[tor/master] hs-v3: Add consensus parameters for DoS defenses - tor-commits

7 Aug 2019

commit c5b00c5a514a6b40e5245bc1fd78fe5490922739
Author: David Goulet dgoulet@torproject.org
Date:   Tue Jun 11 08:28:13 2019 -0400
hs-v3: Add consensus parameters for DoS defenses
Part of #15516
Signed-off-by: David Goulet dgoulet@torproject.org
---
 scripts/maint/practracker/exceptions.txt | 24 +++++++++
 src/app/main/main.c                      |  5 ++
 src/feature/hs/hs_common.c               |  2 +
 src/feature/hs/hs_dos.c                  | 85 ++++++++++++++++++++++++++++++++
 src/feature/hs/hs_dos.h                  | 25 ++++------
 src/feature/nodelist/networkstatus.c     |  2 +
 src/test/test_hs_dos.c                   |  2 +
 src/test/test_hs_intropoint.c            | 19 +++++++
 8 files changed, 148 insertions(+), 16 deletions(-)

diff --git a/scripts/maint/practracker/exceptions.txt b/scripts/maint/practracker/exceptions.txt
index d437726fe..af3ab3304 100644
--- a/scripts/maint/practracker/exceptions.txt
+++ b/scripts/maint/practracker/exceptions.txt
@@ -39,6 +39,7 @@ problem function-size /src/app/config/config.c:options_init_from_torrc() 207
 problem function-size /src/app/config/config.c:options_init_from_string() 171
 problem function-size /src/app/config/config.c:options_init_logs() 145
 problem function-size /src/app/config/config.c:parse_bridge_line() 104
+<<<<<<< HEAD
 problem function-size /src/app/config/config.c:parse_transport_line() 189
 problem function-size /src/app/config/config.c:parse_dir_authority_line() 150
 problem function-size /src/app/config/config.c:parse_dir_fallback_line() 101
@@ -48,6 +49,19 @@ problem function-size /src/app/config/config.c:getinfo_helper_config() 113
 problem include-count /src/app/main/main.c 67
 problem function-size /src/app/main/main.c:dumpstats() 102
 problem function-size /src/app/main/main.c:tor_init() 133
+=======
+problem function-size /src/app/config/config.c:parse_transport_line() 191
+problem function-size /src/app/config/config.c:parse_dir_authority_line() 151
+problem function-size /src/app/config/config.c:parse_dir_fallback_line() 102
+problem function-size /src/app/config/config.c:parse_port_config() 452
+problem function-size /src/app/config/config.c:parse_ports() 170
+problem function-size /src/app/config/config.c:getinfo_helper_config() 116
+problem function-size /src/app/config/confparse.c:config_assign_value() 205
+problem function-size /src/app/config/confparse.c:config_get_assigned_option() 129
+problem include-count /src/app/main/main.c 68
+problem function-size /src/app/main/main.c:dumpstats() 102
+problem function-size /src/app/main/main.c:tor_init() 141
+>>>>>>> hs-v3: Add consensus parameters for DoS defenses
 problem function-size /src/app/main/main.c:sandbox_init_filter() 291
 problem function-size /src/app/main/main.c:run_tor_main_loop() 105
 problem function-size /src/app/main/ntmain.c:nt_service_install() 126
@@ -206,6 +220,7 @@ problem function-size /src/feature/nodelist/authcert.c:trusted_dirs_load_certs_f
 problem function-size /src/feature/nodelist/authcert.c:authority_certs_fetch_missing() 295
 problem function-size /src/feature/nodelist/fmt_routerstatus.c:routerstatus_format_entry() 162
 problem function-size /src/feature/nodelist/microdesc.c:microdesc_cache_rebuild() 134
+<<<<<<< HEAD
 problem include-count /src/feature/nodelist/networkstatus.c 62
 problem function-size /src/feature/nodelist/networkstatus.c:networkstatus_check_consensus_signature() 175
 problem function-size /src/feature/nodelist/networkstatus.c:networkstatus_set_current_consensus() 289
@@ -213,6 +228,15 @@ problem function-size /src/feature/nodelist/node_select.c:router_pick_directory_
 problem function-size /src/feature/nodelist/node_select.c:compute_weighted_bandwidths() 203
 problem function-size /src/feature/nodelist/node_select.c:router_pick_trusteddirserver_impl() 112
 problem function-size /src/feature/nodelist/nodelist.c:compute_frac_paths_available() 190
+=======
+problem include-count /src/feature/nodelist/networkstatus.c 63
+problem function-size /src/feature/nodelist/networkstatus.c:networkstatus_check_consensus_signature() 176
+problem function-size /src/feature/nodelist/networkstatus.c:networkstatus_set_current_consensus() 293
