mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2025-02-25 07:07:52 +01:00
Code Issues Projects Releases Wiki Activity

hs-v3: Privatize access to HS DoS consensus param

Browse source 
Remove the public functions returning the HS DoS consensus param or default
values as it is exclusively used internally now.

Rename the param_* variables to consensus_param_* for better code semantic.

Finally, make some private functions available to unit tests.

Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit is contained in:
David Goulet 2019-08-20 08:52:34 -04:00 committed by George Kadianakis
parent 184c76e339
commit 94a2221708
3 changed files with 30 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
src/feature/hs/hs_dos.c
View file

@ -46,14 +46,14 @@
#define HS_DOS_INTRODUCE_ENABLED_DEFAULT 0
/* Consensus parameters. */
static uint32_t param_introduce_rate_per_sec =
static uint32_t consensus_param_introduce_rate_per_sec =
HS_DOS_INTRODUCE_DEFAULT_CELL_RATE_PER_SEC;
static uint32_t param_introduce_burst_per_sec =
static uint32_t consensus_param_introduce_burst_per_sec =
HS_DOS_INTRODUCE_DEFAULT_CELL_BURST_PER_SEC;
static uint32_t param_introduce_defense_enabled =
static uint32_t consensus_param_introduce_defense_enabled =
HS_DOS_INTRODUCE_ENABLED_DEFAULT;
static uint32_t
STATIC uint32_t
get_intro2_enable_consensus_param(const networkstatus_t *ns)
{
return networkstatus_get_param(ns, "HiddenServiceEnableIntroDoSDefense",
@ -61,7 +61,7 @@ get_intro2_enable_consensus_param(const networkstatus_t *ns)
}
/* Return the parameter for the introduction rate per sec. */
static uint32_t
STATIC uint32_t
get_intro2_rate_consensus_param(const networkstatus_t *ns)
{
return networkstatus_get_param(ns, "HiddenServiceEnableIntroDoSRatePerSec",
@ -70,7 +70,7 @@ get_intro2_rate_consensus_param(const networkstatus_t *ns)
}
/* Return the parameter for the introduction burst per sec. */
static uint32_t
STATIC uint32_t
get_intro2_burst_consensus_param(const networkstatus_t *ns)
{
return networkstatus_get_param(ns, "HiddenServiceEnableIntroDoSBurstPerSec",
@ -90,8 +90,8 @@ update_intro_circuits(void)
SMARTLIST_FOREACH_BEGIN(intro_circs, circuit_t *, circ) {
/* Adjust the rate/burst value that might have changed. */
token_bucket_ctr_adjust(&TO_OR_CIRCUIT(circ)->introduce2_bucket,
param_introduce_rate_per_sec,
param_introduce_burst_per_sec);
consensus_param_introduce_rate_per_sec,
consensus_param_introduce_burst_per_sec);
} SMARTLIST_FOREACH_END(circ);
smartlist_free(intro_circs);
@ -101,9 +101,12 @@ update_intro_circuits(void)
static void
set_consensus_parameters(const networkstatus_t *ns)
{
param_introduce_rate_per_sec = get_intro2_rate_consensus_param(ns);
param_introduce_burst_per_sec = get_intro2_burst_consensus_param(ns);
param_introduce_defense_enabled = get_intro2_enable_consensus_param(ns);
consensus_param_introduce_rate_per_sec =
get_intro2_rate_consensus_param(ns);
consensus_param_introduce_burst_per_sec =
get_intro2_burst_consensus_param(ns);
consensus_param_introduce_defense_enabled =
get_intro2_enable_consensus_param(ns);
/* The above might have changed which means we need to go through all
* introduction circuits (relay side) and update the token buckets. */
@ -114,27 +117,6 @@ set_consensus_parameters(const networkstatus_t *ns)
* Public API.
*/
/* Return the INTRODUCE2 cell rate per second (param or default). */
uint32_t
hs_dos_get_intro2_rate_param(void)
{
return param_introduce_rate_per_sec;
}
/* Return the INTRODUCE2 cell burst per second (param or default). */
uint32_t
hs_dos_get_intro2_burst_param(void)
{
return param_introduce_burst_per_sec;
}
/* Return the INTRODUCE2 DoS defense enabled flag (param or default). */
unsigned int
hs_dos_get_intro2_enabled_param(void)
{
return (unsigned int) param_introduce_defense_enabled;
}
/* Initialize the INTRODUCE2 token bucket for the DoS defenses using the
* consensus/default values. We might get a cell extension that changes those
* later but if we don't, the default or consensus parameters are used. */
@ -143,10 +125,11 @@ hs_dos_setup_default_intro2_defenses(or_circuit_t *circ)
{
tor_assert(circ);
circ->introduce2_dos_defense_enabled = param_introduce_defense_enabled;
circ->introduce2_dos_defense_enabled =
consensus_param_introduce_defense_enabled;
token_bucket_ctr_init(&circ->introduce2_bucket,
param_introduce_rate_per_sec,
param_introduce_burst_per_sec,
consensus_param_introduce_rate_per_sec,
consensus_param_introduce_burst_per_sec,
(uint32_t) approx_time());
}

