relay.c 114 KB
Newer Older
Roger Dingledine's avatar
Roger Dingledine committed
1
2
/* Copyright (c) 2001 Matej Pfajfar.
 * Copyright (c) 2001-2004, Roger Dingledine.
3
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
Nick Mathewson's avatar
Nick Mathewson committed
4
 * Copyright (c) 2007-2019, The Tor Project, Inc. */
5
6
7
8
/* See LICENSE for licensing information */

/**
 * \file relay.c
9
 * \brief Handle relay cell encryption/decryption, plus packaging and
Nick Mathewson's avatar
Nick Mathewson committed
10
 *    receiving from circuits, plus queuing on circuits.
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
 *
 * This is a core modules that makes Tor work. It's responsible for
 * dealing with RELAY cells (the ones that travel more than one hop along a
 * circuit), by:
 *  <ul>
 *   <li>constructing relays cells,
 *   <li>encrypting relay cells,
 *   <li>decrypting relay cells,
 *   <li>demultiplexing relay cells as they arrive on a connection,
 *   <li>queueing relay cells for retransmission,
 *   <li>or handling relay cells that are for us to receive (as an exit or a
 *   client).
 *  </ul>
 *
 * RELAY cells are generated throughout the code at the client or relay side,
 * using relay_send_command_from_edge() or one of the functions like
 * connection_edge_send_command() that calls it.  Of particular interest is
 * connection_edge_package_raw_inbuf(), which takes information that has
 * arrived on an edge connection socket, and packages it as a RELAY_DATA cell
 * -- this is how information is actually sent across the Tor network.  The
 * cryptography for these functions is handled deep in
 * circuit_package_relay_cell(), which either adds a single layer of
 * encryption (if we're an exit), or multiple layers (if we're the origin of
 * the circuit).  After construction and encryption, the RELAY cells are
 * passed to append_cell_to_circuit_queue(), which queues them for
 * transmission and tells the circuitmux (see circuitmux.c) that the circuit
 * is waiting to send something.
 *
 * Incoming RELAY cells arrive at circuit_receive_relay_cell(), called from
 * command.c.  There they are decrypted and, if they are for us, are passed to
 * connection_edge_process_relay_cell(). If they're not for us, they're
 * re-queued for retransmission again with append_cell_to_circuit_queue().
 *
 * The connection_edge_process_relay_cell() function handles all the different
 * types of relay cells, launching requests or transmitting data as needed.
46
47
 **/

48
#define RELAY_PRIVATE
49
50
#include "core/or/or.h"
#include "feature/client/addressmap.h"
51
#include "lib/err/backtrace.h"
52
#include "lib/container/buffers.h"
53
54
55
56
57
#include "core/or/channel.h"
#include "feature/client/circpathbias.h"
#include "core/or/circuitbuild.h"
#include "core/or/circuitlist.h"
#include "core/or/circuituse.h"
58
#include "lib/compress/compress.h"
59
60
61
62
63
#include "app/config/config.h"
#include "core/mainloop/connection.h"
#include "core/or/connection_edge.h"
#include "core/or/connection_or.h"
#include "feature/control/control.h"
64
65
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h"
66
#include "feature/dircommon/directory.h"
67
#include "feature/relay/dns.h"
68
#include "feature/stats/geoip_stats.h"
69
#include "feature/hs/hs_cache.h"
70
#include "core/mainloop/mainloop.h"
71
72
#include "feature/nodelist/networkstatus.h"
#include "feature/nodelist/nodelist.h"
73
#include "core/or/onion.h"
74
75
76
77
78
79
#include "core/or/policies.h"
#include "core/or/reasons.h"
#include "core/or/relay.h"
#include "core/crypto/relay_crypto.h"
#include "feature/rend/rendcache.h"
#include "feature/rend/rendcommon.h"
80
#include "feature/nodelist/describe.h"
81
82
83
#include "feature/nodelist/routerlist.h"
#include "core/or/scheduler.h"
#include "feature/stats/rephist.h"
84

85
86
87
88
89
90
91
92
93
94
95
#include "core/or/cell_st.h"
#include "core/or/cell_queue_st.h"
#include "core/or/cpath_build_state_st.h"
#include "feature/dircommon/dir_connection_st.h"
#include "core/or/destroy_cell_queue_st.h"
#include "core/or/entry_connection_st.h"
#include "core/or/extend_info_st.h"
#include "core/or/or_circuit_st.h"
#include "core/or/origin_circuit_st.h"
#include "feature/nodelist/routerinfo_st.h"
#include "core/or/socks_request_st.h"
96

Nick Mathewson's avatar
Nick Mathewson committed
97
98
#include "lib/intmath/weakrng.h"

99
static edge_connection_t *relay_lookup_conn(circuit_t *circ, cell_t *cell,
100
                                            cell_direction_t cell_direction,
101
                                            crypt_path_t *layer_hint);
102

103
104
105
106
107
108
109
110
111
static void circuit_consider_sending_sendme(circuit_t *circ,
                                            crypt_path_t *layer_hint);
static void circuit_resume_edge_reading(circuit_t *circ,
                                        crypt_path_t *layer_hint);
static int circuit_resume_edge_reading_helper(edge_connection_t *conn,
                                              circuit_t *circ,
                                              crypt_path_t *layer_hint);
static int circuit_consider_stop_edge_reading(circuit_t *circ,
                                              crypt_path_t *layer_hint);
112
static int circuit_queue_streams_are_blocked(circuit_t *circ);
113
114
115
116
static void adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t *circ,
                                                  entry_connection_t *conn,
                                                  node_t *node,
                                                  const tor_addr_t *addr);
117

118
119
120
121
122
123
124
/** Stop reading on edge connections when we have this many cells
 * waiting on the appropriate queue. */
#define CELL_QUEUE_HIGHWATER_SIZE 256
/** Start reading from edge connections again when we get down to this many
 * cells. */
#define CELL_QUEUE_LOWWATER_SIZE 64

