Tor 0.4.9.0-alpha-dev
circpathbias.c
Go to the documentation of this file.
1/* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5/* See LICENSE for licensing information */
6
7/**
8 * \file circpathbias.c
9 *
10 * \brief Code to track success/failure rates of circuits built through
11 * different tor nodes, in an attempt to detect attacks where
12 * an attacker deliberately causes circuits to fail until the client
13 * choses a path they like.
14 *
15 * This code is currently configured in a warning-only mode, though false
16 * positives appear to be rare in practice. There is also support for
17 * disabling really bad guards, but it's quite experimental and may have bad
18 * anonymity effects.
19 *
20 * The information here is associated with the entry_guard_t object for
21 * each guard, and stored persistently in the state file.
22 */
23
24#include "core/or/or.h"
25#include "core/or/channel.h"
26#include "feature/client/circpathbias.h"
28#include "core/or/circuitlist.h"
29#include "core/or/circuituse.h"
32#include "app/config/config.h"
36#include "core/or/relay.h"
37#include "lib/math/fp.h"
38#include "lib/math/laplace.h"
39
40#include "core/or/cell_st.h"
45
49static void pathbias_measure_use_rate(entry_guard_t *guard);
50static void pathbias_measure_close_rate(entry_guard_t *guard);
51static void pathbias_scale_use_rates(entry_guard_t *guard);
52static void pathbias_scale_close_rates(entry_guard_t *guard);
53static int entry_guard_inc_circ_attempt_count(entry_guard_t *guard);
54
55/** Increment the number of times we successfully extended a circuit to
56 * <b>guard</b>, first checking if the failure rate is high enough that
57 * we should eliminate the guard. Return -1 if the guard looks no good;
58 * return 0 if the guard looks fine.
59 */
60static int
62{
64
66
68
69 if (pb->path_bias_disabled)
70 return -1;
71
73 pb->circ_attempts++;
74
75 log_info(LD_CIRC, "Got success count %f/%f for guard %s",
78 return 0;
79}
80
81/** The minimum number of circuit attempts before we start
82 * thinking about warning about path bias and dropping guards */
83static int
85{
86#define DFLT_PATH_BIAS_MIN_CIRC 150
87 if (options->PathBiasCircThreshold >= 5)
88 return options->PathBiasCircThreshold;
89 else
90 return networkstatus_get_param(NULL, "pb_mincircs",
91 DFLT_PATH_BIAS_MIN_CIRC,
92 5, INT32_MAX);
93}
94
95/** The circuit success rate below which we issue a notice */
96static double
98{
99#define DFLT_PATH_BIAS_NOTICE_PCT 70
100 if (options->PathBiasNoticeRate >= 0.0)
101 return options->PathBiasNoticeRate;
102 else
103 return networkstatus_get_param(NULL, "pb_noticepct",
104 DFLT_PATH_BIAS_NOTICE_PCT, 0, 100)/100.0;
105}
106
107/** The circuit success rate below which we issue a warn */
108static double
110{
111#define DFLT_PATH_BIAS_WARN_PCT 50
112 if (options->PathBiasWarnRate >= 0.0)
113 return options->PathBiasWarnRate;
114 else
115 return networkstatus_get_param(NULL, "pb_warnpct",
116 DFLT_PATH_BIAS_WARN_PCT, 0, 100)/100.0;
117}
118
119/* XXXX I'd like to have this be static again, but entrynodes.c needs it. */
120/**
121 * The extreme rate is the rate at which we would drop the guard,
122 * if pb_dropguard is also set. Otherwise we just warn.
123 */
124double
126{
127#define DFLT_PATH_BIAS_EXTREME_PCT 30
128 if (options->PathBiasExtremeRate >= 0.0)
129 return options->PathBiasExtremeRate;
130 else
131 return networkstatus_get_param(NULL, "pb_extremepct",
132 DFLT_PATH_BIAS_EXTREME_PCT, 0, 100)/100.0;
133}
134
135/* XXXX I'd like to have this be static again, but entrynodes.c needs it. */
136/**
137 * If 1, we actually disable use of guards that fall below
138 * the extreme_pct.
139 */
140int
142{
143#define DFLT_PATH_BIAS_DROP_GUARDS 0
144 if (options->PathBiasDropGuards >= 0)
145 return options->PathBiasDropGuards;
146 else
147 return networkstatus_get_param(NULL, "pb_dropguards",
148 DFLT_PATH_BIAS_DROP_GUARDS, 0, 1);
149}
150
151/**
152 * This is the number of circuits at which we scale our
153 * counts by mult_factor/scale_factor. Note, this count is
154 * not exact, as we only perform the scaling in the event
155 * of no integer truncation.
156 */
157static int
159{
160#define DFLT_PATH_BIAS_SCALE_THRESHOLD 300
161 if (options->PathBiasScaleThreshold >= 10)
162 return options->PathBiasScaleThreshold;
163 else
164 return networkstatus_get_param(NULL, "pb_scalecircs",
165 DFLT_PATH_BIAS_SCALE_THRESHOLD, 10,
166 INT32_MAX);
167}
168
169/**
170 * Compute the path bias scaling ratio from the consensus
171 * parameters pb_multfactor/pb_scalefactor.
172 *
173 * Returns a value in (0, 1.0] which we multiply our pathbias
174 * counts with to scale them down.
175 */
176static double
178{
179 (void) options;
180 /*
181 * The scale factor is the denominator for our scaling
182 * of circuit counts for our path bias window.
183 *
184 * Note that our use of doubles for the path bias state
185 * file means that powers of 2 work best here.
186 */
187 int denominator = networkstatus_get_param(NULL, "pb_scalefactor",
188 2, 2, INT32_MAX);
189 tor_assert(denominator > 0);
190
191 /**
192 * The mult factor is the numerator for our scaling
193 * of circuit counts for our path bias window. It
194 * allows us to scale by fractions.
195 */
196 return networkstatus_get_param(NULL, "pb_multfactor",
197 1, 1, denominator)/((double)denominator);
198}
199
200/** The minimum number of circuit usage attempts before we start
201 * thinking about warning about path use bias and dropping guards */
202static int
204{
205#define DFLT_PATH_BIAS_MIN_USE 20
206 if (options->PathBiasUseThreshold >= 3)
207 return options->PathBiasUseThreshold;
208 else
209 return networkstatus_get_param(NULL, "pb_minuse",
210 DFLT_PATH_BIAS_MIN_USE,
211 3, INT32_MAX);
212}
213
214/** The circuit use success rate below which we issue a notice */
215static double
217{
218#define DFLT_PATH_BIAS_NOTICE_USE_PCT 80
219 if (options->PathBiasNoticeUseRate >= 0.0)
220 return options->PathBiasNoticeUseRate;
221 else
222 return networkstatus_get_param(NULL, "pb_noticeusepct",
223 DFLT_PATH_BIAS_NOTICE_USE_PCT,
224 0, 100)/100.0;
225}
226
227/**
228 * The extreme use rate is the rate at which we would drop the guard,
229 * if pb_dropguard is also set. Otherwise we just warn.
230 */
231double
233{
234#define DFLT_PATH_BIAS_EXTREME_USE_PCT 60
235 if (options->PathBiasExtremeUseRate >= 0.0)
236 return options->PathBiasExtremeUseRate;
237 else
238 return networkstatus_get_param(NULL, "pb_extremeusepct",
239 DFLT_PATH_BIAS_EXTREME_USE_PCT,
240 0, 100)/100.0;
241}
242
243/**
244 * This is the number of circuits at which we scale our
245 * use counts by mult_factor/scale_factor. Note, this count is
246 * not exact, as we only perform the scaling in the event
247 * of no integer truncation.
