1
//! Module exposing the relay circuit reactor subsystem.
2
//!
3
//! See [`reactor`](crate::circuit::reactor) for a description of the overall architecture.
4
//!
5
//! #### `ForwardReactor`
6
//!
7
//! It handles
8
//!
9
//!  * unrecognized RELAY cells, by moving them in the forward direction (towards the exit)
10
//!  * recognized RELAY cells, by splitting each cell into messages, and handling
11
//!    each message individually as described in the table below
12
//!    (Note: since prop340 is not yet implemented, in practice there is only 1 message per cell).
13
//!  * RELAY_EARLY cells (**not yet implemented**)
14
//!  * DESTROY cells (**not yet implemented**)
15
//!  * PADDING_NEGOTIATE cells (**not yet implemented**)
16
//!
17
//! ```text
18
//!
19
//! Legend: `F` = "forward reactor", `B` = "backward reactor", `S` = "stream reactor"
20
//!
21
//! | RELAY cmd         | Received in | Handled in | Description                            |
22
//! |-------------------|-------------|------------|----------------------------------------|
23
//! | DROP              | F           | F          | Passed to PaddingController for        |
24
//! |                   |             |            | validation                             |
25
//! |-------------------|-------------|------------|----------------------------------------|
26
//! | EXTEND2           | F           |            | Handled by instructing the channel     |
27
//! |                   |             |            | provider to launch a new channel, and  |
28
//! |                   |             |            | waiting for the new channel on its     |
29
//! |                   |             |            | outgoing_chan_rx receiver              |
30
//! |                   |             |            | (**not yet implemented**)              |
31
//! |-------------------|-------------|------------|----------------------------------------|
32
//! | TRUNCATE          | F           | F          | (**not yet implemented**)              |
33
//! |                   |             |            |                                        |
34
//! |-------------------|-------------|------------|----------------------------------------|
35
//! | TODO              |             |            |                                        |
36
//! |                   |             |            |                                        |
37
//! ```
38

            
39
pub(crate) mod backward;
40
pub(crate) mod forward;
41

            
42
use std::sync::Arc;
43
use std::time::Duration;
44

            
45
use futures::StreamExt as _;
46
use futures::channel::mpsc;
47

            
48
use tor_cell::chancell::CircId;
49
use tor_cell::relaycell::RelayCmd;
50
use tor_linkspec::OwnedChanTarget;
51
use tor_memquota::mq_queue::{ChannelSpec, MpscSpec};
52
use tor_rtcompat::{DynTimeProvider, Runtime};
53

            
54
use crate::channel::Channel;
55
use crate::circuit::circhop::ReactorStreamComponents;
56
use crate::circuit::circhop::{CircHopOutbound, HopSettings};
57
use crate::circuit::reactor::Reactor as BaseReactor;
58
use crate::circuit::reactor::hop_mgr::HopMgr;
59
use crate::circuit::reactor::stream;
60
use crate::circuit::{CircuitRxReceiver, UniqId};
61
use crate::congestion::sendme::StreamRecvWindow;
62
use crate::crypto::cell::{InboundRelayLayer, OutboundRelayLayer};
63
use crate::memquota::{CircuitAccount, SpecificAccount};
64
use crate::relay::RelayCirc;
65
use crate::relay::channel_provider::ChannelProvider;
66
use crate::relay::reactor::backward::Backward;
67
use crate::relay::reactor::forward::Forward;
68
use crate::stream::flow_ctrl::xon_xoff::reader::XonXoffReaderCtrl;
69
use crate::stream::incoming::{
70
    IncomingCmdChecker, IncomingStream, IncomingStreamRequestFilter, IncomingStreamRequestHandler,
71
    StreamReqInfo,
72
};
73
use crate::stream::raw::StreamReceiver;
74
use crate::stream::{RECV_WINDOW_INIT, StreamComponents, StreamTarget, Tunnel};
75

            
76
// TODO(circpad): once padding is stabilized, the padding module will be moved out of client.
77
use crate::client::circuit::padding::{PaddingController, PaddingEventStream};
78

            
79
/// Type-alias for the relay base reactor type.
80
type RelayBaseReactor<R> = BaseReactor<R, Forward, Backward>;
81

            
82
/// The entry point of the circuit reactor subsystem.
83
#[allow(unused)] // TODO(relay)
84
#[must_use = "If you don't call run() on a reactor, the circuit won't work."]
85
pub(crate) struct Reactor<R: Runtime>(RelayBaseReactor<R>);
86

            
87
/// A handler customizing the relay stream reactor.
88
struct StreamHandler;
89

            
90
impl stream::StreamHandler for StreamHandler {
91
8
    fn halfstream_expiry(&self, hop: &CircHopOutbound) -> Duration {
92
8
        let ccontrol = hop.ccontrol();
93

            
94
        // Note: if we have no measurements for the RTT, this will be set to 0,
95
        // so the stream will be removed from the stream map immediately,
96
        // and any subsequent messages arriving on it will trigger
97
        // a proto violation causing the circuit to close.
98
        //
99
        // TODO(relay-tuning): we should make sure that this doesn't cause us to
100
        // wrongly close legitimate circuits that still have in-flight stream data
101
8
        ccontrol
102
8
            .lock()
103
8
            .expect("poisoned lock")
104
8
            .rtt()
105
8
            .max_rtt_usec()
106
8
            .map(|rtt| Duration::from_millis(u64::from(rtt)))
107
            // TODO(relay): we should fallback to a non-zero default here
108
            // if we don't have any RTT measurements yet
109
8
            .unwrap_or_default()
110
8
    }
111
}
112