125
126
127
/** Stats: how many relay cells have originated at this hop, or have
 * been relayed onward (not recognized at this hop)?
 */
128
uint64_t stats_n_relay_cells_relayed = 0;
129
130
131
/** Stats: how many relay cells have been delivered to streams at this
 * hop?
 */
132
uint64_t stats_n_relay_cells_delivered = 0;
133
134
135
/** Stats: how many circuits have we closed due to the cell queue limit being
 * reached (see append_cell_to_circuit_queue()) */
uint64_t stats_n_circ_max_cell_reached = 0;
136

137
138
139
/** Used to tell which stream to read from first on a circuit. */
static tor_weak_rng_t stream_choice_rng = TOR_WEAK_RNG_INIT;

140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
/**
 * Update channel usage state based on the type of relay cell and
 * circuit properties.
 *
 * This is needed to determine if a client channel is being
 * used for application traffic, and if a relay channel is being
 * used for multihop circuits and application traffic. The decision
 * to pad in channelpadding.c depends upon this info (as well as
 * consensus parameters) to decide what channels to pad.
 */
static void
circuit_update_channel_usage(circuit_t *circ, cell_t *cell)
{
  if (CIRCUIT_IS_ORIGIN(circ)) {
    /*
     * The client state was first set much earlier in
     * circuit_send_next_onion_skin(), so we can start padding as early as
     * possible.
     *
     * However, if padding turns out to be expensive, we may want to not do
     * it until actual application traffic starts flowing (which is controlled
     * via consensus param nf_pad_before_usage).
     *
     * So: If we're an origin circuit and we've created a full length circuit,
     * then any CELL_RELAY cell means application data. Increase the usage
     * state of the channel to indicate this.
     *
     * We want to wait for CELL_RELAY specifically here, so we know that
     * the channel was definitely being used for data and not for extends.
     * By default, we pad as soon as a channel has been used for *any*
     * circuits, so this state is irrelevant to the padding decision in
     * the default case. However, if padding turns out to be expensive,
     * we would like the ability to avoid padding until we're absolutely
     * sure that a channel is used for enough application data to be worth
     * padding.
     *
     * (So it does not matter that CELL_RELAY_EARLY can actually contain
     * application data. This is only a load reducing option and that edge
     * case does not matter if we're desperately trying to reduce overhead
     * anyway. See also consensus parameter nf_pad_before_usage).
     */
    if (BUG(!circ->n_chan))
      return;

    if (circ->n_chan->channel_usage == CHANNEL_USED_FOR_FULL_CIRCS &&
        cell->command == CELL_RELAY) {
      circ->n_chan->channel_usage = CHANNEL_USED_FOR_USER_TRAFFIC;
    }
  } else {
    /* If we're a relay circuit, the question is more complicated. Basically:
     * we only want to pad connections that carry multihop (anonymous)
     * circuits.
     *
     * We assume we're more than one hop if either the previous hop
     * is not a client, or if the previous hop is a client and there's
     * a next hop. Then, circuit traffic starts at RELAY_EARLY, and
     * user application traffic starts when we see RELAY cells.
     */
    or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);

    if (BUG(!or_circ->p_chan))
      return;

203
204
    if (!channel_is_client(or_circ->p_chan) ||
        (channel_is_client(or_circ->p_chan) && circ->n_chan)) {
205
206
207
208
209
210
211
212
213
214
215
      if (cell->command == CELL_RELAY_EARLY) {
        if (or_circ->p_chan->channel_usage < CHANNEL_USED_FOR_FULL_CIRCS) {
          or_circ->p_chan->channel_usage = CHANNEL_USED_FOR_FULL_CIRCS;
        }
      } else if (cell->command == CELL_RELAY) {
        or_circ->p_chan->channel_usage = CHANNEL_USED_FOR_USER_TRAFFIC;
      }
    }
  }
}

216
/** Receive a relay cell:
217
218
 *  - Crypt it (encrypt if headed toward the origin or if we <b>are</b> the
 *    origin; decrypt if we're headed toward the exit).
219
 *  - Check if recognized (if exitward).
220
221
 *  - If recognized and the digest checks out, then find if there's a stream
 *    that the cell is intended for, and deliver it to the right
222
 *    connection_edge.
223
224
 *  - If not recognized, then we need to relay it: append it to the appropriate
 *    cell_queue on <b>circ</b>.
225
 *
226
 * Return -<b>reason</b> on failure.
227
 */
228
int
229
230
circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
                           cell_direction_t cell_direction)
231
{
232
  channel_t *chan = NULL;
233
234
  crypt_path_t *layer_hint=NULL;
  char recognized=0;
235
  int reason;
236

237
238
239
240
  tor_assert(cell);
  tor_assert(circ);
  tor_assert(cell_direction == CELL_DIRECTION_OUT ||
             cell_direction == CELL_DIRECTION_IN);
241
242
243
  if (circ->marked_for_close)
    return 0;

244
245
  if (relay_decrypt_cell(circ, cell, cell_direction, &layer_hint, &recognized)
      < 0) {
246
247
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "relay crypt failed. Dropping connection.");
248
    return -END_CIRC_REASON_INTERNAL;
249
250
  }

251
252
  circuit_update_channel_usage(circ, cell);

253
  if (recognized) {
254
255
256
    edge_connection_t *conn = NULL;

    if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) {
257
258
259
      if (pathbias_check_probe_response(circ, cell) == -1) {
        pathbias_count_valid_cells(circ, cell);
      }
260
261
262
263
264
265

      /* We need to drop this cell no matter what to avoid code that expects
       * a certain purpose (such as the hidserv code). */
      return 0;
    }

