hs-v3: Privatize access to HS DoS consensus param

Remove the public functions returning the HS DoS consensus param or default
values as it is exclusively used internally now.

Rename the param_* variables to consensus_param_* for better code semantic.

Finally, make some private functions available to unit tests.

Signed-off-by: David Goulet <dgoulet@torproject.org>

src/feature/hs/hs_dos.c

@@ -46,14 +46,14 @@
 #define HS_DOS_INTRODUCE_ENABLED_DEFAULT 0
 
 /* Consensus parameters. */
-static uint32_t param_introduce_rate_per_sec =
+static uint32_t consensus_param_introduce_rate_per_sec =
   HS_DOS_INTRODUCE_DEFAULT_CELL_RATE_PER_SEC;
-static uint32_t param_introduce_burst_per_sec =
+static uint32_t consensus_param_introduce_burst_per_sec =
   HS_DOS_INTRODUCE_DEFAULT_CELL_BURST_PER_SEC;
-static uint32_t param_introduce_defense_enabled =
+static uint32_t consensus_param_introduce_defense_enabled =
   HS_DOS_INTRODUCE_ENABLED_DEFAULT;
 
-static uint32_t
+STATIC uint32_t
 get_intro2_enable_consensus_param(const networkstatus_t *ns)
 {
   return networkstatus_get_param(ns, "HiddenServiceEnableIntroDoSDefense",
@@ -61,7 +61,7 @@ get_intro2_enable_consensus_param(const networkstatus_t *ns)
 }
 
 /* Return the parameter for the introduction rate per sec. */
-static uint32_t
+STATIC uint32_t
 get_intro2_rate_consensus_param(const networkstatus_t *ns)
 {
   return networkstatus_get_param(ns, "HiddenServiceEnableIntroDoSRatePerSec",
@@ -70,7 +70,7 @@ get_intro2_rate_consensus_param(const networkstatus_t *ns)
 }
 
 /* Return the parameter for the introduction burst per sec. */
-static uint32_t
+STATIC uint32_t
 get_intro2_burst_consensus_param(const networkstatus_t *ns)
 {
   return networkstatus_get_param(ns, "HiddenServiceEnableIntroDoSBurstPerSec",
@@ -90,8 +90,8 @@ update_intro_circuits(void)
   SMARTLIST_FOREACH_BEGIN(intro_circs, circuit_t *, circ) {
     /* Adjust the rate/burst value that might have changed. */
     token_bucket_ctr_adjust(&TO_OR_CIRCUIT(circ)->introduce2_bucket,
-                            param_introduce_rate_per_sec,
-                            param_introduce_burst_per_sec);
+                            consensus_param_introduce_rate_per_sec,
+                            consensus_param_introduce_burst_per_sec);
   } SMARTLIST_FOREACH_END(circ);
 
   smartlist_free(intro_circs);
@@ -101,9 +101,12 @@ update_intro_circuits(void)
 static void
 set_consensus_parameters(const networkstatus_t *ns)
 {
-  param_introduce_rate_per_sec = get_intro2_rate_consensus_param(ns);
-  param_introduce_burst_per_sec = get_intro2_burst_consensus_param(ns);
-  param_introduce_defense_enabled = get_intro2_enable_consensus_param(ns);
+  consensus_param_introduce_rate_per_sec =
+    get_intro2_rate_consensus_param(ns);
+  consensus_param_introduce_burst_per_sec =
+    get_intro2_burst_consensus_param(ns);
+  consensus_param_introduce_defense_enabled =
+    get_intro2_enable_consensus_param(ns);
 
   /* The above might have changed which means we need to go through all
    * introduction circuits (relay side) and update the token buckets. */
@@ -114,27 +117,6 @@ set_consensus_parameters(const networkstatus_t *ns)
  * Public API.
  */
 
-/* Return the INTRODUCE2 cell rate per second (param or default). */
-uint32_t
-hs_dos_get_intro2_rate_param(void)
-{
-  return param_introduce_rate_per_sec;
-}
-
-/* Return the INTRODUCE2 cell burst per second (param or default). */
-uint32_t
-hs_dos_get_intro2_burst_param(void)
-{
-  return param_introduce_burst_per_sec;
-}
-
-/* Return the INTRODUCE2 DoS defense enabled flag (param or default). */
-unsigned int
-hs_dos_get_intro2_enabled_param(void)
-{
-  return (unsigned int) param_introduce_defense_enabled;
-}
-
 /* Initialize the INTRODUCE2 token bucket for the DoS defenses using the
  * consensus/default values. We might get a cell extension that changes those
  * later but if we don't, the default or consensus parameters are used. */
@@ -143,10 +125,11 @@ hs_dos_setup_default_intro2_defenses(or_circuit_t *circ)
 {
   tor_assert(circ);
 
