token_bucket_ctr: replace 32-bit wallclock time with monotime

This started as a response to ticket #40792 where Coverity is
complaining about a potential year 2038 bug where we cast time_t from
approx_time() to uint32_t for use in token_bucket_ctr.

There was a larger can of worms though, since token_bucket really
doesn't want to be using wallclock time here. I audited the call sites
for approx_time() and changed any that used a 32-bit cast or made
inappropriate use of wallclock time. Things like certificate lifetime,
consensus intervals, etc. need wallclock time. Measurements of rates
over time, however, are better served with a monotonic timer that does
not try and sync with wallclock ever.

Looking closer at token_bucket, its design is a bit odd because it was
initially intended for use with tick units but later forked into
token_bucket_rw which uses ticks to count bytes per second, and
token_bucket_ctr which uses seconds to count slower events. The rates
represented by either token bucket can't be lower than 1 per second, so
the slower timer in 'ctr' is necessary to represent the slower rates of
things like connections or introduction packets or rendezvous attempts.

I considered modifying token_bucket to use 64-bit timestamps overall
instead of 32-bit, but that seemed like an unnecessarily invasive change
that would grant some peace of mind but probably not help much. I was
more interested in removing the dependency on wallclock time. The
token_bucket_rw timer already uses monotonic time. This patch converts
token_bucket_ctr to use monotonic time as well. It introduces a new
monotime_coarse_absolute_sec(), which is currently the same as nsec
divided by a billion but could be optimized easily if we ever need to.

This patch also might fix a rollover bug.. I haven't tested this
extensively but I don't think the previous version of the rollover code
on either token bucket was correct, and I would expect it to get stuck
after the first rollover.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
This commit is contained in:
Micah Elizabeth Scott 2023-05-16 16:28:26 -07:00 committed by David Goulet
parent a3ff3155c2
commit 23f4a28f97
13 changed files with 155 additions and 83 deletions

View File

@ -21,6 +21,7 @@
#include "feature/relay/routermode.h" #include "feature/relay/routermode.h"
#include "feature/stats/geoip_stats.h" #include "feature/stats/geoip_stats.h"
#include "lib/crypt_ops/crypto_rand.h" #include "lib/crypt_ops/crypto_rand.h"
#include "lib/time/compat_time.h"
#include "core/or/dos.h" #include "core/or/dos.h"
#include "core/or/dos_sys.h" #include "core/or/dos_sys.h"
@ -528,7 +529,8 @@ conn_update_on_connect(conn_client_stats_t *stats, const tor_addr_t *addr)
stats->concurrent_count++; stats->concurrent_count++;
/* Refill connect connection count. */ /* Refill connect connection count. */
token_bucket_ctr_refill(&stats->connect_count, (uint32_t) approx_time()); token_bucket_ctr_refill(&stats->connect_count,
(uint32_t) monotime_coarse_absolute_sec());
/* Decrement counter for this new connection. */ /* Decrement counter for this new connection. */
if (token_bucket_ctr_get(&stats->connect_count) > 0) { if (token_bucket_ctr_get(&stats->connect_count) > 0) {
@ -808,7 +810,7 @@ dos_geoip_entry_init(clientmap_entry_t *geoip_ent)
* can be enabled at runtime and these counters need to be valid. */ * can be enabled at runtime and these counters need to be valid. */
token_bucket_ctr_init(&geoip_ent->dos_stats.conn_stats.connect_count, token_bucket_ctr_init(&geoip_ent->dos_stats.conn_stats.connect_count,
dos_conn_connect_rate, dos_conn_connect_burst, dos_conn_connect_rate, dos_conn_connect_burst,
(uint32_t) approx_time()); (uint32_t) monotime_coarse_absolute_sec());
} }
/** Note that the given channel has sent outbound the maximum amount of cell /** Note that the given channel has sent outbound the maximum amount of cell

