1/* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5/* See LICENSE for licensing information */
6
7/**
8 * \file or.h
9 * \brief Master header file for Tor-specific functionality.
10 **/
11
12#ifndef TOR_OR_H
13#define TOR_OR_H
14
15#include "orconfig.h"
16#include "lib/cc/torint.h"
17
18#ifdef HAVE_SIGNAL_H
19#include <signal.h>
20#endif
21#ifdef HAVE_TIME_H
22#include <time.h>
23#endif
24
25#include "lib/arch/bytes.h"
27#include "lib/container/map.h"
28#include "lib/buf/buffers.h"
32#include "lib/ctime/di_ops.h"
33#include "lib/defs/dh_sizes.h"
37#include "lib/err/torerr.h"
38#include "lib/fs/dir.h"
39#include "lib/fs/files.h"
40#include "lib/fs/mmap.h"
41#include "lib/fs/path.h"
42#include "lib/fs/userdb.h"
43#include "lib/geoip/country.h"
44#include "lib/intmath/addsub.h"
45#include "lib/intmath/bits.h"
46#include "lib/intmath/cmp.h"
47#include "lib/intmath/logic.h"
48#include "lib/intmath/muldiv.h"
49#include "lib/log/escape.h"
50#include "lib/log/ratelim.h"
51#include "lib/log/util_bug.h"
52#include "lib/malloc/malloc.h"
53#include "lib/net/address.h"
54#include "lib/net/inaddr.h"
55#include "lib/net/socket.h"
59#include "lib/string/printf.h"
60#include "lib/string/scanf.h"
63#include "lib/thread/threads.h"
67
68#include "ht.h"
69
70// These, more than other includes, are for keeping the other struct
71// definitions working. We should remove them when we minimize our includes.
73
76
77/* These signals are defined to help handle_control_signal work.
78 */
79#ifndef SIGHUP
80#define SIGHUP 1
81#endif
82#ifndef SIGINT
83#define SIGINT 2
84#endif
85#ifndef SIGUSR1
86#define SIGUSR1 10
87#endif
88#ifndef SIGUSR2
89#define SIGUSR2 12
90#endif
91#ifndef SIGTERM
92#define SIGTERM 15
93#endif
94/* Controller signals start at a high number so we don't
95 * conflict with system-defined signals. */
96#define SIGNEWNYM 129
97#define SIGCLEARDNSCACHE 130
98#define SIGHEARTBEAT 131
99#define SIGACTIVE 132
100#define SIGDORMANT 133
101
102#if (SIZEOF_CELL_T != 0)
/* On Irix, stdlib.h already defines a type named cell_t, so we rename ours
 * to keep the two from colliding. */
105#define cell_t tor_cell_t
106#endif
107
/** Helper macro: Given <b>ptr</b>, a pointer to the base_ field of an object
 * of type <b>to</b>, return a pointer to that enclosing <b>to</b> object. */
109#define DOWNCAST(to, ptr) ((to*)SUBTYPE_P(ptr, to, base_))
110
111/** Length of longest allowable configured nickname. */
112#define MAX_NICKNAME_LEN 19
113/** Length of a router identity encoded as a hexadecimal digest, plus
114 * possible dollar sign. */
115#define MAX_HEX_NICKNAME_LEN (HEX_DIGEST_LEN+1)
116/** Maximum length of verbose router identifier: dollar sign, hex ID digest,
117 * equal sign or tilde, nickname. */
118#define MAX_VERBOSE_NICKNAME_LEN (1+HEX_DIGEST_LEN+1+MAX_NICKNAME_LEN)
119
120/** For HTTP parsing: Maximum number of bytes we'll accept in the headers
121 * of an HTTP request or response. */
122#define MAX_HEADERS_SIZE 50000
123
124/** Maximum size, in bytes, of a single router descriptor uploaded to us
125 * as a directory authority. Caches and clients fetch whatever descriptors
126 * the authorities tell them to fetch, and don't care about size. */
127#define MAX_DESCRIPTOR_UPLOAD_SIZE 20000
128
129/** Maximum size of a single extrainfo document, as above. */
130#define MAX_EXTRAINFO_UPLOAD_SIZE 50000
131
132/** Minimum lifetime for an onion key in days. */
133#define MIN_ONION_KEY_LIFETIME_DAYS (1)
134
135/** Maximum lifetime for an onion key in days. */
136#define MAX_ONION_KEY_LIFETIME_DAYS (90)
137
138/** Default lifetime for an onion key in days. */
139#define DEFAULT_ONION_KEY_LIFETIME_DAYS (28)
140
141/** Minimum grace period for acceptance of an onion key in days.