            
113
#[allow(unused)] // TODO(relay)
114
impl<R: Runtime> Reactor<R> {
115
    /// Create a new circuit reactor.
116
    ///
117
    /// Returns the [`Reactor`], a [`RelayCirc`] handle to it,
118
    /// and a [`Stream`](futures::Stream) of `IncomingStream`s.
119
    ///
120
    /// The reactor will send outbound messages on `channel`, receive incoming
121
    /// messages on `input`, and identify this circuit by the channel-local
122
    /// [`CircId`] provided.
123
    ///
124
    /// The internal unique identifier for this circuit will be `unique_id`.
125
    ///
126
    /// The returned `IncomingStream`s are exit, dns, or directory streams.
127
    /// An incoming stream is automatically rejected by the reactor
128
    /// if the provided `IncomingStreamRequestFilter` rejects it.
129
    /// You can also explicitly reject a stream by calling [`IncomingStream::reject`].
130
    /// If the `Stream` is dropped, the next incoming stream request
131
    /// (`BEGIN`, `BEGIN_DIR`, or RESOLVE`)
132
    /// on this circuit will cause the stream reactor to shut down,
133
    /// which will trigger a shutdown of all the circuit reactors (FWD, BWD),
134
    /// which causing the circuit to close.
135
    ///
136
    /// The streams not rejected by the `IncomingStreamRequestFilter` will
137
    /// get an entry in the circuit's stream map.
138
    /// Rejecting such a stream using [`IncomingStream::reject`] will remove the entry.
139
    ///
140
    /// The `IncomingStreamRequestFilter` should only perform inexpensive checks
141
    /// that won't block the reactor.
142
    /// More expensive, or blocking checks, should be handled outside of the circuit reactor,
143
    /// when processing new `IncomingStream`s from the returned Rust stream.
144
    ///
145
    /// Data and directory streams can be accepted by calling [`IncomingStream::accept_data`].
146
    /// The caller is responsible for proxying data between the resulting `DataStream`
147
    /// and the local application stream.
148
    ///
149
    // TODO(relay): say how RESOLVE streams should be handled
150
    //
151
    // TODO: declare a type-alias for the impl futures::Stream return type
152
    // when support for impl in type aliases gets stabilized.
153
    //
154
    // See issue #63063 <https://github.com/rust-lang/rust/issues/63063>
155
    //
156
    // TODO(DEDUP): the incoming stream handling is *very* similar
157
    // to the impll from ServiceOnionServiceDataTunnel::allow_stream_requests.
158
    // We should dedupe these someday, when we rewrite the client reactor
159
    // to use the new multi-reactor architecture
160
    #[allow(clippy::too_many_arguments)] // TODO
161
44
    pub(crate) fn new(
162
44
        runtime: R,
163
44
        channel: &Arc<Channel>,
164
44
        circ_id: CircId,
165
44
        unique_id: UniqId,
166
44
        input: CircuitRxReceiver,
167
44
        crypto_in: Box<dyn InboundRelayLayer + Send>,
168
44
        crypto_out: Box<dyn OutboundRelayLayer + Send>,
169
44
        settings: &HopSettings,
170
44
        chan_provider: Arc<dyn ChannelProvider<BuildSpec = OwnedChanTarget> + Send + Sync>,
171
44
        padding_ctrl: PaddingController,
172
44
        padding_event_stream: PaddingEventStream,
173
44
        incoming_filter: Box<dyn IncomingStreamRequestFilter>,
174
44
        allowed_stream_cmds: &[RelayCmd],
175
44
        memquota: &CircuitAccount,
176
44
    ) -> crate::Result<(
177
44
        Self,
178
44
        Arc<RelayCirc>,
179
44
        impl futures::Stream<Item = IncomingStream> + use<R>,
180
44
    )> {
181
        // NOTE: not registering this channel with the memquota subsystem is okay,
182
        // because it has no buffering (if ever decide to make the size of this buffer
183
        // non-zero for whatever reason, we must remember to register it with memquota
184
        // so that it counts towards the total memory usage for the circuit.
185
        #[allow(clippy::disallowed_methods)]
186
44
        let (stream_tx, stream_rx) = mpsc::channel(0);
187

            
188
        /// The size of the channel receiving IncomingStreamRequestContexts.
189
        ///
190
        // TODO(relay-tuning): buffer size
191
        //
192
        // This is currently set to 2x the initial receive window,
193
        // the same as the buffer size we use for onion services.
194
        // This value was picked arbitrarily,
195
        // and is not necessarily tuned for relay needs.
196
        const INCOMING_BUFFER: usize = crate::stream::STREAM_READER_BUFFER;
197

            
198
44
        let time_provider = DynTimeProvider::new(runtime.clone());
199
44
        let (incoming_sender, incoming_receiver) = MpscSpec::new(INCOMING_BUFFER)
200
44
            .new_mq(time_provider.clone(), memquota.as_raw_account())?;
201

            
202
        // Our IncomingCmdChecker does not reject BEGIN, BEGIN_DIR, RESOLVE cells,
203
        // but that doesn't necessarily mean the stream will be accepted.
204
        // An incoming stream can still be rejected at a later stage,
205
        // by the IncomingStreamRequestFilter, or directly by the consumer of the
206
        // futures::Stream<Item = IncomingStream> (by calling IncomingStream::reject()).
207
44
        let cmd_checker = IncomingCmdChecker::new_any(allowed_stream_cmds);
208
44
        let incoming_handler = IncomingStreamRequestHandler {
209
44
            incoming_sender,
210
44
            hop_num: None,
211
44
            cmd_checker,
212
44
            filter: incoming_filter,
213
44
        };
214
44
        let mut hop_mgr = HopMgr::new_with_incoming_handler(
215
44
            runtime.clone(),
216
44
            unique_id,
217
44
            StreamHandler,
218
44
            stream_tx,
219
44
            incoming_handler,
220
44
            memquota.clone(),
221
        );
222