View File

@ -35,6 +35,7 @@
#include "lib/crypt_ops/crypto_dh.h" #include "lib/crypt_ops/crypto_dh.h"
#include "lib/crypt_ops/crypto_rand.h" #include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h" #include "lib/crypt_ops/crypto_util.h"
#include "lib/time/compat_time.h"
/* Trunnel. */ /* Trunnel. */
#include "trunnel/ed25519_cert.h" #include "trunnel/ed25519_cert.h"
@ -794,7 +795,7 @@ handle_rend_pqueue_cb(mainloop_event_t *ev, void *arg)
if (pow_state->using_pqueue_bucket) { if (pow_state->using_pqueue_bucket) {
token_bucket_ctr_refill(&pow_state->pqueue_bucket, token_bucket_ctr_refill(&pow_state->pqueue_bucket,
(uint32_t) approx_time()); (uint32_t) monotime_coarse_absolute_sec());
if (token_bucket_ctr_get(&pow_state->pqueue_bucket) > 0) { if (token_bucket_ctr_get(&pow_state->pqueue_bucket) > 0) {
token_bucket_ctr_dec(&pow_state->pqueue_bucket, 1); token_bucket_ctr_dec(&pow_state->pqueue_bucket, 1);

View File

@ -28,6 +28,7 @@
#include "feature/relay/routermode.h" #include "feature/relay/routermode.h"
#include "lib/evloop/token_bucket.h" #include "lib/evloop/token_bucket.h"
#include "lib/time/compat_time.h"
#include "feature/hs/hs_dos.h" #include "feature/hs/hs_dos.h"
@ -143,7 +144,7 @@ hs_dos_setup_default_intro2_defenses(or_circuit_t *circ)
token_bucket_ctr_init(&circ->introduce2_bucket, token_bucket_ctr_init(&circ->introduce2_bucket,
consensus_param_introduce_rate_per_sec, consensus_param_introduce_rate_per_sec,
consensus_param_introduce_burst_per_sec, consensus_param_introduce_burst_per_sec,
(uint32_t) approx_time()); (uint32_t) monotime_coarse_absolute_sec());
} }
/** Called when the consensus has changed. We might have new consensus /** Called when the consensus has changed. We might have new consensus
@ -188,7 +189,7 @@ hs_dos_can_send_intro2(or_circuit_t *s_intro_circ)
/* Refill INTRODUCE2 bucket. */ /* Refill INTRODUCE2 bucket. */
token_bucket_ctr_refill(&s_intro_circ->introduce2_bucket, token_bucket_ctr_refill(&s_intro_circ->introduce2_bucket,
(uint32_t) approx_time()); (uint32_t) monotime_coarse_absolute_sec());
/* Decrement the bucket for this valid INTRODUCE1 cell we just got. Don't /* Decrement the bucket for this valid INTRODUCE1 cell we just got. Don't
* underflow else we end up with a too big of a bucket. */ * underflow else we end up with a too big of a bucket. */

View File

@ -17,6 +17,7 @@
#include "feature/rend/rendmid.h" #include "feature/rend/rendmid.h"
#include "feature/stats/rephist.h" #include "feature/stats/rephist.h"
#include "lib/crypt_ops/crypto_format.h" #include "lib/crypt_ops/crypto_format.h"
#include "lib/time/compat_time.h"
/* Trunnel */ /* Trunnel */
#include "trunnel/ed25519_cert.h" #include "trunnel/ed25519_cert.h"
@ -316,7 +317,7 @@ handle_establish_intro_cell_dos_extension(
token_bucket_ctr_init(&circ->introduce2_bucket, token_bucket_ctr_init(&circ->introduce2_bucket,
(uint32_t) intro2_rate_per_sec, (uint32_t) intro2_rate_per_sec,
(uint32_t) intro2_burst_per_sec, (uint32_t) intro2_burst_per_sec,
(uint32_t) approx_time()); (uint32_t) monotime_coarse_absolute_sec());
log_info(LD_REND, "Intro point DoS defenses enabled. Rate is %" PRIu64 log_info(LD_REND, "Intro point DoS defenses enabled. Rate is %" PRIu64
" and Burst is %" PRIu64, " and Burst is %" PRIu64,
intro2_rate_per_sec, intro2_burst_per_sec); intro2_rate_per_sec, intro2_burst_per_sec);

View File

@ -34,6 +34,7 @@
#include "lib/crypt_ops/crypto_rand.h" #include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h" #include "lib/crypt_ops/crypto_util.h"
#include "lib/time/tvdiff.h" #include "lib/time/tvdiff.h"
#include "lib/time/compat_time.h"
#include "feature/hs/hs_circuit.h" #include "feature/hs/hs_circuit.h"
#include "feature/hs/hs_common.h" #include "feature/hs/hs_common.h"
@ -290,7 +291,7 @@ initialize_pow_defenses(hs_service_t *service)
token_bucket_ctr_init(&pow_state->pqueue_bucket, token_bucket_ctr_init(&pow_state->pqueue_bucket,
service->config.pow_queue_rate, service->config.pow_queue_rate,
service->config.pow_queue_burst, service->config.pow_queue_burst,
(uint32_t) approx_time()); (uint32_t) monotime_coarse_absolute_sec());
pow_state->pqueue_low_level = MAX(8, service->config.pow_queue_rate / 4); pow_state->pqueue_low_level = MAX(8, service->config.pow_queue_rate / 4);
pow_state->pqueue_high_level = pow_state->pqueue_high_level =

