| blob | 390cff7dba408e35500d13871cd042c9f66d19a1 |
1 /* Copyright (c) 2003-2004, Roger Dingledine
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2017, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file compat.c
8 * \brief Wrappers to make calls more portable. This code defines
9 * functions such as tor_snprintf, get/set various data types,
10 * renaming, setting socket options, switching user IDs. It is basically
11 * where the non-portable items are conditionally included depending on
12 * the platform.
13 **/
15 #define COMPAT_PRIVATE
18 #ifdef _WIN32
19 #include <winsock2.h>
20 #include <windows.h>
21 #include <sys/locking.h>
22 #endif
24 #ifdef HAVE_UNAME
25 #include <sys/utsname.h>
26 #endif
27 #ifdef HAVE_SYS_TYPES_H
28 #include <sys/types.h>
29 #endif
30 #ifdef HAVE_SYS_SYSCTL_H
31 #include <sys/sysctl.h>
32 #endif
33 #ifdef HAVE_SYS_STAT_H
34 #include <sys/stat.h>
35 #endif
36 #ifdef HAVE_UTIME_H
37 #include <utime.h>
38 #endif
39 #ifdef HAVE_SYS_UTIME_H
40 #include <sys/utime.h>
41 #endif
42 #ifdef HAVE_UNISTD_H
43 #include <unistd.h>
44 #endif
45 #ifdef HAVE_SYS_FCNTL_H
46 #include <sys/fcntl.h>
47 #endif
48 #ifdef HAVE_PWD_H
49 #include <pwd.h>
50 #endif
51 #ifdef HAVE_GRP_H
52 #include <grp.h>
53 #endif
54 #ifdef HAVE_FCNTL_H
55 #include <fcntl.h>
56 #endif
57 #ifdef HAVE_ERRNO_H
58 #include <errno.h>
59 #endif
60 #ifdef HAVE_ARPA_INET_H
61 #include <arpa/inet.h>
62 #endif
63 #ifdef HAVE_CRT_EXTERNS_H
64 #include <crt_externs.h>
65 #endif
66 #ifdef HAVE_SYS_STATVFS_H
67 #include <sys/statvfs.h>
68 #endif
69 #ifdef HAVE_SYS_CAPABILITY_H
70 #include <sys/capability.h>
71 #endif
73 #ifdef _WIN32
74 #include <conio.h>
75 #include <wchar.h>
76 /* Some mingw headers lack these. :p */
77 #if defined(HAVE_DECL__GETWCH) && !HAVE_DECL__GETWCH
79 #endif
80 #ifndef WEOF
81 #define WEOF (wchar_t)(0xFFFF)
82 #endif
83 #if defined(HAVE_DECL_SECUREZEROMEMORY) && !HAVE_DECL_SECUREZEROMEMORY
86 {
90 }
91 #endif
92 #elif defined(HAVE_READPASSPHRASE_H)
93 #include <readpassphrase.h>
94 #else
96 #endif
98 /* Includes for the process attaching prevention */
99 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
100 /* Only use the linux prctl; the IRIX prctl is totally different */
101 #include <sys/prctl.h>
102 #elif defined(__APPLE__)
103 #include <sys/types.h>
104 #include <sys/ptrace.h>
105 #endif
107 #ifdef HAVE_NETDB_H
108 #include <netdb.h>
109 #endif
110 #ifdef HAVE_SYS_PARAM_H
112 #endif
113 #include <stdio.h>
114 #include <stdlib.h>
115 #include <assert.h>
116 #ifdef HAVE_SIGNAL_H
117 #include <signal.h>
118 #endif
119 #ifdef HAVE_SYS_MMAN_H
120 #include <sys/mman.h>
121 #endif
122 #ifdef HAVE_SYS_SYSLIMITS_H
123 #include <sys/syslimits.h>
124 #endif
125 #ifdef HAVE_SYS_FILE_H
126 #include <sys/file.h>
127 #endif
135 /* Inline the strl functions if the platform doesn't have them. */
136 #ifndef HAVE_STRLCPY
138 #endif
139 #ifndef HAVE_STRLCAT
141 #endif
143 /* When set_max_file_descriptors() is called, update this with the max file
144 * descriptor value so we can use it to check the limit when opening a new
145 * socket. Default value is what Debian sets as the default hard limit. */
