| blob | 82043d607f6ecdda91ca8295a1c85a0f8eb307c8 |
1 /* Copyright (c) 2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file conflux_pool.c
6 * \brief Conflux circuit pool management
7 */
9 #define TOR_CONFLUX_PRIVATE
10 #define CONFLUX_CELL_PRIVATE
44 /* Indicate if we are shutting down. This is used so we avoid recovering a
45 * conflux set on total shutdown. */
48 /** The pool of client-side conflux_t that are built, linked, and ready
49 * to be used. Indexed by nonce. */
52 /** The pool of origin unlinked_circuits_t indexed by nonce. */
55 /** The pool of relay conflux_t indexed by nonce. We call these "server"
56 * because they could be onion-service side too (even though we likely will
57 * only implement onion service conflux in Arti). The code is littered with
58 * asserts to ensure there are no origin circuits in here for now, too. */
61 /** The pool of relay unlinked_circuits_t indexed by nonce. */
64 /* A leg is essentially a circuit for a conflux set. We use this object for the
65 * unlinked pool. */
67 /* The circuit of the leg. */
70 /* The LINK cell content which is used to put the information back in the
71 * conflux_t object once all legs have linked and validate the ack. */
74 /* Indicate if the leg has received the LINKED or the LINKED_ACK cell
75 * depending on its side of the circuit. When all legs are linked, we then
76 * finalize the conflux_t object and move it to the linked pool. */
79 /* What time did we send the LINK/LINKED (depending on which side) so we can
80 * calculate the RTT. */
83 /* The RTT value in usec takend from the LINK <--> LINKED round trip. */
87 /* Object used to track unlinked circuits which are kept in the unlinked pool
88 * until they are linked and moved to the linked pool and global circuit set.
89 */
91 /* If true, indicate that this unlinked set is client side as in the legs are
92 * origin circuits. Else, it is on the exit side and thus or circuits. */
95 /* If true, indicate if the conflux_t is related to a linked set. */
98 /* Conflux object that will be set in each leg once all linked. */
101 /* Legs. */
105 /** Error code used when linking circuits. Based on those, we decide to
106 * relaunch or not. */
108 /* Linking was successful. */
110 /* The RTT was not acceptable. */
112 /* The leg can't be found. */
114 /* The set can't be found. */
116 /* Invalid leg as in not pass validation. */
120 #ifdef TOR_UNIT_TESTS
121 digest256map_t *
123 {
125 }
127 digest256map_t *
129 {
131 }
132 #endif
134 /* For unit tests only: please treat these exactly as the defines in the
135 * code. */
139 /** Helper: Format at 8 bytes the nonce for logging. */
142 {
144 }
146 /**
147 * Return the conflux algorithm for a desired UX value.
148 */
149 static uint8_t
151 {
159 /* For now, we have no low mem algs, so use minRTT since it should
160 * switch less and thus use less mem */
161 /* TODO-329-TUNING: Pick better algs here*/
166 /* Trunnel should protect us from this */
169 }
170 }
172 /** Return a newly allocated conflux_t object. */
175 {
182 }
184 static void
186 {
189 }
204 }
206 /** Wrapper for the free function, set the cfx pointer to NULL after free */
207 #define conflux_free(cfx) \
208 FREE_AND_NULL(conflux_t, conflux_free_, cfx)
210 /** Helper: Free function for the digest256map_free(). */
213 {
216 }
218 /** Return a newly allocated leg object containing the given circuit and link
219 * pointer (no copy). */
222 {
227 }
229 /** Free the given leg object. Passing NULL is safe. */
230 static void
232 {
235 }
239 }
242 }
244 /** Return a newly allocated unlinked set object for the given nonce. A new
245 * conflux object is also created. */
248 {
256 }
258 /** Free the given unlinked object. */
259 static void
261 {
264 }
267 /* This cfx is pointing to a linked set. */
270 }
274 }
276 /** Add the given unlinked object to the unlinked pool. */
277 static void
279 {
285 }
286 }
288 /** Delete the given unlinked object from the unlinked pool. */
289 static void
291 {
298 }
299 }
301 /** Return an unlinked object for the given nonce else NULL. */
304 {
310 }
311 }
313 /** Delete from the pool and free the given unlinked object. */
314 static void
316 {
320 }
322 /** Add the given conflux object to the linked conflux set. */
323 static void
325 {
331 }
332 }
334 /** Delete from the linked conflux set the given nonce. */
335 static void
337 {
343 }
344 }
346 /** Return a conflux_t object for the given nonce from the linked set. */
349 {
355 }
356 }
358 /** Add the given leg to the given unlinked object. */
361 {
366 }
368 /** Return an unlinked leg for the given unlinked object and for the given
369 * circuit. */
372 {
376 }
379 }
381 /** Return the given circuit leg from its unlinked set (if any). */
384 {
389 }
391 }
393 static void
396 {
405 }
407 }
409 /**
410 * Ensure that the given circuit has no attached streams.