View File

@ -111,7 +111,9 @@ token_bucket_raw_dec(token_bucket_raw_t *bucket,
return becomes_empty; return becomes_empty;
} }
/** Convert a rate in bytes per second to a rate in bytes per step */ /** Convert a rate in bytes per second to a rate in bytes per step.
* This is used for the 'rw' style (tick based) token buckets but not for
* the 'ctr' style buckets which count seconds. */
STATIC uint32_t STATIC uint32_t
rate_per_sec_to_rate_per_step(uint32_t rate) rate_per_sec_to_rate_per_step(uint32_t rate)
{ {
@ -130,18 +132,18 @@ rate_per_sec_to_rate_per_step(uint32_t rate)
/** /**
* Initialize a token bucket in *<b>bucket</b>, set up to allow <b>rate</b> * Initialize a token bucket in *<b>bucket</b>, set up to allow <b>rate</b>
* bytes per second, with a maximum burst of <b>burst</b> bytes. The bucket * bytes per second, with a maximum burst of <b>burst</b> bytes. The bucket
* is created such that <b>now_ts</b> is the current timestamp. The bucket * is created such that <b>now_ts_stamp</b> is the current time in coarse stamp
* starts out full. * units. The bucket starts out full.
*/ */
void void
token_bucket_rw_init(token_bucket_rw_t *bucket, token_bucket_rw_init(token_bucket_rw_t *bucket,
uint32_t rate, uint32_t rate,
uint32_t burst, uint32_t burst,
uint32_t now_ts) uint32_t now_ts_stamp)
{ {
memset(bucket, 0, sizeof(token_bucket_rw_t)); memset(bucket, 0, sizeof(token_bucket_rw_t));
token_bucket_rw_adjust(bucket, rate, burst); token_bucket_rw_adjust(bucket, rate, burst);
token_bucket_rw_reset(bucket, now_ts); token_bucket_rw_reset(bucket, now_ts_stamp);
} }
/** /**
@ -161,56 +163,54 @@ token_bucket_rw_adjust(token_bucket_rw_t *bucket,
} }
/** /**
* Reset <b>bucket</b> to be full, as of timestamp <b>now_ts</b>. * Reset <b>bucket</b> to be full, as of timestamp <b>now_ts_stamp</b>.
*/ */
void void
token_bucket_rw_reset(token_bucket_rw_t *bucket, token_bucket_rw_reset(token_bucket_rw_t *bucket,
uint32_t now_ts) uint32_t now_ts_stamp)
{ {
token_bucket_raw_reset(&bucket->read_bucket, &bucket->cfg); token_bucket_raw_reset(&bucket->read_bucket, &bucket->cfg);
token_bucket_raw_reset(&bucket->write_bucket, &bucket->cfg); token_bucket_raw_reset(&bucket->write_bucket, &bucket->cfg);
bucket->last_refilled_at_timestamp = now_ts; bucket->last_refilled_at_timestamp = now_ts_stamp;
} }
/** /**
* Refill <b>bucket</b> as appropriate, given that the current timestamp * Refill <b>bucket</b> as appropriate, given that the current timestamp
* is <b>now_ts</b>. * is <b>now_ts_stamp</b> in coarse timestamp units.
* *
* Return a bitmask containing TB_READ iff read bucket was empty and became * Return a bitmask containing TB_READ iff read bucket was empty and became
* nonempty, and TB_WRITE iff the write bucket was empty and became nonempty. * nonempty, and TB_WRITE iff the write bucket was empty and became nonempty.
*/ */
int int
token_bucket_rw_refill(token_bucket_rw_t *bucket, token_bucket_rw_refill(token_bucket_rw_t *bucket,
uint32_t now_ts) uint32_t now_ts_stamp)
{ {
const uint32_t elapsed_ticks = const uint32_t elapsed_ticks =
(now_ts - bucket->last_refilled_at_timestamp); (now_ts_stamp - bucket->last_refilled_at_timestamp);
if (elapsed_ticks > UINT32_MAX-(300*1000)) {
/* Either about 48 days have passed since the last refill, or the
* monotonic clock has somehow moved backwards. (We're looking at you,
* Windows.). We accept up to a 5 minute jump backwards as
* "unremarkable".
*/
return 0;
}
const uint32_t elapsed_steps = elapsed_ticks / TICKS_PER_STEP;
if (!elapsed_steps) {
/* Note that if less than one whole step elapsed, we don't advance the
* time in last_refilled_at. That's intentional: we want to make sure
* that we add some bytes to it eventually. */
return 0;
}
int flags = 0; int flags = 0;
if (token_bucket_raw_refill_steps(&bucket->read_bucket,
&bucket->cfg, elapsed_steps))
flags |= TB_READ;
if (token_bucket_raw_refill_steps(&bucket->write_bucket,
&bucket->cfg, elapsed_steps))
flags |= TB_WRITE;
bucket->last_refilled_at_timestamp = now_ts; /* Skip over updates that include an overflow or a very large jump.