248 */
249static int
251{
252#define DFLT_PATH_BIAS_SCALE_USE_THRESHOLD 100
253 if (options->PathBiasScaleUseThreshold >= 10)
254 return options->PathBiasScaleUseThreshold;
255 else
256 return networkstatus_get_param(NULL, "pb_scaleuse",
257 DFLT_PATH_BIAS_SCALE_USE_THRESHOLD,
258 10, INT32_MAX);
259}
260
261/**
262 * Convert a Guard's path state to string.
263 */
264const char *
266{
267 switch (state) {
269 return "new";
271 return "build attempted";
273 return "build succeeded";
275 return "use attempted";
277 return "use succeeded";
279 return "use failed";
281 return "already counted";
282 }
283
284 return "unknown";
285}
286
287/**
288 * This function decides if a circuit has progressed far enough to count
289 * as a circuit "attempt". As long as end-to-end tagging is possible,
290 * we assume the adversary will use it over hop-to-hop failure. Therefore,
291 * we only need to account bias for the last hop. This should make us
292 * much more resilient to ambient circuit failure, and also make that
293 * failure easier to measure (we only need to measure Exit failure rates).
294 */
295static int
297{
298#define N2N_TAGGING_IS_POSSIBLE
299#ifdef N2N_TAGGING_IS_POSSIBLE
300 /* cpath is a circular list. We want circs with more than one hop,
301 * and the second hop must be waiting for keys still (it's just
302 * about to get them). */
303 return circ->cpath &&
304 circ->cpath->next != circ->cpath &&
305 circ->cpath->next->state == CPATH_STATE_AWAITING_KEYS;
306#else /* !defined(N2N_TAGGING_IS_POSSIBLE) */
307 /* If tagging attacks are no longer possible, we probably want to
308 * count bias from the first hop. However, one could argue that
309 * timing-based tagging is still more useful than per-hop failure.
310 * In which case, we'd never want to use this.
311 */
312 return circ->cpath &&
313 circ->cpath->state == CPATH_STATE_AWAITING_KEYS;
314#endif /* defined(N2N_TAGGING_IS_POSSIBLE) */
315}
316
317/**
318 * Decide if the path bias code should count a circuit.
319 *
320 * @returns 1 if we should count it, 0 otherwise.
321 */
322static int
324{
325#define PATHBIAS_COUNT_INTERVAL (600)
326 static ratelim_t count_limit =
327 RATELIM_INIT(PATHBIAS_COUNT_INTERVAL);
328 char *rate_msg = NULL;
329
330 /* We can't do path bias accounting without entry guards.
331 * Testing and controller circuits also have no guards.
332 *
333 * We also don't count server-side rends, because their
334 * endpoint could be chosen maliciously.
335 * Similarly, we can't count client-side intro attempts,
336 * because clients can be manipulated into connecting to
337 * malicious intro points.
338 *
339 * Finally, avoid counting conflux circuits for now, because
340 * a malicious exit could cause us to reconnect and blame
341 * our guard...
342 *
343 * TODO-329-PURPOSE: This is not quite right, we could
344 * instead avoid sending usable probes on conflux circs,
345 * and count only linked circs as failures, but it is
346 * not 100% clear that would result in accurate counts. */
347 if (get_options()->UseEntryGuards == 0 ||
348 circ->base_.purpose == CIRCUIT_PURPOSE_TESTING ||
349 circ->base_.purpose == CIRCUIT_PURPOSE_CONTROLLER ||
351 circ->base_.purpose == CIRCUIT_PURPOSE_S_REND_JOINED ||
353 circ->base_.purpose == CIRCUIT_PURPOSE_CONFLUX_LINKED ||
354 (circ->base_.purpose >= CIRCUIT_PURPOSE_C_INTRODUCING &&
356
357 /* Check to see if the shouldcount result has changed due to a
358 * unexpected purpose change that would affect our results.
359 *
360 * The reason we check the path state too here is because for the
361 * cannibalized versions of these purposes, we count them as successful
362 * before their purpose change.
363 */
364 if (circ->pathbias_shouldcount == PATHBIAS_SHOULDCOUNT_COUNTED
366 log_info(LD_BUG,
367 "Circuit %d is now being ignored despite being counted "
368 "in the past. Purpose is %s, path state is %s",
369 circ->global_identifier,
372 }
373 circ->pathbias_shouldcount = PATHBIAS_SHOULDCOUNT_IGNORED;
374 return 0;
375 }
376
377 /* Ignore circuits where the controller helped choose the path. When
378 * this happens, we can't be sure whether the path was chosen randomly
379 * or not. */
380 if (circ->any_hop_from_controller) {
381 /* (In this case, we _don't_ check to see if shouldcount is changing,
382 * since it's possible that an already-created circuit later gets extended
383 * by the controller. */
384 circ->pathbias_shouldcount = PATHBIAS_SHOULDCOUNT_IGNORED;
385 return 0;
386 }
387
388 /* Completely ignore one hop circuits */
389 if (circ->build_state->onehop_tunnel ||
390 circ->build_state->desired_path_len == 1) {
391 /* Check for inconsistency */
392 if (circ->build_state->desired_path_len != 1 ||
393 !circ->build_state->onehop_tunnel) {
394 if ((rate_msg = rate_limit_log(&count_limit, approx_time()))) {
395 log_info(LD_BUG,
396 "One-hop circuit %d has length %d. Path state is %s. "
397 "Circuit is a %s currently %s.%s",
398 circ->global_identifier,
402 circuit_state_to_string(circ->base_.state),
403 rate_msg);
404 tor_free(rate_msg);
405 }
407 }
408
409 /* Check to see if the shouldcount result has changed due to a
410 * unexpected change that would affect our results */
411 if (circ->pathbias_shouldcount == PATHBIAS_SHOULDCOUNT_COUNTED) {
412 log_info(LD_BUG,
413 "One-hop circuit %d is now being ignored despite being counted "
414 "in the past. Purpose is %s, path state is %s",
415 circ->global_identifier,
418 }
419 circ->pathbias_shouldcount = PATHBIAS_SHOULDCOUNT_IGNORED;
420 return 0;
421 }
422
423 /* Check to see if the shouldcount result has changed due to a
424 * unexpected purpose change that would affect our results */
425 if (circ->pathbias_shouldcount == PATHBIAS_SHOULDCOUNT_IGNORED) {
426 log_info(LD_CIRC,
427 "Circuit %d is not being counted by pathbias because it was "
428 "ignored in the past. Purpose is %s, path state is %s",
429 circ->global_identifier,
432 return 0;
433 }
434 circ->pathbias_shouldcount = PATHBIAS_SHOULDCOUNT_COUNTED;
435
436 return 1;
437}
438
439/**
440 * Check our circuit state to see if this is a successful circuit attempt.
441 * If so, record it in the current guard's path bias circ_attempt count.
442 *
443 * Also check for several potential error cases for bug #6475.
