Commit Graph

274 Commits

Author SHA1 Message Date
Nick Mathewson
762b799545 Rename 'remove' -> 'rmv' to avoid shadowing a libc global 2016-12-16 14:04:57 -05:00
Nick Mathewson
23c09b6bc2 Resolve a division-by-zero complaint from coverity. CID 1397272 2016-12-16 12:21:02 -05:00
Nick Mathewson
990a863d7c Merge branch 'ticket20831_v2' 2016-12-16 11:40:19 -05:00
Nick Mathewson
506bd6d47c Make NumDirectoryGuards work with the new guard algorithm.
Now that we support NumEntryGuards, NumDirectoryGuards is pretty
easy to put back in.
2016-12-16 11:34:31 -05:00
Nick Mathewson
d9200d853d Make NumEntryGuards work as expected again.
Further, add a "guard-n-primary-guards-to-use" parameter, defaulting
to 1, for NumEntryGuards to override.
2016-12-16 11:34:31 -05:00
Nick Mathewson
deb8bcadce 271: Algorithm tweak to allow multiple entry guards.
Previously, we had NumEntryGuards kind of hardwired to 1.  Now we
have the code (but not the configuarability) to choose randomly from
among the first N primary guards that would work, where N defaults
to 1.

Part of 20831 support for making NumEntryGuards work again.
2016-12-16 11:34:31 -05:00
Nick Mathewson
385602e982 Respect GuardLifetime in prop271 code.
It overrides both the GUARD_LIFETIME and the
GUARD_CONFIRMED_MIN_LIFETIME options.
2016-12-16 11:34:31 -05:00
Nick Mathewson
988b0afbd6 Merge branch 'ticket20826_v2' 2016-12-16 11:29:02 -05:00
Nick Mathewson
e044b4f8ce Support restrictive ENTRYNODES configurations correctly.
Since we already had a separate function for getting the universe of
possible guards, all we had to do was tweak it to handle very the
GS_TYPE_RESTRICTED case.
2016-12-16 11:28:27 -05:00
Nick Mathewson
4ec9751c14 guard->nickname is never NULL. 2016-12-16 11:25:59 -05:00
Nick Mathewson
2cee38f76a Merge branch 'prop271_030_v1_squashed' 2016-12-16 11:20:59 -05:00
Nick Mathewson
20292ec497 Per suggestion, increase the retry frequency for primary guards. 2016-12-16 11:06:22 -05:00
Nick Mathewson
fc7751a989 Rewrite state transition logic in entry_guards_note_success()
asn found while testing that this function can be reached with
GUARD_STATE_COMPLETE circuits; I believe this happens when
cannibalization occurs.

The added complexity of handling one more state made it reasonable
to turn the main logic here into a switch statement.
2016-12-16 11:06:22 -05:00
Nick Mathewson
2e2f3a4d99 Add a separate, non-fractional, limit to the sampled guard set size.
Letting the maximum sample size grow proportionally to the number of
guards defeats its purpose to a certain extent.  Noted by asn during
code review.

Fixes bug 20920; bug not in any released (or merged) version of Tor.
2016-12-16 11:06:22 -05:00
Nick Mathewson
e50d85b90c Clean check for live consensus when updating the guard sample.
The valid_until check was redundant.
2016-12-16 11:06:22 -05:00
Nick Mathewson
b7088e5b5a Move a TODO comment into doxygen comments. 2016-12-16 11:06:22 -05:00
George Kadianakis
50783d0123 Easy code fixes.
- Correctly maintain the previous guard selection in choose_guard_selection().
- Print bridge identifier instead of nothing in entry_guard_describe()._
2016-12-16 11:06:22 -05:00
George Kadianakis
7ab2678074 Trivial documentation improvements. 2016-12-16 11:06:22 -05:00
Nick Mathewson
6867950432 Wrap all of the legacy guard code, and its users, in #ifdefs
This will make it easier to see what we remove down the line.
2016-12-16 11:06:22 -05:00
Nick Mathewson
2b4bfe62ee Fix a signed/unsigned warning on 32-bit 2016-12-16 11:06:21 -05:00
Nick Mathewson
52e196bab5 Don't make $hexid nicknames persistent.
(That's asking for trouble, and also totally completely redundant.)
2016-12-16 11:06:21 -05:00
Nick Mathewson
79d3e94f8b prop271: Tests for the highlevel or_state_t encode/decode functions 2016-12-16 11:06:20 -05:00
Nick Mathewson
217590ad05 Extract guard_selection_infer_type into its own function. 2016-12-16 11:06:20 -05:00
Nick Mathewson
2c8c58ab2f Another tweak for guard restrictions: don't let complete circs block
If a complete circuit C2 doesn't obey the restrictions of C1, then
C2 cannot block C1.