* This can happen for platform specific reasons, such as the old ~48
* day windows timer. */
if (elapsed_ticks <= UINT32_MAX/4) {
const uint32_t elapsed_steps = elapsed_ticks / TICKS_PER_STEP;
if (!elapsed_steps) {
/* Note that if less than one whole step elapsed, we don't advance the
* time in last_refilled_at. That's intentional: we want to make sure
* that we add some bytes to it eventually. */
return 0;
}
if (token_bucket_raw_refill_steps(&bucket->read_bucket,
&bucket->cfg, elapsed_steps))
flags |= TB_READ;
if (token_bucket_raw_refill_steps(&bucket->write_bucket,
&bucket->cfg, elapsed_steps))
flags |= TB_WRITE;
}
bucket->last_refilled_at_timestamp = now_ts_stamp;
return flags; return flags;
} }
@ -259,15 +259,17 @@ token_bucket_rw_dec(token_bucket_rw_t *bucket,
/** Initialize a token bucket in <b>bucket</b>, set up to allow <b>rate</b> /** Initialize a token bucket in <b>bucket</b>, set up to allow <b>rate</b>
* per second, with a maximum burst of <b>burst</b>. The bucket is created * per second, with a maximum burst of <b>burst</b>. The bucket is created
* such that <b>now_ts</b> is the current timestamp. The bucket starts out * such that <b>now_ts_sec</b> is the current timestamp. The bucket starts
* full. */ * out full. Note that these counters use seconds instead of approximate
* milliseconds, in order to allow a lower minimum rate than the rw counters.
*/
void void
token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate, token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate,
uint32_t burst, uint32_t now_ts) uint32_t burst, uint32_t now_ts_sec)
{ {
memset(bucket, 0, sizeof(token_bucket_ctr_t)); memset(bucket, 0, sizeof(token_bucket_ctr_t));
token_bucket_ctr_adjust(bucket, rate, burst); token_bucket_ctr_adjust(bucket, rate, burst);
token_bucket_ctr_reset(bucket, now_ts); token_bucket_ctr_reset(bucket, now_ts_sec);
} }
/** Change the configured rate and burst of the given token bucket object in /** Change the configured rate and burst of the given token bucket object in
@ -280,31 +282,28 @@ token_bucket_ctr_adjust(token_bucket_ctr_t *bucket, uint32_t rate,
token_bucket_raw_adjust(&bucket->counter, &bucket->cfg); token_bucket_raw_adjust(&bucket->counter, &bucket->cfg);
} }
/** Reset <b>bucket</b> to be full, as of timestamp <b>now_ts</b>. */ /** Reset <b>bucket</b> to be full, as of timestamp <b>now_ts_sec</b>. */
void void
token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts) token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts_sec)
{ {
token_bucket_raw_reset(&bucket->counter, &bucket->cfg); token_bucket_raw_reset(&bucket->counter, &bucket->cfg);
bucket->last_refilled_at_timestamp = now_ts; bucket->last_refilled_at_timestamp = now_ts_sec;
} }
/** Refill <b>bucket</b> as appropriate, given that the current timestamp is /** Refill <b>bucket</b> as appropriate, given that the current timestamp is
* <b>now_ts</b>. */ * <b>now_ts_sec</b> in seconds. */
void void
token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts) token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts_sec)
{ {
const uint32_t elapsed_ticks = const uint32_t elapsed_sec =
(now_ts - bucket->last_refilled_at_timestamp); (now_ts_sec - bucket->last_refilled_at_timestamp);
if (elapsed_ticks > UINT32_MAX-(300*1000)) {
/* Either about 48 days have passed since the last refill, or the
* monotonic clock has somehow moved backwards. (We're looking at you,
* Windows.). We accept up to a 5 minute jump backwards as
* "unremarkable".
*/
return;
}
token_bucket_raw_refill_steps(&bucket->counter, &bucket->cfg, /* Are we detecting a rollover or a similar extremely large jump? This
elapsed_ticks); * shouldn't generally happen, but if it does for whatever (possibly
bucket->last_refilled_at_timestamp = now_ts; * platform-specific) reason, ignore it. */
if (elapsed_sec <= UINT32_MAX/4) {
token_bucket_raw_refill_steps(&bucket->counter, &bucket->cfg,
elapsed_sec);
}
bucket->last_refilled_at_timestamp = now_ts_sec;
} }