148 /** As open(path, flags, mode), but return an fd with the close-on-exec mode
149 * set. */
150 int
152 {
155 #ifdef O_CLOEXEC
159 /* If we got an error, see if it is EINVAL. EINVAL might indicate that,
160 * even though we were built on a system with O_CLOEXEC support, we
161 * are running on one without. */
164 #endif
168 #ifdef FD_CLOEXEC
174 }
175 }
176 #endif
178 }
180 /** As fopen(path,mode), but ensures that the O_CLOEXEC bit is set on the
181 * underlying file handle. */
184 {
186 #ifdef FD_CLOEXEC
192 }
193 }
194 #endif
196 }
198 /** As rename(), but work correctly with the sandbox. */
199 int
201 {
205 }
207 /* Some MinGW builds have sys/mman.h, but not the corresponding symbols.
208 * Other configs rename the symbols using macros (including getpagesize).
209 * So check for sys/mman.h and unistd.h, and a getpagesize declaration. */
210 #if (defined(HAVE_SYS_MMAN_H) && defined(HAVE_UNISTD_H) && \
211 defined(HAVE_DECL_GETPAGESIZE))
212 #define COMPAT_HAS_MMAN_AND_PAGESIZE
213 #endif
215 #if defined(COMPAT_HAS_MMAN_AND_PAGESIZE) || defined(RUNNING_DOXYGEN)
216 /** Try to create a memory mapping for <b>filename</b> and return it. On
217 * failure, return NULL. Sets errno properly, using ERANGE to mean
218 * "empty file". */
219 tor_mmap_t *
221 {
239 }
241 /* Get the size of the file */
251 }
253 /*
254 * Should we check for weird crap like mmapping a named pipe here,
255 * or just wait for if (!size) below to fail?
256 */
257 /* ensure page alignment */
266 }
268 /* Zero-length file. If we call mmap on it, it will succeed but
269 * return NULL, and bad things will happen. So just fail. */
274 }
284 }
292 }
293 /** Release storage held for a memory mapping; returns 0 on success,
294 * or -1 on failure (and logs a warning). */
295 int
297 {
305 /* munmap() succeeded */
311 }
314 }
315 #elif defined(_WIN32)
316 tor_mmap_t *
318 {
326 #ifdef UNICODE
328 #else
330 #endif
333 NULL,
334 OPEN_EXISTING,
335 FILE_ATTRIBUTE_NORMAL,
346 }
351 }
356 }
360 NULL,
361 PAGE_READONLY,
362 size_high,
363 size_low,
364 NULL);
368 FILE_MAP_READ,
375 win_err: {
384 else
386 }
387 err:
394 }
396 /* Unmap the file, and return 0 for success or -1 for failure */
397 int
399 {
404 /* This is an ugly cast, but without it, "data" in struct tor_mmap_t would
405 have to be redefined as non-const. */
410 }
411 }
418 }
419 #else
420 tor_mmap_t *
422 {
432 }
434 /** Unmap the file mapped with tor_mmap_file(), and return 0 for success
435 * or -1 for failure.
436 */
438 int
440 {
450 /* Can't fail in this mmap()/munmap()-free case */
452 }
453 #endif
455 /** Replacement for snprintf. Differs from platform snprintf in two
456 * ways: First, always NUL-terminates its output. Second, always
457 * returns -1 if the result is truncated. (Note that this return
458 * behavior does <i>not</i> conform to C99; it just happens to be
459 * easier to emulate "return -1" with conformant implementations than
460 * it is to emulate "return number that would be written" with
461 * non-conformant implementations.) */
462 int
464 {
471 }
473 /** Replacement for vsnprintf; behavior differs as tor_snprintf differs from
474 * snprintf.