            
223
        // On the relay side, we always have one "hop" (ourselves).
224
        //
225
        // Clients will need to call this function in response to CtrlMsg::Create
226
        // (TODO: for clients, we probably will need to store a bunch more state here)
227
44
        hop_mgr.add_hop(settings.clone())?;
228

            
229
        // TODO(relay): currently we don't need buffering on this channel,
230
        // but we might need it if we start using it for more than just EXTENDED2 events
231
        #[allow(clippy::disallowed_methods)]
232
44
        let (fwd_ev_tx, fwd_ev_rx) = mpsc::channel(0);
233
44
        let forward = Forward::new(
234
44
            channel,
235
44
            unique_id,
236
44
            crypto_out,
237
44
            chan_provider,
238
44
            fwd_ev_tx,
239
44
            memquota.clone(),
240
        );
241
44
        let backward = Backward::new(crypto_in);
242

            
243
44
        let (inner, handle) = BaseReactor::new(
244
44
            runtime,
245
44
            channel,
246
44
            circ_id,
247
44
            unique_id,
248
44
            input,
249
44
            forward,
250
44
            backward,
251
44
            hop_mgr,
252
44
            padding_ctrl,
253
44
            padding_event_stream,
254
44
            stream_rx,
255
44
            fwd_ev_rx,
256
44
            memquota,
257
44
        );
258

            
259
44
        let reactor = Self(inner);
260
44
        let handle = Arc::new(RelayCirc(handle));
261

            
262
        // Note: tunnel is a bit of a misnomer for relays
263
44
        let tunnel = Arc::clone(&handle);
264
        // TODO(relay): this is more or less copy-pasta from client code
265
44
        let stream = incoming_receiver.map(move |req_ctx| {
266
            let StreamReqInfo {
267
12
                req,
268
12
                stream_id,
269
12
                hop,
270
                stream_components:
271
                    ReactorStreamComponents {
272
12
                        stream_inbound_rx,
273
12
                        stream_outbound_tx,
274
12
                        rate_limit_rx,
275
12
                        drain_rate_request_rx,
276
                    },
277
12
                memquota,
278
12
                relay_cell_format,
279
12
            } = req_ctx;
280

            
281
            // There is no originating hop if we're a relay
282
12
            debug_assert!(hop.is_none());
283

            
284
12
            let target = StreamTarget {
285
12
                tunnel: Tunnel::Relay(Arc::clone(&tunnel)),
286
12
                tx: stream_outbound_tx,
287
12
                hop: None,
288
12
                stream_id,
289
12
                relay_cell_format,
290
12
                rate_limit_stream: rate_limit_rx,
291
12
            };
292

            
293
            // can be used to build a reader that supports XON/XOFF flow control
294
12
            let xon_xoff_reader_ctrl =
295
12
                XonXoffReaderCtrl::new(drain_rate_request_rx, target.clone());
296

            
297
12
            let reader = StreamReceiver {
298
12
                target: target.clone(),
299
12
                receiver: stream_inbound_rx,
300
12
                recv_window: StreamRecvWindow::new(RECV_WINDOW_INIT),
301
12
                ended: false,
302
12
            };
303

            
304
12
            let components = StreamComponents {
305
12
                stream_receiver: reader,
306
12
                target,
307
12
                memquota,
308
12
                xon_xoff_reader_ctrl,
309
12
            };
310

            
311
12
            IncomingStream::new(time_provider.clone(), req, components)
312
12
        });
313

            
314
44
        Ok((reactor, handle, stream))
315
44
    }
316

            
317
    /// Launch the reactor, and run until the circuit closes or we
318
    /// encounter an error.
319
    ///
320
    /// Once this method returns, the circuit is dead and cannot be
321
    /// used again.
322
44
    pub(crate) async fn run(mut self) -> crate::Result<()> {
323
44
        self.0.run().await
324
44
    }
325
}
326

            
327
#[cfg(test)]
328
pub(crate) mod test {
329
    // @@ begin test lint list maintained by maint/add_warning @@
330
    #![allow(clippy::bool_assert_comparison)]
331
    #![allow(clippy::clone_on_copy)]
332
    #![allow(clippy::dbg_macro)]
333
    #![allow(clippy::mixed_attributes_style)]
334
    #![allow(clippy::print_stderr)]
335
    #![allow(clippy::print_stdout)]
336
    #![allow(clippy::single_char_pattern)]
337
    #![allow(clippy::unwrap_used)]
338
    #![allow(clippy::unchecked_time_subtraction)]
339
    #![allow(clippy::useless_vec)]
340
    #![allow(clippy::needless_pass_by_value)]
341
    #![allow(clippy::string_slice)] // See arti#2571
342
    //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->
343

            
344
    use super::*;
345
    use crate::circuit::reactor::test::{AllowAllStreamsFilter, rmsg_to_ccmsg};
346
    use crate::circuit::test::fake_mpsc;
347
    use crate::circuit::{CircParameters, CircuitRxSender};
348
    use crate::client::circuit::padding::new_padding;
349
    use crate::congestion::test_utils::params::build_cc_vegas_params;
350
    use crate::crypto::cell::RelayCellBody;
351
    use crate::crypto::cell::{InboundRelayLayer, OutboundRelayLayer};
352
    use crate::relay::channel::test::{DummyChan, DummyChanProvider, working_dummy_channel};
353
    use crate::stream::flow_ctrl::params::FlowCtrlParameters;
354
    use crate::stream::incoming::{IncomingStream, IncomingStreamRequest};
355

            
356
    use futures::AsyncReadExt as _;
357
    use tracing_test::traced_test;
358