444 */
445int
447{
448#define CIRC_ATTEMPT_NOTICE_INTERVAL (600)
449 static ratelim_t circ_attempt_notice_limit =
450 RATELIM_INIT(CIRC_ATTEMPT_NOTICE_INTERVAL);
451 char *rate_msg = NULL;
452
453 if (!pathbias_should_count(circ)) {
454 return 0;
455 }
456
458 /* Help track down the real cause of bug #6475: */
459 if (circ->has_opened && circ->path_state != PATH_STATE_BUILD_ATTEMPTED) {
460 if ((rate_msg = rate_limit_log(&circ_attempt_notice_limit,
461 approx_time()))) {
462 log_info(LD_BUG,
463 "Opened circuit %d is in strange path state %s. "
464 "Circuit is a %s currently %s.%s",
465 circ->global_identifier,
468 circuit_state_to_string(circ->base_.state),
469 rate_msg);
470 tor_free(rate_msg);
471 }
472 }
473
474 /* Don't re-count cannibalized circs.. */
475 if (!circ->has_opened) {
476 entry_guard_t *guard = NULL;
477
478 if (circ->cpath && circ->cpath->extend_info) {
481 } else if (circ->base_.n_chan) {
482 guard =
484 }
485
486 if (guard) {
487 if (circ->path_state == PATH_STATE_NEW_CIRC) {
489
490 if (entry_guard_inc_circ_attempt_count(guard) < 0) {
491 /* Bogus guard; we already warned. */
492 return -END_CIRC_REASON_TORPROTOCOL;
493 }
494 } else {
495 if ((rate_msg = rate_limit_log(&circ_attempt_notice_limit,
496 approx_time()))) {
497 log_info(LD_BUG,
498 "Unopened circuit %d has strange path state %s. "
499 "Circuit is a %s currently %s.%s",
500 circ->global_identifier,
503 circuit_state_to_string(circ->base_.state),
504 rate_msg);
505 tor_free(rate_msg);
506 }
507 }
508 } else {
509 if ((rate_msg = rate_limit_log(&circ_attempt_notice_limit,
510 approx_time()))) {
511 log_info(LD_CIRC,
512 "Unopened circuit has no known guard. "
513 "Circuit is a %s currently %s.%s",
515 circuit_state_to_string(circ->base_.state),
516 rate_msg);
517 tor_free(rate_msg);
518 }
519 }
520 }
521 }
522
523 return 0;
524}
525
526/**
527 * Check our circuit state to see if this is a successful circuit
528 * completion. If so, record it in the current guard's path bias
529 * success count.
530 *
531 * Also check for several potential error cases for bug #6475.
532 */
533void
535{
536#define SUCCESS_NOTICE_INTERVAL (600)
537 static ratelim_t success_notice_limit =
538 RATELIM_INIT(SUCCESS_NOTICE_INTERVAL);
539 char *rate_msg = NULL;
540 entry_guard_t *guard = NULL;
541
542 if (!pathbias_should_count(circ)) {
543 return;
544 }
545
546 /* Don't count cannibalized/reused circs for path bias
547 * "build" success, since they get counted under "use" success. */
548 if (!circ->has_opened) {
549 if (circ->cpath && circ->cpath->extend_info) {
552 }
553
554 if (guard) {
556
559 pb->circ_successes++;
561
562 log_info(LD_CIRC, "Got success count %f/%f for guard %s",
564 entry_guard_describe(guard));
565 } else {
566 if ((rate_msg = rate_limit_log(&success_notice_limit,
567 approx_time()))) {
568 log_info(LD_BUG,
569 "Succeeded circuit %d is in strange path state %s. "
570 "Circuit is a %s currently %s.%s",
571 circ->global_identifier,
574 circuit_state_to_string(circ->base_.state),
575 rate_msg);
576 tor_free(rate_msg);
577 }
578 }
579
580 if (pb->circ_attempts < pb->circ_successes) {
581 log_notice(LD_BUG, "Unexpectedly high successes counts (%f/%f) "
582 "for guard %s",
584 entry_guard_describe(guard));
585 }
586 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
587 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
588 * No need to log that case. */
589 } else if (circ->base_.purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
590 if ((rate_msg = rate_limit_log(&success_notice_limit,
591 approx_time()))) {
592 log_info(LD_CIRC,
593 "Completed circuit has no known guard. "
594 "Circuit is a %s currently %s.%s",
596 circuit_state_to_string(circ->base_.state),
597 rate_msg);
598 tor_free(rate_msg);
599 }
600 }
601 } else {
603 if ((rate_msg = rate_limit_log(&success_notice_limit,
604 approx_time()))) {
605 log_info(LD_BUG,
606 "Opened circuit %d is in strange path state %s. "
607 "Circuit is a %s currently %s.%s",
608 circ->global_identifier,
611 circuit_state_to_string(circ->base_.state),
612 rate_msg);
613 tor_free(rate_msg);
614 }
615 }
616 }
617}
618
619/**
620 * Record an attempt to use a circuit. Changes the circuit's
621 * path state and update its guard's usage counter.
622 *
623 * Used for path bias usage accounting.
624 */
625void
627{
628 if (!pathbias_should_count(circ)) {
629 return;
630 }
631
633 log_notice(LD_BUG,
634 "Used circuit %d is in strange path state %s. "
635 "Circuit is a %s currently %s.",
636 circ->global_identifier,
639 circuit_state_to_string(circ->base_.state));
640 } else if (circ->path_state < PATH_STATE_USE_ATTEMPTED) {
641 entry_guard_t *guard = entry_guard_get_by_id_digest(
643 if (guard) {
645
648 pb->use_attempts++;
650
651 log_debug(LD_CIRC,
652 "Marked circuit %d (%f/%f) as used for guard %s.",
653 circ->global_identifier,
655 entry_guard_describe(guard));
656 }
657
659 } else {
660 /* Harmless but educational log message */
661 log_info(LD_CIRC,
662 "Used circuit %d is already in path state %s. "
663 "Circuit is a %s currently %s.",
664 circ->global_identifier,
667 circuit_state_to_string(circ->base_.state));
668 }
669
670 return;
671}
672
673/**
674 * Check the circuit's path state is appropriate and mark it as
675 * successfully used. Used for path bias usage accounting.
676 *
677 * We don't actually increment the guard's counters until
678 * pathbias_check_close(), because the circuit can still transition
679 * back to PATH_STATE_USE_ATTEMPTED if a stream fails later (this
680 * is done so we can probe the circuit for liveness at close).
681 */
682void
684{
685 if (!pathbias_should_count(circ)) {
686 return;
687 }
688
690 log_notice(LD_BUG,
691 "Used circuit %d is in strange path state %s. "
692 "Circuit is a %s currently %s.",
693 circ->global_identifier,
696 circuit_state_to_string(circ->base_.state));
697
699 }
700
701 /* We don't do any accounting at the guard until actual circuit close */
703
704 return;
705}
706
707/**
708 * If a stream ever detaches from a circuit in a retriable way,
709 * we need to mark this circuit as still needing either another
710 * successful stream, or in need of a probe.
711 *
712 * An adversary could let the first stream request succeed (ie the
713 * resolve), but then tag and timeout the remainder (via cell
714 * dropping), forcing them on new circuits.
715 *
716 * Rolling back the state will cause us to probe such circuits, which
717 * should lead to probe failures in the event of such tagging due to
718 * either unrecognized cells coming in while we wait for the probe,
719 * or the cipher state getting out of sync in the case of dropped cells.
720 */
721void
723{
725 log_info(LD_CIRC,
726 "Rolling back pathbias use state to 'attempted' for detached "
727 "circuit %d", circ->global_identifier);
729 }
730}
731
732/**
733 * Actually count a circuit success towards a guard's usage counters
734 * if the path state is appropriate.
