mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
token_bucket_ctr: replace 32-bit wallclock time with monotime
This started as a response to ticket #40792 where Coverity is complaining about a potential year 2038 bug where we cast time_t from approx_time() to uint32_t for use in token_bucket_ctr. There was a larger can of worms though, since token_bucket really doesn't want to be using wallclock time here. I audited the call sites for approx_time() and changed any that used a 32-bit cast or made inappropriate use of wallclock time. Things like certificate lifetime, consensus intervals, etc. need wallclock time. Measurements of rates over time, however, are better served with a monotonic timer that does not try and sync with wallclock ever. Looking closer at token_bucket, its design is a bit odd because it was initially intended for use with tick units but later forked into token_bucket_rw which uses ticks to count bytes per second, and token_bucket_ctr which uses seconds to count slower events. The rates represented by either token bucket can't be lower than 1 per second, so the slower timer in 'ctr' is necessary to represent the slower rates of things like connections or introduction packets or rendezvous attempts. I considered modifying token_bucket to use 64-bit timestamps overall instead of 32-bit, but that seemed like an unnecessarily invasive change that would grant some peace of mind but probably not help much. I was more interested in removing the dependency on wallclock time. The token_bucket_rw timer already uses monotonic time. This patch converts token_bucket_ctr to use monotonic time as well. It introduces a new monotime_coarse_absolute_sec(), which is currently the same as nsec divided by a billion but could be optimized easily if we ever need to. This patch also might fix a rollover bug.. I haven't tested this extensively but I don't think the previous version of the rollover code on either token bucket was correct, and I would expect it to get stuck after the first rollover. Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
This commit is contained in:
parent
a3ff3155c2
commit
23f4a28f97
@ -21,6 +21,7 @@
|
|||||||
#include "feature/relay/routermode.h"
|
#include "feature/relay/routermode.h"
|
||||||
#include "feature/stats/geoip_stats.h"
|
#include "feature/stats/geoip_stats.h"
|
||||||
#include "lib/crypt_ops/crypto_rand.h"
|
#include "lib/crypt_ops/crypto_rand.h"
|
||||||
|
#include "lib/time/compat_time.h"
|
||||||
|
|
||||||
#include "core/or/dos.h"
|
#include "core/or/dos.h"
|
||||||
#include "core/or/dos_sys.h"
|
#include "core/or/dos_sys.h"
|
||||||
@ -528,7 +529,8 @@ conn_update_on_connect(conn_client_stats_t *stats, const tor_addr_t *addr)
|
|||||||
stats->concurrent_count++;
|
stats->concurrent_count++;
|
||||||
|
|
||||||
/* Refill connect connection count. */
|
/* Refill connect connection count. */
|
||||||
token_bucket_ctr_refill(&stats->connect_count, (uint32_t) approx_time());
|
token_bucket_ctr_refill(&stats->connect_count,
|
||||||
|
(uint32_t) monotime_coarse_absolute_sec());
|
||||||
|
|
||||||
/* Decrement counter for this new connection. */
|
/* Decrement counter for this new connection. */
|
||||||
if (token_bucket_ctr_get(&stats->connect_count) > 0) {
|
if (token_bucket_ctr_get(&stats->connect_count) > 0) {
|
||||||
@ -808,7 +810,7 @@ dos_geoip_entry_init(clientmap_entry_t *geoip_ent)
|
|||||||
* can be enabled at runtime and these counters need to be valid. */
|
* can be enabled at runtime and these counters need to be valid. */
|
||||||
token_bucket_ctr_init(&geoip_ent->dos_stats.conn_stats.connect_count,
|
token_bucket_ctr_init(&geoip_ent->dos_stats.conn_stats.connect_count,
|
||||||
dos_conn_connect_rate, dos_conn_connect_burst,
|
dos_conn_connect_rate, dos_conn_connect_burst,
|
||||||
(uint32_t) approx_time());
|
(uint32_t) monotime_coarse_absolute_sec());
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Note that the given channel has sent outbound the maximum amount of cell
|
/** Note that the given channel has sent outbound the maximum amount of cell
|
||||||
|
@ -35,6 +35,7 @@
|
|||||||
#include "lib/crypt_ops/crypto_dh.h"
|
#include "lib/crypt_ops/crypto_dh.h"
|
||||||
#include "lib/crypt_ops/crypto_rand.h"
|
#include "lib/crypt_ops/crypto_rand.h"
|
||||||
#include "lib/crypt_ops/crypto_util.h"
|
#include "lib/crypt_ops/crypto_util.h"
|
||||||
|
#include "lib/time/compat_time.h"
|
||||||
|
|
||||||
/* Trunnel. */
|
/* Trunnel. */
|
||||||
#include "trunnel/ed25519_cert.h"
|
#include "trunnel/ed25519_cert.h"
|
||||||
@ -794,7 +795,7 @@ handle_rend_pqueue_cb(mainloop_event_t *ev, void *arg)
|
|||||||
|
|
||||||
if (pow_state->using_pqueue_bucket) {
|
if (pow_state->using_pqueue_bucket) {
|
||||||