            
359
    use tor_cell::chancell::{ChanCell, ChanCmd, msg as chanmsg};
360
    use tor_cell::relaycell::{AnyRelayMsgOuter, RelayCellFormat, StreamId, msg as relaymsg};
361
    use tor_linkspec::{EncodedLinkSpec, HasRelayIds, LinkSpec};
362
    use tor_protover::{Protocols, named};
363
    use tor_rtcompat::SpawnExt;
364
    use tor_rtcompat::{DynTimeProvider, Runtime};
365
    use tor_rtmock::MockRuntime;
366

            
367
    use chanmsg::{AnyChanMsg, Destroy, DestroyReason, HandshakeType};
368
    use relaymsg::SendmeTag;
369

            
370
    use std::net::IpAddr;
371
    use std::sync::{Arc, Mutex, mpsc};
372
    use std::task::{Context, Poll, Waker};
373

            
374
    // An inbound encryption layer that doesn't do any crypto.
375
    struct DummyInboundCrypto {}
376

            
377
    // An outbound encryption layer that doesn't do any crypto.
378
    struct DummyOutboundCrypto {
379
        /// Channel for controlling whether the current cell is meant for us or not.
380
        ///
381
        /// Useful for tests that check if recognized/unrecognized
382
        /// cells are handled/forwarded correctly.
383
        recognized_rx: mpsc::Receiver<Recognized>,
384
    }
385

            
386
    const DUMMY_TAG: [u8; 20] = [1; 20];
387

            
388
    impl InboundRelayLayer for DummyInboundCrypto {
389
        fn originate(&mut self, _cmd: ChanCmd, _cell: &mut RelayCellBody) -> SendmeTag {
390
            DUMMY_TAG.into()
391
        }
392

            
393
        fn encrypt_inbound(&mut self, _cmd: ChanCmd, _cell: &mut RelayCellBody) {}
394
    }
395

            
396
    impl OutboundRelayLayer for DummyOutboundCrypto {
397
        fn decrypt_outbound(
398
            &mut self,
399
            _cmd: ChanCmd,
400
            _cell: &mut RelayCellBody,
401
        ) -> Option<SendmeTag> {
402
            // Note: this should never block.
403
            let recognized = self.recognized_rx.recv().unwrap();
404

            
405
            match recognized {
406
                Recognized::Yes => Some(DUMMY_TAG.into()),
407
                Recognized::No => None,
408
            }
409
        }
410
    }
411

            
412
    struct ReactorTestCtrl {
413
        /// The relay circuit handle.
414
        relay_circ: Arc<RelayCirc>,
415
        /// Mock channel -> circuit reactor MPSC channel.
416
        circmsg_send: CircuitRxSender,
417
        /// The inbound channel ("towards the client").
418
        inbound_chan: DummyChan,
419
        /// The outbound channel ("away from the client"), if any.
420
        ///
421
        /// Shared with the DummyChanProvider, which initializes this
422
        /// when the relay reactor launches a channel to the next hop
423
        /// via `get_or_launch()`.
424
        outbound_chan: Arc<Mutex<Option<DummyChan>>>,
425
        /// MPSC channel for telling the DummyOutboundCrypto that the next
426
        /// cell we're about to send to the reactor should be "recognized".
427
        recognized_tx: mpsc::Sender<Recognized>,
428
    }
429

            
430
    /// Whether a forward cell to send should be "recognized"
431
    /// or "unrecognized" by the relay under test.
432
    enum Recognized {
433
        /// Recognized
434
        Yes,
435
        /// Unrecognized
436
        No,
437
    }
438

            
439
    impl ReactorTestCtrl {
440
        /// Spawn a relay circuit reactor, returning a `ReactorTestCtrl` for
441
        /// controlling it.
442
        fn spawn_reactor<R: Runtime>(
443
            rt: &R,
444
            allowed_stream_cmds: &[RelayCmd],
445
        ) -> (Self, impl futures::Stream<Item = IncomingStream>) {
446
            let inbound_chan = working_dummy_channel(rt);
447
            let circid = CircId::new(1337).unwrap();
448
            let unique_id = UniqId::new(8, 17);
449
            let (padding_ctrl, padding_stream) = new_padding(DynTimeProvider::new(rt.clone()));
450
            let (circmsg_send, circmsg_recv) = fake_mpsc(64);
451
            let params = CircParameters::new(
452
                true,
453
                build_cc_vegas_params(),
454
                FlowCtrlParameters::defaults_for_tests(),
455
            );
456
            let settings = HopSettings::from_params_and_caps(
457
                crate::circuit::circhop::HopNegotiationType::Full,
458
                &params,
459
                &[named::FLOWCTRL_CC].into_iter().collect::<Protocols>(),
460
            )
461
            .unwrap();
462

            
463
            let outbound_chan = Arc::new(Mutex::new(None));
464
            let (recognized_tx, recognized_rx) = mpsc::channel();
465
            let chan_provider = Arc::new(DummyChanProvider::new(
466
                rt.clone(),
467
                Arc::clone(&outbound_chan),
468
            ));
469

            
470
            let (reactor, relay_circ, incoming_streams) = Reactor::new(
471
                rt.clone(),
472
                &Arc::clone(&inbound_chan.channel),
473
                circid,
474
                unique_id,
475
                circmsg_recv,
476
                Box::new(DummyInboundCrypto {}),
477
                Box::new(DummyOutboundCrypto { recognized_rx }),
478
                &settings,
479
                chan_provider,
480
                padding_ctrl,
481
                padding_stream,
482
                Box::new(AllowAllStreamsFilter),
483
                allowed_stream_cmds,
484
                &CircuitAccount::new_noop(),
485
            )
486
            .unwrap();
487

            
488
            rt.spawn(async {
489
                let _ = reactor.run().await;
490
            })
491
            .unwrap();
492