8
src/feature/hs/hs_dos.h
View file

@ -24,14 +24,14 @@ void hs_dos_consensus_has_changed(const networkstatus_t *ns);
bool hs_dos_can_send_intro2(or_circuit_t *s_intro_circ);
void hs_dos_setup_default_intro2_defenses(or_circuit_t *circ);
unsigned int hs_dos_get_intro2_enabled_param(void);
uint32_t hs_dos_get_intro2_rate_param(void);
uint32_t hs_dos_get_intro2_burst_param(void);
#ifdef HS_DOS_PRIVATE
#ifdef TOR_UNIT_TESTS
STATIC uint32_t get_intro2_enable_consensus_param(const networkstatus_t *ns);
STATIC uint32_t get_intro2_rate_consensus_param(const networkstatus_t *ns);
STATIC uint32_t get_intro2_burst_consensus_param(const networkstatus_t *ns);
#endif /* define(TOR_UNIT_TESTS) */
#endif /* defined(HS_DOS_PRIVATE) */

18
src/test/test_hs_dos.c
View file

@ -8,6 +8,7 @@
#define CIRCUITLIST_PRIVATE
#define NETWORKSTATUS_PRIVATE
#define HS_DOS_PRIVATE
#include "test/test.h"
#include "test/test_helpers.h"
@ -57,11 +58,8 @@ test_can_send_intro2(void *arg)
/* Make that circuit a service intro point. */
circuit_change_purpose(TO_CIRCUIT(or_circ), CIRCUIT_PURPOSE_INTRO_POINT);
hs_dos_setup_default_intro2_defenses(or_circ);
or_circ->introduce2_dos_defense_enabled = 1;
/* Initialize the INTRODUCE2 token bucket for the rate limiting. */
token_bucket_ctr_init(&or_circ->introduce2_bucket,
hs_dos_get_intro2_rate_param(),
hs_dos_get_intro2_burst_param(), now);
/* Brand new circuit, we should be able to send INTRODUCE2 cells. */
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
@ -73,13 +71,13 @@ test_can_send_intro2(void *arg)
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
}
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
hs_dos_get_intro2_burst_param() - 10);
get_intro2_burst_consensus_param(NULL) - 10);
/* Fully refill the bucket minus 1 cell. */
update_approx_time(++now);
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
hs_dos_get_intro2_burst_param() - 1);
get_intro2_burst_consensus_param(NULL) - 1);
/* Receive an INTRODUCE2 at each second. We should have the bucket full
* since at every second it gets refilled. */
@ -89,18 +87,18 @@ test_can_send_intro2(void *arg)
}
/* Last check if we can send the cell decrements the bucket so minus 1. */
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
hs_dos_get_intro2_burst_param() - 1);
get_intro2_burst_consensus_param(NULL) - 1);
/* Manually reset bucket for next test. */
token_bucket_ctr_reset(&or_circ->introduce2_bucket, now);
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
hs_dos_get_intro2_burst_param());
get_intro2_burst_consensus_param(NULL));
/* Do a full burst in the current second which should empty the bucket and
* we shouldn't be allowed to send one more cell after that. We go minus 1
* cell else the very last check if we can send the INTRO2 cell returns
* false because the bucket goes down to 0. */
for (uint32_t i = 0; i < hs_dos_get_intro2_burst_param() - 1; i++) {
for (uint32_t i = 0; i < get_intro2_burst_consensus_param(NULL) - 1; i++) {
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
}
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ, 1);
@ -118,7 +116,7 @@ test_can_send_intro2(void *arg)
update_approx_time(++now);
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
hs_dos_get_intro2_rate_param() - 1);
get_intro2_rate_consensus_param(NULL) - 1);
done:
circuit_free_(TO_CIRCUIT(or_circ));