View File

@ -66,19 +66,19 @@ typedef struct token_bucket_rw_t {
void token_bucket_rw_init(token_bucket_rw_t *bucket, void token_bucket_rw_init(token_bucket_rw_t *bucket,
uint32_t rate, uint32_t rate,
uint32_t burst, uint32_t burst,
uint32_t now_ts); uint32_t now_ts_stamp);
void token_bucket_rw_adjust(token_bucket_rw_t *bucket, void token_bucket_rw_adjust(token_bucket_rw_t *bucket,
uint32_t rate, uint32_t burst); uint32_t rate, uint32_t burst);
void token_bucket_rw_reset(token_bucket_rw_t *bucket, void token_bucket_rw_reset(token_bucket_rw_t *bucket,
uint32_t now_ts); uint32_t now_ts_stamp);
#define TB_READ 1 #define TB_READ 1
#define TB_WRITE 2 #define TB_WRITE 2
int token_bucket_rw_refill(token_bucket_rw_t *bucket, int token_bucket_rw_refill(token_bucket_rw_t *bucket,
uint32_t now_ts); uint32_t now_ts_stamp);
int token_bucket_rw_dec_read(token_bucket_rw_t *bucket, int token_bucket_rw_dec_read(token_bucket_rw_t *bucket,
ssize_t n); ssize_t n);
@ -114,11 +114,11 @@ typedef struct token_bucket_ctr_t {
} token_bucket_ctr_t; } token_bucket_ctr_t;
void token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate, void token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate,
uint32_t burst, uint32_t now_ts); uint32_t burst, uint32_t now_ts_sec);
void token_bucket_ctr_adjust(token_bucket_ctr_t *bucket, uint32_t rate, void token_bucket_ctr_adjust(token_bucket_ctr_t *bucket, uint32_t rate,
uint32_t burst); uint32_t burst);
void token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts); void token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts_sec);
void token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts); void token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts_sec);
static inline bool static inline bool
token_bucket_ctr_dec(token_bucket_ctr_t *bucket, ssize_t n) token_bucket_ctr_dec(token_bucket_ctr_t *bucket, ssize_t n)

View File

@ -812,6 +812,12 @@ monotime_absolute_msec(void)
return monotime_absolute_nsec() / ONE_MILLION; return monotime_absolute_nsec() / ONE_MILLION;
} }
uint64_t
monotime_absolute_sec(void)
{
return monotime_absolute_nsec() / ONE_BILLION;
}
#ifdef MONOTIME_COARSE_FN_IS_DIFFERENT #ifdef MONOTIME_COARSE_FN_IS_DIFFERENT
uint64_t uint64_t
monotime_coarse_absolute_nsec(void) monotime_coarse_absolute_nsec(void)
@ -836,6 +842,17 @@ monotime_coarse_absolute_msec(void)
{ {
return monotime_coarse_absolute_nsec() / ONE_MILLION; return monotime_coarse_absolute_nsec() / ONE_MILLION;
} }
uint64_t
monotime_coarse_absolute_sec(void)
{
/* Note: Right now I'm not too concerned about 64-bit division, but if this
* ever becomes a hotspot we need to optimize, we can modify this to grab
* tv_sec directly from CLOCK_MONOTONIC_COARSE on linux at least. Right now
* I'm choosing to make this simpler and easier to test, but this
* optimization is available easily if we need it. */
return monotime_coarse_absolute_nsec() / ONE_BILLION;
}
#else /* !defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */ #else /* !defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
#define initialized_at_coarse initialized_at #define initialized_at_coarse initialized_at
#endif /* defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */ #endif /* defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */

View File

@ -89,6 +89,13 @@
* A: In general, regular monotime uses something that requires a system call. * A: In general, regular monotime uses something that requires a system call.
* On platforms where system calls are cheap, you win! Otherwise, you lose. * On platforms where system calls are cheap, you win! Otherwise, you lose.
* *
* XXX: This hasn't been true for a long time. Expect both coarse and fine
* monotime won't require a syscall, but they will have different
* costs in terms of low-level synchronization inside the vDSO and
* the hardware. The basic guidelines here still apply, but we aren't
* really worrying about system calls any more, and the integer div
* concerns are becoming nearly unimportant as well.
*
* On Windows, monotonic time uses QuereyPerformanceCounter. Storing * On Windows, monotonic time uses QuereyPerformanceCounter. Storing
* monotime_t costs 8 bytes. * monotime_t costs 8 bytes.
* *
@ -232,7 +239,12 @@ MOCK_DECL(uint64_t, monotime_absolute_usec,(void));
* Fractional units are truncated, not rounded. * Fractional units are truncated, not rounded.
*/ */
uint64_t monotime_absolute_msec(void); uint64_t monotime_absolute_msec(void);
/**
* Return the number of seconds since the timer system was initialized.
* The returned value may be equal to zero.
* Fractional units are truncated, not rounded.
*/
uint64_t monotime_absolute_sec(void);
/** /**
* Set <b>out</b> to zero. * Set <b>out</b> to zero.
*/ */
@ -259,11 +271,13 @@ void monotime_coarse_get(monotime_coarse_t *out);
uint64_t monotime_coarse_absolute_nsec(void); uint64_t monotime_coarse_absolute_nsec(void);
uint64_t monotime_coarse_absolute_usec(void); uint64_t monotime_coarse_absolute_usec(void);
uint64_t monotime_coarse_absolute_msec(void); uint64_t monotime_coarse_absolute_msec(void);
uint64_t monotime_coarse_absolute_sec(void);
#else /* !defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */ #else /* !defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
#define monotime_coarse_get monotime_get #define monotime_coarse_get monotime_get
#define monotime_coarse_absolute_nsec monotime_absolute_nsec #define monotime_coarse_absolute_nsec monotime_absolute_nsec
#define monotime_coarse_absolute_usec monotime_absolute_usec #define monotime_coarse_absolute_usec monotime_absolute_usec
#define monotime_coarse_absolute_msec monotime_absolute_msec #define monotime_coarse_absolute_msec monotime_absolute_msec
#define monotime_coarse_absolute_sec monotime_absolute_sec
#endif /* defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */ #endif /* defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
/** /**

View File

@ -243,10 +243,30 @@ test_bwmgt_token_buf_refill(void *arg)
tt_int_op(b.read_bucket.bucket, OP_GT, 8*KB-400); tt_int_op(b.read_bucket.bucket, OP_GT, 8*KB-400);
tt_int_op(b.read_bucket.bucket, OP_LT, 8*KB+400); tt_int_op(b.read_bucket.bucket, OP_LT, 8*KB+400);
// A ridiculous amount of time passes. /* A large amount of time passes, but less than the threshold at which
tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, INT32_MAX)); * we start detecting an assumed rollover event. This might be about 20
* days on a system with stamp units equal to 1ms. */
uint32_t ts_stamp = START_TS + UINT32_MAX / 5;
tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, ts_stamp));
tt_int_op(b.read_bucket.bucket, OP_EQ, b.cfg.burst); tt_int_op(b.read_bucket.bucket, OP_EQ, b.cfg.burst);
/* Fully empty the bucket and make sure it's filling once again */
token_bucket_rw_dec_read(&b, b.cfg.burst);
tt_int_op(b.read_bucket.bucket, OP_EQ, 0);
tt_int_op(1, OP_EQ, token_bucket_rw_refill(&b, ts_stamp += BW_SEC));
tt_int_op(b.read_bucket.bucket, OP_GT, 16*KB - 300);
tt_int_op(b.read_bucket.bucket, OP_LT, 16*KB + 300);
/* An even larger amount of time passes, which we take to be a 32-bit
* rollover event. The individual update is ignored, but the timestamp
* is still updated and the very next update should be accounted properly. */
tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, ts_stamp += UINT32_MAX/2));
tt_int_op(b.read_bucket.bucket, OP_GT, 16*KB - 600);
tt_int_op(b.read_bucket.bucket, OP_LT, 16*KB + 600);
tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, ts_stamp += BW_SEC));
tt_int_op(b.read_bucket.bucket, OP_GT, 32*KB - 600);
tt_int_op(b.read_bucket.bucket, OP_LT, 32*KB + 600);
done: done:
; ;
} }