266
    conn = relay_lookup_conn(circ, cell, cell_direction, layer_hint);
267
    if (cell_direction == CELL_DIRECTION_OUT) {
268
      ++stats_n_relay_cells_delivered;
269
      log_debug(LD_OR,"Sending away from origin.");
270
271
      if ((reason=connection_edge_process_relay_cell(cell, circ, conn, NULL))
          < 0) {
272
        log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
273
274
               "connection_edge_process_relay_cell (away from origin) "
               "failed.");
275
        return reason;
276
277
      }
    }
278
    if (cell_direction == CELL_DIRECTION_IN) {
279
      ++stats_n_relay_cells_delivered;
280
      log_debug(LD_OR,"Sending to origin.");
281
282
      if ((reason = connection_edge_process_relay_cell(cell, circ, conn,
                                                       layer_hint)) < 0) {
283
284
285
286
287
288
289
        /* If a client is trying to connect to unknown hidden service port,
         * END_CIRC_AT_ORIGIN is sent back so we can then close the circuit.
         * Do not log warn as this is an expected behavior for a service. */
        if (reason != END_CIRC_AT_ORIGIN) {
          log_warn(LD_OR,
                   "connection_edge_process_relay_cell (at origin) failed.");
        }
290
        return reason;
291
292
293
294
295
296
      }
    }
    return 0;
  }

  /* not recognized. pass it on. */
297
  if (cell_direction == CELL_DIRECTION_OUT) {
298
    cell->circ_id = circ->n_circ_id; /* switch it */
299
    chan = circ->n_chan;
300
301
  } else if (! CIRCUIT_IS_ORIGIN(circ)) {
    cell->circ_id = TO_OR_CIRCUIT(circ)->p_circ_id; /* switch it */
302
    chan = TO_OR_CIRCUIT(circ)->p_chan;
303
  } else {
304
305
    log_fn(LOG_PROTOCOL_WARN, LD_OR,
           "Dropping unrecognized inbound cell on origin circuit.");
306
307
308
309
310
311
312
313
314
    /* If we see unrecognized cells on path bias testing circs,
     * it's bad mojo. Those circuits need to die.
     * XXX: Shouldn't they always die? */
    if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) {
      TO_ORIGIN_CIRCUIT(circ)->path_state = PATH_STATE_USE_FAILED;
      return -END_CIRC_REASON_TORPROTOCOL;
    } else {
      return 0;
    }
315
316
  }

317
  if (!chan) {
318
319
320
321
    // XXXX Can this splice stuff be done more cleanly?
    if (! CIRCUIT_IS_ORIGIN(circ) &&
        TO_OR_CIRCUIT(circ)->rend_splice &&
        cell_direction == CELL_DIRECTION_OUT) {
322
      or_circuit_t *splice_ = TO_OR_CIRCUIT(circ)->rend_splice;
323
      tor_assert(circ->purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED);
324
325
      tor_assert(splice_->base_.purpose == CIRCUIT_PURPOSE_REND_ESTABLISHED);
      cell->circ_id = splice_->p_circ_id;
326
      cell->command = CELL_RELAY; /* can't be relay_early anyway */
327
      if ((reason = circuit_receive_relay_cell(cell, TO_CIRCUIT(splice_),
328
                                               CELL_DIRECTION_IN)) < 0) {
329
330
        log_warn(LD_REND, "Error relaying cell across rendezvous; closing "
                 "circuits");
331
        /* XXXX Do this here, or just return -1? */
332
333
        circuit_mark_for_close(circ, -reason);
        return reason;
334
335
336
      }
      return 0;
    }
337
338
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Didn't recognize cell, but circ stops here! Closing circ.");
339
    return -END_CIRC_REASON_TORPROTOCOL;
340
341
  }

342
  log_debug(LD_OR,"Passing on unrecognized cell.");
343
344
345
346
347

  ++stats_n_relay_cells_relayed; /* XXXX no longer quite accurate {cells}
                                  * we might kill the circ before we relay
                                  * the cells. */

348
  append_cell_to_circuit_queue(circ, chan, cell, cell_direction, 0);
349
350
351
  return 0;
}

352
/** Package a relay cell from an edge:
353
 *  - Encrypt it to the right layer
354
 *  - Append it to the appropriate cell_queue on <b>circ</b>.
355
 */
356
static int
357
circuit_package_relay_cell(cell_t *cell, circuit_t *circ,
358
                           cell_direction_t cell_direction,
Nick Mathewson's avatar
Nick Mathewson committed
359
360
                           crypt_path_t *layer_hint, streamid_t on_stream,
                           const char *filename, int lineno)
Roger Dingledine's avatar
Roger Dingledine committed
361
{
362
  channel_t *chan; /* where to send the cell */
363

364
365
366
367
368
  if (circ->marked_for_close) {
    /* Circuit is marked; send nothing. */
    return 0;
  }

369
  if (cell_direction == CELL_DIRECTION_OUT) {
370
    chan = circ->n_chan;
Nick Mathewson's avatar
Nick Mathewson committed
371
372
    if (!chan) {
      log_warn(LD_BUG,"outgoing relay cell sent from %s:%d has n_chan==NULL."
373
374
375
376
377
378
379
380
381
               " Dropping. Circuit is in state %s (%d), and is "
               "%smarked for close. (%s:%d, %d)", filename, lineno,
               circuit_state_to_string(circ->state), circ->state,
               circ->marked_for_close ? "" : "not ",
               circ->marked_for_close_file?circ->marked_for_close_file:"",
               circ->marked_for_close, circ->marked_for_close_reason);
      if (CIRCUIT_IS_ORIGIN(circ)) {
        circuit_log_path(LOG_WARN, LD_BUG, TO_ORIGIN_CIRCUIT(circ));
      }
382
      log_backtrace(LOG_WARN,LD_BUG,"");
Nick Mathewson's avatar
Nick Mathewson committed
383
384
385
386
387
      return 0; /* just drop it */
    }
    if (!CIRCUIT_IS_ORIGIN(circ)) {
      log_warn(LD_BUG,"outgoing relay cell sent from %s:%d on non-origin "
               "circ. Dropping.", filename, lineno);
388
      log_backtrace(LOG_WARN,LD_BUG,"");
389
390
      return 0; /* just drop it */
    }
391