735 */
736static void
738{
739 entry_guard_t *guard;
740
741 if (!pathbias_should_count(circ)) {
742 return;
743 }
744
746 log_notice(LD_BUG,
747 "Successfully used circuit %d is in strange path state %s. "
748 "Circuit is a %s currently %s.",
749 circ->global_identifier,
752 circuit_state_to_string(circ->base_.state));
753 } else {
756 if (guard) {
758
759 pb->use_successes++;
761
762 if (pb->use_attempts < pb->use_successes) {
763 log_notice(LD_BUG, "Unexpectedly high use successes counts (%f/%f) "
764 "for guard %s",
766 entry_guard_describe(guard));
767 }
768
769 log_debug(LD_CIRC,
770 "Marked circuit %d (%f/%f) as used successfully for guard %s",
772 pb->use_attempts,
773 entry_guard_describe(guard));
774 }
775 }
776
777 return;
778}
779
780/**
781 * Send a probe down a circuit that the client attempted to use,
782 * but for which the stream timed out/failed. The probe is a
783 * RELAY_BEGIN cell with a 0.a.b.c destination address, which
784 * the exit will reject and reply back, echoing that address.
785 *
786 * The reason for such probes is because it is possible to bias
787 * a user's paths simply by causing timeouts, and these timeouts
788 * are not possible to differentiate from unresponsive servers.
789 *
790 * The probe is sent at the end of the circuit lifetime for two
791 * reasons: to prevent cryptographic taggers from being able to
792 * drop cells to cause timeouts, and to prevent easy recognition
793 * of probes before any real client traffic happens.
794 *
795 * Returns -1 if we couldn't probe, 0 otherwise.
796 */
797static int
799{
800 /* Based on connection_ap_handshake_send_begin() */
801 char payload[CELL_PAYLOAD_SIZE];
802 int payload_len;
803 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
804 crypt_path_t *cpath_layer = NULL;
805 char *probe_nonce = NULL;
806
807 tor_assert(ocirc);
808
809 cpath_layer = ocirc->cpath->prev;
810
811 if (cpath_layer->state != CPATH_STATE_OPEN) {
812 /* This can happen for cannibalized circuits. Their
813 * last hop isn't yet open */
814 log_info(LD_CIRC,
815 "Got pathbias probe request for unopened circuit %d. "
816 "Opened %d, len %d", ocirc->global_identifier,
817 ocirc->has_opened, ocirc->build_state->desired_path_len);
818 return -1;
819 }
820
821 /* We already went down this road. */
823 ocirc->pathbias_probe_id) {
824 log_info(LD_CIRC,
825 "Got pathbias probe request for circuit %d with "
826 "outstanding probe", ocirc->global_identifier);
827 return -1;
828 }
829
830 /* Can't probe if the channel isn't open */
831 if (circ->n_chan == NULL ||
832 (!CHANNEL_IS_OPEN(circ->n_chan)
833 && !CHANNEL_IS_MAINT(circ->n_chan))) {
834 log_info(LD_CIRC,
835 "Skipping pathbias probe for circuit %d: Channel is not open.",
836 ocirc->global_identifier);
837 return -1;
838 }
839
841
842 /* Update timestamp for when circuit_expire_building() should kill us */
844
845 /* Generate a random address for the nonce */
846 crypto_rand((char*)&ocirc->pathbias_probe_nonce,
847 sizeof(ocirc->pathbias_probe_nonce));
848 ocirc->pathbias_probe_nonce &= 0x00ffffff;
849 probe_nonce = tor_dup_ip(ocirc->pathbias_probe_nonce);
850
851 if (!probe_nonce) {
852 log_err(LD_BUG, "Failed to generate nonce");
853 return -1;
854 }
855
856 tor_snprintf(payload,RELAY_PAYLOAD_SIZE, "%s:25", probe_nonce);
857 payload_len = (int)strlen(payload)+1;
858
859 // XXX: need this? Can we assume ipv4 will always be supported?
860 // If not, how do we tell?
861 //if (payload_len <= RELAY_PAYLOAD_SIZE - 4 && edge_conn->begincell_flags) {
862 // set_uint32(payload + payload_len, htonl(edge_conn->begincell_flags));
863 // payload_len += 4;
864 //}
865
866 /* Generate+Store stream id, make sure it's non-zero */
868
869 if (ocirc->pathbias_probe_id==0) {
870 log_warn(LD_CIRC,
871 "Ran out of stream IDs on circuit %u during "
872 "pathbias probe attempt.", ocirc->global_identifier);
873 tor_free(probe_nonce);
874 return -1;
875 }
876
877 log_info(LD_CIRC,
878 "Sending pathbias testing cell to %s:25 on stream %d for circ %d.",
879 probe_nonce, ocirc->pathbias_probe_id, ocirc->global_identifier);
880 tor_free(probe_nonce);
881
882 /* Send a test relay cell */
883 if (relay_send_command_from_edge(ocirc->pathbias_probe_id, circ,
884 RELAY_COMMAND_BEGIN, payload,
885 payload_len, cpath_layer) < 0) {
886 log_notice(LD_CIRC,
887 "Failed to send pathbias probe cell on circuit %d.",
888 ocirc->global_identifier);
889 return -1;
890 }
891
892 /* Mark it freshly dirty so it doesn't get expired in the meantime */
893 circ->timestamp_dirty = time(NULL);
894
895 return 0;
896}
897
898/**
899 * Check the response to a pathbias probe, to ensure the
900 * cell is recognized and the nonce and other probe
901 * characteristics are as expected.
902 *
903 * If the response is valid, return 0. Otherwise return < 0.
904 */
905int
907{
908 /* Based on connection_edge_process_relay_cell() */
910 int reason;
911 uint32_t ipv4_host;
912 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
913
914 tor_assert(cell);
915 tor_assert(ocirc);
917
918 relay_header_unpack(&rh, cell->payload);
919
920 reason = rh.length > 0 ?
921 get_uint8(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC;
922
923 if (rh.command == RELAY_COMMAND_END &&
924 reason == END_STREAM_REASON_EXITPOLICY &&
925 ocirc->pathbias_probe_id == rh.stream_id) {
926
927 /* Check length+extract host: It is in network order after the reason code.
928 * See connection_edge_end(). */
929 if (rh.length < 9) { /* reason+ipv4+dns_ttl */
930 log_notice(LD_PROTOCOL,
931 "Short path bias probe response length field (%d).", rh.length);
932 return - END_CIRC_REASON_TORPROTOCOL;
933 }
934
935 ipv4_host = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+1));
936
937 /* Check nonce */
938 if (ipv4_host == ocirc->pathbias_probe_nonce) {
941 circuit_mark_for_close(circ, END_CIRC_REASON_FINISHED);
942 log_info(LD_CIRC,
943 "Got valid path bias probe back for circ %d, stream %d.",
944 ocirc->global_identifier, ocirc->pathbias_probe_id);
945 return 0;
946 } else {
947 log_notice(LD_CIRC,
948 "Got strange probe value 0x%x vs 0x%x back for circ %d, "
949 "stream %d.", ipv4_host, ocirc->pathbias_probe_nonce,
950 ocirc->global_identifier, ocirc->pathbias_probe_id);
951 return -1;
952 }
953 }
954 log_info(LD_CIRC,
955 "Got another cell back back on pathbias probe circuit %d: "
956 "Command: %d, Reason: %d, Stream-id: %d",
957 ocirc->global_identifier, rh.command, reason, rh.stream_id);
958 return -1;
959}
960
961/**
962 * Check if a cell is counts as valid data for a circuit,
963 * and if so, count it as valid.