411 *
412 * This validation function is called at various stages for
413 * unlinked circuits, to make sure they have no streams.
414 */
415 static void
417 {
425 }
431 }
438 }
443 }
444 }
445 }
447 /** Return true iff the legs in the given unlinked set are valid and coherent
448 * to be a linked set. */
449 static bool
451 {
463 /* Version and nonce must match in all legs. */
466 }
468 // If the other ends last sent sequence number is higher than the
469 // last sequence number we delivered, we have data loss, and cannot link.
475 // TODO-329-ARTI: Instead of closing the set here, we could
476 // immediately send a SWITCH cell and re-send the missing data.
477 // To do this, though, we would need to constantly buffer at least
478 // a cwnd worth of sent data to retransmit. We're not going to try
479 // this in C-Tor, but arti could consider it.
480 }
484 /* Note that if no legs, it validates. */
487 }
489 /** Add up a new leg to the given conflux object. */
490 static void
492 {
497 /* Big trouble if we add a leg to the wrong set. */
502 // TODO-329-ARTI: Blindly copying the values from the cell. Is this correct?
503 // I think no... When adding new legs, switching to this leg is
504 // likely to break, unless the sender tracks what link cell it sent..
505 // Is that the best option? Or should we use the max of our legs, here?
506 // (It seems the other side will have no idea what our current maxes
507 /// are, so this option seems better right now)
515 /* Add leg to given conflux. */
518 /* Ensure the new circuit has no streams. */
521 /* If this is not the first leg, get the first leg, and get
522 * the reference streams from it. */
531 /* Sync all legs with the new stream(s). */
538 }
539 }
543 CIRCUIT_PURPOSE_CONFLUX_UNLINKED);
545 }
547 }
549 /**
550 * Clean up a circuit from its conflux_t object.
551 *
552 * Return true if closing this circuit should tear down the entire set,
553 * false otherwise.
554 */
555 static bool
557 {
567 }
569 // If the circuit still has inflight data, teardown
577 }
579 /* Remove it from the cfx. */
582 /* After removal, if this leg had the highest sent (or recv)
583 * sequence number, it was in active use by us (or the other side).
584 * We need to tear down the entire set. */
585 // TODO-329-ARTI: If we support resumption, we don't need this.
592 }
593 }
595 /* Cleanup any reference to leg. */
601 }
604 }
608 end:
610 }
612 /** Close the circuit of each legs of the given unlinked object. */
613 static void
615 {
620 /* Small optimization here, avoid this work if no legs. */
623 }
625 /* We will iterate over all legs and put the circuit in its own list and then
626 * mark them for close. The unlinked object gets freed opportunistically once
627 * there is no more legs attached to it and so we can't hold a reference
628 * while closing circuits. */
635 /* The leg gets cleaned up in the circuit close. */
639 }
642 }
645 /* Drop the list and ignore its content, we don't have ownership. */
647 }
649 /** Either closee all legs of the given unlinked set or delete it from the pool
650 * and free its memory.