            
493
            let ctrl = Self {
494
                relay_circ,
495
                circmsg_send,
496
                recognized_tx,
497
                inbound_chan,
498
                outbound_chan,
499
            };
500

            
501
            (ctrl, incoming_streams)
502
        }
503

            
504
        /// Simulate the sending of a forward relay message through our relay.
505
        async fn send_fwd(
506
            &mut self,
507
            id: Option<StreamId>,
508
            msg: relaymsg::AnyRelayMsg,
509
            recognized: Recognized,
510
            early: bool,
511
        ) {
512
            // This a bit janky, but for each forward cell we send to the reactor
513
            // we need to send a bit of metadata to the DummyOutboundLayer
514
            // specifying whether the cell should be treated as recognized
515
            // or unrecognized
516
            self.recognized_tx.send(recognized).unwrap();
517
            self.circmsg_send
518
                .send(rmsg_to_ccmsg(id, msg, early))
519
                .await
520
                .unwrap();
521
        }
522

            
523
        /// Simulate the sending of a forward channel message through our relay.
524
        async fn send_fwd_cmsg(&mut self, msg: chanmsg::AnyChanMsg) {
525
            self.circmsg_send.send(msg).await.unwrap();
526
        }
527

            
528
        /// Whether the reactor opened an outbound channel
529
        /// (i.e. a channel to the next relay in the circuit).
530
        fn outbound_chan_launched(&self) -> bool {
531
            self.outbound_chan.lock().unwrap().is_some()
532
        }
533

            
534
        /// Perform the CREATE2 handshake.
535
        async fn do_create2_handshake(
536
            &mut self,
537
            rt: &MockRuntime,
538
            expected_hs_type: HandshakeType,
539
        ) -> Option<CircId> {
540
            // First, check that the reactor actually sent a CREATE2 to the next hop...
541
            let (circid, msg) = self.read_outbound().into_circid_and_msg();
542
            let _create2 = match msg {
543
                chanmsg::AnyChanMsg::Create2(c) => {
544
                    assert_eq!(c.handshake_type(), expected_hs_type);
545
                    c
546
                }
547
                _ => panic!("unexpected forwarded {msg:?}"),
548
            };
549

            
550
            let handshake = vec![];
551
            let created2 = chanmsg::Created2::new(handshake.clone());
552
            // ...and then finalize the handshake by pretending to be
553
            // the responding relay
554
            self.write_outbound(circid, chanmsg::AnyChanMsg::Created2(created2));
555
            rt.advance_until_stalled().await;
556

            
557
            // Make sure we actually did send an EXTENDED2 towards the client
558
            let msg = self.read_inbound();
559
            let rmsg = match msg.msg() {
560
                chanmsg::AnyChanMsg::Relay(r) => AnyRelayMsgOuter::decode_singleton(
561
                    RelayCellFormat::V0,
562
                    r.clone().into_relay_body(),
563
                )
564
                .unwrap(),
565
                _ => panic!("unexpected forwarded {msg:?}"),
566
            };
567

            
568
            match rmsg.msg() {
569
                relaymsg::AnyRelayMsg::Extended2(e) => {
570
                    assert_eq!(e.clone().into_body(), handshake);
571
                }
572
                _ => panic!("unexpected relay message {rmsg:?}"),
573
            }
574

            
575
            circid
576
        }
577

            
578
        /// Whether the circuit is closing (e.g. due to a proto violation).
579
        fn is_closing(&self) -> bool {
580
            self.relay_circ.is_closing()
581
        }
582

            
583
        /// Read a cell from the inbound channel
584
        /// (moving towards the client).
585
        ///
586
        /// Panics if there are no ready cells on the inbound MPSC channel.
587
        fn read_inbound(&mut self) -> ChanCell<AnyChanMsg> {
588
            #[allow(deprecated)] // TODO(#2386)
589
            self.inbound_chan.rx.try_next().unwrap().unwrap()
590
        }
591

            
592
        /// Read a cell from the outbound channel
593
        /// (moving towards the next hop).
594
        ///
595
        /// Panics if there are no ready cells on the outbound MPSC channel.
596
        fn read_outbound(&mut self) -> ChanCell<AnyChanMsg> {
597
            let mut lock = self.outbound_chan.lock().unwrap();
598
            let chan = lock.as_mut().unwrap();
599
            #[allow(deprecated)] // TODO(#2386)
600
            chan.rx.try_next().unwrap().unwrap()
601
        }
602

            
603
        /// Write to the sending end of the outbound Tor channel.
604
        ///
605
        /// Simulates the receipt of a cell from the next hop.
606
        ///
607
        /// Panics if the outbound chan sender is full.
608
        fn write_outbound(&mut self, circid: Option<CircId>, msg: chanmsg::AnyChanMsg) {
609
            let mut lock = self.outbound_chan.lock().unwrap();
610
            let chan = lock.as_mut().unwrap();
611
            let cell = ChanCell::new(circid, msg);
612

            
613
            chan.tx.try_send(Ok(cell)).unwrap();
614
        }
615
    }
616

            
617
    fn dummy_linkspecs() -> Vec<EncodedLinkSpec> {
618
        vec![
619
            LinkSpec::Ed25519Id([43; 32].into()).encode().unwrap(),
620
            LinkSpec::RsaId([45; 20].into()).encode().unwrap(),
621
            LinkSpec::OrPort("127.0.0.1".parse::<IpAddr>().unwrap(), 999)
622
                .encode()
623
                .unwrap(),
624
        ]
625
    }
626