142 * The maximum value is defined in proposal #274 as being the current network
143 * consensus parameter for "onion-key-rotation-days". */
144#define MIN_ONION_KEY_GRACE_PERIOD_DAYS (1)
145
146/** Default grace period for acceptance of an onion key in days. */
147#define DEFAULT_ONION_KEY_GRACE_PERIOD_DAYS (7)
148
149/** How often we should check the network consensus if it is time to rotate or
150 * expire onion keys. */
151#define ONION_KEY_CONSENSUS_CHECK_INTERVAL (60*60)
152
153/** How often do we rotate TLS contexts? */
154#define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60)
155
156/** How old do we allow a router to get before removing it
157 * from the router list? In seconds. */
158#define ROUTER_MAX_AGE (60*60*48)
159/** How old can a router get before we (as a server) will no longer
160 * consider it live? In seconds. */
161#define ROUTER_MAX_AGE_TO_PUBLISH (60*60*24)
162/** How old do we let a saved descriptor get before force-removing it? */
163#define OLD_ROUTER_DESC_MAX_AGE (60*60*24*5)
164
165/* Proxy client types */
166#define PROXY_NONE 0
167#define PROXY_CONNECT 1
168#define PROXY_SOCKS4 2
169#define PROXY_SOCKS5 3
170#define PROXY_HAPROXY 4
171/* !!!! If there is ever a PROXY_* type over 7, we must grow the proxy_type
172 * field in or_connection_t */
173
174/* Pluggable transport proxy type. Don't use this in or_connection_t,
175 * instead use the actual underlying proxy type (see above). */
176#define PROXY_PLUGGABLE 5
177
178/** How many circuits do we want simultaneously in-progress to handle
179 * a given stream? */
180#define MIN_CIRCUITS_HANDLING_STREAM 2
181
/* These RELAY_COMMAND constants define values for relay cell commands, and
 * must match those defined in tor-spec.txt. */
#define RELAY_COMMAND_BEGIN 1
#define RELAY_COMMAND_DATA 2
#define RELAY_COMMAND_END 3
#define RELAY_COMMAND_CONNECTED 4

#define RELAY_COMMAND_SENDME 5
#define RELAY_COMMAND_EXTEND 6
#define RELAY_COMMAND_EXTENDED 7
#define RELAY_COMMAND_TRUNCATE 8
#define RELAY_COMMAND_TRUNCATED 9
#define RELAY_COMMAND_DROP 10

#define RELAY_COMMAND_RESOLVE 11
#define RELAY_COMMAND_RESOLVED 12

#define RELAY_COMMAND_BEGIN_DIR 13
#define RELAY_COMMAND_EXTEND2 14
#define RELAY_COMMAND_EXTENDED2 15

/* Conflux */
#define RELAY_COMMAND_CONFLUX_LINK 19
#define RELAY_COMMAND_CONFLUX_LINKED 20
#define RELAY_COMMAND_CONFLUX_LINKED_ACK 21
#define RELAY_COMMAND_CONFLUX_SWITCH 22

#define RELAY_COMMAND_ESTABLISH_INTRO 32
#define RELAY_COMMAND_ESTABLISH_RENDEZVOUS 33
#define RELAY_COMMAND_INTRODUCE1 34
#define RELAY_COMMAND_INTRODUCE2 35
#define RELAY_COMMAND_RENDEZVOUS1 36
#define RELAY_COMMAND_RENDEZVOUS2 37
#define RELAY_COMMAND_INTRO_ESTABLISHED 38
#define RELAY_COMMAND_RENDEZVOUS_ESTABLISHED 39
#define RELAY_COMMAND_INTRODUCE_ACK 40

#define RELAY_COMMAND_PADDING_NEGOTIATE 41
#define RELAY_COMMAND_PADDING_NEGOTIATED 42

#define RELAY_COMMAND_XOFF 43
#define RELAY_COMMAND_XON 44

/* NOTE: Any new command from above MUST be added to this function. */
/** Return true iff <b>cmd</b> is one of the RELAY_COMMAND_* values defined
 * above, and false for every other byte value.
 *
 * The command numbers are not contiguous (16-18 and 23-31 are unassigned),
 * so this is a switch over the named constants rather than a range test;
 * that also keeps the check correct if a value is ever renumbered. The cases
 * are listed in numeric order, grouped as the definitions above are. */
static inline bool
is_known_relay_command(const uint8_t cmd)
{
  switch (cmd) {
    /* Commands 1-15. */
    case RELAY_COMMAND_BEGIN:
    case RELAY_COMMAND_DATA:
    case RELAY_COMMAND_END:
    case RELAY_COMMAND_CONNECTED:
    case RELAY_COMMAND_SENDME:
    case RELAY_COMMAND_EXTEND:
    case RELAY_COMMAND_EXTENDED:
    case RELAY_COMMAND_TRUNCATE:
    case RELAY_COMMAND_TRUNCATED:
    case RELAY_COMMAND_DROP:
    case RELAY_COMMAND_RESOLVE:
    case RELAY_COMMAND_RESOLVED:
    case RELAY_COMMAND_BEGIN_DIR:
    case RELAY_COMMAND_EXTEND2:
    case RELAY_COMMAND_EXTENDED2:
    /* Commands 19-22: conflux. */
    case RELAY_COMMAND_CONFLUX_LINK:
    case RELAY_COMMAND_CONFLUX_LINKED:
    case RELAY_COMMAND_CONFLUX_LINKED_ACK:
    case RELAY_COMMAND_CONFLUX_SWITCH:
    /* Commands 32-40: introduction and rendezvous. */
    case RELAY_COMMAND_ESTABLISH_INTRO:
    case RELAY_COMMAND_ESTABLISH_RENDEZVOUS:
    case RELAY_COMMAND_INTRODUCE1:
    case RELAY_COMMAND_INTRODUCE2:
    case RELAY_COMMAND_RENDEZVOUS1:
    case RELAY_COMMAND_RENDEZVOUS2:
    case RELAY_COMMAND_INTRO_ESTABLISHED:
    case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
    case RELAY_COMMAND_INTRODUCE_ACK:
    /* Commands 41-42: padding negotiation. */
    case RELAY_COMMAND_PADDING_NEGOTIATE:
    case RELAY_COMMAND_PADDING_NEGOTIATED:
    /* Commands 43-44: XOFF/XON. */
    case RELAY_COMMAND_XOFF:
    case RELAY_COMMAND_XON:
      return true;
    default:
      /* Unassigned or unknown command number. */
      return false;
  }
}
270
271/* Reasons why an OR connection is closed. */
272#define END_OR_CONN_REASON_DONE 1
273#define END_OR_CONN_REASON_REFUSED 2 /* connection refused */
274#define END_OR_CONN_REASON_OR_IDENTITY 3
275#define END_OR_CONN_REASON_CONNRESET 4 /* connection reset by peer */
276#define END_OR_CONN_REASON_TIMEOUT 5
277#define END_OR_CONN_REASON_NO_ROUTE 6 /* no route to host/net */