token_bucket_ctr_refill(&pow_state->pqueue_bucket,
|
token_bucket_ctr_refill(&pow_state->pqueue_bucket,
|
||||||
(uint32_t) approx_time());
|
(uint32_t) monotime_coarse_absolute_sec());
|
||||||
|
|
||||||
if (token_bucket_ctr_get(&pow_state->pqueue_bucket) > 0) {
|
if (token_bucket_ctr_get(&pow_state->pqueue_bucket) > 0) {
|
||||||
token_bucket_ctr_dec(&pow_state->pqueue_bucket, 1);
|
token_bucket_ctr_dec(&pow_state->pqueue_bucket, 1);
|
||||||
|
@ -28,6 +28,7 @@
|
|||||||
#include "feature/relay/routermode.h"
|
#include "feature/relay/routermode.h"
|
||||||
|
|
||||||
#include "lib/evloop/token_bucket.h"
|
#include "lib/evloop/token_bucket.h"
|
||||||
|
#include "lib/time/compat_time.h"
|
||||||
|
|
||||||
#include "feature/hs/hs_dos.h"
|
#include "feature/hs/hs_dos.h"
|
||||||
|
|
||||||
@ -143,7 +144,7 @@ hs_dos_setup_default_intro2_defenses(or_circuit_t *circ)
|
|||||||
token_bucket_ctr_init(&circ->introduce2_bucket,
|
token_bucket_ctr_init(&circ->introduce2_bucket,
|
||||||
consensus_param_introduce_rate_per_sec,
|
consensus_param_introduce_rate_per_sec,
|
||||||
consensus_param_introduce_burst_per_sec,
|
consensus_param_introduce_burst_per_sec,
|
||||||
(uint32_t) approx_time());
|
(uint32_t) monotime_coarse_absolute_sec());
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Called when the consensus has changed. We might have new consensus
|
/** Called when the consensus has changed. We might have new consensus
|
||||||
@ -188,7 +189,7 @@ hs_dos_can_send_intro2(or_circuit_t *s_intro_circ)
|
|||||||
|
|
||||||
/* Refill INTRODUCE2 bucket. */
|
/* Refill INTRODUCE2 bucket. */
|
||||||
token_bucket_ctr_refill(&s_intro_circ->introduce2_bucket,
|
token_bucket_ctr_refill(&s_intro_circ->introduce2_bucket,
|
||||||
(uint32_t) approx_time());
|
(uint32_t) monotime_coarse_absolute_sec());
|
||||||
|
|
||||||
/* Decrement the bucket for this valid INTRODUCE1 cell we just got. Don't
|
/* Decrement the bucket for this valid INTRODUCE1 cell we just got. Don't
|
||||||
* underflow else we end up with a too big of a bucket. */
|
* underflow else we end up with a too big of a bucket. */
|
||||||
|
@ -17,6 +17,7 @@
|
|||||||
#include "feature/rend/rendmid.h"
|
#include "feature/rend/rendmid.h"
|
||||||
#include "feature/stats/rephist.h"
|
#include "feature/stats/rephist.h"
|
||||||
#include "lib/crypt_ops/crypto_format.h"
|
#include "lib/crypt_ops/crypto_format.h"
|
||||||
|
#include "lib/time/compat_time.h"
|
||||||
|
|
||||||
/* Trunnel */
|
/* Trunnel */
|
||||||
#include "trunnel/ed25519_cert.h"
|
#include "trunnel/ed25519_cert.h"
|
||||||
@ -316,7 +317,7 @@ handle_establish_intro_cell_dos_extension(
|
|||||||
token_bucket_ctr_init(&circ->introduce2_bucket,
|
token_bucket_ctr_init(&circ->introduce2_bucket,
|
||||||
(uint32_t) intro2_rate_per_sec,
|
(uint32_t) intro2_rate_per_sec,
|
||||||
(uint32_t) intro2_burst_per_sec,
|
(uint32_t) intro2_burst_per_sec,
|
||||||
(uint32_t) approx_time());
|
(uint32_t) monotime_coarse_absolute_sec());
|
||||||
log_info(LD_REND, "Intro point DoS defenses enabled. Rate is %" PRIu64
|
log_info(LD_REND, "Intro point DoS defenses enabled. Rate is %" PRIu64
|
||||||
" and Burst is %" PRIu64,
|
" and Burst is %" PRIu64,
|
||||||
intro2_rate_per_sec, intro2_burst_per_sec);
|
intro2_rate_per_sec, intro2_burst_per_sec);
|
||||||
|
@ -34,6 +34,7 @@
|
|||||||
#include "lib/crypt_ops/crypto_rand.h"
|
#include "lib/crypt_ops/crypto_rand.h"
|
||||||
#include "lib/crypt_ops/crypto_util.h"
|
#include "lib/crypt_ops/crypto_util.h"
|
||||||
#include "lib/time/tvdiff.h"
|
#include "lib/time/tvdiff.h"
|
||||||
|
#include "lib/time/compat_time.h"
|
||||||
|
|
||||||
#include "feature/hs/hs_circuit.h"
|
#include "feature/hs/hs_circuit.h"
|
||||||
#include "feature/hs/hs_common.h"
|
#include "feature/hs/hs_common.h"
|
||||||
@ -290,7 +291,7 @@ initialize_pow_defenses(hs_service_t *service)
|
|||||||
token_bucket_ctr_init(&pow_state->pqueue_bucket,
|
token_bucket_ctr_init(&pow_state->pqueue_bucket,
|
||||||
service->config.pow_queue_rate,
|
service->config.pow_queue_rate,
|
||||||
service->config.pow_queue_burst,
|
service->config.pow_queue_burst,
|
||||||
(uint32_t) approx_time());
|
(uint32_t) monotime_coarse_absolute_sec());
|
||||||
|
|
||||||
pow_state->pqueue_low_level = MAX(8, service->config.pow_queue_rate / 4);
|
pow_state->pqueue_low_level = MAX(8, service->config.pow_queue_rate / 4);
|
||||||
pow_state->pqueue_high_level =
|
pow_state->pqueue_high_level =
|
||||||
|
@ -111,7 +111,9 @@ token_bucket_raw_dec(token_bucket_raw_t *bucket,
|
|||||||
return becomes_empty;
|
return becomes_empty;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Convert a rate in bytes per second to a rate in bytes per step */
|
/** Convert a rate in bytes per second to a rate in bytes per step.
