Tor 0.4.9.2-alpha-dev
All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Modules Pages
entrynodes.c
Go to the documentation of this file.
1/* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5/* See LICENSE for licensing information */
6
7/**
8 * \file entrynodes.c
9 * \brief Code to manage our fixed first nodes for various functions.
10 *
11 * Entry nodes can be guards (for general use) or bridges (for censorship
12 * circumvention).
13 *
14 * In general, we use entry guards to prevent traffic-sampling attacks:
15 * if we chose every circuit independently, an adversary controlling
16 * some fraction of paths on the network would observe a sample of every
17 * user's traffic. Using guards gives users a chance of not being
18 * profiled.
19 *
20 * The current entry guard selection code is designed to try to avoid
21 * _ever_ trying every guard on the network, to try to stick to guards
22 * that we've used before, to handle hostile/broken networks, and
23 * to behave sanely when the network goes up and down.
24 *
25 * Our algorithm works as follows: First, we maintain a SAMPLE of guards
26 * we've seen in the networkstatus consensus. We maintain this sample
27 * over time, and store it persistently; it is chosen without reference
28 * to our configuration or firewall rules. Guards remain in the sample
29 * as they enter and leave the consensus. We expand this sample as
30 * needed, up to a maximum size.
31 *
32 * As a subset of the sample, we maintain a FILTERED SET of the guards
33 * that we would be willing to use if we could connect to them. The
34 * filter removes all the guards that we're excluding because they're
35 * bridges (or not bridges), because we have restrictive firewall rules,
36 * because of ExcludeNodes, because we of path bias restrictions,
37 * because they're absent from the network at present, and so on.
38 *
39 * As a subset of the filtered set, we keep a REACHABLE FILTERED SET
40 * (also called a "usable filtered set") of those guards that we call
41 * "reachable" or "maybe reachable". A guard is reachable if we've
42 * connected to it more recently than we've failed. A guard is "maybe
43 * reachable" if we have never tried to connect to it, or if we
44 * failed to connect to it so long ago that we no longer think our
45 * failure means it's down.
46 *
47 * As a persistent ordered list whose elements are taken from the
48 * sampled set, we track a CONFIRMED GUARDS LIST. A guard becomes
49 * confirmed when we successfully build a circuit through it, and decide
50 * to use that circuit.
51 *
52 * And as a final group, we have an ordered list of PRIMARY GUARDS,
53 * whose elements are taken from the filtered set. We prefer
54 * confirmed guards to non-confirmed guards for this list, and place
55 * other restrictions on it. The primary guards are the ones that we
56 * connect to "when nothing is wrong" -- circuits through them can be used
57 * immediately.
58 *
59 * To build circuits, we take a primary guard if possible -- or a
60 * reachable filtered confirmed guard if no primary guard is possible --
61 * or the first (by sampled order) filtered guard otherwise. If the guard is
62 * primary, we can use the circuit immediately on success. Otherwise,
63 * the guard is now "pending" -- we won't use its circuit unless all
64 * of the circuits we're trying to build through better guards have
65 * definitely failed.
66 *
67 * While we're building circuits, we track a little "guard state" for
68 * each circuit. We use this to keep track of whether the circuit is
69 * one that we can use as soon as it's done, or whether it's one that
70 * we should keep around to see if we can do better. In the latter case,
71 * a periodic call to entry_guards_upgrade_waiting_circuits() will
72 * eventually upgrade it.
73 **/
74/* DOCDOC -- expand this.
75 *
76 * Information invariants:
77 *
78 * [x] whenever a guard becomes unreachable, clear its usable_filtered flag.
79 *
80 * [x] Whenever a guard becomes reachable or maybe-reachable, if its filtered
81 * flag is set, set its usable_filtered flag.
82 *
83 * [x] Whenever we get a new consensus, call update_from_consensus(). (LATER.)
84 *
85 * [x] Whenever the configuration changes in a relevant way, update the
86 * filtered/usable flags. (LATER.)
87 *
88 * [x] Whenever we add a guard to the sample, make sure its filtered/usable
89 * flags are set as possible.
90 *
91 * [x] Whenever we remove a guard from the sample, remove it from the primary
92 * and confirmed lists.
93 *
94 * [x] When we make a guard confirmed, update the primary list, and sort them
95 * by sampled order.
96 *
97 * [x] When we make a guard filtered or unfiltered, update the primary list.
98 *
99 * [x] When we are about to pick a guard, make sure that the primary list is
100 * full.
101 *
102 * [x] When we update the confirmed list, or when we re-build the primary list
103 * and detect a change, we sort those lists by sampled_idx
104 *
105 * [x] Before calling first_reachable_filtered_entry_guard(), make sure
106 * that the filtered, primary, and confirmed flags are up-to-date.
107 *
108 * [x] Call entry_guard_consider_retry every time we are about to check
109 * is_usable_filtered or is_reachable, and every time we set
110 * is_filtered to 1.
111 *
112 * [x] Call entry_guards_changed_for_guard_selection() whenever we update
113 * a persistent field.
114 */
115
116#define ENTRYNODES_PRIVATE
117
118#include "core/or/or.h"
119#include "app/config/config.h"
120#include "lib/confmgt/confmgt.h"
121#include "app/config/statefile.h"
124#include "core/or/channel.h"
125#include "core/or/circuitbuild.h"
126#include "core/or/circuitlist.h"
127#include "core/or/circuitstats.h"
128#include "core/or/circuituse.h"
129#include "core/or/conflux_pool.h"
130#include "core/or/policies.h"
132#include "feature/client/circpathbias.h"
145#include "feature/relay/router.h"
149#include "lib/math/fp.h"
150
155
156#include "core/or/conflux_util.h"
157
158/** A list of existing guard selection contexts. */
160/** The currently enabled guard selection context. */
161static guard_selection_t *curr_guard_context = NULL;
162
163/** A value of 1 means that at least one context has changed,
164 * and those changes need to be flushed to disk. */
165static int entry_guards_dirty = 0;
166
167static void entry_guard_set_filtered_flags(const or_options_t *options,
168 guard_selection_t *gs,
169 entry_guard_t *guard);
170static void pathbias_check_use_success_count(entry_guard_t *guard);
171static void pathbias_check_close_success_count(entry_guard_t *guard);
172static int node_is_possible_guard(const node_t *node);
173static int node_passes_guard_filter(const or_options_t *options,
174 const node_t *node);
175static entry_guard_t *entry_guard_add_to_sample_impl(guard_selection_t *gs,
176 const uint8_t *rsa_id_digest,
177 const char *nickname,
178 const tor_addr_port_t *bridge_addrport);
179static entry_guard_t *get_sampled_guard_by_bridge_addr(guard_selection_t *gs,
180 const tor_addr_port_t *addrport);
181static int entry_guard_obeys_restriction(const entry_guard_t *guard,
182 const entry_guard_restriction_t *rst);
183static int compare_guards_by_sampled_idx(const void **a_, const void **b_);
184
185/** Return 0 if we should apply guardfraction information found in the
186 * consensus. A specific consensus can be specified with the
187 * <b>ns</b> argument, if NULL the most recent one will be picked.*/
188int
190{
191 /* We need to check the corresponding torrc option and the consensus
192 * parameter if we need to. */
193 const or_options_t *options = get_options();
194
195 /* If UseGuardFraction is 'auto' then check the same-named consensus
196 * parameter. If the consensus parameter is not present, default to
197 * "off". */
198 if (options->UseGuardFraction == -1) {
199 return networkstatus_get_param(ns, "UseGuardFraction",
200 0, /* default to "off" */
201 0, 1);
202 }
203
204 return options->UseGuardFraction;
205}
206
207/** Return true iff we know a preferred descriptor for <b>guard</b> */
208static int
209guard_has_descriptor(const entry_guard_t *guard)
210{
211 const node_t *node = node_get_by_id(guard->identity);
212 if (!node)
213 return 0;
214 return node_has_preferred_descriptor(node, 1);
215}
216
217/**
218 * Try to determine the correct type for a selection named "name",
219 * if <b>type</b> is GS_TYPE_INFER.
220 */
221STATIC guard_selection_type_t
222guard_selection_infer_type(guard_selection_type_t type,
223 const char *name)
224{
225 if (type == GS_TYPE_INFER) {
226 if (!strcmp(name, "bridges"))
227 type = GS_TYPE_BRIDGE;
228 else if (!strcmp(name, "restricted"))
229 type = GS_TYPE_RESTRICTED;
230 else
231 type = GS_TYPE_NORMAL;
232 }
233 return type;
234}
235
236/**
237 * Allocate and return a new guard_selection_t, with the name <b>name</b>.
238 */
239STATIC guard_selection_t *
241 guard_selection_type_t type)
242{
243 guard_selection_t *gs;
244
245 type = guard_selection_infer_type(type, name);
246
247 gs = tor_malloc_zero(sizeof(*gs));
248 gs->name = tor_strdup(name);
249 gs->type = type;
250 gs->sampled_entry_guards = smartlist_new();
251 gs->confirmed_entry_guards = smartlist_new();
252 gs->primary_entry_guards = smartlist_new();
253
254 return gs;
255}
256
257/**
258 * Return the guard selection called <b>name</b>. If there is none, and
259 * <b>create_if_absent</b> is true, then create and return it. If there
260 * is none, and <b>create_if_absent</b> is false, then return NULL.
261 */
262STATIC guard_selection_t *
264 guard_selection_type_t type,
265 int create_if_absent)
266{
267 if (!guard_contexts) {
269 }
270 SMARTLIST_FOREACH_BEGIN(guard_contexts, guard_selection_t *, gs) {
271 if (!strcmp(gs->name, name))
272 return gs;
273 } SMARTLIST_FOREACH_END(gs);
274
275 if (! create_if_absent)
276 return NULL;
277
278 log_debug(LD_GUARD, "Creating a guard selection called %s", name);
279 guard_selection_t *new_selection = guard_selection_new(name, type);
280 smartlist_add(guard_contexts, new_selection);
281
282 return new_selection;
283}
284
285/**
286 * Allocate the first guard context that we're planning to use,
287 * and make it the current context.
288 */
289static void
291{
293 if (!guard_contexts) {
295 }
296 guard_selection_type_t type = GS_TYPE_INFER;
297 const char *name = choose_guard_selection(
298 get_options(),
300 approx_time(),
302 NULL,
303 &type);
304 tor_assert(name); // "name" can only be NULL if we had an old name.
305 tor_assert(type != GS_TYPE_INFER);
306 log_notice(LD_GUARD, "Starting with guard context \"%s\"", name);
308}
309
310/** Get current default guard_selection_t, creating it if necessary */
311guard_selection_t *
313{
314 if (!curr_guard_context) {
316 }
317
318 return curr_guard_context;
319}
320
321/** Return a statically allocated human-readable description of <b>guard</b>
322 */
323const char *
324entry_guard_describe(const entry_guard_t *guard)
325{
326 static char buf[256];
327 tor_snprintf(buf, sizeof(buf),
328 "%s ($%s)",
329 strlen(guard->nickname) ? guard->nickname : "[bridge]",
330 hex_str(guard->identity, DIGEST_LEN));
331 return buf;
332}
333
334/** Return <b>guard</b>'s 20-byte RSA identity digest */
335const char *
336entry_guard_get_rsa_id_digest(const entry_guard_t *guard)
337{
338 return guard->identity;
339}
340
341/** Return the pathbias state associated with <b>guard</b>. */
344{
345 return &guard->pb;
346}
347
348HANDLE_IMPL(entry_guard, entry_guard_t, ATTR_UNUSED STATIC)
349
350/** Return an interval between 'now' and 'max_backdate' seconds in the past,
351 * chosen uniformly at random. We use this before recording persistent
352 * dates, so that we aren't leaking exactly when we recorded it.
353 */
354MOCK_IMPL(STATIC time_t,
355randomize_time,(time_t now, time_t max_backdate))
356{
357 tor_assert(max_backdate > 0);
358
359 time_t earliest = now - max_backdate;
360 time_t latest = now;
361 if (earliest <= 0)
362 earliest = 1;
363 if (latest <= earliest)
364 latest = earliest + 1;
365
366 return crypto_rand_time_range(earliest, latest);
367}
368
369/**
370 * @name parameters for networkstatus algorithm
371 *
372 * These parameters are taken from the consensus; some are overrideable in
373 * the torrc.
374 */
375/**@{*/
376/**
377 * We never let our sampled guard set grow larger than this fraction
378 * of the guards on the network.
379 */
380STATIC double
382{
383 int32_t pct =
384 networkstatus_get_param(NULL, "guard-max-sample-threshold-percent",
385 DFLT_MAX_SAMPLE_THRESHOLD_PERCENT,
386 1, 100);
387 return pct / 100.0;
388}
389/**
390 * We never let our sampled guard set grow larger than this number.
391 */
392STATIC int
394{
395 return (int) networkstatus_get_param(NULL, "guard-max-sample-size",
396 DFLT_MAX_SAMPLE_SIZE,
397 1, INT32_MAX);
398}
399/**
400 * We always try to make our sample contain at least this many guards.
401 */
402STATIC int
404{
405 return networkstatus_get_param(NULL, "guard-min-filtered-sample-size",
406 DFLT_MIN_FILTERED_SAMPLE_SIZE,
407 1, INT32_MAX);
408}
409/**
410 * If a guard is unlisted for this many days in a row, we remove it.
411 */
412STATIC int
414{
415 return networkstatus_get_param(NULL,
416 "guard-remove-unlisted-guards-after-days",
417 DFLT_REMOVE_UNLISTED_GUARDS_AFTER_DAYS,
418 1, 365*10);
419}
420
421/**
422 * Return number of seconds that will make a guard no longer eligible
423 * for selection if unlisted for this long.
424 */
425static time_t
427{
428 return get_remove_unlisted_guards_after_days() * 24 * 60 * 60;
429}
430
431/**
432 * We remove unconfirmed guards from the sample after this many days,
433 * regardless of whether they are listed or unlisted.
434 */
435STATIC int
437{
438 if (get_options()->GuardLifetime >= 86400)
439 return get_options()->GuardLifetime;
440 int32_t days;
441 days = networkstatus_get_param(NULL,
442 "guard-lifetime-days",
443 DFLT_GUARD_LIFETIME_DAYS, 1, 365*10);
444 return days * 86400;
445}
446/**
447 * We remove confirmed guards from the sample if they were sampled
448 * GUARD_LIFETIME_DAYS ago and confirmed this many days ago.
449 */
450STATIC int
452{
453 if (get_options()->GuardLifetime >= 86400)
454 return get_options()->GuardLifetime;
455 int32_t days;
456 days = networkstatus_get_param(NULL, "guard-confirmed-min-lifetime-days",
457 DFLT_GUARD_CONFIRMED_MIN_LIFETIME_DAYS,
458 1, 365*10);
459 return days * 86400;
460}
461/**
462 * How many guards do we try to keep on our primary guard list?
463 */
464STATIC int
466{
467 /* If the user has explicitly configured the number of primary guards, do
468 * what the user wishes to do */
469 const int configured_primaries = get_options()->NumPrimaryGuards;
470 if (configured_primaries) {
471 return configured_primaries;
472 }
473
474 /* otherwise check for consensus parameter and if that's not set either, just
475 * use the default value. */
476 return networkstatus_get_param(NULL,
477 "guard-n-primary-guards",
478 DFLT_N_PRIMARY_GUARDS, 1, INT32_MAX);
479}
480/**
481 * Return the number of the live primary guards we should look at when
482 * making a circuit.
483 */
484STATIC int
486{
487 int configured;
488 const char *param_name;
489 int param_default;
490
491 /* If the user has explicitly configured the amount of guards, use
492 that. Otherwise, fall back to the default value. */
493 if (usage == GUARD_USAGE_DIRGUARD) {
494 configured = get_options()->NumDirectoryGuards;
495 param_name = "guard-n-primary-dir-guards-to-use";
496 param_default = DFLT_N_PRIMARY_DIR_GUARDS_TO_USE;
497 } else {
498 configured = get_options()->NumEntryGuards;
499 param_name = "guard-n-primary-guards-to-use";
500 param_default = DFLT_N_PRIMARY_GUARDS_TO_USE;
501 }
502 if (configured >= 1) {
503 return configured;
504 }
505 return networkstatus_get_param(NULL,
506 param_name, param_default, 1, INT32_MAX);
507}
508/**
509 * If we haven't successfully built or used a circuit in this long, then
510 * consider that the internet is probably down.
511 */
512STATIC int
514{
515 return networkstatus_get_param(NULL, "guard-internet-likely-down-interval",
516 DFLT_INTERNET_LIKELY_DOWN_INTERVAL,
517 1, INT32_MAX);
518}
519/**
520 * If we're trying to connect to a nonprimary guard for at least this
521 * many seconds, and we haven't gotten the connection to work, we will treat
522 * lower-priority guards as usable.
523 */
524STATIC int
526{
527 return networkstatus_get_param(NULL,
528 "guard-nonprimary-guard-connect-timeout",
529 DFLT_NONPRIMARY_GUARD_CONNECT_TIMEOUT,
530 1, INT32_MAX);
531}
532/**
533 * If a circuit has been sitting around in 'waiting for better guard' state
534 * for at least this long, we'll expire it.
535 */
536STATIC int
538{
539 return networkstatus_get_param(NULL,
540 "guard-nonprimary-guard-idle-timeout",
541 DFLT_NONPRIMARY_GUARD_IDLE_TIMEOUT,
542 1, INT32_MAX);
543}
544/**
545 * If our configuration retains fewer than this fraction of guards from the
546 * torrc, we are in a restricted setting.
547 */
548STATIC double
550{
551 int32_t pct = networkstatus_get_param(NULL,
552 "guard-meaningful-restriction-percent",
553 DFLT_MEANINGFUL_RESTRICTION_PERCENT,
554 1, INT32_MAX);
555 return pct / 100.0;
556}
557/**
558 * If our configuration retains fewer than this fraction of guards from the
559 * torrc, we are in an extremely restricted setting, and should warn.
560 */
561STATIC double
563{
564 int32_t pct = networkstatus_get_param(NULL,
565 "guard-extreme-restriction-percent",
566 DFLT_EXTREME_RESTRICTION_PERCENT,
567 1, 100);
568 return pct / 100.0;
569}
570
571/* Mark <b>guard</b> as maybe reachable again. */
572static void
573mark_guard_maybe_reachable(entry_guard_t *guard)
574{
575 if (guard->is_reachable != GUARD_REACHABLE_NO) {
576 return;
577 }
578
579 /* Note that we do not clear failing_since: this guard is now only
580 * _maybe-reachable_. */
581 guard->is_reachable = GUARD_REACHABLE_MAYBE;
582 if (guard->is_filtered_guard)
583 guard->is_usable_filtered_guard = 1;
584
585 /* Check if it is a bridge and we don't have its descriptor yet */
586 if (guard->bridge_addr && !guard_has_descriptor(guard)) {
587 /* Reset the descriptor fetch retry schedule, so it gives it another
588 * go soon. It's important to keep any "REACHABLE_MAYBE" bridges in
589 * sync with the descriptor fetch schedule, since we will refuse to
590 * use the network until our first primary bridges are either
591 * known-usable or known-unusable. See bug 40396. */
592 download_status_t *dl = get_bridge_dl_status_by_id(guard->identity);
593 if (dl)
595 }
596}
597
598/**
599 * Called when the network comes up after having seemed to be down for
600 * a while: Mark the primary guards as maybe-reachable so that we'll
601 * try them again.
602 */
603STATIC void
605{
606 tor_assert(gs);
607
608 if (!gs->primary_guards_up_to_date)
610
611 SMARTLIST_FOREACH_BEGIN(gs->primary_entry_guards, entry_guard_t *, guard) {
612 mark_guard_maybe_reachable(guard);
613 } SMARTLIST_FOREACH_END(guard);
614}
615
616/* Called when we exhaust all guards in our sampled set: Marks all guards as
617 maybe-reachable so that we'll try them again. */
618static void
619mark_all_guards_maybe_reachable(guard_selection_t *gs)
620{
621 tor_assert(gs);
622
623 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
624 mark_guard_maybe_reachable(guard);
625 } SMARTLIST_FOREACH_END(guard);
626}
627
628/**@}*/
629
630/**
631 * Given our options and our list of nodes, return the name of the
632 * guard selection that we should use. Return NULL for "use the
633 * same selection you were using before.
634 */
635STATIC const char *
637 const networkstatus_t *live_ns,
638 const guard_selection_t *old_selection,
639 guard_selection_type_t *type_out)
640{
641 tor_assert(options);
642 tor_assert(type_out);
643
644 if (options->UseBridges) {
645 *type_out = GS_TYPE_BRIDGE;
646 return "bridges";
647 }
648
649 if (! live_ns) {
650 /* without a networkstatus, we can't tell any more than that. */
651 *type_out = GS_TYPE_NORMAL;
652 return "default";
653 }
654
655 const smartlist_t *nodes = nodelist_get_list();
656 int n_guards = 0, n_passing_filter = 0;
657 SMARTLIST_FOREACH_BEGIN(nodes, const node_t *, node) {
658 if (node_is_possible_guard(node)) {
659 ++n_guards;
660 if (node_passes_guard_filter(options, node)) {
661 ++n_passing_filter;
662 }
663 }
664 } SMARTLIST_FOREACH_END(node);
665
666 /* We use separate 'high' and 'low' thresholds here to prevent flapping
667 * back and forth */
668 const int meaningful_threshold_high =
669 (int)(n_guards * get_meaningful_restriction_threshold() * 1.05);
670 const int meaningful_threshold_mid =
671 (int)(n_guards * get_meaningful_restriction_threshold());
672 const int meaningful_threshold_low =
673 (int)(n_guards * get_meaningful_restriction_threshold() * .95);
674 const int extreme_threshold =
675 (int)(n_guards * get_extreme_restriction_threshold());
676
677 /*
678 If we have no previous selection, then we're "restricted" iff we are
679 below the meaningful restriction threshold. That's easy enough.
680
681 But if we _do_ have a previous selection, we make it a little
682 "sticky": we only move from "restricted" to "default" when we find
683 that we're above the threshold plus 5%, and we only move from
684 "default" to "restricted" when we're below the threshold minus 5%.
685 That should prevent us from flapping back and forth if we happen to
686 be hovering very close to the default.
687
688 The extreme threshold is for warning only.
689 */
690
691 static int have_warned_extreme_threshold = 0;
692 if (n_guards &&
693 n_passing_filter < extreme_threshold &&
694 ! have_warned_extreme_threshold) {
695 have_warned_extreme_threshold = 1;
696 const double exclude_frac =
697 (n_guards - n_passing_filter) / (double)n_guards;
698 log_warn(LD_GUARD, "Your configuration excludes %d%% of all possible "
699 "guards. That's likely to make you stand out from the "
700 "rest of the world.", (int)(exclude_frac * 100));
701 }
702
703 /* Easy case: no previous selection. Just check if we are in restricted or
704 normal guard selection. */
705 if (old_selection == NULL) {
706 if (n_passing_filter >= meaningful_threshold_mid) {
707 *type_out = GS_TYPE_NORMAL;
708 return "default";
709 } else {
710 *type_out = GS_TYPE_RESTRICTED;
711 return "restricted";
712 }
713 }
714
715 /* Trickier case: we do have a previous guard selection context. */
716 tor_assert(old_selection);
717
718 /* Use high and low thresholds to decide guard selection, and if we fall in
719 the middle then keep the current guard selection context. */
720 if (n_passing_filter >= meaningful_threshold_high) {
721 *type_out = GS_TYPE_NORMAL;
722 return "default";
723 } else if (n_passing_filter < meaningful_threshold_low) {
724 *type_out = GS_TYPE_RESTRICTED;
725 return "restricted";
726 } else {
727 /* we are in the middle: maintain previous guard selection */
728 *type_out = old_selection->type;
729 return old_selection->name;
730 }
731}
732
733/**
734 * Check whether we should switch from our current guard selection to a
735 * different one. If so, switch and return 1. Return 0 otherwise.