            
627
    /// Assert that we have sent a DESTROY cell with the specified `reason`
628
    /// both towards the "client" and towards the "next hop", if there is one,
629
    /// and that the relay circuit is shutting down.
630
    ///
631
    /// The test is expected to drain the inbound Tor "channel"
632
    /// of any non-ending cells it might be expecting before calling this function.
633
    fn assert_destroy_sent(ctrl: &mut ReactorTestCtrl, reason: DestroyReason) {
634
        assert!(ctrl.is_closing());
635

            
636
        macro_rules! assert_cell_is_destroy {
637
            ($cell:expr) => {{
638
                match $cell.msg() {
639
                    chanmsg::AnyChanMsg::Destroy(d) => {
640
                        assert_eq!(d.reason(), reason);
641
                    }
642
                    _ => panic!("unexpected ending {:?}", $cell),
643
                }
644
            }};
645
        }
646

            
647
        // We *always* send a DESTROY towards the client
648
        // when killing the circuit
649
        let cell = ctrl.read_inbound();
650
        assert_cell_is_destroy!(cell);
651

            
652
        // If there's an outbound channel, ensure we sent a DESTROY over it too.
653
        if ctrl.outbound_chan_launched() {
654
            let cell = ctrl.read_outbound();
655
            assert_cell_is_destroy!(cell);
656
        }
657
    }
658

            
659
    macro_rules! expect_cell {
660
        ($cell:expr, $chanmsg:tt, $relaymsg:tt) => {{
661
            let msg = match $cell.msg() {
662
                chanmsg::AnyChanMsg::$chanmsg(m) => {
663
                    let body = m.clone().into_relay_body();
664
                    AnyRelayMsgOuter::decode_singleton(RelayCellFormat::V0, body).unwrap()
665
                }
666
                _ => panic!("unexpected forwarded {:?}", $cell),
667
            };
668

            
669
            match msg.msg() {
670
                relaymsg::AnyRelayMsg::$relaymsg(m) => m.clone(),
671
                _ => panic!("unexpected cell {msg:?}"),
672
            }
673
        }};
674
    }
675

            
676
    #[traced_test]
677
    #[test]
678
    fn reject_extend2_relay() {
679
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
680
            let (mut ctrl, _incoming_streams) =
681
                ReactorTestCtrl::spawn_reactor(&rt, &[RelayCmd::BEGIN]);
682
            rt.advance_until_stalled().await;
683

            
684
            let linkspecs = dummy_linkspecs();
685
            let extend2 = relaymsg::Extend2::new(linkspecs, HandshakeType::NTOR_V3, vec![]).into();
686
            ctrl.send_fwd(None, extend2, Recognized::Yes, false).await;
687
            rt.advance_until_stalled().await;
688

            
689
            assert!(logs_contain("got EXTEND2 in a RELAY cell?!"));
690
            assert!(!ctrl.outbound_chan_launched());
691
            assert_destroy_sent(&mut ctrl, DestroyReason::NONE);
692
        });
693
    }
694

            
695
    #[traced_test]
696
    #[test]
697
    fn reject_extend2_previous_hop() {
698
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
699
            let (mut ctrl, _incoming_streams) =
700
                ReactorTestCtrl::spawn_reactor(&rt, &[RelayCmd::BEGIN]);
701
            rt.advance_until_stalled().await;
702

            
703
            // No outbound circuits yet
704
            assert!(!ctrl.outbound_chan_launched());
705

            
706
            // Build a linkspec with the identities of the dummy channel
707
            let mut linkspecs = ctrl
708
                .inbound_chan
709
                .channel
710
                .target()
711
                .identities()
712
                .map(|id| LinkSpec::from(id.to_owned()).encode())
713
                .collect::<Result<Vec<_>, _>>()
714
                .unwrap();
715

            
716
            // Make sure this channel actually has some identities
717
            // (i.e. that it's not a client channel or something)
718
            assert_eq!(linkspecs.len(), 2);
719

            
720
            // There must be at least one IPv4 OR port address
721
            linkspecs.push(
722
                LinkSpec::OrPort("127.0.0.1".parse::<IpAddr>().unwrap(), 999)
723
                    .encode()
724
                    .unwrap(),
725
            );
726
            let handshake_type = HandshakeType::NTOR_V3;
727
            let extend2 = relaymsg::Extend2::new(linkspecs, handshake_type, vec![]).into();
728
            ctrl.send_fwd(None, extend2, Recognized::Yes, true).await;
729
            rt.advance_until_stalled().await;
730

            
731
            // The reactor handled the EXTEND2 and launched an outbound channel
732
            assert!(logs_contain("Cannot extend circuit to previous hop"));
733
            assert!(!ctrl.outbound_chan_launched());
734
            assert!(ctrl.is_closing());
735
        });
736
    }
737

            
738
    #[traced_test]
739
    #[test]
740
    fn extend_and_forward() {
741
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
742
            let (mut ctrl, _incoming_streams) =
743
                ReactorTestCtrl::spawn_reactor(&rt, &[RelayCmd::BEGIN]);
744
            rt.advance_until_stalled().await;
745

            
746
            // No outbound circuits yet
747
            assert!(!ctrl.outbound_chan_launched());
748

            
749
            let linkspecs = dummy_linkspecs();
750
            let handshake_type = HandshakeType::NTOR_V3;
751
            let extend2 = relaymsg::Extend2::new(linkspecs, handshake_type, vec![]).into();
752
            ctrl.send_fwd(None, extend2, Recognized::Yes, true).await;
753
            rt.advance_until_stalled().await;
754

            
755
            // The reactor handled the EXTEND2 and launched an outbound channel
756
            assert!(logs_contain(
757
                "Launched channel to the next hop circ_id=Circ 8.17"
758
            ));
759
            assert!(ctrl.outbound_chan_launched());
760
            assert!(!ctrl.is_closing());
761