651 *
652 * Important: The unlinked object is freed opportunistically when legs are
653 * removed until the point none remains. And so, it is only safe to free the
654 * object if no more legs exist.
655 */
656 static void
658 {
661 }
663 /* If we have legs, the circuit close will trigger the unlinked object to be
664 * opportunistically freed. Else, we do it explicitly. */
669 }
670 /* Either the unlinked object has been freed or the last leg close will free
671 * it so from this point on, nullify for safety reasons. */
673 }
675 /** Upon an error condition or a close of an in-use circuit, we must close all
676 * linked and unlinked circuits associated with a set. When the last leg of
677 * each set is closed, the set is removed from the pool. */
678 static void
680 {
681 /* It is possible that for a nonce we have both an unlinked set and a linked
682 * set. This happens if there is a recovery leg launched for an existing
683 * linked set. */
685 /* Close the unlinked set. */
689 }
690 /* In case it gets freed, be safe here. */
693 /* Close the linked set. It will free itself upon the close of
694 * the last leg. */
699 }
710 /* Drop the list and ignore its content, we don't have ownership. */
712 }
713 }
715 /** Helper: Free function taking a void pointer for the digest256map_free. */
718 {
721 }
723 /** Attempt to finalize the unlinked set to become a linked set and be put in
724 * the linked pool.
725 *
726 * If this finalized successfully, the given unlinked object is freed. */
727 static link_circ_err_t
729 {
738 /* Without legs, this is not ready to become a linked set. */
742 }
744 /* If there are too many legs, we can't link. */
748 "Conflux set has too many legs to link. "
753 }
755 /* Validate that all legs are coherent and parameters match. On failure, we
756 * teardown the whole unlinked set because this means we either have a code
757 * flow problem or the Exit is trying to trick us. */
762 END_CIRC_REASON_TORPROTOCOL);
765 }
767 /* Check all linked status. All need to be true in order to finalize the set
768 * and move it to the linked pool. */
770 /* We are still waiting on a leg. */
776 }
779 /* Finalize the cfx object by adding all legs into it. */
781 /* Removing the leg from the list is important so we avoid ending up with a
782 * leg in the unlinked list that is set with LINKED purpose. */
785 /* We are ready to attach the leg to the cfx object now. */
788 /* Clean the pending nonce and set the conflux object in the circuit. */
791 /* We are done with this leg object. */
797 /* Add the conflux object to the linked pool. For an existing linked cfx
798 * object, we'll simply replace it with itself. */
801 /* Remove it from the unlinked pool. */
804 /* We don't recover a leg when it is linked but if we would like to support
805 * session ressumption, this would be very important in order to allow new
806 * legs to be created/recovered. */
809 /* Nullify because we are about to free the unlinked object and the cfx has
810 * moved to all circuits. */
818 end:
820 }
822 /** Record the RTT for this client circuit.
823 *
824 * Return the RTT value. UINT64_MAX is returned if we couldn't find the initial
825 * measurement of when the cell was sent or if the leg is missing. */
826 static uint64_t
828 {
839 }
846 // TODO-329-TUNING: For now, let's accept this case. We need to do
847 // tuning and clean up the tests such that they use RTT in order to
848 // fail here.
849 //goto err;
850 }
853 err:
854 // Avoid using this leg until a timestamp comes in
858 }
860 /** Record the RTT for this Exit circuit.
861 *
862 * Return the RTT value. UINT64_MAX is returned if we couldn't find the initial
863 * measurement of when the cell was sent or if the leg is missing. */
865 static uint64_t
867 {
878 }
887 }
890 err:
894 }
896 /** For the given circuit, record the RTT from when the LINK or LINKED cell was
897 * sent that is this function works for either client or Exit.
898 *
899 * Return false if the RTT is too high for our standard else true. */
900 static bool
902 {
918 }
921 }
924 }
926 /** Link the given circuit within its unlinked set. This is called when either
927 * the LINKED or LINKED_ACK is received depending on which side of the circuit
928 * it is.
