1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6
7 /**
8 * \file relay.c
9 * \brief Handle relay cell encryption/decryption, plus packaging and
10 * receiving from circuits, plus queuing on circuits.
11 *
12 * This is a core modules that makes Tor work. It's responsible for
13 * dealing with RELAY cells (the ones that travel more than one hop along a
14 * circuit), by:
15 * <ul>
16 * <li>constructing relays cells,
17 * <li>encrypting relay cells,
18 * <li>decrypting relay cells,
19 * <li>demultiplexing relay cells as they arrive on a connection,
20 * <li>queueing relay cells for retransmission,
21 * <li>or handling relay cells that are for us to receive (as an exit or a
22 * client).
23 * </ul>
24 *
25 * RELAY cells are generated throughout the code at the client or relay side,
26 * using relay_send_command_from_edge() or one of the functions like
27 * connection_edge_send_command() that calls it. Of particular interest is
28 * connection_edge_package_raw_inbuf(), which takes information that has
29 * arrived on an edge connection socket, and packages it as a RELAY_DATA cell
30 * -- this is how information is actually sent across the Tor network. The
31 * cryptography for these functions is handled deep in
32 * circuit_package_relay_cell(), which either adds a single layer of
33 * encryption (if we're an exit), or multiple layers (if we're the origin of
34 * the circuit). After construction and encryption, the RELAY cells are
35 * passed to append_cell_to_circuit_queue(), which queues them for
36 * transmission and tells the circuitmux (see circuitmux.c) that the circuit
37 * is waiting to send something.
38 *
39 * Incoming RELAY cells arrive at circuit_receive_relay_cell(), called from
40 * command.c. There they are decrypted and, if they are for us, are passed to
41 * connection_edge_process_relay_cell(). If they're not for us, they're
42 * re-queued for retransmission again with append_cell_to_circuit_queue().
43 *
44 * The connection_edge_process_relay_cell() function handles all the different
45 * types of relay cells, launching requests or transmitting data as needed.
46 **/
47
48 #define RELAY_PRIVATE
49 #include "core/or/or.h"
50 #include "feature/client/addressmap.h"
51 #include "lib/err/backtrace.h"
52 #include "lib/buf/buffers.h"
53 #include "core/or/channel.h"
54 #include "feature/client/circpathbias.h"
55 #include "core/or/circuitbuild.h"
56 #include "core/or/circuitlist.h"
57 #include "core/or/circuituse.h"
58 #include "core/or/circuitpadding.h"
59 #include "core/or/extendinfo.h"
60 #include "lib/compress/compress.h"
61 #include "app/config/config.h"
62 #include "core/mainloop/connection.h"
63 #include "core/or/connection_edge.h"
64 #include "core/or/connection_or.h"
65 #include "feature/control/control_events.h"
66 #include "lib/crypt_ops/crypto_rand.h"
67 #include "lib/crypt_ops/crypto_util.h"
68 #include "feature/dircommon/directory.h"
69 #include "feature/relay/dns.h"
70 #include "feature/relay/circuitbuild_relay.h"
71 #include "feature/stats/geoip_stats.h"
72 #include "feature/hs/hs_cache.h"
73 #include "core/mainloop/mainloop.h"
74 #include "feature/nodelist/networkstatus.h"
75 #include "feature/nodelist/nodelist.h"
76 #include "core/or/onion.h"
77 #include "core/or/policies.h"
78 #include "core/or/reasons.h"
79 #include "core/or/relay.h"
80 #include "core/crypto/relay_crypto.h"
81 #include "feature/rend/rendcommon.h"
82 #include "feature/nodelist/describe.h"
83 #include "feature/nodelist/routerlist.h"
84 #include "core/or/scheduler.h"
85 #include "feature/hs/hs_metrics.h"
86 #include "feature/stats/rephist.h"
87
88 #include "core/or/cell_st.h"
89 #include "core/or/cell_queue_st.h"
90 #include "core/or/cpath_build_state_st.h"
91 #include "feature/dircommon/dir_connection_st.h"
92 #include "core/or/destroy_cell_queue_st.h"
93 #include "core/or/entry_connection_st.h"
94 #include "core/or/extend_info_st.h"
95 #include "core/or/or_circuit_st.h"
96 #include "core/or/origin_circuit_st.h"
97 #include "feature/nodelist/routerinfo_st.h"
98 #include "core/or/socks_request_st.h"
99 #include "core/or/sendme.h"
100
101 static edge_connection_t *relay_lookup_conn(circuit_t *circ, cell_t *cell,
102 cell_direction_t cell_direction,
103 crypt_path_t *layer_hint);
104
105 static void circuit_resume_edge_reading(circuit_t *circ,
106 crypt_path_t *layer_hint);
107 static int circuit_resume_edge_reading_helper(edge_connection_t *conn,
108 circuit_t *circ,
109 crypt_path_t *layer_hint);
110 static int circuit_consider_stop_edge_reading(circuit_t *circ,
111 crypt_path_t *layer_hint);
112 static int circuit_queue_streams_are_blocked(circuit_t *circ);
113 static void adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t *circ,
114 entry_connection_t *conn,
115 node_t *node,
116 const tor_addr_t *addr);
117
118 /** Stop reading on edge connections when we have this many cells
119 * waiting on the appropriate queue. */
120 #define CELL_QUEUE_HIGHWATER_SIZE 256
121 /** Start reading from edge connections again when we get down to this many
122 * cells. */
123 #define CELL_QUEUE_LOWWATER_SIZE 64
124
125 /** Stats: how many relay cells have originated at this hop, or have
126 * been relayed onward (not recognized at this hop)?
127 */
128 uint64_t stats_n_relay_cells_relayed = 0;
129 /** Stats: how many relay cells have been delivered to streams at this
130 * hop?
131 */
132 uint64_t stats_n_relay_cells_delivered = 0;
133 /** Stats: how many circuits have we closed due to the cell queue limit being
134 * reached (see append_cell_to_circuit_queue()) */
135 uint64_t stats_n_circ_max_cell_reached = 0;
136
137 /**
138 * Update channel usage state based on the type of relay cell and
139 * circuit properties.
140 *
141 * This is needed to determine if a client channel is being
142 * used for application traffic, and if a relay channel is being
143 * used for multihop circuits and application traffic. The decision
144 * to pad in channelpadding.c depends upon this info (as well as
145 * consensus parameters) to decide what channels to pad.
146 */
147 static void
circuit_update_channel_usage(circuit_t * circ,cell_t * cell)148 circuit_update_channel_usage(circuit_t *circ, cell_t *cell)
149 {
150 if (CIRCUIT_IS_ORIGIN(circ)) {
151 /*
152 * The client state was first set much earlier in
153 * circuit_send_next_onion_skin(), so we can start padding as early as
154 * possible.
155 *
156 * However, if padding turns out to be expensive, we may want to not do
157 * it until actual application traffic starts flowing (which is controlled
158 * via consensus param nf_pad_before_usage).
159 *
160 * So: If we're an origin circuit and we've created a full length circuit,
161 * then any CELL_RELAY cell means application data. Increase the usage
162 * state of the channel to indicate this.
163 *
164 * We want to wait for CELL_RELAY specifically here, so we know that
165 * the channel was definitely being used for data and not for extends.
166 * By default, we pad as soon as a channel has been used for *any*
167 * circuits, so this state is irrelevant to the padding decision in
168 * the default case. However, if padding turns out to be expensive,
169 * we would like the ability to avoid padding until we're absolutely
170 * sure that a channel is used for enough application data to be worth
171 * padding.
172 *
173 * (So it does not matter that CELL_RELAY_EARLY can actually contain
174 * application data. This is only a load reducing option and that edge
175 * case does not matter if we're desperately trying to reduce overhead
176 * anyway. See also consensus parameter nf_pad_before_usage).
177 */
178 if (BUG(!circ->n_chan))
179 return;
180
181 if (circ->n_chan->channel_usage == CHANNEL_USED_FOR_FULL_CIRCS &&
182 cell->command == CELL_RELAY) {
183 circ->n_chan->channel_usage = CHANNEL_USED_FOR_USER_TRAFFIC;
184 }
185 } else {
186 /* If we're a relay circuit, the question is more complicated. Basically:
187 * we only want to pad connections that carry multihop (anonymous)
188 * circuits.
189 *
190 * We assume we're more than one hop if either the previous hop
191 * is not a client, or if the previous hop is a client and there's
192 * a next hop. Then, circuit traffic starts at RELAY_EARLY, and
193 * user application traffic starts when we see RELAY cells.
194 */
195 or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
196
197 if (BUG(!or_circ->p_chan))
198 return;
199
200 if (!channel_is_client(or_circ->p_chan) ||
201 (channel_is_client(or_circ->p_chan) && circ->n_chan)) {
202 if (cell->command == CELL_RELAY_EARLY) {
203 if (or_circ->p_chan->channel_usage < CHANNEL_USED_FOR_FULL_CIRCS) {
204 or_circ->p_chan->channel_usage = CHANNEL_USED_FOR_FULL_CIRCS;
205 }
206 } else if (cell->command == CELL_RELAY) {
207 or_circ->p_chan->channel_usage = CHANNEL_USED_FOR_USER_TRAFFIC;
208 }
209 }
210 }
211 }
212
213 /** Receive a relay cell:
214 * - Crypt it (encrypt if headed toward the origin or if we <b>are</b> the
215 * origin; decrypt if we're headed toward the exit).
216 * - Check if recognized (if exitward).
217 * - If recognized and the digest checks out, then find if there's a stream
218 * that the cell is intended for, and deliver it to the right
219 * connection_edge.
220 * - If not recognized, then we need to relay it: append it to the appropriate
221 * cell_queue on <b>circ</b>.
222 *
223 * Return -<b>reason</b> on failure.
224 */
225 int
circuit_receive_relay_cell(cell_t * cell,circuit_t * circ,cell_direction_t cell_direction)226 circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
227 cell_direction_t cell_direction)
228 {
229 channel_t *chan = NULL;
230 crypt_path_t *layer_hint=NULL;
231 char recognized=0;
232 int reason;
233
234 tor_assert(cell);
235 tor_assert(circ);
236 tor_assert(cell_direction == CELL_DIRECTION_OUT ||
237 cell_direction == CELL_DIRECTION_IN);
238 if (circ->marked_for_close)
239 return 0;
240
241 if (relay_decrypt_cell(circ, cell, cell_direction, &layer_hint, &recognized)
242 < 0) {
243 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
244 "relay crypt failed. Dropping connection.");
245 return -END_CIRC_REASON_INTERNAL;
246 }
247
248 circuit_update_channel_usage(circ, cell);
249
250 if (recognized) {
251 edge_connection_t *conn = NULL;
252
253 /* Recognized cell, the cell digest has been updated, we'll record it for
254 * the SENDME if need be. */
255 sendme_record_received_cell_digest(circ, layer_hint);
256
257 if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) {
258 if (pathbias_check_probe_response(circ, cell) == -1) {
259 pathbias_count_valid_cells(circ, cell);
260 }
261
262 /* We need to drop this cell no matter what to avoid code that expects
263 * a certain purpose (such as the hidserv code). */
264 return 0;
265 }
266
267 conn = relay_lookup_conn(circ, cell, cell_direction, layer_hint);
268 if (cell_direction == CELL_DIRECTION_OUT) {
269 ++stats_n_relay_cells_delivered;
270 log_debug(LD_OR,"Sending away from origin.");
271 reason = connection_edge_process_relay_cell(cell, circ, conn, NULL);
272 if (reason < 0) {
273 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
274 "connection_edge_process_relay_cell (away from origin) "
275 "failed.");
276 return reason;
277 }
278 }
279 if (cell_direction == CELL_DIRECTION_IN) {
280 ++stats_n_relay_cells_delivered;
281 log_debug(LD_OR,"Sending to origin.");
282 reason = connection_edge_process_relay_cell(cell, circ, conn,
283 layer_hint);
284 if (reason < 0) {
285 /* If a client is trying to connect to unknown hidden service port,
286 * END_CIRC_AT_ORIGIN is sent back so we can then close the circuit.
287 * Do not log warn as this is an expected behavior for a service. */
288 if (reason != END_CIRC_AT_ORIGIN) {
289 log_warn(LD_OR,
290 "connection_edge_process_relay_cell (at origin) failed.");
291 }
292 return reason;
293 }
294 }
295 return 0;
296 }
297
298 /* not recognized. inform circpad and pass it on. */
299 circpad_deliver_unrecognized_cell_events(circ, cell_direction);
300
301 if (cell_direction == CELL_DIRECTION_OUT) {
302 cell->circ_id = circ->n_circ_id; /* switch it */
303 chan = circ->n_chan;
304 } else if (! CIRCUIT_IS_ORIGIN(circ)) {
305 cell->circ_id = TO_OR_CIRCUIT(circ)->p_circ_id; /* switch it */
306 chan = TO_OR_CIRCUIT(circ)->p_chan;
307 } else {
308 log_fn(LOG_PROTOCOL_WARN, LD_OR,
309 "Dropping unrecognized inbound cell on origin circuit.");
310 /* If we see unrecognized cells on path bias testing circs,
311 * it's bad mojo. Those circuits need to die.
312 * XXX: Shouldn't they always die? */
313 if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) {
314 TO_ORIGIN_CIRCUIT(circ)->path_state = PATH_STATE_USE_FAILED;
315 return -END_CIRC_REASON_TORPROTOCOL;
316 } else {
317 return 0;
318 }
319 }
320
321 if (!chan) {
322 // XXXX Can this splice stuff be done more cleanly?
323 if (! CIRCUIT_IS_ORIGIN(circ) &&
324 TO_OR_CIRCUIT(circ)->rend_splice &&
325 cell_direction == CELL_DIRECTION_OUT) {
326 or_circuit_t *splice_ = TO_OR_CIRCUIT(circ)->rend_splice;
327 tor_assert(circ->purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED);
328 tor_assert(splice_->base_.purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED);
329 cell->circ_id = splice_->p_circ_id;
330 cell->command = CELL_RELAY; /* can't be relay_early anyway */
331 if ((reason = circuit_receive_relay_cell(cell, TO_CIRCUIT(splice_),
332 CELL_DIRECTION_IN)) < 0) {
333 log_warn(LD_REND, "Error relaying cell across rendezvous; closing "
334 "circuits");
335 /* XXXX Do this here, or just return -1? */
336 circuit_mark_for_close(circ, -reason);
337 return reason;
338 }
339 return 0;
340 }
341 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
342 "Didn't recognize cell, but circ stops here! Closing circ.");
343 return -END_CIRC_REASON_TORPROTOCOL;
344 }
345
346 log_debug(LD_OR,"Passing on unrecognized cell.");
347
348 ++stats_n_relay_cells_relayed; /* XXXX no longer quite accurate {cells}
349 * we might kill the circ before we relay
350 * the cells. */
351
352 append_cell_to_circuit_queue(circ, chan, cell, cell_direction, 0);
353 return 0;
354 }
355
356 /** Package a relay cell from an edge:
357 * - Encrypt it to the right layer
358 * - Append it to the appropriate cell_queue on <b>circ</b>.
359 */
360 MOCK_IMPL(int,
361 circuit_package_relay_cell, (cell_t *cell, circuit_t *circ,
362 cell_direction_t cell_direction,
363 crypt_path_t *layer_hint, streamid_t on_stream,
364 const char *filename, int lineno))
365 {
366 channel_t *chan; /* where to send the cell */
367
368 if (circ->marked_for_close) {
369 /* Circuit is marked; send nothing. */
370 return 0;
371 }
372
373 if (cell_direction == CELL_DIRECTION_OUT) {
374 chan = circ->n_chan;
375 if (!chan) {
376 log_warn(LD_BUG,"outgoing relay cell sent from %s:%d has n_chan==NULL."
377 " Dropping. Circuit is in state %s (%d), and is "
378 "%smarked for close. (%s:%d, %d)", filename, lineno,
379 circuit_state_to_string(circ->state), circ->state,
380 circ->marked_for_close ? "" : "not ",
381 circ->marked_for_close_file?circ->marked_for_close_file:"",
382 circ->marked_for_close, circ->marked_for_close_reason);
383 if (CIRCUIT_IS_ORIGIN(circ)) {
384 circuit_log_path(LOG_WARN, LD_BUG, TO_ORIGIN_CIRCUIT(circ));
385 }
386 log_backtrace(LOG_WARN,LD_BUG,"");
387 return 0; /* just drop it */
388 }
389 if (!CIRCUIT_IS_ORIGIN(circ)) {
390 log_warn(LD_BUG,"outgoing relay cell sent from %s:%d on non-origin "
391 "circ. Dropping.", filename, lineno);
392 log_backtrace(LOG_WARN,LD_BUG,"");
393 return 0; /* just drop it */
394 }
395
396 relay_encrypt_cell_outbound(cell, TO_ORIGIN_CIRCUIT(circ), layer_hint);
397
398 /* Update circ written totals for control port */
399 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
400 ocirc->n_written_circ_bw = tor_add_u32_nowrap(ocirc->n_written_circ_bw,
401 CELL_PAYLOAD_SIZE);
402
403 } else { /* incoming cell */
404 if (CIRCUIT_IS_ORIGIN(circ)) {
405 /* We should never package an _incoming_ cell from the circuit
406 * origin; that means we messed up somewhere. */
407 log_warn(LD_BUG,"incoming relay cell at origin circuit. Dropping.");
408 assert_circuit_ok(circ);
409 return 0; /* just drop it */
410 }
411 or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
412 relay_encrypt_cell_inbound(cell, or_circ);
413 chan = or_circ->p_chan;
414 }
415 ++stats_n_relay_cells_relayed;
416
417 append_cell_to_circuit_queue(circ, chan, cell, cell_direction, on_stream);
418 return 0;
419 }
420
421 /** If cell's stream_id matches the stream_id of any conn that's
422 * attached to circ, return that conn, else return NULL.