278#define END_OR_CONN_REASON_IO_ERROR 7 /* read/write error */
279#define END_OR_CONN_REASON_RESOURCE_LIMIT 8 /* sockets, buffers, etc */
280#define END_OR_CONN_REASON_PT_MISSING 9 /* PT failed or not available */
281#define END_OR_CONN_REASON_TLS_ERROR 10 /* Problem in TLS protocol */
282#define END_OR_CONN_REASON_MISC 11
283
284/* Reasons why we (or a remote OR) might close a stream. See tor-spec.txt for
285 * documentation of these. The values must match. */
286#define END_STREAM_REASON_MISC 1
287#define END_STREAM_REASON_RESOLVEFAILED 2
288#define END_STREAM_REASON_CONNECTREFUSED 3
289#define END_STREAM_REASON_EXITPOLICY 4
290#define END_STREAM_REASON_DESTROY 5
291#define END_STREAM_REASON_DONE 6
292#define END_STREAM_REASON_TIMEOUT 7
293#define END_STREAM_REASON_NOROUTE 8
294#define END_STREAM_REASON_HIBERNATING 9
295#define END_STREAM_REASON_INTERNAL 10
296#define END_STREAM_REASON_RESOURCELIMIT 11
297#define END_STREAM_REASON_CONNRESET 12
298#define END_STREAM_REASON_TORPROTOCOL 13
299#define END_STREAM_REASON_NOTDIRECTORY 14
300#define END_STREAM_REASON_ENTRYPOLICY 15
301
302/* These high-numbered end reasons are not part of the official spec,
303 * and are not intended to be put in relay end cells. They are here
304 * to be more informative when sending back socks replies to the
305 * application. */
306/* XXXX 256 is no longer used; feel free to reuse it. */
307/** We were unable to attach the connection to any circuit at all. */
308/* XXXX the ways we use this one don't make a lot of sense. */
309#define END_STREAM_REASON_CANT_ATTACH 257
310/** We can't connect to any directories at all, so we killed our streams
311 * before they can time out. */
312#define END_STREAM_REASON_NET_UNREACHABLE 258
313/** This is a SOCKS connection, and the client used (or misused) the SOCKS
314 * protocol in a way we couldn't handle. */
315#define END_STREAM_REASON_SOCKSPROTOCOL 259
316/** This is a transparent proxy connection, but we can't extract the original
317 * target address:port. */
318#define END_STREAM_REASON_CANT_FETCH_ORIG_DEST 260
319/** This is a connection on the NATD port, and the destination IP:Port was
320 * either ill-formed or out-of-range. */
321#define END_STREAM_REASON_INVALID_NATD_DEST 261
322/** The target address is in a private network (like 127.0.0.1 or 10.0.0.1);
323 * you don't want to do that over a randomly chosen exit */
324#define END_STREAM_REASON_PRIVATE_ADDR 262
325/** This is an HTTP tunnel connection and the client used or misused HTTP in a
326 * way we can't handle.
327 */
328#define END_STREAM_REASON_HTTPPROTOCOL 263
329
330/** Bitwise-and this value with endreason to mask out all flags. */
331#define END_STREAM_REASON_MASK 511
332
333/** Bitwise-or this with the argument to control_event_stream_status
334 * to indicate that the reason came from an END cell. */
335#define END_STREAM_REASON_FLAG_REMOTE 512
336/** Bitwise-or this with the argument to control_event_stream_status
337 * to indicate that we already sent a CLOSED stream event. */
338#define END_STREAM_REASON_FLAG_ALREADY_SENT_CLOSED 1024
339/** Bitwise-or this with endreason to indicate that we already sent
340 * a socks reply, and no further reply needs to be sent from
341 * connection_mark_unattached_ap(). */
342#define END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED 2048
343
344/* 'type' values to use in RESOLVED cells. Specified in tor-spec.txt. */
345#define RESOLVED_TYPE_HOSTNAME 0
346#define RESOLVED_TYPE_IPV4 4
347#define RESOLVED_TYPE_IPV6 6
348#define RESOLVED_TYPE_ERROR_TRANSIENT 0xF0
349#define RESOLVED_TYPE_ERROR 0xF1
350/* C Tor internal error code to handle empty dns reply */
351#define RESOLVED_TYPE_NOERROR 0x01F2
352
353/* Negative reasons are internal: we never send them in a DESTROY or TRUNCATE
354 * call; they only go to the controller for tracking */
355
/* Closing an introduction point that was opened in parallel with others and
 * is now redundant. */
357#define END_CIRC_REASON_IP_NOW_REDUNDANT -4
358
359/** Our post-timeout circuit time measurement period expired.
360 * We must give up now */
361#define END_CIRC_REASON_MEASUREMENT_EXPIRED -3
362
363/** We couldn't build a path for this circuit. */
364#define END_CIRC_REASON_NOPATH -2
365/** Catch-all "other" reason for closing origin circuits. */
366#define END_CIRC_AT_ORIGIN -1
367
368/* Reasons why we (or a remote OR) might close a circuit. See tor-spec.txt
369 * section 5.4 for documentation of these. */
370#define END_CIRC_REASON_MIN_ 0
371#define END_CIRC_REASON_NONE 0
372#define END_CIRC_REASON_TORPROTOCOL 1
373#define END_CIRC_REASON_INTERNAL 2
374#define END_CIRC_REASON_REQUESTED 3
375#define END_CIRC_REASON_HIBERNATING 4
376#define END_CIRC_REASON_RESOURCELIMIT 5
377#define END_CIRC_REASON_CONNECTFAILED 6
378#define END_CIRC_REASON_OR_IDENTITY 7
379#define END_CIRC_REASON_CHANNEL_CLOSED 8
380#define END_CIRC_REASON_FINISHED 9
381#define END_CIRC_REASON_TIMEOUT 10
382#define END_CIRC_REASON_DESTROYED 11
383#define END_CIRC_REASON_NOSUCHSERVICE 12
384#define END_CIRC_REASON_MAX_ 12
385
386/** Bitwise-OR this with the argument to circuit_mark_for_close() or
387 * control_event_circuit_status() to indicate that the reason was
388 * passed through from a destroy or truncate cell. */
389#define END_CIRC_REASON_FLAG_REMOTE 512
390
391/** Length of v2 descriptor ID (32 base32 chars = 160 bits).