392
    relay_encrypt_cell_outbound(cell, TO_ORIGIN_CIRCUIT(circ), layer_hint);
393
394
395

    /* Update circ written totals for control port */
    origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
396
397
    ocirc->n_written_circ_bw = tor_add_u32_nowrap(ocirc->n_written_circ_bw,
                                                  CELL_PAYLOAD_SIZE);
398

399
  } else { /* incoming cell */
400
    if (CIRCUIT_IS_ORIGIN(circ)) {
401
402
      /* We should never package an _incoming_ cell from the circuit
       * origin; that means we messed up somewhere. */
403
      log_warn(LD_BUG,"incoming relay cell at origin circuit. Dropping.");
404
      assert_circuit_ok(circ);
405
406
      return 0; /* just drop it */
    }
407
408
    or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
    relay_encrypt_cell_inbound(cell, or_circ);
409
    chan = or_circ->p_chan;
410
411
  }
  ++stats_n_relay_cells_relayed;
412

413
  append_cell_to_circuit_queue(circ, chan, cell, cell_direction, on_stream);
414
415
416
417
418
419
  return 0;
}

/** If cell's stream_id matches the stream_id of any conn that's
 * attached to circ, return that conn, else return NULL.
 */
420
static edge_connection_t *
Nick Mathewson's avatar
Nick Mathewson committed
421
422
relay_lookup_conn(circuit_t *circ, cell_t *cell,
                  cell_direction_t cell_direction, crypt_path_t *layer_hint)
423
{
424
  edge_connection_t *tmpconn;
425
426
427
428
  relay_header_t rh;

  relay_header_unpack(&rh, cell->payload);

429
  if (!rh.stream_id)
430
431
432
433
434
435
    return NULL;

  /* IN or OUT cells could have come from either direction, now
   * that we allow rendezvous *to* an OP.
   */

436
437
438
  if (CIRCUIT_IS_ORIGIN(circ)) {
    for (tmpconn = TO_ORIGIN_CIRCUIT(circ)->p_streams; tmpconn;
         tmpconn=tmpconn->next_stream) {
439
      if (rh.stream_id == tmpconn->stream_id &&
440
          !tmpconn->base_.marked_for_close &&
441
          tmpconn->cpath_layer == layer_hint) {
442
        log_debug(LD_APP,"found conn for stream %d.", rh.stream_id);
443
        return tmpconn;
444
      }
445
    }
446
447
448
  } else {
    for (tmpconn = TO_OR_CIRCUIT(circ)->n_streams; tmpconn;
         tmpconn=tmpconn->next_stream) {
449
      if (rh.stream_id == tmpconn->stream_id &&
450
          !tmpconn->base_.marked_for_close) {
451
452
453
454
455
        log_debug(LD_EXIT,"found conn for stream %d.", rh.stream_id);
        if (cell_direction == CELL_DIRECTION_OUT ||
            connection_edge_is_rendezvous_stream(tmpconn))
          return tmpconn;
      }
456
    }
457
458
    for (tmpconn = TO_OR_CIRCUIT(circ)->resolving_streams; tmpconn;
         tmpconn=tmpconn->next_stream) {
459
      if (rh.stream_id == tmpconn->stream_id &&
460
          !tmpconn->base_.marked_for_close) {
461
462
463
        log_debug(LD_EXIT,"found conn for stream %d.", rh.stream_id);
        return tmpconn;
      }
464
465
466
467
468
    }
  }
  return NULL; /* probably a begin relay cell */
}

469
470
471
472
/** Pack the relay_header_t host-order structure <b>src</b> into
 * network-order in the buffer <b>dest</b>. See tor-spec.txt for details
 * about the wire format.
 */
473
void
Nick Mathewson's avatar
Nick Mathewson committed
474
relay_header_pack(uint8_t *dest, const relay_header_t *src)
475
{
Nick Mathewson's avatar
Nick Mathewson committed
476
  set_uint8(dest, src->command);
477
478
479
480
481
482
483
484
485
  set_uint16(dest+1, htons(src->recognized));
  set_uint16(dest+3, htons(src->stream_id));
  memcpy(dest+5, src->integrity, 4);
  set_uint16(dest+9, htons(src->length));
}

/** Unpack the network-order buffer <b>src</b> into a host-order
 * relay_header_t structure <b>dest</b>.
 */
486
void
Nick Mathewson's avatar
Nick Mathewson committed
487
relay_header_unpack(relay_header_t *dest, const uint8_t *src)
488
{
Nick Mathewson's avatar
Nick Mathewson committed
489
  dest->command = get_uint8(src);
490
491
492
493
494
495
  dest->recognized = ntohs(get_uint16(src+1));
  dest->stream_id = ntohs(get_uint16(src+3));
  memcpy(dest->integrity, src+5, 4);
  dest->length = ntohs(get_uint16(src+9));
}