423 */
424 static edge_connection_t *
relay_lookup_conn(circuit_t * circ,cell_t * cell,cell_direction_t cell_direction,crypt_path_t * layer_hint)425 relay_lookup_conn(circuit_t *circ, cell_t *cell,
426 cell_direction_t cell_direction, crypt_path_t *layer_hint)
427 {
428 edge_connection_t *tmpconn;
429 relay_header_t rh;
430
431 relay_header_unpack(&rh, cell->payload);
432
433 if (!rh.stream_id)
434 return NULL;
435
436 /* IN or OUT cells could have come from either direction, now
437 * that we allow rendezvous *to* an OP.
438 */
439
440 if (CIRCUIT_IS_ORIGIN(circ)) {
441 for (tmpconn = TO_ORIGIN_CIRCUIT(circ)->p_streams; tmpconn;
442 tmpconn=tmpconn->next_stream) {
443 if (rh.stream_id == tmpconn->stream_id &&
444 !tmpconn->base_.marked_for_close &&
445 tmpconn->cpath_layer == layer_hint) {
446 log_debug(LD_APP,"found conn for stream %d.", rh.stream_id);
447 return tmpconn;
448 }
449 }
450 } else {
451 for (tmpconn = TO_OR_CIRCUIT(circ)->n_streams; tmpconn;
452 tmpconn=tmpconn->next_stream) {
453 if (rh.stream_id == tmpconn->stream_id &&
454 !tmpconn->base_.marked_for_close) {
455 log_debug(LD_EXIT,"found conn for stream %d.", rh.stream_id);
456 if (cell_direction == CELL_DIRECTION_OUT ||
457 connection_edge_is_rendezvous_stream(tmpconn))
458 return tmpconn;
459 }
460 }
461 for (tmpconn = TO_OR_CIRCUIT(circ)->resolving_streams; tmpconn;
462 tmpconn=tmpconn->next_stream) {
463 if (rh.stream_id == tmpconn->stream_id &&
464 !tmpconn->base_.marked_for_close) {
465 log_debug(LD_EXIT,"found conn for stream %d.", rh.stream_id);
466 return tmpconn;
467 }
468 }
469 }
470 return NULL; /* probably a begin relay cell */
471 }
472
473 /** Pack the relay_header_t host-order structure <b>src</b> into
474 * network-order in the buffer <b>dest</b>. See tor-spec.txt for details
475 * about the wire format.
476 */
477 void
relay_header_pack(uint8_t * dest,const relay_header_t * src)478 relay_header_pack(uint8_t *dest, const relay_header_t *src)
479 {
480 set_uint8(dest, src->command);
481 set_uint16(dest+1, htons(src->recognized));
482 set_uint16(dest+3, htons(src->stream_id));
483 memcpy(dest+5, src->integrity, 4);
484 set_uint16(dest+9, htons(src->length));
485 }
486
487 /** Unpack the network-order buffer <b>src</b> into a host-order
488 * relay_header_t structure <b>dest</b>.
489 */
490 void
relay_header_unpack(relay_header_t * dest,const uint8_t * src)491 relay_header_unpack(relay_header_t *dest, const uint8_t *src)
492 {
493 dest->command = get_uint8(src);
494 dest->recognized = ntohs(get_uint16(src+1));
495 dest->stream_id = ntohs(get_uint16(src+3));
496 memcpy(dest->integrity, src+5, 4);
497 dest->length = ntohs(get_uint16(src+9));
498 }
499
500 /** Convert the relay <b>command</b> into a human-readable string. */
501 static const char *
relay_command_to_string(uint8_t command)502 relay_command_to_string(uint8_t command)
503 {
504 static char buf[64];
505 switch (command) {
506 case RELAY_COMMAND_BEGIN: return "BEGIN";
507 case RELAY_COMMAND_DATA: return "DATA";
508 case RELAY_COMMAND_END: return "END";
509 case RELAY_COMMAND_CONNECTED: return "CONNECTED";
510 case RELAY_COMMAND_SENDME: return "SENDME";
511 case RELAY_COMMAND_EXTEND: return "EXTEND";
512 case RELAY_COMMAND_EXTENDED: return "EXTENDED";
513 case RELAY_COMMAND_TRUNCATE: return "TRUNCATE";
514 case RELAY_COMMAND_TRUNCATED: return "TRUNCATED";
515 case RELAY_COMMAND_DROP: return "DROP";
516 case RELAY_COMMAND_RESOLVE: return "RESOLVE";
517 case RELAY_COMMAND_RESOLVED: return "RESOLVED";
518 case RELAY_COMMAND_BEGIN_DIR: return "BEGIN_DIR";
519 case RELAY_COMMAND_ESTABLISH_INTRO: return "ESTABLISH_INTRO";
520 case RELAY_COMMAND_ESTABLISH_RENDEZVOUS: return "ESTABLISH_RENDEZVOUS";
521 case RELAY_COMMAND_INTRODUCE1: return "INTRODUCE1";
522 case RELAY_COMMAND_INTRODUCE2: return "INTRODUCE2";
523 case RELAY_COMMAND_RENDEZVOUS1: return "RENDEZVOUS1";
524 case RELAY_COMMAND_RENDEZVOUS2: return "RENDEZVOUS2";
525 case RELAY_COMMAND_INTRO_ESTABLISHED: return "INTRO_ESTABLISHED";
526 case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
527 return "RENDEZVOUS_ESTABLISHED";
528 case RELAY_COMMAND_INTRODUCE_ACK: return "INTRODUCE_ACK";
529 case RELAY_COMMAND_EXTEND2: return "EXTEND2";
530 case RELAY_COMMAND_EXTENDED2: return "EXTENDED2";
531 case RELAY_COMMAND_PADDING_NEGOTIATE: return "PADDING_NEGOTIATE";
532 case RELAY_COMMAND_PADDING_NEGOTIATED: return "PADDING_NEGOTIATED";
533 default:
534 tor_snprintf(buf, sizeof(buf), "Unrecognized relay command %u",
535 (unsigned)command);
536 return buf;
537 }
538 }
539
540 /** When padding a cell with randomness, leave this many zeros after the
541 * payload. */
542 #define CELL_PADDING_GAP 4
543
544 /** Return the offset where the padding should start. The <b>data_len</b> is
545 * the relay payload length expected to be put in the cell. It can not be
546 * bigger than RELAY_PAYLOAD_SIZE else this function assert().
547 *
548 * Value will always be smaller than CELL_PAYLOAD_SIZE because this offset is
549 * for the entire cell length not just the data payload length. Zero is
550 * returned if there is no room for padding.
551 *
552 * This function always skips the first 4 bytes after the payload because
553 * having some unused zero bytes has saved us a lot of times in the past. */
554
555 STATIC size_t
get_pad_cell_offset(size_t data_len)556 get_pad_cell_offset(size_t data_len)
557 {
558 /* This is never supposed to happen but in case it does, stop right away
559 * because if tor is tricked somehow into not adding random bytes to the
560 * payload with this function returning 0 for a bad data_len, the entire
561 * authenticated SENDME design can be bypassed leading to bad denial of
562 * service attacks. */
563 tor_assert(data_len <= RELAY_PAYLOAD_SIZE);
564
565 /* If the offset is larger than the cell payload size, we return an offset
566 * of zero indicating that no padding needs to be added. */
567 size_t offset = RELAY_HEADER_SIZE + data_len + CELL_PADDING_GAP;
568 if (offset >= CELL_PAYLOAD_SIZE) {
569 return 0;
570 }
571 return offset;
572 }
573
574 /* Add random bytes to the unused portion of the payload, to foil attacks
575 * where the other side can predict all of the bytes in the payload and thus
576 * compute the authenticated SENDME cells without seeing the traffic. See
577 * proposal 289. */
578 static void
pad_cell_payload(uint8_t * cell_payload,size_t data_len)579 pad_cell_payload(uint8_t *cell_payload, size_t data_len)
580 {
581 size_t pad_offset, pad_len;
582
583 tor_assert(cell_payload);
584
585 pad_offset = get_pad_cell_offset(data_len);
586 if (pad_offset == 0) {
587 /* We can't add padding so we are done. */
588 return;
589 }
590
591 /* Remember here that the cell_payload is the length of the header and
592 * payload size so we offset it using the full length of the cell. */
593 pad_len = CELL_PAYLOAD_SIZE - pad_offset;
594 crypto_fast_rng_getbytes(get_thread_fast_rng(),
595 cell_payload + pad_offset, pad_len);
596 }
597
598 /** Make a relay cell out of <b>relay_command</b> and <b>payload</b>, and send
599 * it onto the open circuit <b>circ</b>. <b>stream_id</b> is the ID on
600 * <b>circ</b> for the stream that's sending the relay cell, or 0 if it's a
601 * control cell. <b>cpath_layer</b> is NULL for OR->OP cells, or the
602 * destination hop for OP->OR cells.
603 *
604 * If you can't send the cell, mark the circuit for close and return -1. Else
605 * return 0.
606 */
607 MOCK_IMPL(int,
608 relay_send_command_from_edge_,(streamid_t stream_id, circuit_t *circ,
609 uint8_t relay_command, const char *payload,
610 size_t payload_len, crypt_path_t *cpath_layer,
611 const char *filename, int lineno))
612 {
613 cell_t cell;
614 relay_header_t rh;
615 cell_direction_t cell_direction;
616 /* XXXX NM Split this function into a separate versions per circuit type? */
617
618 tor_assert(circ);
619 tor_assert(payload_len <= RELAY_PAYLOAD_SIZE);
620
621 memset(&cell, 0, sizeof(cell_t));
622 cell.command = CELL_RELAY;
623 if (CIRCUIT_IS_ORIGIN(circ)) {
624 tor_assert(cpath_layer);
625 cell.circ_id = circ->n_circ_id;
626 cell_direction = CELL_DIRECTION_OUT;
627 } else {
628 tor_assert(! cpath_layer);
629 cell.circ_id = TO_OR_CIRCUIT(circ)->p_circ_id;
630 cell_direction = CELL_DIRECTION_IN;
631 }
632
633 memset(&rh, 0, sizeof(rh));
634 rh.command = relay_command;
635 rh.stream_id = stream_id;
636 rh.length = payload_len;
637 relay_header_pack(cell.payload, &rh);
638 if (payload_len)
639 memcpy(cell.payload+RELAY_HEADER_SIZE, payload, payload_len);
640
641 /* Add random padding to the cell if we can. */
642 pad_cell_payload(cell.payload, payload_len);
643
644 log_debug(LD_OR,"delivering %d cell %s.", relay_command,
645 cell_direction == CELL_DIRECTION_OUT ? "forward" : "backward");
646
647 /* Tell circpad we're sending a relay cell */
648 circpad_deliver_sent_relay_cell_events(circ, relay_command);
649
650 /* If we are sending an END cell and this circuit is used for a tunneled
651 * directory request, advance its state. */
652 if (relay_command == RELAY_COMMAND_END && circ->dirreq_id)
653 geoip_change_dirreq_state(circ->dirreq_id, DIRREQ_TUNNELED,
654 DIRREQ_END_CELL_SENT);
655
656 if (cell_direction == CELL_DIRECTION_OUT && circ->n_chan) {
657 /* if we're using relaybandwidthrate, this conn wants priority */
658 channel_timestamp_client(circ->n_chan);
659 }
660
661 if (cell_direction == CELL_DIRECTION_OUT) {
662 origin_circuit_t *origin_circ = TO_ORIGIN_CIRCUIT(circ);
663 if (origin_circ->remaining_relay_early_cells > 0 &&
664 (relay_command == RELAY_COMMAND_EXTEND ||
665 relay_command == RELAY_COMMAND_EXTEND2 ||
666 cpath_layer != origin_circ->cpath)) {
667 /* If we've got any relay_early cells left and (we're sending
668 * an extend cell or we're not talking to the first hop), use
669 * one of them. Don't worry about the conn protocol version:
670 * append_cell_to_circuit_queue will fix it up. */
671 cell.command = CELL_RELAY_EARLY;
672 /* If we're out of relay early cells, tell circpad */
673 if (--origin_circ->remaining_relay_early_cells == 0)
674 circpad_machine_event_circ_has_no_relay_early(origin_circ);
675 log_debug(LD_OR, "Sending a RELAY_EARLY cell; %d remaining.",
676 (int)origin_circ->remaining_relay_early_cells);
677 /* Memorize the command that is sent as RELAY_EARLY cell; helps debug
678 * task 878. */
679 origin_circ->relay_early_commands[
680 origin_circ->relay_early_cells_sent++] = relay_command;
681 } else if (relay_command == RELAY_COMMAND_EXTEND ||
682 relay_command == RELAY_COMMAND_EXTEND2) {
683 /* If no RELAY_EARLY cells can be sent over this circuit, log which
684 * commands have been sent as RELAY_EARLY cells before; helps debug
685 * task 878. */
686 smartlist_t *commands_list = smartlist_new();
687 int i = 0;
688 char *commands = NULL;
689 for (; i < origin_circ->relay_early_cells_sent; i++)
690 smartlist_add(commands_list, (char *)
691 relay_command_to_string(origin_circ->relay_early_commands[i]));
692 commands = smartlist_join_strings(commands_list, ",", 0, NULL);
693 log_warn(LD_BUG, "Uh-oh. We're sending a RELAY_COMMAND_EXTEND cell, "
694 "but we have run out of RELAY_EARLY cells on that circuit. "
695 "Commands sent before: %s", commands);
696 tor_free(commands);
697 smartlist_free(commands_list);
698 }
699
700 /* Let's assume we're well-behaved: Anything that we decide to send is
701 * valid, delivered data. */
702 circuit_sent_valid_data(origin_circ, rh.length);
703 }
704
705 if (circuit_package_relay_cell(&cell, circ, cell_direction, cpath_layer,
706 stream_id, filename, lineno) < 0) {
707 log_warn(LD_BUG,"circuit_package_relay_cell failed. Closing.");
708 circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
709 return -1;
710 }
711
712 /* If applicable, note the cell digest for the SENDME version 1 purpose if
713 * we need to. This call needs to be after the circuit_package_relay_cell()
714 * because the cell digest is set within that function. */
715 if (relay_command == RELAY_COMMAND_DATA) {
716 sendme_record_cell_digest_on_circ(circ, cpath_layer);
717 }
718
719 return 0;
720 }
721
722 /** Make a relay cell out of <b>relay_command</b> and <b>payload</b>, and
723 * send it onto the open circuit <b>circ</b>. <b>fromconn</b> is the stream
724 * that's sending the relay cell, or NULL if it's a control cell.
725 * <b>cpath_layer</b> is NULL for OR->OP cells, or the destination hop
726 * for OP->OR cells.
727 *
728 * If you can't send the cell, mark the circuit for close and
729 * return -1. Else return 0.
730 */
731 int
connection_edge_send_command(edge_connection_t * fromconn,uint8_t relay_command,const char * payload,size_t payload_len)732 connection_edge_send_command(edge_connection_t *fromconn,
733 uint8_t relay_command, const char *payload,
734 size_t payload_len)
735 {
736 /* XXXX NM Split this function into a separate versions per circuit type? */
737 circuit_t *circ;
738 crypt_path_t *cpath_layer = fromconn->cpath_layer;
739 tor_assert(fromconn);
740 circ = fromconn->on_circuit;
741
742 if (fromconn->base_.marked_for_close) {
743 log_warn(LD_BUG,
744 "called on conn that's already marked for close at %s:%d.",
745 fromconn->base_.marked_for_close_file,
746 fromconn->base_.marked_for_close);
747 return 0;
748 }
749
750 if (!circ) {
751 if (fromconn->base_.type == CONN_TYPE_AP) {
752 log_info(LD_APP,"no circ. Closing conn.");
753 connection_mark_unattached_ap(EDGE_TO_ENTRY_CONN(fromconn),
754 END_STREAM_REASON_INTERNAL);
755 } else {
756 log_info(LD_EXIT,"no circ. Closing conn.");
757 fromconn->edge_has_sent_end = 1; /* no circ to send to */
758 fromconn->end_reason = END_STREAM_REASON_INTERNAL;
759 connection_mark_for_close(TO_CONN(fromconn));
760 }
761 return -1;
762 }
763
764 if (circ->marked_for_close) {
765 /* The circuit has been marked, but not freed yet. When it's freed, it
766 * will mark this connection for close. */
767 return -1;
768 }
769
770 #ifdef MEASUREMENTS_21206
771 /* Keep track of the number of RELAY_DATA cells sent for directory
772 * connections. */
773 connection_t *linked_conn = TO_CONN(fromconn)->linked_conn;
774
775 if (linked_conn && linked_conn->type == CONN_TYPE_DIR) {
776 ++(TO_DIR_CONN(linked_conn)->data_cells_sent);
777 }
778 #endif /* defined(MEASUREMENTS_21206) */
779
780 return relay_send_command_from_edge(fromconn->stream_id, circ,
781 relay_command, payload,
782 payload_len, cpath_layer);
783 }
784
785 /** How many times will I retry a stream that fails due to DNS
786 * resolve failure or misc error?
787 */
788 #define MAX_RESOLVE_FAILURES 3
789
790 /** Return 1 if reason is something that you should retry if you
791 * get the end cell before you've connected; else return 0. */
792 static int
edge_reason_is_retriable(int reason)793 edge_reason_is_retriable(int reason)
794 {
795 return reason == END_STREAM_REASON_HIBERNATING ||
796 reason == END_STREAM_REASON_RESOURCELIMIT ||
797 reason == END_STREAM_REASON_EXITPOLICY ||
798 reason == END_STREAM_REASON_RESOLVEFAILED ||
799 reason == END_STREAM_REASON_MISC ||
800 reason == END_STREAM_REASON_NOROUTE;
801 }
802
803 /** Called when we receive an END cell on a stream that isn't open yet,
804 * from the client side.
805 * Arguments are as for connection_edge_process_relay_cell().