+problem function-size /src/feature/nodelist/node_select.c:router_pick_directory_server_impl() 123
+problem function-size /src/feature/nodelist/node_select.c:compute_weighted_bandwidths() 206
+problem function-size /src/feature/nodelist/node_select.c:router_pick_trusteddirserver_impl() 114
+problem function-size /src/feature/nodelist/nodelist.c:compute_frac_paths_available() 193
+>>>>>>> hs-v3: Add consensus parameters for DoS defenses
 problem file-size /src/feature/nodelist/routerlist.c 3239
 problem function-size /src/feature/nodelist/routerlist.c:router_rebuild_store() 148
 problem function-size /src/feature/nodelist/routerlist.c:router_add_to_routerlist() 168
diff --git a/src/app/main/main.c b/src/app/main/main.c
index 31cee3763..3bdf8f146 100644
--- a/src/app/main/main.c
+++ b/src/app/main/main.c
@@ -41,6 +41,7 @@
 #include "feature/dircache/consdiffmgr.h"
 #include "feature/dirparse/routerparse.h"
 #include "feature/hibernate/hibernate.h"
+#include "feature/hs/hs_dos.h"
 #include "feature/nodelist/authcert.h"
 #include "feature/nodelist/networkstatus.h"
 #include "feature/nodelist/routerlist.h"
@@ -637,6 +638,10 @@ tor_init(int argc, char *argv[])
   /* Initialize circuit padding to defaults+torrc until we get a consensus */
   circpad_machines_init();
+  /* Initialize hidden service DoS subsystem. We need to do this once the
+   * configuration object has been set because it can be accessed. */
+  hs_dos_init();
+
   /* Initialize predicted ports list after loading options */
   predicted_ports_init();
diff --git a/src/feature/hs/hs_common.c b/src/feature/hs/hs_common.c
index a5747fe17..8661ce046 100644
--- a/src/feature/hs/hs_common.c
+++ b/src/feature/hs/hs_common.c
@@ -21,6 +21,7 @@
 #include "feature/hs/hs_circuitmap.h"
 #include "feature/hs/hs_client.h"
 #include "feature/hs/hs_common.h"
+#include "feature/hs/hs_dos.h"
 #include "feature/hs/hs_ident.h"
 #include "feature/hs/hs_service.h"
 #include "feature/hs_common/shared_random_client.h"
@@ -30,6 +31,7 @@
 #include "feature/nodelist/routerset.h"
 #include "feature/rend/rendcommon.h"
 #include "feature/rend/rendservice.h"
+#include "feature/relay/routermode.h"
 #include "lib/crypt_ops/crypto_rand.h"
 #include "lib/crypt_ops/crypto_util.h"
diff --git a/src/feature/hs/hs_dos.c b/src/feature/hs/hs_dos.c
index ad9d044f4..25d282adb 100644
--- a/src/feature/hs/hs_dos.c
+++ b/src/feature/hs/hs_dos.c
@@ -18,14 +18,92 @@
#define HS_DOS_PRIVATE
+#include "core/or/or.h"
+#include "app/config/config.h"
+
 #include "core/or/circuitlist.h"
+#include "feature/nodelist/networkstatus.h"
+#include "feature/relay/routermode.h"
+
+#include "lib/evloop/token_bucket.h"
+
 #include "hs_dos.h"
+/* Default value of the allowed INTRODUCE2 cell rate per second. Above that
+ * value per second, the introduction is denied. */
+#define HS_DOS_INTRODUCE_CELL_RATE_PER_SEC 25
+
+/* Default value of the allowed INTRODUCE2 cell burst per second. This is the
+ * maximum value a token bucket has per second. We thus allow up to this value
+ * of INTRODUCE2 cell per second but the bucket is refilled by the rate value
+ * but never goes above that burst value. */
+#define HS_DOS_INTRODUCE_CELL_BURST_PER_SEC 200
+
+/* Consensus parameters. */
+static uint32_t hs_dos_introduce_rate_per_sec =
+  HS_DOS_INTRODUCE_CELL_RATE_PER_SEC;
+static uint32_t hs_dos_introduce_burst_per_sec =
+  HS_DOS_INTRODUCE_CELL_BURST_PER_SEC;
+
+/* Return the parameter for the introduction rate per sec. */
+static uint32_t
+get_param_rate_per_sec(const networkstatus_t *ns)
+{
+  return networkstatus_get_param(ns, "HiddenServiceEnableIntroDoSRatePerSec",
+                                 HS_DOS_INTRODUCE_CELL_RATE_PER_SEC,
+                                 0, INT32_MAX);
+}
+
+/* Return the parameter for the introduction burst per sec. */
+static uint32_t
+get_param_burst_per_sec(const networkstatus_t *ns)
+{
+  return networkstatus_get_param(ns, "HiddenServiceEnableIntroDoSBurstPerSec",
+                                 HS_DOS_INTRODUCE_CELL_BURST_PER_SEC,
+                                 0, INT32_MAX);
+}
+
+/* Set consensus parameters. */
+static void
+set_consensus_parameters(const networkstatus_t *ns)
+{
+  hs_dos_introduce_rate_per_sec = get_param_rate_per_sec(ns);
+  hs_dos_introduce_burst_per_sec = get_param_burst_per_sec(ns);
+}
+
 /*
  * Public API.