475 */
476 int
478 {
484 #ifdef _WIN32
486 #else
488 #endif
493 }
495 /**
496 * Portable asprintf implementation. Does a printf() into a newly malloc'd
497 * string. Sets *<b>strp</b> to this string, and returns its length (not
498 * including the terminating NUL character).
499 *
500 * You can treat this function as if its implementation were something like
501 <pre>
502 char buf[_INFINITY_];
503 tor_snprintf(buf, sizeof(buf), fmt, args);
504 *strp = tor_strdup(buf);
505 return strlen(*strp):
506 </pre>
507 * Where _INFINITY_ is an imaginary constant so big that any string can fit
508 * into it.
509 */
510 int
512 {
519 /* LCOV_EXCL_START */
522 /* LCOV_EXCL_STOP */
523 }
525 }
527 /**
528 * Portable vasprintf implementation. Does a printf() into a newly malloc'd
529 * string. Differs from regular vasprintf in the same ways that
530 * tor_asprintf() differs from regular asprintf.
531 */
532 int
534 {
535 /* use a temporary variable in case *strp is in args. */
537 #ifdef HAVE_VASPRINTF
538 /* If the platform gives us one, use it. */
542 else
545 #elif defined(HAVE__VSCPRINTF)
546 /* On Windows, _vsnprintf won't tell us the length of the string if it
547 * overflows, so we need to use _vcsprintf to tell how much to allocate */
556 }
563 }
566 #else
567 /* Everywhere else, we have a decent vsnprintf that tells us how many
568 * characters we need. We give it a try on a short buffer first, since
569 * it might be nice to avoid the second vsnprintf call.
570 */
575 /* vsnprintf() was properly checked but tor_vsnprintf() available so
576 * why not use it? */
582 }
584 /* use of tor_vsnprintf() will ensure string is null terminated */
590 }
593 #endif
594 }
596 /** Given <b>hlen</b> bytes at <b>haystack</b> and <b>nlen</b> bytes at
597 * <b>needle</b>, return a pointer to the first occurrence of the needle
598 * within the haystack, or NULL if there is no such occurrence.
599 *
600 * This function is <em>not</em> timing-safe.
601 *
602 * Requires that <b>nlen</b> be greater than zero.
603 */
607 {
608 #if defined(HAVE_MEMMEM) && (!defined(__GNUC__) || __GNUC__ >= 2)
611 #else
612 /* This isn't as fast as the GLIBC implementation, but it doesn't need to
613 * be. */
624 /* Last position at which the needle could start. */
631 /* This comparison shouldn't be necessary, since if p was previously
632 * equal to last_possible_start, the next memchr call would be
633 * "memchr(p, first, 0)", which will return NULL. But it clarifies the
634 * logic. */
636 }
637 }
639 #endif
640 }
642 /**
643 * Tables to implement ctypes-replacement TOR_IS*() functions. Each table
644 * has 256 bits to look up whether a character is in some set or not. This
645 * fails on non-ASCII platforms, but it is hard to find a platform whose
646 * character set is not a superset of ASCII nowadays. */
648 /**@{*/
662 /** Upper-casing and lowercasing tables to map characters to upper/lowercase
663 * equivalents. Used by tor_toupper() and tor_tolower(). */
664 /**@{*/
682 };
700 };
701 /**@}*/
703 /** Helper for tor_strtok_r_impl: Advances cp past all characters in
704 * <b>sep</b>, and returns its new value. */
707 {
714 }
716 }
718 /** Implementation of strtok_r for platforms whose coders haven't figured out
719 * how to write one. Hey, retrograde libc developers! You can use this code
720 * here for free! */
723 {
735 }
742 }
749 }
751 }
753 #ifdef _WIN32
754 /** Take a filename and return a pointer to its final element. This
755 * function is called on __FILE__ to fix a MSVC nit where __FILE__
756 * contains the full path to the file. This is bad, because it
757 * confuses users to find the home directory of the person who
758 * compiled the binary in their warning messages.
