(domain,"circuit_send_next_onion_skin() failed.");
+ return reason;
+ }
+ /* Total all valid bytes delivered. */
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh.length);
+ }
+ return 0;
+ case RELAY_COMMAND_TRUNCATE:
+ if (layer_hint) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "'truncate' unsupported at origin. Dropping.");
+ return 0;
+ }
+ if (circ->n_hop) {
+ if (circ->n_chan)
+ log_warn(LD_BUG, "n_chan and n_hop set on the same circuit!");
+ extend_info_free(circ->n_hop);
+ circ->n_hop = NULL;
+ tor_free(circ->n_chan_create_cell);
+ circuit_set_state(circ, CIRCUIT_STATE_OPEN);
+ }
+ if (circ->n_chan) {
+ uint8_t trunc_reason = get_uint8(cell->payload + RELAY_HEADER_SIZE);
+ circuit_clear_cell_queue(circ, circ->n_chan);
+ channel_send_destroy(circ->n_circ_id, circ->n_chan,
+ trunc_reason);
+ circuit_set_n_circid_chan(circ, 0, NULL);
+ }
+ log_debug(LD_EXIT, "Processed 'truncate', replying.");
+ {
+ char payload[1];
+ payload[0] = (char)END_CIRC_REASON_REQUESTED;
+ relay_send_command_from_edge(0, circ, RELAY_COMMAND_TRUNCATED,
+ payload, sizeof(payload), NULL);
+ }
+ return 0;
+ case RELAY_COMMAND_TRUNCATED:
+ if (!layer_hint) {
+ log_fn(LOG_PROTOCOL_WARN, LD_EXIT,
+ "'truncated' unsupported at non-origin. Dropping.");
+ return 0;
+ }
- circuit_truncated(TO_ORIGIN_CIRCUIT(circ), layer_hint,
++
++ /* Count the truncated as valid, for completeness. The
++ * circuit is being torn down anyway, though. */
++ if (CIRCUIT_IS_ORIGIN(circ)) {
++ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ),
++ rh.length);
++ }
++ circuit_truncated(TO_ORIGIN_CIRCUIT(circ),
+ get_uint8(cell->payload + RELAY_HEADER_SIZE));
+ return 0;
+ case RELAY_COMMAND_CONNECTED:
+ if (conn) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "'connected' unsupported while open. Closing circ.");
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
++
++ if (CIRCUIT_IS_ORIGIN(circ)) {
++ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
++ if (connection_half_edge_is_valid_connected(ocirc->half_streams,
++ rh.stream_id)) {
++ circuit_read_valid_data(ocirc, rh.length);
++ log_info(domain,
++ "connected cell on circ %u valid on half-closed "
++ "stream id %d", ocirc->global_identifier, rh.stream_id);
++ return 0;
++ }
++ }
++
+ log_info(domain,
+ "'connected' received on circid %u for streamid %d, "
+ "no conn attached anymore. Ignoring.",
+ (unsigned)circ->n_circ_id, rh.stream_id);
+ return 0;
+ case RELAY_COMMAND_SENDME:
+ if (!rh.stream_id) {
+ if (layer_hint) {
+ if (layer_hint->package_window + CIRCWINDOW_INCREMENT >
+ CIRCWINDOW_START_MAX) {
+ static struct ratelim_t exit_warn_ratelim = RATELIM_INIT(600);
+ log_fn_ratelim(&exit_warn_ratelim, LOG_WARN, LD_PROTOCOL,
+ "Unexpected sendme cell from exit relay. "
+ "Closing circ.");
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+ layer_hint->package_window += CIRCWINDOW_INCREMENT;
+ log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
+ layer_hint->package_window);
+ circuit_resume_edge_reading(circ, layer_hint);
+
+ /* We count circuit-level sendme's as valid delivered data because
+ * they are rate limited.
+ */
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ),
+ rh.length);
+ }
+
+ } else {
+ if (circ->package_window + CIRCWINDOW_INCREMENT >
+ CIRCWINDOW_START_MAX) {
+ static struct ratelim_t client_warn_ratelim = RATELIM_INIT(600);
+ log_fn_ratelim(&client_warn_ratelim,LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Unexpected sendme cell from client. "
+ "Closing circ (window %d).",
+ circ->package_window);
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+ circ->package_window += CIRCWINDOW_INCREMENT;
+ log_debug(LD_APP,
+ "circ-level sendme at non-origin, packagewindow %d.",
+ circ->package_window);
+ circuit_resume_edge_reading(circ, layer_hint);
+ }
+ return 0;
+ }
+ if (!conn) {
++ if (CIRCUIT_IS_ORIGIN(circ)) {
++ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
++ if (connection_half_edge_is_valid_sendme(ocirc->half_streams,
++ rh.stream_id)) {
++ circuit_read_valid_data(ocirc, rh.length);
++ log_info(domain,
++ "sendme cell on circ %u valid on half-closed "
++ "stream id %d", ocirc->global_identifier, rh.stream_id);
++ }
++ }
++
+ log_info(domain,"sendme cell dropped, unknown stream (streamid %d).",
+ rh.stream_id);
+ return 0;
+ }
+
+ /* Don't allow the other endpoint to request more than our maximum
+ * (i.e. initial) stream SENDME window worth of data. Well-behaved
+ * stock clients will not request more than this max (as per the check
+ * in the while loop of connection_edge_consider_sending_sendme()).
+ */
+ if (conn->package_window + STREAMWINDOW_INCREMENT >
+ STREAMWINDOW_START_MAX) {
+ static struct ratelim_t stream_warn_ratelim = RATELIM_INIT(600);
+ log_fn_ratelim(&stream_warn_ratelim, LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Unexpected stream sendme cell. Closing circ (window %d).",
+ conn->package_window);
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+
+ /* At this point, the stream sendme is valid */
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ),
+ rh.length);
+ }
+
+ conn->package_window += STREAMWINDOW_INCREMENT;
+ log_debug(domain,"stream-level sendme, packagewindow now %d.",
+ conn->package_window);
+ if (circuit_queue_streams_are_blocked(circ)) {
+ /* Still waiting for queue to flush; don't touch conn */
+ return 0;
+ }
+ connection_start_reading(TO_CONN(conn));
+ /* handle whatever might still be on the inbuf */
+ if (connection_edge_package_raw_inbuf(conn, 1, NULL) < 0) {
+ /* (We already sent an end cell if possible) */
+ connection_mark_for_close(TO_CONN(conn));
+ return 0;
+ }
+ return 0;
+ case RELAY_COMMAND_RESOLVE:
+ if (layer_hint) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "resolve request unsupported at AP; dropping.");
+ return 0;
+ } else if (conn) {
+ log_fn(LOG_PROTOCOL_WARN, domain,
+ "resolve request for known stream; dropping.");
+ return 0;
+ } else if (circ->purpose != CIRCUIT_PURPOSE_OR) {
+ log_fn(LOG_PROTOCOL_WARN, domain,
+ "resolve request on circ with purpose %d; dropping",
+ circ->purpose);
+ return 0;
+ }
+ connection_exit_begin_resolve(cell, TO_OR_CIRCUIT(circ));
+ return 0;
+ case RELAY_COMMAND_RESOLVED:
+ if (conn) {
+ log_fn(LOG_PROTOCOL_WARN, domain,
+ "'resolved' unsupported while open. Closing circ.");
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
++
++ if (CIRCUIT_IS_ORIGIN(circ)) {
++ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
++ if (connection_half_edge_is_valid_resolved(ocirc->half_streams,
++ rh.stream_id)) {
++ circuit_read_valid_data(ocirc, rh.length);
++ log_info(domain,
++ "resolved cell on circ %u valid on half-closed "
++ "stream id %d", ocirc->global_identifier, rh.stream_id);
++ return 0;
++ }
++ }
++
+ log_info(domain,
+ "'resolved' received, no conn attached anymore. Ignoring.");
+ return 0;
+ case RELAY_COMMAND_ESTABLISH_INTRO:
+ case RELAY_COMMAND_ESTABLISH_RENDEZVOUS:
+ case RELAY_COMMAND_INTRODUCE1:
+ case RELAY_COMMAND_INTRODUCE2:
+ case RELAY_COMMAND_INTRODUCE_ACK:
+ case RELAY_COMMAND_RENDEZVOUS1:
+ case RELAY_COMMAND_RENDEZVOUS2:
+ case RELAY_COMMAND_INTRO_ESTABLISHED:
+ case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
+ rend_process_relay_cell(circ, layer_hint,
+ rh.command, rh.length,
+ cell->payload+RELAY_HEADER_SIZE);
+ return 0;
+ }
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Received unknown relay command %d. Perhaps the other side is using "
+ "a newer version of Tor? Dropping.",
+ rh.command);
+ return 0; /* for forward compatibility, don't kill the circuit */
+}
+
+/** How many relay_data cells have we built, ever? */
+uint64_t stats_n_data_cells_packaged = 0;
+/** How many bytes of data have we put in the relay_data cells we have built,
+ * ever? This would be RELAY_PAYLOAD_SIZE*stats_n_data_cells_packaged if
+ * every relay cell we ever sent were completely full of data. */
+uint64_t stats_n_data_bytes_packaged = 0;
+/** How many relay_data cells have we received, ever? */
+uint64_t stats_n_data_cells_received = 0;
+/** How many bytes of data have we received in relay_data cells, ever? This
+ * would be RELAY_PAYLOAD_SIZE*stats_n_data_cells_received if every relay
+ * cell we ever received were completely full of data. */
+uint64_t stats_n_data_bytes_received = 0;
+
+/** If <b>conn</b> has an entire relay payload of bytes on its inbuf (or
+ * <b>package_partial</b> is true), and the appropriate package windows aren't
+ * empty, grab a cell and send it down the circuit.
+ *
+ * If <b>max_cells</b> is non-NULL, package no more than *<b>max_cells</b>
+ * cells, and decrement *<b>max_cells</b> by the number of cells packaged.
+ *
+ * Return -1 (and send a RELAY_COMMAND_END cell if necessary) if conn should
+ * be marked for close, else return 0.
+ */
+int
+connection_edge_package_raw_inbuf(edge_connection_t *conn, int package_partial,
+ int *max_cells)
+{
+ size_t bytes_to_process, length;
+ char payload[CELL_PAYLOAD_SIZE];
+ circuit_t *circ;
+ const unsigned domain = conn->base_.type == CONN_TYPE_AP ? LD_APP : LD_EXIT;
+ int sending_from_optimistic = 0;
+ entry_connection_t *entry_conn =
+ conn->base_.type == CONN_TYPE_AP ? EDGE_TO_ENTRY_CONN(conn) : NULL;
+ const int sending_optimistically =
+ entry_conn &&
+ conn->base_.type == CONN_TYPE_AP &&
+ conn->base_.state != AP_CONN_STATE_OPEN;
+ crypt_path_t *cpath_layer = conn->cpath_layer;
+
+ tor_assert(conn);
+
+ if (conn->base_.marked_for_close) {
+ log_warn(LD_BUG,
+ "called on conn that's already marked for close at %s:%d.",
+ conn->base_.marked_for_close_file, conn->base_.marked_for_close);
+ return 0;
+ }
+
+ if (max_cells && *max_cells <= 0)
+ return 0;
+
+ repeat_connection_edge_package_raw_inbuf:
+
+ circ = circuit_get_by_edge_conn(conn);
+ if (!circ) {
+ log_info(domain,"conn has no circuit! Closing.");
+ conn->end_reason = END_STREAM_REASON_CANT_ATTACH;
+ return -1;
+ }
+
+ if (circuit_consider_stop_edge_reading(circ, cpath_layer))
+ return 0;
+
+ if (conn->package_window <= 0) {
+ log_info(domain,"called with package_window %d. Skipping.",
+ conn->package_window);
+ connection_stop_reading(TO_CONN(conn));
+ return 0;
+ }
+
+ sending_from_optimistic = entry_conn &&
+ entry_conn->sending_optimistic_data != NULL;
+
+ if (PREDICT_UNLIKELY(sending_from_optimistic)) {
+ bytes_to_process = buf_datalen(entry_conn->sending_optimistic_data);
+ if (PREDICT_UNLIKELY(!bytes_to_process)) {
+ log_warn(LD_BUG, "sending_optimistic_data was non-NULL but empty");
+ bytes_to_process = connection_get_inbuf_len(TO_CONN(conn));
+ sending_from_optimistic = 0;
+ }
+ } else {
+ bytes_to_process = connection_get_inbuf_len(TO_CONN(conn));
+ }
+
+ if (!bytes_to_process)
+ return 0;
+
+ if (!package_partial && bytes_to_process < RELAY_PAYLOAD_SIZE)
+ return 0;
+
+ if (bytes_to_process > RELAY_PAYLOAD_SIZE) {
+ length = RELAY_PAYLOAD_SIZE;
+ } else {
+ length = bytes_to_process;
+ }
+ stats_n_data_bytes_packaged += length;
+ stats_n_data_cells_packaged += 1;
+
+ if (PREDICT_UNLIKELY(sending_from_optimistic)) {
+ /* XXXX We could be more efficient here by sometimes packing
+ * previously-sent optimistic data in the same cell with data
+ * from the inbuf. */
+ buf_get_bytes(entry_conn->sending_optimistic_data, payload, length);
+ if (!buf_datalen(entry_conn->sending_optimistic_data)) {
+ buf_free(entry_conn->sending_optimistic_data);
+ entry_conn->sending_optimistic_data = NULL;
+ }
+ } else {
+ connection_buf_get_bytes(payload, length, TO_CONN(conn));
+ }
+
+ log_debug(domain,TOR_SOCKET_T_FORMAT": Packaging %d bytes (%d waiting).",
+ conn->base_.s,
+ (int)length, (int)connection_get_inbuf_len(TO_CONN(conn)));
+
+ if (sending_optimistically && !sending_from_optimistic) {
+ /* This is new optimistic data; remember it in case we need to detach and
+ retry */
+ if (!entry_conn->pending_optimistic_data)
+ entry_conn->pending_optimistic_data = buf_new();
+ buf_add(entry_conn->pending_optimistic_data, payload, length);
+ }
+
+ if (connection_edge_send_command(conn, RELAY_COMMAND_DATA,
+ payload, length) < 0 ) {
+ /* circuit got marked for close, don't continue, don't need to mark conn */
+ return 0;
+ }
+
+ if (!cpath_layer) { /* non-rendezvous exit */
+ tor_assert(circ->package_window > 0);
+ circ->package_window--;
+ } else { /* we're an AP, or an exit on a rendezvous circ */
+ tor_assert(cpath_layer->package_window > 0);
+ cpath_layer->package_window--;
+ }
+
+ if (--conn->package_window <= 0) { /* is it 0 after decrement? */
+ connection_stop_reading(TO_CONN(conn));
+ log_debug(domain,"conn->package_window reached 0.");
+ circuit_consider_stop_edge_reading(circ, cpath_layer);
+ return 0; /* don't process the inbuf any more */
+ }
+ log_debug(domain,"conn->package_window is now %d",conn->package_window);
+
+ if (max_cells) {
+ *max_cells -= 1;
+ if (*max_cells <= 0)
+ return 0;
+ }
+
+ /* handle more if there's more, or return 0 if there isn't */
+ goto repeat_connection_edge_package_raw_inbuf;
+}
+
+/** Called when we've just received a relay data cell, when
+ * we've just finished flushing all bytes to stream <b>conn</b>,
+ * or when we've flushed *some* bytes to the stream <b>conn</b>.
+ *
+ * If conn->outbuf is not too full, and our deliver window is
+ * low, send back a suitable number of stream-level sendme cells.
+ */
+void
+connection_edge_consider_sending_sendme(edge_connection_t *conn)
+{
+ circuit_t *circ;
+
+ if (connection_outbuf_too_full(TO_CONN(conn)))
+ return;
+
+ circ = circuit_get_by_edge_conn(conn);
+ if (!circ) {
+ /* this can legitimately happen if the destroy has already
+ * arrived and torn down the circuit */
+ log_info(LD_APP,"No circuit associated with conn. Skipping.");
+ return;
+ }
+
+ while (conn->deliver_window <= STREAMWINDOW_START - STREAMWINDOW_INCREMENT) {
+ log_debug(conn->base_.type == CONN_TYPE_AP ?LD_APP:LD_EXIT,
+ "Outbuf %d, Queuing stream sendme.",
+ (int)conn->base_.outbuf_flushlen);
+ conn->deliver_window += STREAMWINDOW_INCREMENT;
+ if (connection_edge_send_command(conn, RELAY_COMMAND_SENDME,
+ NULL, 0) < 0) {
+ log_warn(LD_APP,"connection_edge_send_command failed. Skipping.");
+ return; /* the circuit's closed, don't continue */
+ }
+ }
+}
+
+/** The circuit <b>circ</b> has received a circuit-level sendme
+ * (on hop <b>layer_hint</b>, if we're the OP). Go through all the
+ * attached streams and let them resume reading and packaging, if
+ * their stream windows allow it.
+ */
+static void
+circuit_resume_edge_reading(circuit_t *circ, crypt_path_t *layer_hint)
+{
+ if (circuit_queue_streams_are_blocked(circ)) {
+ log_debug(layer_hint?LD_APP:LD_EXIT,"Too big queue, no resuming");
+ return;
+ }
+ log_debug(layer_hint?LD_APP:LD_EXIT,"resuming");
+
+ if (CIRCUIT_IS_ORIGIN(circ))
+ circuit_resume_edge_reading_helper(TO_ORIGIN_CIRCUIT(circ)->p_streams,
+ circ, layer_hint);
+ else
+ circuit_resume_edge_reading_helper(TO_OR_CIRCUIT(circ)->n_streams,
+ circ, layer_hint);
+}
+
+void
+stream_choice_seed_weak_rng(void)
+{
+ crypto_seed_weak_rng(&stream_choice_rng);
+}
+
+/** A helper function for circuit_resume_edge_reading() above.
+ * The arguments are the same, except that <b>conn</b> is the head
+ * of a linked list of edge streams that should each be considered.
+ */
+static int
+circuit_resume_edge_reading_helper(edge_connection_t *first_conn,
+ circuit_t *circ,
+ crypt_path_t *layer_hint)
+{
+ edge_connection_t *conn;
+ int n_packaging_streams, n_streams_left;
+ int packaged_this_round;
+ int cells_on_queue;
+ int cells_per_conn;
+ edge_connection_t *chosen_stream = NULL;
+ int max_to_package;
+
+ if (first_conn == NULL) {
+ /* Don't bother to try to do the rest of this if there are no connections
+ * to resume. */
+ return 0;
+ }
+
+ /* How many cells do we have space for? It will be the minimum of
+ * the number needed to exhaust the package window and the number
+ * needed to fill the cell queue. */
+ max_to_package = circ->package_window;
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ cells_on_queue = circ->n_chan_cells.n;
+ } else {
+ or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
+ cells_on_queue = or_circ->p_chan_cells.n;
+ }
+ if (CELL_QUEUE_HIGHWATER_SIZE - cells_on_queue < max_to_package)
+ max_to_package = CELL_QUEUE_HIGHWATER_SIZE - cells_on_queue;
+
+ /* We used to start listening on the streams in the order they
+ * appeared in the linked list. That led to starvation of the
+ * streams that appeared later on the list, since the first streams
+ * would always get to read first. Instead, we just pick a random
+ * stream on the list, and enable reading for streams starting at that
+ * point (and wrapping around as if the list were circular). It would
+ * probably be better to actually remember which streams we've
+ * serviced in the past, but this is simple and effective. */
+
+ /* Select a stream uniformly at random from the linked list. We
+ * don't need cryptographic randomness here. */
+ {
+ int num_streams = 0;
+ for (conn = first_conn; conn; conn = conn->next_stream) {
+ num_streams++;
+ if (tor_weak_random_one_in_n(&stream_choice_rng, num_streams)) {
+ chosen_stream = conn;
+ }
+ /* Invariant: chosen_stream has been chosen uniformly at random from
+ * among the first num_streams streams on first_conn.
+ *
+ * (Note that we iterate over every stream on the circuit, so that after
+ * we've considered the first stream, we've chosen it with P=1; and
+ * after we consider the second stream, we've switched to it with P=1/2
+ * and stayed with the first stream with P=1/2; and after we've
+ * considered the third stream, we've switched to it with P=1/3 and
+ * remained with one of the first two streams with P=(2/3), giving each
+ * one P=(1/2)(2/3)=(1/3).) */
+ }
+ }
+
+ /* Count how many non-marked streams there are that have anything on
+ * their inbuf, and enable reading on all of the connections. */
+ n_packaging_streams = 0;
+ /* Activate reading starting from the chosen stream */
+ for (conn=chosen_stream; conn; conn = conn->next_stream) {
+ /* Start reading for the streams starting from here */
+ if (conn->base_.marked_for_close || conn->package_window <= 0)
+ continue;
+ if (!layer_hint || conn->cpath_layer == layer_hint) {
+ connection_start_reading(TO_CONN(conn));
+
+ if (connection_get_inbuf_len(TO_CONN(conn)) > 0)
+ ++n_packaging_streams;
+ }
+ }
+ /* Go back and do the ones we skipped, circular-style */
+ for (conn = first_conn; conn != chosen_stream; conn = conn->next_stream) {
+ if (conn->base_.marked_for_close || conn->package_window <= 0)
+ continue;
+ if (!layer_hint || conn->cpath_layer == layer_hint) {
+ connection_start_reading(TO_CONN(conn));
+
+ if (connection_get_inbuf_len(TO_CONN(conn)) > 0)
+ ++n_packaging_streams;
+ }
+ }
+
+ if (n_packaging_streams == 0) /* avoid divide-by-zero */
+ return 0;
+
+ again:
+
+ cells_per_conn = CEIL_DIV(max_to_package, n_packaging_streams);
+
+ packaged_this_round = 0;
+ n_streams_left = 0;
+
+ /* Iterate over all connections. Package up to cells_per_conn cells on
+ * each. Update packaged_this_round with the total number of cells
+ * packaged, and n_streams_left with the number that still have data to
+ * package.
+ */
+ for (conn=first_conn; conn; conn=conn->next_stream) {
+ if (conn->base_.marked_for_close || conn->package_window <= 0)
+ continue;
+ if (!layer_hint || conn->cpath_layer == layer_hint) {
+ int n = cells_per_conn, r;
+ /* handle whatever might still be on the inbuf */
+ r = connection_edge_package_raw_inbuf(conn, 1, &n);
+
+ /* Note how many we packaged */
+ packaged_this_round += (cells_per_conn-n);
+
+ if (r<0) {
+ /* Problem while packaging. (We already sent an end cell if
+ * possible) */
+ connection_mark_for_close(TO_CONN(conn));
+ continue;
+ }
+
+ /* If there's still data to read, we'll be coming back to this stream. */
+ if (connection_get_inbuf_len(TO_CONN(conn)))
+ ++n_streams_left;
+
+ /* If the circuit won't accept any more data, return without looking
+ * at any more of the streams. Any connections that should be stopped
+ * have already been stopped by connection_edge_package_raw_inbuf. */
+ if (circuit_consider_stop_edge_reading(circ, layer_hint))
+ return -1;
+ /* XXXX should we also stop immediately if we fill up the cell queue?
+ * Probably. */
+ }
+ }
+
+ /* If we made progress, and we are willing to package more, and there are
+ * any streams left that want to package stuff... try again!
+ */
+ if (packaged_this_round && packaged_this_round < max_to_package &&
+ n_streams_left) {
+ max_to_package -= packaged_this_round;
+ n_packaging_streams = n_streams_left;
+ goto again;
+ }
+
+ return 0;
+}
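+
+/* A minimal standalone sketch (illustrative only; "example_pick_uniform_index"
+ * is a hypothetical helper, not called from anywhere) of the single-pass
+ * uniform selection used in circuit_resume_edge_reading_helper() above:
+ * replace the current choice with element i with probability 1/i, which
+ * leaves every one of the n elements chosen with probability 1/n. */
+static inline int
+example_pick_uniform_index(int n_items)
+{
+ int chosen = -1, i;
+ for (i = 1; i <= n_items; i++) {
+ /* tor_weak_random_one_in_n() returns true with probability 1/i. */
+ if (tor_weak_random_one_in_n(&stream_choice_rng, i))
+ chosen = i - 1;
+ }
+ return chosen; /* uniform over 0..n_items-1 (or -1 if n_items == 0) */
+}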
+
+/** Check if the package window for <b>circ</b> is empty (at
+ * hop <b>layer_hint</b> if it's defined).
+ *
+ * If yes, tell edge streams to stop reading and return 1.
+ * Else return 0.
+ */
+static int
+circuit_consider_stop_edge_reading(circuit_t *circ, crypt_path_t *layer_hint)
+{
+ edge_connection_t *conn = NULL;
+ unsigned domain = layer_hint ? LD_APP : LD_EXIT;
+
+ if (!layer_hint) {
+ or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
+ log_debug(domain,"considering circ->package_window %d",
+ circ->package_window);
+ if (circ->package_window <= 0) {
+ log_debug(domain,"yes, not-at-origin. stopped.");
+ for (conn = or_circ->n_streams; conn; conn=conn->next_stream)
+ connection_stop_reading(TO_CONN(conn));
+ return 1;
+ }
+ return 0;
+ }
+ /* else, layer hint is defined, use it */
+ log_debug(domain,"considering layer_hint->package_window %d",
+ layer_hint->package_window);
+ if (layer_hint->package_window <= 0) {
+ log_debug(domain,"yes, at-origin. stopped.");
+ for (conn = TO_ORIGIN_CIRCUIT(circ)->p_streams; conn;
+ conn=conn->next_stream) {
+ if (conn->cpath_layer == layer_hint)
+ connection_stop_reading(TO_CONN(conn));
+ }
+ return 1;
+ }
+ return 0;
+}
+
+/** Check if the deliver_window for circuit <b>circ</b> (at hop
+ * <b>layer_hint</b> if it's defined) is low enough that we should
+ * send a circuit-level sendme back down the circuit. If so, send
+ * enough sendmes that the window would be overfull if we sent any
+ * more.
+ */
+static void
+circuit_consider_sending_sendme(circuit_t *circ, crypt_path_t *layer_hint)
+{
+// log_fn(LOG_INFO,"Considering: layer_hint is %s",
+// layer_hint ? "defined" : "null");
+ while ((layer_hint ? layer_hint->deliver_window : circ->deliver_window) <=
+ CIRCWINDOW_START - CIRCWINDOW_INCREMENT) {
+ log_debug(LD_CIRC,"Queuing circuit sendme.");
+ if (layer_hint)
+ layer_hint->deliver_window += CIRCWINDOW_INCREMENT;
+ else
+ circ->deliver_window += CIRCWINDOW_INCREMENT;
+ if (relay_send_command_from_edge(0, circ, RELAY_COMMAND_SENDME,
+ NULL, 0, layer_hint) < 0) {
+ log_warn(LD_CIRC,
+ "relay_send_command_from_edge failed. Circuit's closed.");
+ return; /* the circuit's closed, don't continue */
+ }
+ }
+}
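+
+/* A minimal sketch (illustrative only; "example_n_circ_sendmes_due" is a
+ * hypothetical helper, not used anywhere): the bookkeeping performed by
+ * circuit_consider_sending_sendme() above, expressed as a pure function.
+ * Every CIRCWINDOW_INCREMENT cells of slack below CIRCWINDOW_START earns
+ * one circuit-level sendme, each of which restores that much window. */
+static inline int
+example_n_circ_sendmes_due(int deliver_window)
+{
+ int n = 0;
+ while (deliver_window <= CIRCWINDOW_START - CIRCWINDOW_INCREMENT) {
+ deliver_window += CIRCWINDOW_INCREMENT;
+ ++n;
+ }
+ return n; /* number of sendme cells the loop above would queue */
+}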
+
+/** The total number of cells we have allocated. */
+static size_t total_cells_allocated = 0;
+
+/** Release storage held by <b>cell</b>. */
+static inline void
+packed_cell_free_unchecked(packed_cell_t *cell)
+{
+ --total_cells_allocated;
+ tor_free(cell);
+}
+
+/** Allocate and return a new packed_cell_t. */
+STATIC packed_cell_t *
+packed_cell_new(void)
+{
+ ++total_cells_allocated;
+ return tor_malloc_zero(sizeof(packed_cell_t));
+}
+
+/** Free a packed cell that is no longer in use by the channel_t lower
+ * layer. */
+void
+packed_cell_free_(packed_cell_t *cell)
+{
+ if (!cell)
+ return;
+ packed_cell_free_unchecked(cell);
+}
+
+/** Log current statistics for cell pool allocation at log level
+ * <b>severity</b>. */
+void
+dump_cell_pool_usage(int severity)
+{
+ int n_circs = 0;
+ int n_cells = 0;
+ SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, c) {
+ n_cells += c->n_chan_cells.n;
+ if (!CIRCUIT_IS_ORIGIN(c))
+ n_cells += TO_OR_CIRCUIT(c)->p_chan_cells.n;
+ ++n_circs;
+ }
+ SMARTLIST_FOREACH_END(c);
+ tor_log(severity, LD_MM,
+ "%d cells allocated on %d circuits. %d cells leaked.",
+ n_cells, n_circs, (int)total_cells_allocated - n_cells);
+}
+
+/** Allocate a new copy of packed <b>cell</b>. */
+static inline packed_cell_t *
+packed_cell_copy(const cell_t *cell, int wide_circ_ids)
+{
+ packed_cell_t *c = packed_cell_new();
+ cell_pack(c, cell, wide_circ_ids);
+ return c;
+}
+
+/** Append <b>cell</b> to the end of <b>queue</b>. */
+void
+cell_queue_append(cell_queue_t *queue, packed_cell_t *cell)
+{
+ TOR_SIMPLEQ_INSERT_TAIL(&queue->head, cell, next);
+ ++queue->n;
+}
+
+/** Append a newly allocated copy of <b>cell</b> to the end of the
+ * <b>exitward</b> (or app-ward) <b>queue</b> of <b>circ</b>. If
+ * <b>use_stats</b> is true, record statistics about the cell.
+ */
+void
+cell_queue_append_packed_copy(circuit_t *circ, cell_queue_t *queue,
+ int exitward, const cell_t *cell,
+ int wide_circ_ids, int use_stats)
+{
+ packed_cell_t *copy = packed_cell_copy(cell, wide_circ_ids);
+ (void)circ;
+ (void)exitward;
+ (void)use_stats;
+
+ copy->inserted_timestamp = monotime_coarse_get_stamp();
+
+ cell_queue_append(queue, copy);
+}
+
+/** Initialize <b>queue</b> as an empty cell queue. */
+void
+cell_queue_init(cell_queue_t *queue)
+{
+ memset(queue, 0, sizeof(cell_queue_t));
+ TOR_SIMPLEQ_INIT(&queue->head);
+}
+
+/** Remove and free every cell in <b>queue</b>. */
+void
+cell_queue_clear(cell_queue_t *queue)
+{
+ packed_cell_t *cell;
+ while ((cell = TOR_SIMPLEQ_FIRST(&queue->head))) {
+ TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
+ packed_cell_free_unchecked(cell);
+ }
+ TOR_SIMPLEQ_INIT(&queue->head);
+ queue->n = 0;
+}
+
+/** Extract and return the cell at the head of <b>queue</b>; return NULL if
+ * <b>queue</b> is empty. */
+STATIC packed_cell_t *
+cell_queue_pop(cell_queue_t *queue)
+{
+ packed_cell_t *cell = TOR_SIMPLEQ_FIRST(&queue->head);
+ if (!cell)
+ return NULL;
+ TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
+ --queue->n;
+ return cell;
+}
+
+/** Initialize <b>queue</b> as an empty cell queue. */
+void
+destroy_cell_queue_init(destroy_cell_queue_t *queue)
+{
+ memset(queue, 0, sizeof(destroy_cell_queue_t));
+ TOR_SIMPLEQ_INIT(&queue->head);
+}
+
+/** Remove and free every cell in <b>queue</b>. */
+void
+destroy_cell_queue_clear(destroy_cell_queue_t *queue)
+{
+ destroy_cell_t *cell;
+ while ((cell = TOR_SIMPLEQ_FIRST(&queue->head))) {
+ TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
+ tor_free(cell);
+ }
+ TOR_SIMPLEQ_INIT(&queue->head);
+ queue->n = 0;
+}
+
+/** Extract and return the cell at the head of <b>queue</b>; return NULL if
+ * <b>queue</b> is empty. */
+STATIC destroy_cell_t *
+destroy_cell_queue_pop(destroy_cell_queue_t *queue)
+{
+ destroy_cell_t *cell = TOR_SIMPLEQ_FIRST(&queue->head);
+ if (!cell)
+ return NULL;
+ TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
+ --queue->n;
+ return cell;
+}
+
+/** Append a destroy cell for <b>circid</b> to <b>queue</b>. */
+void
+destroy_cell_queue_append(destroy_cell_queue_t *queue,
+ circid_t circid,
+ uint8_t reason)
+{
+ destroy_cell_t *cell = tor_malloc_zero(sizeof(destroy_cell_t));
+ cell->circid = circid;
+ cell->reason = reason;
+ /* Not yet used, but will be required for OOM handling. */
+ cell->inserted_timestamp = monotime_coarse_get_stamp();
+
+ TOR_SIMPLEQ_INSERT_TAIL(&queue->head, cell, next);
+ ++queue->n;
+}
+
+/** Convert a destroy_cell_t into a newly allocated packed_cell_t. Frees its
+ * input. */
+static packed_cell_t *
+destroy_cell_to_packed_cell(destroy_cell_t *inp, int wide_circ_ids)
+{
+ packed_cell_t *packed = packed_cell_new();
+ cell_t cell;
+ memset(&cell, 0, sizeof(cell));
+ cell.circ_id = inp->circid;
+ cell.command = CELL_DESTROY;
+ cell.payload[0] = inp->reason;
+ cell_pack(packed, &cell, wide_circ_ids);
+
+ tor_free(inp);
+ return packed;
+}
+
+/** Return the total number of bytes used for each packed_cell in a queue.
+ * Approximate. */
+size_t
+packed_cell_mem_cost(void)
+{
+ return sizeof(packed_cell_t);
+}
+
+/** Return the approximate number of bytes consumed by all currently
+ * allocated packed cells. */
+size_t
+cell_queues_get_total_allocation(void)
+{
+ return total_cells_allocated * packed_cell_mem_cost();
+}
+
+/** How long after we've been low on memory should we try to conserve it? */
+#define MEMORY_PRESSURE_INTERVAL (30*60)
+
+/** The time at which we were last low on memory. */
+static time_t last_time_under_memory_pressure = 0;
+
+/** Check whether we've got too much space used for cells. If so,
+ * call the OOM handler and return 1. Otherwise, return 0. */
+STATIC int
+cell_queues_check_size(void)
+{
+ time_t now = time(NULL);
+ size_t alloc = cell_queues_get_total_allocation();
+ alloc += buf_get_total_allocation();
+ alloc += tor_compress_get_total_allocation();
+ const size_t rend_cache_total = rend_cache_get_total_allocation();
+ alloc += rend_cache_total;
+ const size_t geoip_client_cache_total =
+ geoip_client_cache_total_allocation();
+ alloc += geoip_client_cache_total;
+ const size_t dns_cache_total = dns_cache_total_allocation();
+ alloc += dns_cache_total;
+ if (alloc >= get_options()->MaxMemInQueues_low_threshold) {
+ last_time_under_memory_pressure = approx_time();
+ if (alloc >= get_options()->MaxMemInQueues) {
+ /* If we're spending over 20% of the memory limit on hidden service
+ * descriptors, free them until we're down to 10%. Do the same for the
+ * geoip client cache and the DNS cache. */
+ if (rend_cache_total > get_options()->MaxMemInQueues / 5) {
+ const size_t bytes_to_remove =
+ rend_cache_total - (size_t)(get_options()->MaxMemInQueues / 10);
+ alloc -= hs_cache_handle_oom(now, bytes_to_remove);
+ }
+ if (geoip_client_cache_total > get_options()->MaxMemInQueues / 5) {
+ const size_t bytes_to_remove =
+ geoip_client_cache_total -
+ (size_t)(get_options()->MaxMemInQueues / 10);
+ alloc -= geoip_client_cache_handle_oom(now, bytes_to_remove);
+ }
+ if (dns_cache_total > get_options()->MaxMemInQueues / 5) {
+ const size_t bytes_to_remove =
+ dns_cache_total - (size_t)(get_options()->MaxMemInQueues / 10);
+ alloc -= dns_cache_handle_oom(now, bytes_to_remove);
+ }
+ circuits_handle_oom(alloc);
+ return 1;
+ }
+ }
+ return 0;
+}
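+
+/* The accounting above is deliberately coarse: it sums the cell queues,
+ * connection buffers, compression state, the rend/HS descriptor cache, the
+ * geoip client cache, and the DNS cache, then compares the total against
+ * MaxMemInQueues before invoking the circuit OOM handler. */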
+
+/** Return true if we've been under memory pressure in the last
+ * MEMORY_PRESSURE_INTERVAL seconds. */
+int
+have_been_under_memory_pressure(void)
+{
+ return last_time_under_memory_pressure + MEMORY_PRESSURE_INTERVAL
+ > approx_time();
+}
+
+/**
+ * Update the number of cells available on the circuit's n_chan or p_chan's
+ * circuit mux.
+ */
+void
+update_circuit_on_cmux_(circuit_t *circ, cell_direction_t direction,
+ const char *file, int lineno)
+{
+ channel_t *chan = NULL;
+ or_circuit_t *or_circ = NULL;
+ circuitmux_t *cmux = NULL;
+
+ tor_assert(circ);
+
+ /* Okay, get the channel */
+ if (direction == CELL_DIRECTION_OUT) {
+ chan = circ->n_chan;
+ } else {
+ or_circ = TO_OR_CIRCUIT(circ);
+ chan = or_circ->p_chan;
+ }
+
+ tor_assert(chan);
+ tor_assert(chan->cmux);
+
+ /* Now get the cmux */
+ cmux = chan->cmux;
+
+ /* Cmux sanity check */
+ if (! circuitmux_is_circuit_attached(cmux, circ)) {
+ log_warn(LD_BUG, "called on non-attached circuit from %s:%d",
+ file, lineno);
+ return;
+ }
+ tor_assert(circuitmux_attached_circuit_direction(cmux, circ) == direction);
+
+ /* Update the number of cells we have for the circuit mux */
+ if (direction == CELL_DIRECTION_OUT) {
+ circuitmux_set_num_cells(cmux, circ, circ->n_chan_cells.n);
+ } else {
+ circuitmux_set_num_cells(cmux, circ, or_circ->p_chan_cells.n);
+ }
+}
+
+/** Remove all circuits from the cmux on <b>chan</b>.
+ *
+ * If <b>circuits_out</b> is non-NULL, add all detached circuits to
+ * <b>circuits_out</b>.
+ **/
+void
+channel_unlink_all_circuits(channel_t *chan, smartlist_t *circuits_out)
+{
+ tor_assert(chan);
+ tor_assert(chan->cmux);
+
+ circuitmux_detach_all_circuits(chan->cmux, circuits_out);
+ chan->num_n_circuits = 0;
+ chan->num_p_circuits = 0;
+}
+
+/** Block (if <b>block</b> is true) or unblock (if <b>block</b> is false)
+ * every edge connection that is using <b>circ</b> to write to <b>chan</b>,
+ * and start or stop reading as appropriate.
+ *
+ * If <b>stream_id</b> is nonzero, block only the edge connection whose
+ * stream_id matches it.
+ *
+ * Returns the number of streams whose status we changed.
+ */
+static int
+set_streams_blocked_on_circ(circuit_t *circ, channel_t *chan,
+ int block, streamid_t stream_id)
+{
+ edge_connection_t *edge = NULL;
+ int n = 0;
+ if (circ->n_chan == chan) {
+ circ->streams_blocked_on_n_chan = block;
+ if (CIRCUIT_IS_ORIGIN(circ))
+ edge = TO_ORIGIN_CIRCUIT(circ)->p_streams;
+ } else {
+ circ->streams_blocked_on_p_chan = block;
+ tor_assert(!CIRCUIT_IS_ORIGIN(circ));
+ edge = TO_OR_CIRCUIT(circ)->n_streams;
+ }
+
+ for (; edge; edge = edge->next_stream) {
+ connection_t *conn = TO_CONN(edge);
+ if (stream_id && edge->stream_id != stream_id)
+ continue;
+
+ if (edge->edge_blocked_on_circ != block) {
+ ++n;
+ edge->edge_blocked_on_circ = block;
+ }
+
+ if (!conn->read_event) {
+ /* This connection is a placeholder for something; probably a DNS
+ * request. It can't actually stop or start reading.*/
+ continue;
+ }
+
+ if (block) {
+ if (connection_is_reading(conn))
+ connection_stop_reading(conn);
+ } else {
+ /* Is this right? */
+ if (!connection_is_reading(conn))
+ connection_start_reading(conn);
+ }
+ }
+
+ return n;
+}
+
+/** Extract the command from a packed cell. */
+static uint8_t
+packed_cell_get_command(const packed_cell_t *cell, int wide_circ_ids)
+{
+ if (wide_circ_ids) {
+ return get_uint8(cell->body+4);
+ } else {
+ return get_uint8(cell->body+2);
+ }
+}
+
+/** Extract the circuit ID from a packed cell. */
+circid_t
+packed_cell_get_circid(const packed_cell_t *cell, int wide_circ_ids)
+{
+ if (wide_circ_ids) {
+ return ntohl(get_uint32(cell->body));
+ } else {
+ return ntohs(get_uint16(cell->body));
+ }
+}
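+
+/* Layout note for the two helpers above: a packed cell starts with the
+ * circuit ID (4 bytes when wide circuit IDs are in use, 2 bytes otherwise),
+ * immediately followed by the one-byte command. That is why the command is
+ * read at offset 4 or 2, and the circuit ID at offset 0. */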
+
+/** Pull as many cells as possible (but no more than <b>max</b>) from the
+ * queue of the first active circuit on <b>chan</b>, and write them to
+ * <b>chan</b>->outbuf. Return the number of cells written. Advance
+ * the active circuit pointer to the next active circuit in the ring. */
+MOCK_IMPL(int,
+channel_flush_from_first_active_circuit, (channel_t *chan, int max))
+{
+ circuitmux_t *cmux = NULL;
+ int n_flushed = 0;
+ cell_queue_t *queue;
+ destroy_cell_queue_t *destroy_queue=NULL;
+ circuit_t *circ;
+ or_circuit_t *or_circ;
+ int streams_blocked;
+ packed_cell_t *cell;
+
+ /* Get the cmux */
+ tor_assert(chan);
+ tor_assert(chan->cmux);
+ cmux = chan->cmux;
+
+ /* Main loop: pick a circuit, send a cell, update the cmux */
+ while (n_flushed < max) {
+ circ = circuitmux_get_first_active_circuit(cmux, &destroy_queue);
+ if (destroy_queue) {
+ destroy_cell_t *dcell;
+ /* this code is duplicated from some of the logic below. Ugly! XXXX */
+ /* If we are given a destroy_queue here, then it is required to be
+ * nonempty... */
+ tor_assert(destroy_queue->n > 0);
+ dcell = destroy_cell_queue_pop(destroy_queue);
+ /* ...and pop() will always yield a cell from a nonempty queue. */
+ tor_assert(dcell);
+ /* frees dcell */
+ cell = destroy_cell_to_packed_cell(dcell, chan->wide_circ_ids);
+ /* Send the DESTROY cell. It is very unlikely that this fails but just
+ * in case, get rid of the channel. */
+ if (channel_write_packed_cell(chan, cell) < 0) {
+ /* The cell has been freed. */
+ channel_mark_for_close(chan);
+ continue;
+ }
+ /* Update the cmux destroy counter */
+ circuitmux_notify_xmit_destroy(cmux);
+ cell = NULL;
+ ++n_flushed;
+ continue;
+ }
+ /* If it returns NULL, no cells left to send */
+ if (!circ) break;
+
+ if (circ->n_chan == chan) {
+ queue = &circ->n_chan_cells;
+ streams_blocked = circ->streams_blocked_on_n_chan;
+ } else {
+ or_circ = TO_OR_CIRCUIT(circ);
+ tor_assert(or_circ->p_chan == chan);
+ queue = &TO_OR_CIRCUIT(circ)->p_chan_cells;
+ streams_blocked = circ->streams_blocked_on_p_chan;
+ }
+
+ /* Circuitmux told us this was active, so it should have cells */
+ if (/*BUG(*/ queue->n == 0 /*)*/) {
+ log_warn(LD_BUG, "Found a supposedly active circuit with no cells "
+ "to send. Trying to recover.");
+ circuitmux_set_num_cells(cmux, circ, 0);
+ if (! circ->marked_for_close)
+ circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
+ continue;
+ }
+
+ tor_assert(queue->n > 0);
+
+ /*
+ * Get just one cell here; once we've sent it, that can change the circuit
+ * selection, so we have to loop around for another even if this circuit
+ * has more than one.
+ */
+ cell = cell_queue_pop(queue);
+
+ /* Calculate the exact time that this cell has spent in the queue. */
+ if (get_options()->CellStatistics ||
+ get_options()->TestingEnableCellStatsEvent) {
+ uint32_t timestamp_now = monotime_coarse_get_stamp();
+ uint32_t msec_waiting =
+ (uint32_t) monotime_coarse_stamp_units_to_approx_msec(
+ timestamp_now - cell->inserted_timestamp);
+
+ if (get_options()->CellStatistics && !CIRCUIT_IS_ORIGIN(circ)) {
+ or_circ = TO_OR_CIRCUIT(circ);
+ or_circ->total_cell_waiting_time += msec_waiting;
+ or_circ->processed_cells++;
+ }
+
+ if (get_options()->TestingEnableCellStatsEvent) {
+ uint8_t command = packed_cell_get_command(cell, chan->wide_circ_ids);
+
+ testing_cell_stats_entry_t *ent =
+ tor_malloc_zero(sizeof(testing_cell_stats_entry_t));
+ ent->command = command;
+ ent->waiting_time = msec_waiting / 10;
+ ent->removed = 1;
+ if (circ->n_chan == chan)
+ ent->exitward = 1;
+ if (!circ->testing_cell_stats)
+ circ->testing_cell_stats = smartlist_new();
+ smartlist_add(circ->testing_cell_stats, ent);
+ }
+ }
+
+ /* If we just flushed our queue and this circuit is used for a
+ * tunneled directory request, possibly advance its state. */
+ if (queue->n == 0 && chan->dirreq_id)
+ geoip_change_dirreq_state(chan->dirreq_id,
+ DIRREQ_TUNNELED,
+ DIRREQ_CIRC_QUEUE_FLUSHED);
+
+ /* Now send the cell. It is very unlikely that this fails but just in
+ * case, get rid of the channel. */
+ if (channel_write_packed_cell(chan, cell) < 0) {
+ /* The cell has been freed at this point. */
+ channel_mark_for_close(chan);
+ continue;
+ }
+ cell = NULL;
+
+ /*
+ * Don't packed_cell_free_unchecked(cell) here because the channel will
+ * do so when it gets out of the channel queue (probably already did, in
+ * which case that was an immediate double-free bug).
+ */
+
+ /* Update the counter */
+ ++n_flushed;
+
+ /*
+ * Now update the cmux; tell it we've just sent a cell, and how many
+ * we have left.
+ */
+ circuitmux_notify_xmit_cells(cmux, circ, 1);
+ circuitmux_set_num_cells(cmux, circ, queue->n);
+ if (queue->n == 0)
+ log_debug(LD_GENERAL, "Made a circuit inactive.");
+
+ /* Is the cell queue low enough to unblock all the streams that are waiting
+ * to write to this circuit? */
+ if (streams_blocked && queue->n <= CELL_QUEUE_LOWWATER_SIZE)
+ set_streams_blocked_on_circ(circ, chan, 0, 0); /* unblock streams */
+
+ /* If n_flushed < max still, loop around and pick another circuit */
+ }
+
+ /* Okay, we're done sending now */
+ return n_flushed;
+}
+
+/* The minimum value is the maximum circuit window size.
+ *
+ * SENDME cells let us control how many cells can be in flight on a circuit
+ * from end to end. This limit caps the number of cells that any single
+ * circuit cell queue can hold.
+ *
+ * Because the Tor protocol allows a client to exit at any hop of a circuit,
+ * and a circuit can have at most 8 hops, the normal worst case is in theory
+ * the circuit window start value times the maximum number of hops (8).
+ * Having more cells than that means something is wrong.
+ *
+ * However, because padding cells aren't counted in the package window, we
+ * set the maximum to a size large enough that we never expect to reach it
+ * in theory. And if we ever do because of future changes, we'll be able to
+ * control it with a consensus parameter.
+ *
+ * XXX: Unfortunately, END cells aren't accounted for in the circuit window
+ * either, which means that if a client opens 8001 streams, the 8001
+ * corresponding END cells will queue up in the circuit, which will get
+ * closed if the max limit is 8000. That is unfortunate because it is
+ * allowed by the Tor protocol. But we need an upper bound on the circuit
+ * queue in order to avoid DoS memory pressure, so the default size is a
+ * middle ground between having no limit and having a very restrictive one.
+ * This is also why we can control it through a consensus parameter. */
+#define RELAY_CIRC_CELL_QUEUE_SIZE_MIN CIRCWINDOW_START_MAX
+/* We can't have a consensus parameter above this value. */
+#define RELAY_CIRC_CELL_QUEUE_SIZE_MAX INT32_MAX
+/* The default is set to a large value so that padding cells, which aren't
+ * accounted for in the SENDME window, can be handled properly. The default
+ * allows 50000 cells in the queue, which comes to roughly 25MB. */
+#define RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT \
+ (50 * RELAY_CIRC_CELL_QUEUE_SIZE_MIN)
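+
+/* Rough arithmetic behind the ~25MB figure above, assuming
+ * CIRCWINDOW_START_MAX is 1000 cells and a packed cell costs on the order
+ * of 512 bytes: 50 * 1000 = 50000 cells, and 50000 * ~512 bytes is about
+ * 25MB per circuit queue at the cap. */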
+
+/* The maximum number of cells a circuit queue can contain. This is updated
+ * at every new consensus and controlled by a consensus parameter. */
+static int32_t max_circuit_cell_queue_size =
+ RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT;
+
+/* Called when the consensus has changed. At this stage, the global consensus
+ * object has NOT been updated. It is called from
+ * notify_before_networkstatus_changes(). */
+void
+relay_consensus_has_changed(const networkstatus_t *ns)
+{
+ tor_assert(ns);
+
+ /* Update the circuit max cell queue size from the consensus. */
+ max_circuit_cell_queue_size =
+ networkstatus_get_param(ns, "circ_max_cell_queue_size",
+ RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT,
+ RELAY_CIRC_CELL_QUEUE_SIZE_MIN,
+ RELAY_CIRC_CELL_QUEUE_SIZE_MAX);
+}
+
+/** Add <b>cell</b> to the queue of <b>circ</b> writing to <b>chan</b>
+ * transmitting in <b>direction</b>.
+ *
+ * The given <b>cell</b> is copied onto the circuit queue, so the caller
+ * retains ownership and must clean up its own copy.
+ *
+ * This function is part of the fast path. */
+void
+append_cell_to_circuit_queue(circuit_t *circ, channel_t *chan,
+ cell_t *cell, cell_direction_t direction,
+ streamid_t fromstream)
+{
+ or_circuit_t *orcirc = NULL;
+ cell_queue_t *queue;
+ int streams_blocked;
+ int exitward;
+ if (circ->marked_for_close)
+ return;
+
+ exitward = (direction == CELL_DIRECTION_OUT);
+ if (exitward) {
+ queue = &circ->n_chan_cells;
+ streams_blocked = circ->streams_blocked_on_n_chan;
+ } else {
+ orcirc = TO_OR_CIRCUIT(circ);
+ queue = &orcirc->p_chan_cells;
+ streams_blocked = circ->streams_blocked_on_p_chan;
+ }
+
+ if (PREDICT_UNLIKELY(queue->n >= max_circuit_cell_queue_size)) {
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "%s circuit has %d cells in its queue, maximum allowed is %d. "
+ "Closing circuit for safety reasons.",
+ (exitward) ? "Outbound" : "Inbound", queue->n,
+ max_circuit_cell_queue_size);
+ circuit_mark_for_close(circ, END_CIRC_REASON_RESOURCELIMIT);
+ stats_n_circ_max_cell_reached++;
+ return;
+ }
+
+ /* Very important that we copy to the circuit queue because all calls to
+ * this function use the stack for the cell memory. */
+ cell_queue_append_packed_copy(circ, queue, exitward, cell,
+ chan->wide_circ_ids, 1);
+
+ /* Check and run the OOM if needed. */
+ if (PREDICT_UNLIKELY(cell_queues_check_size())) {
+ /* We ran the OOM handler which might have closed this circuit. */
+ if (circ->marked_for_close)
+ return;
+ }
+
+ /* If we have too many cells on the circuit, we should stop reading from
+ * the edge streams for a while. */
+ if (!streams_blocked && queue->n >= CELL_QUEUE_HIGHWATER_SIZE)
+ set_streams_blocked_on_circ(circ, chan, 1, 0); /* block streams */
+
+ if (streams_blocked && fromstream) {
+ /* This edge connection is apparently not blocked; block it. */
+ set_streams_blocked_on_circ(circ, chan, 1, fromstream);
+ }
+
+ update_circuit_on_cmux(circ, direction);
+ if (queue->n == 1) {
+ /* This was the first cell added to the queue. We just made this
+ * circuit active. */
+ log_debug(LD_GENERAL, "Made a circuit active.");
+ }
+
+ /* New way: mark this as having waiting cells for the scheduler */
+ scheduler_channel_has_waiting_cells(chan);
+}
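+
+/* Note on flow control between this function and the flush loop in
+ * channel_flush_from_first_active_circuit(): streams feeding a circuit are
+ * blocked here once its queue reaches CELL_QUEUE_HIGHWATER_SIZE, and are
+ * only unblocked once the queue has drained to CELL_QUEUE_LOWWATER_SIZE,
+ * giving simple hysteresis so we don't flap on every cell. */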
+
+/** Append an encoded value of <b>addr</b> to <b>payload_out</b>, which must
+ * have at least 18 bytes of free space. The encoding is, as specified in
+ * tor-spec.txt:
+ * RESOLVED_TYPE_IPV4 or RESOLVED_TYPE_IPV6 [1 byte]
+ * LENGTH [1 byte]
+ * ADDRESS [length bytes]
+ * Return the number of bytes added, or -1 on error */
+int
+append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr)
+{
+ uint32_t a;
+ switch (tor_addr_family(addr)) {
+ case AF_INET:
+ payload_out[0] = RESOLVED_TYPE_IPV4;
+ payload_out[1] = 4;
+ a = tor_addr_to_ipv4n(addr);
+ memcpy(payload_out+2, &a, 4);
+ return 6;
+ case AF_INET6:
+ payload_out[0] = RESOLVED_TYPE_IPV6;
+ payload_out[1] = 16;
+ memcpy(payload_out+2, tor_addr_to_in6_addr8(addr), 16);
+ return 18;
+ case AF_UNSPEC:
+ default:
+ return -1;
+ }
+}
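+
+/* Worked example (assuming RESOLVED_TYPE_IPV4 is 0x04, as in tor-spec.txt):
+ * encoding 10.0.0.1 produces the six bytes 04 04 0a 00 00 01, and
+ * decode_address_from_payload() below returns a pointer just past them. */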
+
+/** Given <b>payload_len</b> bytes at <b>payload</b>, starting with an address
+ * encoded as by append_address_to_payload(), try to decode the address into
+ * *<b>addr_out</b>. Return the next byte in the payload after the address on
+ * success, or NULL on failure. */
+const uint8_t *
+decode_address_from_payload(tor_addr_t *addr_out, const uint8_t *payload,
+ int payload_len)
+{
+ if (payload_len < 2)
+ return NULL;
+ if (payload_len < 2+payload[1])
+ return NULL;
+
+ switch (payload[0]) {
+ case RESOLVED_TYPE_IPV4:
+ if (payload[1] != 4)
+ return NULL;
+ tor_addr_from_ipv4n(addr_out, get_uint32(payload+2));
+ break;
+ case RESOLVED_TYPE_IPV6:
+ if (payload[1] != 16)
+ return NULL;
+ tor_addr_from_ipv6_bytes(addr_out, (char*)(payload+2));
+ break;
+ default:
+ tor_addr_make_unspec(addr_out);
+ break;
+ }
+ return payload + 2 + payload[1];
+}
+
+/** Remove all the cells queued on <b>circ</b> for <b>chan</b>. */
+void
+circuit_clear_cell_queue(circuit_t *circ, channel_t *chan)
+{
+ cell_queue_t *queue;
+ cell_direction_t direction;
+
+ if (circ->n_chan == chan) {
+ queue = &circ->n_chan_cells;
+ direction = CELL_DIRECTION_OUT;
+ } else {
+ or_circuit_t *orcirc = TO_OR_CIRCUIT(circ);
+ tor_assert(orcirc->p_chan == chan);
+ queue = &orcirc->p_chan_cells;
+ direction = CELL_DIRECTION_IN;
+ }
+
+ /* Clear the queue */
+ cell_queue_clear(queue);
+
+ /* Update the cell counter in the cmux */
+ if (chan->cmux && circuitmux_is_circuit_attached(chan->cmux, circ))
+ update_circuit_on_cmux(circ, direction);
+}
+
+/** Return 1 if we shouldn't restart reading on this circuit, even if
+ * we get a SENDME. Else return 0.
+*/
+static int
+circuit_queue_streams_are_blocked(circuit_t *circ)
+{
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ return circ->streams_blocked_on_n_chan;
+ } else {
+ return circ->streams_blocked_on_p_chan;
+ }
+}
diff --cc src/feature/client/circpathbias.c
index 1ee29c639,000000000..9f2ed9347
mode 100644,000000..100644
--- a/src/feature/client/circpathbias.c
+++ b/src/feature/client/circpathbias.c
@@@ -1,1578 -1,0 +1,1641 @@@
+/* Copyright (c) 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file circpathbias.c
+ *
+ * \brief Code to track success/failure rates of circuits built through
+ * different tor nodes, in an attempt to detect attacks where
+ * an attacker deliberately causes circuits to fail until the client
+ * chooses a path they like.
+ *
+ * This code is currently configured in a warning-only mode, though false
+ * positives appear to be rare in practice. There is also support for
+ * disabling really bad guards, but it's quite experimental and may have bad
+ * anonymity effects.
+ *
+ * The information here is associated with the entry_guard_t object for
+ * each guard, and stored persistently in the state file.
+ */
+
+#include "core/or/or.h"
+#include "core/or/channel.h"
+#include "feature/client/circpathbias.h"
+#include "core/or/circuitbuild.h"
+#include "core/or/circuitlist.h"
+#include "core/or/circuituse.h"
+#include "core/or/circuitstats.h"
+#include "core/or/connection_edge.h"
+#include "app/config/config.h"
+#include "lib/crypt_ops/crypto_rand.h"
+#include "feature/client/entrynodes.h"
+#include "feature/nodelist/networkstatus.h"
+#include "core/or/relay.h"
+#include "lib/math/fp.h"
+#include "lib/math/laplace.h"
+
+#include "core/or/cell_st.h"
+#include "core/or/cpath_build_state_st.h"
+#include "core/or/crypt_path_st.h"
+#include "core/or/extend_info_st.h"
+#include "core/or/origin_circuit_st.h"
+
+static void pathbias_count_successful_close(origin_circuit_t *circ);
+static void pathbias_count_collapse(origin_circuit_t *circ);
+static void pathbias_count_use_failed(origin_circuit_t *circ);
+static void pathbias_measure_use_rate(entry_guard_t *guard);
+static void pathbias_measure_close_rate(entry_guard_t *guard);
+static void pathbias_scale_use_rates(entry_guard_t *guard);
+static void pathbias_scale_close_rates(entry_guard_t *guard);
+static int entry_guard_inc_circ_attempt_count(entry_guard_t *guard);
+
+/** Increment the number of times we attempted to extend a circuit to
+ * <b>guard</b>, first checking if the failure rate is high enough that
+ * we should eliminate the guard. Return -1 if the guard looks no good;
+ * return 0 if the guard looks fine.
+ */
+static int
+entry_guard_inc_circ_attempt_count(entry_guard_t *guard)
+{
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ entry_guards_changed();
+
+ pathbias_measure_close_rate(guard);
+
+ if (pb->path_bias_disabled)
+ return -1;
+
+ pathbias_scale_close_rates(guard);
+ pb->circ_attempts++;
+
+ log_info(LD_CIRC, "Got success count %f/%f for guard %s",
+ pb->circ_successes, pb->circ_attempts,
+ entry_guard_describe(guard));
+ return 0;
+}
+
+/** The minimum number of circuit attempts before we start
+ * thinking about warning about path bias and dropping guards */
+static int
+pathbias_get_min_circs(const or_options_t *options)
+{
+#define DFLT_PATH_BIAS_MIN_CIRC 150
+ if (options->PathBiasCircThreshold >= 5)
+ return options->PathBiasCircThreshold;
+ else
+ return networkstatus_get_param(NULL, "pb_mincircs",
+ DFLT_PATH_BIAS_MIN_CIRC,
+ 5, INT32_MAX);
+}
+
+/** The circuit success rate below which we issue a notice */
+static double
+pathbias_get_notice_rate(const or_options_t *options)
+{
+#define DFLT_PATH_BIAS_NOTICE_PCT 70
+ if (options->PathBiasNoticeRate >= 0.0)
+ return options->PathBiasNoticeRate;
+ else
+ return networkstatus_get_param(NULL, "pb_noticepct",
+ DFLT_PATH_BIAS_NOTICE_PCT, 0, 100)/100.0;
+}
+
+/** The circuit success rate below which we issue a warn */
+static double
+pathbias_get_warn_rate(const or_options_t *options)
+{
+#define DFLT_PATH_BIAS_WARN_PCT 50
+ if (options->PathBiasWarnRate >= 0.0)
+ return options->PathBiasWarnRate;
+ else
+ return networkstatus_get_param(NULL, "pb_warnpct",
+ DFLT_PATH_BIAS_WARN_PCT, 0, 100)/100.0;
+}
+
+/* XXXX I'd like to have this be static again, but entrynodes.c needs it. */
+/**
+ * The extreme rate is the rate at which we would drop the guard,
+ * if pb_dropguard is also set. Otherwise we just warn.
+ */
+double
+pathbias_get_extreme_rate(const or_options_t *options)
+{
+#define DFLT_PATH_BIAS_EXTREME_PCT 30
+ if (options->PathBiasExtremeRate >= 0.0)
+ return options->PathBiasExtremeRate;
+ else
+ return networkstatus_get_param(NULL, "pb_extremepct",
+ DFLT_PATH_BIAS_EXTREME_PCT, 0, 100)/100.0;
+}
+
+/* XXXX I'd like to have this be static again, but entrynodes.c needs it. */
+/**
+ * If 1, we actually disable use of guards that fall below
+ * the extreme_pct.
+ */
+int
+pathbias_get_dropguards(const or_options_t *options)
+{
+#define DFLT_PATH_BIAS_DROP_GUARDS 0
+ if (options->PathBiasDropGuards >= 0)
+ return options->PathBiasDropGuards;
+ else
+ return networkstatus_get_param(NULL, "pb_dropguards",
+ DFLT_PATH_BIAS_DROP_GUARDS, 0, 1);
+}
+
+/**
+ * This is the number of circuits at which we scale our
+ * counts by mult_factor/scale_factor. Note, this count is
+ * not exact, as we only perform the scaling in the event
+ * of no integer truncation.
+ */
+static int
+pathbias_get_scale_threshold(const or_options_t *options)
+{
+#define DFLT_PATH_BIAS_SCALE_THRESHOLD 300
+ if (options->PathBiasScaleThreshold >= 10)
+ return options->PathBiasScaleThreshold;
+ else
+ return networkstatus_get_param(NULL, "pb_scalecircs",
+ DFLT_PATH_BIAS_SCALE_THRESHOLD, 10,
+ INT32_MAX);
+}
+
+/**
+ * Compute the path bias scaling ratio from the consensus
+ * parameters pb_multfactor/pb_scalefactor.
+ *
+ * Returns a value in (0, 1.0] which we multiply our pathbias
+ * counts with to scale them down.
+ */
+static double
+pathbias_get_scale_ratio(const or_options_t *options)
+{
+ /*
+ * The scale factor is the denominator for our scaling
+ * of circuit counts for our path bias window.
+ *
+ * Note that our use of doubles for the path bias state
+ * file means that powers of 2 work best here.
+ */
+ int denominator = networkstatus_get_param(NULL, "pb_scalefactor",
+ 2, 2, INT32_MAX);
+ (void) options;
+ /**
+ * The mult factor is the numerator for our scaling
+ * of circuit counts for our path bias window. It
+ * allows us to scale by fractions.
+ */
+ return networkstatus_get_param(NULL, "pb_multfactor",
+ 1, 1, denominator)/((double)denominator);
+}
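+
+/* Example: with the defaults above (pb_multfactor == 1, pb_scalefactor == 2)
+ * this returns 0.5, so each scaling event roughly halves the recorded
+ * counts while preserving their ratio. */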
+
+/** The minimum number of circuit usage attempts before we start
+ * thinking about warning about path use bias and dropping guards */
+static int
+pathbias_get_min_use(const or_options_t *options)
+{
+#define DFLT_PATH_BIAS_MIN_USE 20
+ if (options->PathBiasUseThreshold >= 3)
+ return options->PathBiasUseThreshold;
+ else
+ return networkstatus_get_param(NULL, "pb_minuse",
+ DFLT_PATH_BIAS_MIN_USE,
+ 3, INT32_MAX);
+}
+
+/** The circuit use success rate below which we issue a notice */
+static double
+pathbias_get_notice_use_rate(const or_options_t *options)
+{
+#define DFLT_PATH_BIAS_NOTICE_USE_PCT 80
+ if (options->PathBiasNoticeUseRate >= 0.0)
+ return options->PathBiasNoticeUseRate;
+ else
+ return networkstatus_get_param(NULL, "pb_noticeusepct",
+ DFLT_PATH_BIAS_NOTICE_USE_PCT,
+ 0, 100)/100.0;
+}
+
+/**
+ * The extreme use rate is the rate at which we would drop the guard,
+ * if pb_dropguard is also set. Otherwise we just warn.
+ */
+double
+pathbias_get_extreme_use_rate(const or_options_t *options)
+{
+#define DFLT_PATH_BIAS_EXTREME_USE_PCT 60
+ if (options->PathBiasExtremeUseRate >= 0.0)
+ return options->PathBiasExtremeUseRate;
+ else
+ return networkstatus_get_param(NULL, "pb_extremeusepct",
+ DFLT_PATH_BIAS_EXTREME_USE_PCT,
+ 0, 100)/100.0;
+}
+
+/**
+ * This is the number of circuits at which we scale our
+ * use counts by mult_factor/scale_factor. Note, this count is
+ * not exact, as we only perform the scaling in the event
+ * of no integer truncation.
+ */
+static int
+pathbias_get_scale_use_threshold(const or_options_t *options)
+{
+#define DFLT_PATH_BIAS_SCALE_USE_THRESHOLD 100
+ if (options->PathBiasScaleUseThreshold >= 10)
+ return options->PathBiasScaleUseThreshold;
+ else
+ return networkstatus_get_param(NULL, "pb_scaleuse",
+ DFLT_PATH_BIAS_SCALE_USE_THRESHOLD,
+ 10, INT32_MAX);
+}
+
+/**
+ * Convert a guard's path state to a string.
+ */
+const char *
+pathbias_state_to_string(path_state_t state)
+{
+ switch (state) {
+ case PATH_STATE_NEW_CIRC:
+ return "new";
+ case PATH_STATE_BUILD_ATTEMPTED:
+ return "build attempted";
+ case PATH_STATE_BUILD_SUCCEEDED:
+ return "build succeeded";
+ case PATH_STATE_USE_ATTEMPTED:
+ return "use attempted";
+ case PATH_STATE_USE_SUCCEEDED:
+ return "use succeeded";
+ case PATH_STATE_USE_FAILED:
+ return "use failed";
+ case PATH_STATE_ALREADY_COUNTED:
+ return "already counted";
+ }
+
+ return "unknown";
+}
+
+/**
+ * This function decides if a circuit has progressed far enough to count
+ * as a circuit "attempt". As long as end-to-end tagging is possible,
+ * we assume the adversary will use it over hop-to-hop failure. Therefore,
+ * we only need to account for bias at the last hop. This should make us
+ * much more resilient to ambient circuit failure, and also make that
+ * failure easier to measure (we only need to measure Exit failure rates).
+ */
+static int
+pathbias_is_new_circ_attempt(origin_circuit_t *circ)
+{
+#define N2N_TAGGING_IS_POSSIBLE
+#ifdef N2N_TAGGING_IS_POSSIBLE
+ /* cpath is a circular list. We want circs with more than one hop,
+ * and the second hop must be waiting for keys still (it's just
+ * about to get them). */
+ return circ->cpath &&
+ circ->cpath->next != circ->cpath &&
+ circ->cpath->next->state == CPATH_STATE_AWAITING_KEYS;
+#else /* !(defined(N2N_TAGGING_IS_POSSIBLE)) */
+ /* If tagging attacks are no longer possible, we probably want to
+ * count bias from the first hop. However, one could argue that
+ * timing-based tagging is still more useful than per-hop failure.
+ * In which case, we'd never want to use this.
+ */
+ return circ->cpath &&
+ circ->cpath->state == CPATH_STATE_AWAITING_KEYS;
+#endif /* defined(N2N_TAGGING_IS_POSSIBLE) */
+}
+
+/**
+ * Decide if the path bias code should count a circuit.
+ *
+ * @returns 1 if we should count it, 0 otherwise.
+ */
+static int
+pathbias_should_count(origin_circuit_t *circ)
+{
+#define PATHBIAS_COUNT_INTERVAL (600)
+ static ratelim_t count_limit =
+ RATELIM_INIT(PATHBIAS_COUNT_INTERVAL);
+ char *rate_msg = NULL;
+
+ /* We can't do path bias accounting without entry guards.
+ * Testing and controller circuits also have no guards.
+ *
+ * We also don't count server-side rends, because their
+ * endpoint could be chosen maliciously.
+ * Similarly, we can't count client-side intro attempts,
+ * because clients can be manipulated into connecting to
+ * malicious intro points. */
+ if (get_options()->UseEntryGuards == 0 ||
+ circ->base_.purpose == CIRCUIT_PURPOSE_TESTING ||
+ circ->base_.purpose == CIRCUIT_PURPOSE_CONTROLLER ||
+ circ->base_.purpose == CIRCUIT_PURPOSE_S_CONNECT_REND ||
+ circ->base_.purpose == CIRCUIT_PURPOSE_S_REND_JOINED ||
+ (circ->base_.purpose >= CIRCUIT_PURPOSE_C_INTRODUCING &&
+ circ->base_.purpose <= CIRCUIT_PURPOSE_C_INTRODUCE_ACKED)) {
+
+ /* Check to see if the shouldcount result has changed due to an
+ * unexpected purpose change that would affect our results.
+ *
+ * The reason we check the path state too here is because for the
+ * cannibalized versions of these purposes, we count them as successful
+ * before their purpose change.
+ */
+ if (circ->pathbias_shouldcount == PATHBIAS_SHOULDCOUNT_COUNTED
+ && circ->path_state != PATH_STATE_ALREADY_COUNTED) {
+ log_info(LD_BUG,
+ "Circuit %d is now being ignored despite being counted "
+ "in the past. Purpose is %s, path state is %s",
+ circ->global_identifier,
+ circuit_purpose_to_string(circ->base_.purpose),
+ pathbias_state_to_string(circ->path_state));
+ }
+ circ->pathbias_shouldcount = PATHBIAS_SHOULDCOUNT_IGNORED;
+ return 0;
+ }
+
+ /* Completely ignore one hop circuits */
+ if (circ->build_state->onehop_tunnel ||
+ circ->build_state->desired_path_len == 1) {
+ /* Check for inconsistency */
+ if (circ->build_state->desired_path_len != 1 ||
+ !circ->build_state->onehop_tunnel) {
+ if ((rate_msg = rate_limit_log(&count_limit, approx_time()))) {
+ log_info(LD_BUG,
+ "One-hop circuit has length %d. Path state is %s. "
+ "Circuit is a %s currently %s.%s",
+ circ->build_state->desired_path_len,
+ pathbias_state_to_string(circ->path_state),
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state),
+ rate_msg);
+ tor_free(rate_msg);
+ }
+ tor_fragile_assert();
+ }
+
+ /* Check to see if the shouldcount result has changed due to an
+ * unexpected change that would affect our results */
+ if (circ->pathbias_shouldcount == PATHBIAS_SHOULDCOUNT_COUNTED) {
+ log_info(LD_BUG,
+ "One-hop circuit %d is now being ignored despite being counted "
+ "in the past. Purpose is %s, path state is %s",
+ circ->global_identifier,
+ circuit_purpose_to_string(circ->base_.purpose),
+ pathbias_state_to_string(circ->path_state));
+ }
+ circ->pathbias_shouldcount = PATHBIAS_SHOULDCOUNT_IGNORED;
+ return 0;
+ }
+
+ /* Check to see if the shouldcount result has changed due to an
+ * unexpected purpose change that would affect our results */
+ if (circ->pathbias_shouldcount == PATHBIAS_SHOULDCOUNT_IGNORED) {
+ log_info(LD_BUG,
+ "Circuit %d is now being counted despite being ignored "
+ "in the past. Purpose is %s, path state is %s",
+ circ->global_identifier,
+ circuit_purpose_to_string(circ->base_.purpose),
+ pathbias_state_to_string(circ->path_state));
+ }
+ circ->pathbias_shouldcount = PATHBIAS_SHOULDCOUNT_COUNTED;
+
+ return 1;
+}
+
+/**
+ * Check our circuit state to see if this is a successful circuit attempt.
+ * If so, record it in the current guard's path bias circ_attempt count.
+ *
+ * Also check for several potential error cases for bug #6475.
+ */
+int
+pathbias_count_build_attempt(origin_circuit_t *circ)
+{
+#define CIRC_ATTEMPT_NOTICE_INTERVAL (600)
+ static ratelim_t circ_attempt_notice_limit =
+ RATELIM_INIT(CIRC_ATTEMPT_NOTICE_INTERVAL);
+ char *rate_msg = NULL;
+
+ if (!pathbias_should_count(circ)) {
+ return 0;
+ }
+
+ if (pathbias_is_new_circ_attempt(circ)) {
+ /* Help track down the real cause of bug #6475: */
+ if (circ->has_opened && circ->path_state != PATH_STATE_BUILD_ATTEMPTED) {
+ if ((rate_msg = rate_limit_log(&circ_attempt_notice_limit,
+ approx_time()))) {
+ log_info(LD_BUG,
+ "Opened circuit is in strange path state %s. "
+ "Circuit is a %s currently %s.%s",
+ pathbias_state_to_string(circ->path_state),
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state),
+ rate_msg);
+ tor_free(rate_msg);
+ }
+ }
+
+ /* Don't re-count cannibalized circs. */
+ if (!circ->has_opened) {
+ entry_guard_t *guard = NULL;
+
+ if (circ->cpath && circ->cpath->extend_info) {
+ guard = entry_guard_get_by_id_digest(
+ circ->cpath->extend_info->identity_digest);
+ } else if (circ->base_.n_chan) {
+ guard =
+ entry_guard_get_by_id_digest(circ->base_.n_chan->identity_digest);
+ }
+
+ if (guard) {
+ if (circ->path_state == PATH_STATE_NEW_CIRC) {
+ circ->path_state = PATH_STATE_BUILD_ATTEMPTED;
+
+ if (entry_guard_inc_circ_attempt_count(guard) < 0) {
+ /* Bogus guard; we already warned. */
+ return -END_CIRC_REASON_TORPROTOCOL;
+ }
+ } else {
+ if ((rate_msg = rate_limit_log(&circ_attempt_notice_limit,
+ approx_time()))) {
+ log_info(LD_BUG,
+ "Unopened circuit has strange path state %s. "
+ "Circuit is a %s currently %s.%s",
+ pathbias_state_to_string(circ->path_state),
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state),
+ rate_msg);
+ tor_free(rate_msg);
+ }
+ }
+ } else {
+ if ((rate_msg = rate_limit_log(&circ_attempt_notice_limit,
+ approx_time()))) {
+ log_info(LD_CIRC,
+ "Unopened circuit has no known guard. "
+ "Circuit is a %s currently %s.%s",
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state),
+ rate_msg);
+ tor_free(rate_msg);
+ }
+ }
+ }
+ }
+
+ return 0;
+}
+
+/**
+ * Check our circuit state to see if this is a successful circuit
+ * completion. If so, record it in the current guard's path bias
+ * success count.
+ *
+ * Also check for several potential error cases for bug #6475.
+ */
+void
+pathbias_count_build_success(origin_circuit_t *circ)
+{
+#define SUCCESS_NOTICE_INTERVAL (600)
+ static ratelim_t success_notice_limit =
+ RATELIM_INIT(SUCCESS_NOTICE_INTERVAL);
+ char *rate_msg = NULL;
+ entry_guard_t *guard = NULL;
+
+ if (!pathbias_should_count(circ)) {
+ return;
+ }
+
+ /* Don't count cannibalized/reused circs for path bias
+ * "build" success, since they get counted under "use" success. */
+ if (!circ->has_opened) {
+ if (circ->cpath && circ->cpath->extend_info) {
+ guard = entry_guard_get_by_id_digest(
+ circ->cpath->extend_info->identity_digest);
+ }
+
+ if (guard) {
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ if (circ->path_state == PATH_STATE_BUILD_ATTEMPTED) {
+ circ->path_state = PATH_STATE_BUILD_SUCCEEDED;
+ pb->circ_successes++;
+ entry_guards_changed();
+
+ log_info(LD_CIRC, "Got success count %f/%f for guard %s",
+ pb->circ_successes, pb->circ_attempts,
+ entry_guard_describe(guard));
+ } else {
+ if ((rate_msg = rate_limit_log(&success_notice_limit,
+ approx_time()))) {
+ log_info(LD_BUG,
+ "Succeeded circuit is in strange path state %s. "
+ "Circuit is a %s currently %s.%s",
+ pathbias_state_to_string(circ->path_state),
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state),
+ rate_msg);
+ tor_free(rate_msg);
+ }
+ }
+
+ if (pb->circ_attempts < pb->circ_successes) {
+ log_notice(LD_BUG, "Unexpectedly high successes counts (%f/%f) "
+ "for guard %s",
+ pb->circ_successes, pb->circ_attempts,
+ entry_guard_describe(guard));
+ }
+ /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
+ * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
+ * No need to log that case. */
+ } else if (circ->base_.purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
+ if ((rate_msg = rate_limit_log(&success_notice_limit,
+ approx_time()))) {
+ log_info(LD_CIRC,
+ "Completed circuit has no known guard. "
+ "Circuit is a %s currently %s.%s",
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state),
+ rate_msg);
+ tor_free(rate_msg);
+ }
+ }
+ } else {
+ if (circ->path_state < PATH_STATE_BUILD_SUCCEEDED) {
+ if ((rate_msg = rate_limit_log(&success_notice_limit,
+ approx_time()))) {
+ log_info(LD_BUG,
+ "Opened circuit is in strange path state %s. "
+ "Circuit is a %s currently %s.%s",
+ pathbias_state_to_string(circ->path_state),
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state),
+ rate_msg);
+ tor_free(rate_msg);
+ }
+ }
+ }
+}
+
+/**
+ * Record an attempt to use a circuit. Changes the circuit's
+ * path state and updates its guard's usage counter.
+ *
+ * Used for path bias usage accounting.
+ */
+void
+pathbias_count_use_attempt(origin_circuit_t *circ)
+{
+ if (!pathbias_should_count(circ)) {
+ return;
+ }
+
+ if (circ->path_state < PATH_STATE_BUILD_SUCCEEDED) {
+ log_notice(LD_BUG,
+ "Used circuit is in strange path state %s. "
+ "Circuit is a %s currently %s.",
+ pathbias_state_to_string(circ->path_state),
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state));
+ } else if (circ->path_state < PATH_STATE_USE_ATTEMPTED) {
+ entry_guard_t *guard = entry_guard_get_by_id_digest(
+ circ->cpath->extend_info->identity_digest);
+ if (guard) {
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ pathbias_measure_use_rate(guard);
+ pathbias_scale_use_rates(guard);
+ pb->use_attempts++;
+ entry_guards_changed();
+
+ log_debug(LD_CIRC,
+ "Marked circuit %d (%f/%f) as used for guard %s.",
+ circ->global_identifier,
+ pb->use_successes, pb->use_attempts,
+ entry_guard_describe(guard));
+ }
+
+ circ->path_state = PATH_STATE_USE_ATTEMPTED;
+ } else {
+ /* Harmless but educational log message */
+ log_info(LD_CIRC,
+ "Used circuit %d is already in path state %s. "
+ "Circuit is a %s currently %s.",
+ circ->global_identifier,
+ pathbias_state_to_string(circ->path_state),
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state));
+ }
+
+ return;
+}
+
+/**
+ * Check the circuit's path state is appropriate and mark it as
+ * successfully used. Used for path bias usage accounting.
+ *
+ * We don't actually increment the guard's counters until
+ * pathbias_check_close(), because the circuit can still transition
+ * back to PATH_STATE_USE_ATTEMPTED if a stream fails later (this
+ * is done so we can probe the circuit for liveness at close).
+ */
+void
+pathbias_mark_use_success(origin_circuit_t *circ)
+{
+ if (!pathbias_should_count(circ)) {
+ return;
+ }
+
+ if (circ->path_state < PATH_STATE_USE_ATTEMPTED) {
+ log_notice(LD_BUG,
+ "Used circuit %d is in strange path state %s. "
+ "Circuit is a %s currently %s.",
+ circ->global_identifier,
+ pathbias_state_to_string(circ->path_state),
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state));
+
+ pathbias_count_use_attempt(circ);
+ }
+
+ /* We don't do any accounting at the guard until actual circuit close */
+ circ->path_state = PATH_STATE_USE_SUCCEEDED;
+
+ return;
+}
+
+/**
+ * If a stream ever detaches from a circuit in a retriable way,
+ * we need to mark this circuit as still needing either another
+ * successful stream, or in need of a probe.
+ *
+ * An adversary could let the first stream request succeed (ie the
+ * resolve), but then tag and timeout the remainder (via cell
+ * dropping), forcing them on new circuits.
+ *
+ * Rolling back the state will cause us to probe such circuits, which
+ * should lead to probe failures in the event of such tagging due to
+ * either unrecognized cells coming in while we wait for the probe,
+ * or the cipher state getting out of sync in the case of dropped cells.
+ */
+void
+pathbias_mark_use_rollback(origin_circuit_t *circ)
+{
+ if (circ->path_state == PATH_STATE_USE_SUCCEEDED) {
+ log_info(LD_CIRC,
+ "Rolling back pathbias use state to 'attempted' for detached "
+ "circuit %d", circ->global_identifier);
+ circ->path_state = PATH_STATE_USE_ATTEMPTED;
+ }
+}
+
+/**
+ * Actually count a circuit success towards a guard's usage counters
+ * if the path state is appropriate.
+ */
+static void
+pathbias_count_use_success(origin_circuit_t *circ)
+{
+ entry_guard_t *guard;
+
+ if (!pathbias_should_count(circ)) {
+ return;
+ }
+
+ if (circ->path_state != PATH_STATE_USE_SUCCEEDED) {
+ log_notice(LD_BUG,
+ "Successfully used circuit %d is in strange path state %s. "
+ "Circuit is a %s currently %s.",
+ circ->global_identifier,
+ pathbias_state_to_string(circ->path_state),
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state));
+ } else {
+ guard = entry_guard_get_by_id_digest(
+ circ->cpath->extend_info->identity_digest);
+ if (guard) {
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ pb->use_successes++;
+ entry_guards_changed();
+
+ if (pb->use_attempts < pb->use_successes) {
+ log_notice(LD_BUG, "Unexpectedly high use successes counts (%f/%f) "
+ "for guard %s",
+ pb->use_successes, pb->use_attempts,
+ entry_guard_describe(guard));
+ }
+
+ log_debug(LD_CIRC,
+ "Marked circuit %d (%f/%f) as used successfully for guard %s",
+ circ->global_identifier, pb->use_successes,
+ pb->use_attempts,
+ entry_guard_describe(guard));
+ }
+ }
+
+ return;
+}
+
+/**
+ * Send a probe down a circuit that the client attempted to use,
+ * but for which the stream timed out/failed. The probe is a
+ * RELAY_BEGIN cell with a 0.a.b.c destination address, which
+ * the exit will reject and reply back, echoing that address.
+ *
+ * The reason for such probes is that it is possible to bias
+ * a user's paths simply by causing timeouts, and such timeouts
+ * cannot be distinguished from genuinely unresponsive servers.
+ *
+ * The probe is sent at the end of the circuit lifetime for two
+ * reasons: to prevent cryptographic taggers from being able to
+ * drop cells to cause timeouts, and to prevent easy recognition
+ * of probes before any real client traffic happens.
+ *
+ * Returns -1 if we couldn't probe, 0 otherwise.
+ */
+static int
+pathbias_send_usable_probe(circuit_t *circ)
+{
+ /* Based on connection_ap_handshake_send_begin() */
+ char payload[CELL_PAYLOAD_SIZE];
+ int payload_len;
+ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+ crypt_path_t *cpath_layer = NULL;
+ char *probe_nonce = NULL;
+
+ tor_assert(ocirc);
+
+ cpath_layer = ocirc->cpath->prev;
+
+ if (cpath_layer->state != CPATH_STATE_OPEN) {
+ /* This can happen for cannibalized circuits. Their
+ * last hop isn't yet open */
+ log_info(LD_CIRC,
+ "Got pathbias probe request for unopened circuit %d. "
+ "Opened %d, len %d", ocirc->global_identifier,
+ ocirc->has_opened, ocirc->build_state->desired_path_len);
+ return -1;
+ }
+
+ /* We already went down this road. */
+ if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING &&
+ ocirc->pathbias_probe_id) {
+ log_info(LD_CIRC,
+ "Got pathbias probe request for circuit %d with "
+ "outstanding probe", ocirc->global_identifier);
+ return -1;
+ }
+
+ /* Can't probe if the channel isn't open */
+ if (circ->n_chan == NULL ||
+ (!CHANNEL_IS_OPEN(circ->n_chan)
+ && !CHANNEL_IS_MAINT(circ->n_chan))) {
+ log_info(LD_CIRC,
+ "Skipping pathbias probe for circuit %d: Channel is not open.",
+ ocirc->global_identifier);
+ return -1;
+ }
+
+ circuit_change_purpose(circ, CIRCUIT_PURPOSE_PATH_BIAS_TESTING);
+
+ /* Update timestamp for when circuit_expire_building() should kill us */
+ tor_gettimeofday(&circ->timestamp_began);
+
+ /* Generate a random address for the nonce */
+ crypto_rand((char*)&ocirc->pathbias_probe_nonce,
+ sizeof(ocirc->pathbias_probe_nonce));
+ ocirc->pathbias_probe_nonce &= 0x00ffffff;
+ probe_nonce = tor_dup_ip(ocirc->pathbias_probe_nonce);
+
+ tor_snprintf(payload,RELAY_PAYLOAD_SIZE, "%s:25", probe_nonce);
+ payload_len = (int)strlen(payload)+1;
+
+ // XXX: need this? Can we assume ipv4 will always be supported?
+ // If not, how do we tell?
+ //if (payload_len <= RELAY_PAYLOAD_SIZE - 4 && edge_conn->begincell_flags) {
+ // set_uint32(payload + payload_len, htonl(edge_conn->begincell_flags));
+ // payload_len += 4;
+ //}
+
+ /* Generate+Store stream id, make sure it's non-zero */
+ ocirc->pathbias_probe_id = get_unique_stream_id_by_circ(ocirc);
+
+ if (ocirc->pathbias_probe_id==0) {
+ log_warn(LD_CIRC,
+ "Ran out of stream IDs on circuit %u during "
+ "pathbias probe attempt.", ocirc->global_identifier);
+ tor_free(probe_nonce);
+ return -1;
+ }
+
+ log_info(LD_CIRC,
+ "Sending pathbias testing cell to %s:25 on stream %d for circ %d.",
+ probe_nonce, ocirc->pathbias_probe_id, ocirc->global_identifier);
+ tor_free(probe_nonce);
+
+ /* Send a test relay cell */
+ if (relay_send_command_from_edge(ocirc->pathbias_probe_id, circ,
+ RELAY_COMMAND_BEGIN, payload,
+ payload_len, cpath_layer) < 0) {
+ log_notice(LD_CIRC,
+ "Failed to send pathbias probe cell on circuit %d.",
+ ocirc->global_identifier);
+ return -1;
+ }
+
+ /* Mark it freshly dirty so it doesn't get expired in the meantime */
+ circ->timestamp_dirty = time(NULL);
+
+ return 0;
+}
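+
+/* Why the 0x00ffffff mask above: the nonce is rendered with tor_dup_ip(),
+ * so clearing the top octet forces a 0.a.b.c destination address. An exit
+ * should refuse that address on exit-policy grounds, producing exactly the
+ * END (EXITPOLICY) reply that pathbias_check_probe_response() checks for. */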
+
+/**
+ * Check the response to a pathbias probe, to ensure the
+ * cell is recognized and the nonce and other probe
+ * characteristics are as expected.
+ *
+ * If the response is valid, return 0. Otherwise return < 0.
+ */
+int
+pathbias_check_probe_response(circuit_t *circ, const cell_t *cell)
+{
+ /* Based on connection_edge_process_relay_cell() */
+ relay_header_t rh;
+ int reason;
+ uint32_t ipv4_host;
+ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+
+ tor_assert(cell);
+ tor_assert(ocirc);
+ tor_assert(circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING);
+
+ relay_header_unpack(&rh, cell->payload);
+
+ reason = rh.length > 0 ?
+ get_uint8(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC;
+
+ if (rh.command == RELAY_COMMAND_END &&
+ reason == END_STREAM_REASON_EXITPOLICY &&
+ ocirc->pathbias_probe_id == rh.stream_id) {
+
+ /* Check length+extract host: It is in network order after the reason code.
+ * See connection_edge_end(). */
+ if (rh.length < 9) { /* reason+ipv4+dns_ttl */
+ log_notice(LD_PROTOCOL,
+ "Short path bias probe response length field (%d).", rh.length);
+ return - END_CIRC_REASON_TORPROTOCOL;
+ }
+
+ ipv4_host = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+1));
+
+ /* Check nonce */
+ if (ipv4_host == ocirc->pathbias_probe_nonce) {
+ pathbias_mark_use_success(ocirc);
++ circuit_read_valid_data(ocirc, rh.length);
+ circuit_mark_for_close(circ, END_CIRC_REASON_FINISHED);
+ log_info(LD_CIRC,
+ "Got valid path bias probe back for circ %d, stream %d.",
+ ocirc->global_identifier, ocirc->pathbias_probe_id);
+ return 0;
+ } else {
+ log_notice(LD_CIRC,
+ "Got strange probe value 0x%x vs 0x%x back for circ %d, "
+ "stream %d.", ipv4_host, ocirc->pathbias_probe_nonce,
+ ocirc->global_identifier, ocirc->pathbias_probe_id);
+ return -1;
+ }
+ }
+ log_info(LD_CIRC,
+ "Got another cell back back on pathbias probe circuit %d: "
+ "Command: %d, Reason: %d, Stream-id: %d",
+ ocirc->global_identifier, rh.command, reason, rh.stream_id);
+ return -1;
+}
+
+/**
++ * Check if a cell counts as valid data for a circuit,
++ * and if so, count it as valid.
++ */
++void
++pathbias_count_valid_cells(circuit_t *circ, const cell_t *cell)
++{
++ origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
++ relay_header_t rh;
++
++ relay_header_unpack(&rh, cell->payload);
++
++ /* Check to see if this is a cell from a previous connection,
++ * or is a request to close the circuit. */
++ switch (rh.command) {
++ case RELAY_COMMAND_TRUNCATED:
++ /* Truncated cells can arrive on path bias circs. When they do,
++ * just process them. This closes the circ, but it was junk anyway.
++ * No reason to wait for the probe. */
++ circuit_read_valid_data(ocirc, rh.length);
++ circuit_truncated(TO_ORIGIN_CIRCUIT(circ),
++ get_uint8(cell->payload + RELAY_HEADER_SIZE));
++
++ break;
++
++ case RELAY_COMMAND_END:
++ if (connection_half_edge_is_valid_end(ocirc->half_streams,
++ rh.stream_id)) {
++ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh.length);
++ }
++ break;
++
++ case RELAY_COMMAND_DATA:
++ if (connection_half_edge_is_valid_data(ocirc->half_streams,
++ rh.stream_id)) {
++ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh.length);
++ }
++ break;
++
++ case RELAY_COMMAND_SENDME:
++ if (connection_half_edge_is_valid_sendme(ocirc->half_streams,
++ rh.stream_id)) {
++ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh.length);
++ }
++ break;
++
++ case RELAY_COMMAND_CONNECTED:
++ if (connection_half_edge_is_valid_connected(ocirc->half_streams,
++ rh.stream_id)) {
++ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh.length);
++ }
++ break;
++
++ case RELAY_COMMAND_RESOLVED:
++ if (connection_half_edge_is_valid_resolved(ocirc->half_streams,
++ rh.stream_id)) {
++ circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh.length);
++ }
++ break;
++ }
++}
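++
++/* Note: the connection_half_edge_is_valid_*() checks above are what let
++ * cells destined for streams we have already closed locally ("half-open"
++ * streams) still be counted as valid circuit data, rather than being
++ * treated as injected or unexpected traffic. */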
++
++/**
+ * Check if a circuit was used and/or closed successfully.
+ *
+ * If we attempted to use the circuit to carry a stream but failed
+ * for whatever reason, or if the circuit mysteriously died before
+ * we could attach any streams, record these two cases.
+ *
+ * If we *have* successfully used the circuit, or it appears to
+ * have been closed by us locally, count it as a success.
+ *
+ * Returns 0 if we're done making decisions with the circ,
+ * or -1 if we want to probe it first.
+ */
+int
+pathbias_check_close(origin_circuit_t *ocirc, int reason)
+{
+ circuit_t *circ = &ocirc->base_;
+
+ if (!pathbias_should_count(ocirc)) {
+ return 0;
+ }
+
+ switch (ocirc->path_state) {
+ /* If the circuit was closed after building, but before use, we need
+ * to ensure we were the ones who tried to close it (and not a remote
+ * actor). */
+ case PATH_STATE_BUILD_SUCCEEDED:
+ if (reason & END_CIRC_REASON_FLAG_REMOTE) {
+ /* Remote circ close reasons on an unused circuit all could be bias */
+ log_info(LD_CIRC,
+ "Circuit %d remote-closed without successful use for reason %d. "
+ "Circuit purpose %d currently %d,%s. Len %d.",
+ ocirc->global_identifier,
+ reason, circ->purpose, ocirc->has_opened,
+ circuit_state_to_string(circ->state),
+ ocirc->build_state->desired_path_len);
+ pathbias_count_collapse(ocirc);
+ } else if ((reason & ~END_CIRC_REASON_FLAG_REMOTE)
+ == END_CIRC_REASON_CHANNEL_CLOSED &&
+ circ->n_chan &&
+ circ->n_chan->reason_for_closing
+ != CHANNEL_CLOSE_REQUESTED) {
+ /* If we didn't close the channel ourselves, it could be bias */
+ /* XXX: Only count bias if the network is live?
+ * What about clock jumps/suspends? */
+ log_info(LD_CIRC,
+ "Circuit %d's channel closed without successful use for reason "
+ "%d, channel reason %d. Circuit purpose %d currently %d,%s. Len "
+ "%d.", ocirc->global_identifier,
+ reason, circ->n_chan->reason_for_closing,
+ circ->purpose, ocirc->has_opened,
+ circuit_state_to_string(circ->state),
+ ocirc->build_state->desired_path_len);
+ pathbias_count_collapse(ocirc);
+ } else {
+ pathbias_count_successful_close(ocirc);
+ }
+ break;
+
+ /* If we tried to use a circuit but failed, we should probe it to ensure
+ * it has not been tampered with. */
+ case PATH_STATE_USE_ATTEMPTED:
+ /* XXX: Only probe and/or count failure if the network is live?
+ * What about clock jumps/suspends? */
+ if (pathbias_send_usable_probe(circ) == 0)
+ return -1;
+ else
+ pathbias_count_use_failed(ocirc);
+
+ /* Any circuit where there were attempted streams but no successful
+ * streams could be bias */
+ log_info(LD_CIRC,
+ "Circuit %d closed without successful use for reason %d. "
+ "Circuit purpose %d currently %d,%s. Len %d.",
+ ocirc->global_identifier,
+ reason, circ->purpose, ocirc->has_opened,
+ circuit_state_to_string(circ->state),
+ ocirc->build_state->desired_path_len);
+ break;
+
+ case PATH_STATE_USE_SUCCEEDED:
+ pathbias_count_successful_close(ocirc);
+ pathbias_count_use_success(ocirc);
+ break;
+
+ case PATH_STATE_USE_FAILED:
+ pathbias_count_use_failed(ocirc);
+ break;
+
+ case PATH_STATE_NEW_CIRC:
+ case PATH_STATE_BUILD_ATTEMPTED:
+ case PATH_STATE_ALREADY_COUNTED:
+ default:
+ // Other states are uninteresting. No stats to count.
+ break;
+ }
+
+ ocirc->path_state = PATH_STATE_ALREADY_COUNTED;
+
+ return 0;
+}
+
+/**
+ * Count a successfully closed circuit.
+ */
+static void
+pathbias_count_successful_close(origin_circuit_t *circ)
+{
+ entry_guard_t *guard = NULL;
+ if (!pathbias_should_count(circ)) {
+ return;
+ }
+
+ if (circ->cpath && circ->cpath->extend_info) {
+ guard = entry_guard_get_by_id_digest(
+ circ->cpath->extend_info->identity_digest);
+ }
+
+ if (guard) {
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ /* In the long run: circuit_success ~= successful_circuit_close +
+ * circ_failure + stream_failure */
+ pb->successful_circuits_closed++;
+ entry_guards_changed();
+ } else if (circ->base_.purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
+ /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
+ * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
+ * No need to log that case. */
+ log_info(LD_CIRC,
+ "Successfully closed circuit has no known guard. "
+ "Circuit is a %s currently %s",
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state));
+ }
+}
+
+/**
+ * Count a circuit that fails after it is built, but before it can
+ * carry any traffic.
+ *
+ * This is needed because there are ways to destroy a
+ * circuit after it has successfully completed. Right now, this is
+ * used for purely informational/debugging purposes.
+ */
+static void
+pathbias_count_collapse(origin_circuit_t *circ)
+{
+ entry_guard_t *guard = NULL;
+
+ if (!pathbias_should_count(circ)) {
+ return;
+ }
+
+ if (circ->cpath && circ->cpath->extend_info) {
+ guard = entry_guard_get_by_id_digest(
+ circ->cpath->extend_info->identity_digest);
+ }
+
+ if (guard) {
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ pb->collapsed_circuits++;
+ entry_guards_changed();
+ } else if (circ->base_.purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
+ /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
+ * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
+ * No need to log that case. */
+ log_info(LD_CIRC,
+ "Destroyed circuit has no known guard. "
+ "Circuit is a %s currently %s",
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state));
+ }
+}
+
+/**
+ * Count a known failed circuit (because we could not probe it).
+ *
+ * This counter is informational.
+ */
+static void
+pathbias_count_use_failed(origin_circuit_t *circ)
+{
+ entry_guard_t *guard = NULL;
+ if (!pathbias_should_count(circ)) {
+ return;
+ }
+
+ if (circ->cpath && circ->cpath->extend_info) {
+ guard = entry_guard_get_by_id_digest(
+ circ->cpath->extend_info->identity_digest);
+ }
+
+ if (guard) {
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ pb->unusable_circuits++;
+ entry_guards_changed();
+ } else if (circ->base_.purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
+ /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
+ * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
+ * No need to log that case. */
+ /* XXX note cut-and-paste code in this function compared to nearby
+ * functions. Would be nice to refactor. -RD */
+ log_info(LD_CIRC,
+ "Stream-failing circuit has no known guard. "
+ "Circuit is a %s currently %s",
+ circuit_purpose_to_string(circ->base_.purpose),
+ circuit_state_to_string(circ->base_.state));
+ }
+}
+
+/**
+ * Count timeouts for path bias log messages.
+ *
+ * These counts are purely informational.
+ */
+void
+pathbias_count_timeout(origin_circuit_t *circ)
+{
+ entry_guard_t *guard = NULL;
+
+ if (!pathbias_should_count(circ)) {
+ return;
+ }
+
+ /* For hidden service circs, they can actually be used
+ * successfully and then time out later (because
+ * the other side declines to use them). */
+ if (circ->path_state == PATH_STATE_USE_SUCCEEDED) {
+ return;
+ }
+
+ if (circ->cpath && circ->cpath->extend_info) {
+ guard = entry_guard_get_by_id_digest(
+ circ->cpath->extend_info->identity_digest);
+ }
+
+ if (guard) {
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ pb->timeouts++;
+ entry_guards_changed();
+ }
+}
+
+/**
+ * Helper function to count all of the currently opened circuits
+ * for a guard that are in a given path state range. The state
+ * range is inclusive on both ends.
+ */
+static int
+pathbias_count_circs_in_states(entry_guard_t *guard,
+ path_state_t from,
+ path_state_t to)
+{
+ int open_circuits = 0;
+
+ /* Count currently open circuits. Give them the benefit of the doubt. */
+ SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, circ) {
+ origin_circuit_t *ocirc = NULL;
+ if (!CIRCUIT_IS_ORIGIN(circ) || /* didn't originate here */
+ circ->marked_for_close) /* already counted */
+ continue;
+
+ ocirc = TO_ORIGIN_CIRCUIT(circ);
+
+ if (!ocirc->cpath || !ocirc->cpath->extend_info)
+ continue;
+
+ if (ocirc->path_state >= from &&
+ ocirc->path_state <= to &&
+ pathbias_should_count(ocirc) &&
+ fast_memeq(entry_guard_get_rsa_id_digest(guard),
+ ocirc->cpath->extend_info->identity_digest,
+ DIGEST_LEN)) {
+ log_debug(LD_CIRC, "Found opened circuit %d in path_state %s",
+ ocirc->global_identifier,
+ pathbias_state_to_string(ocirc->path_state));
+ open_circuits++;
+ }
+ }
+ SMARTLIST_FOREACH_END(circ);
+
+ return open_circuits;
+}
+
+/**
+ * Return the number of circuits counted as successfully closed for
+ * this guard.
+ *
+ * Also add in the currently open circuits to give them the benefit
+ * of the doubt.
+ */
+double
+pathbias_get_close_success_count(entry_guard_t *guard)
+{
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ return pb->successful_circuits_closed +
+ pathbias_count_circs_in_states(guard,
+ PATH_STATE_BUILD_SUCCEEDED,
+ PATH_STATE_USE_SUCCEEDED);
+}
+
+/**
+ * Return the number of circuits counted as successfully used
+ * for this guard.
+ *
+ * Also add in the currently open circuits that we are attempting
+ * to use to give them the benefit of the doubt.
+ */
+double
+pathbias_get_use_success_count(entry_guard_t *guard)
+{
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ return pb->use_successes +
+ pathbias_count_circs_in_states(guard,
+ PATH_STATE_USE_ATTEMPTED,
+ PATH_STATE_USE_SUCCEEDED);
+}
+
+/**
+ * Check the path bias use rate against our consensus parameter limits.
+ *
+ * Emits a log message if the use success rates are too low.
+ *
+ * If pathbias_get_dropguards() is set, we also disable the use of
+ * very failure-prone guards.
+ */
+static void
+pathbias_measure_use_rate(entry_guard_t *guard)
+{
+ const or_options_t *options = get_options();
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ if (pb->use_attempts > pathbias_get_min_use(options)) {
+ /* Note: We rely on the < comparison here to allow us to set a 0
+ * rate and disable the feature entirely. If refactoring, don't
+ * change to <= */
+ if (pathbias_get_use_success_count(guard)/pb->use_attempts
+ < pathbias_get_extreme_use_rate(options)) {
+ /* Dropping is currently disabled by default. */
+ if (pathbias_get_dropguards(options)) {
+ if (!pb->path_bias_disabled) {
+ log_warn(LD_CIRC,
+ "Your Guard %s is failing to carry an extremely large "
+ "amount of stream on its circuits. "
+ "To avoid potential route manipulation attacks, Tor has "
+ "disabled use of this guard. "
+ "Use counts are %ld/%ld. Success counts are %ld/%ld. "
+ "%ld circuits completed, %ld were unusable, %ld collapsed, "
+ "and %ld timed out. "
+ "For reference, your timeout cutoff is %ld seconds.",
+ entry_guard_describe(guard),
+ tor_lround(pathbias_get_use_success_count(guard)),
+ tor_lround(pb->use_attempts),
+ tor_lround(pathbias_get_close_success_count(guard)),
+ tor_lround(pb->circ_attempts),
+ tor_lround(pb->circ_successes),
+ tor_lround(pb->unusable_circuits),
+ tor_lround(pb->collapsed_circuits),
+ tor_lround(pb->timeouts),
+ tor_lround(get_circuit_build_close_time_ms()/1000));
+ pb->path_bias_disabled = 1;
+ return;
+ }
+ } else if (!pb->path_bias_use_extreme) {
+ pb->path_bias_use_extreme = 1;
+ log_warn(LD_CIRC,
+ "Your Guard %s is failing to carry an extremely large "
+ "amount of streams on its circuits. "
+ "This could indicate a route manipulation attack, network "
+ "overload, bad local network connectivity, or a bug. "
+ "Use counts are %ld/%ld. Success counts are %ld/%ld. "
+ "%ld circuits completed, %ld were unusable, %ld collapsed, "
+ "and %ld timed out. "
+ "For reference, your timeout cutoff is %ld seconds.",
+ entry_guard_describe(guard),
+ tor_lround(pathbias_get_use_success_count(guard)),
+ tor_lround(pb->use_attempts),
+ tor_lround(pathbias_get_close_success_count(guard)),
+ tor_lround(pb->circ_attempts),
+ tor_lround(pb->circ_successes),
+ tor_lround(pb->unusable_circuits),
+ tor_lround(pb->collapsed_circuits),
+ tor_lround(pb->timeouts),
+ tor_lround(get_circuit_build_close_time_ms()/1000));
+ }
+ } else if (pathbias_get_use_success_count(guard)/pb->use_attempts
+ < pathbias_get_notice_use_rate(options)) {
+ if (!pb->path_bias_use_noticed) {
+ pb->path_bias_use_noticed = 1;
+ log_notice(LD_CIRC,
+ "Your Guard %s is failing to carry more streams on its "
+ "circuits than usual. "
+ "Most likely this means the Tor network is overloaded "
+ "or your network connection is poor. "
+ "Use counts are %ld/%ld. Success counts are %ld/%ld. "
+ "%ld circuits completed, %ld were unusable, %ld collapsed, "
+ "and %ld timed out. "
+ "For reference, your timeout cutoff is %ld seconds.",
+ entry_guard_describe(guard),
+ tor_lround(pathbias_get_use_success_count(guard)),
+ tor_lround(pb->use_attempts),
+ tor_lround(pathbias_get_close_success_count(guard)),
+ tor_lround(pb->circ_attempts),
+ tor_lround(pb->circ_successes),
+ tor_lround(pb->unusable_circuits),
+ tor_lround(pb->collapsed_circuits),
+ tor_lround(pb->timeouts),
+ tor_lround(get_circuit_build_close_time_ms()/1000));
+ }
+ }
+ }
+}
+
+/**
+ * Check the path bias circuit close status rates against our consensus
+ * parameter limits.
+ *
+ * Emits a log message if the close success rates are too low.
+ *
+ * If pathbias_get_dropguards() is set, we also disable the use of
+ * very failure-prone guards.
+ *
+ * XXX: This function shares similar log messages and checks to
+ * pathbias_measure_use_rate(). It may be possible to combine them
+ * eventually, especially if we can ever remove the need for 3
+ * levels of closure warns (if the overall circuit failure rate
+ * goes down with ntor). One way to do so would be to multiply
+ * the build rate with the use rate to get an idea of the total
+ * fraction of the total network paths the user is able to use.
+ * See ticket #8159.
+ */
+static void
+pathbias_measure_close_rate(entry_guard_t *guard)
+{
+ const or_options_t *options = get_options();
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ if (pb->circ_attempts > pathbias_get_min_circs(options)) {
+ /* Note: We rely on the < comparison here to allow us to set a 0
+ * rate and disable the feature entirely. If refactoring, don't
+ * change to <= */
+ if (pathbias_get_close_success_count(guard)/pb->circ_attempts
+ < pathbias_get_extreme_rate(options)) {
+ /* Dropping is currently disabled by default. */
+ if (pathbias_get_dropguards(options)) {
+ if (!pb->path_bias_disabled) {
+ log_warn(LD_CIRC,
+ "Your Guard %s is failing an extremely large "
+ "amount of circuits. "
+ "To avoid potential route manipulation attacks, Tor has "
+ "disabled use of this guard. "
+ "Success counts are %ld/%ld. Use counts are %ld/%ld. "
+ "%ld circuits completed, %ld were unusable, %ld collapsed, "
+ "and %ld timed out. "
+ "For reference, your timeout cutoff is %ld seconds.",
+ entry_guard_describe(guard),
+ tor_lround(pathbias_get_close_success_count(guard)),
+ tor_lround(pb->circ_attempts),
+ tor_lround(pathbias_get_use_success_count(guard)),
+ tor_lround(pb->use_attempts),
+ tor_lround(pb->circ_successes),
+ tor_lround(pb->unusable_circuits),
+ tor_lround(pb->collapsed_circuits),
+ tor_lround(pb->timeouts),
+ tor_lround(get_circuit_build_close_time_ms()/1000));
+ pb->path_bias_disabled = 1;
+ return;
+ }
+ } else if (!pb->path_bias_extreme) {
+ pb->path_bias_extreme = 1;
+ log_warn(LD_CIRC,
+ "Your Guard %s is failing an extremely large "
+ "amount of circuits. "
+ "This could indicate a route manipulation attack, "
+ "extreme network overload, or a bug. "
+ "Success counts are %ld/%ld. Use counts are %ld/%ld. "
+ "%ld circuits completed, %ld were unusable, %ld collapsed, "
+ "and %ld timed out. "
+ "For reference, your timeout cutoff is %ld seconds.",
+ entry_guard_describe(guard),
+ tor_lround(pathbias_get_close_success_count(guard)),
+ tor_lround(pb->circ_attempts),
+ tor_lround(pathbias_get_use_success_count(guard)),
+ tor_lround(pb->use_attempts),
+ tor_lround(pb->circ_successes),
+ tor_lround(pb->unusable_circuits),
+ tor_lround(pb->collapsed_circuits),
+ tor_lround(pb->timeouts),
+ tor_lround(get_circuit_build_close_time_ms()/1000));
+ }
+ } else if (pathbias_get_close_success_count(guard)/pb->circ_attempts
+ < pathbias_get_warn_rate(options)) {
+ if (!pb->path_bias_warned) {
+ pb->path_bias_warned = 1;
+ log_warn(LD_CIRC,
+ "Your Guard %s is failing a very large "
+ "amount of circuits. "
+ "Most likely this means the Tor network is "
+ "overloaded, but it could also mean an attack against "
+ "you or potentially the guard itself. "
+ "Success counts are %ld/%ld. Use counts are %ld/%ld. "
+ "%ld circuits completed, %ld were unusable, %ld collapsed, "
+ "and %ld timed out. "
+ "For reference, your timeout cutoff is %ld seconds.",
+ entry_guard_describe(guard),
+ tor_lround(pathbias_get_close_success_count(guard)),
+ tor_lround(pb->circ_attempts),
+ tor_lround(pathbias_get_use_success_count(guard)),
+ tor_lround(pb->use_attempts),
+ tor_lround(pb->circ_successes),
+ tor_lround(pb->unusable_circuits),
+ tor_lround(pb->collapsed_circuits),
+ tor_lround(pb->timeouts),
+ tor_lround(get_circuit_build_close_time_ms()/1000));
+ }
+ } else if (pathbias_get_close_success_count(guard)/pb->circ_attempts
+ < pathbias_get_notice_rate(options)) {
+ if (!pb->path_bias_noticed) {
+ pb->path_bias_noticed = 1;
+ log_notice(LD_CIRC,
+ "Your Guard %s is failing more circuits than "
+ "usual. "
+ "Most likely this means the Tor network is overloaded. "
+ "Success counts are %ld/%ld. Use counts are %ld/%ld. "
+ "%ld circuits completed, %ld were unusable, %ld collapsed, "
+ "and %ld timed out. "
+ "For reference, your timeout cutoff is %ld seconds.",
+ entry_guard_describe(guard),
+ tor_lround(pathbias_get_close_success_count(guard)),
+ tor_lround(pb->circ_attempts),
+ tor_lround(pathbias_get_use_success_count(guard)),
+ tor_lround(pb->use_attempts),
+ tor_lround(pb->circ_successes),
+ tor_lround(pb->unusable_circuits),
+ tor_lround(pb->collapsed_circuits),
+ tor_lround(pb->timeouts),
+ tor_lround(get_circuit_build_close_time_ms()/1000));
+ }
+ }
+ }
+}
+
+/**
+ * This function scales the path bias circuit close rates if we have
+ * more data than the scaling threshold. This allows us to
+ * be more sensitive to recent measurements.
+ *
+ * XXX: The attempt count transfer stuff here might be done
+ * better by keeping separate pending counters that get
+ * transferred at circuit close. See ticket #8160.
+ */
+static void
+pathbias_scale_close_rates(entry_guard_t *guard)
+{
+ const or_options_t *options = get_options();
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ /* If we get a ton of circuits, just scale everything down */
+ if (pb->circ_attempts > pathbias_get_scale_threshold(options)) {
+ double scale_ratio = pathbias_get_scale_ratio(options);
+ int opened_attempts = pathbias_count_circs_in_states(guard,
+ PATH_STATE_BUILD_ATTEMPTED, PATH_STATE_BUILD_ATTEMPTED);
+ int opened_built = pathbias_count_circs_in_states(guard,
+ PATH_STATE_BUILD_SUCCEEDED,
+ PATH_STATE_USE_FAILED);
+ /* Verify that the counts are sane before and after scaling */
+ int counts_are_sane = (pb->circ_attempts >= pb->circ_successes);
+
+ pb->circ_attempts -= (opened_attempts+opened_built);
+ pb->circ_successes -= opened_built;
+
+ pb->circ_attempts *= scale_ratio;
+ pb->circ_successes *= scale_ratio;
+ pb->timeouts *= scale_ratio;
+ pb->successful_circuits_closed *= scale_ratio;
+ pb->collapsed_circuits *= scale_ratio;
+ pb->unusable_circuits *= scale_ratio;
+
+ pb->circ_attempts += (opened_attempts+opened_built);
+ pb->circ_successes += opened_built;
+
+ entry_guards_changed();
+
+ log_info(LD_CIRC,
+ "Scaled pathbias counts to (%f,%f)/%f (%d/%d open) for guard "
+ "%s",
+ pb->circ_successes, pb->successful_circuits_closed,
+ pb->circ_attempts, opened_built, opened_attempts,
+ entry_guard_describe(guard));
+
+ /* Have the counts just become invalid by this scaling attempt? */
+ if (counts_are_sane && pb->circ_attempts < pb->circ_successes) {
+ log_notice(LD_BUG,
+ "Scaling has mangled pathbias counts to %f/%f (%d/%d open) "
+ "for guard %s",
+ pb->circ_successes, pb->circ_attempts, opened_built,
+ opened_attempts,
+ entry_guard_describe(guard));
+ }
+ }
+}
+
+/**
+ * This function scales the path bias use rates if we have
+ * more data than the scaling threshold. This allows us to be more
+ * sensitive to recent measurements.
+ *
+ * XXX: The attempt count transfer stuff here might be done
+ * better by keeping separate pending counters that get
+ * transferred at circuit close. See ticket #8160.
+ */
+void
+pathbias_scale_use_rates(entry_guard_t *guard)
+{
+ const or_options_t *options = get_options();
+ guard_pathbias_t *pb = entry_guard_get_pathbias_state(guard);
+
+ /* If we get a ton of circuits, just scale everything down */
+ if (pb->use_attempts > pathbias_get_scale_use_threshold(options)) {
+ double scale_ratio = pathbias_get_scale_ratio(options);
+ int opened_attempts = pathbias_count_circs_in_states(guard,
+ PATH_STATE_USE_ATTEMPTED, PATH_STATE_USE_SUCCEEDED);
+ /* Verify that the counts are sane before and after scaling */
+ int counts_are_sane = (pb->use_attempts >= pb->use_successes);
+
+ pb->use_attempts -= opened_attempts;
+
+ pb->use_attempts *= scale_ratio;
+ pb->use_successes *= scale_ratio;
+
+ pb->use_attempts += opened_attempts;
+
+ log_info(LD_CIRC,
+ "Scaled pathbias use counts to %f/%f (%d open) for guard %s",
+ pb->use_successes, pb->use_attempts, opened_attempts,
+ entry_guard_describe(guard));
+
+ /* Have the counts just become invalid by this scaling attempt? */
+ if (counts_are_sane && pb->use_attempts < pb->use_successes) {
+ log_notice(LD_BUG,
+ "Scaling has mangled pathbias usage counts to %f/%f "
+ "(%d open) for guard %s",
+ pb->use_successes, pb->use_attempts,
+ opened_attempts, entry_guard_describe(guard));
+ }
+
+ entry_guards_changed();
+ }
+}
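The scaling step above removes currently-open attempts before multiplying by the scale ratio and re-adds them afterwards, so open circuits never lose weight. Below is a minimal standalone sketch of that arithmetic, not part of the diff, with purely illustrative numbers and a constant standing in for pathbias_get_scale_ratio():

#include <stdio.h>

int main(void)
{
  double use_attempts = 120.0, use_successes = 90.0;
  const double scale_ratio = 0.5;  /* stands in for pathbias_get_scale_ratio() */
  const int opened_attempts = 4;   /* circuits currently in use-attempt states */

  use_attempts -= opened_attempts; /* open circuits are excluded from scaling */
  use_attempts *= scale_ratio;
  use_successes *= scale_ratio;
  use_attempts += opened_attempts; /* ...and added back at full weight */

  /* Prints "scaled use counts: 45.0/62.0" */
  printf("scaled use counts: %.1f/%.1f\n", use_successes, use_attempts);
  return 0;
}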
diff --cc src/feature/client/circpathbias.h
index c99d1277b,000000000..9ce4a6b23
mode 100644,000000..100644
--- a/src/feature/client/circpathbias.h
+++ b/src/feature/client/circpathbias.h
@@@ -1,28 -1,0 +1,29 @@@
+/* Copyright (c) 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file circpathbias.h
+ * \brief Header file for circpathbias.c.
+ **/
+
+#ifndef TOR_CIRCPATHBIAS_H
+#define TOR_CIRCPATHBIAS_H
+
+double pathbias_get_extreme_rate(const or_options_t *options);
+double pathbias_get_extreme_use_rate(const or_options_t *options);
+int pathbias_get_dropguards(const or_options_t *options);
+void pathbias_count_timeout(origin_circuit_t *circ);
+void pathbias_count_build_success(origin_circuit_t *circ);
+int pathbias_count_build_attempt(origin_circuit_t *circ);
+int pathbias_check_close(origin_circuit_t *circ, int reason);
+int pathbias_check_probe_response(circuit_t *circ, const cell_t *cell);
++void pathbias_count_valid_cells(circuit_t *circ, const cell_t *cell);
+void pathbias_count_use_attempt(origin_circuit_t *circ);
+void pathbias_mark_use_success(origin_circuit_t *circ);
+void pathbias_mark_use_rollback(origin_circuit_t *circ);
+const char *pathbias_state_to_string(enum path_state_t state);
+
+#endif /* !defined(TOR_CIRCPATHBIAS_H) */
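For reference, here is a hypothetical caller honoring the pathbias_check_close() contract declared above (0 means accounting is finished, -1 means a probe was sent and the close should wait). It is only a sketch using the usual tor helpers (TO_CIRCUIT, circuit_mark_for_close), not the actual call site, where the check is driven from the circuit-close machinery itself:

static int
maybe_close_origin_circuit(origin_circuit_t *ocirc, int reason)
{
  if (pathbias_check_close(ocirc, reason) == -1) {
    /* A usability probe was launched; leave the circuit open until the
     * probe response (or its timeout) finishes the accounting. */
    return 0;
  }
  /* Path bias accounting is done; continue with the normal teardown. */
  circuit_mark_for_close(TO_CIRCUIT(ocirc), reason);
  return 1;
}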
diff --cc src/lib/container/smartlist.c
index 4b29d834d,000000000..64cabfcc6
mode 100644,000000..100644
--- a/src/lib/container/smartlist.c
+++ b/src/lib/container/smartlist.c
@@@ -1,866 -1,0 +1,866 @@@
+/* Copyright (c) 2003-2004, Roger Dingledine
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file smartlist.c
+ *
+ * \brief Higher-level functions for the "smartlist" resizeable array
+ * abstraction.
+ *
+ * The functions declared here use higher-level functionality than those in
+ * smartlist_core.c, and handle things like smartlists of different types,
+ * sorting, searching, heap-structured smartlists, and other convenience
+ * functions.
+ **/
+
+#include "lib/container/smartlist.h"
+#include "lib/err/torerr.h"
+#include "lib/malloc/malloc.h"
+#include "lib/defs/digest_sizes.h"
+#include "lib/ctime/di_ops.h"
+#include "lib/string/compat_ctype.h"
+#include "lib/string/compat_string.h"
+#include "lib/string/util_string.h"
+#include "lib/string/printf.h"
+
+#include "lib/log/util_bug.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+/** Append the string produced by tor_asprintf(<b>pattern</b>, <b>...</b>)
+ * to <b>sl</b>. */
+void
+smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern, ...)
+{
+ va_list ap;
+ va_start(ap, pattern);
+ smartlist_add_vasprintf(sl, pattern, ap);
+ va_end(ap);
+}
+
+/** va_list-based backend of smartlist_add_asprintf. */
+void
+smartlist_add_vasprintf(struct smartlist_t *sl, const char *pattern,
+ va_list args)
+{
+ char *str = NULL;
+
+ tor_vasprintf(&str, pattern, args);
+ tor_assert(str != NULL);
+
+ smartlist_add(sl, str);
+}
+
+/** Reverse the order of the items in <b>sl</b>. */
+void
+smartlist_reverse(smartlist_t *sl)
+{
+ int i, j;
+ void *tmp;
+ tor_assert(sl);
+ for (i = 0, j = sl->num_used-1; i < j; ++i, --j) {
+ tmp = sl->list[i];
+ sl->list[i] = sl->list[j];
+ sl->list[j] = tmp;
+ }
+}
+
+/** If there are any strings in sl equal to element, remove and free them.
+ * Does not preserve order. */
+void
+smartlist_string_remove(smartlist_t *sl, const char *element)
+{
+ int i;
+ tor_assert(sl);
+ tor_assert(element);
+ for (i = 0; i < sl->num_used; ++i) {
+ if (!strcmp(element, sl->list[i])) {
+ tor_free(sl->list[i]);
+ sl->list[i] = sl->list[--sl->num_used]; /* swap with the end */
+ i--; /* so we process the new i'th element */
+ sl->list[sl->num_used] = NULL;
+ }
+ }
+}
+
+/** Return true iff <b>sl</b> has some element E such that
+ * !strcmp(E,<b>element</b>)
+ */
+int
+smartlist_contains_string(const smartlist_t *sl, const char *element)
+{
+ int i;
+ if (!sl) return 0;
+ for (i=0; i < sl->num_used; i++)
+ if (strcmp((const char*)sl->list[i],element)==0)
+ return 1;
+ return 0;
+}
+
+/** If <b>element</b> is equal to an element of <b>sl</b>, return that
+ * element's index. Otherwise, return -1. */
+int
+smartlist_string_pos(const smartlist_t *sl, const char *element)
+{
+ int i;
+ if (!sl) return -1;
+ for (i=0; i < sl->num_used; i++)
+ if (strcmp((const char*)sl->list[i],element)==0)
+ return i;
+ return -1;
+}
+
+/** If <b>element</b> is the same pointer as an element of <b>sl</b>, return
+ * that element's index. Otherwise, return -1. */
+int
+smartlist_pos(const smartlist_t *sl, const void *element)
+{
+ int i;
+ if (!sl) return -1;
+ for (i=0; i < sl->num_used; i++)
+ if (element == sl->list[i])
+ return i;
+ return -1;
+}
+
+/** Return true iff <b>sl</b> has some element E such that
+ * !strcasecmp(E,<b>element</b>)
+ */
+int
+smartlist_contains_string_case(const smartlist_t *sl, const char *element)
+{
+ int i;
+ if (!sl) return 0;
+ for (i=0; i < sl->num_used; i++)
+ if (strcasecmp((const char*)sl->list[i],element)==0)
+ return 1;
+ return 0;
+}
+
+/** Return true iff <b>sl</b> has some element E such that E is equal
+ * to the decimal encoding of <b>num</b>.
+ */
+int
+smartlist_contains_int_as_string(const smartlist_t *sl, int num)
+{
+ char buf[32]; /* long enough for 64-bit int, and then some. */
+ tor_snprintf(buf,sizeof(buf),"%d", num);
+ return smartlist_contains_string(sl, buf);
+}
+
+/** Return true iff the two lists contain the same strings in the same
+ * order, or if they are both NULL. */
+int
+smartlist_strings_eq(const smartlist_t *sl1, const smartlist_t *sl2)
+{
+ if (sl1 == NULL)
+ return sl2 == NULL;
+ if (sl2 == NULL)
+ return 0;
+ if (smartlist_len(sl1) != smartlist_len(sl2))
+ return 0;
+ SMARTLIST_FOREACH(sl1, const char *, cp1, {
+ const char *cp2 = smartlist_get(sl2, cp1_sl_idx);
+ if (strcmp(cp1, cp2))
+ return 0;
+ });
+ return 1;
+}
+
+/** Return true iff the two lists contain the same int pointer values in
+ * the same order, or if they are both NULL. */
+int
+smartlist_ints_eq(const smartlist_t *sl1, const smartlist_t *sl2)
+{
+ if (sl1 == NULL)
+ return sl2 == NULL;
+ if (sl2 == NULL)
+ return 0;
+ if (smartlist_len(sl1) != smartlist_len(sl2))
+ return 0;
+ SMARTLIST_FOREACH(sl1, int *, cp1, {
+ int *cp2 = smartlist_get(sl2, cp1_sl_idx);
+ if (*cp1 != *cp2)
+ return 0;
+ });
+ return 1;
+}
+
+/**
+ * Return true if there is shallow equality between smartlists -
+ * i.e. all indices correspond to exactly the same object (pointer
+ * values are matching). Otherwise, return false.
+ */
+int
+smartlist_ptrs_eq(const smartlist_t *s1, const smartlist_t *s2)
+{
+ if (s1 == s2)
+ return 1;
+
+ // Note: pointers cannot both be NULL at this point, because of
+ // the check above.
+ if (s1 == NULL || s2 == NULL)
+ return 0;
+
+ if (smartlist_len(s1) != smartlist_len(s2))
+ return 0;
+
+ for (int i = 0; i < smartlist_len(s1); i++) {
+ if (smartlist_get(s1, i) != smartlist_get(s2, i))
+ return 0;
+ }
+
+ return 1;
+}
+
+/** Return true iff <b>sl</b> has some element E such that
+ * tor_memeq(E,<b>element</b>,DIGEST_LEN)
+ */
+int
+smartlist_contains_digest(const smartlist_t *sl, const char *element)
+{
+ int i;
+ if (!sl) return 0;
+ for (i=0; i < sl->num_used; i++)
+ if (tor_memeq((const char*)sl->list[i],element,DIGEST_LEN))
+ return 1;
+ return 0;
+}
+
+/** Return true iff some element E of sl2 has smartlist_contains(sl1,E).
+ */
+int
+smartlist_overlap(const smartlist_t *sl1, const smartlist_t *sl2)
+{
+ int i;
+ for (i=0; i < sl2->num_used; i++)
+ if (smartlist_contains(sl1, sl2->list[i]))
+ return 1;
+ return 0;
+}
+
+/** Remove every element E of sl1 such that !smartlist_contains(sl2,E).
+ * Does not preserve the order of sl1.
+ */
+void
+smartlist_intersect(smartlist_t *sl1, const smartlist_t *sl2)
+{
+ int i;
+ for (i=0; i < sl1->num_used; i++)
+ if (!smartlist_contains(sl2, sl1->list[i])) {
+ sl1->list[i] = sl1->list[--sl1->num_used]; /* swap with the end */
+ i--; /* so we process the new i'th element */
+ sl1->list[sl1->num_used] = NULL;
+ }
+}
+
+/** Remove every element E of sl1 such that smartlist_contains(sl2,E).
+ * Does not preserve the order of sl1.
+ */
+void
+smartlist_subtract(smartlist_t *sl1, const smartlist_t *sl2)
+{
+ int i;
+ for (i=0; i < sl2->num_used; i++)
+ smartlist_remove(sl1, sl2->list[i]);
+}
+
+/** Allocate and return a new string containing the concatenation of
+ * the elements of <b>sl</b>, in order, separated by <b>join</b>. If
+ * <b>terminate</b> is true, also terminate the string with <b>join</b>.
+ * If <b>len_out</b> is not NULL, set <b>len_out</b> to the length of
+ * the returned string. Requires that every element of <b>sl</b> is a
+ * NUL-terminated string.
+ */
+char *
+smartlist_join_strings(smartlist_t *sl, const char *join,
+ int terminate, size_t *len_out)
+{
+ return smartlist_join_strings2(sl,join,strlen(join),terminate,len_out);
+}
+
+/** As smartlist_join_strings, but instead of separating/terminating with a
+ * NUL-terminated string <b>join</b>, uses the <b>join_len</b>-byte sequence
+ * at <b>join</b>. (Useful for generating a sequence of NUL-terminated
+ * strings.)
+ */
+char *
+smartlist_join_strings2(smartlist_t *sl, const char *join,
+ size_t join_len, int terminate, size_t *len_out)
+{
+ int i;
+ size_t n = 0;
+ char *r = NULL, *dst, *src;
+
+ tor_assert(sl);
+ tor_assert(join);
+
+ if (terminate)
+ n = join_len;
+
+ for (i = 0; i < sl->num_used; ++i) {
+ n += strlen(sl->list[i]);
+ if (i+1 < sl->num_used) /* avoid double-counting the last one */
+ n += join_len;
+ }
+ dst = r = tor_malloc(n+1);
+ for (i = 0; i < sl->num_used; ) {
+ for (src = sl->list[i]; *src; )
+ *dst++ = *src++;
+ if (++i < sl->num_used) {
+ memcpy(dst, join, join_len);
+ dst += join_len;
+ }
+ }
+ if (terminate) {
+ memcpy(dst, join, join_len);
+ dst += join_len;
+ }
+ *dst = '\0';
+
+ if (len_out)
+ *len_out = dst-r;
+ return r;
+}
+
+/** Sort the members of <b>sl</b> into an order defined by
+ * the ordering function <b>compare</b>, which returns less than 0 if a
+ * precedes b, greater than 0 if b precedes a, and 0 if a 'equals' b.
+ */
+void
+smartlist_sort(smartlist_t *sl, int (*compare)(const void **a, const void **b))
+{
+ if (!sl->num_used)
+ return;
+ qsort(sl->list, sl->num_used, sizeof(void*),
+ (int (*)(const void *,const void*))compare);
+}
+
+/** Given a smartlist <b>sl</b> sorted with the function <b>compare</b>,
+ * return the most frequent member in the list. Break ties in favor of
+ * later elements. If the list is empty, return NULL. If count_out is
+ * non-null, set it to the count of the most frequent member.
+ */
+void *
+smartlist_get_most_frequent_(const smartlist_t *sl,
+ int (*compare)(const void **a, const void **b),
+ int *count_out)
+{
+ const void *most_frequent = NULL;
+ int most_frequent_count = 0;
+
+ const void *cur = NULL;
+ int i, count=0;
+
+ if (!sl->num_used) {
+ if (count_out)
+ *count_out = 0;
+ return NULL;
+ }
+ for (i = 0; i < sl->num_used; ++i) {
+ const void *item = sl->list[i];
+ if (cur && 0 == compare(&cur, &item)) {
+ ++count;
+ } else {
+ if (cur && count >= most_frequent_count) {
+ most_frequent = cur;
+ most_frequent_count = count;
+ }
+ cur = item;
+ count = 1;
+ }
+ }
+ if (cur && count >= most_frequent_count) {
+ most_frequent = cur;
+ most_frequent_count = count;
+ }
+ if (count_out)
+ *count_out = most_frequent_count;
+ return (void*)most_frequent;
+}
+
+/** Given a sorted smartlist <b>sl</b> and the comparison function used to
+ * sort it, remove all duplicate members. If free_fn is provided, calls
+ * free_fn on each duplicate. Otherwise, just removes them. Preserves order.
+ */
+void
+smartlist_uniq(smartlist_t *sl,
+ int (*compare)(const void **a, const void **b),
+ void (*free_fn)(void *a))
+{
+ int i;
+ for (i=1; i < sl->num_used; ++i) {
+ if (compare((const void **)&(sl->list[i-1]),
+ (const void **)&(sl->list[i])) == 0) {
+ if (free_fn)
+ free_fn(sl->list[i]);
+ smartlist_del_keeporder(sl, i--);
+ }
+ }
+}
+
+/** Assuming the members of <b>sl</b> are in order, return a pointer to the
+ * member that matches <b>key</b>. Ordering and matching are defined by a
+ * <b>compare</b> function that returns 0 on a match; less than 0 if key is
+ * less than member, and greater than 0 if key is greater than member.
+ */
+void *
- smartlist_bsearch(smartlist_t *sl, const void *key,
++smartlist_bsearch(const smartlist_t *sl, const void *key,
+ int (*compare)(const void *key, const void **member))
+{
+ int found, idx;
+ idx = smartlist_bsearch_idx(sl, key, compare, &found);
+ return found ? smartlist_get(sl, idx) : NULL;
+}
+
+/** Assuming the members of <b>sl</b> are in order, return the index of the
+ * member that matches <b>key</b>. If no member matches, return the index of
+ * the first member greater than <b>key</b>, or smartlist_len(sl) if no member
+ * is greater than <b>key</b>. Set <b>found_out</b> to true on a match, to
+ * false otherwise. Ordering and matching are defined by a <b>compare</b>
+ * function that returns 0 on a match; less than 0 if key is less than member,
+ * and greater than 0 if key is greater than member.
+ */
+int
+smartlist_bsearch_idx(const smartlist_t *sl, const void *key,
+ int (*compare)(const void *key, const void **member),
+ int *found_out)
+{
+ int hi, lo, cmp, mid, len, diff;
+
+ tor_assert(sl);
+ tor_assert(compare);
+ tor_assert(found_out);
+
+ len = smartlist_len(sl);
+
+ /* Check for the trivial case of a zero-length list */
+ if (len == 0) {
+ *found_out = 0;
+ /* We already know smartlist_len(sl) is 0 in this case */
+ return 0;
+ }
+
+ /* Okay, we have a real search to do */
+ tor_assert(len > 0);
+ lo = 0;
+ hi = len - 1;
+
+ /*
+ * These invariants are always true:
+ *
+ * For all i such that 0 <= i < lo, sl[i] < key
+ * For all i such that hi < i <= len, sl[i] > key
+ */
+
+ while (lo <= hi) {
+ diff = hi - lo;
+ /*
+ * We want mid = (lo + hi) / 2, but that could lead to overflow, so
+ * instead diff = hi - lo (non-negative because of loop condition), and
+ * then hi = lo + diff, mid = (lo + lo + diff) / 2 = lo + (diff / 2).
+ */
+ mid = lo + (diff / 2);
+ cmp = compare(key, (const void**) &(sl->list[mid]));
+ if (cmp == 0) {
+ /* sl[mid] == key; we found it */
+ *found_out = 1;
+ return mid;
+ } else if (cmp > 0) {
+ /*
+ * key > sl[mid] and an index i such that sl[i] == key must
+ * have i > mid if it exists.
+ */
+
+ /*
+ * Since lo <= mid <= hi, hi can only decrease on each iteration (by
+ * being set to mid - 1) and hi is initially len - 1, mid < len should
+ * always hold, and this is not symmetric with the left end of list
+ * mid > 0 test below. A key greater than the right end of the list
+ * should eventually lead to lo == hi == mid == len - 1, and then
+ * we set lo to len below and fall out to the same exit we hit for
+ * a key in the middle of the list but not matching. Thus, we just
+ * assert for consistency here rather than handle a mid == len case.
+ */
+ tor_assert(mid < len);
+ /* Move lo to the element immediately after sl[mid] */
+ lo = mid + 1;
+ } else {
+ /* This should always be true in this case */
+ tor_assert(cmp < 0);
+
+ /*
+ * key < sl[mid] and an index i such that sl[i] == key must
+ * have i < mid if it exists.
+ */
+
+ if (mid > 0) {
+ /* Normal case, move hi to the element immediately before sl[mid] */
+ hi = mid - 1;
+ } else {
+ /* These should always be true in this case */
+ tor_assert(mid == lo);
+ tor_assert(mid == 0);
+ /*
+ * We were at the beginning of the list and concluded that every
+ * element e compares e > key.
+ */
+ *found_out = 0;
+ return 0;
+ }
+ }
+ }
+
+ /*
+ * lo > hi; we have no element matching key but we have elements falling
+ * on both sides of it. The lo index points to the first element > key.
+ */
+ tor_assert(lo == hi + 1); /* All other cases should have been handled */
+ tor_assert(lo >= 0);
+ tor_assert(lo <= len);
+ tor_assert(hi >= 0);
+ tor_assert(hi <= len);
+
+ if (lo < len) {
+ cmp = compare(key, (const void **) &(sl->list[lo]));
+ tor_assert(cmp < 0);
+ } else {
+ cmp = compare(key, (const void **) &(sl->list[len-1]));
+ tor_assert(cmp > 0);
+ }
+
+ *found_out = 0;
+ return lo;
+}
+
+/** Helper: compare two const char **s. */
+static int
+compare_string_ptrs_(const void **_a, const void **_b)
+{
+ return strcmp((const char*)*_a, (const char*)*_b);
+}
+
+/** Sort a smartlist <b>sl</b> containing strings into lexically ascending
+ * order. */
+void
+smartlist_sort_strings(smartlist_t *sl)
+{
+ smartlist_sort(sl, compare_string_ptrs_);
+}
+
+/** Return the most frequent string in the sorted list <b>sl</b> */
+const char *
+smartlist_get_most_frequent_string(smartlist_t *sl)
+{
+ return smartlist_get_most_frequent(sl, compare_string_ptrs_);
+}
+
+/** Return the most frequent string in the sorted list <b>sl</b>.
+ * If <b>count_out</b> is provided, set <b>count_out</b> to the
+ * number of times that string appears.
+ */
+const char *
+smartlist_get_most_frequent_string_(smartlist_t *sl, int *count_out)
+{
+ return smartlist_get_most_frequent_(sl, compare_string_ptrs_, count_out);
+}
+
+/** Remove duplicate strings from a sorted list, and free them with tor_free().
+ */
+void
+smartlist_uniq_strings(smartlist_t *sl)
+{
+ smartlist_uniq(sl, compare_string_ptrs_, tor_free_);
+}
+
+/** Helper: compare two pointers. */
+static int
+compare_ptrs_(const void **_a, const void **_b)
+{
+ const void *a = *_a, *b = *_b;
+ if (a<b)
+ return -1;
+ else if (a==b)
+ return 0;
+ else
+ return 1;
+}
+
+/** Sort <b>sl</b> in ascending order of the pointers it contains. */
+void
+smartlist_sort_pointers(smartlist_t *sl)
+{
+ smartlist_sort(sl, compare_ptrs_);
+}
+
+/* Heap-based priority queue implementation for O(lg N) insert and remove.
+ * Recall that the heap property is that, for every index I, h[I] <
+ * H[LEFT_CHILD[I]] and h[I] < H[RIGHT_CHILD[I]].
+ *
+ * For us to remove items other than the topmost item, each item must store
+ * its own index within the heap. When calling the pqueue functions, tell
+ * them about the offset of the field that stores the index within the item.
+ *
+ * Example:
+ *
+ * typedef struct timer_t {
+ * struct timeval tv;
+ * int heap_index;
+ * } timer_t;
+ *
+ * static int compare(const void *p1, const void *p2) {
+ * const timer_t *t1 = p1, *t2 = p2;
+ * if (t1->tv.tv_sec < t2->tv.tv_sec) {
+ * return -1;
+ * } else if (t1->tv.tv_sec > t2->tv.tv_sec) {
+ * return 1;
+ * } else {
+ * return t1->tv.tv_usec - t2->tv.tv_usec;
+ * }
+ * }
+ *
+ * void timer_heap_insert(smartlist_t *heap, timer_t *timer) {
+ * smartlist_pqueue_add(heap, compare, offsetof(timer_t, heap_index),
+ * timer);
+ * }
+ *
+ * void timer_heap_pop(smartlist_t *heap) {
+ * return smartlist_pqueue_pop(heap, compare,
+ * offsetof(timer_t, heap_index));
+ * }
+ */
+
+/** @{ */
+/** Functions to manipulate heap indices to find a node's parent and children.
+ *
+ * For a 1-indexed array, we would use LEFT_CHILD[x] = 2*x and RIGHT_CHILD[x]
+ * = 2*x + 1. But this is C, so we have to adjust a little. */
+
+/* MAX_PARENT_IDX is the largest IDX in the smartlist which might have
+ * children whose indices fit inside an int.
+ * LEFT_CHILD(MAX_PARENT_IDX) == INT_MAX-2;
+ * RIGHT_CHILD(MAX_PARENT_IDX) == INT_MAX-1;
+ * LEFT_CHILD(MAX_PARENT_IDX + 1) == INT_MAX // impossible, see max list size.
+ */
+#define MAX_PARENT_IDX ((INT_MAX - 2) / 2)
+/* If this is true, then i is small enough to potentially have children
+ * in the smartlist, and it is safe to use LEFT_CHILD/RIGHT_CHILD on it. */
+#define IDX_MAY_HAVE_CHILDREN(i) ((i) <= MAX_PARENT_IDX)
+#define LEFT_CHILD(i) ( 2*(i) + 1 )
+#define RIGHT_CHILD(i) ( 2*(i) + 2 )
+#define PARENT(i) ( ((i)-1) / 2 )
+/** @} */
+
+/** @{ */
+/** Helper macros for heaps: Given a local variable <b>idx_field_offset</b>
+ * set to the offset of an integer index within the heap element structure,
+ * IDX_OF_ITEM(p) gives you the index of p, and IDXP(p) gives you a pointer to
+ * where p's index is stored. Given additionally a local smartlist <b>sl</b>,
+ * UPDATE_IDX(i) sets the index of the element at <b>i</b> to the correct
+ * value (that is, to <b>i</b>).
+ */
+#define IDXP(p) ((int*)STRUCT_VAR_P(p, idx_field_offset))
+
+#define UPDATE_IDX(i) do { \
+ void *updated = sl->list[i]; \
+ *IDXP(updated) = i; \
+ } while (0)
+
+#define IDX_OF_ITEM(p) (*IDXP(p))
+/** @} */
+
+/** Helper. <b>sl</b> may have at most one violation of the heap property:
+ * the item at <b>idx</b> may be greater than one or both of its children.
+ * Restore the heap property. */
+static inline void
+smartlist_heapify(smartlist_t *sl,
+ int (*compare)(const void *a, const void *b),
+ int idx_field_offset,
+ int idx)
+{
+ while (1) {
+ if (! IDX_MAY_HAVE_CHILDREN(idx)) {
+ /* idx is so large that it cannot have any children, since doing so
+ * would mean the smartlist was over-capacity. Therefore it cannot
+ * violate the heap property by being greater than a child (since it
+ * doesn't have any). */
+ return;
+ }
+
+ int left_idx = LEFT_CHILD(idx);
+ int best_idx;
+
+ if (left_idx >= sl->num_used)
+ return;
+ if (compare(sl->list[idx],sl->list[left_idx]) < 0)
+ best_idx = idx;
+ else
+ best_idx = left_idx;
+ if (left_idx+1 < sl->num_used &&
+ compare(sl->list[left_idx+1],sl->list[best_idx]) < 0)
+ best_idx = left_idx + 1;
+
+ if (best_idx == idx) {
+ return;
+ } else {
+ void *tmp = sl->list[idx];
+ sl->list[idx] = sl->list[best_idx];
+ sl->list[best_idx] = tmp;
+ UPDATE_IDX(idx);
+ UPDATE_IDX(best_idx);
+
+ idx = best_idx;
+ }
+ }
+}
+
+/** Insert <b>item</b> into the heap stored in <b>sl</b>, where order is
+ * determined by <b>compare</b> and the offset of the item in the heap is
+ * stored in an int-typed field at position <b>idx_field_offset</b> within
+ * item.
+ */
+void
+smartlist_pqueue_add(smartlist_t *sl,
+ int (*compare)(const void *a, const void *b),
+ int idx_field_offset,
+ void *item)
+{
+ int idx;
+ smartlist_add(sl,item);
+ UPDATE_IDX(sl->num_used-1);
+
+ for (idx = sl->num_used - 1; idx; ) {
+ int parent = PARENT(idx);
+ if (compare(sl->list[idx], sl->list[parent]) < 0) {
+ void *tmp = sl->list[parent];
+ sl->list[parent] = sl->list[idx];
+ sl->list[idx] = tmp;
+ UPDATE_IDX(parent);
+ UPDATE_IDX(idx);
+ idx = parent;
+ } else {
+ return;
+ }
+ }
+}
+
+/** Remove and return the top-priority item from the heap stored in <b>sl</b>,
+ * where order is determined by <b>compare</b> and the item's position is
+ * stored at position <b>idx_field_offset</b> within the item. <b>sl</b> must
+ * not be empty. */
+void *
+smartlist_pqueue_pop(smartlist_t *sl,
+ int (*compare)(const void *a, const void *b),
+ int idx_field_offset)
+{
+ void *top;
+ tor_assert(sl->num_used);
+
+ top = sl->list[0];
+ *IDXP(top)=-1;
+ if (--sl->num_used) {
+ sl->list[0] = sl->list[sl->num_used];
+ sl->list[sl->num_used] = NULL;
+ UPDATE_IDX(0);
+ smartlist_heapify(sl, compare, idx_field_offset, 0);
+ }
+ sl->list[sl->num_used] = NULL;
+ return top;
+}
+
+/** Remove the item <b>item</b> from the heap stored in <b>sl</b>,
+ * where order is determined by <b>compare</b> and the item's position is
+ * stored at position <b>idx_field_offset</b> within the item. <b>sl</b> must
+ * not be empty. */
+void
+smartlist_pqueue_remove(smartlist_t *sl,
+ int (*compare)(const void *a, const void *b),
+ int idx_field_offset,
+ void *item)
+{
+ int idx = IDX_OF_ITEM(item);
+ tor_assert(idx >= 0);
+ tor_assert(sl->list[idx] == item);
+ --sl->num_used;
+ *IDXP(item) = -1;
+ if (idx == sl->num_used) {
+ sl->list[sl->num_used] = NULL;
+ return;
+ } else {
+ sl->list[idx] = sl->list[sl->num_used];
+ sl->list[sl->num_used] = NULL;
+ UPDATE_IDX(idx);
+ smartlist_heapify(sl, compare, idx_field_offset, idx);
+ }
+}
+
+/** Assert that the heap property is correctly maintained by the heap stored
+ * in <b>sl</b>, where order is determined by <b>compare</b>. */
+void
+smartlist_pqueue_assert_ok(smartlist_t *sl,
+ int (*compare)(const void *a, const void *b),
+ int idx_field_offset)
+{
+ int i;
+ for (i = sl->num_used - 1; i >= 0; --i) {
+ if (i>0)
+ tor_assert(compare(sl->list[PARENT(i)], sl->list[i]) <= 0);
+ tor_assert(IDX_OF_ITEM(sl->list[i]) == i);
+ }
+}
+
+/** Helper: compare two DIGEST_LEN digests. */
+static int
+compare_digests_(const void **_a, const void **_b)
+{
+ return tor_memcmp((const char*)*_a, (const char*)*_b, DIGEST_LEN);
+}
+
+/** Sort the list of DIGEST_LEN-byte digests into ascending order. */
+void
+smartlist_sort_digests(smartlist_t *sl)
+{
+ smartlist_sort(sl, compare_digests_);
+}
+
+/** Remove duplicate digests from a sorted list, and free them with tor_free().
+ */
+void
+smartlist_uniq_digests(smartlist_t *sl)
+{
+ smartlist_uniq(sl, compare_digests_, tor_free_);
+}
+
+/** Helper: compare two DIGEST256_LEN digests. */
+static int
+compare_digests256_(const void **_a, const void **_b)
+{
+ return tor_memcmp((const char*)*_a, (const char*)*_b, DIGEST256_LEN);
+}
+
+/** Sort the list of DIGEST256_LEN-byte digests into ascending order. */
+void
+smartlist_sort_digests256(smartlist_t *sl)
+{
+ smartlist_sort(sl, compare_digests256_);
+}
+
+/** Return the most frequent member of the sorted list of DIGEST256_LEN
+ * digests in <b>sl</b> */
+const uint8_t *
+smartlist_get_most_frequent_digest256(smartlist_t *sl)
+{
+ return smartlist_get_most_frequent(sl, compare_digests256_);
+}
+
+/** Remove duplicate 256-bit digests from a sorted list, and free them with
+ * tor_free().
+ */
+void
+smartlist_uniq_digests256(smartlist_t *sl)
+{
+ smartlist_uniq(sl, compare_digests256_, tor_free_);
+}
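A small usage sketch for smartlist_bsearch() as revised above, following the documented compare-callback contract (0 on a match, less than 0 if the key sorts before the member, greater than 0 otherwise). The helper names are hypothetical; the list is assumed to contain NUL-terminated strings already sorted with smartlist_sort_strings(), and <string.h> is assumed for strcmp():

static int
find_str_cb(const void *key, const void **member)
{
  return strcmp((const char *)key, (const char *)*member);
}

static const char *
lookup_name(const smartlist_t *sorted_names, const char *name)
{
  /* sorted_names must already be in strcmp() order, e.g. via
   * smartlist_sort_strings(); returns NULL when name is absent. */
  return smartlist_bsearch(sorted_names, name, find_str_cb);
}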
diff --cc src/lib/container/smartlist.h
index 9705396ac,000000000..0f5af3a92
mode 100644,000000..100644
--- a/src/lib/container/smartlist.h
+++ b/src/lib/container/smartlist.h
@@@ -1,168 -1,0 +1,168 @@@
+/* Copyright (c) 2003-2004, Roger Dingledine
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+#ifndef TOR_SMARTLIST_H
+#define TOR_SMARTLIST_H
+
+/**
+ * \file smartlist.h
+ *
+ * \brief Header for smartlist.c
+ **/
+
+#include <stdarg.h>
+
+#include "lib/smartlist_core/smartlist_core.h"
+#include "lib/smartlist_core/smartlist_foreach.h"
+#include "lib/smartlist_core/smartlist_split.h"
+
+void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern, ...)
+ CHECK_PRINTF(2, 3);
+void smartlist_add_vasprintf(struct smartlist_t *sl, const char *pattern,
+ va_list args)
+ CHECK_PRINTF(2, 0);
+void smartlist_reverse(smartlist_t *sl);
+void smartlist_string_remove(smartlist_t *sl, const char *element);
+int smartlist_contains_string(const smartlist_t *sl, const char *element);
+int smartlist_pos(const smartlist_t *sl, const void *element);
+int smartlist_string_pos(const smartlist_t *, const char *elt);
+int smartlist_contains_string_case(const smartlist_t *sl, const char *element);
+int smartlist_contains_int_as_string(const smartlist_t *sl, int num);
+int smartlist_strings_eq(const smartlist_t *sl1, const smartlist_t *sl2);
+int smartlist_contains_digest(const smartlist_t *sl, const char *element);
+int smartlist_ints_eq(const smartlist_t *sl1, const smartlist_t *sl2);
+int smartlist_overlap(const smartlist_t *sl1, const smartlist_t *sl2);
+void smartlist_intersect(smartlist_t *sl1, const smartlist_t *sl2);
+void smartlist_subtract(smartlist_t *sl1, const smartlist_t *sl2);
+
+int smartlist_ptrs_eq(const smartlist_t *s1,
+ const smartlist_t *s2);
+
+void smartlist_sort(smartlist_t *sl,
+ int (*compare)(const void **a, const void **b));
+void *smartlist_get_most_frequent_(const smartlist_t *sl,
+ int (*compare)(const void **a, const void **b),
+ int *count_out);
+#define smartlist_get_most_frequent(sl, compare) \
+ smartlist_get_most_frequent_((sl), (compare), NULL)
+void smartlist_uniq(smartlist_t *sl,
+ int (*compare)(const void **a, const void **b),
+ void (*free_fn)(void *elt));
+
+void smartlist_sort_strings(smartlist_t *sl);
+void smartlist_sort_digests(smartlist_t *sl);
+void smartlist_sort_digests256(smartlist_t *sl);
+void smartlist_sort_pointers(smartlist_t *sl);
+
+const char *smartlist_get_most_frequent_string(smartlist_t *sl);
+const char *smartlist_get_most_frequent_string_(smartlist_t *sl,
+ int *count_out);
+const uint8_t *smartlist_get_most_frequent_digest256(smartlist_t *sl);
+
+void smartlist_uniq_strings(smartlist_t *sl);
+void smartlist_uniq_digests(smartlist_t *sl);
+void smartlist_uniq_digests256(smartlist_t *sl);
- void *smartlist_bsearch(smartlist_t *sl, const void *key,
++void *smartlist_bsearch(const smartlist_t *sl, const void *key,
+ int (*compare)(const void *key, const void **member));
+int smartlist_bsearch_idx(const smartlist_t *sl, const void *key,
+ int (*compare)(const void *key, const void **member),
+ int *found_out);
+
+void smartlist_pqueue_add(smartlist_t *sl,
+ int (*compare)(const void *a, const void *b),
+ int idx_field_offset,
+ void *item);
+void *smartlist_pqueue_pop(smartlist_t *sl,
+ int (*compare)(const void *a, const void *b),
+ int idx_field_offset);
+void smartlist_pqueue_remove(smartlist_t *sl,
+ int (*compare)(const void *a, const void *b),
+ int idx_field_offset,
+ void *item);
+void smartlist_pqueue_assert_ok(smartlist_t *sl,
+ int (*compare)(const void *a, const void *b),
+ int idx_field_offset);
+
+char *smartlist_join_strings(smartlist_t *sl, const char *join, int terminate,
+ size_t *len_out) ATTR_MALLOC;
+char *smartlist_join_strings2(smartlist_t *sl, const char *join,
+ size_t join_len, int terminate, size_t *len_out)
+ ATTR_MALLOC;
+
+/* Helper: Given two lists of items, possibly of different types, such that
+ * both lists are sorted on some common field (as determined by a comparison
+ * expression <b>cmpexpr</b>), and such that one list (<b>sl1</b>) has no
+ * duplicates on the common field, loop through the lists in lockstep, and
+ * execute <b>unmatched_var2</b> on items in var2 that do not appear in
+ * var1.
+ *
+ * WARNING: It isn't safe to add or remove elements from either list while the
+ * loop is in progress.
+ *
+ * Example use:
+ * SMARTLIST_FOREACH_JOIN(routerstatus_list, routerstatus_t *, rs,
+ * routerinfo_list, routerinfo_t *, ri,
+ * tor_memcmp(rs->identity_digest, ri->identity_digest, 20),
+ * log_info(LD_GENERAL,"No match for %s", ri->nickname)) {
+ * log_info(LD_GENERAL, "%s matches routerstatus %p", ri->nickname, rs);
+ * } SMARTLIST_FOREACH_JOIN_END(rs, ri);
+ **/
+/* The example above unpacks (approximately) to:
+ * int rs_sl_idx = 0, rs_sl_len = smartlist_len(routerstatus_list);
+ * int ri_sl_idx, ri_sl_len = smartlist_len(routerinfo_list);
+ * int rs_ri_cmp;
+ * routerstatus_t *rs;
+ * routerinfo_t *ri;
+ * for (; ri_sl_idx < ri_sl_len; ++ri_sl_idx) {
+ * ri = smartlist_get(routerinfo_list, ri_sl_idx);
+ * while (rs_sl_idx < rs_sl_len) {
+ * rs = smartlist_get(routerstatus_list, rs_sl_idx);
+ * rs_ri_cmp = tor_memcmp(rs->identity_digest, ri->identity_digest, 20);
+ * if (rs_ri_cmp > 0) {
+ * break;
+ * } else if (rs_ri_cmp == 0) {
+ * goto matched_ri;
+ * } else {
+ * ++rs_sl_idx;
+ * }
+ * }
+ * log_info(LD_GENERAL,"No match for %s", ri->nickname);
+ * continue;
+ * matched_ri: {
+ * log_info(LD_GENERAL,"%s matches with routerstatus %p",ri->nickname,rs);
+ * }
+ * }
+ */
+#define SMARTLIST_FOREACH_JOIN(sl1, type1, var1, sl2, type2, var2, \
+ cmpexpr, unmatched_var2) \
+ STMT_BEGIN \
+ int var1 ## _sl_idx = 0, var1 ## _sl_len=(sl1)->num_used; \
+ int var2 ## _sl_idx = 0, var2 ## _sl_len=(sl2)->num_used; \
+ int var1 ## _ ## var2 ## _cmp; \
+ type1 var1; \
+ type2 var2; \
+ for (; var2##_sl_idx < var2##_sl_len; ++var2##_sl_idx) { \
+ var2 = (sl2)->list[var2##_sl_idx]; \
+ while (var1##_sl_idx < var1##_sl_len) { \
+ var1 = (sl1)->list[var1##_sl_idx]; \
+ var1##_##var2##_cmp = (cmpexpr); \
+ if (var1##_##var2##_cmp > 0) { \
+ break; \
+ } else if (var1##_##var2##_cmp == 0) { \
+ goto matched_##var2; \
+ } else { \
+ ++var1##_sl_idx; \
+ } \
+ } \
+ /* Ran out of v1, or no match for var2. */ \
+ unmatched_var2; \
+ continue; \
+ matched_##var2: ; \
+
+#define SMARTLIST_FOREACH_JOIN_END(var1, var2) \
+ } \
+ STMT_END
+
+#endif /* !defined(TOR_SMARTLIST_H) */
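A short, hypothetical example combining the string helpers declared above: build a list with smartlist_add_asprintf() and flatten it with smartlist_join_strings(). It assumes smartlist_new(), smartlist_free(), SMARTLIST_FOREACH(), and tor_free() from the smartlist core and malloc headers; the function name and inputs are illustrative only:

static char *
format_ports(const int *ports, int n_ports)
{
  smartlist_t *sl = smartlist_new();
  char *joined;
  int i;

  for (i = 0; i < n_ports; ++i)
    smartlist_add_asprintf(sl, "%d", ports[i]);

  /* e.g. {80, 443, 9001} -> "80,443,9001"; pass terminate=1 to also get a
   * trailing separator, as documented for smartlist_join_strings(). */
  joined = smartlist_join_strings(sl, ",", 0, NULL);

  SMARTLIST_FOREACH(sl, char *, cp, tor_free(cp));
  smartlist_free(sl);
  return joined;
}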
diff --cc src/test/test_relaycell.c
index eb30cab0e,3f84ee830..63820c996
--- a/src/test/test_relaycell.c
+++ b/src/test/test_relaycell.c
@@@ -5,22 -5,18 +5,25 @@@
#define RELAY_PRIVATE
#define CIRCUITLIST_PRIVATE
-#include "or.h"
-#include "main.h"
-#include "config.h"
-#include "connection.h"
-#include "crypto.h"
-#include "crypto_rand.h"
-#include "circuitbuild.h"
-#include "circuitlist.h"
-#include "connection_edge.h"
-#include "log_test_helpers.h"
-#include "relay.h"
-#include "test.h"
+#include "core/or/or.h"
+#include "core/mainloop/main.h"
+#include "app/config/config.h"
+#include "core/mainloop/connection.h"
+#include "lib/crypt_ops/crypto.h"
++#include "lib/crypt_ops/crypto_rand.h"
+#include "core/or/circuitbuild.h"
+#include "core/or/circuitlist.h"
+#include "core/or/connection_edge.h"
+#include "core/or/relay.h"
+#include "test/test.h"
++#include "test/log_test_helpers.h"
+
+#include "core/or/cell_st.h"
+#include "core/or/crypt_path_st.h"
+#include "core/or/entry_connection_st.h"
+#include "core/or/origin_circuit_st.h"
+#include "core/or/socks_request_st.h"
++#include "core/or/half_edge_st.h"
static int srm_ncalls;
static entry_connection_t *srm_conn;
[View Less]