736 *
737 * On a 1 return, the caller should mark all currently live circuits unusable
738 * for new streams, by calling circuit_mark_all_unused_circs() and
739 * circuit_mark_all_dirty_circs_as_unusable().
740 */
741int
743{
744 if (!curr_guard_context) {
746 return 1;
747 }
748
749 guard_selection_type_t type = GS_TYPE_INFER;
750 const char *new_name = choose_guard_selection(
751 options,
753 approx_time(),
756 &type);
757 tor_assert(new_name);
758 tor_assert(type != GS_TYPE_INFER);
759
760 const char *cur_name = curr_guard_context->name;
761 if (! strcmp(cur_name, new_name)) {
762 log_debug(LD_GUARD,
763 "Staying with guard context \"%s\" (no change)", new_name);
764 return 0; // No change
765 }
766
767 log_notice(LD_GUARD, "Switching to guard context \"%s\" (was using \"%s\")",
768 new_name, cur_name);
769 guard_selection_t *new_guard_context;
770 new_guard_context = get_guard_selection_by_name(new_name, type, 1);
771 tor_assert(new_guard_context);
772 tor_assert(new_guard_context != curr_guard_context);
773 curr_guard_context = new_guard_context;
774
775 return 1;
776}
777
778/**
779 * Return true iff <b>node</b> has all the flags needed for us to consider it
780 * a possible guard when sampling guards.
781 */
782static int
784{
785 /* The "GUARDS" set is all nodes in the nodelist for which this predicate
786 * holds. */
787
788 tor_assert(node);
789 return (node->is_possible_guard &&
790 node->is_stable &&
791 node->is_fast &&
792 node->is_valid &&
793 node_is_dir(node) &&
795}
796
797/**
798 * Return the sampled guard with the RSA identity digest <b>rsa_id</b>, or
799 * NULL if we don't have one. */
800STATIC entry_guard_t *
801get_sampled_guard_with_id(guard_selection_t *gs,
802 const uint8_t *rsa_id)
803{
804 tor_assert(gs);
805 tor_assert(rsa_id);
806 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
807 if (tor_memeq(guard->identity, rsa_id, DIGEST_LEN))
808 return guard;
809 } SMARTLIST_FOREACH_END(guard);
810 return NULL;
811}
812
813/** If <b>gs</b> contains a sampled entry guard matching <b>bridge</b>,
814 * return that guard. Otherwise return NULL. */
815static entry_guard_t *
816get_sampled_guard_for_bridge(guard_selection_t *gs,
817 const bridge_info_t *bridge)
818{
819 const uint8_t *id = bridge_get_rsa_id_digest(bridge);
820 const tor_addr_port_t *addrport = bridge_get_addr_port(bridge);
821 entry_guard_t *guard;
822 if (BUG(!addrport))
823 return NULL; // LCOV_EXCL_LINE
824 guard = get_sampled_guard_by_bridge_addr(gs, addrport);
825 if (! guard || (id && tor_memneq(id, guard->identity, DIGEST_LEN)))
826 return NULL;
827 else
828 return guard;
829}
830
831/** If we know a bridge_info_t matching <b>guard</b>, return that
832 * bridge. Otherwise return NULL. */
833static bridge_info_t *
834get_bridge_info_for_guard(const entry_guard_t *guard)
835{
836 const uint8_t *identity = NULL;
837 if (! tor_digest_is_zero(guard->identity)) {
838 identity = (const uint8_t *)guard->identity;
839 }
840 if (BUG(guard->bridge_addr == NULL))
841 return NULL;
842
844 &guard->bridge_addr->addr,
845 guard->bridge_addr->port,
846 (const char*)identity);
847}
848
849/**
850 * Return true iff we have a sampled guard with the RSA identity digest
851 * <b>rsa_id</b>. */
852static inline int
853have_sampled_guard_with_id(guard_selection_t *gs, const uint8_t *rsa_id)
854{
855 return get_sampled_guard_with_id(gs, rsa_id) != NULL;
856}
857
858/**
859 * Allocate a new entry_guard_t object for <b>node</b>, add it to the
860 * sampled entry guards in <b>gs</b>, and return it. <b>node</b> must
861 * not currently be a sampled guard in <b>gs</b>.
862 */
863STATIC entry_guard_t *
864entry_guard_add_to_sample(guard_selection_t *gs,
865 const node_t *node)
866{
867 log_info(LD_GUARD, "Adding %s to the entry guard sample set.",
868 node_describe(node));
869
870 /* make sure that the guard is not already sampled. */
871 if (BUG(have_sampled_guard_with_id(gs, (const uint8_t*)node->identity)))
872 return NULL; // LCOV_EXCL_LINE
873
875 (const uint8_t*)node->identity,
876 node_get_nickname(node),
877 NULL);
878}
879
880/**
881 * Backend: adds a new sampled guard to <b>gs</b>, with given identity,
882 * nickname, and ORPort. rsa_id_digest and bridge_addrport are optional, but
883 * we need one of them. nickname is optional. The caller is responsible for
884 * maintaining the size limit of the SAMPLED_GUARDS set.
885 */
886static entry_guard_t *
887entry_guard_add_to_sample_impl(guard_selection_t *gs,
888 const uint8_t *rsa_id_digest,
889 const char *nickname,
890 const tor_addr_port_t *bridge_addrport)
891{
892 const int GUARD_LIFETIME = get_guard_lifetime();
893 tor_assert(gs);
894
895 // XXXX #20827 take ed25519 identity here too.
896
897 /* Make sure we can actually identify the guard. */
898 if (BUG(!rsa_id_digest && !bridge_addrport))
899 return NULL; // LCOV_EXCL_LINE
900
901 entry_guard_t *guard = tor_malloc_zero(sizeof(entry_guard_t));
902
903 /* persistent fields */
904 guard->is_persistent = (rsa_id_digest != NULL);
905 guard->selection_name = tor_strdup(gs->name);
906 if (rsa_id_digest)
907 memcpy(guard->identity, rsa_id_digest, DIGEST_LEN);
908 if (nickname)
909 strlcpy(guard->nickname, nickname, sizeof(guard->nickname));
910 guard->sampled_on_date = randomize_time(approx_time(), GUARD_LIFETIME/10);
911 tor_free(guard->sampled_by_version);
912 guard->sampled_by_version = tor_strdup(VERSION);
913 guard->currently_listed = 1;
914 guard->sampled_idx = gs->next_sampled_idx++;
915 guard->confirmed_idx = -1;
916
917 /* non-persistent fields */
918 guard->is_reachable = GUARD_REACHABLE_MAYBE;
919 if (bridge_addrport)
920 guard->bridge_addr = tor_memdup(bridge_addrport, sizeof(*bridge_addrport));
921
922 smartlist_add(gs->sampled_entry_guards, guard);
923 guard->in_selection = gs;
926
927 /* Just added this guard to the sampled set and hence it might be used as a
928 * guard in the future: send GUARD NEW control event. */
929 control_event_guard(guard->nickname, guard->identity, "NEW");
930
931 return guard;
932}
933
934/**
935 * Add an entry guard to the "bridges" guard selection sample, with
936 * information taken from <b>bridge</b>. Return that entry guard.
937 */
938static entry_guard_t *
940 const bridge_info_t *bridge)
941{
942 const uint8_t *id_digest = bridge_get_rsa_id_digest(bridge);
943 const tor_addr_port_t *addrport = bridge_get_addr_port(bridge);
944
945 tor_assert(addrport);
946
947 /* make sure that the guard is not already sampled. */
948 if (BUG(get_sampled_guard_for_bridge(gs, bridge)))
949 return NULL; // LCOV_EXCL_LINE
950
951 return entry_guard_add_to_sample_impl(gs, id_digest, NULL, addrport);
952}
953
954/**
955 * Return the entry_guard_t in <b>gs</b> whose address is <b>addrport</b>,
956 * or NULL if none exists.
957*/
958static entry_guard_t *
960 const tor_addr_port_t *addrport)
961{
962 if (! gs)
963 return NULL;
964 if (BUG(!addrport))
965 return NULL;
966 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, g) {
967 if (g->bridge_addr && tor_addr_port_eq(addrport, g->bridge_addr))
968 return g;
969 } SMARTLIST_FOREACH_END(g);
970 return NULL;
971}
972
973/** Update the guard subsystem's knowledge of the identity of the bridge
974 * at <b>addrport</b>. Idempotent.
975 */
976void
978 const uint8_t *rsa_id_digest)
979{
980 guard_selection_t *gs = get_guard_selection_by_name("bridges",
981 GS_TYPE_BRIDGE,
982 0);
983 if (!gs)
984 return;
985
986 entry_guard_t *g = get_sampled_guard_by_bridge_addr(gs, addrport);
987 if (!g)
988 return;
989
990 int make_persistent = 0;
991
992 if (tor_digest_is_zero(g->identity)) {
993 memcpy(g->identity, rsa_id_digest, DIGEST_LEN);
994 make_persistent = 1;
995 } else if (tor_memeq(g->identity, rsa_id_digest, DIGEST_LEN)) {
996 /* Nothing to see here; we learned something we already knew. */
997 if (BUG(! g->is_persistent))
998 make_persistent = 1;
999 } else {
1000 char old_id[HEX_DIGEST_LEN+1];
1001 base16_encode(old_id, sizeof(old_id), g->identity, sizeof(g->identity));
1002 log_warn(LD_BUG, "We 'learned' an identity %s for a bridge at %s:%d, but "
1003 "we already knew a different one (%s). Ignoring the new info as "
1004 "possibly bogus.",
1005 hex_str((const char *)rsa_id_digest, DIGEST_LEN),
1006 fmt_and_decorate_addr(&addrport->addr), addrport->port,
1007 old_id);
1008 return; // redundant, but let's be clear: we're not making this persistent.
1009 }
1010
1011 if (make_persistent) {
1012 g->is_persistent = 1;
1014 }
1015}
1016
1017/**
1018 * Return the number of sampled guards in <b>gs</b> that are "filtered"
1019 * (that is, we're willing to connect to them) and that are "usable"
1020 * (that is, either "reachable" or "maybe reachable").
1021 *
1022 * If a restriction is provided in <b>rst</b>, do not count any guards that
1023 * violate it.
1024 */
1025STATIC int
1026num_reachable_filtered_guards(const guard_selection_t *gs,
1027 const entry_guard_restriction_t *rst)
1028{
1029 int n_reachable_filtered_guards = 0;
1030 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
1032 if (! entry_guard_obeys_restriction(guard, rst))
1033 continue;
1034 if (guard->is_usable_filtered_guard)
1035 ++n_reachable_filtered_guards;
1036 } SMARTLIST_FOREACH_END(guard);
1037 return n_reachable_filtered_guards;
1038}
1039
1040/** Return the actual maximum size for the sample in <b>gs</b>,
1041 * given that we know about <b>n_guards</b> total. */
1042static int
1043get_max_sample_size(guard_selection_t *gs,
1044 int n_guards)
1045{
1046 const int using_bridges = (gs->type == GS_TYPE_BRIDGE);
1047 const int min_sample = get_min_filtered_sample_size();
1048
1049 /* If we are in bridge mode, expand our sample set as needed without worrying
1050 * about max size. We should respect the user's wishes to use many bridges if
1051 * that's what they have specified in their configuration file. */
1052 if (using_bridges)
1053 return INT_MAX;
1054
1055 const int max_sample_by_pct = (int)(n_guards * get_max_sample_threshold());
1056 const int max_sample_absolute = get_max_sample_size_absolute();
1057 const int max_sample = MIN(max_sample_by_pct, max_sample_absolute);
1058 if (max_sample < min_sample)
1059 return min_sample;
1060 else
1061 return max_sample;
1062}
1063
1064/**
1065 * Return a smartlist of all the guards that are not currently
1066 * members of the sample (GUARDS - SAMPLED_GUARDS). The elements of
1067 * this list are node_t pointers in the non-bridge case, and
1068 * bridge_info_t pointers in the bridge case. Set *<b>n_guards_out</b>
1069 * to the number of guards that we found in GUARDS, including those
1070 * that were already sampled.
1071 */
1072static smartlist_t *
1074 guard_selection_t *gs,
1075 int *n_guards_out)
1076{
1077 /* Construct eligible_guards as GUARDS - SAMPLED_GUARDS */
1078 smartlist_t *eligible_guards = smartlist_new();
1079 int n_guards = 0; // total size of "GUARDS"
1080
1081 if (gs->type == GS_TYPE_BRIDGE) {
1082 const smartlist_t *bridges = bridge_list_get();
1083 SMARTLIST_FOREACH_BEGIN(bridges, bridge_info_t *, bridge) {
1084 ++n_guards;
1085 if (NULL != get_sampled_guard_for_bridge(gs, bridge)) {
1086 continue;
1087 }
1088 smartlist_add(eligible_guards, bridge);
1089 } SMARTLIST_FOREACH_END(bridge);
1090 } else {
1091 const smartlist_t *nodes = nodelist_get_list();
1092 const int n_sampled = smartlist_len(gs->sampled_entry_guards);
1093
1094 /* Build a bloom filter of our current guards: let's keep this O(N). */
1095 digestset_t *sampled_guard_ids = digestset_new(n_sampled);
1096 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, const entry_guard_t *,
1097 guard) {
1098 digestset_add(sampled_guard_ids, guard->identity);
1099 } SMARTLIST_FOREACH_END(guard);
1100
1101 SMARTLIST_FOREACH_BEGIN(nodes, const node_t *, node) {
1102 if (! node_is_possible_guard(node))
1103 continue;
1104 if (gs->type == GS_TYPE_RESTRICTED) {
1105 /* In restricted mode, we apply the filter BEFORE sampling, so
1106 * that we are sampling from the nodes that we might actually
1107 * select. If we sampled first, we might wind up with a sample
1108 * that didn't include any EntryNodes at all. */
1109 if (! node_passes_guard_filter(options, node))
1110 continue;
1111 }
1112 ++n_guards;
1113 if (digestset_probably_contains(sampled_guard_ids, node->identity))
1114 continue;
1115 smartlist_add(eligible_guards, (node_t*)node);
1116 } SMARTLIST_FOREACH_END(node);
1117
1118 /* Now we can free that bloom filter. */
1119 digestset_free(sampled_guard_ids);
1120 }
1121
1122 *n_guards_out = n_guards;
1123 return eligible_guards;
1124}
1125
1126/** Helper: given a smartlist of either bridge_info_t (if gs->type is
1127 * GS_TYPE_BRIDGE) or node_t (otherwise), pick one that can be a guard,
1128 * add it as a guard, remove it from the list, and return a new
1129 * entry_guard_t. Return NULL on failure. */
1130static entry_guard_t *
1132 smartlist_t *eligible_guards)
1133{
1134 entry_guard_t *added_guard;
1135 if (gs->type == GS_TYPE_BRIDGE) {
1136 const bridge_info_t *bridge = smartlist_choose(eligible_guards);
1137 if (BUG(!bridge))
1138 return NULL; // LCOV_EXCL_LINE
1139 smartlist_remove(eligible_guards, bridge);
1140 added_guard = entry_guard_add_bridge_to_sample(gs, bridge);
1141 } else {
1142 const node_t *node =
1143 node_sl_choose_by_bandwidth(eligible_guards, WEIGHT_FOR_GUARD);
1144 if (BUG(!node))
1145 return NULL; // LCOV_EXCL_LINE
1146 smartlist_remove(eligible_guards, node);
1147 added_guard = entry_guard_add_to_sample(gs, node);
1148 }
1149
1150 return added_guard;
1151}
1152
1153/**
1154 * Return true iff we need a consensus to update our guards, but we don't
1155 * have one. (We can return 0 here either if the consensus is _not_ missing,
1156 * or if we don't need a consensus because we're using bridges.)
1157 */
1158static int
1159reasonably_live_consensus_is_missing(const guard_selection_t *gs)
1160{
1161 tor_assert(gs);
1162 if (gs->type == GS_TYPE_BRIDGE) {
1163 /* We don't update bridges from the consensus; they aren't there. */
1164 return 0;
1165 }
1167 approx_time(),
1168 usable_consensus_flavor()) == NULL;
1169}
1170
1171/**
1172 * Add new guards to the sampled guards in <b>gs</b> until there are
1173 * enough usable filtered guards, but never grow the sample beyond its
1174 * maximum size. Return the last guard added, or NULL if none were
1175 * added.
1176 */
1177STATIC entry_guard_t *
1178entry_guards_expand_sample(guard_selection_t *gs)
1179{
1180 tor_assert(gs);
1181 const or_options_t *options = get_options();
1182
1184 log_info(LD_GUARD, "Not expanding the sample guard set; we have "
1185 "no reasonably live consensus.");
1186 return NULL;
1187 }
1188
1189 int n_sampled = smartlist_len(gs->sampled_entry_guards);
1190 entry_guard_t *added_guard = NULL;
1191 int n_usable_filtered_guards = num_reachable_filtered_guards(gs, NULL);
1192 int n_guards = 0;
1193 smartlist_t *eligible_guards = get_eligible_guards(options, gs, &n_guards);
1194
1195 const int max_sample = get_max_sample_size(gs, n_guards);
1196 const int min_filtered_sample = get_min_filtered_sample_size();
1197
1198 log_info(LD_GUARD, "Expanding the sample guard set. We have %d guards "
1199 "in the sample, and %d eligible guards to extend it with.",
1200 n_sampled, smartlist_len(eligible_guards));
1201
1202 while (n_usable_filtered_guards < min_filtered_sample) {
1203 /* Has our sample grown too large to expand? */
1204 if (n_sampled >= max_sample) {
1205 log_info(LD_GUARD, "Not expanding the guard sample any further; "
1206 "just hit the maximum sample threshold of %d",
1207 max_sample);
1208 goto done;
1209 }
1210
1211 /* Did we run out of guards? */
1212 if (smartlist_len(eligible_guards) == 0) {
1213 /* LCOV_EXCL_START
1214 As long as MAX_SAMPLE_THRESHOLD makes can't be adjusted to
1215 allow all guards to be sampled, this can't be reached.
1216 */
1217 log_info(LD_GUARD, "Not expanding the guard sample any further; "
1218 "just ran out of eligible guards");
1219 goto done;
1220 /* LCOV_EXCL_STOP */
1221 }
1222
1223 /* Otherwise we can add at least one new guard. */
1224 added_guard = select_and_add_guard_item_for_sample(gs, eligible_guards);
1225 if (!added_guard)
1226 goto done; // LCOV_EXCL_LINE -- only fails on BUG.
1227
1228 ++n_sampled;
1229
1230 if (added_guard->is_usable_filtered_guard)
1231 ++n_usable_filtered_guards;
1232 }
1233
1234 done:
1235 smartlist_free(eligible_guards);
1236 return added_guard;
1237}
1238
1239/**
1240 * Helper: <b>guard</b> has just been removed from the sampled guards:
1241 * also remove it from primary and confirmed. */
1242static void
1244 entry_guard_t *guard)
1245{
1246 if (guard->is_primary) {
1247 guard->is_primary = 0;
1248 smartlist_remove_keeporder(gs->primary_entry_guards, guard);
1249 } else {
1250 if (BUG(smartlist_contains(gs->primary_entry_guards, guard))) {
1251 smartlist_remove_keeporder(gs->primary_entry_guards, guard);
1252 }
1253 }
1254
1255 if (guard->confirmed_idx >= 0) {
1256 smartlist_remove_keeporder(gs->confirmed_entry_guards, guard);
1257 guard->confirmed_idx = -1;
1258 guard->confirmed_on_date = 0;
1259 } else {
1260 if (BUG(smartlist_contains(gs->confirmed_entry_guards, guard))) {
1261 // LCOV_EXCL_START
1262 smartlist_remove_keeporder(gs->confirmed_entry_guards, guard);
1263 // LCOV_EXCL_STOP
1264 }
1265 }
1266}
1267
1268/** Return true iff <b>guard</b> is currently "listed" -- that is, it
1269 * appears in the consensus, or as a configured bridge (as
1270 * appropriate) */
1271MOCK_IMPL(STATIC int,
1272entry_guard_is_listed,(guard_selection_t *gs, const entry_guard_t *guard))
1273{
1274 if (gs->type == GS_TYPE_BRIDGE) {
1275 return NULL != get_bridge_info_for_guard(guard);
1276 } else {
1277 const node_t *node = node_get_by_id(guard->identity);
1278
1279 return node && node_is_possible_guard(node);
1280 }
1281}
1282
1283/**
1284 * Enumerate <b>sampled_entry_guards</b> smartlist in <b>gs</b>.
1285 * For each <b>entry_guard_t</b> object in smartlist, do the following:
1286 * * Update <b>currently_listed</b> field to reflect if guard is listed
1287 * in guard selection <b>gs</b>.
1288 * * Set <b>unlisted_since_date</b> to approximate UNIX time of
1289 * unlisting if guard is unlisted (randomize within 20% of
1290 * get_remove_unlisted_guards_after_seconds()). Otherwise,
1291 * set it to 0.
1292 *
1293 * Require <b>gs</b> to be non-null pointer.
1294 * Return a number of entries updated.
1295 */
1296static size_t
1298{
1299 size_t n_changes = 0;
1300
1301 tor_assert(gs);
1302
1303 const time_t unlisted_since_slop =
1305
1306 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
1307 /* XXXX #20827 check ed ID too */
1308 const int is_listed = entry_guard_is_listed(gs, guard);
1309
1310 if (is_listed && ! guard->currently_listed) {
1311 ++n_changes;
1312 guard->currently_listed = 1;
1313 guard->unlisted_since_date = 0;
1314 log_info(LD_GUARD, "Sampled guard %s is now listed again.",
1315 entry_guard_describe(guard));
1316 } else if (!is_listed && guard->currently_listed) {
1317 ++n_changes;
1318 guard->currently_listed = 0;
1319 guard->unlisted_since_date = randomize_time(approx_time(),
1320 unlisted_since_slop);
1321 log_info(LD_GUARD, "Sampled guard %s is now unlisted.",
1322 entry_guard_describe(guard));
1323 } else if (is_listed && guard->currently_listed) {
1324 log_debug(LD_GUARD, "Sampled guard %s is still listed.",
1325 entry_guard_describe(guard));
1326 } else {
1327 tor_assert(! is_listed && ! guard->currently_listed);
1328 log_debug(LD_GUARD, "Sampled guard %s is still unlisted.",
1329 entry_guard_describe(guard));
1330 }
1331
1332 /* Clean up unlisted_since_date, just in case. */
1333 if (guard->currently_listed && guard->unlisted_since_date) {
1334 ++n_changes;
1335 guard->unlisted_since_date = 0;
1336 log_warn(LD_BUG, "Sampled guard %s was listed, but with "
1337 "unlisted_since_date set. Fixing.",
1338 entry_guard_describe(guard));
1339 } else if (!guard->currently_listed && ! guard->unlisted_since_date) {
1340 ++n_changes;
1341 guard->unlisted_since_date = randomize_time(approx_time(),
1342 unlisted_since_slop);
1343 log_warn(LD_BUG, "Sampled guard %s was unlisted, but with "
1344 "unlisted_since_date unset. Fixing.",
1345 entry_guard_describe(guard));
1346 }
1347 } SMARTLIST_FOREACH_END(guard);
1348
1349 return n_changes;
1350}
1351
1352/**
1353 * Enumerate <b>sampled_entry_guards</b> smartlist in <b>gs</b>.