759 */
762 {
774 }
776 }
777 #endif
779 /**
780 * Read a 16-bit value beginning at <b>cp</b>. Equivalent to
781 * *(uint16_t*)(cp), but will not cause segfaults on platforms that forbid
782 * unaligned memory access.
783 */
784 uint16_t
786 {
790 }
791 /**
792 * Read a 32-bit value beginning at <b>cp</b>. Equivalent to
793 * *(uint32_t*)(cp), but will not cause segfaults on platforms that forbid
794 * unaligned memory access.
795 */
796 uint32_t
798 {
802 }
803 /**
804 * Read a 64-bit value beginning at <b>cp</b>. Equivalent to
805 * *(uint64_t*)(cp), but will not cause segfaults on platforms that forbid
806 * unaligned memory access.
807 */
808 uint64_t
810 {
814 }
816 /**
817 * Set a 16-bit value beginning at <b>cp</b> to <b>v</b>. Equivalent to
818 * *(uint16_t*)(cp) = v, but will not cause segfaults on platforms that forbid
819 * unaligned memory access. */
820 void
822 {
824 }
825 /**
826 * Set a 32-bit value beginning at <b>cp</b> to <b>v</b>. Equivalent to
827 * *(uint32_t*)(cp) = v, but will not cause segfaults on platforms that forbid
828 * unaligned memory access. */
829 void
831 {
833 }
834 /**
835 * Set a 64-bit value beginning at <b>cp</b> to <b>v</b>. Equivalent to
836 * *(uint64_t*)(cp) = v, but will not cause segfaults on platforms that forbid
837 * unaligned memory access. */
838 void
840 {
842 }
844 /**
845 * Rename the file <b>from</b> to the file <b>to</b>. On Unix, this is
846 * the same as rename(2). On windows, this removes <b>to</b> first if
847 * it already exists.
848 * Returns 0 on success. Returns -1 and sets errno on failure.
849 */
850 int
852 {
853 #ifndef _WIN32
855 #else
857 {
869 }
871 #endif
872 }
874 /** Change <b>fname</b>'s modification time to now. */
875 int
877 {
881 }
883 /** Represents a lockfile on which we hold the lock. */
885 /** Name of the file */
887 /** File descriptor used to hold the file open */
889 };
891 /** Try to get a lock on the lockfile <b>filename</b>, creating it as
892 * necessary. If someone else has the lock and <b>blocking</b> is true,
893 * wait until the lock is available. Otherwise return immediately whether
894 * we succeeded or not.
895 *
896 * Set *<b>locked_out</b> to true if somebody else had the lock, and to false
897 * otherwise.
898 *
899 * Return a <b>tor_lockfile_t</b> on success, NULL on failure.
900 *
901 * (Implementation note: because we need to fall back to fcntl on some
902 * platforms, these locks are per-process, not per-thread. If you want
903 * to do in-process locking, use tor_mutex_t like a normal person.
904 * On Windows, when <b>blocking</b> is true, the maximum time that
905 * is actually waited is 10 seconds, after which NULL is returned
906 * and <b>locked_out</b> is set to 1.)