|
||||||
|
* This is used for the 'rw' style (tick based) token buckets but not for
|
||||||
|
* the 'ctr' style buckets which count seconds. */
|
||||||
STATIC uint32_t
|
STATIC uint32_t
|
||||||
rate_per_sec_to_rate_per_step(uint32_t rate)
|
rate_per_sec_to_rate_per_step(uint32_t rate)
|
||||||
{
|
{
|
||||||
@ -130,18 +132,18 @@ rate_per_sec_to_rate_per_step(uint32_t rate)
|
|||||||
/**
|
/**
|
||||||
* Initialize a token bucket in *<b>bucket</b>, set up to allow <b>rate</b>
|
* Initialize a token bucket in *<b>bucket</b>, set up to allow <b>rate</b>
|
||||||
* bytes per second, with a maximum burst of <b>burst</b> bytes. The bucket
|
* bytes per second, with a maximum burst of <b>burst</b> bytes. The bucket
|
||||||
* is created such that <b>now_ts</b> is the current timestamp. The bucket
|
* is created such that <b>now_ts_stamp</b> is the current time in coarse stamp
|
||||||
* starts out full.
|
* units. The bucket starts out full.
|
||||||
*/
|
*/
|
||||||
void
|
void
|
||||||
token_bucket_rw_init(token_bucket_rw_t *bucket,
|
token_bucket_rw_init(token_bucket_rw_t *bucket,
|
||||||
uint32_t rate,
|
uint32_t rate,
|
||||||
uint32_t burst,
|
uint32_t burst,
|
||||||
uint32_t now_ts)
|
uint32_t now_ts_stamp)
|
||||||
{
|
{
|
||||||
memset(bucket, 0, sizeof(token_bucket_rw_t));
|
memset(bucket, 0, sizeof(token_bucket_rw_t));
|
||||||
token_bucket_rw_adjust(bucket, rate, burst);
|
token_bucket_rw_adjust(bucket, rate, burst);
|
||||||
token_bucket_rw_reset(bucket, now_ts);
|
token_bucket_rw_reset(bucket, now_ts_stamp);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -161,56 +163,54 @@ token_bucket_rw_adjust(token_bucket_rw_t *bucket,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Reset <b>bucket</b> to be full, as of timestamp <b>now_ts</b>.
|
* Reset <b>bucket</b> to be full, as of timestamp <b>now_ts_stamp</b>.
|
||||||
*/
|
*/
|
||||||
void
|
void
|
||||||
token_bucket_rw_reset(token_bucket_rw_t *bucket,
|
token_bucket_rw_reset(token_bucket_rw_t *bucket,
|
||||||
uint32_t now_ts)
|
uint32_t now_ts_stamp)
|
||||||
{
|
{
|
||||||
token_bucket_raw_reset(&bucket->read_bucket, &bucket->cfg);
|
token_bucket_raw_reset(&bucket->read_bucket, &bucket->cfg);
|
||||||
token_bucket_raw_reset(&bucket->write_bucket, &bucket->cfg);
|
token_bucket_raw_reset(&bucket->write_bucket, &bucket->cfg);
|
||||||
bucket->last_refilled_at_timestamp = now_ts;
|
bucket->last_refilled_at_timestamp = now_ts_stamp;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Refill <b>bucket</b> as appropriate, given that the current timestamp
|
* Refill <b>bucket</b> as appropriate, given that the current timestamp
|
||||||
* is <b>now_ts</b>.
|
* is <b>now_ts_stamp</b> in coarse timestamp units.
|
||||||
*
|
*
|
||||||
* Return a bitmask containing TB_READ iff read bucket was empty and became
|
* Return a bitmask containing TB_READ iff read bucket was empty and became
|
||||||
* nonempty, and TB_WRITE iff the write bucket was empty and became nonempty.
|
* nonempty, and TB_WRITE iff the write bucket was empty and became nonempty.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
token_bucket_rw_refill(token_bucket_rw_t *bucket,
|
token_bucket_rw_refill(token_bucket_rw_t *bucket,
|
||||||
uint32_t now_ts)
|
uint32_t now_ts_stamp)
|
||||||
{
|
{
|
||||||
const uint32_t elapsed_ticks =
|
const uint32_t elapsed_ticks =
|
||||||
(now_ts - bucket->last_refilled_at_timestamp);
|
(now_ts_stamp - bucket->last_refilled_at_timestamp);
|
||||||
if (elapsed_ticks > UINT32_MAX-(300*1000)) {
|
|
||||||
/* Either about 48 days have passed since the last refill, or the
|
|
||||||
* monotonic clock has somehow moved backwards. (We're looking at you,
|
|
||||||
* Windows.). We accept up to a 5 minute jump backwards as
|
|
||||||
* "unremarkable".
|
|
||||||
*/
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
const uint32_t elapsed_steps = elapsed_ticks / TICKS_PER_STEP;
|
|
||||||
|
|
||||||
if (!elapsed_steps) {
|
|
||||||
/* Note that if less than one whole step elapsed, we don't advance the
|
|
||||||
* time in last_refilled_at. That's intentional: we want to make sure
|
|
||||||
* that we add some bytes to it eventually. */
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int flags = 0;
|
int flags = 0;
|
||||||
if (token_bucket_raw_refill_steps(&bucket->read_bucket,
|
|
||||||
&bucket->cfg, elapsed_steps))
|
|
||||||
flags |= TB_READ;
|
|
||||||
if (token_bucket_raw_refill_steps(&bucket->write_bucket,
|
|
||||||
&bucket->cfg, elapsed_steps))
|
|
||||||
flags |= TB_WRITE;
|
|
||||||
|
|
||||||
bucket->last_refilled_at_timestamp = now_ts;
|
/* Skip over updates that include an overflow or a very large jump.