1354 * For each <b>entry_guard_t</b> object in smartlist, do the following:
1355 * * If <b>currently_listed</b> is false and <b>unlisted_since_date</b>
1356 * is earlier than <b>remove_if_unlisted_since</b> - remove it.
1357 * * Otherwise, check if <b>sampled_on_date</b> is earlier than
1358 * <b>maybe_remove_if_sampled_before</b>.
1359 * * When above condition is correct, remove the guard if:
1360 * * It was never confirmed.
1361 * * It was confirmed before <b>remove_if_confirmed_before</b>.
1362 *
1363 * Require <b>gs</b> to be non-null pointer.
1364 * Return number of entries deleted.
1365 */
1366static size_t
1368 const time_t remove_if_unlisted_since,
1369 const time_t maybe_remove_if_sampled_before,
1370 const time_t remove_if_confirmed_before)
1371{
1372 size_t n_changes = 0;
1373
1374 tor_assert(gs);
1375
1376 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
1377 int rmv = 0;
1378
1379 if (guard->currently_listed == 0 &&
1380 guard->unlisted_since_date < remove_if_unlisted_since) {
1381 /*
1382 "We have a live consensus, and {IS_LISTED} is false, and
1383 {FIRST_UNLISTED_AT} is over get_remove_unlisted_guards_after_days()
1384 days in the past."
1385 */
1386 log_info(LD_GUARD, "Removing sampled guard %s: it has been unlisted "
1387 "for over %d days", entry_guard_describe(guard),
1389 rmv = 1;
1390 } else if (guard->sampled_on_date < maybe_remove_if_sampled_before) {
1391 /* We have a live consensus, and {ADDED_ON_DATE} is over
1392 {GUARD_LIFETIME} ago, *and* {CONFIRMED_ON_DATE} is either
1393 "never", or over {GUARD_CONFIRMED_MIN_LIFETIME} ago.
1394 */
1395 if (guard->confirmed_on_date == 0) {
1396 rmv = 1;
1397 log_info(LD_GUARD, "Removing sampled guard %s: it was sampled "
1398 "over %d days ago, but never confirmed.",
1399 entry_guard_describe(guard),
1400 get_guard_lifetime() / 86400);
1401 } else if (guard->confirmed_on_date < remove_if_confirmed_before) {
1402 rmv = 1;
1403 log_info(LD_GUARD, "Removing sampled guard %s: it was sampled "
1404 "over %d days ago, and confirmed over %d days ago.",
1405 entry_guard_describe(guard),
1406 get_guard_lifetime() / 86400,
1408 }
1409 }
1410
1411 if (rmv) {
1412 ++n_changes;
1413 SMARTLIST_DEL_CURRENT_KEEPORDER(gs->sampled_entry_guards, guard);
1415 entry_guard_free(guard);
1416 }
1417 } SMARTLIST_FOREACH_END(guard);
1418
1419 return n_changes;
1420}
1421
1422/**
1423 * Update the status of all sampled guards based on the arrival of a
1424 * new consensus networkstatus document. This will include marking
1425 * some guards as listed or unlisted, and removing expired guards. */
1426STATIC void
1428{
1429 tor_assert(gs);
1430
1431 // It's important to use a reasonably live consensus here; we want clients
1432 // to bootstrap even if their clock is skewed by more than 2-3 hours.
1433 // But we don't want to make changes based on anything that's really old.
1435 log_info(LD_GUARD, "Not updating the sample guard set; we have "
1436 "no reasonably live consensus.");
1437 return;
1438 }
1439 log_info(LD_GUARD, "Updating sampled guard status based on received "
1440 "consensus.");
1441
1442 /* First: Update listed/unlisted. */
1443 size_t n_changes = sampled_guards_update_consensus_presence(gs);
1444
1445 const time_t remove_if_unlisted_since =
1447 const time_t maybe_remove_if_sampled_before =
1449 const time_t remove_if_confirmed_before =
1451
1452 /* Then: remove the ones that have been junk for too long */
1453 n_changes +=
1455 remove_if_unlisted_since,
1456 maybe_remove_if_sampled_before,
1457 remove_if_confirmed_before);
1458
1459 if (n_changes) {
1460 gs->primary_guards_up_to_date = 0;
1462 /* We don't need to rebuild the confirmed list right here -- we may have
1463 * removed confirmed guards above, but we can't have added any new
1464 * confirmed guards.
1465 */
1467 }
1468}
1469
1470/**
1471 * Return true iff <b>node</b> is a Tor relay that we are configured to
1472 * be able to connect to. */
1473static int
1475 const node_t *node)
1476{
1477 /* NOTE: Make sure that this function stays in sync with
1478 * options_transition_affects_entry_guards */
1479 if (routerset_contains_node(options->ExcludeNodes, node))
1480 return 0;
1481
1482 if (options->EntryNodes &&
1483 !routerset_contains_node(options->EntryNodes, node))
1484 return 0;
1485
1486 if (!reachable_addr_allows_node(node, FIREWALL_OR_CONNECTION, 0))
1487 return 0;
1488
1490 return 0;
1491
1492 return 1;
1493}
1494
1495/** Helper: Return true iff <b>bridge</b> passes our configuration
1496 * filter-- if it is a relay that we are configured to be able to
1497 * connect to. */
1498static int
1500 const bridge_info_t *bridge)
1501{
1502 tor_assert(bridge);
1503 if (!bridge)
1504 return 0;
1505
1506 if (routerset_contains_bridge(options->ExcludeNodes, bridge))
1507 return 0;
1508
1509 /* Ignore entrynodes */
1510 const tor_addr_port_t *addrport = bridge_get_addr_port(bridge);
1511
1512 if (!reachable_addr_allows_addr(&addrport->addr,
1513 addrport->port,
1514 FIREWALL_OR_CONNECTION,
1515 0, 0))
1516 return 0;
1517
1518 return 1;
1519}
1520
1521/**
1522 * Return true iff <b>guard</b> is a Tor relay that we are configured to
1523 * be able to connect to, and we haven't disabled it for omission from
1524 * the consensus or path bias issues. */
1525static int
1526entry_guard_passes_filter(const or_options_t *options, guard_selection_t *gs,
1527 entry_guard_t *guard)
1528{
1529 if (guard->currently_listed == 0)
1530 return 0;
1531 if (guard->pb.path_bias_disabled)
1532 return 0;
1533
1534 if (gs->type == GS_TYPE_BRIDGE) {
1535 const bridge_info_t *bridge = get_bridge_info_for_guard(guard);
1536 if (bridge == NULL)
1537 return 0;
1538 return bridge_passes_guard_filter(options, bridge);
1539 } else {
1540 const node_t *node = node_get_by_id(guard->identity);
1541 if (node == NULL) {
1542 // This can happen when currently_listed is true, and we're not updating
1543 // it because we don't have a live consensus.
1544 return 0;
1545 }
1546
1547 return node_passes_guard_filter(options, node);
1548 }
1549}
1550
1551/** Return true iff <b>guard</b> is in the same family as <b>node</b>.
1552 */
1553static int
1554guard_in_node_family(const entry_guard_t *guard, const node_t *node)
1555{
1556 const node_t *guard_node = node_get_by_id(guard->identity);
1557 if (guard_node) {
1558 return nodes_in_same_family(guard_node, node);
1559 } else {
1560 /* If we don't have a node_t for the guard node, we might have
1561 * a bridge_info_t for it. So let's check to see whether the bridge
1562 * address matches has any family issues.
1563 *
1564 * (Strictly speaking, I believe this check is unnecessary, since we only
1565 * use it to avoid the exit's family when building circuits, and we don't
1566 * build multihop circuits until we have a routerinfo_t for the
1567 * bridge... at which point, we'll also have a node_t for the
1568 * bridge. Nonetheless, it seems wise to include it, in case our
1569 * assumptions change down the road. -nickm.)
1570 */
1571 if (get_options()->EnforceDistinctSubnets && guard->bridge_addr) {
1572 tor_addr_t node_addr;
1573 node_get_addr(node, &node_addr);
1574 if (router_addrs_in_same_network(&node_addr,
1575 &guard->bridge_addr->addr)) {
1576 return 1;
1577 }
1578 }
1579 return 0;
1580 }
1581}
1582
1583/* Allocate and return a new exit guard restriction (where <b>exit_id</b> is of
1584 * size DIGEST_LEN) */
1585STATIC entry_guard_restriction_t *
1586guard_create_exit_restriction(const uint8_t *exit_id)
1587{
1588 entry_guard_restriction_t *rst = NULL;
1589 rst = tor_malloc_zero(sizeof(entry_guard_restriction_t));
1590 rst->type = RST_EXIT_NODE;
1591 memcpy(rst->exclude_id, exit_id, DIGEST_LEN);
1592 return rst;
1593}
1594
1595/* Allocate and return a new exit guard restriction that excludes all current
1596 * and pending conflux guards */
1597STATIC entry_guard_restriction_t *
1598guard_create_conflux_restriction(const origin_circuit_t *circ,
1599 const uint8_t *exit_id)
1600{
1601 entry_guard_restriction_t *rst = NULL;
1602 rst = tor_malloc_zero(sizeof(entry_guard_restriction_t));
1603 rst->type = RST_EXCL_LIST;
1604 rst->excluded = smartlist_new();
1605 conflux_add_guards_to_exclude_list(circ, rst->excluded);
1606 memcpy(rst->exclude_id, exit_id, DIGEST_LEN);
1607 return rst;
1608}
1609
1610/** If we have fewer than this many possible usable guards, don't set
1611 * MD-availability-based restrictions: we might denylist all of them. */
1612#define MIN_GUARDS_FOR_MD_RESTRICTION 10
1613
1614/** Return true if we should set md dirserver restrictions. We might not want
1615 * to set those if our guard options are too restricted, since we don't want
1616 * to denylist all of them. */
1617static int
1619{
1620 const guard_selection_t *gs = get_guard_selection_info();
1621 int num_usable_guards = num_reachable_filtered_guards(gs, NULL);
1622
1623 /* Don't set restriction if too few reachable filtered guards. */
1624 if (num_usable_guards < MIN_GUARDS_FOR_MD_RESTRICTION) {
1625 log_info(LD_GUARD, "Not setting md restriction: only %d"
1626 " usable guards.", num_usable_guards);
1627 return 0;
1628 }
1629
1630 /* We have enough usable guards: set MD restriction */
1631 return 1;
1632}
1633
1634/** Allocate and return an outdated md guard restriction. Return NULL if no
1635 * such restriction is needed. */
1636STATIC entry_guard_restriction_t *
1638{
1639 entry_guard_restriction_t *rst = NULL;
1640
1642 log_debug(LD_GUARD, "Not setting md restriction: too few "
1643 "filtered guards.");
1644 return NULL;
1645 }
1646
1647 rst = tor_malloc_zero(sizeof(entry_guard_restriction_t));
1648 rst->type = RST_OUTDATED_MD_DIRSERVER;
1649
1650 return rst;
1651}
1652
1653/* Return True if <b>guard</b> obeys the exit restriction <b>rst</b>. */
1654static int
1655guard_obeys_exit_restriction(const entry_guard_t *guard,
1656 const entry_guard_restriction_t *rst)
1657{
1658 tor_assert(rst->type == RST_EXIT_NODE ||
1659 rst->type == RST_EXCL_LIST);
1660
1661 // Exclude the exit ID and all of its family.
1662 const node_t *node = node_get_by_id((const char*)rst->exclude_id);
1663 if (node && guard_in_node_family(guard, node))
1664 return 0;
1665
1666 return tor_memneq(guard->identity, rst->exclude_id, DIGEST_LEN);
1667}
1668
1669/** Return True if <b>guard</b> should be used as a dirserver for fetching
1670 * microdescriptors. */
1671static int
1672guard_obeys_md_dirserver_restriction(const entry_guard_t *guard)
1673{
1674 /* If this guard is an outdated dirserver, don't use it. */
1675 if (microdesc_relay_is_outdated_dirserver(guard->identity)) {
1676 log_info(LD_GENERAL, "Skipping %s dirserver: outdated",
1677 hex_str(guard->identity, DIGEST_LEN));
1678 return 0;
1679 }
1680
1681 log_debug(LD_GENERAL, "%s dirserver obeys md restrictions",
1682 hex_str(guard->identity, DIGEST_LEN));
1683
1684 return 1;
1685}
1686
1687/**
1688 * Return true if a restriction is reachability related, such that it should
1689 * cause us to consider additional primary guards when selecting one.
1690 */
1691static bool
1692entry_guard_restriction_is_reachability(const entry_guard_restriction_t *rst)
1693{
1694 tor_assert(rst);
1695 return (rst->type == RST_OUTDATED_MD_DIRSERVER);
1696}
1697
1698/**
1699 * Return true iff <b>guard</b> obeys the restrictions defined in <b>rst</b>.
1700 * (If <b>rst</b> is NULL, there are no restrictions.)
1701 */
1702static int
1703entry_guard_obeys_restriction(const entry_guard_t *guard,
1704 const entry_guard_restriction_t *rst)
1705{
1706 tor_assert(guard);
1707 if (! rst)
1708 return 1; // No restriction? No problem.
1709
1710 if (rst->type == RST_EXIT_NODE) {
1711 return guard_obeys_exit_restriction(guard, rst);
1712 } else if (rst->type == RST_OUTDATED_MD_DIRSERVER) {
1714 } else if (rst->type == RST_EXCL_LIST) {
1715 return guard_obeys_exit_restriction(guard, rst) &&
1716 !smartlist_contains_digest(rst->excluded, guard->identity);
1717 }
1718
1720 return 0;
1721}
1722
1723/**
1724 * Update the <b>is_filtered_guard</b> and <b>is_usable_filtered_guard</b>
1725 * flags on <b>guard</b>. */
1726void
1728 guard_selection_t *gs,
1729 entry_guard_t *guard)
1730{
1731 unsigned was_filtered = guard->is_filtered_guard;
1732 guard->is_filtered_guard = 0;
1733 guard->is_usable_filtered_guard = 0;
1734
1735 if (entry_guard_passes_filter(options, gs, guard)) {
1736 guard->is_filtered_guard = 1;
1737
1738 if (guard->is_reachable != GUARD_REACHABLE_NO)
1739 guard->is_usable_filtered_guard = 1;
1740
1742 }
1743 log_debug(LD_GUARD, "Updated sampled guard %s: filtered=%d; "
1744 "reachable_filtered=%d.", entry_guard_describe(guard),
1745 guard->is_filtered_guard, guard->is_usable_filtered_guard);
1746
1747 if (!bool_eq(was_filtered, guard->is_filtered_guard)) {
1748 /* This guard might now be primary or nonprimary. */
1749 gs->primary_guards_up_to_date = 0;
1750 }
1751}
1752
1753/**
1754 * Update the <b>is_filtered_guard</b> and <b>is_usable_filtered_guard</b>
1755 * flag on every guard in <b>gs</b>. */
1756STATIC void
1758{
1759 const or_options_t *options = get_options();
1760
1761 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
1762 entry_guard_set_filtered_flags(options, gs, guard);
1763 } SMARTLIST_FOREACH_END(guard);
1764}
1765
1766/**
1767 * Return the first sampled guard from the reachable filtered sample guards
1768 * in <b>gs</b>, subject to the exclusion rules listed in <b>flags</b>.
1769 * Return NULL if no such guard can be found.
1770 *
1771 * Make sure that the sample is big enough, and that all the filter flags
1772 * are set correctly, before calling this function.
1773 *
1774 * If a restriction is provided in <b>rst</b>, do not return any guards that
1775 * violate it.
1776 **/
1777STATIC entry_guard_t *
1779 const entry_guard_restriction_t *rst,
1780 unsigned flags)
1781{
1782 tor_assert(gs);
1783 entry_guard_t *result = NULL;
1784 const unsigned exclude_confirmed = flags & SAMPLE_EXCLUDE_CONFIRMED;
1785 const unsigned exclude_primary = flags & SAMPLE_EXCLUDE_PRIMARY;
1786 const unsigned exclude_pending = flags & SAMPLE_EXCLUDE_PENDING;
1787 const unsigned no_update_primary = flags & SAMPLE_NO_UPDATE_PRIMARY;
1788 const unsigned need_descriptor = flags & SAMPLE_EXCLUDE_NO_DESCRIPTOR;
1789
1790 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
1792 } SMARTLIST_FOREACH_END(guard);
1793
1794 const int n_reachable_filtered = num_reachable_filtered_guards(gs, rst);
1795
1796 log_info(LD_GUARD, "Trying to sample a reachable guard: We know of %d "
1797 "in the USABLE_FILTERED set.", n_reachable_filtered);
1798
1799 const int min_filtered_sample = get_min_filtered_sample_size();
1800 if (n_reachable_filtered < min_filtered_sample) {
1801 log_info(LD_GUARD, " (That isn't enough. Trying to expand the sample.)");
1803 }
1804
1805 if (exclude_primary && !gs->primary_guards_up_to_date && !no_update_primary)
1807
1808 /* Build the set of reachable filtered guards. */
1809 smartlist_t *reachable_filtered_sample = smartlist_new();
1810 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
1811 entry_guard_consider_retry(guard);// redundant, but cheap.
1812 if (! entry_guard_obeys_restriction(guard, rst))
1813 continue;
1814 if (! guard->is_usable_filtered_guard)
1815 continue;
1816 if (exclude_confirmed && guard->confirmed_idx >= 0)
1817 continue;
1818 if (exclude_primary && guard->is_primary)
1819 continue;
1820 if (exclude_pending && guard->is_pending)
1821 continue;
1822 if (need_descriptor && !guard_has_descriptor(guard))
1823 continue;
1824 smartlist_add(reachable_filtered_sample, guard);
1825 } SMARTLIST_FOREACH_END(guard);
1826
1827 log_info(LD_GUARD, " (After filters [%x], we have %d guards to consider.)",
1828 flags, smartlist_len(reachable_filtered_sample));
1829
1830 if (smartlist_len(reachable_filtered_sample)) {
1831 /**
1832 * Get the first guard of the filtered set builds from
1833 * sampled_entry_guards. Proposal 310 suggests this design to overcome
1834 * performance and security issues linked to the previous selection
1835 * method. The guard selected here should be filtered out if this function
1836 * is called again in the same context. I.e., if we filter guards to add
1837 * them into some list X, then the guards from list X will be filtered out
1838 * when this function is called again. Hence it requires setting exclude
1839 * flags in a appropriate way (depending of the context of the caller).
1840 */
1841 result = smartlist_get(reachable_filtered_sample, 0);
1842 log_info(LD_GUARD, " (Selected %s.)",
1843 result ? entry_guard_describe(result) : "<null>");
1844 }
1845 smartlist_free(reachable_filtered_sample);
1846
1847 return result;
1848}
1849
1850static int
1851compare_guards_by_confirmed_idx(const void **a_, const void **b_)
1852{
1853 const entry_guard_t *a = *a_, *b = *b_;
1854 if (a->confirmed_idx < b->confirmed_idx)
1855 return -1;
1856 else if (a->confirmed_idx > b->confirmed_idx)
1857 return 1;
1858 else
1859 return 0;
1860}
1861/**
1862 * Helper: compare two entry_guard_t by their sampled_idx values.
1863 * Used to sort the sampled list
1864 */
1865static int
1866compare_guards_by_sampled_idx(const void **a_, const void **b_)
1867{
1868 const entry_guard_t *a = *a_, *b = *b_;
1869 if (a->sampled_idx < b->sampled_idx)
1870 return -1;
1871 else if (a->sampled_idx > b->sampled_idx)
1872 return 1;
1873 else
1874 return 0;
1875}
1876
1877/**
1878 * Find the confirmed guards from among the sampled guards in <b>gs</b>,
1879 * and put them in confirmed_entry_guards in the correct
1880 * order. Recalculate their indices.
1881 */
1882STATIC void
1883entry_guards_update_confirmed(guard_selection_t *gs)
1884{
1885 smartlist_clear(gs->confirmed_entry_guards);
1886 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
1887 if (guard->confirmed_idx >= 0)
1888 smartlist_add(gs->confirmed_entry_guards, guard);
1889 } SMARTLIST_FOREACH_END(guard);
1890
1891 smartlist_sort(gs->confirmed_entry_guards, compare_guards_by_confirmed_idx);
1892 /** Needed to keep a dense array of confirmed_idx */
1893 int any_changed = 0;
1894 SMARTLIST_FOREACH_BEGIN(gs->confirmed_entry_guards, entry_guard_t *, guard) {
1895 if (guard->confirmed_idx != guard_sl_idx) {
1896 any_changed = 1;
1897 guard->confirmed_idx = guard_sl_idx;
1898 }
1899 } SMARTLIST_FOREACH_END(guard);
1900
1901 gs->next_confirmed_idx = smartlist_len(gs->confirmed_entry_guards);
1902 // We need the confirmed list to always be give guards in sampled order
1903 smartlist_sort(gs->confirmed_entry_guards, compare_guards_by_sampled_idx);
1904
1905 if (any_changed) {
1907 }
1908}
1909
1910/**
1911 * Mark <b>guard</b> as a confirmed guard -- that is, one that we have
1912 * connected to, and intend to use again.
1913 */
1914STATIC void
1915make_guard_confirmed(guard_selection_t *gs, entry_guard_t *guard)
1916{
1917 if (BUG(guard->confirmed_on_date && guard->confirmed_idx >= 0))
1918 return; // LCOV_EXCL_LINE
1919
1920 if (BUG(smartlist_contains(gs->confirmed_entry_guards, guard)))
1921 return; // LCOV_EXCL_LINE
1922
1923 const int GUARD_LIFETIME = get_guard_lifetime();
1924 guard->confirmed_on_date = randomize_time(approx_time(), GUARD_LIFETIME/10);
1925
1926 log_info(LD_GUARD, "Marking %s as a confirmed guard (index %d)",
1927 entry_guard_describe(guard),
1928 gs->next_confirmed_idx);
1929
1930 guard->confirmed_idx = gs->next_confirmed_idx++;
1931 smartlist_add(gs->confirmed_entry_guards, guard);
1932 /** The confirmation ordering might not be the sample ordering. We need to
1933 * reorder */
1934 smartlist_sort(gs->confirmed_entry_guards, compare_guards_by_sampled_idx);
1935
1936 // This confirmed guard might kick something else out of the primary
1937 // guards.