Karsten Loesing's avatar
Karsten Loesing committed
496
497
498
499
/** Convert the relay <b>command</b> into a human-readable string. */
static const char *
relay_command_to_string(uint8_t command)
{
500
  static char buf[64];
Karsten Loesing's avatar
Karsten Loesing committed
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
  switch (command) {
    case RELAY_COMMAND_BEGIN: return "BEGIN";
    case RELAY_COMMAND_DATA: return "DATA";
    case RELAY_COMMAND_END: return "END";
    case RELAY_COMMAND_CONNECTED: return "CONNECTED";
    case RELAY_COMMAND_SENDME: return "SENDME";
    case RELAY_COMMAND_EXTEND: return "EXTEND";
    case RELAY_COMMAND_EXTENDED: return "EXTENDED";
    case RELAY_COMMAND_TRUNCATE: return "TRUNCATE";
    case RELAY_COMMAND_TRUNCATED: return "TRUNCATED";
    case RELAY_COMMAND_DROP: return "DROP";
    case RELAY_COMMAND_RESOLVE: return "RESOLVE";
    case RELAY_COMMAND_RESOLVED: return "RESOLVED";
    case RELAY_COMMAND_BEGIN_DIR: return "BEGIN_DIR";
    case RELAY_COMMAND_ESTABLISH_INTRO: return "ESTABLISH_INTRO";
    case RELAY_COMMAND_ESTABLISH_RENDEZVOUS: return "ESTABLISH_RENDEZVOUS";
    case RELAY_COMMAND_INTRODUCE1: return "INTRODUCE1";
    case RELAY_COMMAND_INTRODUCE2: return "INTRODUCE2";
    case RELAY_COMMAND_RENDEZVOUS1: return "RENDEZVOUS1";
    case RELAY_COMMAND_RENDEZVOUS2: return "RENDEZVOUS2";
    case RELAY_COMMAND_INTRO_ESTABLISHED: return "INTRO_ESTABLISHED";
    case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
      return "RENDEZVOUS_ESTABLISHED";
    case RELAY_COMMAND_INTRODUCE_ACK: return "INTRODUCE_ACK";
525
526
527
528
529
530
    case RELAY_COMMAND_EXTEND2: return "EXTEND2";
    case RELAY_COMMAND_EXTENDED2: return "EXTENDED2";
    default:
      tor_snprintf(buf, sizeof(buf), "Unrecognized relay command %u",
                   (unsigned)command);
      return buf;
Karsten Loesing's avatar
Karsten Loesing committed
531
532
533
  }
}

534
535
536
537
538
/** Make a relay cell out of <b>relay_command</b> and <b>payload</b>, and send
 * it onto the open circuit <b>circ</b>. <b>stream_id</b> is the ID on
 * <b>circ</b> for the stream that's sending the relay cell, or 0 if it's a
 * control cell.  <b>cpath_layer</b> is NULL for OR->OP cells, or the
 * destination hop for OP->OR cells.
539
 *
540
541
 * If you can't send the cell, mark the circuit for close and return -1. Else
 * return 0.
542
 */
543
544
545
546
547
MOCK_IMPL(int,
relay_send_command_from_edge_,(streamid_t stream_id, circuit_t *circ,
                               uint8_t relay_command, const char *payload,
                               size_t payload_len, crypt_path_t *cpath_layer,
                               const char *filename, int lineno))
548
{
549
550
  cell_t cell;
  relay_header_t rh;
551
  cell_direction_t cell_direction;
552
  /* XXXX NM Split this function into a separate versions per circuit type? */
553

554
  tor_assert(circ);
555
  tor_assert(payload_len <= RELAY_PAYLOAD_SIZE);
556
557
558

  memset(&cell, 0, sizeof(cell_t));
  cell.command = CELL_RELAY;
559
560
  if (CIRCUIT_IS_ORIGIN(circ)) {
    tor_assert(cpath_layer);
561
562
    cell.circ_id = circ->n_circ_id;
    cell_direction = CELL_DIRECTION_OUT;
563
  } else {
564
    tor_assert(! cpath_layer);
565
    cell.circ_id = TO_OR_CIRCUIT(circ)->p_circ_id;
566
567
568
569
570
    cell_direction = CELL_DIRECTION_IN;
  }

  memset(&rh, 0, sizeof(rh));
  rh.command = relay_command;
571
  rh.stream_id = stream_id;
572
573
  rh.length = payload_len;
  relay_header_pack(cell.payload, &rh);
574
  if (payload_len)
575
576
    memcpy(cell.payload+RELAY_HEADER_SIZE, payload, payload_len);

577
578
  log_debug(LD_OR,"delivering %d cell %s.", relay_command,
            cell_direction == CELL_DIRECTION_OUT ? "forward" : "backward");
579

580
581
582
  if (relay_command == RELAY_COMMAND_DROP)
    rep_hist_padding_count_write(PADDING_TYPE_DROP);

583
584
  /* If we are sending an END cell and this circuit is used for a tunneled
   * directory request, advance its state. */
585
586
587
  if (relay_command == RELAY_COMMAND_END && circ->dirreq_id)
    geoip_change_dirreq_state(circ->dirreq_id, DIRREQ_TUNNELED,
                              DIRREQ_END_CELL_SENT);
588

589
  if (cell_direction == CELL_DIRECTION_OUT && circ->n_chan) {
590
    /* if we're using relaybandwidthrate, this conn wants priority */
591
    channel_timestamp_client(circ->n_chan);
592
593
  }