|
||||||
|
* This can happen for platform specific reasons, such as the old ~48
|
||||||
|
* day windows timer. */
|
||||||
|
if (elapsed_ticks <= UINT32_MAX/4) {
|
||||||
|
const uint32_t elapsed_steps = elapsed_ticks / TICKS_PER_STEP;
|
||||||
|
|
||||||
|
if (!elapsed_steps) {
|
||||||
|
/* Note that if less than one whole step elapsed, we don't advance the
|
||||||
|
* time in last_refilled_at. That's intentional: we want to make sure
|
||||||
|
* that we add some bytes to it eventually. */
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (token_bucket_raw_refill_steps(&bucket->read_bucket,
|
||||||
|
&bucket->cfg, elapsed_steps))
|
||||||
|
flags |= TB_READ;
|
||||||
|
if (token_bucket_raw_refill_steps(&bucket->write_bucket,
|
||||||
|
&bucket->cfg, elapsed_steps))
|
||||||
|
flags |= TB_WRITE;
|
||||||
|
}
|
||||||
|
|
||||||
|
bucket->last_refilled_at_timestamp = now_ts_stamp;
|
||||||
return flags;
|
return flags;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -259,15 +259,17 @@ token_bucket_rw_dec(token_bucket_rw_t *bucket,
|
|||||||
|
|
||||||
/** Initialize a token bucket in <b>bucket</b>, set up to allow <b>rate</b>
|
/** Initialize a token bucket in <b>bucket</b>, set up to allow <b>rate</b>
|
||||||
* per second, with a maximum burst of <b>burst</b>. The bucket is created
|
* per second, with a maximum burst of <b>burst</b>. The bucket is created
|
||||||
* such that <b>now_ts</b> is the current timestamp. The bucket starts out
|
* such that <b>now_ts_sec</b> is the current timestamp. The bucket starts
|
||||||
* full. */
|
* out full. Note that these counters use seconds instead of approximate
|
||||||
|
* milliseconds, in order to allow a lower minimum rate than the rw counters.
|
||||||
|
*/
|
||||||
void
|
void
|
||||||
token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate,
|
token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate,
|
||||||
uint32_t burst, uint32_t now_ts)
|
uint32_t burst, uint32_t now_ts_sec)
|
||||||
{
|
{
|
||||||
memset(bucket, 0, sizeof(token_bucket_ctr_t));
|
memset(bucket, 0, sizeof(token_bucket_ctr_t));
|
||||||
token_bucket_ctr_adjust(bucket, rate, burst);
|
token_bucket_ctr_adjust(bucket, rate, burst);
|
||||||
token_bucket_ctr_reset(bucket, now_ts);
|
token_bucket_ctr_reset(bucket, now_ts_sec);
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Change the configured rate and burst of the given token bucket object in
|
/** Change the configured rate and burst of the given token bucket object in
|
||||||
@ -280,31 +282,28 @@ token_bucket_ctr_adjust(token_bucket_ctr_t *bucket, uint32_t rate,
|
|||||||
token_bucket_raw_adjust(&bucket->counter, &bucket->cfg);
|
token_bucket_raw_adjust(&bucket->counter, &bucket->cfg);
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Reset <b>bucket</b> to be full, as of timestamp <b>now_ts</b>. */
|
/** Reset <b>bucket</b> to be full, as of timestamp <b>now_ts_sec</b>. */
|
||||||
void
|
void
|
||||||
token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts)
|
token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts_sec)
|
||||||
{
|
{
|
||||||
token_bucket_raw_reset(&bucket->counter, &bucket->cfg);
|
token_bucket_raw_reset(&bucket->counter, &bucket->cfg);
|
||||||
bucket->last_refilled_at_timestamp = now_ts;
|
bucket->last_refilled_at_timestamp = now_ts_sec;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Refill <b>bucket</b> as appropriate, given that the current timestamp is
|
/** Refill <b>bucket</b> as appropriate, given that the current timestamp is
|
||||||
* <b>now_ts</b>. */
|
* <b>now_ts_sec</b> in seconds. */
|
||||||
void
|
void
|
||||||
token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts)
|
token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts_sec)
|
||||||
{
|
{
|
||||||
const uint32_t elapsed_ticks =
|
const uint32_t elapsed_sec =
|
||||||
(now_ts - bucket->last_refilled_at_timestamp);
|
(now_ts_sec - bucket->last_refilled_at_timestamp);
|
||||||
if (elapsed_ticks > UINT32_MAX-(300*1000)) {
|
|
||||||
/* Either about 48 days have passed since the last refill, or the
|
|
||||||
* monotonic clock has somehow moved backwards. (We're looking at you,
|
|
||||||
* Windows.). We accept up to a 5 minute jump backwards as
|
|
||||||
* "unremarkable".