            
762
            let _circid = ctrl.do_create2_handshake(&rt, handshake_type).await;
763
            assert!(logs_contain("Got CREATED2 response from next hop"));
764
            assert!(logs_contain("Extended circuit to the next hop"));
765

            
766
            // Time to forward a message to the next hop!
767
            let early = false;
768
            let begin = relaymsg::Begin::new("127.0.0.1", 1111, 0).unwrap();
769
            ctrl.send_fwd(None, begin.clone().into(), Recognized::No, early)
770
                .await;
771
            rt.advance_until_stalled().await;
772

            
773
            // Ensure the other end received the BEGIN cell
774
            let cell = ctrl.read_outbound();
775
            let recvd_begin = expect_cell!(cell, Relay, Begin);
776
            assert_eq!(begin, recvd_begin);
777

            
778
            // Now send the same message again, but this time in a RELAY_EARLY
779
            let early = true;
780
            let begin = relaymsg::Begin::new("127.0.0.1", 1111, 0).unwrap();
781
            ctrl.send_fwd(None, begin.clone().into(), Recognized::No, early)
782
                .await;
783
            rt.advance_until_stalled().await;
784
            let cell = ctrl.read_outbound();
785
            let recvd_begin = expect_cell!(cell, RelayEarly, Begin);
786
            assert_eq!(begin, recvd_begin);
787
        });
788
    }
789

            
790
    #[traced_test]
791
    #[test]
792
    fn forward_before_extend() {
793
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
794
            let (mut ctrl, _incoming_streams) =
795
                ReactorTestCtrl::spawn_reactor(&rt, &[RelayCmd::BEGIN]);
796
            rt.advance_until_stalled().await;
797

            
798
            // Send an arbitrary unrecognized cell. The reactor should flag this as
799
            // a protocol violation, because we don't have an outbound channel to forward it on.
800
            let extend2 = relaymsg::End::new_misc().into();
801
            ctrl.send_fwd(None, extend2, Recognized::No, true).await;
802
            rt.advance_until_stalled().await;
803

            
804
            // The reactor handled the EXTEND2 and launched an outbound channel
805
            assert!(logs_contain(
806
                "Asked to forward cell before the circuit was extended?!"
807
            ));
808
            assert_destroy_sent(&mut ctrl, DestroyReason::NONE);
809
        });
810
    }
811

            
812
    #[traced_test]
813
    #[test]
814
    fn reject_invalid_begin() {
815
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
816
            let (mut ctrl, _incoming_streams) =
817
                ReactorTestCtrl::spawn_reactor(&rt, &[RelayCmd::BEGIN]);
818
            rt.advance_until_stalled().await;
819

            
820
            let begin = relaymsg::Begin::new("127.0.0.1", 1111, 0).unwrap().into();
821

            
822
            // BEGIN cells *must* have a stream ID, so expect the reactor to reject this
823
            // and close the circuit
824
            ctrl.send_fwd(None, begin, Recognized::Yes, false).await;
825
            rt.advance_until_stalled().await;
826

            
827
            assert!(logs_contain(
828
                "Invalid stream ID [scrubbed] for relay command BEGIN"
829
            ));
830
            assert_destroy_sent(&mut ctrl, DestroyReason::NONE);
831
        });
832
    }
833

            
834
    #[traced_test]
835
    #[test]
836
    fn destroy_from_client() {
837
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
838
            let (mut ctrl, _incoming_streams) =
839
                ReactorTestCtrl::spawn_reactor(&rt, &[RelayCmd::BEGIN]);
840
            rt.advance_until_stalled().await;
841

            
842
            // Simulate the client sending us a DESTROY cell
843
            let destroy = Destroy::new(DestroyReason::PROTOCOL);
844
            ctrl.send_fwd_cmsg(destroy.into()).await;
845
            rt.advance_until_stalled().await;
846

            
847
            assert!(logs_contain(
848
                "Received outbound DESTROY, circuit shutting down"
849
            ));
850

            
851
            // Ensure the destroy reason (PROTOCOL) is not propagated
852
            assert_destroy_sent(&mut ctrl, DestroyReason::NONE);
853
        });
854
    }
855

            
856
    #[traced_test]
857
    #[test]
858
    fn destroy_from_next_hop() {
859
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
860
            let (mut ctrl, _incoming_streams) =
861
                ReactorTestCtrl::spawn_reactor(&rt, &[RelayCmd::BEGIN]);
862
            rt.advance_until_stalled().await;
863

            
864
            // Extend the circuit by another hop
865
            let linkspecs = dummy_linkspecs();
866
            let handshake_type = HandshakeType::NTOR_V3;
867
            let extend2 = relaymsg::Extend2::new(linkspecs, handshake_type, vec![]).into();
868
            ctrl.send_fwd(None, extend2, Recognized::Yes, true).await;
869
            rt.advance_until_stalled().await;
870
            let circid = ctrl.do_create2_handshake(&rt, handshake_type).await;
871
            assert!(logs_contain("Extended circuit to the next hop"));
872
            assert!(ctrl.outbound_chan_launched());
873

            
874
            // Simulate the client sending us a DESTROY cell
875
            let destroy = Destroy::new(DestroyReason::PROTOCOL);
876
            ctrl.write_outbound(circid, destroy.into());
877
            rt.advance_until_stalled().await;
878

            
879
            // We have *not* received an outbound destroy
880
            assert!(!logs_contain(
881
                "Received outbound DESTROY, circuit shutting down"
882
            ));
883

            
884
            // We received an inbound one (from the next hop)
885
            assert!(logs_contain(
886
                "Received inbound DESTROY, circuit shutting down"
887
            ));
888

            
889
            // Ensure the destroy reason (PROTOCOL) is not propagated
890
            // This will check that we've sent a DESTROY cell in both directions.
891
            assert_destroy_sent(&mut ctrl, DestroyReason::NONE);
892
        });
893
    }
894