View File

@ -9,6 +9,7 @@
#include "core/or/dos.h" #include "core/or/dos.h"
#include "core/or/circuitlist.h" #include "core/or/circuitlist.h"
#include "lib/crypt_ops/crypto_rand.h" #include "lib/crypt_ops/crypto_rand.h"
#include "lib/time/compat_time.h"
#include "feature/stats/geoip_stats.h" #include "feature/stats/geoip_stats.h"
#include "core/or/channel.h" #include "core/or/channel.h"
#include "feature/nodelist/microdesc.h" #include "feature/nodelist/microdesc.h"
@ -23,6 +24,8 @@
#include "test/test.h" #include "test/test.h"
#include "test/log_test_helpers.h" #include "test/log_test_helpers.h"
static const uint64_t BILLION = 1000000000;
static networkstatus_t *dummy_ns = NULL; static networkstatus_t *dummy_ns = NULL;
static networkstatus_t * static networkstatus_t *
mock_networkstatus_get_latest_consensus(void) mock_networkstatus_get_latest_consensus(void)
@ -58,14 +61,18 @@ mock_enable_dos_protection(const networkstatus_t *ns)
static void static void
test_dos_conn_creation(void *arg) test_dos_conn_creation(void *arg)
{ {
uint64_t monotime_now = 0xfffffffe;
(void) arg; (void) arg;
monotime_enable_test_mocking();
monotime_coarse_set_mock_time_nsec(monotime_now);
MOCK(get_param_cc_enabled, mock_enable_dos_protection); MOCK(get_param_cc_enabled, mock_enable_dos_protection);
MOCK(get_param_conn_enabled, mock_enable_dos_protection); MOCK(get_param_conn_enabled, mock_enable_dos_protection);
/* Initialize test data */ /* Initialize test data */
or_connection_t or_conn; or_connection_t or_conn;
time_t now = 1281533250; /* 2010-08-11 13:27:30 UTC */ time_t wallclock_now = 1281533250; /* 2010-08-11 13:27:30 UTC */
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr, tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr,
"18.0.0.1")); "18.0.0.1"));
tor_addr_t *addr = &TO_CONN(&or_conn)->addr; tor_addr_t *addr = &TO_CONN(&or_conn)->addr;
@ -75,13 +82,14 @@ test_dos_conn_creation(void *arg)
uint32_t max_concurrent_conns = get_param_conn_max_concurrent_count(NULL); uint32_t max_concurrent_conns = get_param_conn_max_concurrent_count(NULL);
/* Introduce new client */ /* Introduce new client */
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now); geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, wallclock_now);
{ /* Register many conns from this client but not enough to get it blocked */ { /* Register many conns from this client but not enough to get it blocked */
unsigned int i; unsigned int i;
for (i = 0; i < max_concurrent_conns; i++) { for (i = 0; i < max_concurrent_conns; i++) {
/* Don't trigger the connect() rate limitation so advance the clock 1 /* Don't trigger the connect() rate limitation so advance the clock 1
* second for each connection. */ * second for each connection. */
update_approx_time(++now); monotime_coarse_set_mock_time_nsec(monotime_now += BILLION);
update_approx_time(++wallclock_now);
dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL);
} }
} }
@ -107,6 +115,7 @@ test_dos_conn_creation(void *arg)
done: done:
dos_free_all(); dos_free_all();
monotime_disable_test_mocking();
} }
/** Helper mock: Place a fake IP addr for this channel in <b>addr_out</b> */ /** Helper mock: Place a fake IP addr for this channel in <b>addr_out</b> */