|
|
||||||
*/
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
token_bucket_raw_refill_steps(&bucket->counter, &bucket->cfg,
|
/* Are we detecting a rollover or a similar extremely large jump? This
|
||||||
elapsed_ticks);
|
* shouldn't generally happen, but if it does for whatever (possibly
|
||||||
bucket->last_refilled_at_timestamp = now_ts;
|
* platform-specific) reason, ignore it. */
|
||||||
|
if (elapsed_sec <= UINT32_MAX/4) {
|
||||||
|
token_bucket_raw_refill_steps(&bucket->counter, &bucket->cfg,
|
||||||
|
elapsed_sec);
|
||||||
|
}
|
||||||
|
bucket->last_refilled_at_timestamp = now_ts_sec;
|
||||||
}
|
}
|
||||||
|
@ -66,19 +66,19 @@ typedef struct token_bucket_rw_t {
|
|||||||
void token_bucket_rw_init(token_bucket_rw_t *bucket,
|
void token_bucket_rw_init(token_bucket_rw_t *bucket,
|
||||||
uint32_t rate,
|
uint32_t rate,
|
||||||
uint32_t burst,
|
uint32_t burst,
|
||||||
uint32_t now_ts);
|
uint32_t now_ts_stamp);
|
||||||
|
|
||||||
void token_bucket_rw_adjust(token_bucket_rw_t *bucket,
|
void token_bucket_rw_adjust(token_bucket_rw_t *bucket,
|
||||||
uint32_t rate, uint32_t burst);
|
uint32_t rate, uint32_t burst);
|
||||||
|
|
||||||
void token_bucket_rw_reset(token_bucket_rw_t *bucket,
|
void token_bucket_rw_reset(token_bucket_rw_t *bucket,
|
||||||
uint32_t now_ts);
|
uint32_t now_ts_stamp);
|
||||||
|
|
||||||
#define TB_READ 1
|
#define TB_READ 1
|
||||||
#define TB_WRITE 2
|
#define TB_WRITE 2
|
||||||
|
|
||||||
int token_bucket_rw_refill(token_bucket_rw_t *bucket,
|
int token_bucket_rw_refill(token_bucket_rw_t *bucket,
|
||||||
uint32_t now_ts);
|
uint32_t now_ts_stamp);
|
||||||
|
|
||||||
int token_bucket_rw_dec_read(token_bucket_rw_t *bucket,
|
int token_bucket_rw_dec_read(token_bucket_rw_t *bucket,
|
||||||
ssize_t n);
|
ssize_t n);
|
||||||
@ -114,11 +114,11 @@ typedef struct token_bucket_ctr_t {
|
|||||||
} token_bucket_ctr_t;
|
} token_bucket_ctr_t;
|
||||||
|
|
||||||
void token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate,
|
void token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate,
|
||||||
uint32_t burst, uint32_t now_ts);
|
uint32_t burst, uint32_t now_ts_sec);
|
||||||
void token_bucket_ctr_adjust(token_bucket_ctr_t *bucket, uint32_t rate,
|
void token_bucket_ctr_adjust(token_bucket_ctr_t *bucket, uint32_t rate,
|
||||||
uint32_t burst);
|
uint32_t burst);
|
||||||
void token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts);
|
void token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts_sec);
|
||||||
void token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts);
|
void token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts_sec);
|
||||||
|
|
||||||
static inline bool
|
static inline bool
|
||||||
token_bucket_ctr_dec(token_bucket_ctr_t *bucket, ssize_t n)
|
token_bucket_ctr_dec(token_bucket_ctr_t *bucket, ssize_t n)
|
||||||
|
@ -812,6 +812,12 @@ monotime_absolute_msec(void)
|
|||||||
return monotime_absolute_nsec() / ONE_MILLION;
|
return monotime_absolute_nsec() / ONE_MILLION;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
uint64_t
|
||||||
|
monotime_absolute_sec(void)
|
||||||
|
{
|
||||||
|
return monotime_absolute_nsec() / ONE_BILLION;
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef MONOTIME_COARSE_FN_IS_DIFFERENT
|
#ifdef MONOTIME_COARSE_FN_IS_DIFFERENT
|
||||||
uint64_t
|
uint64_t
|
||||||
monotime_coarse_absolute_nsec(void)
|
monotime_coarse_absolute_nsec(void)
|
||||||
@ -836,6 +842,17 @@ monotime_coarse_absolute_msec(void)
|
|||||||
{
|
{
|
||||||
return monotime_coarse_absolute_nsec() / ONE_MILLION;
|
return monotime_coarse_absolute_nsec() / ONE_MILLION;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
uint64_t
|
||||||
|
monotime_coarse_absolute_sec(void)
|
||||||
|
{
|
||||||
|
/* Note: Right now I'm not too concerned about 64-bit division, but if this
|
||||||
|
* ever becomes a hotspot we need to optimize, we can modify this to grab
|
||||||
|
* tv_sec directly from CLOCK_MONOTONIC_COARSE on linux at least. Right now
|
||||||
|
* I'm choosing to make this simpler and easier to test, but this
|
||||||
|
* optimization is available easily if we need it. */
|
||||||
|
return monotime_coarse_absolute_nsec() / ONE_BILLION;
|
||||||
|
}
|
||||||
#else /* !defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
|
#else /* !defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
|
||||||
#define initialized_at_coarse initialized_at
|
#define initialized_at_coarse initialized_at
|
||||||
#endif /* defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
|
#endif /* defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
|
||||||
|
@ -89,6 +89,13 @@
|
|||||||
* A: In general, regular monotime uses something that requires a system call.
|
* A: In general, regular monotime uses something that requires a system call.
|
||||||
* On platforms where system calls are cheap, you win! Otherwise, you lose.
|
* On platforms where system calls are cheap, you win! Otherwise, you lose.