806 */
807 static int
connection_ap_process_end_not_open(relay_header_t * rh,cell_t * cell,origin_circuit_t * circ,entry_connection_t * conn,crypt_path_t * layer_hint)808 connection_ap_process_end_not_open(
809 relay_header_t *rh, cell_t *cell, origin_circuit_t *circ,
810 entry_connection_t *conn, crypt_path_t *layer_hint)
811 {
812 node_t *exitrouter;
813 int reason = *(cell->payload+RELAY_HEADER_SIZE);
814 int control_reason;
815 edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(conn);
816 (void) layer_hint; /* unused */
817
818 if (rh->length > 0) {
819 if (reason == END_STREAM_REASON_TORPROTOCOL ||
820 reason == END_STREAM_REASON_DESTROY) {
821 /* Both of these reasons could mean a failed tag
822 * hit the exit and it complained. Do not probe.
823 * Fail the circuit. */
824 circ->path_state = PATH_STATE_USE_FAILED;
825 return -END_CIRC_REASON_TORPROTOCOL;
826 } else if (reason == END_STREAM_REASON_INTERNAL) {
827 /* We can't infer success or failure, since older Tors report
828 * ENETUNREACH as END_STREAM_REASON_INTERNAL. */
829 } else {
830 /* Path bias: If we get a valid reason code from the exit,
831 * it wasn't due to tagging.
832 *
833 * We rely on recognized+digest being strong enough to make
834 * tags unlikely to allow us to get tagged, yet 'recognized'
835 * reason codes here. */
836 pathbias_mark_use_success(circ);
837 }
838 }
839
840 /* This end cell is now valid. */
841 circuit_read_valid_data(circ, rh->length);
842
843 if (rh->length == 0) {
844 reason = END_STREAM_REASON_MISC;
845 }
846
847 control_reason = reason | END_STREAM_REASON_FLAG_REMOTE;
848
849 if (edge_reason_is_retriable(reason) &&
850 /* avoid retry if rend */
851 !connection_edge_is_rendezvous_stream(edge_conn)) {
852 const char *chosen_exit_digest =
853 circ->build_state->chosen_exit->identity_digest;
854 log_info(LD_APP,"Address '%s' refused due to '%s'. Considering retrying.",
855 safe_str(conn->socks_request->address),
856 stream_end_reason_to_string(reason));
857 exitrouter = node_get_mutable_by_id(chosen_exit_digest);
858 switch (reason) {
859 case END_STREAM_REASON_EXITPOLICY: {
860 tor_addr_t addr;
861 tor_addr_make_unspec(&addr);
862 if (rh->length >= 5) {
863 int ttl = -1;
864 tor_addr_make_unspec(&addr);
865 if (rh->length == 5 || rh->length == 9) {
866 tor_addr_from_ipv4n(&addr,
867 get_uint32(cell->payload+RELAY_HEADER_SIZE+1));
868 if (rh->length == 9)
869 ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+5));
870 } else if (rh->length == 17 || rh->length == 21) {
871 tor_addr_from_ipv6_bytes(&addr,
872 (cell->payload+RELAY_HEADER_SIZE+1));
873 if (rh->length == 21)
874 ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+17));
875 }
876 if (tor_addr_is_null(&addr)) {
877 log_info(LD_APP,"Address '%s' resolved to 0.0.0.0. Closing,",
878 safe_str(conn->socks_request->address));
879 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
880 return 0;
881 }
882
883 if ((tor_addr_family(&addr) == AF_INET &&
884 !conn->entry_cfg.ipv4_traffic) ||
885 (tor_addr_family(&addr) == AF_INET6 &&
886 !conn->entry_cfg.ipv6_traffic)) {
887 log_fn(LOG_PROTOCOL_WARN, LD_APP,
888 "Got an EXITPOLICY failure on a connection with a "
889 "mismatched family. Closing.");
890 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
891 return 0;
892 }
893 if (get_options()->ClientDNSRejectInternalAddresses &&
894 tor_addr_is_internal(&addr, 0)) {
895 log_info(LD_APP,"Address '%s' resolved to internal. Closing,",
896 safe_str(conn->socks_request->address));
897 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
898 return 0;
899 }
900
901 client_dns_set_addressmap(conn,
902 conn->socks_request->address, &addr,
903 conn->chosen_exit_name, ttl);
904
905 {
906 char new_addr[TOR_ADDR_BUF_LEN];
907 tor_addr_to_str(new_addr, &addr, sizeof(new_addr), 1);
908 if (strcmp(conn->socks_request->address, new_addr)) {
909 strlcpy(conn->socks_request->address, new_addr,
910 sizeof(conn->socks_request->address));
911 control_event_stream_status(conn, STREAM_EVENT_REMAP, 0);
912 }
913 }
914 }
915 /* check if the exit *ought* to have allowed it */
916
917 adjust_exit_policy_from_exitpolicy_failure(circ,
918 conn,
919 exitrouter,
920 &addr);
921
922 if (conn->chosen_exit_optional ||
923 conn->chosen_exit_retries) {
924 /* stop wanting a specific exit */
925 conn->chosen_exit_optional = 0;
926 /* A non-zero chosen_exit_retries can happen if we set a
927 * TrackHostExits for this address under a port that the exit
928 * relay allows, but then try the same address with a different
929 * port that it doesn't allow to exit. We shouldn't unregister
930 * the mapping, since it is probably still wanted on the
931 * original port. But now we give away to the exit relay that
932 * we probably have a TrackHostExits on it. So be it. */
933 conn->chosen_exit_retries = 0;
934 tor_free(conn->chosen_exit_name); /* clears it */
935 }
936 if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0)
937 return 0;
938 /* else, conn will get closed below */
939 break;
940 }
941 case END_STREAM_REASON_CONNECTREFUSED:
942 if (!conn->chosen_exit_optional)
943 break; /* break means it'll close, below */
944 /* Else fall through: expire this circuit, clear the
945 * chosen_exit_name field, and try again. */
946 FALLTHROUGH;
947 case END_STREAM_REASON_RESOLVEFAILED:
948 case END_STREAM_REASON_TIMEOUT:
949 case END_STREAM_REASON_MISC:
950 case END_STREAM_REASON_NOROUTE:
951 if (client_dns_incr_failures(conn->socks_request->address)
952 < MAX_RESOLVE_FAILURES) {
953 /* We haven't retried too many times; reattach the connection. */
954 circuit_log_path(LOG_INFO,LD_APP,circ);
955 /* Mark this circuit "unusable for new streams". */
956 mark_circuit_unusable_for_new_conns(circ);
957
958 if (conn->chosen_exit_optional) {
959 /* stop wanting a specific exit */
960 conn->chosen_exit_optional = 0;
961 tor_free(conn->chosen_exit_name); /* clears it */
962 }
963 if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0)
964 return 0;
965 /* else, conn will get closed below */
966 } else {
967 log_notice(LD_APP,
968 "Have tried resolving or connecting to address '%s' "
969 "at %d different places. Giving up.",
970 safe_str(conn->socks_request->address),
971 MAX_RESOLVE_FAILURES);
972 /* clear the failures, so it will have a full try next time */
973 client_dns_clear_failures(conn->socks_request->address);
974 }
975 break;
976 case END_STREAM_REASON_HIBERNATING:
977 case END_STREAM_REASON_RESOURCELIMIT:
978 if (exitrouter) {
979 policies_set_node_exitpolicy_to_reject_all(exitrouter);
980 }
981 if (conn->chosen_exit_optional) {
982 /* stop wanting a specific exit */
983 conn->chosen_exit_optional = 0;
984 tor_free(conn->chosen_exit_name); /* clears it */
985 }
986 if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0)
987 return 0;
988 /* else, will close below */
989 break;
990 } /* end switch */
991 log_info(LD_APP,"Giving up on retrying; conn can't be handled.");
992 }
993
994 log_info(LD_APP,
995 "Edge got end (%s) before we're connected. Marking for close.",
996 stream_end_reason_to_string(rh->length > 0 ? reason : -1));
997 circuit_log_path(LOG_INFO,LD_APP,circ);
998 /* need to test because of detach_retriable */
999 if (!ENTRY_TO_CONN(conn)->marked_for_close)
1000 connection_mark_unattached_ap(conn, control_reason);
1001 return 0;
1002 }
1003
1004 /** Called when we have gotten an END_REASON_EXITPOLICY failure on <b>circ</b>
1005 * for <b>conn</b>, while attempting to connect via <b>node</b>. If the node
1006 * told us which address it rejected, then <b>addr</b> is that address;
1007 * otherwise it is AF_UNSPEC.
1008 *
1009 * If we are sure the node should have allowed this address, mark the node as
1010 * having a reject *:* exit policy. Otherwise, mark the circuit as unusable
1011 * for this particular address.
1012 **/
1013 static void
adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t * circ,entry_connection_t * conn,node_t * node,const tor_addr_t * addr)1014 adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t *circ,
1015 entry_connection_t *conn,
1016 node_t *node,
1017 const tor_addr_t *addr)
1018 {
1019 int make_reject_all = 0;
1020 const sa_family_t family = tor_addr_family(addr);
1021
1022 if (node) {
1023 tor_addr_t tmp;
1024 int asked_for_family = tor_addr_parse(&tmp, conn->socks_request->address);
1025 if (family == AF_UNSPEC) {
1026 make_reject_all = 1;
1027 } else if (node_exit_policy_is_exact(node, family) &&
1028 asked_for_family != -1 && !conn->chosen_exit_name) {
1029 make_reject_all = 1;
1030 }
1031
1032 if (make_reject_all) {
1033 log_info(LD_APP,
1034 "Exitrouter %s seems to be more restrictive than its exit "
1035 "policy. Not using this router as exit for now.",
1036 node_describe(node));
1037 policies_set_node_exitpolicy_to_reject_all(node);
1038 }
1039 }
1040
1041 if (family != AF_UNSPEC)
1042 addr_policy_append_reject_addr(&circ->prepend_policy, addr);
1043 }
1044
1045 /** Helper: change the socks_request->address field on conn to the
1046 * dotted-quad representation of <b>new_addr</b>,
1047 * and send an appropriate REMAP event. */
1048 static void
remap_event_helper(entry_connection_t * conn,const tor_addr_t * new_addr)1049 remap_event_helper(entry_connection_t *conn, const tor_addr_t *new_addr)
1050 {
1051 tor_addr_to_str(conn->socks_request->address, new_addr,
1052 sizeof(conn->socks_request->address),
1053 1);
1054 control_event_stream_status(conn, STREAM_EVENT_REMAP,
1055 REMAP_STREAM_SOURCE_EXIT);
1056 }
1057
1058 /** Extract the contents of a connected cell in <b>cell</b>, whose relay
1059 * header has already been parsed into <b>rh</b>. On success, set
1060 * <b>addr_out</b> to the address we're connected to, and <b>ttl_out</b> to
1061 * the ttl of that address, in seconds, and return 0. On failure, return
1062 * -1.
1063 *
1064 * Note that the resulting address can be UNSPEC if the connected cell had no
1065 * address (as for a stream to an union service or a tunneled directory
1066 * connection), and that the ttl can be absent (in which case <b>ttl_out</b>
1067 * is set to -1). */
1068 STATIC int
connected_cell_parse(const relay_header_t * rh,const cell_t * cell,tor_addr_t * addr_out,int * ttl_out)1069 connected_cell_parse(const relay_header_t *rh, const cell_t *cell,
1070 tor_addr_t *addr_out, int *ttl_out)
1071 {
1072 uint32_t bytes;
1073 const uint8_t *payload = cell->payload + RELAY_HEADER_SIZE;
1074
1075 tor_addr_make_unspec(addr_out);
1076 *ttl_out = -1;
1077 if (rh->length == 0)
1078 return 0;
1079 if (rh->length < 4)
1080 return -1;
1081 bytes = ntohl(get_uint32(payload));
1082
1083 /* If bytes is 0, this is maybe a v6 address. Otherwise it's a v4 address */
1084 if (bytes != 0) {
1085 /* v4 address */
1086 tor_addr_from_ipv4h(addr_out, bytes);
1087 if (rh->length >= 8) {
1088 bytes = ntohl(get_uint32(payload + 4));
1089 if (bytes <= INT32_MAX)
1090 *ttl_out = bytes;
1091 }
1092 } else {
1093 if (rh->length < 25) /* 4 bytes of 0s, 1 addr, 16 ipv4, 4 ttl. */
1094 return -1;
1095 if (get_uint8(payload + 4) != 6)
1096 return -1;
1097 tor_addr_from_ipv6_bytes(addr_out, (payload + 5));
1098 bytes = ntohl(get_uint32(payload + 21));
1099 if (bytes <= INT32_MAX)
1100 *ttl_out = (int) bytes;
1101 }
1102 return 0;
1103 }
1104
1105 /** Drop all storage held by <b>addr</b>. */
1106 STATIC void
address_ttl_free_(address_ttl_t * addr)1107 address_ttl_free_(address_ttl_t *addr)
1108 {
1109 if (!addr)
1110 return;
1111 tor_free(addr->hostname);
1112 tor_free(addr);
1113 }
1114
1115 /** Parse a resolved cell in <b>cell</b>, with parsed header in <b>rh</b>.
1116 * Return -1 on parse error. On success, add one or more newly allocated
1117 * address_ttl_t to <b>addresses_out</b>; set *<b>errcode_out</b> to
1118 * one of 0, RESOLVED_TYPE_ERROR, or RESOLVED_TYPE_ERROR_TRANSIENT, and
1119 * return 0. */
1120 STATIC int
resolved_cell_parse(const cell_t * cell,const relay_header_t * rh,smartlist_t * addresses_out,int * errcode_out)1121 resolved_cell_parse(const cell_t *cell, const relay_header_t *rh,
1122 smartlist_t *addresses_out, int *errcode_out)
1123 {
1124 const uint8_t *cp;
1125 uint8_t answer_type;
1126 size_t answer_len;
1127 address_ttl_t *addr;
1128 size_t remaining;
1129 int errcode = 0;
1130 smartlist_t *addrs;
1131
1132 tor_assert(cell);
1133 tor_assert(rh);
1134 tor_assert(addresses_out);
1135 tor_assert(errcode_out);
1136
1137 *errcode_out = 0;
1138
1139 if (rh->length > RELAY_PAYLOAD_SIZE)
1140 return -1;
1141
1142 addrs = smartlist_new();
1143
1144 cp = cell->payload + RELAY_HEADER_SIZE;
1145
1146 remaining = rh->length;
1147 while (remaining) {
1148 const uint8_t *cp_orig = cp;
1149 if (remaining < 2)
1150 goto err;
1151 answer_type = *cp++;
1152 answer_len = *cp++;
1153 if (remaining < 2 + answer_len + 4) {
1154 goto err;
1155 }
1156 if (answer_type == RESOLVED_TYPE_IPV4) {
1157 if (answer_len != 4) {
1158 goto err;
1159 }
1160 addr = tor_malloc_zero(sizeof(*addr));
1161 tor_addr_from_ipv4n(&addr->addr, get_uint32(cp));
1162 cp += 4;
1163 addr->ttl = ntohl(get_uint32(cp));
1164 cp += 4;
1165 smartlist_add(addrs, addr);
1166 } else if (answer_type == RESOLVED_TYPE_IPV6) {
1167 if (answer_len != 16)
1168 goto err;
1169 addr = tor_malloc_zero(sizeof(*addr));
1170 tor_addr_from_ipv6_bytes(&addr->addr, cp);
1171 cp += 16;
1172 addr->ttl = ntohl(get_uint32(cp));
1173 cp += 4;
1174 smartlist_add(addrs, addr);
1175 } else if (answer_type == RESOLVED_TYPE_HOSTNAME) {
1176 if (answer_len == 0) {
1177 goto err;
1178 }
1179 addr = tor_malloc_zero(sizeof(*addr));
1180 addr->hostname = tor_memdup_nulterm(cp, answer_len);
1181 cp += answer_len;
1182 addr->ttl = ntohl(get_uint32(cp));
1183 cp += 4;
1184 smartlist_add(addrs, addr);
1185 } else if (answer_type == RESOLVED_TYPE_ERROR_TRANSIENT ||
1186 answer_type == RESOLVED_TYPE_ERROR) {
1187 errcode = answer_type;
1188 /* Ignore the error contents */
1189 cp += answer_len + 4;
1190 } else {
1191 cp += answer_len + 4;
1192 }
1193 tor_assert(((ssize_t)remaining) >= (cp - cp_orig));
1194 remaining -= (cp - cp_orig);
1195 }
1196
1197 if (errcode && smartlist_len(addrs) == 0) {
1198 /* Report an error only if there were no results. */
1199 *errcode_out = errcode;
1200 }
1201
1202 smartlist_add_all(addresses_out, addrs);
1203 smartlist_free(addrs);
1204
1205 return 0;
1206
1207 err:
1208 /* On parse error, don't report any results */
1209 SMARTLIST_FOREACH(addrs, address_ttl_t *, a, address_ttl_free(a));
1210 smartlist_free(addrs);
1211 return -1;
1212 }
1213
1214 /** Helper for connection_edge_process_resolved_cell: given an error code,
1215 * an entry_connection, and a list of address_ttl_t *, report the best answer
1216 * to the entry_connection. */
1217 static void
connection_ap_handshake_socks_got_resolved_cell(entry_connection_t * conn,int error_code,smartlist_t * results)1218 connection_ap_handshake_socks_got_resolved_cell(entry_connection_t *conn,
1219 int error_code,
1220 smartlist_t *results)
1221 {
1222 address_ttl_t *addr_ipv4 = NULL;
1223 address_ttl_t *addr_ipv6 = NULL;
1224 address_ttl_t *addr_hostname = NULL;
1225 address_ttl_t *addr_best = NULL;
1226
1227 /* If it's an error code, that's easy. */
1228 if (error_code) {
1229 tor_assert(error_code == RESOLVED_TYPE_ERROR ||
1230 error_code == RESOLVED_TYPE_ERROR_TRANSIENT);
1231 connection_ap_handshake_socks_resolved(conn,
1232 error_code,0,NULL,-1,-1);
1233 return;
1234 }
1235
1236 /* Get the first answer of each type. */
1237 SMARTLIST_FOREACH_BEGIN(results, address_ttl_t *, addr) {
1238 if (addr->hostname) {
1239 if (!addr_hostname) {
1240 addr_hostname = addr;
1241 }
1242 } else if (tor_addr_family(&addr->addr) == AF_INET) {
1243 if (!addr_ipv4 && conn->entry_cfg.ipv4_traffic) {
1244 addr_ipv4 = addr;
1245 }
1246 } else if (tor_addr_family(&addr->addr) == AF_INET6) {
1247 if (!addr_ipv6 && conn->entry_cfg.ipv6_traffic) {
1248 addr_ipv6 = addr;
1249 }
1250 }
1251 } SMARTLIST_FOREACH_END(addr);
1252
1253 /* Now figure out which type we wanted to deliver. */
1254 if (conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR) {
1255 if (addr_hostname) {
1256 connection_ap_handshake_socks_resolved(conn,
1257 RESOLVED_TYPE_HOSTNAME,
1258 strlen(addr_hostname->hostname),
1259 (uint8_t*)addr_hostname->hostname,
1260 addr_hostname->ttl,-1);
1261 } else {
1262 connection_ap_handshake_socks_resolved(conn,
1263 RESOLVED_TYPE_ERROR,0,NULL,-1,-1);
1264 }
1265 return;
1266 }
1267
1268 if (conn->entry_cfg.prefer_ipv6) {
1269 addr_best = addr_ipv6 ? addr_ipv6 : addr_ipv4;
1270 } else {
1271 addr_best = addr_ipv4 ? addr_ipv4 : addr_ipv6;
1272 }
1273
1274 /* Now convert it to the ugly old interface */
1275 if (! addr_best) {
1276 connection_ap_handshake_socks_resolved(conn,
1277 RESOLVED_TYPE_ERROR,0,NULL,-1,-1);
1278 return;
1279 }
1280
1281 connection_ap_handshake_socks_resolved_addr(conn,
1282 &addr_best->addr,
1283 addr_best->ttl,
1284 -1);
1285
1286 remap_event_helper(conn, &addr_best->addr);
1287 }
1288
1289 /** Handle a RELAY_COMMAND_RESOLVED cell that we received on a non-open AP
1290 * stream. */
1291 STATIC int
connection_edge_process_resolved_cell(edge_connection_t * conn,const cell_t * cell,const relay_header_t * rh)1292 connection_edge_process_resolved_cell(edge_connection_t *conn,
1293 const cell_t *cell,
1294 const relay_header_t *rh)
1295 {
1296 entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn);
1297 smartlist_t *resolved_addresses = NULL;
1298 int errcode = 0;
1299
1300 if (conn->base_.state != AP_CONN_STATE_RESOLVE_WAIT) {
1301 log_fn(LOG_PROTOCOL_WARN, LD_APP, "Got a 'resolved' cell while "
1302 "not in state resolve_wait. Dropping.");
1303 return 0;
1304 }
1305 tor_assert(SOCKS_COMMAND_IS_RESOLVE(entry_conn->socks_request->command));
1306
1307 resolved_addresses = smartlist_new();
1308 if (resolved_cell_parse(cell, rh, resolved_addresses, &errcode)) {
1309 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
1310 "Dropping malformed 'resolved' cell");
1311 connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL);
1312 goto done;
1313 }
1314
1315 if (get_options()->ClientDNSRejectInternalAddresses) {
1316 int orig_len = smartlist_len(resolved_addresses);
1317 SMARTLIST_FOREACH_BEGIN(resolved_addresses, address_ttl_t *, addr) {
1318 if (addr->hostname == NULL && tor_addr_is_internal(&addr->addr, 0)) {
1319 log_info(LD_APP, "Got a resolved cell with answer %s; dropping that "
1320 "answer.",
1321 safe_str_client(fmt_addr(&addr->addr)));
1322 address_ttl_free(addr);
1323 SMARTLIST_DEL_CURRENT(resolved_addresses, addr);
1324 }
1325 } SMARTLIST_FOREACH_END(addr);
1326 if (orig_len && smartlist_len(resolved_addresses) == 0) {
1327 log_info(LD_APP, "Got a resolved cell with only private addresses; "
1328 "dropping it.");
1329 connection_ap_handshake_socks_resolved(entry_conn,
1330 RESOLVED_TYPE_ERROR_TRANSIENT,
1331 0, NULL, 0, TIME_MAX);
1332 connection_mark_unattached_ap(entry_conn,
1333 END_STREAM_REASON_TORPROTOCOL);
1334 goto done;
1335 }
1336 }
1337
1338 /* This is valid data at this point. Count it */
1339 if (conn->on_circuit && CIRCUIT_IS_ORIGIN(conn->on_circuit)) {
1340 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(conn->on_circuit),
1341 rh->length);
1342 }
1343
1344 connection_ap_handshake_socks_got_resolved_cell(entry_conn,
1345 errcode,
1346 resolved_addresses);
1347
1348 connection_mark_unattached_ap(entry_conn,
1349 END_STREAM_REASON_DONE |
1350 END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
1351
1352 done:
1353 SMARTLIST_FOREACH(resolved_addresses, address_ttl_t *, addr,
1354 address_ttl_free(addr));
1355 smartlist_free(resolved_addresses);
1356 return 0;
1357 }
1358
1359 /** An incoming relay cell has arrived from circuit <b>circ</b> to
1360 * stream <b>conn</b>.