The patch here is a little big-ish, since we can no longer look
through all the complete circuits and all the waiting circuits on a
single pass: we have to find the best waiting circuit first.
2016-12-16 11:06:20 -05:00
Nick Mathewson
87f9b42179 Implement support for per-circuit guard restrictions.
This is an important thing I hadn't considered when writing prop271:
sometimes you have to restrict what guard you use for a particular
circuit.  Most frequently, that would be because you plan to use a
certain node as your exit, and so you can't choose that for your
guard.

This change means that the upgrade-waiting-circuits algorithm needs
a slight tweak too: circuit A cannot block circuit B from upgrading
if circuit B needs to follow a restriction that circuit A does not
follow.
2016-12-16 11:06:20 -05:00
Nick Mathewson
17c3faa2e3 guards_choose_dirguard(): replace one XXXX with another.
I had been asking myself, "hey, doesn't the new code need to look at
this "info" parameter? The old code did!"  But it turns out that the
old code hasn't, since 05f7336624.

So instead of "support this!" the comment now says "we can remove
this!"
2016-12-16 11:06:20 -05:00
Nick Mathewson
9d065ecc3d Fix a magic number in get_max_sample_size 2016-12-16 11:06:20 -05:00
Nick Mathewson
1e9cd5d2bb Note a couple of XXX-prop271s as spec deviations. 2016-12-16 11:06:19 -05:00
Nick Mathewson
f4e64c04f4 Remove some resolved "XXXX prop271" comments. 2016-12-16 11:06:19 -05:00
Nick Mathewson
80fa404625 Fix for small test networks: don't refuse to have any sampled guards.
Don't restrict the sample size if the network size is less than 20
guards.  Maybe we'll think of a better rule later on?
2016-12-16 11:06:19 -05:00
Nick Mathewson
eac8b3f758 Remove a few unused arguments. 2016-12-16 11:06:19 -05:00
Nick Mathewson
84bfa895d7 Change return value of entry_guard_succeeded to an enum.
George pointed out that (-1,0,1) for (never usable, maybe usable
later, usable right now) was a pretty rotten convention that made
the code harder to read.
2016-12-16 11:06:19 -05:00
Nick Mathewson
46619ec914 Note some large functions that could be split.
George Kadianakis pointed these out.
2016-12-16 11:06:19 -05:00
Nick Mathewson
3bcbbea350 More progress on bridge implementation with prop271 guards
Here we handle most (all?) of the remaining tasks, and fix some
bugs, in the prop271 bridge implementation.

  * We record bridge identities as we learn them.
  * We only call deprecated functions from bridges.c when the
    deprecated guard algorithm is in use.
  * We update any_bridge_descriptors_known() and
    num_bridges_usable() to work correctly with the new backend
    code. (Previously, they called into the guard selection logic.
  * We update bridge directory fetches to work with the new
    guard code.
  * We remove some erroneous assertions where we assumed that we'd
    never load a guard that wasn't for the current selection.

Also, we fix a couple of typos.
2016-12-16 11:06:18 -05:00
Nick Mathewson
82fa71610d Implement bridge backends for sampling, filtering guards.
Still missing is functionality for picking bridges when we don't
know a descriptor for them yet, and functionality for learning a
bridge ID.