  */
+/* Return the INTRODUCE2 cell rate per second. */
+uint32_t
+hs_dos_get_intro2_rate(void)
+{
+  return hs_dos_introduce_rate_per_sec;
+}
+
+/* Return the INTRODUCE2 cell burst per second. */
+uint32_t
+hs_dos_get_intro2_burst(void)
+{
+  return hs_dos_introduce_burst_per_sec;
+}
+
+/* Called when the consensus has changed. We might have new consensus
+ * parameters to look at. */
+void
+hs_dos_consensus_has_changed(const networkstatus_t *ns)
+{
+  /* No point on updating these values if we are not a public relay that can
+   * be picked to be an introduction point. */
+  if (!public_server_mode(get_options())) {
+    return;
+  }
+
+  set_consensus_parameters(ns);
+}
+
 /* Return true iff an INTRODUCE2 cell can be sent on the given service
  * introduction circuit. */
 bool
@@ -58,3 +136,10 @@ hs_dos_can_send_intro2(or_circuit_t *s_intro_circ)
   /* Finally, we can send a new INTRODUCE2 if there are still tokens. */
   return token_bucket_ctr_get(&s_intro_circ->introduce2_bucket) > 0;
 }
+
+/* Initialize the onion service Denial of Service subsystem. */
+void
+hs_dos_init(void)
+{
+  set_consensus_parameters(NULL);
+}
diff --git a/src/feature/hs/hs_dos.h b/src/feature/hs/hs_dos.h
index e3a83a103..9fba00b52 100644
--- a/src/feature/hs/hs_dos.h
+++ b/src/feature/hs/hs_dos.h
@@ -12,26 +12,19 @@
#include "core/or/or_circuit_st.h"
-#include "lib/evloop/token_bucket.h"
+#include "feature/nodelist/networkstatus_st.h"
-#define HS_DOS_INTRODUCE_CELL_RATE_PER_SEC 25
-#define HS_DOS_INTRODUCE_CELL_BURST_PER_SEC 200
+/* Init */
+void hs_dos_init(void);
+
+/* Consensus. */
+void hs_dos_consensus_has_changed(const networkstatus_t *ns);
bool hs_dos_can_send_intro2(or_circuit_t *s_intro_circ);
-/* Return the INTRODUCE2 cell rate per second. */
-static inline
-uint32_t hs_dos_get_intro2_rate(void)
-{
-  return HS_DOS_INTRODUCE_CELL_RATE_PER_SEC;
-}
-
-/* Return the INTRODUCE2 cell burst per second. */
-static inline
-uint32_t hs_dos_get_intro2_burst(void)
-{
-  return HS_DOS_INTRODUCE_CELL_BURST_PER_SEC;
-}
+/* Getters. */
+uint32_t hs_dos_get_intro2_rate(void);
+uint32_t hs_dos_get_intro2_burst(void);
#ifdef HS_DOS_PRIVATE
diff --git a/src/feature/nodelist/networkstatus.c b/src/feature/nodelist/networkstatus.c
index 2db293a8a..496bafb86 100644
--- a/src/feature/nodelist/networkstatus.c
+++ b/src/feature/nodelist/networkstatus.c
@@ -68,6 +68,7 @@
 #include "feature/dircommon/voting_schedule.h"
 #include "feature/dirparse/ns_parse.h"
 #include "feature/hibernate/hibernate.h"
+#include "feature/hs/hs_dos.h"
 #include "feature/nodelist/authcert.h"
 #include "feature/nodelist/dirlist.h"
 #include "feature/nodelist/fmt_routerstatus.h"
@@ -1674,6 +1675,7 @@ notify_before_networkstatus_changes(const networkstatus_t *old_c,
   notify_control_networkstatus_changed(old_c, new_c);
   dos_consensus_has_changed(new_c);
   relay_consensus_has_changed(new_c);
+  hs_dos_consensus_has_changed(new_c);
 }
/* Called after a new consensus has been put in the global state. It is safe