1938 gs->primary_guards_up_to_date = 0;
1939
1941}
1942
1943/**
1944 * Recalculate the list of primary guards (the ones we'd prefer to use) from
1945 * the filtered sample and the confirmed list.
1946 */
1947STATIC void
1948entry_guards_update_primary(guard_selection_t *gs)
1949{
1950 tor_assert(gs);
1951
1952 // prevent recursion. Recursion is potentially very bad here.
1953 static int running = 0;
1954 tor_assert(!running);
1955 running = 1;
1956
1957 const int N_PRIMARY_GUARDS = get_n_primary_guards();
1958
1959 smartlist_t *new_primary_guards = smartlist_new();
1960 smartlist_t *old_primary_guards = smartlist_new();
1961 smartlist_add_all(old_primary_guards, gs->primary_entry_guards);
1962
1963 /* Set this flag now, to prevent the calls below from recursing. */
1964 gs->primary_guards_up_to_date = 1;
1965
1966 /* First, can we fill it up with confirmed guards? */
1967 SMARTLIST_FOREACH_BEGIN(gs->confirmed_entry_guards, entry_guard_t *, guard) {
1968 if (smartlist_len(new_primary_guards) >= N_PRIMARY_GUARDS)
1969 break;
1970 if (! guard->is_filtered_guard)
1971 continue;
1972 guard->is_primary = 1;
1973 smartlist_add(new_primary_guards, guard);
1974 } SMARTLIST_FOREACH_END(guard);
1975
1976 SMARTLIST_FOREACH_BEGIN(old_primary_guards, entry_guard_t *, guard) {
1977 /* Can we keep any older primary guards? First remove all the ones
1978 * that we already kept. */
1979 if (smartlist_contains(new_primary_guards, guard)) {
1980 SMARTLIST_DEL_CURRENT_KEEPORDER(old_primary_guards, guard);
1981 continue;
1982 }
1983
1984 /* Now add any that are still good. */
1985 if (smartlist_len(new_primary_guards) < N_PRIMARY_GUARDS &&
1986 guard->is_filtered_guard) {
1987 guard->is_primary = 1;
1988 smartlist_add(new_primary_guards, guard);
1989 SMARTLIST_DEL_CURRENT_KEEPORDER(old_primary_guards, guard);
1990 } else {
1991 /* Mark the remaining previous primary guards as non-primary */
1992 guard->is_primary = 0;
1993 }
1994 } SMARTLIST_FOREACH_END(guard);
1995
1996 /* Finally, fill out the list with sampled guards. */
1997 while (smartlist_len(new_primary_guards) < N_PRIMARY_GUARDS) {
1998 entry_guard_t *guard = first_reachable_filtered_entry_guard(gs, NULL,
1999 SAMPLE_EXCLUDE_CONFIRMED|
2000 SAMPLE_EXCLUDE_PRIMARY|
2001 SAMPLE_NO_UPDATE_PRIMARY);
2002 if (!guard)
2003 break;
2004 guard->is_primary = 1;
2005 smartlist_add(new_primary_guards, guard);
2006 }
2007
2008#if 1
2009 /* Debugging. */
2010 SMARTLIST_FOREACH(gs->sampled_entry_guards, entry_guard_t *, guard, {
2011 tor_assert_nonfatal(
2012 bool_eq(guard->is_primary,
2013 smartlist_contains(new_primary_guards, guard)));
2014 });
2015#endif /* 1 */
2016
2017 const int any_change = !smartlist_ptrs_eq(gs->primary_entry_guards,
2018 new_primary_guards);
2019 if (any_change) {
2020 log_info(LD_GUARD, "Primary entry guards have changed. "
2021 "New primary guard list is: ");
2022 int n = smartlist_len(new_primary_guards);
2023 SMARTLIST_FOREACH_BEGIN(new_primary_guards, entry_guard_t *, g) {
2024 log_info(LD_GUARD, " %d/%d: %s%s%s",
2025 g_sl_idx+1, n, entry_guard_describe(g),
2026 g->confirmed_idx >= 0 ? " (confirmed)" : "",
2027 g->is_filtered_guard ? "" : " (excluded by filter)");
2028 } SMARTLIST_FOREACH_END(g);
2029 smartlist_sort(new_primary_guards, compare_guards_by_sampled_idx);
2030 }
2031
2032 smartlist_free(old_primary_guards);
2033 smartlist_free(gs->primary_entry_guards);
2034 gs->primary_entry_guards = new_primary_guards;
2035 gs->primary_guards_up_to_date = 1;
2036 running = 0;
2037}
2038
2039/**
2040 * Return the number of seconds after the last attempt at which we should
2041 * retry a guard that has been failing since <b>failing_since</b>.
2042 */
2043static int
2044get_retry_schedule(time_t failing_since, time_t now,
2045 int is_primary)
2046{
2047 const unsigned SIX_HOURS = 6 * 3600;
2048 const unsigned FOUR_DAYS = 4 * 86400;
2049 const unsigned SEVEN_DAYS = 7 * 86400;
2050
2051 time_t tdiff;
2052 if (now > failing_since) {
2053 tdiff = now - failing_since;
2054 } else {
2055 tdiff = 0;
2056 }
2057
2058 const struct {
2059 time_t maximum; int primary_delay; int nonprimary_delay;
2060 } delays[] = {
2061 // clang-format off
2062 { SIX_HOURS, 10*60, 1*60*60 },
2063 { FOUR_DAYS, 90*60, 4*60*60 },
2064 { SEVEN_DAYS, 4*60*60, 18*60*60 },
2065 { TIME_MAX, 9*60*60, 36*60*60 }
2066 // clang-format on
2067 };
2068
2069 unsigned i;
2070 for (i = 0; i < ARRAY_LENGTH(delays); ++i) {
2071 if (tdiff <= delays[i].maximum) {
2072 return is_primary ? delays[i].primary_delay : delays[i].nonprimary_delay;
2073 }
2074 }
2075 /* LCOV_EXCL_START -- can't reach, since delays ends with TIME_MAX. */
2077 return 36*60*60;
2078 /* LCOV_EXCL_STOP */
2079}
2080
2081/**
2082 * If <b>guard</b> is unreachable, consider whether enough time has passed
2083 * to consider it maybe-reachable again.
2084 */
2085STATIC void
2086entry_guard_consider_retry(entry_guard_t *guard)
2087{
2088 if (guard->is_reachable != GUARD_REACHABLE_NO)
2089 return; /* No retry needed. */
2090
2091 const time_t now = approx_time();
2092 const int delay =
2093 get_retry_schedule(guard->failing_since, now, guard->is_primary);
2094 const time_t last_attempt = guard->last_tried_to_connect;
2095
2096 /* Check if it is a bridge and we don't have its descriptor yet */
2097 if (guard->bridge_addr && !guard_has_descriptor(guard)) {
2098 /* We want to leave the retry schedule to fetch_bridge_descriptors(),
2099 * so we don't have two retry schedules clobbering each other. See
2100 * bugs 40396 and 40497 for details of why we need this exception. */
2101 return;
2102 }
2103
2104 if (BUG(last_attempt == 0) ||
2105 now >= last_attempt + delay) {
2106 /* We should mark this retriable. */
2107 char tbuf[ISO_TIME_LEN+1];
2108 format_local_iso_time(tbuf, last_attempt);
2109 log_info(LD_GUARD, "Marked %s%sguard %s for possible retry, since we "
2110 "haven't tried to use it since %s.",
2111 guard->is_primary?"primary ":"",
2112 guard->confirmed_idx>=0?"confirmed ":"",
2113 entry_guard_describe(guard),
2114 tbuf);
2115
2116 guard->is_reachable = GUARD_REACHABLE_MAYBE;
2117 if (guard->is_filtered_guard)
2118 guard->is_usable_filtered_guard = 1;
2119 }
2120}
2121
2122/** Tell the entry guards subsystem that we have confirmed that as of
2123 * just now, we're on the internet. */
2124void
2126{
2127 gs->last_time_on_internet = approx_time();
2128}
2129
2130/**
2131 * Pick a primary guard for use with a circuit, if available. Update the
2132 * <b>last_tried_to_connect</b> time and the <b>is_pending</b> fields of the
2133 * guard as appropriate. Set <b>state_out</b> to the new guard-state
2134 * of the circuit.
2135 */
2136static entry_guard_t *
2138 guard_usage_t usage,
2139 const entry_guard_restriction_t *rst,
2140 unsigned *state_out)
2141{
2142 const int need_descriptor = (usage == GUARD_USAGE_TRAFFIC);
2143 entry_guard_t *chosen_guard = NULL;
2144
2145 int num_entry_guards_to_consider = get_n_primary_guards_to_use(usage);
2146 smartlist_t *usable_primary_guards = smartlist_new();
2147 int num_entry_guards_considered = 0;
2148
2149 SMARTLIST_FOREACH_BEGIN(gs->primary_entry_guards, entry_guard_t *, guard) {
2151 if (!entry_guard_obeys_restriction(guard, rst)) {
2152 log_info(LD_GUARD, "Entry guard %s doesn't obey restriction, we test the"
2153 " next one", entry_guard_describe(guard));
2155 log_info(LD_GUARD,
2156 "Skipping guard %s due to circuit path restriction. "
2157 "Have %d, considered: %d, to consider: %d",
2158 entry_guard_describe(guard),
2159 smartlist_len(usable_primary_guards),
2160 num_entry_guards_considered,
2161 num_entry_guards_to_consider);
2162 /* If the restriction is a circuit path restriction (as opposed to a
2163 * reachability restriction), count this as considered. */
2164 num_entry_guards_considered++;
2165
2166 /* If we have considered enough guards, *and* we actually have a guard,
2167 * then proceed to select one from the list. */
2168 if (num_entry_guards_considered >= num_entry_guards_to_consider) {
2169 /* This should not happen with 2-leg conflux unless there is a
2170 * race between removing a failed leg and a retry, but check
2171 * anyway and log. */
2172 if (smartlist_len(usable_primary_guards) == 0) {
2173 static ratelim_t guardlog = RATELIM_INIT(60);
2175 "All current guards excluded by path restriction "
2176 "type %d; using an additional guard.",
2177 rst->type);
2178 } else {
2179 break;
2180 }
2181 }
2182 }
2183 continue;
2184 }
2185 if (guard->is_reachable != GUARD_REACHABLE_NO) {
2186 if (need_descriptor && !guard_has_descriptor(guard)) {
2187 log_info(LD_GUARD, "Guard %s does not have a descriptor",
2188 entry_guard_describe(guard));
2189 continue;
2190 }
2191 *state_out = GUARD_CIRC_STATE_USABLE_ON_COMPLETION;
2192 guard->last_tried_to_connect = approx_time();
2193 smartlist_add(usable_primary_guards, guard);
2194 num_entry_guards_considered++;
2195
2196 /* If we have considered enough guards, then proceed to select
2197 * one from the list. */
2198 if (num_entry_guards_considered >= num_entry_guards_to_consider) {
2199 break;
2200 }
2201 } else {
2202 log_info(LD_GUARD, "Guard %s is not reachable",
2203 entry_guard_describe(guard));
2204 }
2205 } SMARTLIST_FOREACH_END(guard);
2206
2207 if (smartlist_len(usable_primary_guards)) {
2208 chosen_guard = smartlist_choose(usable_primary_guards);
2209 log_info(LD_GUARD,
2210 "Selected primary guard %s for circuit from a list size of %d.",
2211 entry_guard_describe(chosen_guard),
2212 smartlist_len(usable_primary_guards));
2213 /* Describe each guard in the list: */
2214 SMARTLIST_FOREACH_BEGIN(usable_primary_guards, entry_guard_t *, guard) {
2215 log_info(LD_GUARD, " %s", entry_guard_describe(guard));
2216 } SMARTLIST_FOREACH_END(guard);
2217 smartlist_free(usable_primary_guards);
2218 }
2219
2220 smartlist_free(usable_primary_guards);
2221 return chosen_guard;
2222}
2223
2224/**
2225 * For use with a circuit, pick a non-pending running filtered confirmed guard,
2226 * if one is available. Update the <b>last_tried_to_connect</b> time and the
2227 * <b>is_pending</b> fields of the guard as appropriate. Set <b>state_out</b>
2228 * to the new guard-state of the circuit.
2229 */
2230static entry_guard_t *
2232 guard_usage_t usage,
2233 const entry_guard_restriction_t *rst,
2234 unsigned *state_out)
2235{
2236 const int need_descriptor = (usage == GUARD_USAGE_TRAFFIC);
2237
2238 SMARTLIST_FOREACH_BEGIN(gs->confirmed_entry_guards, entry_guard_t *, guard) {
2239 if (guard->is_primary)
2240 continue; /* we already considered this one. */
2241 if (! entry_guard_obeys_restriction(guard, rst))
2242 continue;
2244 if (guard->is_usable_filtered_guard && ! guard->is_pending) {
2245 if (need_descriptor && !guard_has_descriptor(guard))
2246 continue; /* not a bug */
2247 guard->is_pending = 1;
2248 guard->last_tried_to_connect = approx_time();
2249 *state_out = GUARD_CIRC_STATE_USABLE_IF_NO_BETTER_GUARD;
2250 log_info(LD_GUARD, "No primary guards available. Selected confirmed "
2251 "guard %s for circuit. Will try other guards before using "
2252 "this circuit.",
2253 entry_guard_describe(guard));
2254 return guard;
2255 }
2256 } SMARTLIST_FOREACH_END(guard);
2257
2258 return NULL;
2259}
2260
2261/**
2262 * For use with a circuit, pick a usable filtered guard. Update the
2263 * <b>last_tried_to_connect</b> time and the <b>is_pending</b> fields of the
2264 * guard as appropriate. Set <b>state_out</b> to the new guard-state of the
2265 * circuit.
2266 */
2267static entry_guard_t *
2269 guard_usage_t usage,
2270 const entry_guard_restriction_t *rst,
2271 unsigned *state_out)
2272{
2273 const int need_descriptor = (usage == GUARD_USAGE_TRAFFIC);
2274 entry_guard_t *chosen_guard = NULL;
2275 unsigned flags = 0;
2276 if (need_descriptor)
2277 flags |= SAMPLE_EXCLUDE_NO_DESCRIPTOR;
2278 chosen_guard = first_reachable_filtered_entry_guard(gs,
2279 rst,
2280 SAMPLE_EXCLUDE_CONFIRMED |
2281 SAMPLE_EXCLUDE_PRIMARY |
2282 SAMPLE_EXCLUDE_PENDING |
2283 flags);
2284 if (!chosen_guard) {
2285 return NULL;
2286 }
2287
2288 chosen_guard->is_pending = 1;
2289 chosen_guard->last_tried_to_connect = approx_time();
2290 *state_out = GUARD_CIRC_STATE_USABLE_IF_NO_BETTER_GUARD;
2291 log_info(LD_GUARD, "No primary or confirmed guards available. Selected "
2292 "guard %s for circuit. Will try other guards before "
2293 "using this circuit.",
2294 entry_guard_describe(chosen_guard));
2295 return chosen_guard;
2296}
2297
2298/**
2299 * Get a guard for use with a circuit. Prefer to pick a running primary
2300 * guard; then a non-pending running filtered confirmed guard; then a
2301 * non-pending runnable filtered guard. Update the
2302 * <b>last_tried_to_connect</b> time and the <b>is_pending</b> fields of the
2303 * guard as appropriate. Set <b>state_out</b> to the new guard-state
2304 * of the circuit.
2305 */
2306STATIC entry_guard_t *
2308 guard_usage_t usage,
2309 const entry_guard_restriction_t *rst,
2310 unsigned *state_out)
2311{
2312 entry_guard_t *chosen_guard = NULL;
2313 tor_assert(gs);
2314 tor_assert(state_out);
2315
2316 if (!gs->primary_guards_up_to_date)
2318
2319 /* "If any entry in PRIMARY_GUARDS has {is_reachable} status of
2320 <maybe> or <yes>, return the first such guard." */
2321 chosen_guard = select_primary_guard_for_circuit(gs, usage, rst, state_out);
2322 if (chosen_guard) {
2323 log_info(LD_GUARD, "Selected primary guard %s for circuit.",
2324 entry_guard_describe(chosen_guard));
2325 return chosen_guard;
2326 }
2327
2328 /* "Otherwise, if the ordered intersection of {CONFIRMED_GUARDS}
2329 and {USABLE_FILTERED_GUARDS} is nonempty, return the first
2330 entry in that intersection that has {is_pending} set to
2331 false." */
2332 chosen_guard = select_confirmed_guard_for_circuit(gs, usage, rst, state_out);
2333 if (chosen_guard) {
2334 log_info(LD_GUARD, "Selected confirmed guard %s for circuit.",
2335 entry_guard_describe(chosen_guard));
2336 return chosen_guard;
2337 }
2338
2339 /* "Otherwise, if there is no such entry, select a member
2340 * {USABLE_FILTERED_GUARDS} following the sample ordering" */
2341 chosen_guard = select_filtered_guard_for_circuit(gs, usage, rst, state_out);
2342
2343 if (chosen_guard == NULL) {
2344 log_info(LD_GUARD, "Absolutely no sampled guards were available. "
2345 "Marking all guards for retry and starting from top again.");
2346 mark_all_guards_maybe_reachable(gs);
2347 return NULL;
2348 }
2349
2350 log_info(LD_GUARD, "Selected filtered guard %s for circuit.",
2351 entry_guard_describe(chosen_guard));
2352 return chosen_guard;
2353}
2354
2355/**
2356 * Note that we failed to connect to or build circuits through <b>guard</b>.
2357 * Use with a guard returned by select_entry_guard_for_circuit().
2358 */
2359STATIC void
2361 entry_guard_t *guard)
2362{
2363 tor_assert(gs);
2364
2365 guard->is_reachable = GUARD_REACHABLE_NO;
2366 guard->is_usable_filtered_guard = 0;
2367
2368 guard->is_pending = 0;
2369 if (guard->failing_since == 0)
2370 guard->failing_since = approx_time();
2371
2372 /* This guard not reachable: send GUARD DOWN event */
2373 control_event_guard(guard->nickname, guard->identity, "DOWN");
2374
2375 log_info(LD_GUARD, "Recorded failure for %s%sguard %s",
2376 guard->is_primary?"primary ":"",
2377 guard->confirmed_idx>=0?"confirmed ":"",
2378 entry_guard_describe(guard));
2379
2380 /* Schedule a re-assessment of whether we have enough dir info to
2381 * use the network. Counterintuitively, *losing* a bridge might actually
2382 * be just what we need to *resume* using the network, if we had it in
2383 * state GUARD_REACHABLE_MAYBE and we were stalling to learn this
2384 * outcome. See bug 40396 for more details. */
2386}
2387
2388/**
2389 * Note that we successfully connected to, and built a circuit through
2390 * <b>guard</b>. Given the old guard-state of the circuit in <b>old_state</b>,
2391 * return the new guard-state of the circuit.
2392 *
2393 * Be aware: the circuit is only usable when its guard-state becomes
2394 * GUARD_CIRC_STATE_COMPLETE.
2395 **/
2396STATIC unsigned
2398 entry_guard_t *guard,
2399 unsigned old_state)
2400{
2401 tor_assert(gs);
2402
2403 /* Save this, since we're about to overwrite it. */
2404 const time_t last_time_on_internet = gs->last_time_on_internet;
2405 gs->last_time_on_internet = approx_time();
2406
2407 /* If guard was not already marked as reachable, send a GUARD UP signal */
2408 if (guard->is_reachable != GUARD_REACHABLE_YES) {
2409 control_event_guard(guard->nickname, guard->identity, "UP");
2410
2411 /* Schedule a re-assessment of whether we have enough dir info to
2412 * use the network. One of our guards has just moved to
2413 * GUARD_REACHABLE_YES, so maybe we can resume using the network
2414 * now. */
2416 }
2417
2418 guard->is_reachable = GUARD_REACHABLE_YES;
2419 guard->failing_since = 0;
2420 guard->is_pending = 0;
2421 if (guard->is_filtered_guard)
2422 guard->is_usable_filtered_guard = 1;
2423
2424 if (guard->confirmed_idx < 0) {
2425 make_guard_confirmed(gs, guard);
2426 if (!gs->primary_guards_up_to_date)
2428 }
2429
2430 unsigned new_state;
2431 switch (old_state) {
2432 case GUARD_CIRC_STATE_COMPLETE:
2433 case GUARD_CIRC_STATE_USABLE_ON_COMPLETION:
2434 new_state = GUARD_CIRC_STATE_COMPLETE;
2435 break;
2436 default:
2439 case GUARD_CIRC_STATE_USABLE_IF_NO_BETTER_GUARD:
2440 if (guard->is_primary) {
2441 /* XXXX #20832 -- I don't actually like this logic. It seems to make
2442 * us a little more susceptible to evil-ISP attacks. The mitigations
2443 * I'm thinking of, however, aren't local to this point, so I'll leave
2444 * it alone. */
2445 /* This guard may have become primary by virtue of being confirmed.
2446 * If so, the circuit for it is now complete.
2447 */
2448 new_state = GUARD_CIRC_STATE_COMPLETE;
2449 } else {
2450 new_state = GUARD_CIRC_STATE_WAITING_FOR_BETTER_GUARD;
2451 }
2452 break;
2453 }
2454
2455 if (! guard->is_primary) {
2456 if (last_time_on_internet + get_internet_likely_down_interval()
2457 < approx_time()) {
2459 }
2460 }
2461
2462 log_info(LD_GUARD, "Recorded success for %s%sguard %s",
2463 guard->is_primary?"primary ":"",
2464 guard->confirmed_idx>=0?"confirmed ":"",
2465 entry_guard_describe(guard));
2466
2467 return new_state;
2468}
2469
2470/**
2471 * Helper: Return true iff <b>a</b> has higher priority than <b>b</b>.
2472 */
2473STATIC int
2474entry_guard_has_higher_priority(entry_guard_t *a, entry_guard_t *b)
2475{
2476 tor_assert(a && b);
2477 if (a == b)
2478 return 0;
2479
2480 /* Confirmed is always better than unconfirmed; lower index better
2481 than higher */
2482 if (a->confirmed_idx < 0) {
2483 if (b->confirmed_idx >= 0)
2484 return 0;
2485 } else {
2486 if (b->confirmed_idx < 0)
2487 return 1;
2488
2489 /* Lower confirmed_idx is better than higher. */
2490 return (a->confirmed_idx < b->confirmed_idx);
2491 }
2492
2493 /* If we reach this point, both are unconfirmed. If one is pending, it
2494 * has higher priority. */
2495 if (a->is_pending) {
2496 if (! b->is_pending)
2497 return 1;
2498
2499 /* Both are pending: earlier last_tried_connect wins. */
2500 return a->last_tried_to_connect < b->last_tried_to_connect;
2501 } else {
2502 if (b->is_pending)
2503 return 0;
2504
2505 /* Neither is pending: priorities are equal. */
2506 return 0;
2507 }
2508}
2509
2510/** Release all storage held in <b>restriction</b> */
2511STATIC void
2512entry_guard_restriction_free_(entry_guard_restriction_t *rst)
2513{
2514 if (rst && rst->excluded) {
2515 SMARTLIST_FOREACH(rst->excluded, void *, g,
2516 tor_free(g));
2517 smartlist_free(rst->excluded);
2518 }
2519 tor_free(rst);
2520}
2521
2522/**
2523 * Release all storage held in <b>state</b>.