1361 *
1362 * The arguments here are the same as in
1363 * connection_edge_process_relay_cell() below; this function is called
1364 * from there when <b>conn</b> is defined and not in an open state.
1365 */
1366 static int
connection_edge_process_relay_cell_not_open(relay_header_t * rh,cell_t * cell,circuit_t * circ,edge_connection_t * conn,crypt_path_t * layer_hint)1367 connection_edge_process_relay_cell_not_open(
1368 relay_header_t *rh, cell_t *cell, circuit_t *circ,
1369 edge_connection_t *conn, crypt_path_t *layer_hint)
1370 {
1371 if (rh->command == RELAY_COMMAND_END) {
1372 if (CIRCUIT_IS_ORIGIN(circ) && conn->base_.type == CONN_TYPE_AP) {
1373 return connection_ap_process_end_not_open(rh, cell,
1374 TO_ORIGIN_CIRCUIT(circ),
1375 EDGE_TO_ENTRY_CONN(conn),
1376 layer_hint);
1377 } else {
1378 /* we just got an 'end', don't need to send one */
1379 conn->edge_has_sent_end = 1;
1380 conn->end_reason = *(cell->payload+RELAY_HEADER_SIZE) |
1381 END_STREAM_REASON_FLAG_REMOTE;
1382 connection_mark_for_close(TO_CONN(conn));
1383 return 0;
1384 }
1385 }
1386
1387 if (conn->base_.type == CONN_TYPE_AP &&
1388 rh->command == RELAY_COMMAND_CONNECTED) {
1389 tor_addr_t addr;
1390 int ttl;
1391 entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn);
1392 tor_assert(CIRCUIT_IS_ORIGIN(circ));
1393 if (conn->base_.state != AP_CONN_STATE_CONNECT_WAIT) {
1394 log_fn(LOG_PROTOCOL_WARN, LD_APP,
1395 "Got 'connected' while not in state connect_wait. Dropping.");
1396 return 0;
1397 }
1398 CONNECTION_AP_EXPECT_NONPENDING(entry_conn);
1399 conn->base_.state = AP_CONN_STATE_OPEN;
1400 log_info(LD_APP,"'connected' received for circid %u streamid %d "
1401 "after %d seconds.",
1402 (unsigned)circ->n_circ_id,
1403 rh->stream_id,
1404 (int)(time(NULL) - conn->base_.timestamp_last_read_allowed));
1405 if (connected_cell_parse(rh, cell, &addr, &ttl) < 0) {
1406 log_fn(LOG_PROTOCOL_WARN, LD_APP,
1407 "Got a badly formatted connected cell. Closing.");
1408 connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
1409 connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TORPROTOCOL);
1410 return 0;
1411 }
1412 if (tor_addr_family(&addr) != AF_UNSPEC) {
1413 /* The family is not UNSPEC: so we were given an address in the
1414 * connected cell. (This is normal, except for BEGINDIR and onion
1415 * service streams.) */
1416 const sa_family_t family = tor_addr_family(&addr);
1417 if (tor_addr_is_null(&addr) ||
1418 (get_options()->ClientDNSRejectInternalAddresses &&
1419 tor_addr_is_internal(&addr, 0))) {
1420 log_info(LD_APP, "...but it claims the IP address was %s. Closing.",
1421 fmt_addr(&addr));
1422 connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
1423 connection_mark_unattached_ap(entry_conn,
1424 END_STREAM_REASON_TORPROTOCOL);
1425 return 0;
1426 }
1427
1428 if ((family == AF_INET && ! entry_conn->entry_cfg.ipv4_traffic) ||
1429 (family == AF_INET6 && ! entry_conn->entry_cfg.ipv6_traffic)) {
1430 log_fn(LOG_PROTOCOL_WARN, LD_APP,
1431 "Got a connected cell to %s with unsupported address family."
1432 " Closing.", fmt_addr(&addr));
1433 connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
1434 connection_mark_unattached_ap(entry_conn,
1435 END_STREAM_REASON_TORPROTOCOL);
1436 return 0;
1437 }
1438
1439 client_dns_set_addressmap(entry_conn,
1440 entry_conn->socks_request->address, &addr,
1441 entry_conn->chosen_exit_name, ttl);
1442
1443 remap_event_helper(entry_conn, &addr);
1444 }
1445 circuit_log_path(LOG_INFO,LD_APP,TO_ORIGIN_CIRCUIT(circ));
1446 /* don't send a socks reply to transparent conns */
1447 tor_assert(entry_conn->socks_request != NULL);
1448 if (!entry_conn->socks_request->has_finished) {
1449 connection_ap_handshake_socks_reply(entry_conn, NULL, 0, 0);
1450 }
1451
1452 /* Was it a linked dir conn? If so, a dir request just started to
1453 * fetch something; this could be a bootstrap status milestone. */
1454 log_debug(LD_APP, "considering");
1455 if (TO_CONN(conn)->linked_conn &&
1456 TO_CONN(conn)->linked_conn->type == CONN_TYPE_DIR) {
1457 connection_t *dirconn = TO_CONN(conn)->linked_conn;
1458 log_debug(LD_APP, "it is! %d", dirconn->purpose);
1459 switch (dirconn->purpose) {
1460 case DIR_PURPOSE_FETCH_CERTIFICATE:
1461 if (consensus_is_waiting_for_certs())
1462 control_event_bootstrap(BOOTSTRAP_STATUS_LOADING_KEYS, 0);
1463 break;
1464 case DIR_PURPOSE_FETCH_CONSENSUS:
1465 control_event_bootstrap(BOOTSTRAP_STATUS_LOADING_STATUS, 0);
1466 break;
1467 case DIR_PURPOSE_FETCH_SERVERDESC:
1468 case DIR_PURPOSE_FETCH_MICRODESC:
1469 if (TO_DIR_CONN(dirconn)->router_purpose == ROUTER_PURPOSE_GENERAL)
1470 control_event_boot_dir(BOOTSTRAP_STATUS_LOADING_DESCRIPTORS,
1471 count_loading_descriptors_progress());
1472 break;
1473 }
1474 }
1475 /* This is definitely a success, so forget about any pending data we
1476 * had sent. */
1477 if (entry_conn->pending_optimistic_data) {
1478 buf_free(entry_conn->pending_optimistic_data);
1479 entry_conn->pending_optimistic_data = NULL;
1480 }
1481
1482 /* This is valid data at this point. Count it */
1483 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length);
1484
1485 /* handle anything that might have queued */
1486 if (connection_edge_package_raw_inbuf(conn, 1, NULL) < 0) {
1487 /* (We already sent an end cell if possible) */
1488 connection_mark_for_close(TO_CONN(conn));
1489 return 0;
1490 }
1491 return 0;
1492 }
1493 if (conn->base_.type == CONN_TYPE_AP &&
1494 rh->command == RELAY_COMMAND_RESOLVED) {
1495 return connection_edge_process_resolved_cell(conn, cell, rh);
1496 }
1497
1498 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
1499 "Got an unexpected relay command %d, in state %d (%s). Dropping.",
1500 rh->command, conn->base_.state,
1501 conn_state_to_string(conn->base_.type, conn->base_.state));
1502 return 0; /* for forward compatibility, don't kill the circuit */
1503 // connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
1504 // connection_mark_for_close(conn);
1505 // return -1;
1506 }
1507
1508 /**
1509 * Return true iff our decryption layer_hint is from the last hop
1510 * in a circuit.
1511 */
1512 static bool
relay_crypt_from_last_hop(origin_circuit_t * circ,crypt_path_t * layer_hint)1513 relay_crypt_from_last_hop(origin_circuit_t *circ, crypt_path_t *layer_hint)
1514 {
1515 tor_assert(circ);
1516 tor_assert(layer_hint);
1517 tor_assert(circ->cpath);
1518
1519 if (layer_hint != circ->cpath->prev) {
1520 log_fn(LOG_PROTOCOL_WARN, LD_CIRC,
1521 "Got unexpected relay data from intermediate hop");
1522 return false;
1523 }
1524 return true;
1525 }
1526
1527 /** Process a SENDME cell that arrived on <b>circ</b>. If it is a stream level
1528 * cell, it is destined for the given <b>conn</b>. If it is a circuit level
1529 * cell, it is destined for the <b>layer_hint</b>. The <b>domain</b> is the
1530 * logging domain that should be used.
1531 *
1532 * Return 0 if everything went well or a negative value representing a circuit
1533 * end reason on error for which the caller is responsible for closing it. */
1534 static int
process_sendme_cell(const relay_header_t * rh,const cell_t * cell,circuit_t * circ,edge_connection_t * conn,crypt_path_t * layer_hint,int domain)1535 process_sendme_cell(const relay_header_t *rh, const cell_t *cell,
1536 circuit_t *circ, edge_connection_t *conn,
1537 crypt_path_t *layer_hint, int domain)
1538 {
1539 int ret;
1540
1541 tor_assert(rh);
1542
1543 if (!rh->stream_id) {
1544 /* Circuit level SENDME cell. */
1545 ret = sendme_process_circuit_level(layer_hint, circ,
1546 cell->payload + RELAY_HEADER_SIZE,
1547 rh->length);
1548 if (ret < 0) {
1549 return ret;
1550 }
1551 /* Resume reading on any streams now that we've processed a valid
1552 * SENDME cell that updated our package window. */
1553 circuit_resume_edge_reading(circ, layer_hint);
1554 /* We are done, the rest of the code is for the stream level. */
1555 return 0;
1556 }
1557
1558 /* No connection, might be half edge state. We are done if so. */
1559 if (!conn) {
1560 if (CIRCUIT_IS_ORIGIN(circ)) {
1561 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
1562 if (connection_half_edge_is_valid_sendme(ocirc->half_streams,
1563 rh->stream_id)) {
1564 circuit_read_valid_data(ocirc, rh->length);
1565 log_info(domain, "Sendme cell on circ %u valid on half-closed "
1566 "stream id %d",
1567 ocirc->global_identifier, rh->stream_id);
1568 }
1569 }
1570
1571 log_info(domain, "SENDME cell dropped, unknown stream (streamid %d).",
1572 rh->stream_id);
1573 return 0;
1574 }
1575
1576 /* Stream level SENDME cell. */
1577 ret = sendme_process_stream_level(conn, circ, rh->length);
1578 if (ret < 0) {
1579 /* Means we need to close the circuit with reason ret. */
1580 return ret;
1581 }
1582
1583 /* We've now processed properly a SENDME cell, all windows have been
1584 * properly updated, we'll read on the edge connection to see if we can
1585 * get data out towards the end point (Exit or client) since we are now
1586 * allowed to deliver more cells. */
1587
1588 if (circuit_queue_streams_are_blocked(circ)) {
1589 /* Still waiting for queue to flush; don't touch conn */
1590 return 0;
1591 }
1592 connection_start_reading(TO_CONN(conn));
1593 /* handle whatever might still be on the inbuf */
1594 if (connection_edge_package_raw_inbuf(conn, 1, NULL) < 0) {
1595 /* (We already sent an end cell if possible) */
1596 connection_mark_for_close(TO_CONN(conn));
1597 return 0;
1598 }
1599 return 0;
1600 }
1601
1602 /** A helper for connection_edge_process_relay_cell(): Actually handles the
1603 * cell that we received on the connection.
1604 *
1605 * The arguments are the same as in the parent function
1606 * connection_edge_process_relay_cell(), plus the relay header <b>rh</b> as
1607 * unpacked by the parent function, and <b>optimistic_data</b> as set by the
1608 * parent function.
1609 */
1610 STATIC int
handle_relay_cell_command(cell_t * cell,circuit_t * circ,edge_connection_t * conn,crypt_path_t * layer_hint,relay_header_t * rh,int optimistic_data)1611 handle_relay_cell_command(cell_t *cell, circuit_t *circ,
1612 edge_connection_t *conn, crypt_path_t *layer_hint,
1613 relay_header_t *rh, int optimistic_data)
1614 {
1615 unsigned domain = layer_hint?LD_APP:LD_EXIT;
1616 int reason;
1617
1618 tor_assert(rh);
1619
1620 /* First pass the cell to the circuit padding subsystem, in case it's a
1621 * padding cell or circuit that should be handled there. */
1622 if (circpad_check_received_cell(cell, circ, layer_hint, rh) == 0) {
1623 log_debug(domain, "Cell handled as circuit padding");
1624 return 0;
1625 }
1626
1627 /* Now handle all the other commands */
1628 switch (rh->command) {
1629 case RELAY_COMMAND_BEGIN:
1630 case RELAY_COMMAND_BEGIN_DIR:
1631 if (layer_hint &&
1632 circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
1633 log_fn(LOG_PROTOCOL_WARN, LD_APP,
1634 "Relay begin request unsupported at AP. Dropping.");
1635 return 0;
1636 }
1637 if (circ->purpose == CIRCUIT_PURPOSE_S_REND_JOINED &&
1638 layer_hint != TO_ORIGIN_CIRCUIT(circ)->cpath->prev) {
1639 log_fn(LOG_PROTOCOL_WARN, LD_APP,
1640 "Relay begin request to Hidden Service "
1641 "from intermediary node. Dropping.");
1642 return 0;
1643 }
1644 if (conn) {
1645 log_fn(LOG_PROTOCOL_WARN, domain,
1646 "Begin cell for known stream. Dropping.");
1647 return 0;
1648 }
1649 if (rh->command == RELAY_COMMAND_BEGIN_DIR &&
1650 circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
1651 /* Assign this circuit and its app-ward OR connection a unique ID,
1652 * so that we can measure download times. The local edge and dir
1653 * connection will be assigned the same ID when they are created
1654 * and linked. */
1655 static uint64_t next_id = 0;
1656 circ->dirreq_id = ++next_id;
1657 TO_OR_CIRCUIT(circ)->p_chan->dirreq_id = circ->dirreq_id;
1658 }
1659 return connection_exit_begin_conn(cell, circ);
1660 case RELAY_COMMAND_DATA:
1661 ++stats_n_data_cells_received;
1662
1663 /* Update our circuit-level deliver window that we received a DATA cell.