View File

@ -16,6 +16,7 @@
#include "test/log_test_helpers.h" #include "test/log_test_helpers.h"
#include "app/config/config.h" #include "app/config/config.h"
#include "lib/time/compat_time.h"
#include "core/or/circuitlist.h" #include "core/or/circuitlist.h"
#include "core/or/circuituse.h" #include "core/or/circuituse.h"
@ -45,7 +46,8 @@ free_mock_consensus(void)
static void static void
test_can_send_intro2(void *arg) test_can_send_intro2(void *arg)
{ {
uint32_t now = (uint32_t) approx_time(); static const uint64_t BILLION = 1000000000;
uint64_t now = 12345;
or_circuit_t *or_circ = NULL; or_circuit_t *or_circ = NULL;
(void) arg; (void) arg;
@ -55,6 +57,8 @@ test_can_send_intro2(void *arg)
get_options_mutable()->ORPort_set = 1; get_options_mutable()->ORPort_set = 1;
setup_mock_consensus(); setup_mock_consensus();
monotime_enable_test_mocking();
monotime_coarse_set_mock_time_nsec(now);
or_circ = or_circuit_new(1, NULL); or_circ = or_circuit_new(1, NULL);
@ -68,7 +72,7 @@ test_can_send_intro2(void *arg)
/* Simulate that 10 cells have arrived in 1 second. There should be no /* Simulate that 10 cells have arrived in 1 second. There should be no
* refill since the bucket is already at maximum on the first cell. */ * refill since the bucket is already at maximum on the first cell. */
update_approx_time(++now); monotime_coarse_set_mock_time_nsec(now += BILLION);
for (int i = 0; i < 10; i++) { for (int i = 0; i < 10; i++) {
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ)); tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
} }
@ -76,7 +80,7 @@ test_can_send_intro2(void *arg)
get_intro2_burst_consensus_param(NULL) - 10); get_intro2_burst_consensus_param(NULL) - 10);
/* Fully refill the bucket minus 1 cell. */ /* Fully refill the bucket minus 1 cell. */
update_approx_time(++now); monotime_coarse_set_mock_time_nsec(now += BILLION);
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ)); tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ, tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
get_intro2_burst_consensus_param(NULL) - 1); get_intro2_burst_consensus_param(NULL) - 1);
@ -84,7 +88,7 @@ test_can_send_intro2(void *arg)
/* Receive an INTRODUCE2 at each second. We should have the bucket full /* Receive an INTRODUCE2 at each second. We should have the bucket full
* since at every second it gets refilled. */ * since at every second it gets refilled. */
for (int i = 0; i < 10; i++) { for (int i = 0; i < 10; i++) {
update_approx_time(++now); monotime_coarse_set_mock_time_nsec(now += BILLION);
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ)); tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
} }
/* Last check if we can send the cell decrements the bucket so minus 1. */ /* Last check if we can send the cell decrements the bucket so minus 1. */
@ -92,7 +96,8 @@ test_can_send_intro2(void *arg)
get_intro2_burst_consensus_param(NULL) - 1); get_intro2_burst_consensus_param(NULL) - 1);
/* Manually reset bucket for next test. */ /* Manually reset bucket for next test. */
token_bucket_ctr_reset(&or_circ->introduce2_bucket, now); token_bucket_ctr_reset(&or_circ->introduce2_bucket,
(uint32_t) monotime_coarse_absolute_sec());
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ, tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
get_intro2_burst_consensus_param(NULL)); get_intro2_burst_consensus_param(NULL));
@ -115,7 +120,7 @@ test_can_send_intro2(void *arg)
} }
/* One second has passed, we should have the rate minus 1 cell added. */ /* One second has passed, we should have the rate minus 1 cell added. */
update_approx_time(++now); monotime_coarse_set_mock_time_nsec(now += BILLION);
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ)); tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ, tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
get_intro2_rate_consensus_param(NULL) - 1); get_intro2_rate_consensus_param(NULL) - 1);
@ -125,6 +130,7 @@ test_can_send_intro2(void *arg)
hs_free_all(); hs_free_all();
free_mock_consensus(); free_mock_consensus();
monotime_disable_test_mocking();
} }
static void static void

View File

@ -14,6 +14,7 @@
#include "test/test.h" #include "test/test.h"
#include "test/log_test_helpers.h" #include "test/log_test_helpers.h"
#include "lib/crypt_ops/crypto_rand.h" #include "lib/crypt_ops/crypto_rand.h"
#include "lib/time/compat_time.h"
#include "core/or/or.h" #include "core/or/or.h"
#include "core/or/channel.h" #include "core/or/channel.h"
@ -127,7 +128,7 @@ helper_create_intro_circuit(void)
tt_assert(circ); tt_assert(circ);
circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_OR); circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_OR);
token_bucket_ctr_init(&circ->introduce2_bucket, 100, 100, token_bucket_ctr_init(&circ->introduce2_bucket, 100, 100,
(uint32_t) approx_time()); (uint32_t) monotime_coarse_absolute_sec());
done: done:
return circ; return circ;
} }