964 */
965void
967{
968 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
970
971 relay_header_unpack(&rh, cell->payload);
972
973 /* Check to see if this is a cell from a previous connection,
974 * or is a request to close the circuit. */
975 switch (rh.command) {
976 case RELAY_COMMAND_TRUNCATED:
977 /* Truncated cells can arrive on path bias circs. When they do,
978 * just process them. This closes the circ, but it was junk anyway.
979 * No reason to wait for the probe. */
983
984 break;
985
986 case RELAY_COMMAND_END:
988 rh.stream_id)) {
990 }
991 break;
992
993 case RELAY_COMMAND_DATA:
995 rh.stream_id)) {
997 }
998 break;
999
1000 case RELAY_COMMAND_SENDME:
1002 rh.stream_id)) {
1004 }
1005 break;
1006
1007 case RELAY_COMMAND_CONNECTED:
1009 rh.stream_id)) {
1011 }
1012 break;
1013
1014 case RELAY_COMMAND_RESOLVED:
1016 rh.stream_id)) {
1018 }
1019 break;
1020 }
1021}
1022
1023/**
1024 * Check if a circuit was used and/or closed successfully.
1025 *
1026 * If we attempted to use the circuit to carry a stream but failed
1027 * for whatever reason, or if the circuit mysteriously died before
1028 * we could attach any streams, record these two cases.
1029 *
1030 * If we *have* successfully used the circuit, or it appears to
1031 * have been closed by us locally, count it as a success.
1032 *
1033 * Returns 0 if we're done making decisions with the circ,
1034 * or -1 if we want to probe it first.
1035 */
1036int
1038{
1039 circuit_t *circ = &ocirc->base_;
1040
1041 if (!pathbias_should_count(ocirc)) {
1042 return 0;
1043 }
1044
1045 switch (ocirc->path_state) {
1046 /* If the circuit was closed after building, but before use, we need
1047 * to ensure we were the ones who tried to close it (and not a remote
1048 * actor). */
1050 if (reason & END_CIRC_REASON_FLAG_REMOTE) {
1051 /* Remote circ close reasons on an unused circuit all could be bias */
1052 log_info(LD_CIRC,
1053 "Circuit %d remote-closed without successful use for reason %d. "
1054 "Circuit purpose %d currently %d,%s. Len %d.",
1055 ocirc->global_identifier,
1056 reason, circ->purpose, ocirc->has_opened,
1060 } else if ((reason & ~END_CIRC_REASON_FLAG_REMOTE)
1061 == END_CIRC_REASON_CHANNEL_CLOSED &&
1062 circ->n_chan &&
1064 != CHANNEL_CLOSE_REQUESTED) {
1065 /* If we didn't close the channel ourselves, it could be bias */
1066 /* XXX: Only count bias if the network is live?
1067 * What about clock jumps/suspends? */
1068 log_info(LD_CIRC,
1069 "Circuit %d's channel closed without successful use for reason "
1070 "%d, channel reason %d. Circuit purpose %d currently %d,%s. Len "
1071 "%d.", ocirc->global_identifier,
1072 reason, circ->n_chan->reason_for_closing,
1073 circ->purpose, ocirc->has_opened,
1077 } else {
1079 }
1080 break;
1081
1082 /* If we tried to use a circuit but failed, we should probe it to ensure
1083 * it has not been tampered with. */
1085 /* XXX: Only probe and/or count failure if the network is live?
1086 * What about clock jumps/suspends? */
1087 if (pathbias_send_usable_probe(circ) == 0)
1088 return -1;
1089 else
1091
1092 /* Any circuit where there were attempted streams but no successful
1093 * streams could be bias */
1094 log_info(LD_CIRC,
1095 "Circuit %d closed without successful use for reason %d. "
1096 "Circuit purpose %d currently %d,%s. Len %d.",
1097 ocirc->global_identifier,
1098 reason, circ->purpose, ocirc->has_opened,
1101 break;
1102
1106 break;
1107
1110 break;
1111
1115 default:
1116 // Other states are uninteresting. No stats to count.
1117 break;
1118 }
1119
1121
1122 return 0;
1123}
1124
1125/**
1126 * Count a successfully closed circuit.
1127 */
1128static void
1130{
1131 entry_guard_t *guard = NULL;
1132 if (!pathbias_should_count(circ)) {
1133 return;
1134 }
1135
1136 if (circ->cpath && circ->cpath->extend_info) {
1139 }
1140
1141 if (guard) {
1143
1144 /* In the long run: circuit_success ~= successful_circuit_close +
1145 * circ_failure + stream_failure */
1148 } else if (circ->base_.purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
1149 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1150 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1151 * No need to log that case. */
1152 log_info(LD_CIRC,
1153 "Successfully closed circuit has no known guard. "
1154 "Circuit is a %s currently %s",
1156 circuit_state_to_string(circ->base_.state));
1157 }
1158}
1159
1160/**
1161 * Count a circuit that fails after it is built, but before it can
1162 * carry any traffic.
1163 *
1164 * This is needed because there are ways to destroy a
1165 * circuit after it has successfully completed. Right now, this is
1166 * used for purely informational/debugging purposes.
1167 */
1168static void
1170{
1171 entry_guard_t *guard = NULL;
1172
1173 if (!pathbias_should_count(circ)) {
1174 return;
1175 }
1176
1177 if (circ->cpath && circ->cpath->extend_info) {
1180 }
1181
1182 if (guard) {
1184
1185 pb->collapsed_circuits++;
1187 } else if (circ->base_.purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
1188 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1189 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1190 * No need to log that case. */
1191 log_info(LD_CIRC,
1192 "Destroyed circuit has no known guard. "
1193 "Circuit is a %s currently %s",
1195 circuit_state_to_string(circ->base_.state));
1196 }
1197}
1198
1199/**
1200 * Count a known failed circuit (because we could not probe it).
1201 *
1202 * This counter is informational.
1203 */
1204static void
1206{
1207 entry_guard_t *guard = NULL;
1208 if (!pathbias_should_count(circ)) {
1209 return;
1210 }
1211
1212 if (circ->cpath && circ->cpath->extend_info) {
1215 }
1216
1217 if (guard) {
1219
1220 pb->unusable_circuits++;
1222 } else if (circ->base_.purpose != CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT) {
1223 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1224 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1225 * No need to log that case. */
1226 /* XXX note cut-and-paste code in this function compared to nearby
1227 * functions. Would be nice to refactor. -RD */
1228 log_info(LD_CIRC,
1229 "Stream-failing circuit has no known guard. "
1230 "Circuit is a %s currently %s",
1232 circuit_state_to_string(circ->base_.state));
1233 }
1234}
1235
1236/**
1237 * Count timeouts for path bias log messages.
1238 *
1239 * These counts are purely informational.
1240 */
1241void
1243{
1244 entry_guard_t *guard = NULL;
1245
1246 if (!pathbias_should_count(circ)) {
1247 return;
1248 }
1249
1250 /* For hidden service circs, they can actually be used
1251 * successfully and then time out later (because
1252 * the other side declines to use them). */
1253 if (circ->path_state == PATH_STATE_USE_SUCCEEDED) {
1254 return;
1255 }
1256
1257 if (circ->cpath && circ->cpath->extend_info) {
1260 }
1261
1262 if (guard) {
1264
1265 pb->timeouts++;
1267 }
1268}
1269
1270/**
1271 * Helper function to count all of the currently opened circuits
1272 * for a guard that are in a given path state range. The state
1273 * range is inclusive on both ends.