Everything else remains (basically) the same. Neat!
2016-12-16 11:06:18 -05:00
Nick Mathewson
53f248f6c9 Add some needed accessors/inspectors for bridge/guard convergence 2016-12-16 11:06:18 -05:00
Nick Mathewson
1d52ac4d3f Lay down some infrastructure for bridges in the New Guard Order.
This includes:
  * making bridge_info_t exposed but opaque
  * allowing guards where we don't know an identity
  * making it possible to learn the identity of a guard
  * creating a guard that lacks a node_t
  * remembering a guard's address and port.
  * Looking up a guard by address and port.
  * Only enforcing the rule that we need a live consensus to update
    the "listed" status for guards when we are not using bridges.
2016-12-16 11:06:18 -05:00
Nick Mathewson
89f5f149df Remove guard_selection argument from status-reporting functions
This prevents us from mixing up multiple guard_selections
2016-12-16 11:06:18 -05:00
Nick Mathewson
6dcbc24a4e Add a backpointer from entry_guard_t to guard_selection_t
This is safe, because no entry_guard_t ever outlives its
guard_selection_t.

I want this because now that multiple guard selections can be active
during one tor session, we should make sure that any information we
register about guards is with respect to the selection that they came
from.
2016-12-16 11:06:18 -05:00
Nick Mathewson
404e9e5611 Have multiple guard contexts we can switch between.
Currently, this code doesn't actually have the contexts behave
differently, (except for the legacy context), but it does switch
back and forth between them nicely.
2016-12-16 11:06:18 -05:00
Nick Mathewson
c6d218c44b Unit tests for entry_guard_{pick_for_circuit,succeeded,failed} 2016-12-16 11:06:17 -05:00
Nick Mathewson
9493711077 Mark confirmed guards primary as appropriate.
If a guard becomes primary as a result of confirming it, consider
the circuit through that guard as a primary circuit.

Also, note open questions on behavior when confirming nonprimary guards
2016-12-16 11:06:17 -05:00
Nick Mathewson
d2af9826fd Turn #defines for prop271 into networkstatus params
Some of these will get torrc options to override them too; this
is just the mechanical conversion.

Also, add documentation for a couple of undocumented (but now used)
parameters.
2016-12-16 11:06:17 -05:00
Nick Mathewson
2ea5aa7182 Expire circuits that have been WAITING_FOR_BETTER_GUARD too long
(This is required by 3.9 in prop271, but is better done as a
separate function IMO)
2016-12-16 11:06:16 -05:00
Nick Mathewson
e56bc1e5de Move the 'dirty' flag for the guards to a global again
It makes more sense to have a single dirty flag, since we always
regenerate the whole state file when we save it.
2016-12-16 11:06:16 -05:00
Nick Mathewson
bce0f79252 Mark some more BUG lines as unreachable. 2016-12-16 11:06:16 -05:00
Nick Mathewson
a7bc73935b Test get_guard_selection_by_name 2016-12-16 11:06:15 -05:00
Nick Mathewson
526b0e2ce2 Avoid division-by-zero in pathbias_check_*_success_count 2016-12-16 11:06:15 -05:00
Nick Mathewson
ac67819396 Make sure primary-guards are up-to-date when we inspect them.
(Plus some magic to prevent and detect recursive invocation of
entry_guards_update_primary(), since that can cause some pretty
tricky misbehavior.)
2016-12-16 11:06:15 -05:00
Nick Mathewson
897626953b Rebuild the guard lists as appropriate on torrc change.
(Also, prepare to tie guard changes into the mark-all-old-circuits
logic.)
2016-12-16 11:06:15 -05:00
Nick Mathewson
6788418f28 Propagate Ed25519 identities downwards into more functions.
Actually set ed25519 identities on channels when we set a channel's
identity.
2016-12-08 16:47:58 -05:00
Nick Mathewson
a20c8a81d7 Migrate main data loop for set_bad_connections to use channel structures
This was the last user of our or_connections-by-ID map.  It also had
a tendency to be O(N) in cases that only had to be O(1).
2016-12-08 16:47:57 -05:00
Nick Mathewson
d98b9b6d65 Fix pathbias interactions with entry guards
entry_guard_get_by_id_digest() was always returning NULL, which was
causing "adventure" and "fun"
2016-11-30 14:44:43 -05:00
Nick Mathewson
783fa2f586 Make pathbias fields persistent for new guards 2016-11-30 14:44:43 -05:00
Nick Mathewson
858c8f5593 Make new prop271 entry guards persistent
To do this, it makes sense to treat legacy guards as a separate
guard_selection_t *, and handle them separately.  This also means we
add support here for having multiple guard selections.

