#include "feature/relay/routermode.h"
#include "feature/stats/geoip_stats.h"
#include "lib/crypt_ops/crypto_rand.h"
+#include "lib/time/compat_time.h"
#include "core/or/dos.h"
#include "core/or/dos_sys.h"
stats->concurrent_count++;
/* Refill connect connection count. */
- token_bucket_ctr_refill(&stats->connect_count, (uint32_t) approx_time());
+ token_bucket_ctr_refill(&stats->connect_count,
+ (uint32_t) monotime_coarse_absolute_sec());
/* Decrement counter for this new connection. */
if (token_bucket_ctr_get(&stats->connect_count) > 0) {
* can be enabled at runtime and these counters need to be valid. */
token_bucket_ctr_init(&geoip_ent->dos_stats.conn_stats.connect_count,
dos_conn_connect_rate, dos_conn_connect_burst,
- (uint32_t) approx_time());
+ (uint32_t) monotime_coarse_absolute_sec());
}
/** Note that the given channel has sent outbound the maximum amount of cell
#include "lib/crypt_ops/crypto_dh.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h"
+#include "lib/time/compat_time.h"
/* Trunnel. */
#include "trunnel/ed25519_cert.h"
if (pow_state->using_pqueue_bucket) {
token_bucket_ctr_refill(&pow_state->pqueue_bucket,
- (uint32_t) approx_time());
+ (uint32_t) monotime_coarse_absolute_sec());
if (token_bucket_ctr_get(&pow_state->pqueue_bucket) > 0) {
token_bucket_ctr_dec(&pow_state->pqueue_bucket, 1);
#include "feature/relay/routermode.h"
#include "lib/evloop/token_bucket.h"
+#include "lib/time/compat_time.h"
#include "feature/hs/hs_dos.h"
token_bucket_ctr_init(&circ->introduce2_bucket,
consensus_param_introduce_rate_per_sec,
consensus_param_introduce_burst_per_sec,
- (uint32_t) approx_time());
+ (uint32_t) monotime_coarse_absolute_sec());
}
/** Called when the consensus has changed. We might have new consensus
/* Refill INTRODUCE2 bucket. */
token_bucket_ctr_refill(&s_intro_circ->introduce2_bucket,
- (uint32_t) approx_time());
+ (uint32_t) monotime_coarse_absolute_sec());
/* Decrement the bucket for this valid INTRODUCE1 cell we just got. Don't
* underflow else we end up with a too big of a bucket. */
#include "feature/rend/rendmid.h"
#include "feature/stats/rephist.h"
#include "lib/crypt_ops/crypto_format.h"
+#include "lib/time/compat_time.h"
/* Trunnel */
#include "trunnel/ed25519_cert.h"
token_bucket_ctr_init(&circ->introduce2_bucket,
(uint32_t) intro2_rate_per_sec,
(uint32_t) intro2_burst_per_sec,
- (uint32_t) approx_time());
+ (uint32_t) monotime_coarse_absolute_sec());
log_info(LD_REND, "Intro point DoS defenses enabled. Rate is %" PRIu64
" and Burst is %" PRIu64,
intro2_rate_per_sec, intro2_burst_per_sec);
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/time/tvdiff.h"
+#include "lib/time/compat_time.h"
#include "feature/hs/hs_circuit.h"
#include "feature/hs/hs_common.h"
token_bucket_ctr_init(&pow_state->pqueue_bucket,
service->config.pow_queue_rate,
service->config.pow_queue_burst,
- (uint32_t) approx_time());
+ (uint32_t) monotime_coarse_absolute_sec());
pow_state->pqueue_low_level = MAX(8, service->config.pow_queue_rate / 4);
pow_state->pqueue_high_level =
return becomes_empty;
}
-/** Convert a rate in bytes per second to a rate in bytes per step */
+/** Convert a rate in bytes per second to a rate in bytes per step.
+ * This is used for the 'rw' style (tick based) token buckets but not for
+ * the 'ctr' style buckets which count seconds. */
STATIC uint32_t
rate_per_sec_to_rate_per_step(uint32_t rate)
{
/**
* Initialize a token bucket in *<b>bucket</b>, set up to allow <b>rate</b>
* bytes per second, with a maximum burst of <b>burst</b> bytes. The bucket
- * is created such that <b>now_ts</b> is the current timestamp. The bucket
- * starts out full.
+ * is created such that <b>now_ts_stamp</b> is the current time in coarse stamp
+ * units. The bucket starts out full.