929 *
930 * It attempts to finalize the unlinked set as well which, if successful, puts
931 * it in the linked pool. */
932 static link_circ_err_t
934 {
943 }
952 }
956 /* Failure to find the leg when linking a circuit is an important problem
957 * so log loudly and error. */
963 }
965 /* Successful link. Attempt to finalize the set in case this was the last
966 * LINKED or LINKED_ACK cell to receive. */
970 end:
972 }
974 /** Launch a brand new set.
975 *
976 * Return true if all legs successfully launched or false if one failed. */
977 STATIC bool
979 {
982 /* Brand new nonce for this set. */
985 /* Launch all legs. */
988 /* This function cleans up entirely the unlinked set if a leg is unable
989 * to be launched. The recovery would be complex here. */
991 }
992 }
996 err:
998 }
1002 {
1011 /* If this is a leg of an existing linked set, use that conflux object
1012 * instead so all legs point to the same. It is put in the leg's circuit
1013 * once the link is confirmed. */
1019 }
1020 /* Add this set to the unlinked pool. */
1022 }
1025 }
1027 /**
1028 * On the client side, we need to determine if there is already
1029 * an exit in use for this set, and if so, use that.
1030 *
1031 * Otherwise, we return NULL and the exit is decided by the
1032 * circuitbuild.c code.
1033 */
1036 {
1041 // First, check the linked pool for the nonce
1045 /* Get the exit from the first leg */
1059 /* Get the exit from the first leg */
1066 }
1067 }
1068 }
1071 }
1073 /**
1074 * Return the currently configured client UX.
1075 */
1076 static uint8_t
1078 {
1079 #ifdef TOR_UNIT_TESTS
1081 #else
1086 /* Return the UX */
1088 #endif
1089 }
1091 /** Return true iff the given conflux object is allowed to launch a new leg. If
1092 * the cfx object is NULL, then it is always allowed to launch a new leg. */
1093 static bool
1095 {
1098 }
1100 /* The maximum number of retry is the minimum number of legs we are allowed
1101 * per set plus the maximum amount of retries we are allowed to do. */
1106 /* Only log once per nonce if we've reached the maximum. */
1110 }
1114 }
1116 allowed:
1118 }
1120 /*
1121 * Public API.
1122 */
1124 /** Launch a new conflux leg for the given nonce.
1125 *
1126 * Return true on success else false which teardowns the entire unlinked set if
1127 * any. */
1128 bool
1130 {
1132 CIRCLAUNCH_NEED_CONFLUX;
1138 /* Get or create a new unlinked object for this leg. */
1142 /* If we have an existing linked set, validate the number of leg retries
1143 * before attempting the launch. */
1146 }
1155 }
1157 /* Increase the retry count for this conflux object as in this nonce.
1158 * We must do this now, because some of the maze's early failure paths
1159 * call right back into this function for relaunch. */
1167 }
1170 /* At this point, the unlinked object has either a new conflux_t or the one
1171 * used by a linked set so it is fine to use the cfx from the unlinked object
1172 * from now on. */
1174 /* Get the max_seq_sent and recv from the linked pool, if it exists, and pass
1175 * to new link cell. */
1179 // TODO-329-ARTI: To support resumption/retransmit, the client should store
1180 // the last_seq_sent now, so that it can know how much data to retransmit to
1181 // the server after link. C-Tor will not be implementing this, but arti and
1182 // arti-relay could (if resumption seems worthwhile; it may not be worth the
1183 // memory storage there, either).
1185 /* We have a circuit, create the new leg and attach it to the set. */
1194 err:
1196 }
1198 /**
1199 * Add the identity digest of the guard nodes of all legs of the conflux
1200 * circuit.
1201 *
1202 * This function checks both pending and linked conflux circuits.