Note that we don't persist pathbias information yet; that will take
some refactoring.
2016-11-30 14:44:43 -05:00
Nick Mathewson
dbbaa51518 Use the new guard notification/selection APIs throughout Tor
This patch doesn't cover every case; omitted cases are marked with
"XXXX prop271", as usual.  It leaves both the old interface and the
new interface for guard status notification, since they don't
actually work in the same way: the new API wants to be told when a
circuit has failed or succeeded, whereas the old API wants to know
when a channel has failed or succeeded.

I ran into some trouble with directory guard stuff, since when we
pick the directory guard, we don't actually have a circuit to
associate it with.  I solved that by allowing guard states to be
associated with directory connections, not just circuits.
2016-11-30 14:42:53 -05:00
Nick Mathewson
8e43398986 Function to cancel a guard state.
We'll want to use this if we allocate a guard state then decide,
"whoops, we don't want to use this."
2016-11-30 14:42:53 -05:00
Nick Mathewson
4689096ed1 No need to say success/failure when recording failure; remove returnval
(We can fail at succeeding, but there's no plausible way to fail at failing)
2016-11-30 14:42:53 -05:00
Nick Mathewson
af1918d289 New entry_guard_chan_failed function
To be called when an entire channel has failed: tell any/all
circuits pending for the guard of that channel that they have
failed.
2016-11-30 14:42:53 -05:00
Nick Mathewson
1fd0a547bb New function to tell the guard module "We're on the net!"
(Call it whenever we read a cell.)
2016-11-30 14:42:53 -05:00
Nick Mathewson
8dc6048c02 Add an (as yet) unused UseDeprecatedGuardAlgorithm_ option.
I expect we'll be ripping this out somewhere in 0.3.0, but let's
keep it around for a little while in case it turns out to be the
only way to avert disaster?
2016-11-30 14:42:53 -05:00
Nick Mathewson
36e9fbd752 Backend for upgrading 'waiting' circuits to 'complete'
When a nonprimary guard's circuit is complete, we don't call it
actually usable until we are pretty sure that every better guard
is indeed not going to give us a working circuit.
2016-11-30 14:42:52 -05:00
Nick Mathewson
dd6bdab3f6 Write the easy parts of the public entryguard interface.
Here we add a little bit of state to origin circuits, and set up
the necessary functions for the circuit code to call in order to
find guards, use guards, and decide when circuits can be used.

There's also an incomplete function for the hard part of the
circuit-maintenance code, where we figure out whether any waiting
guards are ready to become usable.

(This patch finally uses the handle.c code to make safe handles to
entry_guard_t objects, so that we are allowed to free an
entry_guard_t without checking whether any origin_circuit_t is
holding a reference to it.)
2016-11-30 14:42:52 -05:00
Nick Mathewson
7bf946965b Implement most of the prop271 data structure backends.
This code handles:
  * Maintaining the sampled set, the filtered set, and the
    usable_filtered set.
  * Maintaining the confirmed and primary guard lists.
  * Picking guards for circuits, and updating guard state when
    circuit state changes.

Additionally, I've done code structure movement: even more constants
and structures from entrynodes.c have become ENTRYNODES_PRIVATE
fields of entrynodes.h.

I've also included a bunch of documentation and a bunch of unit
tests.  Coverage on the new code is pretty high.

I've noted important things to resolve before this branch is done
with the /XXXX.*prop271/ regex.
2016-11-30 14:42:52 -05:00
Nick Mathewson
6a02f9f35a Add parameters for new (prop271) guard algorithm.
These are taken from the proposal, and defined there.  Some of them
should turn into consensus parameters.