*/
void
token_bucket_rw_init(token_bucket_rw_t *bucket,
uint32_t rate,
uint32_t burst,
- uint32_t now_ts)
+ uint32_t now_ts_stamp)
{
memset(bucket, 0, sizeof(token_bucket_rw_t));
token_bucket_rw_adjust(bucket, rate, burst);
- token_bucket_rw_reset(bucket, now_ts);
+ token_bucket_rw_reset(bucket, now_ts_stamp);
}
/**
}
/**
- * Reset <b>bucket</b> to be full, as of timestamp <b>now_ts</b>.
+ * Reset <b>bucket</b> to be full, as of timestamp <b>now_ts_stamp</b>.
*/
void
token_bucket_rw_reset(token_bucket_rw_t *bucket,
- uint32_t now_ts)
+ uint32_t now_ts_stamp)
{
token_bucket_raw_reset(&bucket->read_bucket, &bucket->cfg);
token_bucket_raw_reset(&bucket->write_bucket, &bucket->cfg);
- bucket->last_refilled_at_timestamp = now_ts;
+ bucket->last_refilled_at_timestamp = now_ts_stamp;
}
/**
* Refill <b>bucket</b> as appropriate, given that the current timestamp
- * is <b>now_ts</b>.
+ * is <b>now_ts_stamp</b> in coarse timestamp units.
*
* Return a bitmask containing TB_READ iff read bucket was empty and became
* nonempty, and TB_WRITE iff the write bucket was empty and became nonempty.
*/
int
token_bucket_rw_refill(token_bucket_rw_t *bucket,
- uint32_t now_ts)
+ uint32_t now_ts_stamp)
{
const uint32_t elapsed_ticks =
- (now_ts - bucket->last_refilled_at_timestamp);
- if (elapsed_ticks > UINT32_MAX-(300*1000)) {
- /* Either about 48 days have passed since the last refill, or the
- * monotonic clock has somehow moved backwards. (We're looking at you,
- * Windows.). We accept up to a 5 minute jump backwards as
- * "unremarkable".
- */
- return 0;
- }
- const uint32_t elapsed_steps = elapsed_ticks / TICKS_PER_STEP;
+ (now_ts_stamp - bucket->last_refilled_at_timestamp);
+ int flags = 0;
- if (!elapsed_steps) {
- /* Note that if less than one whole step elapsed, we don't advance the
- * time in last_refilled_at. That's intentional: we want to make sure
- * that we add some bytes to it eventually. */
- return 0;
- }
+ /* Skip over updates that include an overflow or a very large jump.
+ * This can happen for platform specific reasons, such as the old ~48
+ * day windows timer. */
+ if (elapsed_ticks <= UINT32_MAX/4) {
+ const uint32_t elapsed_steps = elapsed_ticks / TICKS_PER_STEP;
- int flags = 0;
- if (token_bucket_raw_refill_steps(&bucket->read_bucket,
- &bucket->cfg, elapsed_steps))
- flags |= TB_READ;
- if (token_bucket_raw_refill_steps(&bucket->write_bucket,
- &bucket->cfg, elapsed_steps))
- flags |= TB_WRITE;
+ if (!elapsed_steps) {
+ /* Note that if less than one whole step elapsed, we don't advance the
+ * time in last_refilled_at. That's intentional: we want to make sure
+ * that we add some bytes to it eventually. */
+ return 0;
+ }
+
+ if (token_bucket_raw_refill_steps(&bucket->read_bucket,
+ &bucket->cfg, elapsed_steps))
+ flags |= TB_READ;
+ if (token_bucket_raw_refill_steps(&bucket->write_bucket,
+ &bucket->cfg, elapsed_steps))
+ flags |= TB_WRITE;
+ }
- bucket->last_refilled_at_timestamp = now_ts;
+ bucket->last_refilled_at_timestamp = now_ts_stamp;
return flags;
}
/** Initialize a token bucket in <b>bucket</b>, set up to allow <b>rate</b>
* per second, with a maximum burst of <b>burst</b>. The bucket is created
- * such that <b>now_ts</b> is the current timestamp. The bucket starts out
- * full. */
+ * such that <b>now_ts_sec</b> is the current timestamp. The bucket starts
+ * out full. Note that these counters use seconds instead of approximate
+ * milliseconds, in order to allow a lower minimum rate than the rw counters.
