From d29a8ad564757866dee8d2cbd940c5028a03f2e3 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 10 Mar 2015 10:07:41 -0400 Subject: [PATCH 1/3] Add link protocol version counts to the heartbeat message Closes ticket 15212 --- changes/ticket15212 | 6 ++++++ src/or/channeltls.c | 3 +++ src/or/connection_or.c | 1 + src/or/rephist.c | 44 ++++++++++++++++++++++++++++++++++++++++++ src/or/rephist.h | 4 ++++ src/or/status.c | 4 +++- src/test/test_status.c | 8 +++++++- 7 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 changes/ticket15212 diff --git a/changes/ticket15212 b/changes/ticket15212 new file mode 100644 index 000000000..2c41e3865 --- /dev/null +++ b/changes/ticket15212 @@ -0,0 +1,6 @@ + o Minor features (heartbeat): + + - On relays, report how many connections we negotiated using each + version of the Tor link protocols. This information will let us + know if removing support for very old versions of the Tor + protocols is harming the network. Closes ticket 15212. diff --git a/src/or/channeltls.c b/src/or/channeltls.c index e194c1c4d..1cf697ccc 100644 --- a/src/or/channeltls.c +++ b/src/or/channeltls.c @@ -23,6 +23,7 @@ #include "connection_or.h" #include "control.h" #include "relay.h" +#include "rephist.h" #include "router.h" #include "routerlist.h" #include "scheduler.h" @@ -1463,6 +1464,8 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan) return; } + rep_hist_note_negotiated_link_proto(highest_supported_version, started_here); + chan->conn->link_proto = highest_supported_version; chan->conn->handshake_state->received_versions = 1; diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 85462d899..e0dff1c91 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c 
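Review bot: In src/or/channeltls.c, the new `rep_hist_note_negotiated_link_proto(highest_supported_version, started_here);` call in channel_tls_process_versions_cell() runs as soon as a VERSIONS cell is accepted, while the handshake still appears to be in progress (the following lines are still updating `handshake_state`). The counter therefore includes connections that never complete the handshake, and a peer that has not yet been authenticated can raise the "received" numbers, which matters because the changelog says these figures will inform removal of old link protocols. Either move the call to the point where the connection is marked open, or state the limit in a comment such as `/* Counted at VERSIONS time: includes handshakes that later fail. */`. The function starts and ends outside the hunk, so where `started_here` is set cannot be checked from here.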
@@ -1819,6 +1819,7 @@ connection_tls_finish_handshake(or_connection_t *conn) conn->base_.port, digest_rcvd, 0); } tor_tls_block_renegotiation(conn->tls); + rep_hist_note_negotiated_link_proto(1, started_here); return connection_or_set_state_open(conn); } else { connection_or_change_state(conn, OR_CONN_STATE_OR_HANDSHAKING_V2); diff --git a/src/or/rephist.c b/src/or/rephist.c index 34908828a..fe0997c89 100644 --- a/src/or/rephist.c +++ b/src/or/rephist.c 
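Review bot: The bare `1` in `rep_hist_note_negotiated_link_proto(1, started_here);` in connection_tls_finish_handshake() is a magic number; a reader has to infer from the `OR_CONN_STATE_OR_HANDSHAKING_V2` else-branch that this is presumably the path on which no later version negotiation happens. A short comment on the added line would make that explicit, for example `/* No VERSIONS cell follows on this path, so this is link protocol 1. */`. The function body begins outside the hunk, so the declaration of `started_here` is not visible here.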
@@ -3121,6 +3121,50 @@ rep_hist_hs_stats_write(time_t now) return start_of_hs_stats_interval + WRITE_STATS_INTERVAL; } +#define MAX_LINK_PROTO_TO_LOG 4 +static uint64_t link_proto_count[MAX_LINK_PROTO_TO_LOG+1][2]; + +/** Note that we negotiated link protocol version link_proto, on + * a connection that started here iff started_here is true. + */ +void +rep_hist_note_negotiated_link_proto(unsigned link_proto, int started_here) +{ + started_here = !!started_here; /* force to 0 or 1 */ + if (link_proto > MAX_LINK_PROTO_TO_LOG) { + log_warn(LD_BUG, "Can't log link protocol %u", link_proto); + return; + } + + link_proto_count[link_proto][started_here]++; +} + +/** Log a heartbeat message explaining how many connections of each link + * protocol version we have used. + */ +void +rep_hist_log_link_protocol_counts(void) +{ + log_notice(LD_HEARTBEAT, + "Since startup, we have initiated " + U64_FORMAT" v1 connections, " + U64_FORMAT" v2 connections, " + U64_FORMAT" v3 connections, and " + U64_FORMAT" v4 connections; and received " + U64_FORMAT" v1 connections, " + U64_FORMAT" v2 connections, " + U64_FORMAT" v3 connections, and " + U64_FORMAT" v4 connections.", + U64_PRINTF_ARG(link_proto_count[1][1]), + U64_PRINTF_ARG(link_proto_count[2][1]), + U64_PRINTF_ARG(link_proto_count[3][1]), + U64_PRINTF_ARG(link_proto_count[4][1]), + U64_PRINTF_ARG(link_proto_count[1][0]), + U64_PRINTF_ARG(link_proto_count[2][0]), + U64_PRINTF_ARG(link_proto_count[3][0]), + U64_PRINTF_ARG(link_proto_count[4][0])); +} + /** Free all storage held by the OR/link history caches, by the * bandwidth history arrays, by the port history, or by statistics . */ void diff --git a/src/or/rephist.h b/src/or/rephist.h index 42710c4ed..f94b4e8ff 100644 --- a/src/or/rephist.h +++ b/src/or/rephist.h 
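Review bot: `MAX_LINK_PROTO_TO_LOG` and `link_proto_count` in src/or/rephist.c have no doc comments, and the value 4 is repeated by hand in the format string and argument list of rep_hist_log_link_protocol_counts(). If a later link protocol version is ever negotiated, every such handshake would reach the `log_warn(LD_BUG, ...)` branch in rep_hist_note_negotiated_link_proto(), which on a busy relay could mean one warning per connection; that warning should be rate-limited, or the out-of-range value folded into a catch-all counter. Version 0 also passes the bounds check and is counted in `link_proto_count[0]`, which the heartbeat never prints. I would add `/** Highest link protocol version counted; extend rep_hist_log_link_protocol_counts() when raising this. */` above the macro and `/** link_proto_count[v][s]: connections that negotiated version v; s is 1 if we started the connection, 0 otherwise. */` above the array.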
@@ -108,5 +108,9 @@ void rep_hist_stored_maybe_new_hs(const crypto_pk_t *pubkey); void rep_hist_free_all(void); +void rep_hist_note_negotiated_link_proto(unsigned link_proto, + int started_here); +void rep_hist_log_link_protocol_counts(void); + #endif diff --git a/src/or/status.c b/src/or/status.c index 2acdd2824..8f7be0aa3 100644 --- a/src/or/status.c +++ b/src/or/status.c @@ -136,8 +136,10 @@ log_heartbeat(time_t now) "Average packaged cell fullness: %2.3f%%. " "TLS write overhead: %.f%%", fullness_pct, overhead_pct); - if (public_server_mode(options)) + if (public_server_mode(options)) { rep_hist_log_circuit_handshake_stats(now); + rep_hist_log_link_protocol_counts(); + } circuit_log_ancient_one_hop_circuits(1800); diff --git a/src/test/test_status.c b/src/test/test_status.c index 0aa82ca08..3888a1b4e 100644 --- a/src/test/test_status.c +++ b/src/test/test_status.c @@ -337,7 +337,7 @@ NS(test_main)(void *arg) actual = log_heartbeat(0); tt_int_op(actual, OP_EQ, expected); - tt_int_op(CALLED(logv), OP_EQ, 4); + tt_int_op(CALLED(logv), OP_EQ, 5); done: NS_UNMOCK(tls_get_write_overhead_ratio); @@ -430,6 +430,12 @@ NS(logv)(int severity, log_domain_mask_t domain, tt_int_op(va_arg(ap, int), OP_EQ, 1); /* handshakes assigned (NTOR) */ tt_int_op(va_arg(ap, int), OP_EQ, 1); /* handshakes requested (NTOR) */ break; + case 4: + tt_int_op(severity, OP_EQ, LOG_NOTICE); + tt_int_op(domain, OP_EQ, LD_HEARTBEAT); + tt_ptr_op(strstr(funcname, "rep_hist_log_link_protocol_counts"), + OP_NE, NULL); + break; default: tt_abort_msg("unexpected call to logv()"); // TODO: prettyprint args break; From 9063f29160615b379f907009e7158f1fcf1ed84c Mon Sep 17 00:00:00 2001 
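Review bot: The new `case 4:` in NS(logv) in src/test/test_status.c checks only the severity, the domain and the function name, and never reads the eight counter arguments from `ap`. A swap of the initiated and received indices, or a wrong version index, in rep_hist_log_link_protocol_counts() would still pass this test. Consider reading the eight values with `va_arg`, using the type that `U64_PRINTF_ARG` actually passes, and comparing each against the expected count, as the earlier cases do for the handshake numbers. The switch and the function continue outside the hunk.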
From: Nick Mathewson Date: Thu, 12 Mar 2015 12:49:08 -0400 Subject: [PATCH 2/3] Revert "Make TransProxyType ipfw work correctly" This reverts commit 681802817deb6fb93b95f8284856fd42f3556600. (I didn't mean to backport this, but somehow I had based my branch for #15205 on it.) --- changes/bug15064 | 4 ---- src/or/connection_edge.c | 3 +-- 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 changes/bug15064 diff --git a/changes/bug15064 b/changes/bug15064 deleted file mode 100644 index e6bd747b1..000000000 --- a/changes/bug15064 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (FreeBSD IPFW transparent proxy): - - Fix address detection with FreeBSD transparent proxies, - when "TransProxyType ipfw" is in use. - Fixes bug 15064; bugfix on 0.2.5.4-alpha. diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 1eeb22fce..49f9ba497 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -1531,8 +1531,7 @@ connection_ap_get_original_destination(entry_connection_t *conn, if (options->TransProxyType_parsed == TPT_PF_DIVERT) return destination_from_socket(conn, req); - if (options->TransProxyType_parsed == TPT_DEFAULT || - options->TransProxyType_parsed == TPT_IPFW) + if (options->TransProxyType_parsed == TPT_DEFAULT) return destination_from_pf(conn, req); (void)conn; From b3281fc6d634ac32c6ce591313600b0ed56a9347 Mon Sep 17 00:00:00 2001 From: Yawning Angel Date: Thu, 12 Mar 2015 15:37:48 +0000 Subject: [PATCH 3/3] Initialize the extorport auth cookie before launching PTs. PTs expect the auth cookie to be available immedieately after launch, leading to a race condition when PTs opt to cache the extorport cookie once immediately after startup. Fixes #15240. --- changes/bug15240 | 6 ++++++ src/or/config.c | 13 +++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) create mode 100644 changes/bug15240 diff --git a/changes/bug15240 b/changes/bug15240 new file mode 100644 index 000000000..e11f804a1 --- /dev/null 
+++ b/changes/bug15240 @@ -0,0 +1,6 @@ + o Minor bugfixes (pluggable transports): + - Initialize the extended OR Port authentication cookie before launching + pluggable transports. This prevents a race condition that occured when + server-side pluggable transports would cache the authentication cookie + before it has been (re)generated. Fixes bug 15240; bugfix on + 0.2.5.1-alpha. diff --git a/src/or/config.c b/src/or/config.c index 5ba8c997f..fca350c20 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1451,6 +1451,13 @@ options_act(const or_options_t *old_options) rep_hist_load_mtbf_data(time(NULL)); } + /* If we have an ExtORPort, initialize its auth cookie. */ + if (running_tor && + init_ext_or_cookie_authentication(!!options->ExtORPort_lines) < 0) { + log_warn(LD_CONFIG,"Error creating Extended ORPort cookie file."); + return -1; + } + mark_transport_list(); pt_prepare_proxy_list_for_config_read(); if (!options->DisableNetwork) { @@ -1555,12 +1562,6 @@ options_act(const or_options_t *old_options) return -1; } - /* If we have an ExtORPort, initialize its auth cookie. */ - if (init_ext_or_cookie_authentication(!!options->ExtORPort_lines) < 0) { - log_warn(LD_CONFIG,"Error creating Extended ORPort cookie file."); - return -1; - } - monitor_owning_controller_process(options->OwningControllerProcess); /* reload keys as needed for rendezvous services. */
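Review bot: The moved block in options_act() in src/or/config.c gains a `running_tor &&` guard that the removed block did not carry (the old location may have sat inside an enclosing check the hunk does not show), and neither the comment nor the commit message explains it. The comment should also record why the call sits here, since the fix depends entirely on its position ahead of `mark_transport_list()` and `pt_prepare_proxy_list_for_config_read()`; something like `/* If we have an ExtORPort, initialize its auth cookie. This must run before pluggable transports are launched, because they read the cookie right after startup (bug 15240). */`. It is also worth confirming that a second pass through options_act() on a config reload does not regenerate the cookie under already-running transports, which would leave them holding a stale value; init_ext_or_cookie_authentication() is outside the diff, so that cannot be checked here. options_act() starts and ends outside both hunks.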