594
595
  if (cell_direction == CELL_DIRECTION_OUT) {
    origin_circuit_t *origin_circ = TO_ORIGIN_CIRCUIT(circ);
596
597
    if (origin_circ->remaining_relay_early_cells > 0 &&
        (relay_command == RELAY_COMMAND_EXTEND ||
598
         relay_command == RELAY_COMMAND_EXTEND2 ||
599
600
601
602
         cpath_layer != origin_circ->cpath)) {
      /* If we've got any relay_early cells left and (we're sending
       * an extend cell or we're not talking to the first hop), use
       * one of them.  Don't worry about the conn protocol version:
603
       * append_cell_to_circuit_queue will fix it up. */
604
605
606
607
      cell.command = CELL_RELAY_EARLY;
      --origin_circ->remaining_relay_early_cells;
      log_debug(LD_OR, "Sending a RELAY_EARLY cell; %d remaining.",
                (int)origin_circ->remaining_relay_early_cells);
Karsten Loesing's avatar
Karsten Loesing committed
608
609
610
611
      /* Memorize the command that is sent as RELAY_EARLY cell; helps debug
       * task 878. */
      origin_circ->relay_early_commands[
          origin_circ->relay_early_cells_sent++] = relay_command;
612
613
    } else if (relay_command == RELAY_COMMAND_EXTEND ||
               relay_command == RELAY_COMMAND_EXTEND2) {
Karsten Loesing's avatar
Karsten Loesing committed
614
615
616
      /* If no RELAY_EARLY cells can be sent over this circuit, log which
       * commands have been sent as RELAY_EARLY cells before; helps debug
       * task 878. */
617
      smartlist_t *commands_list = smartlist_new();
Karsten Loesing's avatar
Karsten Loesing committed
618
619
620
621
622
623
      int i = 0;
      char *commands = NULL;
      for (; i < origin_circ->relay_early_cells_sent; i++)
        smartlist_add(commands_list, (char *)
            relay_command_to_string(origin_circ->relay_early_commands[i]));
      commands = smartlist_join_strings(commands_list, ",", 0, NULL);
624
      log_warn(LD_BUG, "Uh-oh.  We're sending a RELAY_COMMAND_EXTEND cell, "
Karsten Loesing's avatar
Karsten Loesing committed
625
626
627
628
               "but we have run out of RELAY_EARLY cells on that circuit. "
               "Commands sent before: %s", commands);
      tor_free(commands);
      smartlist_free(commands_list);
629
    }
630
631
632
633

    /* Let's assume we're well-behaved: Anything that we decide to send is
     * valid, delivered data. */
    circuit_sent_valid_data(origin_circ, rh.length);
634
635
  }

636
  if (circuit_package_relay_cell(&cell, circ, cell_direction, cpath_layer,
Nick Mathewson's avatar
Nick Mathewson committed
637
                                 stream_id, filename, lineno) < 0) {
638
    log_warn(LD_BUG,"circuit_package_relay_cell failed. Closing.");
639
    circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
640
641
642
643
644
    return -1;
  }
  return 0;
}

645
646
647
648
649
650
651
652
653
654
/** Make a relay cell out of <b>relay_command</b> and <b>payload</b>, and
 * send it onto the open circuit <b>circ</b>. <b>fromconn</b> is the stream
 * that's sending the relay cell, or NULL if it's a control cell.
 * <b>cpath_layer</b> is NULL for OR->OP cells, or the destination hop
 * for OP->OR cells.
 *
 * If you can't send the cell, mark the circuit for close and
 * return -1. Else return 0.
 */
int
655
connection_edge_send_command(edge_connection_t *fromconn,
656
                             uint8_t relay_command, const char *payload,
657
                             size_t payload_len)
658
659
{
  /* XXXX NM Split this function into a separate versions per circuit type? */
660
  circuit_t *circ;
661
  crypt_path_t *cpath_layer = fromconn->cpath_layer;
662
663
  tor_assert(fromconn);
  circ = fromconn->on_circuit;
664

665
  if (fromconn->base_.marked_for_close) {
666
    log_warn(LD_BUG,
667
             "called on conn that's already marked for close at %s:%d.",
668
669
             fromconn->base_.marked_for_close_file,
             fromconn->base_.marked_for_close);
670
671
672
673
    return 0;
  }

  if (!circ) {
674
    if (fromconn->base_.type == CONN_TYPE_AP) {
675
      log_info(LD_APP,"no circ. Closing conn.");
676
677
      connection_mark_unattached_ap(EDGE_TO_ENTRY_CONN(fromconn),
                                    END_STREAM_REASON_INTERNAL);
678
679
    } else {
      log_info(LD_EXIT,"no circ. Closing conn.");
680
      fromconn->edge_has_sent_end = 1; /* no circ to send to */
681
      fromconn->end_reason = END_STREAM_REASON_INTERNAL;
682
683
684
685
686
      connection_mark_for_close(TO_CONN(fromconn));
    }
    return -1;
  }

687
688
689
690
691
692
  if (circ->marked_for_close) {
    /* The circuit has been marked, but not freed yet. When it's freed, it
     * will mark this connection for close. */
    return -1;
  }

693
694
695
696
697
698
699
700
#ifdef MEASUREMENTS_21206
  /* Keep track of the number of RELAY_DATA cells sent for directory
   * connections. */
  connection_t *linked_conn = TO_CONN(fromconn)->linked_conn;

  if (linked_conn && linked_conn->type == CONN_TYPE_DIR) {
    ++(TO_DIR_CONN(linked_conn)->data_cells_sent);
  }
701
#endif /* defined(MEASUREMENTS_21206) */
702

703
704
  return relay_send_command_from_edge(fromconn->stream_id, circ,
                                      relay_command, payload,
705
                                      payload_len, cpath_layer);
706
707
}

708
/** How many times will I retry a stream that fails due to DNS
709
 * resolve failure or misc error?
710
711
712
 */
#define MAX_RESOLVE_FAILURES 3

713
714
/** Return 1 if reason is something that you should retry if you
 * get the end cell before you've connected; else return 0. */
715
static int
716
717
edge_reason_is_retriable(int reason)
{
718
719
720
  return reason == END_STREAM_REASON_HIBERNATING ||
         reason == END_STREAM_REASON_RESOURCELIMIT ||
         reason == END_STREAM_REASON_EXITPOLICY ||
721
         reason == END_STREAM_REASON_RESOLVEFAILED ||
722
723
         reason == END_STREAM_REASON_MISC ||
         reason == END_STREAM_REASON_NOROUTE;
724
725
}

726
727
/** Called when we receive an END cell on a stream that isn't open yet,
 * from the client side.
728
729
 * Arguments are as for connection_edge_process_relay_cell().
 */
730
static int
731
connection_ap_process_end_not_open(
732
    relay_header_t *rh, cell_t *cell, origin_circuit_t *circ,
733
    entry_connection_t *conn, crypt_path_t *layer_hint)
734
{
735
  node_t *exitrouter;
736
  int reason = *(cell->payload+RELAY_HEADER_SIZE);
737
  int control_reason;
738
  edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(conn);
739
  (void) layer_hint; /* unused */
740