+ */
void
token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate,
- uint32_t burst, uint32_t now_ts)
+ uint32_t burst, uint32_t now_ts_sec)
{
memset(bucket, 0, sizeof(token_bucket_ctr_t));
token_bucket_ctr_adjust(bucket, rate, burst);
- token_bucket_ctr_reset(bucket, now_ts);
+ token_bucket_ctr_reset(bucket, now_ts_sec);
}
/** Change the configured rate and burst of the given token bucket object in
token_bucket_raw_adjust(&bucket->counter, &bucket->cfg);
}
-/** Reset <b>bucket</b> to be full, as of timestamp <b>now_ts</b>. */
+/** Reset <b>bucket</b> to be full, as of timestamp <b>now_ts_sec</b>. */
void
-token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts)
+token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts_sec)
{
token_bucket_raw_reset(&bucket->counter, &bucket->cfg);
- bucket->last_refilled_at_timestamp = now_ts;
+ bucket->last_refilled_at_timestamp = now_ts_sec;
}
/** Refill <b>bucket</b> as appropriate, given that the current timestamp is
- * <b>now_ts</b>. */
+ * <b>now_ts_sec</b> in seconds. */
void
-token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts)
+token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts_sec)
{
- const uint32_t elapsed_ticks =
- (now_ts - bucket->last_refilled_at_timestamp);
- if (elapsed_ticks > UINT32_MAX-(300*1000)) {
- /* Either about 48 days have passed since the last refill, or the
- * monotonic clock has somehow moved backwards. (We're looking at you,
- * Windows.). We accept up to a 5 minute jump backwards as
- * "unremarkable".
- */
- return;
- }
+ const uint32_t elapsed_sec =
+ (now_ts_sec - bucket->last_refilled_at_timestamp);
- token_bucket_raw_refill_steps(&bucket->counter, &bucket->cfg,
- elapsed_ticks);
- bucket->last_refilled_at_timestamp = now_ts;
+ /* Are we detecting a rollover or a similar extremely large jump? This
+ * shouldn't generally happen, but if it does for whatever (possibly
+ * platform-specific) reason, ignore it. */
+ if (elapsed_sec <= UINT32_MAX/4) {
+ token_bucket_raw_refill_steps(&bucket->counter, &bucket->cfg,
+ elapsed_sec);
+ }
+ bucket->last_refilled_at_timestamp = now_ts_sec;
}
void token_bucket_rw_init(token_bucket_rw_t *bucket,
uint32_t rate,
uint32_t burst,
- uint32_t now_ts);
+ uint32_t now_ts_stamp);
void token_bucket_rw_adjust(token_bucket_rw_t *bucket,
uint32_t rate, uint32_t burst);
void token_bucket_rw_reset(token_bucket_rw_t *bucket,
- uint32_t now_ts);
+ uint32_t now_ts_stamp);
#define TB_READ 1
#define TB_WRITE 2
int token_bucket_rw_refill(token_bucket_rw_t *bucket,
- uint32_t now_ts);
+ uint32_t now_ts_stamp);
int token_bucket_rw_dec_read(token_bucket_rw_t *bucket,
ssize_t n);
} token_bucket_ctr_t;
void token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate,
- uint32_t burst, uint32_t now_ts);
+ uint32_t burst, uint32_t now_ts_sec);
void token_bucket_ctr_adjust(token_bucket_ctr_t *bucket, uint32_t rate,
uint32_t burst);
-void token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts);
-void token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts);
+void token_bucket_ctr_reset(token_bucket_ctr_t *bucket, uint32_t now_ts_sec);
+void token_bucket_ctr_refill(token_bucket_ctr_t *bucket, uint32_t now_ts_sec);
static inline bool
token_bucket_ctr_dec(token_bucket_ctr_t *bucket, ssize_t n)
return monotime_absolute_nsec() / ONE_MILLION;
}
+uint64_t
+monotime_absolute_sec(void)
+{
+ return monotime_absolute_nsec() / ONE_BILLION;
+}
+
#ifdef MONOTIME_COARSE_FN_IS_DIFFERENT
uint64_t
monotime_coarse_absolute_nsec(void)
{
return monotime_coarse_absolute_nsec() / ONE_MILLION;
}
+
+uint64_t
+monotime_coarse_absolute_sec(void)
+{
+ /* Note: Right now I'm not too concerned about 64-bit division, but if this
+ * ever becomes a hotspot we need to optimize, we can modify this to grab
+ * tv_sec directly from CLOCK_MONOTONIC_COARSE on linux at least. Right now
+ * I'm choosing to make this simpler and easier to test, but this
+ * optimization is available easily if we need it. */
+ return monotime_coarse_absolute_nsec() / ONE_BILLION;
+}
#else /* !defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
#define initialized_at_coarse initialized_at
#endif /* defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
* A: In general, regular monotime uses something that requires a system call.