diff --git a/src/test/test_hs_dos.c b/src/test/test_hs_dos.c
index 6ade897b7..6b8261053 100644
--- a/src/test/test_hs_dos.c
+++ b/src/test/test_hs_dos.c
@@ -26,6 +26,8 @@ test_can_send_intro2(void *arg)
(void) arg;
+  hs_dos_init();
+
   or_circ =  or_circuit_new(1, NULL);
/* Make that circuit a service intro point. */
diff --git a/src/test/test_hs_intropoint.c b/src/test/test_hs_intropoint.c
index 87338b448..1d472397c 100644
--- a/src/test/test_hs_intropoint.c
+++ b/src/test/test_hs_intropoint.c
@@ -26,6 +26,7 @@
 #include "feature/hs/hs_cell.h"
 #include "feature/hs/hs_circuitmap.h"
 #include "feature/hs/hs_common.h"
+#include "feature/hs/hs_dos.h"
 #include "feature/hs/hs_intropoint.h"
 #include "feature/hs/hs_service.h"
@@ -185,6 +186,8 @@ test_establish_intro_wrong_purpose(void *arg)
(void)arg;
+  hs_dos_init();
+
   /* Get the auth key of the intro point */
   crypto_rand(circ_nonce, sizeof(circ_nonce));
   memcpy(intro_circ->rend_circ_nonce, circ_nonce, DIGEST_LEN);
@@ -227,6 +230,8 @@ test_establish_intro_wrong_keytype(void *arg)
(void) arg;
+  hs_dos_init();
+
   /* Get the auth key of the intro point */
   crypto_rand(circ_nonce, sizeof(circ_nonce));
   helper_prepare_circ_for_intro(intro_circ, circ_nonce);
@@ -254,6 +259,8 @@ test_establish_intro_wrong_keytype2(void *arg)
(void) arg;
+  hs_dos_init();
+
   /* Get the auth key of the intro point */
   crypto_rand(circ_nonce, sizeof(circ_nonce));
   helper_prepare_circ_for_intro(intro_circ, circ_nonce);
@@ -290,6 +297,8 @@ test_establish_intro_wrong_mac(void *arg)
(void) arg;
+  hs_dos_init();
+
   /* Get the auth key of the intro point */
   crypto_rand(circ_nonce, sizeof(circ_nonce));
   helper_prepare_circ_for_intro(intro_circ, circ_nonce);
@@ -362,6 +371,8 @@ test_establish_intro_wrong_auth_key_len(void *arg)
(void) arg;
+  hs_dos_init();
+
   /* Get the auth key of the intro point */
   crypto_rand(circ_nonce, sizeof(circ_nonce));
   helper_prepare_circ_for_intro(intro_circ, circ_nonce);
@@ -407,6 +418,8 @@ test_establish_intro_wrong_sig_len(void *arg)
(void) arg;
+  hs_dos_init();
+
   /* Get the auth key of the intro point */
   crypto_rand(circ_nonce, sizeof(circ_nonce));
   helper_prepare_circ_for_intro(intro_circ, circ_nonce);
@@ -450,6 +463,8 @@ test_establish_intro_wrong_sig(void *arg)
(void) arg;
+  hs_dos_init();
+
   /* Get the auth key of the intro point */
   crypto_rand(circ_nonce, sizeof(circ_nonce));
   helper_prepare_circ_for_intro(intro_circ, circ_nonce);
@@ -487,6 +502,8 @@ helper_establish_intro_v3(or_circuit_t *intro_circ)
tt_assert(intro_circ);
+  hs_dos_init();
+
   /* Prepare the circuit for the incoming ESTABLISH_INTRO */
   crypto_rand(circ_nonce, sizeof(circ_nonce));
   helper_prepare_circ_for_intro(intro_circ, circ_nonce);
@@ -522,6 +539,8 @@ helper_establish_intro_v2(or_circuit_t *intro_circ)
tt_assert(intro_circ);
+  hs_dos_init();
+
   /* Prepare the circuit for the incoming ESTABLISH_INTRO */
   crypto_rand(circ_nonce, sizeof(circ_nonce));
   helper_prepare_circ_for_intro(intro_circ, circ_nonce);

    