741
  if (rh->length > 0) {
742
743
    if (reason == END_STREAM_REASON_TORPROTOCOL ||
        reason == END_STREAM_REASON_DESTROY) {
744
      /* Both of these reasons could mean a failed tag
745
       * hit the exit and it complained. Do not probe.
746
747
748
       * Fail the circuit. */
      circ->path_state = PATH_STATE_USE_FAILED;
      return -END_CIRC_REASON_TORPROTOCOL;
749
750
751
    } else if (reason == END_STREAM_REASON_INTERNAL) {
      /* We can't infer success or failure, since older Tors report
       * ENETUNREACH as END_STREAM_REASON_INTERNAL. */
752
753
    } else {
      /* Path bias: If we get a valid reason code from the exit,
754
755
756
757
758
       * it wasn't due to tagging.
       *
       * We rely on recognized+digest being strong enough to make
       * tags unlikely to allow us to get tagged, yet 'recognized'
       * reason codes here. */
759
      pathbias_mark_use_success(circ);
760
    }
761
762
  }

763
764
765
  /* This end cell is now valid. */
  circuit_read_valid_data(circ, rh->length);

766
767
768
769
  if (rh->length == 0) {
    reason = END_STREAM_REASON_MISC;
  }

770
771
  control_reason = reason | END_STREAM_REASON_FLAG_REMOTE;

772
  if (edge_reason_is_retriable(reason) &&
773
774
      /* avoid retry if rend */
      !connection_edge_is_rendezvous_stream(edge_conn)) {
775
776
    const char *chosen_exit_digest =
      circ->build_state->chosen_exit->identity_digest;
777
778
    log_info(LD_APP,"Address '%s' refused due to '%s'. Considering retrying.",
             safe_str(conn->socks_request->address),
779
             stream_end_reason_to_string(reason));
780
    exitrouter = node_get_mutable_by_id(chosen_exit_digest);
781
    switch (reason) {
782
783
784
      case END_STREAM_REASON_EXITPOLICY: {
        tor_addr_t addr;
        tor_addr_make_unspec(&addr);
785
        if (rh->length >= 5) {
786
787
788
789
790
791
792
793
794
795
796
797
798
799
          int ttl = -1;
          tor_addr_make_unspec(&addr);
          if (rh->length == 5 || rh->length == 9) {
            tor_addr_from_ipv4n(&addr,
                                get_uint32(cell->payload+RELAY_HEADER_SIZE+1));
            if (rh->length == 9)
              ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+5));
          } else if (rh->length == 17 || rh->length == 21) {
            tor_addr_from_ipv6_bytes(&addr,
                                (char*)(cell->payload+RELAY_HEADER_SIZE+1));
            if (rh->length == 21)
              ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+17));
          }
          if (tor_addr_is_null(&addr)) {
800
801
            log_info(LD_APP,"Address '%s' resolved to 0.0.0.0. Closing,",
                     safe_str(conn->socks_request->address));
802
803
804
            connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
            return 0;
          }
Roger Dingledine's avatar
Roger Dingledine committed
805

Nick Mathewson's avatar
Nick Mathewson committed
806
807
808
809
          if ((tor_addr_family(&addr) == AF_INET &&
                                          !conn->entry_cfg.ipv4_traffic) ||
              (tor_addr_family(&addr) == AF_INET6 &&
                                          !conn->entry_cfg.ipv6_traffic)) {
810
811
812
813
814
815
            log_fn(LOG_PROTOCOL_WARN, LD_APP,
                   "Got an EXITPOLICY failure on a connection with a "
                   "mismatched family. Closing.");
            connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
            return 0;
          }
816
          if (get_options()->ClientDNSRejectInternalAddresses &&
817
              tor_addr_is_internal(&addr, 0)) {
818
819
820
821
822
            log_info(LD_APP,"Address '%s' resolved to internal. Closing,",
                     safe_str(conn->socks_request->address));
            connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
            return 0;
          }
823

824
          client_dns_set_addressmap(conn,
825
                                    conn->socks_request->address, &addr,
826
                                    conn->chosen_exit_name, ttl);
827
828
829
830
831
832
833
834
835
836

          {
            char new_addr[TOR_ADDR_BUF_LEN];
            tor_addr_to_str(new_addr, &addr, sizeof(new_addr), 1);
            if (strcmp(conn->socks_request->address, new_addr)) {
              strlcpy(conn->socks_request->address, new_addr,
                      sizeof(conn->socks_request->address));
              control_event_stream_status(conn, STREAM_EVENT_REMAP, 0);
            }
          }
837
        }
838
        /* check if the exit *ought* to have allowed it */
839
840
841
842
843

        adjust_exit_policy_from_exitpolicy_failure(circ,
                                                   conn,
                                                   exitrouter,
                                                   &addr);
844

845
846
        if (conn->chosen_exit_optional ||
            conn->chosen_exit_retries) {
847
          /* stop wanting a specific exit */
848
          conn->chosen_exit_optional = 0;
849
850
851
852
853
854
855
          /* A non-zero chosen_exit_retries can happen if we set a
           * TrackHostExits for this address under a port that the exit
           * relay allows, but then try the same address with a different
           * port that it doesn't allow to exit. We shouldn't unregister
           * the mapping, since it is probably still wanted on the
           * original port. But now we give away to the exit relay that
           * we probably have a TrackHostExits on it. So be it. */
856
          conn->chosen_exit_retries = 0;
857
          tor_free(conn->chosen_exit_name); /* clears it */
858
        }
859
        if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0)
860
861
862
          return 0;
        /* else, conn will get closed below */
        break;
863
      }
864
      case END_STREAM_REASON_CONNECTREFUSED:
865
        if (!conn->chosen_exit_optional)
866
867
868
          break; /* break means it'll close, below */
        /* Else fall through: expire this circuit, clear the
         * chosen_exit_name field, and try again. */
869
        FALLTHROUGH;
870
      case END_STREAM_REASON_RESOLVEFAILED:
871
      case END_STREAM_REASON_TIMEOUT:
872
      case END_STREAM_REASON_MISC:
873
      case END_STREAM_REASON_NOROUTE:
874
875
876
        if (client_dns_incr_failures(conn->socks_request->address)
            < MAX_RESOLVE_FAILURES) {
          /* We haven't retried too many times; reattach the connection. */
877
          circuit_log_path(LOG_INFO,LD_APP,circ);
878
          /* Mark this circuit "unusable for new streams". */
879
          mark_circuit_unusable_for_new_conns(circ);
880