1664 * If the deliver window goes below 0, we end the circuit and stream due
1665 * to a protocol failure. */
1666 if (sendme_circuit_data_received(circ, layer_hint) < 0) {
1667 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
1668 "(relay data) circ deliver_window below 0. Killing.");
1669 connection_edge_end_close(conn, END_STREAM_REASON_TORPROTOCOL);
1670 return -END_CIRC_REASON_TORPROTOCOL;
1671 }
1672
1673 /* Consider sending a circuit-level SENDME cell. */
1674 sendme_circuit_consider_sending(circ, layer_hint);
1675
1676 if (rh->stream_id == 0) {
1677 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay data cell with zero "
1678 "stream_id. Dropping.");
1679 return 0;
1680 } else if (!conn) {
1681 if (CIRCUIT_IS_ORIGIN(circ)) {
1682 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
1683 if (connection_half_edge_is_valid_data(ocirc->half_streams,
1684 rh->stream_id)) {
1685 circuit_read_valid_data(ocirc, rh->length);
1686 log_info(domain,
1687 "data cell on circ %u valid on half-closed "
1688 "stream id %d", ocirc->global_identifier, rh->stream_id);
1689 }
1690 }
1691
1692 log_info(domain,"data cell dropped, unknown stream (streamid %d).",
1693 rh->stream_id);
1694 return 0;
1695 }
1696
1697 /* Update our stream-level deliver window that we just received a DATA
1698 * cell. Going below 0 means we have a protocol level error so the
1699 * stream and circuit are closed. */
1700
1701 if (sendme_stream_data_received(conn) < 0) {
1702 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
1703 "(relay data) conn deliver_window below 0. Killing.");
1704 connection_edge_end_close(conn, END_STREAM_REASON_TORPROTOCOL);
1705 return -END_CIRC_REASON_TORPROTOCOL;
1706 }
1707 /* Total all valid application bytes delivered */
1708 if (CIRCUIT_IS_ORIGIN(circ) && rh->length > 0) {
1709 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length);
1710 }
1711
1712 /* For onion service connection, update the metrics. */
1713 if (conn->hs_ident) {
1714 hs_metrics_app_write_bytes(&conn->hs_ident->identity_pk,
1715 conn->hs_ident->orig_virtual_port,
1716 rh->length);
1717 }
1718
1719 stats_n_data_bytes_received += rh->length;
1720 connection_buf_add((char*)(cell->payload + RELAY_HEADER_SIZE),
1721 rh->length, TO_CONN(conn));
1722
1723 #ifdef MEASUREMENTS_21206
1724 /* Count number of RELAY_DATA cells received on a linked directory
1725 * connection. */
1726 connection_t *linked_conn = TO_CONN(conn)->linked_conn;
1727
1728 if (linked_conn && linked_conn->type == CONN_TYPE_DIR) {
1729 ++(TO_DIR_CONN(linked_conn)->data_cells_received);
1730 }
1731 #endif /* defined(MEASUREMENTS_21206) */
1732
1733 if (!optimistic_data) {
1734 /* Only send a SENDME if we're not getting optimistic data; otherwise
1735 * a SENDME could arrive before the CONNECTED.
1736 */
1737 sendme_connection_edge_consider_sending(conn);
1738 }
1739
1740 return 0;
1741 case RELAY_COMMAND_END:
1742 reason = rh->length > 0 ?
1743 get_uint8(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC;
1744 if (!conn) {
1745 if (CIRCUIT_IS_ORIGIN(circ)) {
1746 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
1747 if (relay_crypt_from_last_hop(ocirc, layer_hint) &&
1748 connection_half_edge_is_valid_end(ocirc->half_streams,
1749 rh->stream_id)) {
1750
1751 circuit_read_valid_data(ocirc, rh->length);
1752 log_info(domain,
1753 "end cell (%s) on circ %u valid on half-closed "
1754 "stream id %d",
1755 stream_end_reason_to_string(reason),
1756 ocirc->global_identifier, rh->stream_id);
1757 return 0;
1758 }
1759 }
1760 log_info(domain,"end cell (%s) dropped, unknown stream.",
1761 stream_end_reason_to_string(reason));
1762 return 0;
1763 }
1764 /* XXX add to this log_fn the exit node's nickname? */
1765 log_info(domain,TOR_SOCKET_T_FORMAT": end cell (%s) for stream %d. "
1766 "Removing stream.",
1767 conn->base_.s,
1768 stream_end_reason_to_string(reason),
1769 conn->stream_id);
1770 if (conn->base_.type == CONN_TYPE_AP) {
1771 entry_connection_t *entry_conn = EDGE_TO_ENTRY_CONN(conn);
1772 if (entry_conn->socks_request &&
1773 !entry_conn->socks_request->has_finished)
1774 log_warn(LD_BUG,
1775 "open stream hasn't sent socks answer yet? Closing.");
1776 }
1777 /* We just *got* an end; no reason to send one. */
1778 conn->edge_has_sent_end = 1;
1779 if (!conn->end_reason)
1780 conn->end_reason = reason | END_STREAM_REASON_FLAG_REMOTE;
1781 if (!conn->base_.marked_for_close) {
1782 /* only mark it if not already marked. it's possible to
1783 * get the 'end' right around when the client hangs up on us. */
1784 connection_mark_and_flush(TO_CONN(conn));
1785
1786 /* Total all valid application bytes delivered */
1787 if (CIRCUIT_IS_ORIGIN(circ)) {
1788 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length);
1789 }
1790 }
1791 return 0;
1792 case RELAY_COMMAND_EXTEND:
1793 case RELAY_COMMAND_EXTEND2: {
1794 static uint64_t total_n_extend=0, total_nonearly=0;
1795 total_n_extend++;
1796 if (rh->stream_id) {
1797 log_fn(LOG_PROTOCOL_WARN, domain,
1798 "'extend' cell received for non-zero stream. Dropping.");
1799 return 0;
1800 }
1801 if (cell->command != CELL_RELAY_EARLY &&
1802 !networkstatus_get_param(NULL,"AllowNonearlyExtend",0,0,1)) {
1803 #define EARLY_WARNING_INTERVAL 3600
1804 static ratelim_t early_warning_limit =
1805 RATELIM_INIT(EARLY_WARNING_INTERVAL);
1806 char *m;
1807 if (cell->command == CELL_RELAY) {
1808 ++total_nonearly;
1809 if ((m = rate_limit_log(&early_warning_limit, approx_time()))) {
1810 double percentage = ((double)total_nonearly)/total_n_extend;
1811 percentage *= 100;
1812 log_fn(LOG_PROTOCOL_WARN, domain, "EXTEND cell received, "
1813 "but not via RELAY_EARLY. Dropping.%s", m);
1814 log_fn(LOG_PROTOCOL_WARN, domain, " (We have dropped %.02f%% of "
1815 "all EXTEND cells for this reason)", percentage);
1816 tor_free(m);
1817 }
1818 } else {
1819 log_fn(LOG_WARN, domain,
1820 "EXTEND cell received, in a cell with type %d! Dropping.",
1821 cell->command);
1822 }
1823 return 0;
1824 }
1825 return circuit_extend(cell, circ);
1826 }
1827 case RELAY_COMMAND_EXTENDED:
1828 case RELAY_COMMAND_EXTENDED2:
1829 if (!layer_hint) {
1830 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
1831 "'extended' unsupported at non-origin. Dropping.");
1832 return 0;
1833 }
1834 log_debug(domain,"Got an extended cell! Yay.");
1835 {
1836 extended_cell_t extended_cell;
1837 if (extended_cell_parse(&extended_cell, rh->command,
1838 (const uint8_t*)cell->payload+RELAY_HEADER_SIZE,
1839 rh->length)<0) {
1840 log_warn(LD_PROTOCOL,
1841 "Can't parse EXTENDED cell; killing circuit.");
1842 return -END_CIRC_REASON_TORPROTOCOL;
1843 }
1844 if ((reason = circuit_finish_handshake(TO_ORIGIN_CIRCUIT(circ),
1845 &extended_cell.created_cell)) < 0) {
1846 circuit_mark_for_close(circ, -reason);
1847 return 0; /* We don't want to cause a warning, so we mark the circuit
1848 * here. */
1849 }
1850 }
1851 if ((reason=circuit_send_next_onion_skin(TO_ORIGIN_CIRCUIT(circ)))<0) {
1852 log_info(domain,"circuit_send_next_onion_skin() failed.");
1853 return reason;
1854 }
1855 /* Total all valid bytes delivered. */
1856 if (CIRCUIT_IS_ORIGIN(circ)) {
1857 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), rh->length);
1858 }
1859 return 0;
1860 case RELAY_COMMAND_TRUNCATE:
1861 if (layer_hint) {
1862 log_fn(LOG_PROTOCOL_WARN, LD_APP,
1863 "'truncate' unsupported at origin. Dropping.");
1864 return 0;
1865 }
1866 if (circ->n_hop) {
1867 if (circ->n_chan)
1868 log_warn(LD_BUG, "n_chan and n_hop set on the same circuit!");
1869 extend_info_free(circ->n_hop);
1870 circ->n_hop = NULL;
1871 tor_free(circ->n_chan_create_cell);
1872 circuit_set_state(circ, CIRCUIT_STATE_OPEN);
1873 }
1874 if (circ->n_chan) {
1875 uint8_t trunc_reason = get_uint8(cell->payload + RELAY_HEADER_SIZE);
1876 circuit_synchronize_written_or_bandwidth(circ, CIRCUIT_N_CHAN);
1877 circuit_clear_cell_queue(circ, circ->n_chan);
1878 channel_send_destroy(circ->n_circ_id, circ->n_chan,
1879 trunc_reason);
1880 circuit_set_n_circid_chan(circ, 0, NULL);
1881 }
1882 log_debug(LD_EXIT, "Processed 'truncate', replying.");
1883 {
1884 char payload[1];
1885 payload[0] = (char)END_CIRC_REASON_REQUESTED;
1886 relay_send_command_from_edge(0, circ, RELAY_COMMAND_TRUNCATED,
1887 payload, sizeof(payload), NULL);
1888 }
1889 return 0;
1890 case RELAY_COMMAND_TRUNCATED:
1891 if (!layer_hint) {
1892 log_fn(LOG_PROTOCOL_WARN, LD_EXIT,
1893 "'truncated' unsupported at non-origin. Dropping.");
1894 return 0;
1895 }
1896
1897 /* Count the truncated as valid, for completeness. The
1898 * circuit is being torn down anyway, though. */
1899 if (CIRCUIT_IS_ORIGIN(circ)) {
1900 circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ),
1901 rh->length);
1902 }
1903 circuit_truncated(TO_ORIGIN_CIRCUIT(circ),
1904 get_uint8(cell->payload + RELAY_HEADER_SIZE));
1905 return 0;
1906 case RELAY_COMMAND_CONNECTED:
1907 if (conn) {
1908 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
1909 "'connected' unsupported while open. Closing circ.");
1910 return -END_CIRC_REASON_TORPROTOCOL;
1911 }
1912
1913 if (CIRCUIT_IS_ORIGIN(circ)) {
1914 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
1915 if (connection_half_edge_is_valid_connected(ocirc->half_streams,
1916 rh->stream_id)) {
1917 circuit_read_valid_data(ocirc, rh->length);
1918 log_info(domain,
1919 "connected cell on circ %u valid on half-closed "
1920 "stream id %d", ocirc->global_identifier, rh->stream_id);
1921 return 0;
1922 }
1923 }
1924
1925 log_info(domain,
1926 "'connected' received on circid %u for streamid %d, "
1927 "no conn attached anymore. Ignoring.",
1928 (unsigned)circ->n_circ_id, rh->stream_id);
1929 return 0;
1930 case RELAY_COMMAND_SENDME:
1931 return process_sendme_cell(rh, cell, circ, conn, layer_hint, domain);
1932 case RELAY_COMMAND_RESOLVE:
1933 if (layer_hint) {
1934 log_fn(LOG_PROTOCOL_WARN, LD_APP,
1935 "resolve request unsupported at AP; dropping.");
1936 return 0;
1937 } else if (conn) {
1938 log_fn(LOG_PROTOCOL_WARN, domain,
1939 "resolve request for known stream; dropping.");
1940 return 0;
1941 } else if (circ->purpose != CIRCUIT_PURPOSE_OR) {
1942 log_fn(LOG_PROTOCOL_WARN, domain,
1943 "resolve request on circ with purpose %d; dropping",
1944 circ->purpose);
1945 return 0;
1946 }
1947 connection_exit_begin_resolve(cell, TO_OR_CIRCUIT(circ));
1948 return 0;
1949 case RELAY_COMMAND_RESOLVED:
1950 if (conn) {
1951 log_fn(LOG_PROTOCOL_WARN, domain,
1952 "'resolved' unsupported while open. Closing circ.");
1953 return -END_CIRC_REASON_TORPROTOCOL;
1954 }
1955
1956 if (CIRCUIT_IS_ORIGIN(circ)) {
1957 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
1958 if (relay_crypt_from_last_hop(ocirc, layer_hint) &&
1959 connection_half_edge_is_valid_resolved(ocirc->half_streams,
1960 rh->stream_id)) {
1961 circuit_read_valid_data(ocirc, rh->length);
1962 log_info(domain,
1963 "resolved cell on circ %u valid on half-closed "
1964 "stream id %d", ocirc->global_identifier, rh->stream_id);
1965 return 0;
1966 }
1967 }
1968
1969 log_info(domain,
1970 "'resolved' received, no conn attached anymore. Ignoring.");
1971 return 0;
1972 case RELAY_COMMAND_ESTABLISH_INTRO:
1973 case RELAY_COMMAND_ESTABLISH_RENDEZVOUS:
1974 case RELAY_COMMAND_INTRODUCE1:
1975 case RELAY_COMMAND_INTRODUCE2:
1976 case RELAY_COMMAND_INTRODUCE_ACK:
1977 case RELAY_COMMAND_RENDEZVOUS1:
1978 case RELAY_COMMAND_RENDEZVOUS2:
1979 case RELAY_COMMAND_INTRO_ESTABLISHED:
1980 case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
1981 rend_process_relay_cell(circ, layer_hint,
1982 rh->command, rh->length,
1983 cell->payload+RELAY_HEADER_SIZE);
1984 return 0;
1985 }
1986 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
1987 "Received unknown relay command %d. Perhaps the other side is using "
1988 "a newer version of Tor? Dropping.",
1989 rh->command);
1990 return 0; /* for forward compatibility, don't kill the circuit */
1991 }
1992
1993 /** An incoming relay cell has arrived on circuit <b>circ</b>. If
1994 * <b>conn</b> is NULL this is a control cell, else <b>cell</b> is
1995 * destined for <b>conn</b>.
1996 *
1997 * If <b>layer_hint</b> is defined, then we're the origin of the
1998 * circuit, and it specifies the hop that packaged <b>cell</b>.
1999 *
2000 * Return -reason if you want to warn and tear down the circuit, else 0.
2001 */
2002 STATIC int
connection_edge_process_relay_cell(cell_t * cell,circuit_t * circ,edge_connection_t * conn,crypt_path_t * layer_hint)2003 connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
2004 edge_connection_t *conn,
2005 crypt_path_t *layer_hint)
2006 {
2007 static int num_seen=0;
2008 relay_header_t rh;
2009 unsigned domain = layer_hint?LD_APP:LD_EXIT;
2010 int optimistic_data = 0; /* Set to 1 if we receive data on a stream
2011 * that's in the EXIT_CONN_STATE_RESOLVING
2012 * or EXIT_CONN_STATE_CONNECTING states. */
2013
2014 tor_assert(cell);
2015 tor_assert(circ);
2016
2017 relay_header_unpack(&rh, cell->payload);
2018 // log_fn(LOG_DEBUG,"command %d stream %d", rh.command, rh.stream_id);
2019 num_seen++;
2020 log_debug(domain, "Now seen %d relay cells here (command %d, stream %d).",
2021 num_seen, rh.command, rh.stream_id);
2022
2023 if (rh.length > RELAY_PAYLOAD_SIZE) {
2024 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2025 "Relay cell length field too long. Closing circuit.");
2026 return - END_CIRC_REASON_TORPROTOCOL;
2027 }
2028
2029 if (rh.stream_id == 0) {
2030 switch (rh.command) {
2031 case RELAY_COMMAND_BEGIN:
2032 case RELAY_COMMAND_CONNECTED:
2033 case RELAY_COMMAND_END:
2034 case RELAY_COMMAND_RESOLVE:
2035 case RELAY_COMMAND_RESOLVED:
2036 case RELAY_COMMAND_BEGIN_DIR:
2037 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay command %d with zero "
2038 "stream_id. Dropping.", (int)rh.command);
2039 return 0;
2040 default:
2041 ;
2042 }
2043 }
2044
2045 /* Tell circpad that we've received a recognized cell */
2046 circpad_deliver_recognized_relay_cell_events(circ, rh.command, layer_hint);
2047
2048 /* either conn is NULL, in which case we've got a control cell, or else
2049 * conn points to the recognized stream. */
2050 if (conn && !connection_state_is_open(TO_CONN(conn))) {
2051 if (conn->base_.type == CONN_TYPE_EXIT &&
2052 (conn->base_.state == EXIT_CONN_STATE_CONNECTING ||
2053 conn->base_.state == EXIT_CONN_STATE_RESOLVING) &&
2054 rh.command == RELAY_COMMAND_DATA) {
2055 /* Allow DATA cells to be delivered to an exit node in state
2056 * EXIT_CONN_STATE_CONNECTING or EXIT_CONN_STATE_RESOLVING.