907 */
908 tor_lockfile_t *
910 {
921 }
923 #ifdef _WIN32
928 else
932 }
933 #elif defined(HAVE_FLOCK)
937 else
941 }
942 #else
943 {
951 else
955 }
956 }
957 #endif
963 }
965 /** Release the lock held as <b>lockfile</b>. */
966 void
968 {
972 #ifdef _WIN32
977 }
978 #elif defined(HAVE_FLOCK)
982 }
983 #else
984 /* Closing the lockfile is sufficient. */
985 #endif
991 }
993 /** @{ */
994 /** Some old versions of Unix didn't define constants for these values,
995 * and instead expect you to say 0, 1, or 2. */
996 #ifndef SEEK_SET
997 #define SEEK_SET 0
998 #endif
999 #ifndef SEEK_CUR
1000 #define SEEK_CUR 1
1001 #endif
1002 #ifndef SEEK_END
1003 #define SEEK_END 2
1004 #endif
1005 /** @} */
1007 /** Return the position of <b>fd</b> with respect to the start of the file. */
1008 off_t
1010 {
1011 #ifdef _WIN32
1013 #else
1015 #endif
1016 }
1018 /** Move <b>fd</b> to the end of the file. Return -1 on error, 0 on success.
1019 * If the file is a pipe, do nothing and succeed.
1020 **/
1021 int
1023 {
1024 #ifdef _WIN32
1026 #else
1028 #ifdef ESPIPE
1029 /* If we get an error and ESPIPE, then it's a pipe or a socket of a fifo:
1030 * no need to worry. */
1033 #endif
1035 #endif
1036 }
1038 /** Move <b>fd</b> to position <b>pos</b> in the file. Return -1 on error, 0
1039 * on success. */
1040 int
1042 {
1043 #ifdef _WIN32
1045 #else
1047 #endif
1048 }
1050 /** Replacement for ftruncate(fd, 0): move to the front of the file and remove
1051 * all the rest of the file. Return -1 on error, 0 on success. */
1052 int
1054 {
1055 /* Rumor has it that some versions of ftruncate do not move the file pointer.
1056 */
1060 #ifdef _WIN32
1062 #else
1064 #endif
1065 }
1067 #undef DEBUG_SOCKET_COUNTING
1068 #ifdef DEBUG_SOCKET_COUNTING
1069 /** A bitarray of all fds that should be passed to tor_socket_close(). Only
1070 * used if DEBUG_SOCKET_COUNTING is defined. */
1072 /** The size of <b>open_sockets</b>, in bits. */
1074 #endif
1076 /** Count of number of sockets currently open. (Undercounts sockets opened by
1077 * eventdns and libevent.) */
1080 /** Mutex to protect open_sockets, max_socket, and n_sockets_open. */
1083 /** Helper: acquire the socket accounting lock. */
1086 {
1090 }
1092 /** Helper: release the socket accounting lock. */
1095 {
1097 }
1099 /** As close(), but guaranteed to work for sockets across platforms (including
1100 * Windows, where close()ing a socket doesn't work. Returns 0 on success and
1101 * the socket error code on failure. */
1102 int
1104 {
1107 /* On Windows, you have to call close() on fds returned by open(),
1108 * and closesocket() on fds returned by socket(). On Unix, everything
1109 * gets close()'d. We abstract this difference by always using
1110 * tor_close_socket to close sockets, and always using close() on
1111 * files.
1112 */
1113 #if defined(_WIN32)
1115 #else
1117 #endif
1123 }
1126 }
1128 /** As tor_close_socket_simple(), but keeps track of the number
1129 * of open sockets. Returns 0 on success, -1 on failure. */
1132 {
1136 #ifdef DEBUG_SOCKET_COUNTING
1143 }
1144 #endif
1148 #ifdef _WIN32
1151 #else
1154 #endif
1156 }
1161 }
1163 /** @{ */
1164 #ifdef DEBUG_SOCKET_COUNTING
1165 /** Helper: if DEBUG_SOCKET_COUNTING is enabled, remember that <b>s</b> is
1166 * now an open socket. */
1169 {
1170 /* XXXX This bitarray business will NOT work on windows: sockets aren't
1171 small ints there. */
1179 }
1180 }
1184 }
1186 }
1187 #else
1188 #define mark_socket_open(s) STMT_NIL
1189 #endif
1190 /** @} */
1192 /** As socket(), but counts the number of open sockets. */
1195 {
1197 }
1199 /** Mockable wrapper for connect(). */
1202 socklen_t address_len))
1203 {
1205 }
1207 /** As socket(), but creates a nonblocking socket and
1208 * counts the number of open sockets. */
1209 tor_socket_t
1211 {
1213 }
1215 /** As socket(), but counts the number of open sockets and handles
1216 * socket creation with either of SOCK_CLOEXEC and SOCK_NONBLOCK specified.