881
          if (conn->chosen_exit_optional) {
882
            /* stop wanting a specific exit */
883
            conn->chosen_exit_optional = 0;
884
            tor_free(conn->chosen_exit_name); /* clears it */
885
          }
886
          if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0)
887
888
889
            return 0;
          /* else, conn will get closed below */
        } else {
890
891
892
893
894
          log_notice(LD_APP,
                     "Have tried resolving or connecting to address '%s' "
                     "at %d different places. Giving up.",
                     safe_str(conn->socks_request->address),
                     MAX_RESOLVE_FAILURES);
895
896
          /* clear the failures, so it will have a full try next time */
          client_dns_clear_failures(conn->socks_request->address);
897
898
899
900
        }
        break;
      case END_STREAM_REASON_HIBERNATING:
      case END_STREAM_REASON_RESOURCELIMIT:
901
        if (exitrouter) {
902
          policies_set_node_exitpolicy_to_reject_all(exitrouter);
903
        }
904
        if (conn->chosen_exit_optional) {
905
          /* stop wanting a specific exit */
906
          conn->chosen_exit_optional = 0;
907
          tor_free(conn->chosen_exit_name); /* clears it */
908
        }
909
        if (connection_ap_detach_retriable(conn, circ, control_reason) >= 0)
910
          return 0;
911
912
913
        /* else, will close below */
        break;
    } /* end switch */
914
    log_info(LD_APP,"Giving up on retrying; conn can't be handled.");
915
  }
916

917
918
  log_info(LD_APP,
           "Edge got end (%s) before we're connected. Marking for close.",
919
       stream_end_reason_to_string(rh->length > 0 ? reason : -1));
920
  circuit_log_path(LOG_INFO,LD_APP,circ);
Nick Mathewson's avatar
Nick Mathewson committed
921
  /* need to test because of detach_retriable */
922
  if (!ENTRY_TO_CONN(conn)->marked_for_close)
923
    connection_mark_unattached_ap(conn, control_reason);
924
925
926
  return 0;
}

927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
/** Called when we have gotten an END_REASON_EXITPOLICY failure on <b>circ</b>
 * for <b>conn</b>, while attempting to connect via <b>node</b>.  If the node
 * told us which address it rejected, then <b>addr</b> is that address;
 * otherwise it is AF_UNSPEC.
 *
 * If we are sure the node should have allowed this address, mark the node as
 * having a reject *:* exit policy.  Otherwise, mark the circuit as unusable
 * for this particular address.
 **/
static void
adjust_exit_policy_from_exitpolicy_failure(origin_circuit_t *circ,
                                           entry_connection_t *conn,
                                           node_t *node,
                                           const tor_addr_t *addr)
{
  int make_reject_all = 0;
  const sa_family_t family = tor_addr_family(addr);

  if (node) {
    tor_addr_t tmp;
    int asked_for_family = tor_addr_parse(&tmp, conn->socks_request->address);
    if (family == AF_UNSPEC) {
      make_reject_all = 1;
    } else if (node_exit_policy_is_exact(node, family) &&
               asked_for_family != -1 && !conn->chosen_exit_name) {
      make_reject_all = 1;
    }

    if (make_reject_all) {
      log_info(LD_APP,
               "Exitrouter %s seems to be more restrictive than its exit "
               "policy. Not using this router as exit for now.",
               node_describe(node));
      policies_set_node_exitpolicy_to_reject_all(node);
    }
  }

  if (family != AF_UNSPEC)
    addr_policy_append_reject_addr(&circ->prepend_policy, addr);
}

968
/** Helper: change the socks_request-&gt;address field on conn to the
969
 * dotted-quad representation of <b>new_addr</b>,
970
 * and send an appropriate REMAP event. */
971
static void
972
remap_event_helper(entry_connection_t *conn, const tor_addr_t *new_addr)
973
{
974
975
  tor_addr_to_str(conn->socks_request->address, new_addr,
                  sizeof(conn->socks_request->address),
976
                  1);
977
978
979
980
  control_event_stream_status(conn, STREAM_EVENT_REMAP,
                              REMAP_STREAM_SOURCE_EXIT);
}

981
982
983
984
/** Extract the contents of a connected cell in <b>cell</b>, whose relay
 * header has already been parsed into <b>rh</b>. On success, set
 * <b>addr_out</b> to the address we're connected to, and <b>ttl_out</b> to
 * the ttl of that address, in seconds, and return 0.  On failure, return
985
986
987
988
989
990
 * -1.
 *
 * Note that the resulting address can be UNSPEC if the connected cell had no
 * address (as for a stream to an union service or a tunneled directory
 * connection), and that the ttl can be absent (in which case <b>ttl_out</b>
 * is set to -1). */
991
STATIC int
992
993
994
995
996
997
998
999
1000
connected_cell_parse(const relay_header_t *rh, const cell_t *cell,
                     tor_addr_t *addr_out, int *ttl_out)
{
  uint32_t bytes;
  const uint8_t *payload = cell->payload + RELAY_HEADER_SIZE;

  tor_addr_make_unspec(addr_out);
  *ttl_out = -1;
  if (rh->length == 0)
For faster browsing, not all history is shown. View entire blame