2524 */
2525void
2526circuit_guard_state_free_(circuit_guard_state_t *state)
2527{
2528 if (!state)
2529 return;
2530 entry_guard_restriction_free(state->restrictions);
2531 entry_guard_handle_free(state->guard);
2532 tor_free(state);
2533}
2534
2535/** Allocate and return a new circuit_guard_state_t to track the result
2536 * of using <b>guard</b> for a given operation. */
2537MOCK_IMPL(STATIC circuit_guard_state_t *,
2538circuit_guard_state_new,(entry_guard_t *guard, unsigned state,
2539 entry_guard_restriction_t *rst))
2540{
2541 circuit_guard_state_t *result;
2542
2543 result = tor_malloc_zero(sizeof(circuit_guard_state_t));
2544 result->guard = entry_guard_handle_new(guard);
2545 result->state = state;
2546 result->state_set_at = approx_time();
2547 result->restrictions = rst;
2548
2549 return result;
2550}
2551
2552/**
2553 * Pick a suitable entry guard for a circuit in, and place that guard
2554 * in *<b>chosen_node_out</b>. Set *<b>guard_state_out</b> to an opaque
2555 * state object that will record whether the circuit is ready to be used
2556 * or not. Return 0 on success; on failure, return -1.
2557 *
2558 * If a restriction is provided in <b>rst</b>, do not return any guards that
2559 * violate it, and remember that restriction in <b>guard_state_out</b> for
2560 * later use. (Takes ownership of the <b>rst</b> object.)
2561 */
2562int
2563entry_guard_pick_for_circuit(guard_selection_t *gs,
2564 guard_usage_t usage,
2565 entry_guard_restriction_t *rst,
2566 const node_t **chosen_node_out,
2567 circuit_guard_state_t **guard_state_out)
2568{
2569 tor_assert(gs);
2570 tor_assert(chosen_node_out);
2571 tor_assert(guard_state_out);
2572 *chosen_node_out = NULL;
2573 *guard_state_out = NULL;
2574
2575 unsigned state = 0;
2576 entry_guard_t *guard =
2577 select_entry_guard_for_circuit(gs, usage, rst, &state);
2578 if (! guard)
2579 goto fail;
2580 if (BUG(state == 0))
2581 goto fail;
2582 const node_t *node = node_get_by_id(guard->identity);
2583 // XXXX #20827 check Ed ID.
2584 if (! node)
2585 goto fail;
2586 if (BUG(usage != GUARD_USAGE_DIRGUARD &&
2588 goto fail;
2589
2590 *chosen_node_out = node;
2591 *guard_state_out = circuit_guard_state_new(guard, state, rst);
2592
2593 return 0;
2594 fail:
2595 entry_guard_restriction_free(rst);
2596 return -1;
2597}
2598
2599/**
2600 * Called by the circuit building module when a circuit has succeeded: informs
2601 * the guards code that the guard in *<b>guard_state_p</b> is working, and
2602 * advances the state of the guard module. On a GUARD_USABLE_NEVER return
2603 * value, the circuit is broken and should not be used. On a GUARD_USABLE_NOW
2604 * return value, the circuit is ready to use. On a GUARD_MAYBE_USABLE_LATER
2605 * return value, the circuit should not be used until we find out whether
2606 * preferred guards will work for us.
2607 */
2608guard_usable_t
2609entry_guard_succeeded(circuit_guard_state_t **guard_state_p)
2610{
2611 if (BUG(*guard_state_p == NULL))
2612 return GUARD_USABLE_NEVER;
2613
2614 entry_guard_t *guard = entry_guard_handle_get((*guard_state_p)->guard);
2615 if (! guard || BUG(guard->in_selection == NULL))
2616 return GUARD_USABLE_NEVER;
2617
2618 unsigned newstate =
2619 entry_guards_note_guard_success(guard->in_selection, guard,
2620 (*guard_state_p)->state);
2621
2622 (*guard_state_p)->state = newstate;
2623 (*guard_state_p)->state_set_at = approx_time();
2624
2625 if (newstate == GUARD_CIRC_STATE_COMPLETE) {
2626 return GUARD_USABLE_NOW;
2627 } else {
2628 return GUARD_MAYBE_USABLE_LATER;
2629 }
2630}
2631
2632/** Cancel the selection of *<b>guard_state_p</b> without declaring
2633 * success or failure. It is safe to call this function if success or
2634 * failure _has_ already been declared. */
2635void
2636entry_guard_cancel(circuit_guard_state_t **guard_state_p)
2637{
2638 if (BUG(*guard_state_p == NULL))
2639 return;
2640 entry_guard_t *guard = entry_guard_handle_get((*guard_state_p)->guard);
2641 if (! guard)
2642 return;
2643
2644 /* XXXX prop271 -- last_tried_to_connect_at will be erroneous here, but this
2645 * function will only get called in "bug" cases anyway. */
2646 guard->is_pending = 0;
2647 circuit_guard_state_free(*guard_state_p);
2648 *guard_state_p = NULL;
2649}
2650
2651/**
2652 * Called by the circuit building module when a circuit has failed:
2653 * informs the guards code that the guard in *<b>guard_state_p</b> is
2654 * not working, and advances the state of the guard module.
2655 */
2656void
2657entry_guard_failed(circuit_guard_state_t **guard_state_p)
2658{
2659 if (BUG(*guard_state_p == NULL))
2660 return;
2661
2662 entry_guard_t *guard = entry_guard_handle_get((*guard_state_p)->guard);
2663 if (! guard || BUG(guard->in_selection == NULL))
2664 return;
2665
2666 entry_guards_note_guard_failure(guard->in_selection, guard);
2667
2668 (*guard_state_p)->state = GUARD_CIRC_STATE_DEAD;
2669 (*guard_state_p)->state_set_at = approx_time();
2670}
2671
2672/**
2673 * Run the entry_guard_failed() function on every circuit that is
2674 * pending on <b>chan</b>.
2675 */
2676void
2678{
2679 if (!chan)
2680 return;
2681
2682 smartlist_t *pending = smartlist_new();
2684 SMARTLIST_FOREACH_BEGIN(pending, circuit_t *, circ) {
2685 if (!CIRCUIT_IS_ORIGIN(circ))
2686 continue;
2687
2688 origin_circuit_t *origin_circ = TO_ORIGIN_CIRCUIT(circ);
2689 if (origin_circ->guard_state) {
2690 /* We might have no guard state if we didn't use a guard on this
2691 * circuit (eg it's for a fallback directory). */
2692 entry_guard_failed(&origin_circ->guard_state);
2693 }
2694 } SMARTLIST_FOREACH_END(circ);
2695 smartlist_free(pending);
2696}
2697
2698/**
2699 * Return true iff every primary guard in <b>gs</b> is believed to
2700 * be unreachable.
2701 */
2702STATIC int
2704{
2705 tor_assert(gs);
2706 if (!gs->primary_guards_up_to_date)
2708 SMARTLIST_FOREACH_BEGIN(gs->primary_entry_guards, entry_guard_t *, guard) {
2710 if (guard->is_reachable != GUARD_REACHABLE_NO)
2711 return 0;
2712 } SMARTLIST_FOREACH_END(guard);
2713 return 1;
2714}
2715
2716/** Wrapper for entry_guard_has_higher_priority that compares the
2717 * guard-priorities of a pair of circuits. Return 1 if <b>a</b> has higher
2718 * priority than <b>b</b>.
2719 *
2720 * If a restriction is provided in <b>rst</b>, then do not consider
2721 * <b>a</b> to have higher priority if it violates the restriction.
2722 */
2723static int
2725 const entry_guard_restriction_t *rst,
2727{
2728 circuit_guard_state_t *state_a = origin_circuit_get_guard_state(a);
2729 circuit_guard_state_t *state_b = origin_circuit_get_guard_state(b);
2730
2731 tor_assert(state_a);
2732 tor_assert(state_b);
2733
2734 entry_guard_t *guard_a = entry_guard_handle_get(state_a->guard);
2735 entry_guard_t *guard_b = entry_guard_handle_get(state_b->guard);
2736
2737 if (! guard_a) {
2738 /* Unknown guard -- never higher priority. */
2739 return 0;
2740 } else if (! guard_b) {
2741 /* Known guard -- higher priority than any unknown guard. */
2742 return 1;
2743 } else if (! entry_guard_obeys_restriction(guard_a, rst)) {
2744 /* Restriction violated; guard_a cannot have higher priority. */
2745 return 0;
2746 } else {
2747 /* Both known -- compare.*/
2748 return entry_guard_has_higher_priority(guard_a, guard_b);
2749 }
2750}
2751
2752/**
2753 * Look at all of the origin_circuit_t * objects in <b>all_circuits_in</b>,
2754 * and see if any of them that were previously not ready to use for
2755 * guard-related reasons are now ready to use. Place those circuits
2756 * in <b>newly_complete_out</b>, and mark them COMPLETE.
2757 *
2758 * Return 1 if we upgraded any circuits, and 0 otherwise.
2759 */
2760int
2762 const smartlist_t *all_circuits_in,
2763 smartlist_t *newly_complete_out)
2764{
2765 tor_assert(gs);
2766 tor_assert(all_circuits_in);
2767 tor_assert(newly_complete_out);
2768
2770 /* We only upgrade a waiting circuit if the primary guards are all
2771 * down. */
2772 log_debug(LD_GUARD, "Considered upgrading guard-stalled circuits, "
2773 "but not all primary guards were definitely down.");
2774 return 0;
2775 }
2776
2777 int n_waiting = 0;
2778 int n_complete = 0;
2779 int n_complete_blocking = 0;
2780 origin_circuit_t *best_waiting_circuit = NULL;
2781 smartlist_t *all_circuits = smartlist_new();
2782 SMARTLIST_FOREACH_BEGIN(all_circuits_in, origin_circuit_t *, circ) {
2783 // We filter out circuits that aren't ours, or which we can't
2784 // reason about.
2785 circuit_guard_state_t *state = origin_circuit_get_guard_state(circ);
2786 if (state == NULL)
2787 continue;
2788 entry_guard_t *guard = entry_guard_handle_get(state->guard);
2789 if (!guard || guard->in_selection != gs)
2790 continue;
2791 if (TO_CIRCUIT(circ)->marked_for_close) {
2792 /* Don't consider any marked for close circuits. */
2793 continue;
2794 }
2795
2796 smartlist_add(all_circuits, circ);
2797 } SMARTLIST_FOREACH_END(circ);
2798
2799 SMARTLIST_FOREACH_BEGIN(all_circuits, origin_circuit_t *, circ) {
2800 circuit_guard_state_t *state = origin_circuit_get_guard_state(circ);
2801 if (BUG(state == NULL))
2802 continue;
2803
2804 if (state->state == GUARD_CIRC_STATE_WAITING_FOR_BETTER_GUARD) {
2805 ++n_waiting;
2806 if (! best_waiting_circuit ||
2807 circ_state_has_higher_priority(circ, NULL, best_waiting_circuit)) {
2808 best_waiting_circuit = circ;
2809 }
2810 }
2811 } SMARTLIST_FOREACH_END(circ);
2812
2813 if (! best_waiting_circuit) {
2814 log_debug(LD_GUARD, "Considered upgrading guard-stalled circuits, "
2815 "but didn't find any.");
2816 goto no_change;
2817 }
2818
2819 /* We'll need to keep track of what restrictions were used when picking this
2820 * circuit, so that we don't allow any circuit without those restrictions to
2821 * block it. */
2822 const entry_guard_restriction_t *rst_on_best_waiting =
2823 origin_circuit_get_guard_state(best_waiting_circuit)->restrictions;
2824
2825 /* First look at the complete circuits: Do any block this circuit? */
2826 SMARTLIST_FOREACH_BEGIN(all_circuits, origin_circuit_t *, circ) {
2827 /* "C2 "blocks" C1 if:
2828 * C2 obeys all the restrictions that C1 had to obey, AND
2829 * C2 has higher priority than C1, AND
2830 * Either C2 is <complete>, or C2 is <waiting_for_better_guard>,
2831 or C2 has been <usable_if_no_better_guard> for no more than
2832 {NONPRIMARY_GUARD_CONNECT_TIMEOUT} seconds."
2833 */
2834 circuit_guard_state_t *state = origin_circuit_get_guard_state(circ);
2835 if (BUG(state == NULL))
2836 continue;
2837 if (state->state != GUARD_CIRC_STATE_COMPLETE)
2838 continue;
2839 ++n_complete;
2840 if (circ_state_has_higher_priority(circ, rst_on_best_waiting,
2841 best_waiting_circuit))
2842 ++n_complete_blocking;
2843 } SMARTLIST_FOREACH_END(circ);
2844
2845 if (n_complete_blocking) {
2846 log_debug(LD_GUARD, "Considered upgrading guard-stalled circuits: found "
2847 "%d complete and %d guard-stalled. At least one complete "
2848 "circuit had higher priority, so not upgrading.",
2849 n_complete, n_waiting);
2850 goto no_change;
2851 }
2852
2853 /* " * If any circuit C1 is <waiting_for_better_guard>, AND:
2854 * All primary guards have reachable status of <no>.
2855 * There is no circuit C2 that "blocks" C1.
2856 Then, upgrade C1 to <complete>.""
2857 */
2858 int n_blockers_found = 0;
2859 const time_t state_set_at_cutoff =
2861 SMARTLIST_FOREACH_BEGIN(all_circuits, origin_circuit_t *, circ) {
2862 circuit_guard_state_t *state = origin_circuit_get_guard_state(circ);
2863 if (BUG(state == NULL))
2864 continue;
2865 if (state->state != GUARD_CIRC_STATE_USABLE_IF_NO_BETTER_GUARD)
2866 continue;
2867 if (state->state_set_at <= state_set_at_cutoff)
2868 continue;
2869 if (circ_state_has_higher_priority(circ, rst_on_best_waiting,
2870 best_waiting_circuit))
2871 ++n_blockers_found;
2872 } SMARTLIST_FOREACH_END(circ);
2873
2874 if (n_blockers_found) {
2875 log_debug(LD_GUARD, "Considered upgrading guard-stalled circuits: found "
2876 "%d guard-stalled, but %d pending circuit(s) had higher "
2877 "guard priority, so not upgrading.",
2878 n_waiting, n_blockers_found);
2879 goto no_change;
2880 }
2881
2882 /* Okay. We have a best waiting circuit, and we aren't waiting for
2883 anything better. Add all circuits with that priority to the
2884 list, and call them COMPLETE. */
2885 int n_succeeded = 0;
2886 SMARTLIST_FOREACH_BEGIN(all_circuits, origin_circuit_t *, circ) {
2887 circuit_guard_state_t *state = origin_circuit_get_guard_state(circ);
2888 if (BUG(state == NULL))
2889 continue;
2890 if (circ != best_waiting_circuit && rst_on_best_waiting) {
2891 /* Can't upgrade other circ with same priority as best; might
2892 be blocked. */
2893 continue;
2894 }
2895 if (state->state != GUARD_CIRC_STATE_WAITING_FOR_BETTER_GUARD)
2896 continue;
2897 if (circ_state_has_higher_priority(best_waiting_circuit, NULL, circ))
2898 continue;
2899
2900 state->state = GUARD_CIRC_STATE_COMPLETE;
2901 state->state_set_at = approx_time();
2902 smartlist_add(newly_complete_out, circ);
2903 ++n_succeeded;
2904 } SMARTLIST_FOREACH_END(circ);
2905
2906 log_info(LD_GUARD, "Considered upgrading guard-stalled circuits: found "
2907 "%d guard-stalled, %d complete. %d of the guard-stalled "
2908 "circuit(s) had high enough priority to upgrade.",
2909 n_waiting, n_complete, n_succeeded);
2910
2911 tor_assert_nonfatal(n_succeeded >= 1);
2912 smartlist_free(all_circuits);
2913 return 1;
2914
2915 no_change:
2916 smartlist_free(all_circuits);
2917 return 0;
2918}
2919
2920/**
2921 * Return true iff the circuit whose state is <b>guard_state</b> should
2922 * expire.
2923 */
2924int
2925entry_guard_state_should_expire(circuit_guard_state_t *guard_state)
2926{
2927 if (guard_state == NULL)
2928 return 0;
2929 const time_t expire_if_waiting_since =
2931 return (guard_state->state == GUARD_CIRC_STATE_WAITING_FOR_BETTER_GUARD
2932 && guard_state->state_set_at < expire_if_waiting_since);
2933}
2934
2935/**
2936 * Update all derived pieces of the guard selection state in <b>gs</b>.
2937 * Return true iff we should stop using all previously generated circuits.
2938 */
2939int
2940entry_guards_update_all(guard_selection_t *gs)
2941{
2946 return 0;
2947}
2948
2949/**
2950 * Return a newly allocated string for encoding the persistent parts of
2951 * <b>guard</b> to the state file. <b>dense_sampled_idx</b> refers to the
2952 * sampled_idx made dense for this <b>guard</b>. Encoding all guards should
2953 * lead to a dense array of sampled_idx in the state file.
2954 */
2955STATIC char *
2956entry_guard_encode_for_state(entry_guard_t *guard, int dense_sampled_idx)
2957{
2958 /*
2959 * The meta-format we use is K=V K=V K=V... where K can be any
2960 * characters excepts space and =, and V can be any characters except
2961 * space. The order of entries is not allowed to matter.
2962 * Unrecognized K=V entries are persisted; recognized but erroneous
2963 * entries are corrected.
2964 */
2965
2966 smartlist_t *result = smartlist_new();
2967 char tbuf[ISO_TIME_LEN+1];
2968
2969 tor_assert(guard);
2970
2971 smartlist_add_asprintf(result, "in=%s", guard->selection_name);
2972 smartlist_add_asprintf(result, "rsa_id=%s",
2973 hex_str(guard->identity, DIGEST_LEN));
2974 if (guard->bridge_addr) {
2975 smartlist_add_asprintf(result, "bridge_addr=%s:%d",
2976 fmt_and_decorate_addr(&guard->bridge_addr->addr),
2977 guard->bridge_addr->port);
2978 }
2979 if (strlen(guard->nickname) && is_legal_nickname(guard->nickname)) {
2980 smartlist_add_asprintf(result, "nickname=%s", guard->nickname);
2981 }
2982
2983 format_iso_time_nospace(tbuf, guard->sampled_on_date);
2984 smartlist_add_asprintf(result, "sampled_on=%s", tbuf);
2985 // Replacing the sampled_idx by dense array
2986 smartlist_add_asprintf(result, "sampled_idx=%d", dense_sampled_idx);
2987 if (guard->sampled_by_version) {
2988 smartlist_add_asprintf(result, "sampled_by=%s",
2989 guard->sampled_by_version);
2990 }
2991
2992 if (guard->unlisted_since_date > 0) {
2993 format_iso_time_nospace(tbuf, guard->unlisted_since_date);
2994 smartlist_add_asprintf(result, "unlisted_since=%s", tbuf);
2995 }
2996
2997 smartlist_add_asprintf(result, "listed=%d",
2998 (int)guard->currently_listed);
2999
3000 if (guard->confirmed_idx >= 0) {
3001 format_iso_time_nospace(tbuf, guard->confirmed_on_date);
3002 smartlist_add_asprintf(result, "confirmed_on=%s", tbuf);
3003
3004 smartlist_add_asprintf(result, "confirmed_idx=%d", guard->confirmed_idx);
3005 }
3006
3007 const double EPSILON = 1.0e-6;
3008
3009 /* Make a copy of the pathbias object, since we will want to update
3010 some of them */
3011 guard_pathbias_t *pb = tor_memdup(&guard->pb, sizeof(*pb));
3014
3015 #define PB_FIELD(field) do { \
3016 if (pb->field >= EPSILON) { \
3017 smartlist_add_asprintf(result, "pb_" #field "=%f", pb->field); \
3018 } \
3019 } while (0)
3020 PB_FIELD(use_attempts);
3021 PB_FIELD(use_successes);
3022 PB_FIELD(circ_attempts);
3023 PB_FIELD(circ_successes);
3024 PB_FIELD(successful_circuits_closed);
3025 PB_FIELD(collapsed_circuits);
3026 PB_FIELD(unusable_circuits);
3027 PB_FIELD(timeouts);
3028 tor_free(pb);
3029#undef PB_FIELD
3030
3031 if (guard->extra_state_fields)
3032 smartlist_add_strdup(result, guard->extra_state_fields);
3033
3034 char *joined = smartlist_join_strings(result, " ", 0, NULL);
3035 SMARTLIST_FOREACH(result, char *, cp, tor_free(cp));
3036 smartlist_free(result);
3037
3038 return joined;
3039}
3040
3041/**
3042 * Extract key=val from the state string <b>s</b> and duplicate the value to
3043 * some string target declared in entry_guard_parse_from_state
3044 */
3045static void
3047 *extra, strmap_t *vals)
3048{
3049 smartlist_split_string(entries, s, " ",
3050 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
3051
3052 SMARTLIST_FOREACH_BEGIN(entries, char *, entry) {
3053 const char *eq = strchr(entry, '=');
3054 if (!eq) {
3055 smartlist_add(extra, entry);
3056 continue;
3057 }
3058 char *key = tor_strndup(entry, eq-entry);
3059 char **target = strmap_get(vals, key);
3060 if (target == NULL || *target != NULL) {
3061 /* unrecognized or already set */
3062 smartlist_add(extra, entry);
3063 tor_free(key);
3064 continue;
3065 }
3066
3067 *target = tor_strdup(eq+1);
3068 tor_free(key);
3069 tor_free(entry);
3070 } SMARTLIST_FOREACH_END(entry);
3071}
3072
3073/**
3074 * Handle part of the parsing state file logic, focused on time related things
3075 */
3076static void
3077parse_from_state_handle_time(entry_guard_t *guard, char *sampled_on, char
3078 *unlisted_since, char *confirmed_on)
3079{
3080#define HANDLE_TIME(field) do { \
3081 if (field) { \
3082 int r = parse_iso_time_nospace(field, &field ## _time); \
3083 if (r < 0) { \
3084 log_warn(LD_CIRC, "Unable to parse %s %s from guard", \
3085 #field, escaped(field)); \
3086 field##_time = -1; \
3087 } \
3088 } \
3089 } while (0)
3090
3091 time_t sampled_on_time = 0;
3092 time_t unlisted_since_time = 0;
3093 time_t confirmed_on_time = 0;
3094
3095 HANDLE_TIME(sampled_on);
3096 HANDLE_TIME(unlisted_since);
3097 HANDLE_TIME(confirmed_on);
3098
3099 if (sampled_on_time <= 0)
3100 sampled_on_time = approx_time();
3101 if (unlisted_since_time < 0)
3102 unlisted_since_time = 0;
3103 if (confirmed_on_time < 0)
3104 confirmed_on_time = 0;
3105
3106 #undef HANDLE_TIME
3107
3108 guard->sampled_on_date = sampled_on_time;
3109 guard->unlisted_since_date = unlisted_since_time;
3110 guard->confirmed_on_date = confirmed_on_time;
3111}
3112
3113/**
3114 * Given a string generated by entry_guard_encode_for_state(), parse it
3115 * (if possible) and return an entry_guard_t object for it. Return NULL
3116 * on complete failure.