Also, remove some dead code that was there to make compilation work,
and use ATTR_UNUSED like a normal person.
2016-11-30 14:42:52 -05:00
Nick Mathewson
3c12133038 Collect old guard algorithm parameters into one place 2016-11-30 14:42:52 -05:00
Nick Mathewson
c74542c51a Add accessors as needed to repair compilation
The previous commit, in moving a bunch of functions to bridges.c,
broke compilation because bridges.c required two entry points to
entrynodes.c it didn't have.
2016-11-30 14:42:52 -05:00
Nick Mathewson
8da24c99bd Split bridge functions into a new module.
This patch is just:
   * Code movement
   * Adding headers here and there as needed
   * Adding a bridges_free_all() with a call to it.

It breaks compilation, since the bridge code needed to make exactly
2 calls into entrynodes.c internals.  I'll fix those in the next
commit.
2016-11-30 14:42:52 -05:00
Nick Mathewson
dd6def5daf Initial code to parse/encode/sample prop271 guards
The encoding code is very straightforward.  The decoding code is a
bit tricky, but clean-ish.  The sampling code is untested and
probably needs more work.
2016-11-30 14:42:52 -05:00
Nick Mathewson
539eba0a4b Teach parse_iso_time about the spaceless variant.
(We previously added support for generating the spaceless
2016-11-14T19:58:12 variant, but not for actually parsing it.)
2016-11-30 14:42:52 -05:00
Nick Mathewson
df8256a931 Add the prop271 fields to entry_guard_t. Not used yet. 2016-11-30 14:42:52 -05:00
Nick Mathewson
043e9b0151 Whitespace fixes from previous mechanical search-and-replaces 2016-11-30 14:42:52 -05:00
Nick Mathewson
f66f9c82e9 Make entry_guard_t opaque to circpathbias.c
This was a relatively mechanical change.  First, I added an accessor
function for the pathbias-state field of a guard.  Then I did a
search-and-replace in circpathbias.c to replace "guard->pb." with
"pb->".  Finally, I made sure that "pb" was declared whenever it was
needed.
2016-11-30 14:42:52 -05:00
Nick Mathewson
62477906e9 Fix remaining case of circpathbias inspecting entryguard internals 2016-11-30 14:42:52 -05:00
Nick Mathewson
823357dbe4 Add an entry_guard_describe() function
This function helpfully removes all but one remaining use of
an entry_guard_t private field in pathbias.c
2016-11-30 14:42:52 -05:00
Nick Mathewson
be447bc770 Move path-bias fields into a separate structure
(Other than the field movement, the code changes here are just
search-and-replace)
2016-11-30 14:42:52 -05:00
Nick Mathewson
22f2f13f81 prop271: make entry_guard_t mostly-private
The entry_guard_t structure should really be opaque, so that we
can change its contents and have the rest of Tor not care.

This commit makes it "mostly opaque" -- circpathbias.c can still see
inside it.  (I'm making circpathbias.c exempt since it's the only
part of Tor outside of entrynodes.c that made serious use of
entry_guard_t internals.)
2016-11-30 14:42:52 -05:00
Nick Mathewson
b5e75ae7dd Add an ed25519 identity to extend_info 2016-11-10 09:43:27 -05:00
Nick Mathewson
12cf73c451 Merge remote-tracking branch 'andrea/ticket19858_v2'
Conflict in entrynodes.c: any_bridge_supports_microdescriptors was
removed in master, and modified in 19858_v2
2016-10-19 17:11:47 -04:00
Andrea Shepard
1c6f8841f4 Refactor to always allocate chosen_entry_guards in new guard_selection_new() function 2016-10-14 00:15:30 +00:00
Andrea Shepard
3b8a40f262 Use tor_memeq() instead of tor_memcmp() per code review 2016-10-13 23:48:49 +00:00
Andrea Shepard
fca605e763 Adjust comment per code review 2016-10-13 23:47:08 +00:00
Roger Dingledine
bfaded9143 Bridge-using clients now use their cached microdesc consensus
Clients that use bridges were ignoring their cached microdesc-flavor
consensus files, because they only thought they should use the microdesc
flavor once they had a known-working bridge that could offer microdescs,
and at first boot no bridges are known-working.