1274 */
1275static int
1277 path_state_t from,
1278 path_state_t to)
1279{
1280 int open_circuits = 0;
1281
1282 /* Count currently open circuits. Give them the benefit of the doubt. */
1284 origin_circuit_t *ocirc = NULL;
1285 if (!CIRCUIT_IS_ORIGIN(circ) || /* didn't originate here */
1286 circ->marked_for_close) /* already counted */
1287 continue;
1288
1289 ocirc = TO_ORIGIN_CIRCUIT(circ);
1290
1291 if (!ocirc->cpath || !ocirc->cpath->extend_info)
1292 continue;
1293
1294 if (ocirc->path_state >= from &&
1295 ocirc->path_state <= to &&
1296 pathbias_should_count(ocirc) &&
1299 DIGEST_LEN)) {
1300 log_debug(LD_CIRC, "Found opened circuit %d in path_state %s",
1301 ocirc->global_identifier,
1303 open_circuits++;
1304 }
1305 }
1306 SMARTLIST_FOREACH_END(circ);
1307
1308 return open_circuits;
1309}
1310
1311/**
1312 * Return the number of circuits counted as successfully closed for
1313 * this guard.
1314 *
1315 * Also add in the currently open circuits to give them the benefit
1316 * of the doubt.
1317 */
1318double
1320{
1322
1323 return pb->successful_circuits_closed +
1327}
1328
1329/**
1330 * Return the number of circuits counted as successfully used
1331 * this guard.
1332 *
1333 * Also add in the currently open circuits that we are attempting
1334 * to use to give them the benefit of the doubt.
1335 */
1336double
1338{
1340
1341 return pb->use_successes +
1345}
1346
1347/**
1348 * Check the path bias use rate against our consensus parameter limits.
1349 *
1350 * Emits a log message if the use success rates are too low.
1351 *
1352 * If pathbias_get_dropguards() is set, we also disable the use of
1353 * very failure prone guards.
1354 */
1355static void
1356pathbias_measure_use_rate(entry_guard_t *guard)
1357{
1358 const or_options_t *options = get_options();
1360
1361 if (pb->use_attempts > pathbias_get_min_use(options)) {
1362 /* Note: We rely on the < comparison here to allow us to set a 0
1363 * rate and disable the feature entirely. If refactoring, don't
1364 * change to <= */
1366 < pathbias_get_extreme_use_rate(options)) {
1367 /* Dropping is currently disabled by default. */
1368 if (pathbias_get_dropguards(options)) {
1369 if (!pb->path_bias_disabled) {
1370 log_warn(LD_CIRC,
1371 "Guard %s is failing to carry an extremely large "
1372 "amount of stream on its circuits. "
1373 "To avoid potential route manipulation attacks, Tor has "
1374 "disabled use of this guard. "
1375 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1376 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1377 "and %ld timed out. "
1378 "For reference, your timeout cutoff is %ld seconds.",
1379 entry_guard_describe(guard),
1387 tor_lround(pb->timeouts),
1389 pb->path_bias_disabled = 1;
1390 return;
1391 }
1392 } else if (!pb->path_bias_use_extreme) {
1393 pb->path_bias_use_extreme = 1;
1394 log_warn(LD_CIRC,
1395 "Guard %s is failing to carry an extremely large "
1396 "amount of streams on its circuits. "
1397 "This could indicate a route manipulation attack, network "
1398 "overload, bad local network connectivity, or a bug. "
1399 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1400 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1401 "and %ld timed out. "
1402 "For reference, your timeout cutoff is %ld seconds.",
1403 entry_guard_describe(guard),
1411 tor_lround(pb->timeouts),
1413 }
1414 } else if (pathbias_get_use_success_count(guard)/pb->use_attempts
1415 < pathbias_get_notice_use_rate(options)) {
1416 if (!pb->path_bias_use_noticed) {
1417 pb->path_bias_use_noticed = 1;
1418 log_notice(LD_CIRC,
1419 "Guard %s is failing to carry more streams on its "
1420 "circuits than usual. "
1421 "Most likely this means the Tor network is overloaded "
1422 "or your network connection is poor. "
1423 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1424 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1425 "and %ld timed out. "
1426 "For reference, your timeout cutoff is %ld seconds.",
1427 entry_guard_describe(guard),
1435 tor_lround(pb->timeouts),
1437 }
1438 }
1439 }
1440}
1441
1442/**
1443 * Check the path bias circuit close status rates against our consensus
1444 * parameter limits.
1445 *
1446 * Emits a log message if the use success rates are too low.
1447 *
1448 * If pathbias_get_dropguards() is set, we also disable the use of
1449 * very failure prone guards.
1450 *
1451 * XXX: This function shares similar log messages and checks to
1452 * pathbias_measure_use_rate(). It may be possible to combine them
1453 * eventually, especially if we can ever remove the need for 3
1454 * levels of closure warns (if the overall circuit failure rate
1455 * goes down with ntor). One way to do so would be to multiply
1456 * the build rate with the use rate to get an idea of the total
1457 * fraction of the total network paths the user is able to use.
1458 * See ticket #8159.
1459 */
1460static void
1461pathbias_measure_close_rate(entry_guard_t *guard)
1462{
1463 const or_options_t *options = get_options();
1465
1466 if (pb->circ_attempts > pathbias_get_min_circs(options)) {
1467 /* Note: We rely on the < comparison here to allow us to set a 0
1468 * rate and disable the feature entirely. If refactoring, don't
1469 * change to <= */
1471 < pathbias_get_extreme_rate(options)) {
1472 /* Dropping is currently disabled by default. */
1473 if (pathbias_get_dropguards(options)) {
1474 if (!pb->path_bias_disabled) {
1475 log_warn(LD_CIRC,
1476 "Guard %s is failing an extremely large "
1477 "amount of circuits. "
1478 "To avoid potential route manipulation attacks, Tor has "
1479 "disabled use of this guard. "
1480 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1481 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1482 "and %ld timed out. "
1483 "For reference, your timeout cutoff is %ld seconds.",
1484 entry_guard_describe(guard),
1492 tor_lround(pb->timeouts),
1494 pb->path_bias_disabled = 1;
1495 return;
1496 }
1497 } else if (!pb->path_bias_extreme) {
1498 pb->path_bias_extreme = 1;
1499 log_warn(LD_CIRC,
1500 "Guard %s is failing an extremely large "
1501 "amount of circuits. "
1502 "This could indicate a route manipulation attack, "
1503 "extreme network overload, or a bug. "
1504 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1505 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1506 "and %ld timed out. "
1507 "For reference, your timeout cutoff is %ld seconds.",
1508 entry_guard_describe(guard),
1516 tor_lround(pb->timeouts),
1518 }
1520 < pathbias_get_warn_rate(options)) {
1521 if (!pb->path_bias_warned) {
1522 pb->path_bias_warned = 1;
1523 log_warn(LD_CIRC,
1524 "Guard %s is failing a very large "
1525 "amount of circuits. "
1526 "Most likely this means the Tor network is "
1527 "overloaded, but it could also mean an attack against "
1528 "you or potentially the guard itself. "
1529 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1530 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1531 "and %ld timed out. "
1532 "For reference, your timeout cutoff is %ld seconds.",
1533 entry_guard_describe(guard),
1541 tor_lround(pb->timeouts),
1543 }
1545 < pathbias_get_notice_rate(options)) {
1546 if (!pb->path_bias_noticed) {
1547 pb->path_bias_noticed = 1;
1548 log_notice(LD_CIRC,
1549 "Guard %s is failing more circuits than "
1550 "usual. "
1551 "Most likely this means the Tor network is overloaded. "
1552 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1553 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1554 "and %ld timed out. "
1555 "For reference, your timeout cutoff is %ld seconds.",
1556 entry_guard_describe(guard),
1564 tor_lround(pb->timeouts),
1566 }
1567 }
1568 }
1569}
1570
1571/**
1572 * This function scales the path bias use rates if we have
1573 * more data than the scaling threshold. This allows us to
1574 * be more sensitive to recent measurements.