392 *
393 * XXX: It is still used by v3 code but should be renamed or maybe removed. */
394#define REND_DESC_ID_V2_LEN_BASE32 BASE32_DIGEST_LEN
395
396/** Maximum length of authorized client names for a hidden service. */
397#define REND_CLIENTNAME_MAX_LEN 16
398
399/** Length of the rendezvous cookie that is used to connect circuits at the
400 * rendezvous point. */
401#define REND_COOKIE_LEN DIGEST_LEN
402
403/** Client authorization type that a hidden service performs. */
404typedef enum rend_auth_type_t {
405 REND_NO_AUTH = 0,
406 REND_V3_AUTH = 1, /* Dummy flag to allow adding v3 services on the
407 * control port */
409
410/* Stub because we can't include hs_ident.h. */
413struct hs_ident_circuit_t;
414
415typedef struct hsdir_index_t hsdir_index_t;
416
417/** Time interval for tracking replays of DH public keys received in
418 * INTRODUCE2 cells. Used only to avoid launching multiple
419 * simultaneous attempts to connect to the same rendezvous point. */
420#define REND_REPLAY_TIME_INTERVAL (5 * 60)
421
422/** Used to indicate which way a cell is going on a circuit. */
423typedef enum {
424 CELL_DIRECTION_IN=1, /**< The cell is moving towards the origin. */
425 CELL_DIRECTION_OUT=2, /**< The cell is moving away from the origin. */
427
428/**
429 * An enum to allow us to specify which channel in a circuit
430 * we're interested in.
431 *
432 * This is needed because our data structures and other fields
433 * for channel delivery are disassociated from the channel.
434 */
435typedef enum {
436 CIRCUIT_N_CHAN = 0,
437 CIRCUIT_P_CHAN = 1
439
440/** Initial value for both sides of a circuit transmission window when the
441 * circuit is initialized. Measured in cells. */
442#define CIRCWINDOW_START 1000
443#define CIRCWINDOW_START_MIN 100
444#define CIRCWINDOW_START_MAX 1000
445/** Amount to increment a circuit window when we get a circuit SENDME. */
446#define CIRCWINDOW_INCREMENT 100
447/** Initial value on both sides of a stream transmission window when the
448 * stream is initialized. Measured in cells. */
449#define STREAMWINDOW_START 500
450#define STREAMWINDOW_START_MAX 500
451/** Amount to increment a stream window when we get a stream SENDME. */
452#define STREAMWINDOW_INCREMENT 50
453
454/** Maximum number of queued cells on a circuit for which we are the
455 * midpoint before we give up and kill it. This must be >= circwindow
456 * to avoid killing innocent circuits, and >= circwindow*2 to give
457 * leaky-pipe a chance of working someday. The ORCIRC_MAX_MIDDLE_KILL_THRESH
458 * ratio controls the margin of error between emitting a warning and
459 * killing the circuit.
460 */
461#define ORCIRC_MAX_MIDDLE_CELLS (CIRCWINDOW_START_MAX*2)
462/** Ratio of hard (circuit kill) to soft (warning) thresholds for the
463 * ORCIRC_MAX_MIDDLE_CELLS tests.
464 */
465#define ORCIRC_MAX_MIDDLE_KILL_THRESH (1.1f)
466
467/* Cell commands. These values are defined in tor-spec.txt. */
468#define CELL_PADDING 0
469#define CELL_CREATE 1
470#define CELL_CREATED 2
471#define CELL_RELAY 3
472#define CELL_DESTROY 4
473#define CELL_CREATE_FAST 5
474#define CELL_CREATED_FAST 6
475#define CELL_VERSIONS 7
476#define CELL_NETINFO 8
477#define CELL_RELAY_EARLY 9
478#define CELL_CREATE2 10
479#define CELL_CREATED2 11
480#define CELL_PADDING_NEGOTIATE 12
481
482#define CELL_VPADDING 128
483#define CELL_CERTS 129
484#define CELL_AUTH_CHALLENGE 130
485#define CELL_AUTHENTICATE 131
486#define CELL_AUTHORIZE 132
487#define CELL_COMMAND_MAX_ 132
488
489/** How long to test reachability before complaining to the user. */
490#define TIMEOUT_UNTIL_UNREACHABILITY_COMPLAINT (20*60)
491
492/** Legal characters in a nickname. */
493#define LEGAL_NICKNAME_CHARACTERS \
494 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
495
496/** Name chosen by routers that don't configure nicknames */
497#define UNNAMED_ROUTER_NICKNAME "Unnamed"
498
499/** Number of bytes in a SOCKS4 header. */
500#define SOCKS4_NETWORK_LEN 8
501
502/*
503 * Relay cell body (V0):
504 * Relay command [1 byte]
505 * Recognized [2 bytes]
506 * Stream ID [2 bytes]
507 * Partial SHA-1 [4 bytes]
508 * Length [2 bytes]
509 * Relay payload [498 bytes]
510 *
511 * Relay cell body (V1):
512 * Tag [16 bytes]
513 * Command [1 byte]
514 * Length [2 bytes]
515 * Stream ID [2 bytes, Optional, depends on command]
516 * Relay payload [488 bytes _or_ 490 bytes]
517 */
518
519/** Number of bytes in a cell, minus cell header. */
520#define CELL_PAYLOAD_SIZE 509
521/** Number of bytes in a cell transmitted over the network, in the longest
522 * form */
523#define CELL_MAX_NETWORK_SIZE 514
524
525/** Maximum length of a header on a variable-length cell. */
526#define VAR_CELL_MAX_HEADER_SIZE 7
527
528/** Which format should we use for relay cells? */
529typedef enum relay_cell_fmt_t {
530 /** Our original format, with 2 byte recognized field and a 4-byte digest */
532 /** New format introduced for CGO, with 16 byte tag. */
535
static int get_cell_network_size(int wide_circ_ids);
/** Return the number of bytes a fixed-length cell occupies on the wire.