* On platforms where system calls are cheap, you win! Otherwise, you lose.
*
+ * XXX: This hasn't been true for a long time. Expect both coarse and fine
+ * monotime won't require a syscall, but they will have different
+ * costs in terms of low-level synchronization inside the vDSO and
+ * the hardware. The basic guidelines here still apply, but we aren't
+ * really worrying about system calls any more, and the integer div
+ * concerns are becoming nearly unimportant as well.
+ *
* On Windows, monotonic time uses QuereyPerformanceCounter. Storing
* monotime_t costs 8 bytes.
*
* Fractional units are truncated, not rounded.
*/
uint64_t monotime_absolute_msec(void);
-
+/**
+ * Return the number of seconds since the timer system was initialized.
+ * The returned value may be equal to zero.
+ * Fractional units are truncated, not rounded.
+ */
+uint64_t monotime_absolute_sec(void);
/**
* Set <b>out</b> to zero.
*/
uint64_t monotime_coarse_absolute_nsec(void);
uint64_t monotime_coarse_absolute_usec(void);
uint64_t monotime_coarse_absolute_msec(void);
+uint64_t monotime_coarse_absolute_sec(void);
#else /* !defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
#define monotime_coarse_get monotime_get
#define monotime_coarse_absolute_nsec monotime_absolute_nsec
#define monotime_coarse_absolute_usec monotime_absolute_usec
#define monotime_coarse_absolute_msec monotime_absolute_msec
+#define monotime_coarse_absolute_sec monotime_absolute_sec
#endif /* defined(MONOTIME_COARSE_FN_IS_DIFFERENT) */
/**
tt_int_op(b.read_bucket.bucket, OP_GT, 8*KB-400);
tt_int_op(b.read_bucket.bucket, OP_LT, 8*KB+400);
- // A ridiculous amount of time passes.
- tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, INT32_MAX));
+ /* A large amount of time passes, but less than the threshold at which
+ * we start detecting an assumed rollover event. This might be about 20
+ * days on a system with stamp units equal to 1ms. */
+ uint32_t ts_stamp = START_TS + UINT32_MAX / 5;
+ tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, ts_stamp));
tt_int_op(b.read_bucket.bucket, OP_EQ, b.cfg.burst);
+ /* Fully empty the bucket and make sure it's filling once again */
+ token_bucket_rw_dec_read(&b, b.cfg.burst);
+ tt_int_op(b.read_bucket.bucket, OP_EQ, 0);
+ tt_int_op(1, OP_EQ, token_bucket_rw_refill(&b, ts_stamp += BW_SEC));
+ tt_int_op(b.read_bucket.bucket, OP_GT, 16*KB - 300);
+ tt_int_op(b.read_bucket.bucket, OP_LT, 16*KB + 300);
+
+ /* An even larger amount of time passes, which we take to be a 32-bit
+ * rollover event. The individual update is ignored, but the timestamp
+ * is still updated and the very next update should be accounted properly. */
+ tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, ts_stamp += UINT32_MAX/2));
+ tt_int_op(b.read_bucket.bucket, OP_GT, 16*KB - 600);
+ tt_int_op(b.read_bucket.bucket, OP_LT, 16*KB + 600);
+ tt_int_op(0, OP_EQ, token_bucket_rw_refill(&b, ts_stamp += BW_SEC));
+ tt_int_op(b.read_bucket.bucket, OP_GT, 32*KB - 600);
+ tt_int_op(b.read_bucket.bucket, OP_LT, 32*KB + 600);
+
done:
;
}
#include "core/or/dos.h"
#include "core/or/circuitlist.h"
#include "lib/crypt_ops/crypto_rand.h"
+#include "lib/time/compat_time.h"
#include "feature/stats/geoip_stats.h"
#include "core/or/channel.h"
#include "feature/nodelist/microdesc.h"
#include "test/test.h"
#include "test/log_test_helpers.h"
+static const uint64_t BILLION = 1000000000;
+
static networkstatus_t *dummy_ns = NULL;
static networkstatus_t *
mock_networkstatus_get_latest_consensus(void)
static void
test_dos_conn_creation(void *arg)
{
+ uint64_t monotime_now = 0xfffffffe;
+
(void) arg;
+ monotime_enable_test_mocking();
+ monotime_coarse_set_mock_time_nsec(monotime_now);
MOCK(get_param_cc_enabled, mock_enable_dos_protection);