3117 */
3118STATIC entry_guard_t *
3120{
3121 /* Unrecognized entries get put in here. */
3122 smartlist_t *extra = smartlist_new();
3123
3124 /* These fields get parsed from the string. */
3125 char *in = NULL;
3126 char *rsa_id = NULL;
3127 char *nickname = NULL;
3128 char *sampled_on = NULL;
3129 char *sampled_idx = NULL;
3130 char *sampled_by = NULL;
3131 char *unlisted_since = NULL;
3132 char *listed = NULL;
3133 char *confirmed_on = NULL;
3134 char *confirmed_idx = NULL;
3135 char *bridge_addr = NULL;
3136
3137 // pathbias
3138 char *pb_use_attempts = NULL;
3139 char *pb_use_successes = NULL;
3140 char *pb_circ_attempts = NULL;
3141 char *pb_circ_successes = NULL;
3142 char *pb_successful_circuits_closed = NULL;
3143 char *pb_collapsed_circuits = NULL;
3144 char *pb_unusable_circuits = NULL;
3145 char *pb_timeouts = NULL;
3146 int invalid_sampled_idx = get_max_sample_size_absolute();
3147
3148 /* Split up the entries. Put the ones we know about in strings and the
3149 * rest in "extra". */
3150 {
3151 smartlist_t *entries = smartlist_new();
3152
3153 strmap_t *vals = strmap_new(); // Maps keyword to location
3154#define FIELD(f) \
3155 strmap_set(vals, #f, &f);
3156 FIELD(in);
3157 FIELD(rsa_id);
3158 FIELD(nickname);
3159 FIELD(sampled_on);
3160 FIELD(sampled_idx);
3161 FIELD(sampled_by);
3162 FIELD(unlisted_since);
3163 FIELD(listed);
3164 FIELD(confirmed_on);
3165 FIELD(confirmed_idx);
3166 FIELD(bridge_addr);
3167 FIELD(pb_use_attempts);
3168 FIELD(pb_use_successes);
3169 FIELD(pb_circ_attempts);
3170 FIELD(pb_circ_successes);
3171 FIELD(pb_successful_circuits_closed);
3172 FIELD(pb_collapsed_circuits);
3173 FIELD(pb_unusable_circuits);
3174 FIELD(pb_timeouts);
3175#undef FIELD
3176 /* Extract from s the key=val that we recognize, put the others in extra*/
3177 parse_from_state_set_vals(s, entries, extra, vals);
3178
3179 smartlist_free(entries);
3180 strmap_free(vals, NULL);
3181 }
3182
3183 entry_guard_t *guard = tor_malloc_zero(sizeof(entry_guard_t));
3184 guard->is_persistent = 1;
3185
3186 if (in == NULL) {
3187 log_warn(LD_CIRC, "Guard missing 'in' field");
3188 goto err;
3189 }
3190
3191 guard->selection_name = in;
3192 in = NULL;
3193
3194 if (rsa_id == NULL) {
3195 log_warn(LD_CIRC, "Guard missing RSA ID field");
3196 goto err;
3197 }
3198
3199 /* Process the identity and nickname. */
3200 if (base16_decode(guard->identity, sizeof(guard->identity),
3201 rsa_id, strlen(rsa_id)) != DIGEST_LEN) {
3202 log_warn(LD_CIRC, "Unable to decode guard identity %s", escaped(rsa_id));
3203 goto err;
3204 }
3205
3206 if (nickname) {
3207 strlcpy(guard->nickname, nickname, sizeof(guard->nickname));
3208 } else {
3209 guard->nickname[0]='$';
3210 base16_encode(guard->nickname+1, sizeof(guard->nickname)-1,
3211 guard->identity, DIGEST_LEN);
3212 }
3213
3214 if (bridge_addr) {
3215 tor_addr_port_t res;
3216 memset(&res, 0, sizeof(res));
3217 int r = tor_addr_port_parse(LOG_WARN, bridge_addr,
3218 &res.addr, &res.port, -1);
3219 if (r == 0)
3220 guard->bridge_addr = tor_memdup(&res, sizeof(res));
3221 /* On error, we already warned. */
3222 }
3223
3224 /* Process the various time fields. */
3225 parse_from_state_handle_time(guard, sampled_on, unlisted_since,
3226 confirmed_on);
3227
3228 /* Take sampled_by_version verbatim. */
3229 guard->sampled_by_version = sampled_by;
3230 sampled_by = NULL; /* prevent free */
3231 /* Listed is a boolean */
3232 if (listed && strcmp(listed, "0"))
3233 guard->currently_listed = 1;
3234
3235 /* The index is a nonnegative integer. */
3236 guard->confirmed_idx = -1;
3237 if (confirmed_idx) {
3238 int ok=1;
3239 long idx = tor_parse_long(confirmed_idx, 10, 0, INT_MAX, &ok, NULL);
3240 if (! ok) {
3241 log_warn(LD_GUARD, "Guard has invalid confirmed_idx %s",
3242 escaped(confirmed_idx));
3243 } else {
3244 guard->confirmed_idx = (int)idx;
3245 }
3246 }
3247
3248 if (sampled_idx) {
3249 int ok = 1;
3250 long idx = tor_parse_long(sampled_idx, 10, 0, INT_MAX, &ok, NULL);
3251 if (!ok) {
3252 log_warn(LD_GUARD, "Guard has invalid sampled_idx %s",
3253 escaped(sampled_idx));
3254 /* set it to a idx higher than the max sample size */
3255 guard->sampled_idx = invalid_sampled_idx++;
3256 } else {
3257 guard->sampled_idx = (int)idx;
3258 }
3259 } else if (confirmed_idx) {
3260 /* This state has been written by an older Tor version which did not have
3261 * sample ordering */
3262
3263 guard->sampled_idx = guard->confirmed_idx;
3264 } else {
3265 log_info(LD_GUARD, "The state file seems to be into a status that could"
3266 " yield to weird entry node selection: we're missing both a"
3267 " sampled_idx and a confirmed_idx.");
3268 guard->sampled_idx = invalid_sampled_idx++;
3269 }
3270
3271 /* Anything we didn't recognize gets crammed together */
3272 if (smartlist_len(extra) > 0) {
3273 guard->extra_state_fields = smartlist_join_strings(extra, " ", 0, NULL);
3274 }
3275
3276 /* initialize non-persistent fields */
3277 guard->is_reachable = GUARD_REACHABLE_MAYBE;
3278
3279#define PB_FIELD(field) \
3280 do { \
3281 if (pb_ ## field) { \
3282 int ok = 1; \
3283 double r = tor_parse_double(pb_ ## field, 0.0, 1e9, &ok, NULL); \
3284 if (! ok) { \
3285 log_warn(LD_CIRC, "Guard has invalid pb_%s %s", \
3286 #field, pb_ ## field); \
3287 } else { \
3288 guard->pb.field = r; \
3289 } \
3290 } \
3291 } while (0)
3292 PB_FIELD(use_attempts);
3293 PB_FIELD(use_successes);
3294 PB_FIELD(circ_attempts);
3295 PB_FIELD(circ_successes);
3296 PB_FIELD(successful_circuits_closed);
3297 PB_FIELD(collapsed_circuits);
3298 PB_FIELD(unusable_circuits);
3299 PB_FIELD(timeouts);
3300#undef PB_FIELD
3301
3304
3305 /* We update everything on this guard later, after we've parsed
3306 * everything. */
3307
3308 goto done;
3309
3310 err:
3311 // only consider it an error if the guard state was totally unparseable.
3312 entry_guard_free(guard);
3313 guard = NULL;
3314
3315 done:
3316 tor_free(in);
3317 tor_free(rsa_id);
3318 tor_free(nickname);
3319 tor_free(sampled_on);
3320 tor_free(sampled_by);
3321 tor_free(unlisted_since);
3322 tor_free(listed);
3323 tor_free(confirmed_on);
3324 tor_free(confirmed_idx);
3325 tor_free(sampled_idx);
3326 tor_free(bridge_addr);
3327 tor_free(pb_use_attempts);
3328 tor_free(pb_use_successes);
3329 tor_free(pb_circ_attempts);
3330 tor_free(pb_circ_successes);
3331 tor_free(pb_successful_circuits_closed);
3332 tor_free(pb_collapsed_circuits);
3333 tor_free(pb_unusable_circuits);
3334 tor_free(pb_timeouts);
3335
3336 SMARTLIST_FOREACH(extra, char *, cp, tor_free(cp));
3337 smartlist_free(extra);
3338
3339 return guard;
3340}
3341
3342/**
3343 * Replace the Guards entries in <b>state</b> with a list of all our sampled
3344 * guards.
3345 */
3346static void
3348{
3349 if (!guard_contexts)
3350 return;
3351 config_line_t *lines = NULL;
3352 config_line_t **nextline = &lines;
3353
3354 SMARTLIST_FOREACH_BEGIN(guard_contexts, guard_selection_t *, gs) {
3355 int i = 0;
3356 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
3357 if (guard->is_persistent == 0)
3358 continue;
3359 *nextline = tor_malloc_zero(sizeof(config_line_t));
3360 (*nextline)->key = tor_strdup("Guard");
3361 (*nextline)->value = entry_guard_encode_for_state(guard, i);
3362 nextline = &(*nextline)->next;
3363 i++;
3364 } SMARTLIST_FOREACH_END(guard);
3365 } SMARTLIST_FOREACH_END(gs);
3366
3367 config_free_lines(state->Guard);
3368 state->Guard = lines;
3369}
3370
3371/**
3372 * Replace our sampled guards from the Guards entries in <b>state</b>. Return 0
3373 * on success, -1 on failure. (If <b>set</b> is true, replace nothing -- only
3374 * check whether replacing would work.)
3375 */
3376static int
3378{
3379 const config_line_t *line = state->Guard;
3380 int n_errors = 0;
3381
3382 if (!guard_contexts)
3384
3385 /* Wipe all our existing guard info. (we shouldn't have any, but
3386 * let's be safe.) */
3387 if (set) {
3388 SMARTLIST_FOREACH_BEGIN(guard_contexts, guard_selection_t *, gs) {
3389 guard_selection_free(gs);
3390 if (curr_guard_context == gs)
3391 curr_guard_context = NULL;
3393 } SMARTLIST_FOREACH_END(gs);
3394 }
3395
3396 for ( ; line != NULL; line = line->next) {
3397 entry_guard_t *guard = entry_guard_parse_from_state(line->value);
3398 if (guard == NULL) {
3399 ++n_errors;
3400 continue;
3401 }
3402 tor_assert(guard->selection_name);
3403 if (!strcmp(guard->selection_name, "legacy")) {
3404 ++n_errors;
3405 entry_guard_free(guard);
3406 continue;
3407 }
3408
3409 if (set) {
3410 guard_selection_t *gs;
3411 gs = get_guard_selection_by_name(guard->selection_name,
3412 GS_TYPE_INFER, 1);
3413 tor_assert(gs);
3414 smartlist_add(gs->sampled_entry_guards, guard);
3415 guard->in_selection = gs;
3416 /* Recompute the next_sampled_id from the state. We do not assume that
3417 * sampled guards appear in the correct order within the file, and we
3418 * need to know what would be the next sampled idx to give to any
3419 * new sampled guard (i.e., max of guard->sampled_idx + 1)*/
3420 if (gs->next_sampled_idx <= guard->sampled_idx) {
3421 gs->next_sampled_idx = guard->sampled_idx + 1;
3422 }
3423
3424 } else {
3425 entry_guard_free(guard);
3426 }
3427 }
3428
3429 if (set) {
3430 SMARTLIST_FOREACH_BEGIN(guard_contexts, guard_selection_t *, gs) {
3431 /** Guards should be in sample order within the file, but it is maybe
3432 * better NOT to assume that. Let's order them before updating lists
3433 */
3434 smartlist_sort(gs->sampled_entry_guards, compare_guards_by_sampled_idx);
3436 } SMARTLIST_FOREACH_END(gs);
3437 }
3438 return n_errors ? -1 : 0;
3439}
3440
3441/** If <b>digest</b> matches the identity of any node in the
3442 * entry_guards list for the provided guard selection state,
3443 return that node. Else return NULL. */
3444entry_guard_t *
3446 const char *digest)
3447{
3448 return get_sampled_guard_with_id(gs, (const uint8_t*)digest);
3449}
3450
3451/** Return the node_t associated with a single entry_guard_t. May
3452 * return NULL if the guard is not currently in the consensus. */
3453const node_t *
3454entry_guard_find_node(const entry_guard_t *guard)
3455{
3456 tor_assert(guard);
3457 return node_get_by_id(guard->identity);
3458}
3459
3460/** If <b>digest</b> matches the identity of any node in the
3461 * entry_guards list for the default guard selection state,
3462 return that node. Else return NULL. */
3463entry_guard_t *
3465{
3467 get_guard_selection_info(), digest);
3468}
3469
3470/** We are about to connect to bridge with identity <b>digest</b> to fetch its
3471 * descriptor. Create a new guard state for this connection and return it. */
3472circuit_guard_state_t *
3474{
3475 circuit_guard_state_t *guard_state = NULL;
3476 entry_guard_t *guard = NULL;
3477
3479 get_guard_selection_info(), digest);
3480 if (!guard) {
3481 return NULL;
3482 }
3483
3484 /* Update the guard last_tried_to_connect time since it's checked by the
3485 * guard subsystem. */
3486 guard->last_tried_to_connect = approx_time();
3487
3488 /* Create the guard state */
3489 guard_state = circuit_guard_state_new(guard,
3490 GUARD_CIRC_STATE_USABLE_ON_COMPLETION,
3491 NULL);
3492
3493 return guard_state;
3494}
3495
3496/** Release all storage held by <b>e</b>. */
3497STATIC void
3498entry_guard_free_(entry_guard_t *e)
3499{
3500 if (!e)
3501 return;
3502 entry_guard_handles_clear(e);
3503 tor_free(e->sampled_by_version);
3504 tor_free(e->extra_state_fields);
3505 tor_free(e->selection_name);
3506 tor_free(e->bridge_addr);
3507 tor_free(e);
3508}
3509
3510/** Return 0 if we're fine adding arbitrary routers out of the
3511 * directory to our entry guard list, or return 1 if we have a
3512 * list already and we must stick to it.
3513 */
3514int
3516{
3517 // XXXX #21425 look at the current selection.
3518 if (options->EntryNodes)
3519 return 1;
3520 if (options->UseBridges)
3521 return 1;
3522 return 0;
3523}
3524
3525/** Return the number of bridges that have descriptors that are marked with
3526 * purpose 'bridge' and are running. If use_maybe_reachable is
3527 * true, include bridges that might be reachable in the count.
3528 * Otherwise, if it is false, only include bridges that have recently been
3529 * found running in the count.
3530 *
3531 * We use this function to decide if we're ready to start building
3532 * circuits through our bridges, or if we need to wait until the
3533 * directory "server/authority" requests finish. */
3534MOCK_IMPL(int,
3535num_bridges_usable,(int use_maybe_reachable))
3536{
3537 int n_options = 0;
3538
3539 if (BUG(!get_options()->UseBridges)) {
3540 return 0;
3541 }
3542 guard_selection_t *gs = get_guard_selection_info();
3543 if (BUG(gs->type != GS_TYPE_BRIDGE)) {
3544 return 0;
3545 }
3546
3547 SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) {
3548 /* Not a bridge, or not one we are configured to be able to use. */
3549 if (! guard->is_filtered_guard)
3550 continue;
3551 /* Definitely not usable */
3552 if (guard->is_reachable == GUARD_REACHABLE_NO)
3553 continue;
3554 /* If we want to be really sure the bridges will work, skip maybes */
3555 if (!use_maybe_reachable && guard->is_reachable == GUARD_REACHABLE_MAYBE)
3556 continue;
3557 if (tor_digest_is_zero(guard->identity))
3558 continue;
3559 const node_t *node = node_get_by_id(guard->identity);
3560 if (node && node->ri)
3561 ++n_options;
3562 } SMARTLIST_FOREACH_END(guard);
3563
3564 return n_options;
3565}
3566
3567/** Check the pathbias use success count of <b>node</b> and disable it if it
3568 * goes over our thresholds. */
3569static void
3571{
3572 const or_options_t *options = get_options();
3573 const double EPSILON = 1.0e-9;
3574
3575 /* Note: We rely on the < comparison here to allow us to set a 0
3576 * rate and disable the feature entirely. If refactoring, don't
3577 * change to <= */
3578 if (node->pb.use_attempts > EPSILON &&
3579 pathbias_get_use_success_count(node)/node->pb.use_attempts
3580 < pathbias_get_extreme_use_rate(options) &&
3581 pathbias_get_dropguards(options)) {
3582 node->pb.path_bias_disabled = 1;
3583 log_info(LD_GENERAL,
3584 "Path use bias is too high (%f/%f); disabling node %s",
3585 node->pb.circ_successes, node->pb.circ_attempts,
3586 node->nickname);
3587 }
3588}
3589
3590/** Check the pathbias close count of <b>node</b> and disable it if it goes
3591 * over our thresholds. */
3592static void
3594{
3595 const or_options_t *options = get_options();
3596 const double EPSILON = 1.0e-9;
3597
3598 /* Note: We rely on the < comparison here to allow us to set a 0
3599 * rate and disable the feature entirely. If refactoring, don't
3600 * change to <= */
3601 if (node->pb.circ_attempts > EPSILON &&
3602 pathbias_get_close_success_count(node)/node->pb.circ_attempts
3603 < pathbias_get_extreme_rate(options) &&
3604 pathbias_get_dropguards(options)) {
3605 node->pb.path_bias_disabled = 1;
3606 log_info(LD_GENERAL,
3607 "Path bias is too high (%f/%f); disabling node %s",
3608 node->pb.circ_successes, node->pb.circ_attempts,
3609 node->nickname);
3610 }
3611}
3612
3613/** Parse <b>state</b> and learn about the entry guards it describes.
3614 * If <b>set</b> is true, and there are no errors, replace the guard
3615 * list in the default guard selection context with what we find.
3616 * On success, return 0. On failure, alloc into *<b>msg</b> a string
3617 * describing the error, and return -1.
3618 */
3619int
3620entry_guards_parse_state(or_state_t *state, int set, char **msg)
3621{
3623 int r1 = entry_guards_load_guards_from_state(state, set);
3625
3626 if (r1 < 0) {
3627 if (msg && *msg == NULL) {
3628 *msg = tor_strdup("parsing error");
3629 }
3630 return -1;
3631 }
3632 return 0;
3633}
3634
3635/** How long will we let a change in our guard nodes stay un-saved
3636 * when we are trying to avoid disk writes? */
3637#define SLOW_GUARD_STATE_FLUSH_TIME 600
3638/** How long will we let a change in our guard nodes stay un-saved
3639 * when we are not trying to avoid disk writes? */
3640#define FAST_GUARD_STATE_FLUSH_TIME 30
3641
3642/** Our list of entry guards has changed for a particular guard selection
3643 * context, or some element of one of our entry guards has changed for one.
3644 * Write the changes to disk within the next few minutes.
3645 */
3646void
3648{
3649 time_t when;
3650
3651 tor_assert(gs != NULL);
3652
3654
3655 if (get_options()->AvoidDiskWrites)
3656 when = time(NULL) + SLOW_GUARD_STATE_FLUSH_TIME;
3657 else
3658 when = time(NULL) + FAST_GUARD_STATE_FLUSH_TIME;
3659
3660 /* or_state_save() will call entry_guards_update_state() and
3661 entry_guards_update_guards_in_state()
3662 */
3664
3665 /* Schedule a re-assessment of whether we have enough dir info to
3666 * use the network. When we add or remove or disable or enable a
3667 * guard, the decision could shift. */
3669}
3670
3671/** Our list of entry guards has changed for the default guard selection
3672 * context, or some element of one of our entry guards has changed. Write
3673 * the changes to disk within the next few minutes.
3674 */
3675void
3677{
3679}
3680
3681/** If the entry guard info has not changed, do nothing and return.
3682 * Otherwise, free the EntryGuards piece of <b>state</b> and create
3683 * a new one out of the global entry_guards list, and then mark
3684 * <b>state</b> dirty so it will get saved to disk.
3685 */
3686void
3688{
3690
3691 // Handles all guard info.
3693
3695
3696 if (!get_options()->AvoidDiskWrites)
3699}
3700
3701/** Return true iff the circuit's guard can succeed, that is, can be used. */
3702int
3703entry_guard_could_succeed(const circuit_guard_state_t *guard_state)
3704{
3705 if (get_options()->UseEntryGuards == 0) {
3706 /* we're fine with this circuit's first hop, because we're not
3707 * configured to use entry guards. */
3708 return 1;
3709 }
3710
3711 if (!guard_state) {
3712 return 0;
3713 }
3714
3715 entry_guard_t *guard = entry_guard_handle_get(guard_state->guard);
3716 if (!guard || BUG(guard->in_selection == NULL)) {
3717 return 0;
3718 }
3719
3720 return 1;
3721}
3722
3723/**
3724 * Format a single entry guard in the format expected by the controller.
3725 * Return a newly allocated string.
3726 */
3727STATIC char *
3729{
3730 const char *status = NULL;
3731 time_t when = 0;
3732 const node_t *node;
3733 char tbuf[ISO_TIME_LEN+1];
3734 char nbuf[MAX_VERBOSE_NICKNAME_LEN+1];
3735
3736 /* This is going to be a bit tricky, since the status
3737 * codes weren't really intended for prop271 guards.
3738 *
3739 * XXXX use a more appropriate format for exporting this information
3740 */
3741 if (e->confirmed_idx < 0) {
3742 status = "never-connected";
3743 } else if (! e->currently_listed) {
3744 when = e->unlisted_since_date;
3745 status = "unusable";
3746 } else if (! e->is_filtered_guard) {
3747 status = "unusable";
3748 } else if (e->is_reachable == GUARD_REACHABLE_NO) {
3749 when = e->failing_since;
3750 status = "down";
3751 } else {
3752 status = "up";
3753 }
3754
3755 node = entry_guard_find_node(e);
3756 if (node) {
3757 node_get_verbose_nickname(node, nbuf);
3758 } else {
3759 nbuf[0] = '$';
3760 base16_encode(nbuf+1, sizeof(nbuf)-1, e->identity, DIGEST_LEN);
3761 /* e->nickname field is not very reliable if we don't know about
3762 * this router any longer; don't include it. */
3763 }
3764
3765 char *result = NULL;
3766 if (when) {
3767 format_iso_time(tbuf, when);
3768 tor_asprintf(&result, "%s %s %s\n", nbuf, status, tbuf);
3769 } else {
3770 tor_asprintf(&result, "%s %s\n", nbuf, status);
3771 }
3772 return result;
3773}
3774
3775/** If <b>question</b> is the string "entry-guards", then dump
3776 * to *<b>answer</b> a newly allocated string describing all of
3777 * the nodes in the global entry_guards list. See control-spec.txt
3778 * for details.
3779 * For backward compatibility, we also handle the string "helper-nodes".