|
||||||
*
|
*
|
||||||
|
* XXX: This hasn't been true for a long time. Expect both coarse and fine
|
||||||
|
* monotime won't require a syscall, but they will have different
|
||||||
|
* costs in terms of low-level synchronization inside the vDSO and
|
||||||
|
* the hardware. The basic guidelines here still apply, but we aren't
|
||||||
|
* really worrying about system calls any more, and the integer div
|
||||||
|
* concerns are becoming nearly unimportant as well.
|
||||||
|
*
|
||||||
* On Windows, monotonic time uses QuereyPerformanceCounter. Storing
|
* On Windows, monotonic time uses QuereyPerformanceCounter. Storing
|
||||||
* monotime_t costs 8 bytes.
|
* monotime_t costs 8 bytes.
|
||||||
*
|
*
|
||||||
@ -232,7 +239,12 @@ MOCK_DECL(uint64_t, monotime_absolute_usec,(void));
|
|||||||
* Fractional units are truncated, not rounded.
|
* Fractional units are truncated, not rounded.
|
||||||
*/
|
*/
|
||||||
uint64_t monotime_absolute_msec(void);
|
uint64_t monotime_absolute_msec(void);
|
||||||
|
/**
|
||||||
|
* Return the number of seconds since the timer system was initialized.
|
||||||
|
* The returned value may be equal to zero.
|
||||||
|
* Fractional units are truncated, not rounded.
|
||||||
|
*/
|
||||||
|
uint64_t monotime_absolute_sec(void);
|
||||||
/**
|
/**
|
||||||
* Set <b>out</b> to zero.
|
* Set <b>out</b> to zero.
|
||||||
*/
|
*/
|
||||||
@ -259,11 +271,13 @@ void monotime_coarse_get(monotime_coarse_t *out);
|
|||||||
uint64_t monotime_coarse_absolute_nsec(void);
|
uint64_t monotime_coarse_absolute_nsec(void);
|
||||||
uint64_t monotime_coarse_absolute_usec(void);
|
uint64_t monotime_coarse_absolute_usec(void);
|
||||||
uint64_t monotime_coarse_absolute_msec(void);
|
uint64_t monotime_coarse_absolute_msec(void);
|
||||||
|
uint64_t monotime_coarse_absolute_sec(void);
|
||||||
#else /* !defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
|
#else /* !defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
|
||||||
#define monotime_coarse_get monotime_get
|
#define monotime_coarse_get monotime_get
|
||||||
#define monotime_coarse_absolute_nsec monotime_absolute_nsec
|
#define monotime_coarse_absolute_nsec monotime_absolute_nsec
|
||||||
#define monotime_coarse_absolute_usec monotime_absolute_usec
|
#define monotime_coarse_absolute_usec monotime_absolute_usec
|
||||||
#define monotime_coarse_absolute_msec monotime_absolute_msec
|
#define monotime_coarse_absolute_msec monotime_absolute_msec
|
||||||
|
#define monotime_coarse_absolute_sec monotime_absolute_sec
|
||||||
#endif /* defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
|
#endif /* defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -243,10 +243,30 @@ test_bwmgt_token_buf_refill(void *arg)
|
|||||||
tt_int_op(b.read_bucket.bucket, OP_GT, 8*KB-400);
|
tt_int_op(b.read_bucket.bucket, OP_GT, 8*KB-400);
|
||||||
tt_int_op(b.read_bucket.bucket, OP_LT, 8*KB+400);
|
tt_int_op(b.read_bucket.bucket, OP_LT, 8*KB+400);
|
||||||
|
|
||||||
// A ridiculous amount of time passes.
|
/* A large amount of time passes, but less than the threshold at which
|
||||||
tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, INT32_MAX));
|
* we start detecting an assumed rollover event. This might be about 20
|
||||||
|
* days on a system with stamp units equal to 1ms. */
|
||||||
|
uint32_t ts_stamp = START_TS + UINT32_MAX / 5;
|
||||||
|
tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, ts_stamp));
|
||||||
tt_int_op(b.read_bucket.bucket, OP_EQ, b.cfg.burst);
|
tt_int_op(b.read_bucket.bucket, OP_EQ, b.cfg.burst);
|
||||||
|
|
||||||
|
/* Fully empty the bucket and make sure it's filling once again */
|
||||||
|
token_bucket_rw_dec_read(&b, b.cfg.burst);
|
||||||
|
tt_int_op(b.read_bucket.bucket, OP_EQ, 0);
|
||||||
|
tt_int_op(1, OP_EQ, token_bucket_rw_refill(&b, ts_stamp += BW_SEC));
|
||||||
|
tt_int_op(b.read_bucket.bucket, OP_GT, 16*KB - 300);
|
||||||
|
tt_int_op(b.read_bucket.bucket, OP_LT, 16*KB + 300);
|
||||||
|
|
||||||
|
/* An even larger amount of time passes, which we take to be a 32-bit
|
||||||
|
* rollover event. The individual update is ignored, but the timestamp
|
||||||
|
* is still updated and the very next update should be accounted properly. */
|
||||||
|
tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, ts_stamp += UINT32_MAX/2));
|
||||||
|
tt_int_op(b.read_bucket.bucket, OP_GT, 16*KB - 600);
|
||||||
|
tt_int_op(b.read_bucket.bucket, OP_LT, 16*KB + 600);
|
||||||
|
tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, ts_stamp += BW_SEC));
|
||||||
|
tt_int_op(b.read_bucket.bucket, OP_GT, 32*KB - 600);
|
||||||
|
tt_int_op(b.read_bucket.bucket, OP_LT, 32*KB + 600);
|
||||||
|
|
||||||
done:
|
done:
|
||||||
;
|
;
|
||||||
}
|
}
|
||||||
|
@ -9,6 +9,7 @@
|
|||||||
#include "core/or/dos.h"
|
#include "core/or/dos.h"
|
||||||
#include "core/or/circuitlist.h"
|
