Ticket #15482: 0001-More-cautious-approach-to-increasing-circuit-lifetim.patch

File 0001-More-cautious-approach-to-increasing-circuit-lifetim.patch, 4.6 KB (added by nickm, 5 years ago)
  • src/or/circuituse.c

    From 6443d781f7db88acc5f653211c9001596c84d6a1 Mon Sep 17 00:00:00 2001
    From: Nick Mathewson <nickm@torproject.org>
    Date: Fri, 27 Mar 2015 10:19:38 -0400
    Subject: [PATCH] More cautious approach to increasing circuit lifetime for TB
    
    Only increase the lifetime when authentication-based circuit isolation
    is in use, and never increase it beyond MaxIsolatedCircuitDirtiness *
    1.125
    ---
     src/or/circuituse.c | 17 +++++++++++++++--
     src/or/config.c     | 12 ++++++++++++
     src/or/or.h         |  5 ++++-
     3 files changed, 31 insertions(+), 3 deletions(-)
    
    diff --git a/src/or/circuituse.c b/src/or/circuituse.c
    index d0d31ad..a16ce34 100644
    a b connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn, 
    22642264
    22652265  base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
    22662266
    2267   if (!circ->base_.timestamp_dirty)
    2268     circ->base_.timestamp_dirty = time(NULL);
     2267  if (!circ->base_.timestamp_dirty) {
     2268    circ->base_.timestamp_dirty = approx_time();
     2269    time_t more = get_options()->MaxIsolatedCircuitDirtiness;
     2270    more += crypto_rand_int((int)more / 8);
     2271    circ->base_.max_timestamp_dirty = circ->base_.timestamp_dirty + more;
     2272  } else if ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) &&
     2273             (conn->socks_request->usernamelen ||
     2274              conn->socks_request->passwordlen)) {
     2275    /* When stream isolation is in use and controlled by an application, up to
     2276     * max_timestamp_dirty, we are willing to keep using the stream. */
     2277    if (approx_time() < circ->base_.max_timestamp_dirty) {
     2278      circ->base_.timestamp_dirty = approx_time();
     2279    }
     2280  }
    22692281
    22702282  pathbias_count_use_attempt(circ);
    22712283
    mark_circuit_unusable_for_new_conns(origin_circuit_t *circ) 
    25302542    circ->base_.timestamp_dirty = 1; /* prevent underflow */
    25312543  else
    25322544    circ->base_.timestamp_dirty -= options->MaxCircuitDirtiness;
     2545  circ->base_.max_timestamp_dirty = circ->base_.timestamp_dirty;
    25332546
    25342547  circ->unusable_for_new_conns = 1;
    25352548}
  • src/or/config.c

    diff --git a/src/or/config.c b/src/or/config.c
    index fca350c..23dcef2 100644
    a b static config_var_t option_vars_[] = { 
    312312  VAR("MapAddress",              LINELIST, AddressMap,           NULL),
    313313  V(MaxAdvertisedBandwidth,      MEMUNIT,  "1 GB"),
    314314  V(MaxCircuitDirtiness,         INTERVAL, "10 minutes"),
     315  V(MaxIsolatedCircuitDirtiness, INTERVAL, "4 hours"),
    315316  V(MaxClientCircuitsPending,    UINT,     "32"),
    316317  VAR("MaxMemInQueues",          MEMUNIT,   MaxMemInQueues_raw, "0"),
    317318  OBSOLETE("MaxOnionsPending"),
    options_validate(or_options_t *old_options, or_options_t *options, 
    31433144    options->MaxCircuitDirtiness = MAX_MAX_CIRCUIT_DIRTINESS;
    31443145  }
    31453146
     3147  if (options->MaxIsolatedCircuitDirtiness < options->MaxCircuitDirtiness) {
     3148    log_warn(LD_CONFIG, "MaxIsolatedCircuitDirtiness is less than "
     3149             "MaxCircuitDirtiness; raising it.");
     3150    options->MaxIsolatedCircuitDirtiness = options->MaxCircuitDirtiness;
     3151  }
     3152  if (options->MaxIsolatedCircuitDirtiness > MAX_MAX_CIRCUIT_DIRTINESS) {
     3153    log_warn(LD_CONFIG, "MaxIsolatedCircuitDirtiness option is too high; "
     3154             "setting to %d days.", MAX_MAX_CIRCUIT_DIRTINESS/86400);
     3155    options->MaxIsolatedCircuitDirtiness = MAX_MAX_CIRCUIT_DIRTINESS;
     3156  }
     3157
    31463158  if (options->CircuitStreamTimeout &&
    31473159      options->CircuitStreamTimeout < MIN_CIRCUIT_STREAM_TIMEOUT) {
    31483160    log_warn(LD_CONFIG, "CircuitStreamTimeout option is too short; "
  • src/or/or.h

    diff --git a/src/or/or.h b/src/or/or.h
    index f75e776..c3225fa 100644
    a b typedef struct circuit_t { 
    28462846   * document it more thoroughly to make sure of that.
    28472847   */
    28482848  time_t timestamp_dirty;
     2849  time_t max_timestamp_dirty;
    28492850
    28502851  uint16_t marked_for_close; /**< Should we close this circuit at the end of
    28512852                              * the main loop? (If true, holds the line number
    typedef struct { 
    36503651  int NewCircuitPeriod; /**< How long do we use a circuit before building
    36513652                         * a new one? */
    36523653  int MaxCircuitDirtiness; /**< Never use circs that were first used more than
    3653                                 this interval ago. */
     3654                                this interval ago. DOCDOC; no longer right */
     3655  int MaxIsolatedCircuitDirtiness; /**< Never use circs that were first used
     3656                                    * more than this interval ago. DOCDOC */
    36543657  int PredictedPortsRelevanceTime; /** How long after we've requested a
    36553658                                    * connection for a given port, do we want
    36563659                                    * to continue to pick exits that support