1203 */
1204 void
1207 {
1211 /* Ease our lives. */
1214 /* Ignore if this is not conflux related. */
1217 }
1219 /* When building a circuit, we should not have a conflux object
1220 * ourselves (though one may exist elsewhere). */
1223 /* Getting here without a nonce is a code flow issue. */
1226 }
1228 /* If there is only one bridge, then only issue a warn once that
1229 * at least two bridges are best for conflux. Exempt Snowflake
1230 * from this warn */
1232 /* Do not build any exclude lists; not enough bridges */
1234 }
1236 /* A linked set exists, use it. */
1243 DIGEST_LEN));
1245 }
1247 /* An unlinked set might exist for this nonce, if so, add the second hop of
1248 * the existing legs to the exclusion list. */
1254 /* Convert to origin circ and get cpath */
1258 DIGEST_LEN));
1260 }
1261 }
1263 /**
1264 * Add the identity digest of the middle nodes of all legs of the conflux
1265 * circuit.
1266 *
1267 * This function checks both pending and linked conflux circuits.
1268 *
1269 * XXX: The add guard and middle could be merged since it is the exact same
1270 * code except for the cpath position and the identity digest vs node_t in
1271 * the list. We could use an extra param indicating guard or middle. */
1272 void
1275 {
1279 /* Ease our lives. */
1282 /* Ignore if this is not conflux related. */
1285 }
1287 /* When building a circuit, we should not have a conflux object
1288 * ourselves (though one may exist elsewhere). */
1291 /* Getting here without a nonce is a code flow issue. */
1294 }
1296 /* A linked set exists, use it. */
1305 }
1307 }
1309 /* An unlinked set might exist for this nonce, if so, add the second hop of
1310 * the existing legs to the exclusion list. */
1316 /* Convert to origin circ and get cpath */
1322 }
1324 }
1325 }
1327 /** Return the number of unused client linked set. */
1328 static int
1330 {
1338 }
1340 /* The maze marks circuits used several different ways. If any of
1341 * them are marked for this leg, launch a new one. */
1345 count++;
1346 }
1350 }
1352 /** Determine if we need to launch new conflux circuits for our preemptive
1353 * pool.
1354 *
1355 * This is called once a second from the mainloop from
1356 * circuit_predict_and_launch_new(). */
1357 void
1359 {
1362 /* If conflux is disabled, or we have insufficient consensus exits,
1363 * don't prebuild. */
1367 }
1369 /* Don't attempt to build a new set if we are above our allowed maximum of
1370 * linked sets. */
1374 }
1376 /* Count the linked and unlinked to get the total number of sets we have
1377 * (will have). */
1385 }
1393 /* Failing once likely means we'll fail next attempt so stop for now and
1394 * we'll try later. */
1396 }
1397 }
1398 }
1400 /** Return the first circuit from the linked pool that will work with the conn.
1401 * If no such circuit exists, return NULL. */
1402 origin_circuit_t *
1404 {
1405 /* Use conn to check the exit policy of the first circuit
1406 * of each set in the linked pool. */
1410 /* Get the first circuit of the set. */
1415 /* Bug on these but we can recover. */
1418 }
1421 }
1424 /* Make sure the connection conforms with the exit policy and the isolation
1425 * flags also allows it. */
1427 CIRCUIT_PURPOSE_CONFLUX_LINKED,
1431 }
1433 /* Found a circuit that works. */
1438 }
1440 /** The given circuit is conflux pending and has closed. This deletes the leg
1441 * from the set, attempt to finalize it and relaunch a new leg. If the set is
1442 * empty after removing this leg, it is deleted. */
1443 static void
1445 {
1456 }
1460 /* This circuit is part of set that has already been removed previously freed
1461 * by another leg closing. */
1464 }
1466 /* We keep the nonce here because we will try to recover if we can and the
1467 * pending nonce will get nullified early. */
1473 /* Remove leg from set. */
1475 /* The circuit pending nonce has been nullified at this point. */
1477 /* If no more legs, opportunistically free the unlinked set. */
1481 /* Launch a new leg for this set to recover. */
1484 }
1485 }
1486 /* After this, it might have been freed. */
1489 /* Unlinked circuits should not have attached streams, but check
1490 * anyway, because The Maze. */
1492 }
1494 /** Update all stream pointers to point to this circuit.