 *
 * With wide (4-byte) circuit IDs, i.e. when <b>wide_circ_ids</b> is
 * nonzero, this is CELL_MAX_NETWORK_SIZE; with 2-byte circuit IDs the
 * cell is two bytes shorter. */
static inline int get_cell_network_size(int wide_circ_ids)
{
  if (wide_circ_ids) {
    return CELL_MAX_NETWORK_SIZE;
  }
  /* Narrow circuit IDs save two bytes of header. */
  return CELL_MAX_NETWORK_SIZE - 2;
}
541static int get_var_cell_header_size(int wide_circ_ids);
542static inline int get_var_cell_header_size(int wide_circ_ids)
543{
544 return wide_circ_ids ? VAR_CELL_MAX_HEADER_SIZE :
546}
static int get_circ_id_size(int wide_circ_ids);
/** Return the size in bytes of a circuit ID on the wire: 4 when
 * <b>wide_circ_ids</b> is nonzero (wide circuit IDs negotiated), else 2. */
static inline int get_circ_id_size(int wide_circ_ids)
{
  const int narrow_len = 2;
  const int wide_len = 4;
  if (wide_circ_ids) {
    return wide_len;
  }
  return narrow_len;
}
552
553/** Number of bytes used for a relay cell's header, in the v0 format. */
554#define RELAY_HEADER_SIZE_V0 (1+2+2+4+2)
555/** Number of bytes used for a relay cell's header, in the v1 format,
556 * if no StreamID is used. */
557#define RELAY_HEADER_SIZE_V1_NO_STREAM_ID (16+1+2)
558/** Number of bytes used for a relay cell's header, in the v1 format,
559 * if a StreamID is used. */
560#define RELAY_HEADER_SIZE_V1_WITH_STREAM_ID (16+1+2+2)
561
562/** Largest number of bytes that can fit in any relay cell payload.
563 *
564 * Note that the actual maximum may be smaller if the V1 cell format
565 * is in use; see relay_cell_max_payload_size() for the real maximum.
566 */
567#define RELAY_PAYLOAD_SIZE_MAX (CELL_PAYLOAD_SIZE - RELAY_HEADER_SIZE_V0)
568
569/** Smallest capacity of any relay cell payload. */
570#define RELAY_PAYLOAD_SIZE_MIN \
571 (CELL_PAYLOAD_SIZE - RELAY_HEADER_SIZE_V1_WITH_STREAM_ID)
572
573#ifdef TOR_UNIT_TESTS
574// This name is for testing only.
575#define RELAY_PAYLOAD_SIZE RELAY_PAYLOAD_SIZE_MAX
576#endif
577
578/** Identifies a circuit on an or_connection */
579typedef uint32_t circid_t;
580/** Identifies a stream on a circuit */
581typedef uint16_t streamid_t;
582
583/* channel_t typedef; struct channel_t is in channel.h */
584
585typedef struct channel_t channel_t;
586
587/* channel_listener_t typedef; struct channel_listener_t is in channel.h */
588
590
591/* TLS channel stuff */
592
593typedef struct channel_tls_t channel_tls_t;
594
595/* circuitmux_t typedef; struct circuitmux_t is in circuitmux.h */
596
597typedef struct circuitmux_t circuitmux_t;
598
599typedef struct cell_t cell_t;
600typedef struct var_cell_t var_cell_t;
601typedef struct packed_cell_t packed_cell_t;
602typedef struct cell_queue_t cell_queue_t;
603typedef struct destroy_cell_t destroy_cell_t;
605typedef struct ext_or_cmd_t ext_or_cmd_t;
606
607#ifdef TOR_UNIT_TESTS
608/* This is a vestigial type used only for testing.
609 * All current code should instead use relay_msg_t and related accessors.
610 */
611
/** Beginning of a RELAY cell payload, in the V0 layout: command (1 byte),
 * recognized (2), stream ID (2), partial SHA-1 integrity check (4) and
 * payload length (2), matching the "Relay cell body (V0)" table above.
 * Kept only for unit tests; current code uses relay_msg_t instead. */
typedef struct {
 uint8_t command; /**< The end-to-end relay command. */
 uint16_t recognized; /**< Used to tell whether cell is for us. */
 streamid_t stream_id; /**< Which stream is this cell associated with? */
 char integrity[4]; /**< Used to tell whether cell is corrupted. */
 uint16_t length; /**< How long is the payload body? */
} relay_header_t;
620#endif
621
622typedef struct socks_request_t socks_request_t;
625
626/** Minimum length of the random part of an AUTH_CHALLENGE cell. */
627#define OR_AUTH_CHALLENGE_LEN 32
628
629/**
630 * @name Certificate types for CERTS cells.
631 *
632 * These values are defined by the protocol, and affect how an X509
633 * certificate in a CERTS cell is interpreted and used.
634 *
635 * @{ */
636/** A certificate that authenticates a TLS link key. The subject key
637 * must match the key used in the TLS handshake; it must be signed by
638 * the identity key. */
639#define OR_CERT_TYPE_TLS_LINK 1
640/** A self-signed identity certificate. The subject key must be a
641 * 1024-bit RSA key. */
642#define OR_CERT_TYPE_ID_1024 2
643/** A certificate that authenticates a key used in an AUTHENTICATE cell
644 * in the v3 handshake. The subject key must be a 1024-bit RSA key; it
645 * must be signed by the identity key */
646#define OR_CERT_TYPE_AUTH_1024 3
/** An RSA->Ed25519 cross-certificate: certifies the relay's Ed25519
 * identity key and is signed by its RSA identity key. */
648#define OR_CERT_TYPE_RSA_ED_CROSSCERT 7
649/**@}*/
650
651/** The first supported type of AUTHENTICATE cell. It contains
652 * a bunch of structures signed with an RSA1024 key. The signed
653 * structures include a HMAC using negotiated TLS secrets, and a digest
654 * of all cells sent or received before the AUTHENTICATE cell (including
655 * the random server-generated AUTH_CHALLENGE cell).