1575 *
1576 * XXX: The attempt count transfer stuff here might be done
1577 * better by keeping separate pending counters that get
1578 * transferred at circuit close. See ticket #8160.
1579 */
1580static void
1581pathbias_scale_close_rates(entry_guard_t *guard)
1582{
1583 const or_options_t *options = get_options();
1585
1586 /* If we get a ton of circuits, just scale everything down */
1587 if (pb->circ_attempts > pathbias_get_scale_threshold(options)) {
1588 double scale_ratio = pathbias_get_scale_ratio(options);
1589 int opened_attempts = pathbias_count_circs_in_states(guard,
1591 int opened_built = pathbias_count_circs_in_states(guard,
1594 /* Verify that the counts are sane before and after scaling */
1595 int counts_are_sane = (pb->circ_attempts >= pb->circ_successes);
1596
1597 pb->circ_attempts -= (opened_attempts+opened_built);
1598 pb->circ_successes -= opened_built;
1599
1600 pb->circ_attempts *= scale_ratio;
1601 pb->circ_successes *= scale_ratio;
1602 pb->timeouts *= scale_ratio;
1603 pb->successful_circuits_closed *= scale_ratio;
1604 pb->collapsed_circuits *= scale_ratio;
1605 pb->unusable_circuits *= scale_ratio;
1606
1607 pb->circ_attempts += (opened_attempts+opened_built);
1608 pb->circ_successes += opened_built;
1609
1611
1612 log_info(LD_CIRC,
1613 "Scaled pathbias counts to (%f,%f)/%f (%d/%d open) for guard "
1614 "%s",
1616 pb->circ_attempts, opened_built, opened_attempts,
1617 entry_guard_describe(guard));
1618
1619 /* Have the counts just become invalid by this scaling attempt? */
1620 if (counts_are_sane && pb->circ_attempts < pb->circ_successes) {
1621 log_notice(LD_BUG,
1622 "Scaling has mangled pathbias counts to %f/%f (%d/%d open) "
1623 "for guard %s",
1624 pb->circ_successes, pb->circ_attempts, opened_built,
1625 opened_attempts,
1626 entry_guard_describe(guard));
1627 }
1628 }
1629}
1630
1631/**
1632 * This function scales the path bias circuit close rates if we have
1633 * more data than the scaling threshold. This allows us to be more
1634 * sensitive to recent measurements.
1635 *
1636 * XXX: The attempt count transfer stuff here might be done
1637 * better by keeping separate pending counters that get
1638 * transferred at circuit close. See ticket #8160.
1639 */
1640void
1641pathbias_scale_use_rates(entry_guard_t *guard)
1642{
1643 const or_options_t *options = get_options();
1645
1646 /* If we get a ton of circuits, just scale everything down */
1648 double scale_ratio = pathbias_get_scale_ratio(options);
1649 int opened_attempts = pathbias_count_circs_in_states(guard,
1651 /* Verify that the counts are sane before and after scaling */
1652 int counts_are_sane = (pb->use_attempts >= pb->use_successes);
1653
1654 pb->use_attempts -= opened_attempts;
1655
1656 pb->use_attempts *= scale_ratio;
1657 pb->use_successes *= scale_ratio;
1658
1659 pb->use_attempts += opened_attempts;
1660
1661 log_info(LD_CIRC,
1662 "Scaled pathbias use counts to %f/%f (%d open) for guard %s",
1663 pb->use_successes, pb->use_attempts, opened_attempts,
1664 entry_guard_describe(guard));
1665
1666 /* Have the counts just become invalid by this scaling attempt? */
1667 if (counts_are_sane && pb->use_attempts < pb->use_successes) {
1668 log_notice(LD_BUG,
1669 "Scaling has mangled pathbias usage counts to %f/%f "
1670 "(%d open) for guard %s",
1672 opened_attempts, entry_guard_describe(guard));
1673 }
1674
1676 }
1677}
char * tor_dup_ip(uint32_t addr)
Definition: address.c:2047
time_t approx_time(void)
Definition: approx_time.c:32
static uint8_t get_uint8(const void *cp)
Definition: bytes.h:23
static uint32_t get_uint32(const void *cp)
Definition: bytes.h:54
Fixed-size cell structure.
Header file for channel.c.
int pathbias_count_build_attempt(origin_circuit_t *circ)
Definition: circpathbias.c:446
double pathbias_get_extreme_use_rate(const or_options_t *options)
Definition: circpathbias.c:232
void pathbias_count_use_attempt(origin_circuit_t *circ)
Definition: circpathbias.c:626
static void pathbias_count_use_success(origin_circuit_t *circ)
Definition: circpathbias.c:737
static int pathbias_get_min_circs(const or_options_t *options)
Definition: circpathbias.c:84
static int pathbias_should_count(origin_circuit_t *circ)
Definition: circpathbias.c:323
void pathbias_count_valid_cells(circuit_t *circ, const cell_t *cell)
Definition: circpathbias.c:966
static int pathbias_get_min_use(const or_options_t *options)
Definition: circpathbias.c:203
int pathbias_check_close(origin_circuit_t *ocirc, int reason)
static double pathbias_get_warn_rate(const or_options_t *options)
Definition: circpathbias.c:109
static void pathbias_scale_use_rates(entry_guard_t *guard)
static void pathbias_count_collapse(origin_circuit_t *circ)
static double pathbias_get_notice_use_rate(const or_options_t *options)
Definition: circpathbias.c:216
static void pathbias_count_use_failed(origin_circuit_t *circ)
void pathbias_count_timeout(origin_circuit_t *circ)
static void pathbias_count_successful_close(origin_circuit_t *circ)
static int pathbias_is_new_circ_attempt(origin_circuit_t *circ)
Definition: circpathbias.c:296
double pathbias_get_extreme_rate(const or_options_t *options)
Definition: circpathbias.c:125
const char * pathbias_state_to_string(path_state_t state)
Definition: circpathbias.c:265
static int pathbias_send_usable_probe(circuit_t *circ)
Definition: circpathbias.c:798
void pathbias_mark_use_rollback(origin_circuit_t *circ)
Definition: circpathbias.c:722
double pathbias_get_use_success_count(entry_guard_t *guard)
static int pathbias_get_scale_use_threshold(const or_options_t *options)
Definition: circpathbias.c:250
static void pathbias_measure_use_rate(entry_guard_t *guard)
static double pathbias_get_notice_rate(const or_options_t *options)
Definition: circpathbias.c:97
static int entry_guard_inc_circ_attempt_count(entry_guard_t *guard)
Definition: circpathbias.c:61
static void pathbias_measure_close_rate(entry_guard_t *guard)
static int pathbias_count_circs_in_states(entry_guard_t *guard, path_state_t from, path_state_t to)
static double pathbias_get_scale_ratio(const or_options_t *options)
Definition: circpathbias.c:177
int pathbias_check_probe_response(circuit_t *circ, const cell_t *cell)
Definition: circpathbias.c:906
static int pathbias_get_scale_threshold(const or_options_t *options)
Definition: circpathbias.c:158
int pathbias_get_dropguards(const or_options_t *options)
Definition: circpathbias.c:141
static void pathbias_scale_close_rates(entry_guard_t *guard)
void pathbias_mark_use_success(origin_circuit_t *circ)
Definition: circpathbias.c:683
void pathbias_count_build_success(origin_circuit_t *circ)
Definition: circpathbias.c:534
double pathbias_get_close_success_count(entry_guard_t *guard)
int circuit_truncated(origin_circuit_t *circ, int reason)
Header file for circuitbuild.c.
origin_circuit_t * TO_ORIGIN_CIRCUIT(circuit_t *x)
Definition: circuitlist.c:185
const char * circuit_state_to_string(int state)
Definition: circuitlist.c:781
const char * circuit_purpose_to_string(uint8_t purpose)
Definition: circuitlist.c:929
smartlist_t * circuit_get_global_list(void)
Definition: circuitlist.c:713
Header file for circuitlist.c.