1217 * <b>cloexec</b> and <b>nonblock</b> should be either 0 or 1 to indicate
1218 * if the corresponding extension should be used.*/
1219 tor_socket_t
1222 {
1223 tor_socket_t s;
1225 /* We are about to create a new file descriptor so make sure we have
1226 * enough of them. */
1228 #ifdef _WIN32
1230 #else
1232 #endif
1234 }
1236 #if defined(SOCK_CLOEXEC) && defined(SOCK_NONBLOCK)
1242 /* If we got an error, see if it is EINVAL. EINVAL might indicate that,
1243 * even though we were built on a system with SOCK_CLOEXEC and SOCK_NONBLOCK
1244 * support, we are running on one without. */
1253 #if defined(FD_CLOEXEC)
1259 }
1260 }
1261 #else
1263 #endif
1269 }
1270 }
1274 socket_ok:
1280 }
1282 /** As accept(), but counts the number of open sockets. */
1283 tor_socket_t
1285 {
1287 }
1289 /** As accept(), but returns a nonblocking socket and
1290 * counts the number of open sockets. */
1291 tor_socket_t
1294 {
1296 }
1298 /** As accept(), but counts the number of open sockets and handles
1299 * socket creation with either of SOCK_CLOEXEC and SOCK_NONBLOCK specified.
1300 * <b>cloexec</b> and <b>nonblock</b> should be either 0 or 1 to indicate
1301 * if the corresponding extension should be used.*/
1302 tor_socket_t
1305 {
1306 tor_socket_t s;
1308 /* We are about to create a new file descriptor so make sure we have
1309 * enough of them. */
1311 #ifdef _WIN32
1313 #else
1315 #endif
1317 }
1319 #if defined(HAVE_ACCEPT4) && defined(SOCK_CLOEXEC) && defined(SOCK_NONBLOCK)
1325 /* If we got an error, see if it is ENOSYS. ENOSYS indicates that,
1326 * even though we were built on a system with accept4 support, we
1327 * are running on one without. Also, check for EINVAL, which indicates that
1328 * we are missing SOCK_CLOEXEC/SOCK_NONBLOCK support. */
1331 #endif
1337 #if defined(FD_CLOEXEC)
1343 }
1344 }
1345 #else
1347 #endif
1353 }
1354 }
1358 socket_ok:
1364 }
1366 /** Return the number of sockets we currently have opened. */
1367 int
1369 {
1375 }
1377 /** Mockable wrapper for getsockname(). */
1381 {
1383 }
1385 /** Turn <b>socket</b> into a nonblocking socket. Return 0 on success, -1
1386 * on failure.
1387 */
1388 int
1390 {
1391 #if defined(_WIN32)
1394 #else
1401 }
1406 }
1407 #endif
1410 }
1412 /**
1413 * Allocate a pair of connected sockets. (Like socketpair(family,
1414 * type,protocol,fd), but works on systems that don't have
1415 * socketpair.)
1416 *
1417 * Currently, only (AF_UNIX, SOCK_STREAM, 0) sockets are supported.
1418 *
1419 * Note that on systems without socketpair, this call will fail if
1420 * localhost is inaccessible (for example, if the networking
1421 * stack is down). And even if it succeeds, the socket pair will not
1422 * be able to read while localhost is down later (the socket pair may
1423 * even close, depending on OS-specific timeouts).