1495 * This is used when a linked circuit is closed and we need to update the
1496 * streams to point to the remaining circuit
1497 */
1498 static void
1500 {
1507 /* Iterate over stream list using next_stream pointer, until null */
1510 /* Update the circuit pointer of each stream */
1513 }
1516 /* Iterate over stream list using next_stream pointer, until null */
1519 /* Update the circuit pointer of each stream */
1521 }
1522 /* Iterate over stream list using next_stream pointer, until null */
1525 /* Update the circuit pointer of each stream */
1527 }
1528 }
1529 }
1531 /** Nullify all streams of the given circuit. */
1532 static void
1534 {
1545 }
1546 }
1548 /** The given circuit is already linked to a set and has been closed. Remove it
1549 * from the set and free the pool if no more legs. */
1550 static void
1552 {
1563 }
1565 /* Unlink circuit from its conflux object. */
1569 /* Last leg, remove conflux object from linked set. */
1572 /* If there are other circuits, update streams backpointers and
1573 * nullify the stream lists. We do not free those streams in circuit_free_.
1574 * (They only get freed when the last circuit is freed). */
1578 }
1580 /* Keep the nonce so we can use it through out the rest of the function in
1581 * case we nullify the conflux object before. Reason is that in the case of a
1582 * full teardown, this function becomes basically recursive and so we must
1583 * nullify the conflux object of this circuit now before the recursiveness
1584 * starts leading to all legs being removed and thus not noticing if we are
1585 * the last or the first.
1586 *
1587 * Not the prettiest but that is the price to pay to live in the C-tor maze
1588 * and protected by ballrogs. */
1591 /* Nullify the conflux object from the circuit being closed iff we have more
1592 * legs. Reason being that the last leg needs to have the conflux object
1593 * attached to the circuit so it can be freed in conflux_circuit_free(). */
1596 }
1598 /* If this was a teardown condition, we need to mark other circuits,
1599 * including any potential unlinked circuits, for close.
1600 *
1601 * This call is recursive in the sense that linked_circuit_closed() will end
1602 * up being called for all legs and so by the time we come back here, the
1603 * linked is likely entirely gone. Thus why this is done last. */
1606 }
1607 }
1609 /** The given circuit is being freed and it is a linked leg. Clean up and free
1610 * anything that has to do with this circuit.
1611 *
1612 * After this call, the circuit should NOT be referenced anymore anywhere. */
1613 static void
1615 {
1623 }
1625 /* Circuit can be freed without being closed and so we try to delete this leg
1626 * so we can learn if this circuit is the last leg or not. */
1628 /* Check for instances of bug #40870, which we suspect happen
1629 * during exit. If any happen outside of exit, BUG and warn. */
1631 /* We should bug and warn if we're not in a shutdown process; that
1632 * means we got here somehow without a close. */
1635 "Conflux circuit %p being freed without being marked for "
1636 "full teardown via close, with shutdown state %d. "
1639 }
1641 }
1642 }
1645 /* The last leg will free the streams but until then, we nullify to avoid
1646 * use-after-free. */
1649 /* We are the last leg. */
1651 /* Remove from pool in case it is still lingering there else we'll end up
1652 * in a double free situation. */
1655 /* If there is an unlinked circuit that was also created for this set, we
1656 * need to look for it, and tell it is no longer part of a linked set
1657 * anymore, so it can be freed properly, or can complete the link if it is
1658 * able to. Effectively, the conflux_t object lifetime is longer than
1659 * either the linked or unlinked sets by themselves. This is a situation we
1660 * could cover with handles, but so far, it is not clear they are an
1661 * obvious benefit for other cases than this one. */
1668 /* We are the last one, clear the conflux object. If an unlinked object
1669 * has a reference to it, it won't get freed due to is_for_linked_set
1670 * flag. */
1672 }
1673 }
1674 }
1676 /** The given circuit is being freed and it is an unlinked leg. Clean up and
1677 * free anything that has to do with this circuit.