656 */
657#define AUTHTYPE_RSA_SHA256_TLSSECRET 1
658/** As AUTHTYPE_RSA_SHA256_TLSSECRET, but instead of using the
659 * negotiated TLS secrets, uses exported keying material from the TLS
660 * session as described in RFC 5705.
661 *
662 * Not used by today's tors, since everything that supports this
663 * also supports ED25519_SHA256_5705, which is better.
664 **/
665#define AUTHTYPE_RSA_SHA256_RFC5705 2
666/** As AUTHTYPE_RSA_SHA256_RFC5705, but uses an Ed25519 identity key to
667 * authenticate. */
668#define AUTHTYPE_ED25519_SHA256_RFC5705 3
669/*
670 * NOTE: authchallenge_type_is_better() relies on these AUTHTYPE codes
671 * being sorted in order of preference. If we someday add one with
672 * a higher numerical value that we don't like as much, we should revise
673 * authchallenge_type_is_better().
674 */
675
676/** The length of the part of the AUTHENTICATE cell body that the client and
677 * server can generate independently (when using RSA_SHA256_TLSSECRET). It
678 * contains everything except the client's timestamp, the client's randomly
679 * generated nonce, and the signature. */
680#define V3_AUTH_FIXED_PART_LEN (8+(32*6))
681/** The length of the part of the AUTHENTICATE cell body that the client
682 * signs. */
683#define V3_AUTH_BODY_LEN (V3_AUTH_FIXED_PART_LEN + 8 + 16)
684
687
688/** Length of Extended ORPort connection identifier. */
689#define EXT_OR_CONN_ID_LEN DIGEST_LEN /* 20 */
690
691typedef struct connection_t connection_t;
697typedef struct or_connection_t or_connection_t;
698
699/** Cast a connection_t subtype pointer to a connection_t **/
700#define TO_CONN(c) (&(((c)->base_)))
701
/** Cast an entry_connection_t subtype pointer to a connection_t **/
703#define ENTRY_TO_CONN(c) (TO_CONN(ENTRY_TO_EDGE_CONN(c)))
704
705typedef struct addr_policy_t addr_policy_t;
706
707typedef struct cached_dir_t cached_dir_t;
708
709/** Enum used to remember where a signed_descriptor_t is stored and how to
710 * manage the memory for signed_descriptor_body. */
711typedef enum {
712 /** The descriptor isn't stored on disk at all: the copy in memory is
713 * canonical; the saved_offset field is meaningless. */
715 /** The descriptor is stored in the cached_routers file: the
716 * signed_descriptor_body is meaningless; the signed_descriptor_len and
717 * saved_offset are used to index into the mmaped cache file. */
719 /** The descriptor is stored in the cached_routers.new file: the
720 * signed_descriptor_body and saved_offset fields are both set. */
721 /* FFFF (We could also mmap the file and grow the mmap as needed, or
722 * lazy-load the descriptor text by using seek and read. We don't, for
723 * now.)
724 */
727#define saved_location_bitfield_t ENUM_BF(saved_location_t)
728
729/** Enumeration: what directory object is being downloaded?
730 * This determines which schedule is selected to perform the download. */
731typedef enum {
732 DL_SCHED_GENERIC = 0,
733 DL_SCHED_CONSENSUS = 1,
734 DL_SCHED_BRIDGE = 2,
736#define download_schedule_bitfield_t ENUM_BF(download_schedule_t)
737
738/** Enumeration: is the download schedule for downloading from an authority,
739 * or from any available directory mirror?
740 * During bootstrap, "any" means a fallback (or an authority, if there
741 * are no fallbacks).
742 * When we have a valid consensus, "any" means any directory server. */
743typedef enum {
744 DL_WANT_ANY_DIRSERVER = 0,
745 DL_WANT_AUTHORITY = 1,
747#define download_want_authority_bitfield_t \
748 ENUM_BF(download_want_authority_t)
749
750/** Enumeration: do we want to increment the schedule position each time a
751 * connection is attempted (these attempts can be concurrent), or do we want
752 * to increment the schedule position after a connection fails? */
753typedef enum {
754 DL_SCHED_INCREMENT_FAILURE = 0,
755 DL_SCHED_INCREMENT_ATTEMPT = 1,
757#define download_schedule_increment_bitfield_t \
758 ENUM_BF(download_schedule_increment_t)
759
761
762/** If n_download_failures is this high, the download can never happen. */
763#define IMPOSSIBLE_TO_DOWNLOAD 255
764
765/** The max size we expect router descriptor annotations we create to
766 * be. We'll accept larger ones if we see them on disk, but we won't
767 * create any that are larger than this. */
768#define ROUTER_ANNOTATION_BUF_LEN 256
769
771
772/** Flags used to summarize the declared protocol versions of a relay,
773 * so we don't need to parse them again and again. */
775 /** True iff we have a proto line for this router, or a versions line
776 * from which we could infer the protocols. */
777 unsigned int protocols_known:1;
778
779 /** True iff this router has a version or protocol list that allows it to
780 * accept EXTEND2 cells. This requires Relay=2. */
782
783 /** True iff this router has a version or protocol list that allows it to
784 * accept IPv6 connections. This requires Relay=2 or Relay=3. */
786
787 /** True iff this router has a version or protocol list that allows it to
788 * initiate IPv6 connections. This requires Relay=3. */
790
791 /** True iff this router has a version or protocol list that allows it to
792 * consider IPv6 connections canonical. This requires Relay=3. */
794
795 /** True iff this router has a protocol list that allows it to negotiate
796 * ed25519 identity keys on a link handshake with us. This
797 * requires LinkAuth=3. */
799
800 /** True iff this router has a protocol list that allows it to negotiate
801 * ed25519 identity keys on a link handshake, at all. This requires some
802 * LinkAuth=X for X >= 3. */
804
805 /** True iff this router has a protocol list that allows it to be an
806 * introduction point supporting ed25519 authentication key which is part of
807 * the v3 protocol detailed in proposal 224. This requires HSIntro=4. */
809
810 /** True iff this router has a protocol list that allows it to support the
811 * ESTABLISH_INTRO DoS cell extension. Requires HSIntro=5. */
813
 /** True iff this router has a protocol list that allows it to be a hidden
 * service directory supporting version 3 as seen in proposal 224. This
 * requires HSDir=2. */
817 unsigned int supports_v3_hsdir : 1;
818
 /** True iff this router has a protocol list that allows it to be a hidden
 * service rendezvous point supporting version 3 as seen in proposal 224.