-  circ->introduce2_dos_defense_enabled = param_introduce_defense_enabled;
+  circ->introduce2_dos_defense_enabled =
+    consensus_param_introduce_defense_enabled;
   token_bucket_ctr_init(&circ->introduce2_bucket,
-                        param_introduce_rate_per_sec,
-                        param_introduce_burst_per_sec,
+                        consensus_param_introduce_rate_per_sec,
+                        consensus_param_introduce_burst_per_sec,
                         (uint32_t) approx_time());
 }
 

src/feature/hs/hs_dos.h

@@ -24,14 +24,14 @@ void hs_dos_consensus_has_changed(const networkstatus_t *ns);
 bool hs_dos_can_send_intro2(or_circuit_t *s_intro_circ);
 void hs_dos_setup_default_intro2_defenses(or_circuit_t *circ);
 
-unsigned int hs_dos_get_intro2_enabled_param(void);
-uint32_t hs_dos_get_intro2_rate_param(void);
-uint32_t hs_dos_get_intro2_burst_param(void);
-
 #ifdef HS_DOS_PRIVATE
 
 #ifdef TOR_UNIT_TESTS
 
+STATIC uint32_t get_intro2_enable_consensus_param(const networkstatus_t *ns);
+STATIC uint32_t get_intro2_rate_consensus_param(const networkstatus_t *ns);
+STATIC uint32_t get_intro2_burst_consensus_param(const networkstatus_t *ns);
+
 #endif /* define(TOR_UNIT_TESTS) */
 
 #endif /* defined(HS_DOS_PRIVATE) */

src/test/test_hs_dos.c

@@ -8,6 +8,7 @@
 
 #define CIRCUITLIST_PRIVATE
 #define NETWORKSTATUS_PRIVATE
+#define HS_DOS_PRIVATE
 
 #include "test/test.h"
 #include "test/test_helpers.h"
@@ -57,11 +58,8 @@ test_can_send_intro2(void *arg)
 
   /* Make that circuit a service intro point. */
   circuit_change_purpose(TO_CIRCUIT(or_circ), CIRCUIT_PURPOSE_INTRO_POINT);
+  hs_dos_setup_default_intro2_defenses(or_circ);
   or_circ->introduce2_dos_defense_enabled = 1;
-  /* Initialize the INTRODUCE2 token bucket for the rate limiting. */
-  token_bucket_ctr_init(&or_circ->introduce2_bucket,
-                        hs_dos_get_intro2_rate_param(),
-                        hs_dos_get_intro2_burst_param(), now);
 
   /* Brand new circuit, we should be able to send INTRODUCE2 cells. */
   tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
@@ -73,13 +71,13 @@ test_can_send_intro2(void *arg)
     tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
   }
   tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
-             hs_dos_get_intro2_burst_param() - 10);
+             get_intro2_burst_consensus_param(NULL) - 10);
 
   /* Fully refill the bucket minus 1 cell. */
   update_approx_time(++now);
   tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
   tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
-             hs_dos_get_intro2_burst_param() - 1);
+             get_intro2_burst_consensus_param(NULL) - 1);
 
   /* Receive an INTRODUCE2 at each second. We should have the bucket full
    * since at every second it gets refilled. */
@@ -89,18 +87,18 @@ test_can_send_intro2(void *arg)
   }
   /* Last check if we can send the cell decrements the bucket so minus 1. */
   tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
-             hs_dos_get_intro2_burst_param() - 1);
+             get_intro2_burst_consensus_param(NULL) - 1);
 
   /* Manually reset bucket for next test. */
   token_bucket_ctr_reset(&or_circ->introduce2_bucket, now);
   tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
-             hs_dos_get_intro2_burst_param());
+             get_intro2_burst_consensus_param(NULL));
 
   /* Do a full burst in the current second which should empty the bucket and
    * we shouldn't be allowed to send one more cell after that. We go minus 1
    * cell else the very last check if we can send the INTRO2 cell returns
    * false because the bucket goes down to 0. */
-  for (uint32_t i = 0; i < hs_dos_get_intro2_burst_param() - 1; i++) {
+  for (uint32_t i = 0; i < get_intro2_burst_consensus_param(NULL) - 1; i++) {
     tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
   }
   tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ, 1);
@@ -118,7 +116,7 @@ test_can_send_intro2(void *arg)
   update_approx_time(++now);
   tt_int_op(true, OP_EQ, hs_dos_can_send_intro2(or_circ));
   tt_uint_op(token_bucket_ctr_get(&or_circ->introduce2_bucket), OP_EQ,
-             hs_dos_get_intro2_rate_param() - 1);
+             get_intro2_rate_consensus_param(NULL) - 1);
 
  done:
   circuit_free_(TO_CIRCUIT(or_circ));