1678 *
1679 * After this call, the circuit should NOT be referenced anymore anywhere. */
1680 static void
1682 {
1687 }
1689 /* Cleanup circuit reference if a leg exists. This is possible if the circuit
1690 * was not marked for close before being freed. */
1694 }
1696 /* Null pointers are safe here. */
1698 }
1700 /** Circuit has been marked for close. */
1701 void
1703 {
1704 /* The unlinked case. If an unlinked set exists, we delete the leg and then
1705 * attempt to finalize it. After that, we'll launch a new leg to recover. */
1710 }
1711 }
1713 /** Circuit with conflux purpose just opened. */
1714 void
1716 {
1724 /* Extra safety layer so we never let a circuit opens if conflux is not
1725 * enabled. */
1730 "Conflux circuit opened without negotiating "
1733 }
1735 /* Unrelated to conflux. */
1738 }
1747 }
1749 /* On failure here, the circuit is closed and thus the leg and unlinked set
1750 * will be cleaned up. */
1753 }
1755 /* Mark the leg on when the LINK cell is sent. Used to timeout the circuit
1756 * for a minimum RTT when getting the LINKED. */
1759 end:
1762 }
1764 /** Process a CONFLUX_LINK cell which arrived on the given circuit. */
1765 void
1768 {
1778 }
1780 /* This cell can't be received on an origin circuit because only the endpoint
1781 * creating the circuit sends it. */
1787 }
1794 }
1798 "Got a CONFLUX_LINK on a circuit with a pending nonce. "
1802 }
1806 "Got a CONFLUX_LINK on an already linked circuit "
1810 }
1812 /* On errors, logging is emitted in this parsing function. */
1819 }
1824 /* Consider this circuit a new leg. We'll now attempt to attach it to an
1825 * existing set or unlinked one. */
1830 /* Attach leg to the unlinked set. */
1833 /* Set the circuit in a pending conflux state for the LINKED_ACK. */
1837 /* Mark when we send the LINKED. */
1840 /* Send LINKED. */
1844 // TODO-329-ARTI: To support resumption/retransmit, the server should
1845 // store the last_seq_sent now, so that it can know how much data
1846 // to retransmit to the server after link. C-Tor will not be implementing
1847 // this, but arti and arti-relay could (if resumption seems worthwhile;
1848 // it may not be worth the memory storage there, either).
1853 /* Link the circuit to the a conflux set immediately before the LINKED is
1854 * sent. Reason is that once the client sends the LINKED_ACK, there is a race
1855 * with the BEGIN cell that can be sent immediately after and arrive first.
1856 * And so, we need to sync the streams before that happens that is before we
1857 * receive the LINKED_ACK. */
1861 }
1863 /* Exits should always request min latency from clients */
1865 last_seq_recv,
1866 DEFAULT_EXIT_UX);
1871 end:
1873 }
1875 /** Process a CONFLUX_LINKED cell which arrived on the given circuit. */
1876 void
1880 {
1885 /*
1886 * There several ways a malicious exit could create problems when sending
1887 * back this LINKED cell.
1888 *
1889 * 1. Using a different nonce that it knows about from another set. Accepting
1890 * it would mean a confirmation attack of linking sets to the same client.
1891 * To address that, the cell nonce MUST be matched with the circuit nonce.
1892 *
1893 * 2. Re-Sending a LINKED cell on an already linked circuit could create side
1894 * channel attacks or unpredictable issues. Circuit is closed.
1895 *
1896 * 3. Receiving a LINKED cell on a circuit that was not expecting it. Again,
1897 * as (2), can create side channel(s). Circuit is closed.