 * This requires HSRend=2. */
823
824 /** True iff this router has a protocol list that allows clients to
825 * negotiate hs circuit setup padding. Requires Padding=2. */
827
828 /** True iff this router supports congestion control.
829 * Requires both FlowCtrl=2 *and* Relay=4 */
831
832 /** True iff this router supports conflux. Requires Relay=5 */
833 unsigned int supports_conflux : 1;
835
836typedef struct routerinfo_t routerinfo_t;
837typedef struct extrainfo_t extrainfo_t;
838typedef struct routerstatus_t routerstatus_t;
839
840typedef struct microdesc_t microdesc_t;
841typedef struct node_t node_t;
847
/** Enumerates recognized flavors of a consensus networkstatus document. All
 * flavors of a consensus are generated from the same set of votes, but they
 * present different types of information to different versions of Tor. */
851typedef enum {
852 FLAV_NS = 0,
853 FLAV_MICRODESC = 1,
855
856/** How many different consensus flavors are there? */
857#define N_CONSENSUS_FLAVORS ((int)(FLAV_MICRODESC)+1)
858
859typedef struct networkstatus_t networkstatus_t;
861typedef struct desc_store_t desc_store_t;
862typedef struct routerlist_t routerlist_t;
863typedef struct extend_info_t extend_info_t;
865
866/** Bitfield enum type listing types of information that directory authorities
867 * can be authoritative about, and that directory caches may or may not cache.
868 *
869 * Note that the granularity here is based on authority granularity and on
870 * cache capabilities. Thus, one particular bit may correspond in practice to
871 * a few types of directory info, so long as every authority that pronounces
 * officially about one of the types pronounces officially about all of them,
873 * and so long as every cache that caches one of them caches all of them.
874 */
875typedef enum {
876 NO_DIRINFO = 0,
877 /** Serves/signs v3 directory information: votes, consensuses, certs */
878 V3_DIRINFO = 1 << 2,
879 /** Serves bridge descriptors. */
881 /** Serves extrainfo documents. */
883 /** Serves microdescriptors. */
886
887#define ALL_DIRINFO ((dirinfo_type_t)((1<<7)-1))
888
/** Numeric identifiers for the onion handshake types (TAP, FAST, NTOR,
 * NTOR_V3). */
889#define ONION_HANDSHAKE_TYPE_TAP 0x0000
890#define ONION_HANDSHAKE_TYPE_FAST 0x0001
891#define ONION_HANDSHAKE_TYPE_NTOR 0x0002
892#define ONION_HANDSHAKE_TYPE_NTOR_V3 0x0003
/** Must equal the highest ONION_HANDSHAKE_TYPE_* value above; update it
 * whenever a handshake type is added so range checks against it stay correct. */
893#define MAX_ONION_HANDSHAKE_TYPE 0x0003
894
896typedef struct relay_crypto_t relay_crypto_t;
897typedef struct crypt_path_t crypt_path_t;
899
/** Total key material per hop: 72 bytes. NOTE(review): presumably two 20-byte
 * digest seeds plus two 16-byte cipher keys (one of each per direction) --
 * confirm against the relay crypto code. */
900#define CPATH_KEY_MATERIAL_LEN (20*2+16*2)
901
903
904struct create_cell_t;
905
906/** Entry in the cell stats list of a circuit; used only if CELL_STATS
907 * events are enabled. */
909 uint8_t command; /**< cell command number. */
910 /** Waiting time in centiseconds if this event is for a removed cell,
911 * or 0 if this event is for adding a cell to the queue. 22 bits can
912 * store more than 11 hours, enough to assume that a circuit with this
913 * delay would long have been closed. */
914 unsigned int waiting_time:22;
915 unsigned int removed:1; /**< 0 for added to, 1 for removed from queue. */
916 unsigned int exitward:1; /**< 0 for app-ward, 1 for exit-ward. */
918
919typedef struct circuit_t circuit_t;
921typedef struct or_circuit_t or_circuit_t;
922
923/** Largest number of relay_early cells that we can send on a given
924 * circuit. */
925#define MAX_RELAY_EARLY_CELLS_PER_CIRCUIT 8
926
927typedef enum path_state_t path_state_t;
928#define path_state_bitfield_t ENUM_BF(path_state_t)
929
930#if REND_COOKIE_LEN != DIGEST_LEN
931#error "The REND_TOKEN_LEN macro assumes REND_COOKIE_LEN == DIGEST_LEN"
932#endif
933#define REND_TOKEN_LEN DIGEST_LEN
934
935/** Convert a circuit subtype to a circuit_t. */
936#define TO_CIRCUIT(x) (&((x)->base_))
937
938/** @name Isolation flags
939
940 Ways to isolate client streams
941
942 @{
943*/
944/** Isolate based on destination port */
945#define ISO_DESTPORT (1u<<0)
946/** Isolate based on destination address */
947#define ISO_DESTADDR (1u<<1)
948/** Isolate based on SOCKS authentication */
949#define ISO_SOCKSAUTH (1u<<2)
950/** Isolate based on client protocol choice */
951#define ISO_CLIENTPROTO (1u<<3)
952/** Isolate based on client address */
953#define ISO_CLIENTADDR (1u<<4)
954/** Isolate based on session group (always on). */
955#define ISO_SESSIONGRP (1u<<5)
956/** Isolate based on newnym epoch (always on). */
957#define ISO_NYM_EPOCH (1u<<6)
958/** Isolate all streams (Internal only). */
959#define ISO_STREAM (1u<<7)
960/**@}*/
961
/** Default isolation level for ports.