This bug caused bridge-using clients to download a new microdesc consensus
on each startup.

Fixes bug 20269; bugfix on 0.2.3.12-alpha.
2016-10-01 16:34:17 -04:00
Andrea Shepard
006c26f54f Abolish globals in entrynodes.c; relativize guard context to new guard_selection_t structure 2016-09-25 02:11:44 +00:00
Nick Mathewson
4757303873 Fix all -Wshadow warnings on Linux
This is a partial fix for 18902.
2016-07-28 06:58:44 -04:00
Nick Mathewson
b750a77e3f fix naked memcmps 2016-06-30 15:34:16 -04:00
Andrea Shepard
657eaee6ae Expose GETINFO download status statics for test suite and make things mockable 2016-06-29 05:55:42 +00:00
Andrea Shepard
c692900728 Add bridge descriptor download status queries to GETINFO 2016-06-29 05:55:42 +00:00
Nick Mathewson
703254a832 Merge remote-tracking branch 'public/bug15942_v2_alternative' 2016-06-23 09:01:24 -04:00
nikkolasg
568dc27a19 Make base16_decodes return number of decoded bytes
base16_decodes() now returns the number of decoded bytes. It's interface
changes from returning a "int" to a "ssize_t". Every callsite now checks the
returned value.

Fixes #14013

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-06-20 08:44:58 -04:00
Andrea Shepard
5cb27d8991 Use exponential backoffs for bridge descriptor downloads 2016-06-18 16:32:17 +00:00
Nick Mathewson
c274f825da Merge remote-tracking branch 'asn/bug17688' 2016-06-11 10:07:15 -04:00
George Kadianakis
36dd9538d9 Don't rely on consensus parameter to use a single guard. 2016-06-07 17:22:47 +03:00
Nick Mathewson
4f1a04ff9c Replace nearly all XXX0vv comments with smarter ones
So, back long ago, XXX012 meant, "before Tor 0.1.2 is released, we
had better revisit this comment and fix it!"

But we have a huge pile of such comments accumulated for a large
number of released versions!  Not cool.

So, here's what I tried to do:

  * 0.2.9 and 0.2.8 are retained, since those are not yet released.

  * XXX+ or XXX++ or XXX++++ or whatever means, "This one looks
    quite important!"

  * The others, after one-by-one examination, are downgraded to
    plain old XXX.  Which doesn't mean they aren't a problem -- just
    that they cannot possibly be a release-blocking problem.
2016-05-30 16:18:16 -04:00
Nick Mathewson
c0568a89d9 Whitespace fixes 2016-03-26 09:54:31 -04:00
teor (Tim Wilson-Brown)
f2153f9716 Always allow OR connections to bridges on private addresses
Regardless of the setting of ExtendAllowPrivateAddresses.

This fixes a bug with pluggable transports that ignore the
(potentially private) address in their bridge line.

Fixes bug 18517; bugfix on 23b088907f in tor-0.2.8.1-alpha.
2016-03-24 10:13:58 -04:00
Nick Mathewson
57699de005 Update the copyright year. 2016-02-27 18:48:19 +01:00
teor (Tim Wilson-Brown)
c281c03654 If both IPv4 and IPv6 addresses could be used, choose one correctly
If there is a node, use node_ipv6_or/dir_preferred().
If there is no node, use fascist_firewall_prefer_ipv6_or/dirport().
2016-02-20 23:40:37 +11:00
Nick Mathewson
838d4dee12 make check-spaces 2016-02-11 12:50:55 -05:00
teor (Tim Wilson-Brown)
c213f277cd Make bridge clients prefer the configured bridge address
When ClientPreferIPv6ORPort is auto, bridges prefer the configured
bridge ORPort address. Otherwise, they use the value of the option.
Other clients prefer IPv4 ORPorts if ClientPreferIPv6ORPort is auto.

When ClientPreferIPv6DirPort is auto, all clients prefer IPv4 DirPorts.
2016-02-03 23:56:19 +11:00