1424 *
1425 * Returns 0 on success and -errno on failure; do not rely on the value
1426 * of errno or WSAGetLastError().
1427 **/
1428 /* It would be nicer just to set errno, but that won't work for windows. */
1429 int
1431 {
1432 //don't use win32 socketpairs (they are always bad)
1433 #if defined(HAVE_SOCKETPAIR) && !defined(_WIN32)
1436 #ifdef SOCK_CLOEXEC
1440 /* If we got an error, see if it is EINVAL. EINVAL might indicate that,
1441 * even though we were built on a system with SOCK_CLOEXEC support, we
1442 * are running on one without. */
1445 #endif
1451 #if defined(FD_CLOEXEC)
1458 }
1459 }
1466 }
1467 }
1468 #endif
1471 sockets_ok:
1476 }
1480 }
1484 #else
1486 #endif
1487 }
1489 #ifdef NEED_ERSATZ_SOCKETPAIR
1493 {
1501 }
1502 }
1504 /**
1505 * Helper used to implement socketpair on systems that lack it, by
1506 * making a direct connection to localhost.
1507 */
1508 STATIC int
1510 {
1511 /* This socketpair does not work when localhost is down. So
1512 * it's really not the same thing at all. But it's close enough
1513 * for now, and really, when localhost is down sometimes, we
1514 * have other problems too.
1515 */
1519 tor_addr_t listen_tor_addr;
1523 tor_addr_t connect_tor_addr;
1526 socklen_t size;
1536 #ifdef AF_UNIX
1538 #endif
1539 ) {
1540 #ifdef _WIN32
1542 #else
1544 #endif
1545 }
1548 }
1555 /* Assume we're on an IPv6-only system */
1559 /* Keep the previous behaviour, which was to return the IPv4 error.
1560 * (This may be less informative on IPv6-only systems.)
1561 * XX/teor - is there a better way to decide which errno to return?
1562 * (I doubt we care much either way, once there is an error.)
1563 */
1565 }
1566 }
1567 }
1568 /* If there is no 127.0.0.1 or ::1, this will and must fail. Otherwise, we
1569 * risk exposing a socketpair on a routable IP address. (Some BSD jails
1570 * use a routable address for localhost. Fortunately, they have the real
1571 * AF_UNIX socketpair.) */
1576 }
1580 listen_addr,
1590 /* We want to find out the port number to connect to. */
1605 /* Now check we are talking to ourself by matching port and host on the
1606 two sockets. */
1609 /* Set *_tor_addr and *_port to the address and port that was used */
1616 }
1623 abort_tidy_up_and_fail:
1624 #ifdef _WIN32
1626 #else
1628 #endif
1629 tidy_up_and_fail:
1639 }
1641 #undef SIZEOF_SOCKADDR
1643 #endif
1645 /* Return the maximum number of allowed sockets. */
1646 int
1648 {
1650 }
1652 /** Number of extra file descriptors to keep in reserve beyond those that we
1653 * tell Tor it's allowed to use. */
1656 /** Learn the maximum allowed number of file descriptors, and tell the
1657 * system we want to use up to that number. (Some systems have a low soft
1658 * limit, and let us set it higher.) We compute this by finding the largest
1659 * number that we can use.
1660 *
1661 * If the limit is below the reserved file descriptor value (ULIMIT_BUFFER),
1662 * return -1 and <b>max_out</b> is untouched.
1663 *
1664 * If we can't find a number greater than or equal to <b>limit</b>, then we
1665 * fail by returning -1 and <b>max_out</b> is untouched.
1666 *
1667 * If we are unable to set the limit value because of setrlimit() failing,
1668 * return -1 and <b>max_out</b> is set to the current maximum value returned
1669 * by getrlimit().