1898 *
1899 * 4. Receiving a LINKED cell from the another hop other than the last one
1900 * (exit). Same as (2) and (3) in terms of issues. Circuit is closed.
1901 */
1906 }
1908 /* LINKED cell are in response to a LINK cell which are only sent on an
1909 * origin circuit and thus received on such.*/
1914 }
1918 "Received a CONFLUX_LINKED cell without having sent a "
1921 }
1925 "Received a CONFLUX_LINKED cell on a circuit that is already "
1928 }
1934 }
1938 /* On errors, logging is emitted in this parsing function. */
1942 }
1947 /* Make sure the cell nonce matches the one on the circuit that was
1948 * previously set by the CONFLUX_LINK cell. */
1952 "Received CONFLUX_LINKED but circuit nonce doesn't match "
1955 }
1957 /* Find the leg from the associated unlinked set. */
1963 }
1967 /* Free the old link, and store the new one. We need to validate
1968 * the one we get during finalize, not the one we sent. */
1972 /* Record the RTT for this circuit. On failure, it means the RTT was too
1973 * high, we relaunch to recover. */
1976 }
1978 /* The following will link the circuit with its set and attempt to finalize
1979 * the set if all expected legs have linked. On error, we close the circuit
1980 * because it means the unlinked set needs to be teardowned. */
1984 /* Successfully linked. */
1988 /* No relaunch if the leg is invalid or the set is not found as in the
1989 * nonce is unknown. */
1994 }
1996 /* We can send the ack only if we finalize. This will not cause issues,
1997 * because LINKED_ACK is exempted from multiplexing in
1998 * conflux_should_multiplex(). */
2000 /* On failure, the circuit is closed by the underlying function(s). */
2002 }
2004 /* If this set is ready to use with a valid conflux set, try any pending
2005 * streams again. */
2008 }
2010 /* This cell is now considered valid for clients. */
2015 close:
2018 end:
2020 }
2022 /** Process a CONFLUX_LINKED_ACK cell which arrived on the given circuit. */
2023 void
2025 {
2030 }
2036 }
2042 }
2046 "Received a CONFLUX_LINKED_ACK cell on a circuit that is not"
2049 }
2054 /* Record the RTT for this circuit. This should not fail */
2057 }
2061 close:
2063 }
2065 /** Called when a circuit is freed.
2066 *
2067 * It is possible a conflux circuit gets freed without being closed (for
2068 * instance SIGTERM) and so this callback is needed in order to finalize the
2069 * cleanup. */
2070 void
2072 {
2081 }
2083 /* Whatever happens, nullify all conflux related pointers. */
2086 }
2088 /** Initialize the conflux pool subsystem. This is called by the subsys
2089 * manager. */
2090 void
2092 {
2095 }
2098 }
2101 }
2104 }
2105 }
2107 /**
2108 * Return a description of all linked and unlinked circuits associated
2109 * with a conflux set.
2110 *
2111 * For use in rare bug cases that are hard to diagnose.
2112 */
2113 void
2115 {
2119 LD_BUG,
2127 // Log all linked legs
2140 legs++;
2143 // Look up the nonce to see if we have any unlinked circuits.
2146 // Log the number of legs and the is_for_linked_set status
2159 legs++;
2161 }
2162 }
2164 /**
2165 * Conflux needs a notification when tor_shutdown() begins, so that
2166 * when circuits are freed, new legs are not launched.
2167 *
2168 * This needs a separate notification from conflux_pool_free_all(),
2169 * because circuits must be freed before that function.
2170 */
2171 void
2173 {
2175 }
2177 #ifdef TOR_UNIT_TESTS
2178 /**
2179 * For unit tests: Clear the shutting down state so we resume building legs.
2180 */
2181 void
2183 {
2185 }
2186 #endif
2188 /** Free and clean up the conflux pool subsystem. This is called by the subsys
2189 * manager AFTER all circuits have been freed which implies that all objects in
2190 * the pools aren't referenced anymore. */
2191 void
2193 {
2198 }