2057 * This speeds up HTTP, for example. */
2058 optimistic_data = 1;
2059 } else if (rh.stream_id == 0 && rh.command == RELAY_COMMAND_DATA) {
2060 log_warn(LD_BUG, "Somehow I had a connection that matched a "
2061 "data cell with stream ID 0.");
2062 } else {
2063 return connection_edge_process_relay_cell_not_open(
2064 &rh, cell, circ, conn, layer_hint);
2065 }
2066 }
2067
2068 return handle_relay_cell_command(cell, circ, conn, layer_hint,
2069 &rh, optimistic_data);
2070 }
2071
2072 /** How many relay_data cells have we built, ever? */
2073 uint64_t stats_n_data_cells_packaged = 0;
2074 /** How many bytes of data have we put in relay_data cells have we built,
2075 * ever? This would be RELAY_PAYLOAD_SIZE*stats_n_data_cells_packaged if
2076 * every relay cell we ever sent were completely full of data. */
2077 uint64_t stats_n_data_bytes_packaged = 0;
2078 /** How many relay_data cells have we received, ever? */
2079 uint64_t stats_n_data_cells_received = 0;
2080 /** How many bytes of data have we received relay_data cells, ever? This would
2081 * be RELAY_PAYLOAD_SIZE*stats_n_data_cells_packaged if every relay cell we
2082 * ever received were completely full of data. */
2083 uint64_t stats_n_data_bytes_received = 0;
2084
2085 /**
2086 * Called when initializing a circuit, or when we have reached the end of the
2087 * window in which we need to send some randomness so that incoming sendme
2088 * cells will be unpredictable. Resets the flags and picks a new window.
2089 */
2090 void
circuit_reset_sendme_randomness(circuit_t * circ)2091 circuit_reset_sendme_randomness(circuit_t *circ)
2092 {
2093 circ->have_sent_sufficiently_random_cell = 0;
2094 circ->send_randomness_after_n_cells = CIRCWINDOW_INCREMENT / 2 +
2095 crypto_fast_rng_get_uint(get_thread_fast_rng(), CIRCWINDOW_INCREMENT / 2);
2096 }
2097
2098 /**
2099 * Any relay data payload containing fewer than this many real bytes is
2100 * considered to have enough randomness to.
2101 **/
2102 #define RELAY_PAYLOAD_LENGTH_FOR_RANDOM_SENDMES \
2103 (RELAY_PAYLOAD_SIZE - CELL_PADDING_GAP - 16)
2104
2105 /**
2106 * Helper. Return the number of bytes that should be put into a cell from a
2107 * given edge connection on which <b>n_available</b> bytes are available.
2108 */
2109 STATIC size_t
connection_edge_get_inbuf_bytes_to_package(size_t n_available,int package_partial,circuit_t * on_circuit)2110 connection_edge_get_inbuf_bytes_to_package(size_t n_available,
2111 int package_partial,
2112 circuit_t *on_circuit)
2113 {
2114 if (!n_available)
2115 return 0;
2116
2117 /* Do we need to force this payload to have space for randomness? */
2118 const bool force_random_bytes =
2119 (on_circuit->send_randomness_after_n_cells == 0) &&
2120 (! on_circuit->have_sent_sufficiently_random_cell);
2121
2122 /* At most how much would we like to send in this cell? */
2123 size_t target_length;
2124 if (force_random_bytes) {
2125 target_length = RELAY_PAYLOAD_LENGTH_FOR_RANDOM_SENDMES;
2126 } else {
2127 target_length = RELAY_PAYLOAD_SIZE;
2128 }
2129
2130 /* Decide how many bytes we will actually put into this cell. */
2131 size_t package_length;
2132 if (n_available >= target_length) { /* A full payload is available. */
2133 package_length = target_length;
2134 } else { /* not a full payload available */
2135 if (package_partial)
2136 package_length = n_available; /* just take whatever's available now */
2137 else
2138 return 0; /* nothing to do until we have a full payload */
2139 }
2140
2141 /* If we reach this point, we will be definitely sending the cell. */
2142 tor_assert_nonfatal(package_length > 0);
2143
2144 if (package_length <= RELAY_PAYLOAD_LENGTH_FOR_RANDOM_SENDMES) {
2145 /* This cell will have enough randomness in the padding to make a future
2146 * sendme cell unpredictable. */
2147 on_circuit->have_sent_sufficiently_random_cell = 1;
2148 }
2149
2150 if (on_circuit->send_randomness_after_n_cells == 0) {
2151 /* Either this cell, or some previous cell, had enough padding to
2152 * ensure sendme unpredictability. */
2153 tor_assert_nonfatal(on_circuit->have_sent_sufficiently_random_cell);
2154 /* Pick a new interval in which we need to send randomness. */
2155 circuit_reset_sendme_randomness(on_circuit);
2156 }
2157
2158 --on_circuit->send_randomness_after_n_cells;
2159
2160 return package_length;
2161 }
2162
2163 /** If <b>conn</b> has an entire relay payload of bytes on its inbuf (or
2164 * <b>package_partial</b> is true), and the appropriate package windows aren't
2165 * empty, grab a cell and send it down the circuit.
2166 *
2167 * If *<b>max_cells</b> is given, package no more than max_cells. Decrement
2168 * *<b>max_cells</b> by the number of cells packaged.
2169 *
2170 * Return -1 (and send a RELAY_COMMAND_END cell if necessary) if conn should
2171 * be marked for close, else return 0.
2172 */
2173 int
connection_edge_package_raw_inbuf(edge_connection_t * conn,int package_partial,int * max_cells)2174 connection_edge_package_raw_inbuf(edge_connection_t *conn, int package_partial,
2175 int *max_cells)
2176 {
2177 size_t bytes_to_process, length;
2178 char payload[CELL_PAYLOAD_SIZE];
2179 circuit_t *circ;
2180 const unsigned domain = conn->base_.type == CONN_TYPE_AP ? LD_APP : LD_EXIT;
2181 int sending_from_optimistic = 0;
2182 entry_connection_t *entry_conn =
2183 conn->base_.type == CONN_TYPE_AP ? EDGE_TO_ENTRY_CONN(conn) : NULL;
2184 const int sending_optimistically =
2185 entry_conn &&
2186 conn->base_.type == CONN_TYPE_AP &&
2187 conn->base_.state != AP_CONN_STATE_OPEN;
2188 crypt_path_t *cpath_layer = conn->cpath_layer;
2189
2190 tor_assert(conn);
2191
2192 if (conn->base_.marked_for_close) {
2193 log_warn(LD_BUG,
2194 "called on conn that's already marked for close at %s:%d.",
2195 conn->base_.marked_for_close_file, conn->base_.marked_for_close);
2196 return 0;
2197 }
2198
2199 if (max_cells && *max_cells <= 0)
2200 return 0;
2201
2202 repeat_connection_edge_package_raw_inbuf:
2203
2204 circ = circuit_get_by_edge_conn(conn);
2205 if (!circ) {
2206 log_info(domain,"conn has no circuit! Closing.");
2207 conn->end_reason = END_STREAM_REASON_CANT_ATTACH;
2208 return -1;
2209 }
2210
2211 if (circuit_consider_stop_edge_reading(circ, cpath_layer))
2212 return 0;
2213
2214 if (conn->package_window <= 0) {
2215 log_info(domain,"called with package_window %d. Skipping.",
2216 conn->package_window);
2217 connection_stop_reading(TO_CONN(conn));
2218 return 0;
2219 }
2220
2221 sending_from_optimistic = entry_conn &&
2222 entry_conn->sending_optimistic_data != NULL;
2223
2224 if (PREDICT_UNLIKELY(sending_from_optimistic)) {
2225 bytes_to_process = buf_datalen(entry_conn->sending_optimistic_data);
2226 if (PREDICT_UNLIKELY(!bytes_to_process)) {
2227 log_warn(LD_BUG, "sending_optimistic_data was non-NULL but empty");
2228 bytes_to_process = connection_get_inbuf_len(TO_CONN(conn));
2229 sending_from_optimistic = 0;
2230 }
2231 } else {
2232 bytes_to_process = connection_get_inbuf_len(TO_CONN(conn));
2233 }
2234
2235 length = connection_edge_get_inbuf_bytes_to_package(bytes_to_process,
2236 package_partial, circ);
2237 if (!length)
2238 return 0;
2239
2240 /* If we reach this point, we will definitely be packaging bytes into
2241 * a cell. */
2242
2243 stats_n_data_bytes_packaged += length;
2244 stats_n_data_cells_packaged += 1;
2245
2246 if (PREDICT_UNLIKELY(sending_from_optimistic)) {
2247 /* XXXX We could be more efficient here by sometimes packing
2248 * previously-sent optimistic data in the same cell with data
2249 * from the inbuf. */
2250 buf_get_bytes(entry_conn->sending_optimistic_data, payload, length);
2251 if (!buf_datalen(entry_conn->sending_optimistic_data)) {
2252 buf_free(entry_conn->sending_optimistic_data);
2253 entry_conn->sending_optimistic_data = NULL;
2254 }
2255 } else {
2256 connection_buf_get_bytes(payload, length, TO_CONN(conn));
2257 }
2258
2259 log_debug(domain,TOR_SOCKET_T_FORMAT": Packaging %d bytes (%d waiting).",
2260 conn->base_.s,
2261 (int)length, (int)connection_get_inbuf_len(TO_CONN(conn)));
2262
2263 if (sending_optimistically && !sending_from_optimistic) {
2264 /* This is new optimistic data; remember it in case we need to detach and
2265 retry */
2266 if (!entry_conn->pending_optimistic_data)
2267 entry_conn->pending_optimistic_data = buf_new();
2268 buf_add(entry_conn->pending_optimistic_data, payload, length);
2269 }
2270
2271 if (connection_edge_send_command(conn, RELAY_COMMAND_DATA,
2272 payload, length) < 0 ) {
2273 /* circuit got marked for close, don't continue, don't need to mark conn */
2274 return 0;
2275 }
2276
2277 /* Handle the circuit-level SENDME package window. */
2278 if (sendme_note_circuit_data_packaged(circ, cpath_layer) < 0) {
2279 /* Package window has gone under 0. Protocol issue. */
2280 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
2281 "Circuit package window is below 0. Closing circuit.");
2282 conn->end_reason = END_STREAM_REASON_TORPROTOCOL;
2283 return -1;
2284 }
2285
2286 /* Handle the stream-level SENDME package window. */
2287 if (sendme_note_stream_data_packaged(conn) < 0) {
2288 connection_stop_reading(TO_CONN(conn));
2289 log_debug(domain,"conn->package_window reached 0.");
2290 circuit_consider_stop_edge_reading(circ, cpath_layer);
2291 return 0; /* don't process the inbuf any more */
2292 }
2293 log_debug(domain,"conn->package_window is now %d",conn->package_window);
2294
2295 if (max_cells) {
2296 *max_cells -= 1;
2297 if (*max_cells <= 0)
2298 return 0;
2299 }
2300
2301 /* handle more if there's more, or return 0 if there isn't */
2302 goto repeat_connection_edge_package_raw_inbuf;
2303 }
2304
2305 /** The circuit <b>circ</b> has received a circuit-level sendme
2306 * (on hop <b>layer_hint</b>, if we're the OP). Go through all the
2307 * attached streams and let them resume reading and packaging, if
2308 * their stream windows allow it.
2309 */
2310 static void
circuit_resume_edge_reading(circuit_t * circ,crypt_path_t * layer_hint)2311 circuit_resume_edge_reading(circuit_t *circ, crypt_path_t *layer_hint)
2312 {
2313 if (circuit_queue_streams_are_blocked(circ)) {
2314 log_debug(layer_hint?LD_APP:LD_EXIT,"Too big queue, no resuming");
2315 return;
2316 }
2317 log_debug(layer_hint?LD_APP:LD_EXIT,"resuming");
2318
2319 if (CIRCUIT_IS_ORIGIN(circ))
2320 circuit_resume_edge_reading_helper(TO_ORIGIN_CIRCUIT(circ)->p_streams,
2321 circ, layer_hint);
2322 else
2323 circuit_resume_edge_reading_helper(TO_OR_CIRCUIT(circ)->n_streams,
2324 circ, layer_hint);
2325 }
2326
2327 /** A helper function for circuit_resume_edge_reading() above.
2328 * The arguments are the same, except that <b>conn</b> is the head
2329 * of a linked list of edge streams that should each be considered.
2330 */
2331 static int
circuit_resume_edge_reading_helper(edge_connection_t * first_conn,circuit_t * circ,crypt_path_t * layer_hint)2332 circuit_resume_edge_reading_helper(edge_connection_t *first_conn,
2333 circuit_t *circ,
2334 crypt_path_t *layer_hint)
2335 {
2336 edge_connection_t *conn;
2337 int n_packaging_streams, n_streams_left;
2338 int packaged_this_round;
2339 int cells_on_queue;
2340 int cells_per_conn;
2341 edge_connection_t *chosen_stream = NULL;
2342 int max_to_package;
2343
2344 if (first_conn == NULL) {
2345 /* Don't bother to try to do the rest of this if there are no connections
2346 * to resume. */
2347 return 0;
2348 }
2349
2350 /* How many cells do we have space for? It will be the minimum of
2351 * the number needed to exhaust the package window, and the minimum
2352 * needed to fill the cell queue. */
2353 max_to_package = circ->package_window;
2354 if (CIRCUIT_IS_ORIGIN(circ)) {
2355 cells_on_queue = circ->n_chan_cells.n;
2356 } else {
2357 or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
2358 cells_on_queue = or_circ->p_chan_cells.n;
2359 }
2360 if (CELL_QUEUE_HIGHWATER_SIZE - cells_on_queue < max_to_package)
2361 max_to_package = CELL_QUEUE_HIGHWATER_SIZE - cells_on_queue;
2362
2363 /* Once we used to start listening on the streams in the order they
2364 * appeared in the linked list. That leads to starvation on the
2365 * streams that appeared later on the list, since the first streams
2366 * would always get to read first. Instead, we just pick a random
2367 * stream on the list, and enable reading for streams starting at that
2368 * point (and wrapping around as if the list were circular). It would
2369 * probably be better to actually remember which streams we've
2370 * serviced in the past, but this is simple and effective. */
2371
2372 /* Select a stream uniformly at random from the linked list. We
2373 * don't need cryptographic randomness here. */
2374 {
2375 int num_streams = 0;
2376 for (conn = first_conn; conn; conn = conn->next_stream) {
2377 num_streams++;
2378
2379 if (crypto_fast_rng_one_in_n(get_thread_fast_rng(), num_streams)) {
2380 chosen_stream = conn;
2381 }
2382 /* Invariant: chosen_stream has been chosen uniformly at random from
2383 * among the first num_streams streams on first_conn.
2384 *
2385 * (Note that we iterate over every stream on the circuit, so that after
2386 * we've considered the first stream, we've chosen it with P=1; and
2387 * after we consider the second stream, we've switched to it with P=1/2
2388 * and stayed with the first stream with P=1/2; and after we've
2389 * considered the third stream, we've switched to it with P=1/3 and
2390 * remained with one of the first two streams with P=(2/3), giving each
2391 * one P=(1/2)(2/3) )=(1/3).) */
2392 }
2393 }
2394
2395 /* Count how many non-marked streams there are that have anything on
2396 * their inbuf, and enable reading on all of the connections. */
2397 n_packaging_streams = 0;
2398 /* Activate reading starting from the chosen stream */
2399 for (conn=chosen_stream; conn; conn = conn->next_stream) {
2400 /* Start reading for the streams starting from here */
2401 if (conn->base_.marked_for_close || conn->package_window <= 0)
2402 continue;
2403 if (!layer_hint || conn->cpath_layer == layer_hint) {
2404 connection_start_reading(TO_CONN(conn));
2405
2406 if (connection_get_inbuf_len(TO_CONN(conn)) > 0)
2407 ++n_packaging_streams;
2408 }
2409 }
2410 /* Go back and do the ones we skipped, circular-style */
2411 for (conn = first_conn; conn != chosen_stream; conn = conn->next_stream) {
2412 if (conn->base_.marked_for_close || conn->package_window <= 0)
2413 continue;
2414 if (!layer_hint || conn->cpath_layer == layer_hint) {
2415 connection_start_reading(TO_CONN(conn));
2416
2417 if (connection_get_inbuf_len(TO_CONN(conn)) > 0)
2418 ++n_packaging_streams;
2419 }
2420 }
2421
2422 if (n_packaging_streams == 0) /* avoid divide-by-zero */
2423 return 0;
2424
2425 again:
2426
2427 cells_per_conn = CEIL_DIV(max_to_package, n_packaging_streams);
2428
2429 packaged_this_round = 0;
2430 n_streams_left = 0;
2431
2432 /* Iterate over all connections. Package up to cells_per_conn cells on
2433 * each. Update packaged_this_round with the total number of cells
2434 * packaged, and n_streams_left with the number that still have data to
2435 * package.
2436 */
2437 for (conn=first_conn; conn; conn=conn->next_stream) {
2438 if (conn->base_.marked_for_close || conn->package_window <= 0)
2439 continue;
2440 if (!layer_hint || conn->cpath_layer == layer_hint) {
2441 int n = cells_per_conn, r;
2442 /* handle whatever might still be on the inbuf */
2443 r = connection_edge_package_raw_inbuf(conn, 1, &n);
2444
2445 /* Note how many we packaged */
2446 packaged_this_round += (cells_per_conn-n);
2447
2448 if (r<0) {
2449 /* Problem while packaging. (We already sent an end cell if
2450 * possible) */
2451 connection_mark_for_close(TO_CONN(conn));
2452 continue;
2453 }
2454
2455 /* If there's still data to read, we'll be coming back to this stream. */
2456 if (connection_get_inbuf_len(TO_CONN(conn)))
2457 ++n_streams_left;
2458
2459 /* If the circuit won't accept any more data, return without looking
2460 * at any more of the streams. Any connections that should be stopped
2461 * have already been stopped by connection_edge_package_raw_inbuf. */
2462 if (circuit_consider_stop_edge_reading(circ, layer_hint))
2463 return -1;
2464 /* XXXX should we also stop immediately if we fill up the cell queue?