3780 *
3781 * XXX this should be totally redesigned after prop 271 too, and that's
3782 * going to take some control spec work.
3783 * */
3784int
3786 const char *question, char **answer,
3787 const char **errmsg)
3788{
3789 guard_selection_t *gs = get_guard_selection_info();
3790
3791 tor_assert(gs != NULL);
3792
3793 (void) conn;
3794 (void) errmsg;
3795
3796 if (!strcmp(question,"entry-guards") ||
3797 !strcmp(question,"helper-nodes")) {
3798 const smartlist_t *guards;
3799 guards = gs->sampled_entry_guards;
3800
3801 smartlist_t *sl = smartlist_new();
3802
3803 SMARTLIST_FOREACH_BEGIN(guards, const entry_guard_t *, e) {
3805 smartlist_add(sl, cp);
3806 } SMARTLIST_FOREACH_END(e);
3807 *answer = smartlist_join_strings(sl, "", 0, NULL);
3808 SMARTLIST_FOREACH(sl, char *, c, tor_free(c));
3809 smartlist_free(sl);
3810 }
3811 return 0;
3812}
3813
3814/* Given the original bandwidth of a guard and its guardfraction,
3815 * calculate how much bandwidth the guard should have as a guard and
3816 * as a non-guard.
3817 *
3818 * Quoting from proposal236:
3819 *
3820 * Let Wpf denote the weight from the 'bandwidth-weights' line a
3821 * client would apply to N for position p if it had the guard
3822 * flag, Wpn the weight if it did not have the guard flag, and B the
3823 * measured bandwidth of N in the consensus. Then instead of choosing
3824 * N for position p proportionally to Wpf*B or Wpn*B, clients should
3825 * choose N proportionally to F*Wpf*B + (1-F)*Wpn*B.
3826 *
3827 * This function fills the <b>guardfraction_bw</b> structure. It sets
3828 * <b>guard_bw</b> to F*B and <b>non_guard_bw</b> to (1-F)*B.
3829 */
3830void
3831guard_get_guardfraction_bandwidth(guardfraction_bandwidth_t *guardfraction_bw,
3832 int orig_bandwidth,
3833 uint32_t guardfraction_percentage)
3834{
3835 double guardfraction_fraction;
3836
3837 /* Turn the percentage into a fraction. */
3838 tor_assert(guardfraction_percentage <= 100);
3839 guardfraction_fraction = guardfraction_percentage / 100.0;
3840
3841 long guard_bw = tor_lround(guardfraction_fraction * orig_bandwidth);
3842 tor_assert(guard_bw <= INT_MAX);
3843
3844 guardfraction_bw->guard_bw = (int) guard_bw;
3845
3846 guardfraction_bw->non_guard_bw = orig_bandwidth - (int) guard_bw;
3847}
3848
3849/** Helper: Update the status of all entry guards, in whatever algorithm
3850 * is used. Return true if we should stop using all previously generated
3851 * circuits, by calling circuit_mark_all_unused_circs() and
3852 * circuit_mark_all_dirty_circs_as_unusable().
3853 */
3854int
3856{
3857 int mark_circuits = 0;
3859 mark_circuits = 1;
3860
3862
3864 mark_circuits = 1;
3865
3866 return mark_circuits;
3867}
3868
3869/** Helper: pick a guard for a circuit, with whatever algorithm is
3870 used. */
3871const node_t *
3873 cpath_build_state_t *state,
3874 uint8_t purpose,
3875 circuit_guard_state_t **guard_state_out)
3876{
3877 const node_t *r = NULL;
3878 const uint8_t *exit_id = NULL;
3879 entry_guard_restriction_t *rst = NULL;
3880
3881 /* If we this is a conflux circuit, build an exclusion list for it. */
3882 if (CIRCUIT_IS_CONFLUX(TO_CIRCUIT(circ)) && state
3883 && (exit_id = build_state_get_exit_rsa_id(state))) {
3884 rst = guard_create_conflux_restriction(circ, exit_id);
3885 /* Don't allow connecting back to the exit if there is one */
3886 if (state && (exit_id = build_state_get_exit_rsa_id(state))) {
3887 /* add the exit_id to the excluded list */
3888 smartlist_add(rst->excluded, tor_memdup(exit_id, DIGEST_LEN));
3889 }
3890 } else if (state && !circuit_should_use_vanguards(purpose) &&
3891 (exit_id = build_state_get_exit_rsa_id(state))) {
3892 /* We're building to a targeted exit node, so that node can't be
3893 * chosen as our guard for this circuit, unless we're vanguards. */
3894 rst = guard_create_exit_restriction(exit_id);
3895 tor_assert(rst);
3896 }
3898 GUARD_USAGE_TRAFFIC,
3899 rst,
3900 &r,
3901 guard_state_out) < 0) {
3902 tor_assert(r == NULL);
3903 }
3904 return r;
3905}
3906
3907/** Remove all currently listed entry guards for a given guard selection
3908 * context. This frees and replaces <b>gs</b>, so don't use <b>gs</b>
3909 * after calling this function. */
3910void
3912{
3913 // This function shouldn't exist. XXXX
3914 tor_assert(gs != NULL);
3915 char *old_name = tor_strdup(gs->name);
3916 guard_selection_type_t old_type = gs->type;
3917
3918 SMARTLIST_FOREACH(gs->sampled_entry_guards, entry_guard_t *, entry, {
3919 control_event_guard(entry->nickname, entry->identity, "DROPPED");
3920 });
3921
3922 if (gs == curr_guard_context) {
3923 curr_guard_context = NULL;
3924 }
3925
3927 guard_selection_free(gs);
3928
3929 gs = get_guard_selection_by_name(old_name, old_type, 1);
3931 tor_free(old_name);
3932}
3933
3934/** Remove all currently listed entry guards, so new ones will be chosen.
3935 *
3936 * XXXX This function shouldn't exist -- it's meant to support the DROPGUARDS
3937 * command, which is deprecated.
3938 */
3939void
3941{
3943}
3944
3945/** Helper: pick a directory guard, with whatever algorithm is used. */
3946const node_t *
3947guards_choose_dirguard(uint8_t dir_purpose,
3948 circuit_guard_state_t **guard_state_out)
3949{
3950 const node_t *r = NULL;
3951 entry_guard_restriction_t *rst = NULL;
3952
3953 /* If we are fetching microdescs, don't query outdated dirservers. */
3954 if (dir_purpose == DIR_PURPOSE_FETCH_MICRODESC) {
3956 }
3957
3959 GUARD_USAGE_DIRGUARD,
3960 rst,
3961 &r,
3962 guard_state_out) < 0) {
3963 tor_assert(r == NULL);
3964 }
3965 return r;
3966}
3967
3968/**
3969 * If we're running with a constrained guard set, then maybe mark our guards
3970 * usable. Return 1 if we do; 0 if we don't.
3971 */
3972int
3974{
3975 if (! entry_list_is_constrained(options))
3976 return 0;
3977
3979
3980 return 1;
3981}
3982
3983/**
3984 * Check if we are missing any crucial dirinfo for the guard subsystem to
3985 * work. Return NULL if everything went well, otherwise return a newly
3986 * allocated string with an informative error message. In the latter case, use
3987 * the general descriptor information <b>using_mds</b>, <b>num_present</b> and
3988 * <b>num_usable</b> to improve the error message. */
3989char *
3991 int using_mds,
3992 int num_present, int num_usable)
3993{
3994 if (!gs->primary_guards_up_to_date)
3996
3997 char *ret_str = NULL;
3998 int n_missing_descriptors = 0;
3999 int n_considered = 0;
4000 int num_primary_to_check;
4001
4002 /* We want to check for the descriptor of at least the first two primary
4003 * guards in our list, since these are the guards that we typically use for
4004 * circuits. */
4005 num_primary_to_check = get_n_primary_guards_to_use(GUARD_USAGE_TRAFFIC);
4006 num_primary_to_check++;
4007
4008 SMARTLIST_FOREACH_BEGIN(gs->primary_entry_guards, entry_guard_t *, guard) {
4010 if (guard->is_reachable == GUARD_REACHABLE_NO)
4011 continue;
4012 n_considered++;
4013 if (!guard_has_descriptor(guard))
4014 n_missing_descriptors++;
4015 if (n_considered >= num_primary_to_check)
4016 break;
4017 } SMARTLIST_FOREACH_END(guard);
4018
4019 /* If we are not missing any descriptors, return NULL. */
4020 if (!n_missing_descriptors) {
4021 return NULL;
4022 }
4023
4024 /* otherwise return a helpful error string */
4025 tor_asprintf(&ret_str, "We're missing descriptors for %d/%d of our "
4026 "primary entry guards (total %sdescriptors: %d/%d). "
4027 "That's ok. We will try to fetch missing descriptors soon.",
4028 n_missing_descriptors, num_primary_to_check,
4029 using_mds?"micro":"", num_present, num_usable);
4030
4031 return ret_str;
4032}
4033
4034/** As guard_selection_have_enough_dir_info_to_build_circuits, but uses
4035 * the default guard selection. */
4036char *
4038 int num_present, int num_usable)
4039{
4042 using_mds,
4043 num_present, num_usable);
4044}
4045
4046/** Free one guard selection context */
4047STATIC void
4048guard_selection_free_(guard_selection_t *gs)
4049{
4050 if (!gs) return;
4051
4052 tor_free(gs->name);
4053
4054 if (gs->sampled_entry_guards) {
4055 SMARTLIST_FOREACH(gs->sampled_entry_guards, entry_guard_t *, e,
4056 entry_guard_free(e));
4057 smartlist_free(gs->sampled_entry_guards);
4058 gs->sampled_entry_guards = NULL;
4059 }
4060
4061 smartlist_free(gs->confirmed_entry_guards);
4062 smartlist_free(gs->primary_entry_guards);
4063
4064 tor_free(gs);
4065}
4066
4067/**********************************************************************/
4068
4069/** Layer2 guard subsystem (vanguards-lite) used for onion service circuits */
4070
4071/** A simple representation of a layer2 guard. We just need its identity so
4072 * that we feed it into a routerset, and a sampled timestamp to do expiration
4073 * checks. */
4074typedef struct layer2_guard_t {
4075 /** Identity of the guard */
4077 /** When does this guard expire? (randomized timestamp) */
4080
4081#define layer2_guard_free(val) \
4082 FREE_AND_NULL(layer2_guard_t, layer2_guard_free_, (val))
4083
4084/** Return true if the vanguards-lite subsystem is enabled */
4085bool
4087{
4088 /* First check torrc option and then maybe also the consensus parameter. */
4089 const or_options_t *options = get_options();
4090
4091 /* If the option is explicitly disabled, that's the final word here */
4092 if (options->VanguardsLiteEnabled == 0) {
4093 return false;
4094 }
4095
4096 /* If the option is set to auto, then check the consensus parameter */
4097 if (options->VanguardsLiteEnabled == -1) {
4098 return networkstatus_get_param(NULL, "vanguards-lite-enabled",
4099 1, /* default to "on" */
4100 0, 1);
4101 }
4102
4103 /* else it's enabled */
4104 tor_assert_nonfatal(options->VanguardsLiteEnabled == 1);
4105 return options->VanguardsLiteEnabled;
4106}
4107
4108static void
4109layer2_guard_free_(layer2_guard_t *l2)
4110{
4111 if (!l2) {
4112 return;
4113 }
4114
4115 tor_free(l2);
4116}
4117
4118/** Global list and routerset of L2 guards. They are both synced and they get
4119 * updated periodically. We need both the list and the routerset: we use the
4120 * smartlist to keep track of expiration times and the routerset is what we
4121 * return to the users of this subsystem. */
4123static routerset_t *layer2_routerset = NULL;
4124
4125/** Number of L2 guards */
4126#define NUMBER_SECOND_GUARDS 4
4127/** Make sure that the number of L2 guards is less than the number of
4128 * MAX_SANE_RESTRICTED_NODES */
4130
4131/** Lifetime of L2 guards:
4132 * 1 to 12 days, for an average of a week using the max(x,x) distribution */
4133#define MIN_SECOND_GUARD_LIFETIME (3600*24)
4134#define MAX_SECOND_GUARD_LIFETIME (3600*24*12)
4135
4136/** Return the number of guards our L2 guardset should have */
4137static int
4139{
4140 return (int) networkstatus_get_param(NULL,
4141 "guard-hs-l2-number",
4143 1, 19);
4144}
4145
4146/** Return the minimum lifetime of L2 guards */
4147static int
4149{
4150 return (int) networkstatus_get_param(NULL,
4151 "guard-hs-l2-lifetime-min",
4153 1, INT32_MAX);
4154}
4155
4156/** Return the maximum lifetime of L2 guards */
4157static int
4159{
4160 return (int) networkstatus_get_param(NULL,
4161 "guard-hs-l2-lifetime-max",
4162 MAX_SECOND_GUARD_LIFETIME,
4163 1, INT32_MAX);
4164}
4165
4166/**
4167 * Sample and return a lifetime for an L2 guard.
4168 *
4169 * Lifetime randomized uniformly between min and max consensus params.
4170 */
4171static int
4173{
4176
4177 if (BUG(min >= max)) {
4178 return min;
4179 }
4180
4181 return crypto_rand_int_range(min, max);
4182}
4183
4184/** Maintain the L2 guard list. Make sure the list contains enough guards, do
4185 * expirations as necessary, and keep all the data structures of this
4186 * subsystem synchronized */
4187void
4189{
4191 return;
4192 }
4193
4194 /* Create the list if it doesn't exist */
4195 if (!layer2_guards) {
4197 }
4198
4199 /* Go through the list and perform any needed expirations */
4201 /* Expire based on expiration date */
4202 if (g->expire_on_date <= approx_time()) {
4203 log_info(LD_GENERAL, "Removing expired Layer2 guard %s",
4204 safe_str_client(hex_str(g->identity, DIGEST_LEN)));
4205 // Nickname may be gone from consensus and doesn't matter anyway
4206 control_event_guard("None", g->identity, "BAD_L2");
4207 layer2_guard_free(g);
4209 continue;
4210 }
4211
4212 /* Expire if relay has left consensus */
4213 const routerstatus_t *rs = router_get_consensus_status_by_id(g->identity);
4214 if (rs == NULL || !rs->is_stable || !rs->is_fast) {
4215 log_info(LD_GENERAL, "Removing %s Layer2 guard %s",
4216 rs ? "unsuitable" : "missing",
4217 safe_str_client(hex_str(g->identity, DIGEST_LEN)));
4218 // Nickname may be gone from consensus and doesn't matter anyway
4219 control_event_guard("None", g->identity, "BAD_L2");
4220 layer2_guard_free(g);
4222 continue;
4223 }
4224 } SMARTLIST_FOREACH_END(g);
4225
4226 /* Find out how many guards we need to add */
4227 int new_guards_needed_n =
4229 if (new_guards_needed_n <= 0) {
4230 return;
4231 }
4232
4233 log_info(LD_GENERAL, "Adding %d guards to Layer2 routerset",
4234 new_guards_needed_n);
4235
4236 /* First gather the exclusions based on our current L2 guards */
4237 smartlist_t *excluded = smartlist_new();
4239 /* Exclude existing L2 guard so that we don't double-pick it.
4240 * But, it's ok if they come from the same family. */
4241 const node_t *existing = node_get_by_id(g->identity);
4242 if (existing)
4243 smartlist_add(excluded, (node_t *)existing);
4244 } SMARTLIST_FOREACH_END(g);
4245
4246 /* Add required guards to the list */
4247 for (int i = 0; i < new_guards_needed_n; i++) {
4248 const node_t *choice = NULL;
4249 const or_options_t *options = get_options();
4250 /* Pick Stable nodes */
4251 router_crn_flags_t flags = CRN_NEED_DESC|CRN_NEED_UPTIME;
4252 choice = router_choose_random_node(excluded, options->ExcludeNodes, flags);
4253 if (!choice) {
4254 break;
4255 }
4256
4257 /* We found our node: create an L2 guard out of it */
4258 layer2_guard_t *layer2_guard = tor_malloc_zero(sizeof(layer2_guard_t));
4259 memcpy(layer2_guard->identity, choice->identity, DIGEST_LEN);
4260 layer2_guard->expire_on_date = approx_time() +
4262 smartlist_add(layer2_guards, layer2_guard);
4263 log_info(LD_GENERAL, "Adding Layer2 guard %s",
4264 safe_str_client(hex_str(layer2_guard->identity, DIGEST_LEN)));
4265 // Nickname can also be None here because it is looked up later
4266 control_event_guard("None", layer2_guard->identity,
4267 "GOOD_L2");
4268 /* Exclude this node so that we don't double-pick it. (Again, coming
4269 * from the same family is ok here.) */
4270 smartlist_add(excluded, (node_t *)choice);
4271 }
4272
4273 /* Some cleanup */
4274 smartlist_free(excluded);
4275
4276 /* Now that the list is up to date, synchronize the routerset */
4277 routerset_free(layer2_routerset);
4278 layer2_routerset = routerset_new();
4279
4281 routerset_parse(layer2_routerset,
4282 hex_str(g->identity, DIGEST_LEN),
4283 "l2 guards");
4284 } SMARTLIST_FOREACH_END(g);
4285}
4286
4287/**
4288 * Reset vanguards-lite list(s).
4289 *
4290 * Used for SIGNAL NEWNYM.
4291 */
4292void
4294{
4295 if (!layer2_guards)
4296 return;
4297
4298 /* Go through the list and perform any needed expirations */
4300 layer2_guard_free(g);
4301 } SMARTLIST_FOREACH_END(g);
4302
4304
4305 /* Pick new l2 guards */
4307}
4308
4309/** Return a routerset containing the L2 guards or NULL if it's not yet
4310 * initialized. Callers must not free the routerset. Designed for use in
4311 * pick_vanguard_middle_node() and should not be used anywhere else. Do not
4312 * store this pointer -- any future calls to maintain_layer2_guards() and
4313 * purge_vanguards_lite() can invalidate it. */
4314const routerset_t *
4316{
4317 if (!layer2_guards) {
4319 }
4320
4321 return layer2_routerset;
4322}
4323
4324/*****************************************************************************/
4325
4326/** Release all storage held by the list of entry guards and related
4327 * memory structs. */
4328void
4330{
4331 /* Null out the default */
4332 curr_guard_context = NULL;
4333 /* Free all the guard contexts */
4334 if (guard_contexts != NULL) {
4335 SMARTLIST_FOREACH_BEGIN(guard_contexts, guard_selection_t *, gs) {
4336 guard_selection_free(gs);
4337 } SMARTLIST_FOREACH_END(gs);
4338 smartlist_free(guard_contexts);
4339 guard_contexts = NULL;
4340 }
4342
4343 if (!layer2_guards) {
4344 return;
4345 }
4346
4348 layer2_guard_free(g);
4349 } SMARTLIST_FOREACH_END(g);
4350
4351 smartlist_free(layer2_guards);
4352 routerset_free(layer2_routerset);
4353}
int tor_addr_port_parse(int severity, const char *addrport, tor_addr_t *address_out, uint16_t *port_out, int default_port)
Definition: address.c:1857
int tor_addr_port_eq(const tor_addr_port_t *a, const tor_addr_port_t *b)
Definition: address.c:2111
#define fmt_and_decorate_addr(a)
Definition: address.h:243
time_t approx_time(void)
Definition: approx_time.c:32
const char * hex_str(const char *from, size_t fromlen)
Definition: binascii.c:34
int base16_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:506
void base16_encode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:478
download_status_t * get_bridge_dl_status_by_id(const char *digest)
Definition: bridges.c:1067
const uint8_t * bridge_get_rsa_id_digest(const bridge_info_t *bridge)
Definition: bridges.c:182
int node_is_a_configured_bridge(const node_t *node)
Definition: bridges.c:391
const tor_addr_port_t * bridge_get_addr_port(const bridge_info_t *bridge)
Definition: bridges.c:196
const smartlist_t * bridge_list_get(void)
Definition: bridges.c:135
bridge_info_t * get_configured_bridge_by_exact_addr_port_digest(const tor_addr_t *addr, uint16_t port, const char *digest)
Definition: bridges.c:283
Header file for circuitbuild.c.
Header file for channel.c.
double pathbias_get_extreme_use_rate(const or_options_t *options)
Definition: circpathbias.c:232
double pathbias_get_extreme_rate(const or_options_t *options)
Definition: circpathbias.c:125
double pathbias_get_use_success_count(entry_guard_t *guard)
int pathbias_get_dropguards(const or_options_t *options)
Definition: circpathbias.c:141
double pathbias_get_close_success_count(entry_guard_t *guard)
circuit_guard_state_t * origin_circuit_get_guard_state(origin_circuit_t *circ)
Definition: circuitbuild.c:544
const uint8_t * build_state_get_exit_rsa_id(cpath_build_state_t *state)
Header file for circuitbuild.c.
origin_circuit_t * TO_ORIGIN_CIRCUIT(circuit_t *x)
Definition: circuitlist.c:185
void circuit_get_all_pending_on_channel(smartlist_t *out, channel_t *chan)
Definition: circuitlist.c:597
Header file for circuitlist.c.
#define CIRCUIT_IS_ORIGIN(c)
Definition: circuitlist.h:154
#define EPSILON
void circuit_build_times_free_timeouts(circuit_build_times_t *cbt)
Definition: circuitstats.c:591
circuit_build_times_t * get_circuit_build_times_mutable(void)
Definition: circuitstats.c:85
Header file for circuitstats.c.
int circuit_should_use_vanguards(uint8_t purpose)
Definition: circuituse.c:2018
Header file for circuituse.c.
#define ARRAY_LENGTH(x)
const char * name
Definition: config.c:2471
const or_options_t * get_options(void)
Definition: config.c:947
Header file for config.c.
Header for confline.c.
void conflux_add_guards_to_exclude_list(const origin_circuit_t *orig_circ, smartlist_t *excluded)
Header file for conflux_pool.c.
Header file for conflux_util.c.
Header for confmgt.c.
Header file for connection.c.
int control_event_guard(const char *nickname, const char *digest, const char *status)
Header file for control_events.c.
#define HEX_DIGEST_LEN
Definition: crypto_digest.h:35
void * smartlist_choose(const smartlist_t *sl)
Definition: crypto_rand.c:594
Common functions for using (pseudo-)random number generators.
time_t crypto_rand_time_range(time_t min, time_t max)
int crypto_rand_int_range(unsigned int min, unsigned int max)
const char * node_describe(const node_t *node)
Definition: describe.c:160
Header file for describe.c.
int tor_memeq(const void *a, const void *b, size_t sz)
Definition: di_ops.c:107
#define tor_memneq(a, b, sz)
Definition: di_ops.h:21
#define DIGEST_LEN
Definition: digest_sizes.h:20
void digestset_add(digestset_t *set, const char *digest)
Definition: digestset.c:44
digestset_t * digestset_new(int max_guess)
Definition: digestset.c:30
int digestset_probably_contains(const digestset_t *set, const char *digest)
Definition: digestset.c:54
Types to handle sets of digests, based on bloom filters.
Header file for directory.c.
