Move circuitbuildtimeout config check.

We want it to be under our control so it doesn't mess
up initialization. This is likely the cause for
the bug the previous assert-adding commit (09a75ad) was
trying to address.

src/or/circuitbuild.c

@@ -141,6 +141,11 @@ circuit_build_times_init(circuit_build_times_t *cbt)
 
   if (!unit_tests && get_options()->CircuitBuildTimeout) {
     cbt->timeout = get_options()->CircuitBuildTimeout;
+    if (cbt->timeout < BUILD_TIMEOUT_MIN_VALUE) {
+      log_warn(LD_CIRC, "Config CircuitBuildTimeout too low. Setting to %d",
+               BUILD_TIMEOUT_MIN_VALUE);
+      cbt->timeout = BUILD_TIMEOUT_MIN_VALUE;
+    }
   } else {
     cbt->timeout = BUILD_TIMEOUT_INITIAL_VALUE;
   }
@@ -697,6 +702,12 @@ circuit_build_times_check_too_many_timeouts(circuit_build_times_t *cbt)
 
   cbt->timeout = lround(timeout/1000.0);
 
+  if (cbt->timeout < BUILD_TIMEOUT_MIN_VALUE) {
+    log_warn(LD_CIRC, "Reset buildtimeout to low value %lf. Setting to %d",
+             timeout, BUILD_TIMEOUT_MIN_VALUE);
+    cbt->timeout = BUILD_TIMEOUT_MIN_VALUE;
+  }
+
   log_notice(LD_CIRC,
              "Reset circuit build timeout to %d (%lf, Xm: %d, a: %lf) based "
              "on %d recent circuit times", cbt->timeout, timeout, cbt->Xm,
@@ -761,6 +772,12 @@ circuit_build_times_set_timeout(circuit_build_times_t *cbt)
   cbt->have_computed_timeout = 1;
   cbt->timeout = lround(timeout/1000.0);
 
+  if (cbt->timeout < BUILD_TIMEOUT_MIN_VALUE) {
+    log_warn(LD_CIRC, "Set buildtimeout to low value %lf. Setting to %d",
+             timeout, BUILD_TIMEOUT_MIN_VALUE);
+    cbt->timeout = BUILD_TIMEOUT_MIN_VALUE;
+  }
+
   log_info(LD_CIRC,
            "Set circuit build timeout to %d (%lf, Xm: %d, a: %lf) based on "
            "%d circuit times", cbt->timeout, timeout, cbt->Xm, cbt->alpha,

src/or/config.c

@@ -2919,11 +2919,6 @@ compute_publishserverdescriptor(or_options_t *options)
 /** Highest allowable value for RendPostPeriod. */
 #define MAX_DIR_PERIOD (MIN_ONION_KEY_LIFETIME/2)
 
-/** Lowest allowable value for CircuitBuildTimeout; values too low will
- * increase network load because of failing connections being retried, and
- * might prevent users from connecting to the network at all. */
-#define MIN_CIRCUIT_BUILD_TIMEOUT 3
-
 /** Lowest allowable value for MaxCircuitDirtiness; if this is too low, Tor
  * will generate too many circuits and potentially overload the network. */
 #define MIN_MAX_CIRCUIT_DIRTINESS 10
@@ -3370,12 +3365,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
     options->RendPostPeriod = MAX_DIR_PERIOD;
   }
 
-  if (options->CircuitBuildTimeout < MIN_CIRCUIT_BUILD_TIMEOUT) {
-    log(LOG_WARN, LD_CONFIG, "CircuitBuildTimeout option is too short; "
-      "raising to %d seconds.", MIN_CIRCUIT_BUILD_TIMEOUT);
-    options->CircuitBuildTimeout = MIN_CIRCUIT_BUILD_TIMEOUT;
-  }
-
   if (options->MaxCircuitDirtiness < MIN_MAX_CIRCUIT_DIRTINESS) {
     log(LOG_WARN, LD_CONFIG, "MaxCircuitDirtiness option is too short; "
       "raising to %d seconds.", MIN_MAX_CIRCUIT_DIRTINESS);

src/or/or.h

@@ -2887,6 +2887,9 @@ typedef uint32_t build_time_t;
 /** Have we received a cell in the last 90 seconds? */
 #define NETWORK_LIVE_INTERVAL 90
 
+/** Lowest allowable value for CircuitBuildTimeout */
+#define BUILD_TIMEOUT_MIN_VALUE 3
+
 /** Initial circuit build timeout */
 #define BUILD_TIMEOUT_INITIAL_VALUE 60