#include "core/or/circuitlist.h"
|
||||||
#include "lib/crypt_ops/crypto_rand.h"
|
#include "lib/crypt_ops/crypto_rand.h"
|
||||||
|
#include "lib/time/compat_time.h"
|
||||||
#include "feature/stats/geoip_stats.h"
|
#include "feature/stats/geoip_stats.h"
|
||||||
#include "core/or/channel.h"
|
#include "core/or/channel.h"
|
||||||
#include "feature/nodelist/microdesc.h"
|
#include "feature/nodelist/microdesc.h"
|
||||||
@ -23,6 +24,8 @@
|
|||||||
#include "test/test.h"
|
#include "test/test.h"
|
||||||
#include "test/log_test_helpers.h"
|
#include "test/log_test_helpers.h"
|
||||||
|
|
||||||
|
static const uint64_t BILLION = 1000000000;
|
||||||
|
|
||||||
static networkstatus_t *dummy_ns = NULL;
|
static networkstatus_t *dummy_ns = NULL;
|
||||||
static networkstatus_t *
|
static networkstatus_t *
|
||||||
mock_networkstatus_get_latest_consensus(void)
|
mock_networkstatus_get_latest_consensus(void)
|
||||||
@ -58,14 +61,18 @@ mock_enable_dos_protection(const networkstatus_t *ns)
|
|||||||
static void
|
static void
|
||||||
test_dos_conn_creation(void *arg)
|
test_dos_conn_creation(void *arg)
|
||||||
{
|
{
|
||||||
|
uint64_t monotime_now = 0xfffffffe;
|
||||||
|
|
||||||
(void) arg;
|
(void) arg;
|
||||||
|
|
||||||
|
monotime_enable_test_mocking();
|
||||||
|
monotime_coarse_set_mock_time_nsec(monotime_now);
|
||||||
MOCK(get_param_cc_enabled, mock_enable_dos_protection);
|
MOCK(get_param_cc_enabled, mock_enable_dos_protection);
|
||||||
MOCK(get_param_conn_enabled, mock_enable_dos_protection);
|
MOCK(get_param_conn_enabled, mock_enable_dos_protection);
|
||||||
|
|
||||||
/* Initialize test data */
|
/* Initialize test data */
|
||||||
or_connection_t or_conn;
|
or_connection_t or_conn;
|
||||||
time_t now = 1281533250; /* 2010-08-11 13:27:30 UTC */
|
time_t wallclock_now = 1281533250; /* 2010-08-11 13:27:30 UTC */
|
||||||
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr,
|
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr,
|
||||||
"18.0.0.1"));
|
"18.0.0.1"));
|
||||||
tor_addr_t *addr = &TO_CONN(&or_conn)->addr;
|
tor_addr_t *addr = &TO_CONN(&or_conn)->addr;
|
||||||
@ -75,13 +82,14 @@ test_dos_conn_creation(void *arg)
|
|||||||
uint32_t max_concurrent_conns = get_param_conn_max_concurrent_count(NULL);
|
uint32_t max_concurrent_conns = get_param_conn_max_concurrent_count(NULL);
|
||||||
|
|
||||||
/* Introduce new client */
|
/* Introduce new client */
|
||||||
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now);
|
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, wallclock_now);
|
||||||
{ /* Register many conns from this client but not enough to get it blocked */
|
{ /* Register many conns from this client but not enough to get it blocked */
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
for (i = 0; i < max_concurrent_conns; i++) {
|
for (i = 0; i < max_concurrent_conns; i++) {
|
||||||
/* Don't trigger the connect() rate limitation so advance the clock 1
|
/* Don't trigger the connect() rate limitation so advance the clock 1
|
||||||
* second for each connection. */
|
* second for each connection. */
|
||||||
update_approx_time(++now);
|
monotime_coarse_set_mock_time_nsec(monotime_now += BILLION);
|
||||||
|
update_approx_time(++wallclock_now);
|
||||||
dos_new_client_conn(&or_conn, NULL);
|
dos_new_client_conn(&or_conn, NULL);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -107,6 +115,7 @@ test_dos_conn_creation(void *arg)
|
|||||||
|
|
||||||
done:
|
done:
|
||||||
dos_free_all();
|
dos_free_all();
|
||||||
|
monotime_disable_test_mocking();
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Helper mock: Place a fake IP addr for this channel in <b>addr_out</b> */
|
/** Helper mock: Place a fake IP addr for this channel in <b>addr_out</b> */
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
#include "test/log_test_helpers.h"
|
#include "test/log_test_helpers.h"
|
||||||
|
|
||||||
#include "app/config/config.h"
|
#include "app/config/config.h"
|
||||||
|
#include "lib/time/compat_time.h"
|
||||||
|
|
||||||
#include "core/or/circuitlist.h"
|
#include "core/or/circuitlist.h"
|
||||||
#include "core/or/circuituse.h"
|
#include "core/or/circuituse.h"
|
||||||
@ -45,7 +46,8 @@ free_mock_consensus(void)
|
|||||||
static void
|
static void
|
||||||
test_can_send_intro2(void *arg)
|
test_can_send_intro2(void *arg)
|
||||||
{
|
{
|
||||||
uint32_t now = (uint32_t) approx_time();
|
static const uint64_t BILLION = 1000000000;
|
||||||
|
uint64_t now = 12345;
|
||||||
or_circuit_t *or_circ = NULL;
|
or_circuit_t *or_circ = NULL;
|
||||||
|
|
||||||
(void) arg;
|
(void) arg;
|
||||||
@ -55,6 +57,8 @@ test_can_send_intro2(void *arg)
|
|||||||
|
|
||||||
get_options_mutable()->ORPort_set = 1;
|
get_options_mutable()->ORPort_set = 1;
|
||||||
setup_mock_consensus();
|
setup_mock_consensus();
|
||||||
|
monotime_enable_test_mocking();
|
||||||
|