            
895
    #[traced_test]
896
    #[test]
897
    fn truncate() {
898
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
899
            let (mut ctrl, _incoming_streams) =
900
                ReactorTestCtrl::spawn_reactor(&rt, &[RelayCmd::BEGIN]);
901
            rt.advance_until_stalled().await;
902

            
903
            // Simulate the client sending us a TRUNCATE cell
904
            let truncate = relaymsg::Truncate::default().into();
905
            ctrl.send_fwd(None, truncate, Recognized::Yes, false).await;
906
            rt.advance_until_stalled().await;
907

            
908
            assert!(logs_contain(
909
                "Circuit protocol violation: TRUNCATE not allowed"
910
            ));
911

            
912
            assert_destroy_sent(&mut ctrl, DestroyReason::NONE);
913
        });
914
    }
915

            
916
    #[traced_test]
917
    #[test]
918
    fn data_stream() {
919
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
920
            const TO_SEND: &[u8] = b"The bells were musical in the silvery sun";
921

            
922
            let (mut ctrl, mut incoming_streams) =
923
                ReactorTestCtrl::spawn_reactor(&rt, &[RelayCmd::BEGIN]);
924
            rt.advance_until_stalled().await;
925

            
926
            let begin = relaymsg::Begin::new("127.0.0.1", 1111, 0).unwrap().into();
927
            ctrl.send_fwd(StreamId::new(1), begin, Recognized::Yes, false)
928
                .await;
929
            rt.advance_until_stalled().await;
930

            
931
            let data = relaymsg::Data::new(TO_SEND).unwrap().into();
932
            ctrl.send_fwd(StreamId::new(1), data, Recognized::Yes, false)
933
                .await;
934

            
935
            // We should have a pending incoming stream
936
            let pending = incoming_streams.next().await.unwrap();
937

            
938
            // Accept it, and let's see what we have!
939
            let mut stream = pending
940
                .accept_data(relaymsg::Connected::new_empty())
941
                .await
942
                .unwrap();
943

            
944
            let mut recv_buf = [0_u8; TO_SEND.len()];
945
            stream.read_exact(&mut recv_buf).await.unwrap();
946
            assert_eq!(recv_buf, TO_SEND);
947
        });
948
    }
949

            
950
    #[traced_test]
951
    #[test]
952
    fn reject_stream() {
953
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
954
            let (mut ctrl, mut incoming_streams) =
955
                ReactorTestCtrl::spawn_reactor(&rt, &[RelayCmd::BEGIN]);
956
            rt.advance_until_stalled().await;
957

            
958
            let begin = relaymsg::Begin::new("127.0.0.1", 1111, 0).unwrap().into();
959
            ctrl.send_fwd(StreamId::new(1), begin, Recognized::Yes, false)
960
                .await;
961
            rt.advance_until_stalled().await;
962

            
963
            // We should have a pending incoming stream
964
            let pending = incoming_streams.next().await.unwrap();
965

            
966
            // Reject the stream, and wait for the reactor to finish sending the END
967
            let end = relaymsg::End::new_misc();
968
            pending.reject(end.clone()).await.unwrap();
969
            rt.advance_until_stalled().await;
970

            
971
            // The END cell written to the Tor channel should be the same as
972
            // the one we sent above, in reject().
973
            let cell = ctrl.read_inbound();
974
            let actual_end = expect_cell!(cell, Relay, End);
975
            assert_eq!(end.reason(), actual_end.reason());
976

            
977
            // Sending another message on this stream results is flagged
978
            // as a proto violation
979
            let data = relaymsg::Data::new(b"no dice").unwrap().into();
980
            ctrl.send_fwd(StreamId::new(1), data, Recognized::Yes, false)
981
                .await;
982
            rt.advance_until_stalled().await;
983

            
984
            assert!(logs_contain("Stream protocol violation"));
985
            assert!(logs_contain(
986
                "Unexpected RelayCmd(DATA) message on unknown stream 1"
987
            ));
988
        });
989
    }
990

            
991
    #[traced_test]
992
    #[test]
993
    fn only_allow_begin_dir() {
994
        tor_rtmock::MockRuntime::test_with_various(|rt| async move {
995
            let (mut ctrl, mut incoming_streams) = ReactorTestCtrl::spawn_reactor(
996
                &rt,
997
                // The stream reactor will only accept BEGIN_DIR streams
998
                &[RelayCmd::BEGIN_DIR],
999
            );
            rt.advance_until_stalled().await;
            // Directory streams should be allowed (because BEGIN_DIR is allowed)...
            let begin_dir = relaymsg::BeginDir::default().into();
            ctrl.send_fwd(StreamId::new(1), begin_dir, Recognized::Yes, false)
                .await;
            rt.advance_until_stalled().await;
            let pending_dir_stream = incoming_streams.next().await.unwrap();
            assert!(matches!(
                pending_dir_stream.request(),
                IncomingStreamRequest::BeginDir(_)
            ));
            let begin = relaymsg::Begin::new("127.0.0.1", 1111, 0).unwrap().into();
            ctrl.send_fwd(StreamId::new(2), begin, Recognized::Yes, false)
                .await;
            rt.advance_until_stalled().await;
            // ... but the exit stream is not
            assert!(logs_contain("stream reactor shut down"));
            assert!(logs_contain(
                "Stream protocol violation: Unexpected BEGIN on incoming stream circ_id=Circ 8.17"
            ));
            // The reactor won't create an IncomingStream,
            // because the stream request is rejected right away
            let mut noop_cx = Context::from_waker(Waker::noop());
            assert_eq!(
                incoming_streams.poll_next_unpin(&mut noop_cx).map(|_| ()),
                Poll::Pending
            );
        });
    }
}