#define CIRCUIT_PURPOSE_S_CONNECT_REND
Definition: circuitlist.h:107
#define CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT
Definition: circuitlist.h:93
#define CIRCUIT_PURPOSE_PATH_BIAS_TESTING
Definition: circuitlist.h:123
#define CIRCUIT_PURPOSE_CONTROLLER
Definition: circuitlist.h:121
#define CIRCUIT_IS_ORIGIN(c)
Definition: circuitlist.h:154
#define CIRCUIT_PURPOSE_TESTING
Definition: circuitlist.h:118
#define CIRCUIT_PURPOSE_S_REND_JOINED
Definition: circuitlist.h:110
#define CIRCUIT_PURPOSE_C_INTRODUCE_ACKED
Definition: circuitlist.h:79
#define CIRCUIT_PURPOSE_C_INTRODUCING
Definition: circuitlist.h:73
#define CIRCUIT_PURPOSE_CONFLUX_UNLINKED
Definition: circuitlist.h:137
double get_circuit_build_close_time_ms(void)
Definition: circuitstats.c:93
Header file for circuitstats.c.
void circuit_read_valid_data(origin_circuit_t *circ, uint16_t relay_body_len)
Definition: circuituse.c:3197
void circuit_change_purpose(circuit_t *circ, uint8_t new_purpose)
Definition: circuituse.c:3095
Header file for circuituse.c.
const or_options_t * get_options(void)
Definition: config.c:944
Header file for config.c.
int connection_half_edge_is_valid_data(const smartlist_t *half_conns, streamid_t stream_id)
int connection_half_edge_is_valid_end(smartlist_t *half_conns, streamid_t stream_id)
int connection_half_edge_is_valid_connected(const smartlist_t *half_conns, streamid_t stream_id)
int connection_half_edge_is_valid_resolved(smartlist_t *half_conns, streamid_t stream_id)
int connection_half_edge_is_valid_sendme(const smartlist_t *half_conns, streamid_t stream_id)
streamid_t get_unique_stream_id_by_circ(origin_circuit_t *circ)
Header file for connection_edge.c.
Circuit-build-stse structure.
Path structures for origin circuits.
void crypto_rand(char *to, size_t n)
Definition: crypto_rand.c:479
Common functions for using (pseudo-)random number generators.
#define fast_memeq(a, b, c)
Definition: di_ops.h:35
#define DIGEST_LEN
Definition: digest_sizes.h:20
void entry_guards_changed(void)
Definition: entrynodes.c:3672
entry_guard_t * entry_guard_get_by_id_digest(const char *digest)
Definition: entrynodes.c:3460
const char * entry_guard_get_rsa_id_digest(const entry_guard_t *guard)
Definition: entrynodes.c:336
guard_pathbias_t * entry_guard_get_pathbias_state(entry_guard_t *guard)
Definition: entrynodes.c:343
const char * entry_guard_describe(const entry_guard_t *guard)
Definition: entrynodes.c:324
Header file for circuitbuild.c.
Extend-info structure.
long tor_lround(double d)
Definition: fp.c:31
Header for fp.c.
Header for laplace.c.
#define LD_PROTOCOL
Definition: log.h:72
#define LD_BUG
Definition: log.h:86
#define LD_CIRC
Definition: log.h:82
#define tor_free(p)
Definition: malloc.h:56
int32_t networkstatus_get_param(const networkstatus_t *ns, const char *param_name, int32_t default_val, int32_t min_val, int32_t max_val)
Header file for networkstatus.c.
Master header file for Tor-specific functionality.
#define CELL_PAYLOAD_SIZE
Definition: or.h:465
#define RELAY_PAYLOAD_SIZE
Definition: or.h:494
#define END_CIRC_REASON_FLAG_REMOTE
Definition: or.h:341
#define RELAY_HEADER_SIZE
Definition: or.h:492
Origin circuit structure.
path_state_t
@ PATH_STATE_ALREADY_COUNTED
@ PATH_STATE_USE_FAILED
@ PATH_STATE_BUILD_ATTEMPTED
@ PATH_STATE_BUILD_SUCCEEDED
@ PATH_STATE_USE_SUCCEEDED
@ PATH_STATE_NEW_CIRC
@ PATH_STATE_USE_ATTEMPTED
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
char * rate_limit_log(ratelim_t *lim, time_t now)
Definition: ratelim.c:42
void relay_header_unpack(relay_header_t *dest, const uint8_t *src)
Definition: relay.c:511
Header file for relay.c.
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
Definition: cell_st.h:17
uint8_t payload[CELL_PAYLOAD_SIZE]
Definition: cell_st.h:21
char identity_digest[DIGEST_LEN]
Definition: channel.h:378
enum channel_t::@8 reason_for_closing
uint8_t state
Definition: circuit_st.h:111
time_t timestamp_dirty
Definition: circuit_st.h:188
uint8_t purpose
Definition: circuit_st.h:112
struct timeval timestamp_began
Definition: circuit_st.h:166
channel_t * n_chan
Definition: circuit_st.h:70
struct crypt_path_t * prev
Definition: crypt_path_st.h:79
uint8_t state
Definition: crypt_path_st.h:72
struct crypt_path_t * next
Definition: crypt_path_st.h:76
extend_info_t * extend_info
Definition: crypt_path_st.h:65
char identity_digest[DIGEST_LEN]
unsigned int path_bias_use_noticed
Definition: entrynodes.h:44
unsigned int path_bias_use_extreme
Definition: entrynodes.h:46
double use_successes
Definition: entrynodes.h:62
unsigned int path_bias_warned
Definition: entrynodes.h:38
unsigned int path_bias_extreme
Definition: entrynodes.h:40
double circ_attempts
Definition: entrynodes.h:49
double collapsed_circuits
Definition: entrynodes.h:54
double circ_successes
Definition: entrynodes.h:50
unsigned int path_bias_disabled
Definition: entrynodes.h:42
double unusable_circuits
Definition: entrynodes.h:57
double successful_circuits_closed
Definition: entrynodes.h:52
double use_attempts
Definition: entrynodes.h:61
unsigned int path_bias_noticed
Definition: entrynodes.h:36
int PathBiasCircThreshold
int PathBiasUseThreshold
unsigned int has_opened
path_state_bitfield_t path_state
uint32_t pathbias_probe_nonce
unsigned int any_hop_from_controller
crypt_path_t * cpath
streamid_t pathbias_probe_id
cpath_build_state_t * build_state
smartlist_t * half_streams
uint16_t length
Definition: or.h:531
uint8_t command
Definition: or.h:527
streamid_t stream_id
Definition: or.h:529
void tor_gettimeofday(struct timeval *timeval)
#define tor_assert(expr)
Definition: util_bug.h:103
#define tor_fragile_assert()
Definition: util_bug.h:278