#define DIR_PURPOSE_FETCH_MICRODESC
Definition: directory.h:65
void download_status_reset(download_status_t *dls)
Definition: dlstatus.c:363
Header file for dlstatus.c.
void entry_guard_failed(circuit_guard_state_t **guard_state_p)
Definition: entrynodes.c:2657
char * guard_selection_get_err_str_if_dir_info_missing(guard_selection_t *gs, int using_mds, int num_present, int num_usable)
Definition: entrynodes.c:3990
STATIC int get_n_primary_guards(void)
Definition: entrynodes.c:465
const node_t * entry_guard_find_node(const entry_guard_t *guard)
Definition: entrynodes.c:3454
void entry_guard_learned_bridge_identity(const tor_addr_port_t *addrport, const uint8_t *rsa_id_digest)
Definition: entrynodes.c:977
STATIC void entry_guards_update_primary(guard_selection_t *gs)
Definition: entrynodes.c:1948
static entry_guard_t * entry_guard_add_to_sample_impl(guard_selection_t *gs, const uint8_t *rsa_id_digest, const char *nickname, const tor_addr_port_t *bridge_addrport)
Definition: entrynodes.c:887
void entry_guard_chan_failed(channel_t *chan)
Definition: entrynodes.c:2677
static void entry_guards_update_guards_in_state(or_state_t *state)
Definition: entrynodes.c:3347
const routerset_t * get_layer2_guards(void)
Definition: entrynodes.c:4315
void entry_guards_changed(void)
Definition: entrynodes.c:3676
static int guard_obeys_md_dirserver_restriction(const entry_guard_t *guard)
Definition: entrynodes.c:1672
STATIC void entry_guards_note_guard_failure(guard_selection_t *gs, entry_guard_t *guard)
Definition: entrynodes.c:2360
STATIC void guard_selection_free_(guard_selection_t *gs)
Definition: entrynodes.c:4048
STATIC guard_selection_t * guard_selection_new(const char *name, guard_selection_type_t type)
Definition: entrynodes.c:240
void remove_all_entry_guards(void)
Definition: entrynodes.c:3940
STATIC guard_selection_t * get_guard_selection_by_name(const char *name, guard_selection_type_t type, int create_if_absent)
Definition: entrynodes.c:263
void purge_vanguards_lite(void)
Definition: entrynodes.c:4293
static int reasonably_live_consensus_is_missing(const guard_selection_t *gs)
Definition: entrynodes.c:1159
static void entry_guard_set_filtered_flags(const or_options_t *options, guard_selection_t *gs, entry_guard_t *guard)
Definition: entrynodes.c:1727
STATIC double get_meaningful_restriction_threshold(void)
Definition: entrynodes.c:549
STATIC guard_selection_type_t guard_selection_infer_type(guard_selection_type_t type, const char *name)
Definition: entrynodes.c:222
void entry_guard_cancel(circuit_guard_state_t **guard_state_p)
Definition: entrynodes.c:2636
static entry_guard_t * select_and_add_guard_item_for_sample(guard_selection_t *gs, smartlist_t *eligible_guards)
Definition: entrynodes.c:1131
STATIC int get_nonprimary_guard_idle_timeout(void)
Definition: entrynodes.c:537
static entry_guard_t * select_primary_guard_for_circuit(guard_selection_t *gs, guard_usage_t usage, const entry_guard_restriction_t *rst, unsigned *state_out)
Definition: entrynodes.c:2137
entry_guard_t * entry_guard_get_by_id_digest(const char *digest)
Definition: entrynodes.c:3464
STATIC void mark_primary_guards_maybe_reachable(guard_selection_t *gs)
Definition: entrynodes.c:604
int entry_guards_upgrade_waiting_circuits(guard_selection_t *gs, const smartlist_t *all_circuits_in, smartlist_t *newly_complete_out)
Definition: entrynodes.c:2761
#define NUMBER_SECOND_GUARDS
Definition: entrynodes.c:4126
static guard_selection_t * curr_guard_context
Definition: entrynodes.c:161
static void remove_guard_from_confirmed_and_primary_lists(guard_selection_t *gs, entry_guard_t *guard)
Definition: entrynodes.c:1243
void remove_all_entry_guards_for_guard_selection(guard_selection_t *gs)
Definition: entrynodes.c:3911
int num_bridges_usable(int use_maybe_reachable)
Definition: entrynodes.c:3535
#define MIN_GUARDS_FOR_MD_RESTRICTION
Definition: entrynodes.c:1612
static int guard_has_descriptor(const entry_guard_t *guard)
Definition: entrynodes.c:209
STATIC double get_extreme_restriction_threshold(void)
Definition: entrynodes.c:562
int entry_guards_update_all(guard_selection_t *gs)
Definition: entrynodes.c:2940
static smartlist_t * layer2_guards
Definition: entrynodes.c:4122
STATIC circuit_guard_state_t * circuit_guard_state_new(entry_guard_t *guard, unsigned state, entry_guard_restriction_t *rst)
Definition: entrynodes.c:2539
STATIC entry_guard_t * first_reachable_filtered_entry_guard(guard_selection_t *gs, const entry_guard_restriction_t *rst, unsigned flags)
Definition: entrynodes.c:1778
static entry_guard_t * get_sampled_guard_for_bridge(guard_selection_t *gs, const bridge_info_t *bridge)
Definition: entrynodes.c:816
STATIC int get_min_filtered_sample_size(void)
Definition: entrynodes.c:403
static int get_number_of_layer2_hs_guards(void)
Definition: entrynodes.c:4138
static int guard_in_node_family(const entry_guard_t *guard, const node_t *node)
Definition: entrynodes.c:1554
static size_t sampled_guards_update_consensus_presence(guard_selection_t *gs)
Definition: entrynodes.c:1297
static int should_set_md_dirserver_restriction(void)
Definition: entrynodes.c:1618
STATIC void entry_guard_free_(entry_guard_t *e)
Definition: entrynodes.c:3498
STATIC void entry_guard_restriction_free_(entry_guard_restriction_t *rst)
Definition: entrynodes.c:2512
int entry_list_is_constrained(const or_options_t *options)
Definition: entrynodes.c:3515
STATIC int get_guard_confirmed_min_lifetime(void)
Definition: entrynodes.c:451
guard_usable_t entry_guard_succeeded(circuit_guard_state_t **guard_state_p)
Definition: entrynodes.c:2609
circuit_guard_state_t * get_guard_state_for_bridge_desc_fetch(const char *digest)
Definition: entrynodes.c:3473
static entry_guard_t * select_confirmed_guard_for_circuit(guard_selection_t *gs, guard_usage_t usage, const entry_guard_restriction_t *rst, unsigned *state_out)
Definition: entrynodes.c:2231
static size_t sampled_guards_prune_obsolete_entries(guard_selection_t *gs, const time_t remove_if_unlisted_since, const time_t maybe_remove_if_sampled_before, const time_t remove_if_confirmed_before)
Definition: entrynodes.c:1367
STATIC int entry_guard_has_higher_priority(entry_guard_t *a, entry_guard_t *b)
Definition: entrynodes.c:2474
void entry_guards_note_internet_connectivity(guard_selection_t *gs)
Definition: entrynodes.c:2125
const char * entry_guard_get_rsa_id_digest(const entry_guard_t *guard)
Definition: entrynodes.c:336
char * entry_guards_get_err_str_if_dir_info_missing(int using_mds, int num_present, int num_usable)
Definition: entrynodes.c:4037
STATIC void entry_guards_update_confirmed(guard_selection_t *gs)
Definition: entrynodes.c:1883
STATIC char * entry_guard_encode_for_state(entry_guard_t *guard, int dense_sampled_idx)
Definition: entrynodes.c:2956
STATIC void entry_guards_update_filtered_sets(guard_selection_t *gs)
Definition: entrynodes.c:1757
void entry_guards_update_state(or_state_t *state)
Definition: entrynodes.c:3687
bool vanguards_lite_is_enabled(void)
Definition: entrynodes.c:4086
static void pathbias_check_close_success_count(entry_guard_t *guard)
Definition: entrynodes.c:3593
static int get_layer2_hs_guard_lifetime(void)
Definition: entrynodes.c:4172
int update_guard_selection_choice(const or_options_t *options)
Definition: entrynodes.c:742
STATIC entry_guard_restriction_t * guard_create_dirserver_md_restriction(void)
Definition: entrynodes.c:1637
static bool entry_guard_restriction_is_reachability(const entry_guard_restriction_t *rst)
Definition: entrynodes.c:1692
static int compare_guards_by_sampled_idx(const void **a_, const void **b_)
Definition: entrynodes.c:1866
void circuit_guard_state_free_(circuit_guard_state_t *state)
Definition: entrynodes.c:2526
int entry_guard_pick_for_circuit(guard_selection_t *gs, guard_usage_t usage, entry_guard_restriction_t *rst, const node_t **chosen_node_out, circuit_guard_state_t **guard_state_out)
Definition: entrynodes.c:2563
STATIC int get_remove_unlisted_guards_after_days(void)
Definition: entrynodes.c:413
static void create_initial_guard_context(void)
Definition: entrynodes.c:290
STATIC int get_max_sample_size_absolute(void)
Definition: entrynodes.c:393
STATIC int get_nonprimary_guard_connect_timeout(void)
Definition: entrynodes.c:525
void maintain_layer2_guards(void)
Definition: entrynodes.c:4188
static void parse_from_state_handle_time(entry_guard_t *guard, char *sampled_on, char *unlisted_since, char *confirmed_on)
Definition: entrynodes.c:3077
STATIC entry_guard_t * get_sampled_guard_with_id(guard_selection_t *gs, const uint8_t *rsa_id)
Definition: entrynodes.c:801
int entry_guards_parse_state(or_state_t *state, int set, char **msg)
Definition: entrynodes.c:3620
STATIC unsigned entry_guards_note_guard_success(guard_selection_t *gs, entry_guard_t *guard, unsigned old_state)
Definition: entrynodes.c:2397
static int entry_guard_obeys_restriction(const entry_guard_t *guard, const entry_guard_restriction_t *rst)
Definition: entrynodes.c:1703
int entry_guard_state_should_expire(circuit_guard_state_t *guard_state)
Definition: entrynodes.c:2925
guard_pathbias_t * entry_guard_get_pathbias_state(entry_guard_t *guard)
Definition: entrynodes.c:343
const node_t * guards_choose_guard(const origin_circuit_t *circ, cpath_build_state_t *state, uint8_t purpose, circuit_guard_state_t **guard_state_out)
Definition: entrynodes.c:3872
int entry_guard_could_succeed(const circuit_guard_state_t *guard_state)
Definition: entrynodes.c:3703
static entry_guard_t * entry_guard_add_bridge_to_sample(guard_selection_t *gs, const bridge_info_t *bridge)
Definition: entrynodes.c:939
static void pathbias_check_use_success_count(entry_guard_t *guard)
Definition: entrynodes.c:3570
int guards_retry_optimistic(const or_options_t *options)
Definition: entrynodes.c:3973
STATIC int entry_guard_is_listed(guard_selection_t *gs, const entry_guard_t *guard)
Definition: entrynodes.c:1272
const node_t * guards_choose_dirguard(uint8_t dir_purpose, circuit_guard_state_t **guard_state_out)
Definition: entrynodes.c:3947
static entry_guard_t * select_filtered_guard_for_circuit(guard_selection_t *gs, guard_usage_t usage, const entry_guard_restriction_t *rst, unsigned *state_out)
Definition: entrynodes.c:2268
static smartlist_t * get_eligible_guards(const or_options_t *options, guard_selection_t *gs, int *n_guards_out)
Definition: entrynodes.c:1073
STATIC void entry_guard_consider_retry(entry_guard_t *guard)
Definition: entrynodes.c:2086
static int entry_guard_passes_filter(const or_options_t *options, guard_selection_t *gs, entry_guard_t *guard)
Definition: entrynodes.c:1526
#define SLOW_GUARD_STATE_FLUSH_TIME
Definition: entrynodes.c:3637
STATIC double get_max_sample_threshold(void)
Definition: entrynodes.c:381
int should_apply_guardfraction(const networkstatus_t *ns)
Definition: entrynodes.c:189
void entry_guards_changed_for_guard_selection(guard_selection_t *gs)
Definition: entrynodes.c:3647
STATIC entry_guard_t * entry_guard_add_to_sample(guard_selection_t *gs, const node_t *node)
Definition: entrynodes.c:864
static int get_min_lifetime_of_layer2_hs_guards(void)
Definition: entrynodes.c:4148
static int bridge_passes_guard_filter(const or_options_t *options, const bridge_info_t *bridge)
Definition: entrynodes.c:1499
static entry_guard_t * get_sampled_guard_by_bridge_addr(guard_selection_t *gs, const tor_addr_port_t *addrport)
Definition: entrynodes.c:959
static smartlist_t * guard_contexts
Definition: entrynodes.c:159
STATIC int num_reachable_filtered_guards(const guard_selection_t *gs, const entry_guard_restriction_t *rst)
Definition: entrynodes.c:1026
static int have_sampled_guard_with_id(guard_selection_t *gs, const uint8_t *rsa_id)
Definition: entrynodes.c:853
STATIC int entry_guards_all_primary_guards_are_down(guard_selection_t *gs)
Definition: entrynodes.c:2703
STATIC time_t randomize_time(time_t now, time_t max_backdate)
Definition: entrynodes.c:355
static time_t get_remove_unlisted_guards_after_seconds(void)
Definition: entrynodes.c:426
STATIC int get_n_primary_guards_to_use(guard_usage_t usage)
Definition: entrynodes.c:485
STATIC const char * choose_guard_selection(const or_options_t *options, const networkstatus_t *live_ns, const guard_selection_t *old_selection, guard_selection_type_t *type_out)
Definition: entrynodes.c:636
static int get_retry_schedule(time_t failing_since, time_t now, int is_primary)
Definition: entrynodes.c:2044
static int entry_guards_load_guards_from_state(or_state_t *state, int set)
Definition: entrynodes.c:3377
STATIC char * getinfo_helper_format_single_entry_guard(const entry_guard_t *e)
Definition: entrynodes.c:3728
#define FAST_GUARD_STATE_FLUSH_TIME
Definition: entrynodes.c:3640
static int node_is_possible_guard(const node_t *node)
Definition: entrynodes.c:783
#define MIN_SECOND_GUARD_LIFETIME
Definition: entrynodes.c:4133
STATIC void make_guard_confirmed(guard_selection_t *gs, entry_guard_t *guard)
Definition: entrynodes.c:1915
static int circ_state_has_higher_priority(origin_circuit_t *a, const entry_guard_restriction_t *rst, origin_circuit_t *b)
Definition: entrynodes.c:2724
int getinfo_helper_entry_guards(control_connection_t *conn, const char *question, char **answer, const char **errmsg)
Definition: entrynodes.c:3785
guard_selection_t * get_guard_selection_info(void)
Definition: entrynodes.c:312
STATIC entry_guard_t * entry_guard_parse_from_state(const char *s)
Definition: entrynodes.c:3119
STATIC entry_guard_t * select_entry_guard_for_circuit(guard_selection_t *gs, guard_usage_t usage, const entry_guard_restriction_t *rst, unsigned *state_out)
Definition: entrynodes.c:2307
STATIC int get_guard_lifetime(void)
Definition: entrynodes.c:436
static int get_max_lifetime_of_layer2_hs_guards(void)
Definition: entrynodes.c:4158
static void parse_from_state_set_vals(const char *s, smartlist_t *entries, smartlist_t *extra, strmap_t *vals)
Definition: entrynodes.c:3046
static int get_max_sample_size(guard_selection_t *gs, int n_guards)
Definition: entrynodes.c:1043
int guards_update_all(void)
Definition: entrynodes.c:3855
CTASSERT(NUMBER_SECOND_GUARDS< 20)
STATIC void sampled_guards_update_from_consensus(guard_selection_t *gs)
Definition: entrynodes.c:1427
entry_guard_t * entry_guard_get_by_id_digest_for_guard_selection(guard_selection_t *gs, const char *digest)
Definition: entrynodes.c:3445
static bridge_info_t * get_bridge_info_for_guard(const entry_guard_t *guard)
Definition: entrynodes.c:834
static int entry_guards_dirty
Definition: entrynodes.c:165
const char * entry_guard_describe(const entry_guard_t *guard)
Definition: entrynodes.c:324
STATIC entry_guard_t * entry_guards_expand_sample(guard_selection_t *gs)
Definition: entrynodes.c:1178
static int node_passes_guard_filter(const or_options_t *options, const node_t *node)
Definition: entrynodes.c:1474
void entry_guards_free_all(void)
Definition: entrynodes.c:4329
STATIC int get_internet_likely_down_interval(void)
Definition: entrynodes.c:513
Header file for circuitbuild.c.
guard_usage_t
Definition: entrynodes.h:379
const char * escaped(const char *s)
Definition: escape.c:126
long tor_lround(double d)
Definition: fp.c:31
Header for fp.c.
#define log_fn_ratelim(ratelim, severity, domain, args,...)
Definition: log.h:288
#define LD_BUG
Definition: log.h:86
#define LD_GUARD
Definition: log.h:109
#define LD_GENERAL
Definition: log.h:62
#define LOG_NOTICE
Definition: log.h:50
#define LD_CIRC
Definition: log.h:82
#define LOG_WARN
Definition: log.h:53
#define bool_eq(a, b)
Definition: logic.h:16
Header file for mainloop.c.
#define tor_free(p)
Definition: malloc.h:56
int usable_consensus_flavor(void)
Definition: microdesc.c:1088
int microdesc_relay_is_outdated_dirserver(const char *relay_digest)
Definition: microdesc.c:163
Header file for microdesc.c.
networkstatus_t * networkstatus_get_reasonably_live_consensus(time_t now, int flavor)
const routerstatus_t * router_get_consensus_status_by_id(const char *digest)
int32_t networkstatus_get_param(const networkstatus_t *ns, const char *param_name, int32_t default_val, int32_t min_val, int32_t max_val)
Header file for networkstatus.c.
int is_legal_nickname(const char *s)
Definition: nickname.c:19
Header file for nickname.c.
const node_t * router_choose_random_node(smartlist_t *excludedsmartlist, routerset_t *excludedset, router_crn_flags_t flags)
Definition: node_select.c:979
const node_t * node_sl_choose_by_bandwidth(const smartlist_t *sl, bandwidth_weight_rule_t rule)
Definition: node_select.c:856
Header file for node_select.c.
router_crn_flags_t
Definition: node_select.h:16
Node information structure.
const node_t * node_get_by_id(const char *identity_digest)
Definition: nodelist.c:226
void router_dir_info_changed(void)
Definition: nodelist.c:2533
const smartlist_t * nodelist_get_list(void)
Definition: nodelist.c:1081
int router_addrs_in_same_network(const tor_addr_t *a1, const tor_addr_t *a2)
Definition: nodelist.c:2105
int node_has_preferred_descriptor(const node_t *node, int for_direct_connect)
Definition: nodelist.c:1543
const char * node_get_nickname(const node_t *node)
Definition: nodelist.c:1493
int node_is_dir(const node_t *node)
Definition: nodelist.c:1507
void node_get_addr(const node_t *node, tor_addr_t *addr_out)
Definition: nodelist.c:1715
void node_get_verbose_nickname(const node_t *node, char *verbose_name_out)
Definition: nodelist.c:1576
int nodes_in_same_family(const node_t *node1, const node_t *node2)
Definition: nodelist.c:2239
int router_have_minimum_dir_info(void)
Definition: nodelist.c:2490
Header file for nodelist.c.
Master header file for Tor-specific functionality.
#define TO_CIRCUIT(x)
Definition: or.h:936
#define MAX_VERBOSE_NICKNAME_LEN
Definition: or.h:118
The or_state_t structure, which represents Tor's state file.
Origin circuit structure.
long tor_parse_long(const char *s, int base, long min, long max, int *ok, char **next)
Definition: parse_int.c:59
int reachable_addr_allows_addr(const tor_addr_t *addr, uint16_t port, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:536
int reachable_addr_allows_node(const node_t *node, firewall_connection_t fw_connection, int pref_only)
Definition: policies.c:693
Header file for policies.c.
int tor_asprintf(char **strp, const char *fmt,...)
Definition: printf.c:75
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
int router_digest_is_me(const char *digest)
Definition: router.c:1775
Header file for router.c.
routerset_t * routerset_new(void)
Definition: routerset.c:51
int routerset_contains_node(const routerset_t *set, const node_t *node)
Definition: routerset.c:353
int routerset_parse(routerset_t *target, const char *s, const char *description)
Definition: routerset.c:115
int routerset_contains_bridge(const routerset_t *set, const bridge_info_t *bridge)
Definition: routerset.c:365
Header file for routerset.c.
Routerstatus (consensus entry) structure.
int smartlist_ptrs_eq(const smartlist_t *s1, const smartlist_t *s2)
Definition: smartlist.c:198
int smartlist_contains_digest(const smartlist_t *sl, const char *element)
Definition: smartlist.c:223
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
Definition: smartlist.c:36
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
Definition: smartlist.c:279
void smartlist_sort(smartlist_t *sl, int(*compare)(const void **a, const void **b))
Definition: smartlist.c:334
void smartlist_remove_keeporder(smartlist_t *sl, const void *element)
void smartlist_add_all(smartlist_t *s1, const smartlist_t *s2)
void smartlist_add_strdup(struct smartlist_t *sl, const char *string)
int smartlist_contains(const smartlist_t *sl, const void *element)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
void smartlist_remove(smartlist_t *sl, const void *element)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
#define SMARTLIST_DEL_CURRENT(sl, var)
#define SMARTLIST_DEL_CURRENT_KEEPORDER(sl, var)
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
void or_state_mark_dirty(or_state_t *state, time_t when)
Definition: statefile.c:784
or_state_t * get_or_state(void)
Definition: statefile.c:220
Header for statefile.c.
char identity[DIGEST_LEN]
Definition: bridges.c:55
double use_successes
Definition: entrynodes.h:62
double successful_circuits_closed
Definition: entrynodes.h:52
time_t expire_on_date
Definition: entrynodes.c:4078
char identity[DIGEST_LEN]
Definition: entrynodes.c:4076
Definition: node_st.h:34
unsigned int is_valid
Definition: node_st.h:65
char identity[DIGEST_LEN]
Definition: node_st.h:46
unsigned int is_possible_guard
Definition: node_st.h:69
unsigned int is_stable
Definition: node_st.h:68
int VanguardsLiteEnabled
int NumDirectoryGuards
struct routerset_t * EntryNodes
struct routerset_t * ExcludeNodes
struct config_line_t * Guard
Definition: or_state_st.h:42
struct circuit_guard_state_t * guard_state
unsigned int is_stable
unsigned int is_fast
#define STATIC
Definition: testsupport.h:32
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
void format_iso_time_nospace(char *buf, time_t t)
Definition: time_fmt.c:344
void format_iso_time(char *buf, time_t t)
Definition: time_fmt.c:326
void format_local_iso_time(char *buf, time_t t)
Definition: time_fmt.c:316
Headers for transports.c.
#define tor_assert_nonfatal_unreached()
Definition: util_bug.h:177
#define FALLTHROUGH_UNLESS_ALL_BUGS_ARE_FATAL
Definition: util_bug.h:268
#define tor_assert(expr)
Definition: util_bug.h:103
int tor_digest_is_zero(const char *digest)
Definition: util_string.c:98