 * ISO_SESSIONGRP and ISO_NYM_EPOCH are documented above as always on;
 * ISO_DESTPORT, ISO_DESTADDR and ISO_CLIENTPROTO are not part of the default,
 * and ISO_STREAM is internal-only. */
963#define ISO_DEFAULT (ISO_CLIENTADDR|ISO_SOCKSAUTH|ISO_SESSIONGRP|ISO_NYM_EPOCH)
964
965/** Indicates that we haven't yet set a session group on a port_cfg_t. */
966#define SESSION_GROUP_UNSET -1
967/** Session group reserved for directory connections */
968#define SESSION_GROUP_DIRCONN -2
969/** Session group reserved for resolve requests launched by a controller */
970#define SESSION_GROUP_CONTROL_RESOLVE -3
971/** First automatically allocated session group number */
972#define SESSION_GROUP_FIRST_AUTO -4
973
974typedef struct port_cfg_t port_cfg_t;
975typedef struct routerset_t routerset_t;
976
977/** A magic value for the (Socks|OR|...)Port options below, telling Tor
978 * to pick its own port. */
/* 0xc4005e is far above 65535, so it can never collide with a real port
 * number. */
979#define CFG_AUTO_PORT 0xc4005e
980
981typedef struct or_options_t or_options_t;
982
983typedef struct or_state_t or_state_t;
984
985#define MAX_SOCKS_ADDR_LEN 256
986
987/********************************* circuitbuild.c **********************/
988
989/** How many hops does a general-purpose circuit have by default? */
990#define DEFAULT_ROUTE_LEN 3
991
992/* Circuit Build Timeout "public" structures. */
993
994/** Precision multiplier for the Bw weights */
995#define BW_WEIGHT_SCALE 10000
996#define BW_MIN_WEIGHT_SCALE 1
997#define BW_MAX_WEIGHT_SCALE INT32_MAX
998
1000
1001/********************************* config.c ***************************/
1002
1003/********************************* connection_edge.c *************************/
1004
1005/** Enumerates possible origins of a client-side address mapping. */
1006typedef enum {
1007 /** We're remapping this address because the controller told us to. */
1009 /** We're remapping this address because of an AutomapHostsOnResolve
1010 * configuration. */
1012 /** We're remapping this address because our configuration (via torrc, the
1013 * command line, or a SETCONF command) told us to. */
1015 /** We're remapping this address because we have TrackHostExit configured,
1016 * and we want to remember to use the same exit next time. */
1018 /** We're remapping this address because we got a DNS resolution from a
1019 * Tor server that told us what its value was. */
1021
1022 /** No remapping has occurred. This isn't a possible value for an
1023 * addrmap_entry_t; it's used as a null value when we need to answer "Why
1024 * did this remapping happen." */
1027#define addressmap_entry_source_bitfield_t ENUM_BF(addressmap_entry_source_t)
1028
/** One day, in seconds (24*60*60). Presumably the period between statistics
 * writes -- confirm against the callers. */
1029#define WRITE_STATS_INTERVAL (24*60*60)
1030
1031/********************************* dirvote.c ************************/
1032
1033typedef struct vote_timing_t vote_timing_t;
1034
1035/********************************* microdesc.c *************************/
1036
1038
1039/** The maximum number of non-circuit-build-timeout failures a hidden
1040 * service client will tolerate while trying to build a circuit to an
1041 * introduction point. */
1042#define MAX_INTRO_POINT_REACHABILITY_FAILURES 5
1043
1044/** The minimum and maximum number of distinct INTRODUCE2 cells which a
1045 * hidden service's introduction point will receive before it begins to
1046 * expire. */
1047#define INTRO_POINT_MIN_LIFETIME_INTRODUCTIONS 16384
1048/* Double the minimum value so the interval is [min, min * 2]. */
1049#define INTRO_POINT_MAX_LIFETIME_INTRODUCTIONS \
1050 (INTRO_POINT_MIN_LIFETIME_INTRODUCTIONS * 2)
1051
1052/** The minimum number of seconds that an introduction point will last
1053 * before expiring due to old age. (If it receives enough INTRODUCE2 cells --
1054 * see INTRO_POINT_MIN_LIFETIME_INTRODUCTIONS above -- it may expire
1055 * sooner.)
1056 *
1057 * XXX Should this be configurable? */
1058#define INTRO_POINT_LIFETIME_MIN_SECONDS (18*60*60)
1059/** The maximum number of seconds that an introduction point will last
1060 * before expiring due to old age.
1061 *
1062 * XXX Should this be configurable? */
1063#define INTRO_POINT_LIFETIME_MAX_SECONDS (24*60*60)
1064
1065/** The maximum number of circuit creation retries we make to an intro point
1066 * before giving up. We try to reuse intro points that fail during their
1067 * lifetime, so this is a hard limit on how many times we do that. */
1068#define MAX_INTRO_POINT_CIRCUIT_RETRIES 3
1069
1070/********************************* routerlist.c ***************************/
1071
1072typedef struct dir_server_t dir_server_t;
1073
/** Minimum bandwidth a relay must advertise: 75 KiB (75*1024). Units are
 * presumably bytes per second -- confirm against the routerlist checks. */
1074#define RELAY_REQUIRED_MIN_BANDWIDTH (75*1024)
/** Minimum bandwidth a bridge must advertise: 50 KiB (50*1024); same unit
 * caveat as above. */
1075#define BRIDGE_REQUIRED_MIN_BANDWIDTH (50*1024)
1076
/** Upper bound on the bandwidth a router may declare: INT32_MAX. */
1077#define ROUTER_MAX_DECLARED_BANDWIDTH INT32_MAX
1078
1079typedef struct tor_version_t tor_version_t;
1080
1081#endif /* !defined(TOR_OR_H) */