MOCK(get_param_conn_enabled, mock_enable_dos_protection);
/* Initialize test data */
or_connection_t or_conn;
- time_t now = 1281533250; /* 2010-08-11 13:27:30 UTC */
+ time_t wallclock_now = 1281533250; /* 2010-08-11 13:27:30 UTC */
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr,
"18.0.0.1"));
tor_addr_t *addr = &TO_CONN(&or_conn)->addr;
uint32_t max_concurrent_conns = get_param_conn_max_concurrent_count(NULL);
/* Introduce new client */
- geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now);
+ geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, wallclock_now);
{ /* Register many conns from this client but not enough to get it blocked */
unsigned int i;
for (i = 0; i < max_concurrent_conns; i++) {
/* Don't trigger the connect() rate limitation so advance the clock 1
* second for each connection. */
- update_approx_time(++now);
+ monotime_coarse_set_mock_time_nsec(monotime_now += BILLION);
+ update_approx_time(++wallclock_now);
dos_new_client_conn(&or_conn, NULL);
}
}
done:
dos_free_all();
+ monotime_disable_test_mocking();
}
/** Helper mock: Place a fake IP addr for this channel in <b>addr_out</b> */
#include "test/log_test_helpers.h"
#include "app/config/config.h"
+#include "lib/time/compat_time.h"
#include "core/or/circuitlist.h"
#include "core/or/circuituse.h"
static void
test_can_send_intro2(void *arg)
{
- uint32_t now = (uint32_t) approx_time();
+ static const uint64_t BILLION = 1000000000;
+ uint64_t now = 12345;
or_circuit_t *or_circ = NULL;
(void) arg;
get_options_mutable()->ORPort_set = 1;
setup_mock_consensus();
+ monotime_enable_test_mocking();
+ monotime_coarse_set_mock_time_nsec(now);
or_circ = or_circuit_new(1, NULL);
/* Simulate that 10 cells have arrived in 1 second. There should be no
* refill since the bucket is already at maximum on the first cell. */
- update_approx_time(++now);
+ monotime_coarse_set_mock_time_nsec(now += BILLION);
for (int i = 0; i < 10; i++) {
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
}
get_intro2_burst_consensus_param(NULL) - 10);
/* Fully refill the bucket minus 1 cell. */
- update_approx_time(++now);
+ monotime_coarse_set_mock_time_nsec(now += BILLION);
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
get_intro2_burst_consensus_param(NULL) - 1);
/* Receive an INTRODUCE2 at each second. We should have the bucket full
* since at every second it gets refilled. */
for (int i = 0; i < 10; i++) {
- update_approx_time(++now);
+ monotime_coarse_set_mock_time_nsec(now += BILLION);
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
}
/* Last check if we can send the cell decrements the bucket so minus 1. */
get_intro2_burst_consensus_param(NULL) - 1);
/* Manually reset bucket for next test. */
- token_bucket_ctr_reset(&or_circ->introduce2_bucket, now);
+ token_bucket_ctr_reset(&or_circ->introduce2_bucket,
+ (uint32_t) monotime_coarse_absolute_sec());
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
get_intro2_burst_consensus_param(NULL));
}
/* One second has passed, we should have the rate minus 1 cell added. */
- update_approx_time(++now);
+ monotime_coarse_set_mock_time_nsec(now += BILLION);
tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
get_intro2_rate_consensus_param(NULL) - 1);
hs_free_all();
free_mock_consensus();
+ monotime_disable_test_mocking();
}
static void
#include "test/test.h"
#include "test/log_test_helpers.h"
#include "lib/crypt_ops/crypto_rand.h"
+#include "lib/time/compat_time.h"
#include "core/or/or.h"
#include "core/or/channel.h"
tt_assert(circ);
circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_OR);
token_bucket_ctr_init(&circ->introduce2_bucket, 100, 100,
- (uint32_t) approx_time());
+ (uint32_t) monotime_coarse_absolute_sec());
done:
return circ;
}
projects / thirdparty / tor.git / commitdiff