2465 * Probably. */
2466 }
2467 }
2468
2469 /* If we made progress, and we are willing to package more, and there are
2470 * any streams left that want to package stuff... try again!
2471 */
2472 if (packaged_this_round && packaged_this_round < max_to_package &&
2473 n_streams_left) {
2474 max_to_package -= packaged_this_round;
2475 n_packaging_streams = n_streams_left;
2476 goto again;
2477 }
2478
2479 return 0;
2480 }
2481
2482 /** Check if the package window for <b>circ</b> is empty (at
2483 * hop <b>layer_hint</b> if it's defined).
2484 *
2485 * If yes, tell edge streams to stop reading and return 1.
2486 * Else return 0.
2487 */
2488 static int
circuit_consider_stop_edge_reading(circuit_t * circ,crypt_path_t * layer_hint)2489 circuit_consider_stop_edge_reading(circuit_t *circ, crypt_path_t *layer_hint)
2490 {
2491 edge_connection_t *conn = NULL;
2492 unsigned domain = layer_hint ? LD_APP : LD_EXIT;
2493
2494 if (!layer_hint) {
2495 or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
2496 log_debug(domain,"considering circ->package_window %d",
2497 circ->package_window);
2498 if (circ->package_window <= 0) {
2499 log_debug(domain,"yes, not-at-origin. stopped.");
2500 for (conn = or_circ->n_streams; conn; conn=conn->next_stream)
2501 connection_stop_reading(TO_CONN(conn));
2502 return 1;
2503 }
2504 return 0;
2505 }
2506 /* else, layer hint is defined, use it */
2507 log_debug(domain,"considering layer_hint->package_window %d",
2508 layer_hint->package_window);
2509 if (layer_hint->package_window <= 0) {
2510 log_debug(domain,"yes, at-origin. stopped.");
2511 for (conn = TO_ORIGIN_CIRCUIT(circ)->p_streams; conn;
2512 conn=conn->next_stream) {
2513 if (conn->cpath_layer == layer_hint)
2514 connection_stop_reading(TO_CONN(conn));
2515 }
2516 return 1;
2517 }
2518 return 0;
2519 }
2520
2521 /** The total number of cells we have allocated. */
2522 static size_t total_cells_allocated = 0;
2523
2524 /** Release storage held by <b>cell</b>. */
2525 static inline void
packed_cell_free_unchecked(packed_cell_t * cell)2526 packed_cell_free_unchecked(packed_cell_t *cell)
2527 {
2528 --total_cells_allocated;
2529 tor_free(cell);
2530 }
2531
2532 /** Allocate and return a new packed_cell_t. */
2533 STATIC packed_cell_t *
packed_cell_new(void)2534 packed_cell_new(void)
2535 {
2536 ++total_cells_allocated;
2537 return tor_malloc_zero(sizeof(packed_cell_t));
2538 }
2539
2540 /** Return a packed cell used outside by channel_t lower layer */
2541 void
packed_cell_free_(packed_cell_t * cell)2542 packed_cell_free_(packed_cell_t *cell)
2543 {
2544 if (!cell)
2545 return;
2546 packed_cell_free_unchecked(cell);
2547 }
2548
2549 /** Log current statistics for cell pool allocation at log level
2550 * <b>severity</b>. */
2551 void
dump_cell_pool_usage(int severity)2552 dump_cell_pool_usage(int severity)
2553 {
2554 int n_circs = 0;
2555 int n_cells = 0;
2556 SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t *, c) {
2557 n_cells += c->n_chan_cells.n;
2558 if (!CIRCUIT_IS_ORIGIN(c))
2559 n_cells += TO_OR_CIRCUIT(c)->p_chan_cells.n;
2560 ++n_circs;
2561 }
2562 SMARTLIST_FOREACH_END(c);
2563 tor_log(severity, LD_MM,
2564 "%d cells allocated on %d circuits. %d cells leaked.",
2565 n_cells, n_circs, (int)total_cells_allocated - n_cells);
2566 }
2567
2568 /** Allocate a new copy of packed <b>cell</b>. */
2569 static inline packed_cell_t *
packed_cell_copy(const cell_t * cell,int wide_circ_ids)2570 packed_cell_copy(const cell_t *cell, int wide_circ_ids)
2571 {
2572 packed_cell_t *c = packed_cell_new();
2573 cell_pack(c, cell, wide_circ_ids);
2574 return c;
2575 }
2576
2577 /** Append <b>cell</b> to the end of <b>queue</b>. */
2578 void
cell_queue_append(cell_queue_t * queue,packed_cell_t * cell)2579 cell_queue_append(cell_queue_t *queue, packed_cell_t *cell)
2580 {
2581 TOR_SIMPLEQ_INSERT_TAIL(&queue->head, cell, next);
2582 ++queue->n;
2583 }
2584
2585 /** Append a newly allocated copy of <b>cell</b> to the end of the
2586 * <b>exitward</b> (or app-ward) <b>queue</b> of <b>circ</b>. If
2587 * <b>use_stats</b> is true, record statistics about the cell.
2588 */
2589 void
cell_queue_append_packed_copy(circuit_t * circ,cell_queue_t * queue,int exitward,const cell_t * cell,int wide_circ_ids,int use_stats)2590 cell_queue_append_packed_copy(circuit_t *circ, cell_queue_t *queue,
2591 int exitward, const cell_t *cell,
2592 int wide_circ_ids, int use_stats)
2593 {
2594 packed_cell_t *copy = packed_cell_copy(cell, wide_circ_ids);
2595 (void)circ;
2596 (void)exitward;
2597 (void)use_stats;
2598
2599 copy->inserted_timestamp = monotime_coarse_get_stamp();
2600
2601 cell_queue_append(queue, copy);
2602 }
2603
2604 /** Initialize <b>queue</b> as an empty cell queue. */
2605 void
cell_queue_init(cell_queue_t * queue)2606 cell_queue_init(cell_queue_t *queue)
2607 {
2608 memset(queue, 0, sizeof(cell_queue_t));
2609 TOR_SIMPLEQ_INIT(&queue->head);
2610 }
2611
2612 /** Remove and free every cell in <b>queue</b>. */
2613 void
cell_queue_clear(cell_queue_t * queue)2614 cell_queue_clear(cell_queue_t *queue)
2615 {
2616 packed_cell_t *cell;
2617 while ((cell = TOR_SIMPLEQ_FIRST(&queue->head))) {
2618 TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
2619 packed_cell_free_unchecked(cell);
2620 }
2621 TOR_SIMPLEQ_INIT(&queue->head);
2622 queue->n = 0;
2623 }
2624
2625 /** Extract and return the cell at the head of <b>queue</b>; return NULL if
2626 * <b>queue</b> is empty. */
2627 STATIC packed_cell_t *
cell_queue_pop(cell_queue_t * queue)2628 cell_queue_pop(cell_queue_t *queue)
2629 {
2630 packed_cell_t *cell = TOR_SIMPLEQ_FIRST(&queue->head);
2631 if (!cell)
2632 return NULL;
2633 TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
2634 --queue->n;
2635 return cell;
2636 }
2637
2638 /** Initialize <b>queue</b> as an empty cell queue. */
2639 void
destroy_cell_queue_init(destroy_cell_queue_t * queue)2640 destroy_cell_queue_init(destroy_cell_queue_t *queue)
2641 {
2642 memset(queue, 0, sizeof(destroy_cell_queue_t));
2643 TOR_SIMPLEQ_INIT(&queue->head);
2644 }
2645
2646 /** Remove and free every cell in <b>queue</b>. */
2647 void
destroy_cell_queue_clear(destroy_cell_queue_t * queue)2648 destroy_cell_queue_clear(destroy_cell_queue_t *queue)
2649 {
2650 destroy_cell_t *cell;
2651 while ((cell = TOR_SIMPLEQ_FIRST(&queue->head))) {
2652 TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
2653 tor_free(cell);
2654 }
2655 TOR_SIMPLEQ_INIT(&queue->head);
2656 queue->n = 0;
2657 }
2658
2659 /** Extract and return the cell at the head of <b>queue</b>; return NULL if
2660 * <b>queue</b> is empty. */
2661 STATIC destroy_cell_t *
destroy_cell_queue_pop(destroy_cell_queue_t * queue)2662 destroy_cell_queue_pop(destroy_cell_queue_t *queue)
2663 {
2664 destroy_cell_t *cell = TOR_SIMPLEQ_FIRST(&queue->head);
2665 if (!cell)
2666 return NULL;
2667 TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
2668 --queue->n;
2669 return cell;
2670 }
2671
2672 /** Append a destroy cell for <b>circid</b> to <b>queue</b>. */
2673 void
destroy_cell_queue_append(destroy_cell_queue_t * queue,circid_t circid,uint8_t reason)2674 destroy_cell_queue_append(destroy_cell_queue_t *queue,
2675 circid_t circid,
2676 uint8_t reason)
2677 {
2678 destroy_cell_t *cell = tor_malloc_zero(sizeof(destroy_cell_t));
2679 cell->circid = circid;
2680 cell->reason = reason;
2681 /* Not yet used, but will be required for OOM handling. */
2682 cell->inserted_timestamp = monotime_coarse_get_stamp();
2683
2684 TOR_SIMPLEQ_INSERT_TAIL(&queue->head, cell, next);
2685 ++queue->n;
2686 }
2687
2688 /** Convert a destroy_cell_t to a newly allocated cell_t. Frees its input. */
2689 static packed_cell_t *
destroy_cell_to_packed_cell(destroy_cell_t * inp,int wide_circ_ids)2690 destroy_cell_to_packed_cell(destroy_cell_t *inp, int wide_circ_ids)
2691 {
2692 packed_cell_t *packed = packed_cell_new();
2693 cell_t cell;
2694 memset(&cell, 0, sizeof(cell));
2695 cell.circ_id = inp->circid;
2696 cell.command = CELL_DESTROY;
2697 cell.payload[0] = inp->reason;
2698 cell_pack(packed, &cell, wide_circ_ids);
2699
2700 tor_free(inp);
2701 return packed;
2702 }
2703
2704 /** Return the total number of bytes used for each packed_cell in a queue.
2705 * Approximate. */
2706 size_t
packed_cell_mem_cost(void)2707 packed_cell_mem_cost(void)
2708 {
2709 return sizeof(packed_cell_t);
2710 }
2711
2712 /* DOCDOC */
2713 size_t
cell_queues_get_total_allocation(void)2714 cell_queues_get_total_allocation(void)
2715 {
2716 return total_cells_allocated * packed_cell_mem_cost();
2717 }
2718
2719 /** How long after we've been low on memory should we try to conserve it? */
2720 #define MEMORY_PRESSURE_INTERVAL (30*60)
2721
2722 /** The time at which we were last low on memory. */
2723 static time_t last_time_under_memory_pressure = 0;
2724
2725 /** Check whether we've got too much space used for cells. If so,
2726 * call the OOM handler and return 1. Otherwise, return 0. */
2727 STATIC int
cell_queues_check_size(void)2728 cell_queues_check_size(void)
2729 {
2730 time_t now = time(NULL);
2731 size_t alloc = cell_queues_get_total_allocation();
2732 alloc += half_streams_get_total_allocation();
2733 alloc += buf_get_total_allocation();
2734 alloc += tor_compress_get_total_allocation();
2735 const size_t hs_cache_total = hs_cache_get_total_allocation();
2736 alloc += hs_cache_total;
2737 const size_t geoip_client_cache_total =
2738 geoip_client_cache_total_allocation();
2739 alloc += geoip_client_cache_total;
2740 const size_t dns_cache_total = dns_cache_total_allocation();
2741 alloc += dns_cache_total;
2742 if (alloc >= get_options()->MaxMemInQueues_low_threshold) {
2743 last_time_under_memory_pressure = approx_time();
2744 if (alloc >= get_options()->MaxMemInQueues) {
2745 /* Note this overload down */
2746 rep_hist_note_overload(OVERLOAD_GENERAL);
2747
2748 /* If we're spending over 20% of the memory limit on hidden service
2749 * descriptors, free them until we're down to 10%. Do the same for geoip
2750 * client cache. */
2751 if (hs_cache_total > get_options()->MaxMemInQueues / 5) {
2752 const size_t bytes_to_remove =
2753 hs_cache_total - (size_t)(get_options()->MaxMemInQueues / 10);
2754 alloc -= hs_cache_handle_oom(now, bytes_to_remove);
2755 }
2756 if (geoip_client_cache_total > get_options()->MaxMemInQueues / 5) {
2757 const size_t bytes_to_remove =
2758 geoip_client_cache_total -
2759 (size_t)(get_options()->MaxMemInQueues / 10);
2760 alloc -= geoip_client_cache_handle_oom(now, bytes_to_remove);
2761 }
2762 if (dns_cache_total > get_options()->MaxMemInQueues / 5) {
2763 const size_t bytes_to_remove =
2764 dns_cache_total - (size_t)(get_options()->MaxMemInQueues / 10);
2765 alloc -= dns_cache_handle_oom(now, bytes_to_remove);
2766 }
2767 circuits_handle_oom(alloc);
2768 return 1;
2769 }
2770 }
2771 return 0;
2772 }
2773
2774 /** Return true if we've been under memory pressure in the last
2775 * MEMORY_PRESSURE_INTERVAL seconds. */
2776 int
have_been_under_memory_pressure(void)2777 have_been_under_memory_pressure(void)
2778 {
2779 return last_time_under_memory_pressure + MEMORY_PRESSURE_INTERVAL
2780 < approx_time();
2781 }
2782
2783 /**
2784 * Update the number of cells available on the circuit's n_chan or p_chan's
2785 * circuit mux.
2786 */
2787 void
update_circuit_on_cmux_(circuit_t * circ,cell_direction_t direction,const char * file,int lineno)2788 update_circuit_on_cmux_(circuit_t *circ, cell_direction_t direction,
2789 const char *file, int lineno)
2790 {
2791 channel_t *chan = NULL;
2792 or_circuit_t *or_circ = NULL;
2793 circuitmux_t *cmux = NULL;
2794
2795 tor_assert(circ);
2796
2797 /* Okay, get the channel */
2798 if (direction == CELL_DIRECTION_OUT) {
2799 chan = circ->n_chan;
2800 } else {
2801 or_circ = TO_OR_CIRCUIT(circ);
2802 chan = or_circ->p_chan;
2803 }
2804
2805 tor_assert(chan);
2806 tor_assert(chan->cmux);
2807
2808 /* Now get the cmux */
2809 cmux = chan->cmux;
2810
2811 /* Cmux sanity check */
2812 if (! circuitmux_is_circuit_attached(cmux, circ)) {
2813 log_warn(LD_BUG, "called on non-attached circuit from %s:%d",
2814 file, lineno);
2815 return;
2816 }
2817 tor_assert(circuitmux_attached_circuit_direction(cmux, circ) == direction);
2818
2819 /* Update the number of cells we have for the circuit mux */
2820 if (direction == CELL_DIRECTION_OUT) {
2821 circuitmux_set_num_cells(cmux, circ, circ->n_chan_cells.n);
2822 } else {
2823 circuitmux_set_num_cells(cmux, circ, or_circ->p_chan_cells.n);
2824 }
2825 }
2826
2827 /** Remove all circuits from the cmux on <b>chan</b>.
2828 *
2829 * If <b>circuits_out</b> is non-NULL, add all detached circuits to
2830 * <b>circuits_out</b>.
2831 **/
2832 void
channel_unlink_all_circuits(channel_t * chan,smartlist_t * circuits_out)2833 channel_unlink_all_circuits(channel_t *chan, smartlist_t *circuits_out)
2834 {
2835 tor_assert(chan);
2836 tor_assert(chan->cmux);
2837
2838 circuitmux_detach_all_circuits(chan->cmux, circuits_out);
2839 chan->num_n_circuits = 0;
2840 chan->num_p_circuits = 0;
2841 }
2842
2843 /** Block (if <b>block</b> is true) or unblock (if <b>block</b> is false)
2844 * every edge connection that is using <b>circ</b> to write to <b>chan</b>,
2845 * and start or stop reading as appropriate.
2846 *
2847 * If <b>stream_id</b> is nonzero, block only the edge connection whose
2848 * stream_id matches it.
2849 *
2850 * Returns the number of streams whose status we changed.
