commit 04866055e8dadc9eb5b09773b3bbdc81e3b4dbbf Author: Mike Perry mikeperry-git@fscked.org Date: Sun Dec 9 20:02:41 2012 -0800
Change from first hop accounting to 2nd hop accounting
This has several advantages, including more resilience to ambient failure.
I still need to rename all the first_hop vars tho.. Saving that for a separate commit. --- src/or/circuitbuild.c | 34 +++++++++++++++++++++++++++++----- 1 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 7282d57..ad52a6c 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -1146,6 +1146,34 @@ pathbias_state_to_string(path_state_t state)
 }
/**
+ * This function decides if a circuit has progressed far enough to count
+ * as a circuit "attempt". As long as end-to-end tagging is possible,
+ * we assume the adversary will use it over hop-to-hop failure. Therefore,
+ * we only need to account bias for the last hop. This should make us
+ * much more resilient to ambient circuit failure, and also make that
+ * failure easier to measure (we only need to measure Exit failure rates).
+ */
+static int
+pathbias_is_new_circ_attempt(origin_circuit_t *circ)
+{
+#define N2N_TAGGING_IS_POSSIBLE
+#ifdef N2N_TAGGING_IS_POSSIBLE
+ /* cpath is a circular list. We want circs with more than one hop,
+ * and the second hop must be waiting for keys still (it's just
+ * about to get them). */
+ return circ->cpath->next != circ->cpath &&
+ circ->cpath->next->state == CPATH_STATE_AWAITING_KEYS;
+#else
+ /* If tagging attacks are no longer possible, we probably want to
+ * count bias from the first hop. However, one could argue that
+ * timing-based tagging is still more useful than per-hop failure.
+ * In which case, we'd never want to use this.
+ */
+ return circ->cpath->state == CPATH_STATE_AWAITING_KEYS;
+#endif
+}
+
+/**
 * Decide if the path bias code should count a circuit.
 *
 * @returns 1 if we should count it, 0 otherwise.
@@ -1219,11 +1247,7 @@ pathbias_count_first_hop(origin_circuit_t *circ)
 return 0;
 }
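Review bot: The `#define N2N_TAGGING_IS_POSSIBLE` sits directly above the `#ifdef` that tests it inside pathbias_is_new_circ_attempt(), so the `#else` first-hop branch can never be compiled, and the macro stays defined for the rest of circuitbuild.c. Because this switch decides where path-bias accounting starts, I would define it once at file scope with a comment saying what must change before it is removed, or at least add `#undef N2N_TAGGING_IS_POSSIBLE` after the `#endif`. The doc comment also says bias is accounted "for the last hop" while the code tests the second hop (`circ->cpath->next`), and it lacks the return line its neighbour has; `@returns 1 if the circuit has more than one hop and its second hop is awaiting keys, 0 otherwise` would match the code. Both branches dereference `circ->cpath` unchecked, which presumably relies on the caller having a non-NULL cpath; that precondition is worth stating in the comment.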
- // XXX: Technically, we could make this only count from the *second* hop..
- // Until we get per-hop MACs or a lower circ failure rate, this might be
- // better from a false positive POV. Should we s/first_hop/circ_attempt/g?
- // Then we can control this check from the consensus.
- if (circ->cpath->state == CPATH_STATE_AWAITING_KEYS) {
+ if (pathbias_is_new_circ_attempt(circ)) {
 /* Help track down the real cause of bug #6475: */
 if (circ->has_opened && circ->path_state != PATH_STATE_DID_FIRST_HOP) {
 if ((rate_msg = rate_limit_log(&first_hop_notice_limit,
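Review bot: The call site in pathbias_count_first_hop() loses the only comment that explained the counting point, while the names around it (`PATH_STATE_DID_FIRST_HOP`, `first_hop_notice_limit`) now describe a second-hop event. I would add `/* Counted when the 2nd hop is awaiting keys; the first_hop names are historical. */` above the new `if`. A circuit whose cpath holds a single hop can never satisfy the new predicate, so it skips this branch and the bug #6475 diagnostic inside it. Whether such circuits are filtered out earlier cannot be seen here, because the function begins and ends outside the hunk.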