monotime_coarse_set_mock_time_nsec(now);
|
||||||
|
|
||||||
or_circ = or_circuit_new(1, NULL);
|
or_circ = or_circuit_new(1, NULL);
|
||||||
|
|
||||||
@ -68,7 +72,7 @@ test_can_send_intro2(void *arg)
|
|||||||
|
|
||||||
/* Simulate that 10 cells have arrived in 1 second. There should be no
|
/* Simulate that 10 cells have arrived in 1 second. There should be no
|
||||||
* refill since the bucket is already at maximum on the first cell. */
|
* refill since the bucket is already at maximum on the first cell. */
|
||||||
update_approx_time(++now);
|
monotime_coarse_set_mock_time_nsec(now += BILLION);
|
||||||
for (int i = 0; i < 10; i++) {
|
for (int i = 0; i < 10; i++) {
|
||||||
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
|
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
|
||||||
}
|
}
|
||||||
@ -76,7 +80,7 @@ test_can_send_intro2(void *arg)
|
|||||||
get_intro2_burst_consensus_param(NULL) - 10);
|
get_intro2_burst_consensus_param(NULL) - 10);
|
||||||
|
|
||||||
/* Fully refill the bucket minus 1 cell. */
|
/* Fully refill the bucket minus 1 cell. */
|
||||||
update_approx_time(++now);
|
monotime_coarse_set_mock_time_nsec(now += BILLION);
|
||||||
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
|
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
|
||||||
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
|
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
|
||||||
get_intro2_burst_consensus_param(NULL) - 1);
|
get_intro2_burst_consensus_param(NULL) - 1);
|
||||||
@ -84,7 +88,7 @@ test_can_send_intro2(void *arg)
|
|||||||
/* Receive an INTRODUCE2 at each second. We should have the bucket full
|
/* Receive an INTRODUCE2 at each second. We should have the bucket full
|
||||||
* since at every second it gets refilled. */
|
* since at every second it gets refilled. */
|
||||||
for (int i = 0; i < 10; i++) {
|
for (int i = 0; i < 10; i++) {
|
||||||
update_approx_time(++now);
|
monotime_coarse_set_mock_time_nsec(now += BILLION);
|
||||||
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
|
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
|
||||||
}
|
}
|
||||||
/* Last check if we can send the cell decrements the bucket so minus 1. */
|
/* Last check if we can send the cell decrements the bucket so minus 1. */
|
||||||
@ -92,7 +96,8 @@ test_can_send_intro2(void *arg)
|
|||||||
get_intro2_burst_consensus_param(NULL) - 1);
|
get_intro2_burst_consensus_param(NULL) - 1);
|
||||||
|
|
||||||
/* Manually reset bucket for next test. */
|
/* Manually reset bucket for next test. */
|
||||||
token_bucket_ctr_reset(&or_circ->introduce2_bucket, now);
|
token_bucket_ctr_reset(&or_circ->introduce2_bucket,
|
||||||
|
(uint32_t) monotime_coarse_absolute_sec());
|
||||||
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
|
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
|
||||||
get_intro2_burst_consensus_param(NULL));
|
get_intro2_burst_consensus_param(NULL));
|
||||||
|
|
||||||
@ -115,7 +120,7 @@ test_can_send_intro2(void *arg)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* One second has passed, we should have the rate minus 1 cell added. */
|
/* One second has passed, we should have the rate minus 1 cell added. */
|
||||||
update_approx_time(++now);
|
monotime_coarse_set_mock_time_nsec(now += BILLION);
|
||||||
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
|
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
|
||||||
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
|
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
|
||||||
get_intro2_rate_consensus_param(NULL) - 1);
|
get_intro2_rate_consensus_param(NULL) - 1);
|
||||||
@ -125,6 +130,7 @@ test_can_send_intro2(void *arg)
|
|||||||
|
|
||||||
hs_free_all();
|
hs_free_all();
|
||||||
free_mock_consensus();
|
free_mock_consensus();
|
||||||
|
monotime_disable_test_mocking();
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
#include "test/test.h"
|
#include "test/test.h"
|
||||||
#include "test/log_test_helpers.h"
|
#include "test/log_test_helpers.h"
|
||||||
#include "lib/crypt_ops/crypto_rand.h"
|
#include "lib/crypt_ops/crypto_rand.h"
|
||||||
|
#include "lib/time/compat_time.h"
|
||||||
|
|
||||||
#include "core/or/or.h"
|
#include "core/or/or.h"
|
||||||
#include "core/or/channel.h"
|
#include "core/or/channel.h"
|
||||||
@ -127,7 +128,7 @@ helper_create_intro_circuit(void)
|
|||||||
tt_assert(circ);
|
tt_assert(circ);
|
||||||
circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_OR);
|
circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_OR);
|
||||||
token_bucket_ctr_init(&circ->introduce2_bucket, 100, 100,
|
token_bucket_ctr_init(&circ->introduce2_bucket, 100, 100,
|
||||||
(uint32_t) approx_time());
|
(uint32_t) monotime_coarse_absolute_sec());
|
||||||
done:
|
done:
|
||||||
return circ;
|
return circ;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user