2851 */
2852 static int
set_streams_blocked_on_circ(circuit_t * circ,channel_t * chan,int block,streamid_t stream_id)2853 set_streams_blocked_on_circ(circuit_t *circ, channel_t *chan,
2854 int block, streamid_t stream_id)
2855 {
2856 edge_connection_t *edge = NULL;
2857 int n = 0;
2858 if (circ->n_chan == chan) {
2859 circ->streams_blocked_on_n_chan = block;
2860 if (CIRCUIT_IS_ORIGIN(circ))
2861 edge = TO_ORIGIN_CIRCUIT(circ)->p_streams;
2862 } else {
2863 circ->streams_blocked_on_p_chan = block;
2864 tor_assert(!CIRCUIT_IS_ORIGIN(circ));
2865 edge = TO_OR_CIRCUIT(circ)->n_streams;
2866 }
2867
2868 for (; edge; edge = edge->next_stream) {
2869 connection_t *conn = TO_CONN(edge);
2870 if (stream_id && edge->stream_id != stream_id)
2871 continue;
2872
2873 if (edge->edge_blocked_on_circ != block) {
2874 ++n;
2875 edge->edge_blocked_on_circ = block;
2876 }
2877
2878 if (!conn->read_event) {
2879 /* This connection is a placeholder for something; probably a DNS
2880 * request. It can't actually stop or start reading.*/
2881 continue;
2882 }
2883
2884 if (block) {
2885 if (connection_is_reading(conn))
2886 connection_stop_reading(conn);
2887 } else {
2888 /* Is this right? */
2889 if (!connection_is_reading(conn))
2890 connection_start_reading(conn);
2891 }
2892 }
2893
2894 return n;
2895 }
2896
2897 /** Extract the command from a packed cell. */
2898 uint8_t
packed_cell_get_command(const packed_cell_t * cell,int wide_circ_ids)2899 packed_cell_get_command(const packed_cell_t *cell, int wide_circ_ids)
2900 {
2901 if (wide_circ_ids) {
2902 return get_uint8(cell->body+4);
2903 } else {
2904 return get_uint8(cell->body+2);
2905 }
2906 }
2907
2908 /** Extract the circuit ID from a packed cell. */
2909 circid_t
packed_cell_get_circid(const packed_cell_t * cell,int wide_circ_ids)2910 packed_cell_get_circid(const packed_cell_t *cell, int wide_circ_ids)
2911 {
2912 if (wide_circ_ids) {
2913 return ntohl(get_uint32(cell->body));
2914 } else {
2915 return ntohs(get_uint16(cell->body));
2916 }
2917 }
2918
2919 /** Pull as many cells as possible (but no more than <b>max</b>) from the
2920 * queue of the first active circuit on <b>chan</b>, and write them to
2921 * <b>chan</b>->outbuf. Return the number of cells written. Advance
2922 * the active circuit pointer to the next active circuit in the ring. */
2923 MOCK_IMPL(int,
2924 channel_flush_from_first_active_circuit, (channel_t *chan, int max))
2925 {
2926 circuitmux_t *cmux = NULL;
2927 int n_flushed = 0;
2928 cell_queue_t *queue;
2929 destroy_cell_queue_t *destroy_queue=NULL;
2930 circuit_t *circ;
2931 or_circuit_t *or_circ;
2932 int streams_blocked;
2933 packed_cell_t *cell;
2934
2935 /* Get the cmux */
2936 tor_assert(chan);
2937 tor_assert(chan->cmux);
2938 cmux = chan->cmux;
2939
2940 /* Main loop: pick a circuit, send a cell, update the cmux */
2941 while (n_flushed < max) {
2942 circ = circuitmux_get_first_active_circuit(cmux, &destroy_queue);
2943 if (destroy_queue) {
2944 destroy_cell_t *dcell;
2945 /* this code is duplicated from some of the logic below. Ugly! XXXX */
2946 /* If we are given a destroy_queue here, then it is required to be
2947 * nonempty... */
2948 tor_assert(destroy_queue->n > 0);
2949 dcell = destroy_cell_queue_pop(destroy_queue);
2950 /* ...and pop() will always yield a cell from a nonempty queue. */
2951 tor_assert(dcell);
2952 /* frees dcell */
2953 cell = destroy_cell_to_packed_cell(dcell, chan->wide_circ_ids);
2954 /* Send the DESTROY cell. It is very unlikely that this fails but just
2955 * in case, get rid of the channel. */
2956 if (channel_write_packed_cell(chan, cell) < 0) {
2957 /* The cell has been freed. */
2958 channel_mark_for_close(chan);
2959 continue;
2960 }
2961 /* Update the cmux destroy counter */
2962 circuitmux_notify_xmit_destroy(cmux);
2963 cell = NULL;
2964 ++n_flushed;
2965 continue;
2966 }
2967 /* If it returns NULL, no cells left to send */
2968 if (!circ) break;
2969
2970 if (circ->n_chan == chan) {
2971 queue = &circ->n_chan_cells;
2972 streams_blocked = circ->streams_blocked_on_n_chan;
2973 } else {
2974 or_circ = TO_OR_CIRCUIT(circ);
2975 tor_assert(or_circ->p_chan == chan);
2976 queue = &TO_OR_CIRCUIT(circ)->p_chan_cells;
2977 streams_blocked = circ->streams_blocked_on_p_chan;
2978 }
2979
2980 /* Circuitmux told us this was active, so it should have cells */
2981 if (/*BUG(*/ queue->n == 0 /*)*/) {
2982 log_warn(LD_BUG, "Found a supposedly active circuit with no cells "
2983 "to send. Trying to recover.");
2984 circuitmux_set_num_cells(cmux, circ, 0);
2985 if (! circ->marked_for_close)
2986 circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
2987 continue;
2988 }
2989
2990 tor_assert(queue->n > 0);
2991
2992 /*
2993 * Get just one cell here; once we've sent it, that can change the circuit
2994 * selection, so we have to loop around for another even if this circuit
2995 * has more than one.
2996 */
2997 cell = cell_queue_pop(queue);
2998
2999 /* Calculate the exact time that this cell has spent in the queue. */
3000 if (get_options()->CellStatistics ||
3001 get_options()->TestingEnableCellStatsEvent) {
3002 uint32_t timestamp_now = monotime_coarse_get_stamp();
3003 uint32_t msec_waiting =
3004 (uint32_t) monotime_coarse_stamp_units_to_approx_msec(
3005 timestamp_now - cell->inserted_timestamp);
3006
3007 if (get_options()->CellStatistics && !CIRCUIT_IS_ORIGIN(circ)) {
3008 or_circ = TO_OR_CIRCUIT(circ);
3009 or_circ->total_cell_waiting_time += msec_waiting;
3010 or_circ->processed_cells++;
3011 }
3012
3013 if (get_options()->TestingEnableCellStatsEvent) {
3014 uint8_t command = packed_cell_get_command(cell, chan->wide_circ_ids);
3015
3016 testing_cell_stats_entry_t *ent =
3017 tor_malloc_zero(sizeof(testing_cell_stats_entry_t));
3018 ent->command = command;
3019 ent->waiting_time = msec_waiting / 10;
3020 ent->removed = 1;
3021 if (circ->n_chan == chan)
3022 ent->exitward = 1;
3023 if (!circ->testing_cell_stats)
3024 circ->testing_cell_stats = smartlist_new();
3025 smartlist_add(circ->testing_cell_stats, ent);
3026 }
3027 }
3028
3029 /* If we just flushed our queue and this circuit is used for a
3030 * tunneled directory request, possibly advance its state. */
3031 if (queue->n == 0 && chan->dirreq_id)
3032 geoip_change_dirreq_state(chan->dirreq_id,
3033 DIRREQ_TUNNELED,
3034 DIRREQ_CIRC_QUEUE_FLUSHED);
3035
3036 /* Now send the cell. It is very unlikely that this fails but just in
3037 * case, get rid of the channel. */
3038 if (channel_write_packed_cell(chan, cell) < 0) {
3039 /* The cell has been freed at this point. */
3040 channel_mark_for_close(chan);
3041 continue;
3042 }
3043 cell = NULL;
3044
3045 /*
3046 * Don't packed_cell_free_unchecked(cell) here because the channel will
3047 * do so when it gets out of the channel queue (probably already did, in
3048 * which case that was an immediate double-free bug).
3049 */
3050
3051 /* Update the counter */
3052 ++n_flushed;
3053
3054 /*
3055 * Now update the cmux; tell it we've just sent a cell, and how many
3056 * we have left.
3057 */
3058 circuitmux_notify_xmit_cells(cmux, circ, 1);
3059 circuitmux_set_num_cells(cmux, circ, queue->n);
3060 if (queue->n == 0)
3061 log_debug(LD_GENERAL, "Made a circuit inactive.");
3062
3063 /* Is the cell queue low enough to unblock all the streams that are waiting
3064 * to write to this circuit? */
3065 if (streams_blocked && queue->n <= CELL_QUEUE_LOWWATER_SIZE)
3066 set_streams_blocked_on_circ(circ, chan, 0, 0); /* unblock streams */
3067
3068 /* If n_flushed < max still, loop around and pick another circuit */
3069 }
3070
3071 /* Okay, we're done sending now */
3072 return n_flushed;
3073 }
3074
3075 /* Minimum value is the maximum circuit window size.
3076 *
3077 * SENDME cells makes it that we can control how many cells can be inflight on
3078 * a circuit from end to end. This logic makes it that on any circuit cell
3079 * queue, we have a maximum of cells possible.
3080 *
3081 * Because the Tor protocol allows for a client to exit at any hop in a
3082 * circuit and a circuit can be of a maximum of 8 hops, so in theory the
3083 * normal worst case will be the circuit window start value times the maximum
3084 * number of hops (8). Having more cells then that means something is wrong.
3085 *
3086 * However, because padding cells aren't counted in the package window, we set
3087 * the maximum size to a reasonably large size for which we expect that we'll
3088 * never reach in theory. And if we ever do because of future changes, we'll
3089 * be able to control it with a consensus parameter.
3090 *
3091 * XXX: Unfortunately, END cells aren't accounted for in the circuit window
3092 * which means that for instance if a client opens 8001 streams, the 8001
3093 * following END cells will queue up in the circuit which will get closed if
3094 * the max limit is 8000. Which is sad because it is allowed by the Tor
3095 * protocol. But, we need an upper bound on circuit queue in order to avoid
3096 * DoS memory pressure so the default size is a middle ground between not
3097 * having any limit and having a very restricted one. This is why we can also
3098 * control it through a consensus parameter. */
3099 #define RELAY_CIRC_CELL_QUEUE_SIZE_MIN CIRCWINDOW_START_MAX
3100 /* We can't have a consensus parameter above this value. */
3101 #define RELAY_CIRC_CELL_QUEUE_SIZE_MAX INT32_MAX
3102 /* Default value is set to a large value so we can handle padding cells
3103 * properly which aren't accounted for in the SENDME window. Default is 50000
3104 * allowed cells in the queue resulting in ~25MB. */
3105 #define RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT \
3106 (50 * RELAY_CIRC_CELL_QUEUE_SIZE_MIN)
3107
3108 /* The maximum number of cell a circuit queue can contain. This is updated at
3109 * every new consensus and controlled by a parameter. */
3110 static int32_t max_circuit_cell_queue_size =
3111 RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT;
3112
3113 /* Called when the consensus has changed. At this stage, the global consensus
3114 * object has NOT been updated. It is called from
3115 * notify_before_networkstatus_changes(). */
3116 void
relay_consensus_has_changed(const networkstatus_t * ns)3117 relay_consensus_has_changed(const networkstatus_t *ns)
3118 {
3119 tor_assert(ns);
3120
3121 /* Update the circuit max cell queue size from the consensus. */
3122 max_circuit_cell_queue_size =
3123 networkstatus_get_param(ns, "circ_max_cell_queue_size",
3124 RELAY_CIRC_CELL_QUEUE_SIZE_DEFAULT,
3125 RELAY_CIRC_CELL_QUEUE_SIZE_MIN,
3126 RELAY_CIRC_CELL_QUEUE_SIZE_MAX);
3127 }
3128
3129 /** Add <b>cell</b> to the queue of <b>circ</b> writing to <b>chan</b>
3130 * transmitting in <b>direction</b>.
3131 *
3132 * The given <b>cell</b> is copied onto the circuit queue so the caller must
3133 * cleanup the memory.
3134 *
3135 * This function is part of the fast path. */
3136 void
append_cell_to_circuit_queue(circuit_t * circ,channel_t * chan,cell_t * cell,cell_direction_t direction,streamid_t fromstream)3137 append_cell_to_circuit_queue(circuit_t *circ, channel_t *chan,
3138 cell_t *cell, cell_direction_t direction,
3139 streamid_t fromstream)
3140 {
3141 or_circuit_t *orcirc = NULL;
3142 cell_queue_t *queue;
3143 int streams_blocked;
3144 int exitward;
3145 if (circ->marked_for_close)
3146 return;
3147
3148 exitward = (direction == CELL_DIRECTION_OUT);
3149 if (exitward) {
3150 queue = &circ->n_chan_cells;
3151 streams_blocked = circ->streams_blocked_on_n_chan;
3152 } else {
3153 orcirc = TO_OR_CIRCUIT(circ);
3154 queue = &orcirc->p_chan_cells;
3155 streams_blocked = circ->streams_blocked_on_p_chan;
3156 }
3157
3158 if (PREDICT_UNLIKELY(queue->n >= max_circuit_cell_queue_size)) {
3159 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
3160 "%s circuit has %d cells in its queue, maximum allowed is %d. "
3161 "Closing circuit for safety reasons.",
3162 (exitward) ? "Outbound" : "Inbound", queue->n,
3163 max_circuit_cell_queue_size);
3164 circuit_mark_for_close(circ, END_CIRC_REASON_RESOURCELIMIT);
3165 stats_n_circ_max_cell_reached++;
3166 return;
3167 }
3168
3169 /* Very important that we copy to the circuit queue because all calls to
3170 * this function use the stack for the cell memory. */
3171 cell_queue_append_packed_copy(circ, queue, exitward, cell,
3172 chan->wide_circ_ids, 1);
3173
3174 /* Check and run the OOM if needed. */
3175 if (PREDICT_UNLIKELY(cell_queues_check_size())) {
3176 /* We ran the OOM handler which might have closed this circuit. */
3177 if (circ->marked_for_close)
3178 return;
3179 }
3180
3181 /* If we have too many cells on the circuit, we should stop reading from
3182 * the edge streams for a while. */
3183 if (!streams_blocked && queue->n >= CELL_QUEUE_HIGHWATER_SIZE)
3184 set_streams_blocked_on_circ(circ, chan, 1, 0); /* block streams */
3185
3186 if (streams_blocked && fromstream) {
3187 /* This edge connection is apparently not blocked; block it. */
3188 set_streams_blocked_on_circ(circ, chan, 1, fromstream);
3189 }
3190
3191 update_circuit_on_cmux(circ, direction);
3192 if (queue->n == 1) {
3193 /* This was the first cell added to the queue. We just made this
3194 * circuit active. */
3195 log_debug(LD_GENERAL, "Made a circuit active.");
3196 }
3197
3198 /* New way: mark this as having waiting cells for the scheduler */
3199 scheduler_channel_has_waiting_cells(chan);
3200 }
3201
3202 /** Append an encoded value of <b>addr</b> to <b>payload_out</b>, which must
3203 * have at least 18 bytes of free space. The encoding is, as specified in
3204 * tor-spec.txt:
3205 * RESOLVED_TYPE_IPV4 or RESOLVED_TYPE_IPV6 [1 byte]
3206 * LENGTH [1 byte]
3207 * ADDRESS [length bytes]
3208 * Return the number of bytes added, or -1 on error */
3209 int
append_address_to_payload(uint8_t * payload_out,const tor_addr_t * addr)3210 append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr)
3211 {
3212 uint32_t a;
3213 switch (tor_addr_family(addr)) {
3214 case AF_INET:
3215 payload_out[0] = RESOLVED_TYPE_IPV4;
3216 payload_out[1] = 4;
3217 a = tor_addr_to_ipv4n(addr);
3218 memcpy(payload_out+2, &a, 4);
3219 return 6;
3220 case AF_INET6:
3221 payload_out[0] = RESOLVED_TYPE_IPV6;
3222 payload_out[1] = 16;
3223 memcpy(payload_out+2, tor_addr_to_in6_addr8(addr), 16);
3224 return 18;
3225 case AF_UNSPEC:
3226 default:
3227 return -1;
3228 }
3229 }
3230
3231 /** Given <b>payload_len</b> bytes at <b>payload</b>, starting with an address
3232 * encoded as by append_address_to_payload(), try to decode the address into
3233 * *<b>addr_out</b>. Return the next byte in the payload after the address on
3234 * success, or NULL on failure. */
3235 const uint8_t *
decode_address_from_payload(tor_addr_t * addr_out,const uint8_t * payload,int payload_len)3236 decode_address_from_payload(tor_addr_t *addr_out, const uint8_t *payload,
3237 int payload_len)
3238 {
3239 if (payload_len < 2)
3240 return NULL;
3241 if (payload_len < 2+payload[1])
3242 return NULL;
3243
3244 switch (payload[0]) {
3245 case RESOLVED_TYPE_IPV4:
3246 if (payload[1] != 4)
3247 return NULL;
3248 tor_addr_from_ipv4n(addr_out, get_uint32(payload+2));
3249 break;
3250 case RESOLVED_TYPE_IPV6:
3251 if (payload[1] != 16)
3252 return NULL;
3253 tor_addr_from_ipv6_bytes(addr_out, (payload+2));
3254 break;
3255 default:
3256 tor_addr_make_unspec(addr_out);
3257 break;
3258 }
3259 return payload + 2 + payload[1];
3260 }
3261
3262 /** Remove all the cells queued on <b>circ</b> for <b>chan</b>. */
3263 void
circuit_clear_cell_queue(circuit_t * circ,channel_t * chan)3264 circuit_clear_cell_queue(circuit_t *circ, channel_t *chan)
3265 {
3266 cell_queue_t *queue;
3267 cell_direction_t direction;
3268
3269 if (circ->n_chan == chan) {
3270 queue = &circ->n_chan_cells;
3271 direction = CELL_DIRECTION_OUT;
3272 } else {
3273 or_circuit_t *orcirc = TO_OR_CIRCUIT(circ);
3274 tor_assert(orcirc->p_chan == chan);
3275 queue = &orcirc->p_chan_cells;
3276 direction = CELL_DIRECTION_IN;
3277 }
3278
3279 /* Clear the queue */
3280 cell_queue_clear(queue);
3281
3282 /* Update the cell counter in the cmux */
3283 if (chan->cmux && circuitmux_is_circuit_attached(chan->cmux, circ))
3284 update_circuit_on_cmux(circ, direction);
3285 }
3286
3287 /** Return 1 if we shouldn't restart reading on this circuit, even if
3288 * we get a SENDME. Else return 0.
3289 */
3290 static int
circuit_queue_streams_are_blocked(circuit_t * circ)3291 circuit_queue_streams_are_blocked(circuit_t *circ)
3292 {
3293 if (CIRCUIT_IS_ORIGIN(circ)) {
3294 return circ->streams_blocked_on_n_chan;
3295 } else {
3296 return circ->streams_blocked_on_p_chan;
3297 }
3298 }
3299