1670 *
1671 * Otherwise, return 0 and store the maximum we found inside <b>max_out</b>
1672 * and set <b>max_sockets</b> with that value as well.*/
1673 int
1675 {
1680 }
1682 /* Define some maximum connections values for systems where we cannot
1683 * automatically determine a limit. Re Cygwin, see
1684 * http://archives.seul.org/or/talk/Aug-2006/msg00210.html
1685 * For an iPhone, 9999 should work. For Windows and all other unknown
1686 * systems we use 15000 as the default. */
1687 #ifndef HAVE_GETRLIMIT
1688 #if defined(CYGWIN) || defined(__CYGWIN__)
1691 #elif defined(_WIN32)
1694 #else
1697 #endif
1702 "We do not support more than %lu file descriptors "
1706 }
1715 }
1721 }
1726 }
1727 /* Set the current limit value so if the attempt to set the limit to the
1728 * max fails at least we'll have a valid value of maximum sockets. */
1734 #ifdef OPEN_MAX
1736 /* On some platforms, OPEN_MAX is the real limit, and getrlimit() is
1737 * full of nasty lies. I'm looking at you, OSX 10.5.... */
1748 }
1750 }
1751 }
1757 }
1758 }
1759 /* leave some overhead for logs, etc, */
1768 }
1770 #ifndef _WIN32
1771 /** Log details of current user and group credentials. Return 0 on
1772 * success. Logs and return -1 on failure.
1773 */
1774 static int
1776 {
1777 /** Log level to use when describing non-error UID/GID status. */
1778 #define CREDENTIAL_LOG_LEVEL LOG_INFO
1779 /* Real, effective and saved UIDs */
1781 /* Read, effective and saved GIDs */
1783 /* Supplementary groups */
1786 /* Number of supplementary groups */
1789 /* log UIDs */
1790 #ifdef HAVE_GETRESUID
1798 }
1799 #else
1800 /* getresuid is not present on MacOS X, so we can't get the saved (E)UID */
1808 #endif
1810 /* log GIDs */
1811 #ifdef HAVE_GETRESGID
1819 }
1820 #else
1821 /* getresgid is not present on MacOS X, so we can't get the saved (E)GID */
1828 #endif
1830 /* log supplementary groups */
1838 }
1852 }
1864 }
1867 }
1868 #endif
1870 #ifndef _WIN32
1871 /** Cached struct from the last getpwname() call we did successfully. */
1874 /** Helper: copy a struct passwd object.
1875 *
1876 * We only copy the fields pw_uid, pw_gid, pw_name, pw_dir. Tor doesn't use
1877 * any others, and I don't want to run into incompatibilities.
1878 */
1881 {
1891 }
1893 /** Helper: free one of our cached 'struct passwd' values. */
1894 static void
1896 {
1903 }
1905 /** Wrapper around getpwnam() that caches result. Used so that we don't need
1906 * to give the sandbox access to /etc/passwd.
1907 *
1908 * The following fields alone will definitely be copied in the output: pw_uid,
1909 * pw_gid, pw_name, pw_dir. Other fields are not present in cached values.
1910 *
1911 * When called with a NULL argument, this function clears storage associated
1912 * with static variables it uses.
1913 **/
1916 {
1923 }
1931 }
1933 /* Lookup failed */
1941 }
1943 /** Wrapper around getpwnam() that can use cached result from
1944 * tor_getpwnam(). Used so that we don't need to give the sandbox access to
1945 * /etc/passwd.
1946 *
1947 * The following fields alone will definitely be copied in the output: pw_uid,
1948 * pw_gid, pw_name, pw_dir. Other fields are not present in cached values.
1949 */
1952 {
1957 }
1959 /* Lookup failed */
1967 }
1968 #endif
1970 /** Return true iff we were compiled with capability support, and capabilities
1971 * seem to work. **/
1972 int
1974 {
1975 #ifdef HAVE_LINUX_CAPABILITIES
1981 #else
1983 #endif
1984 }
1986 #ifdef HAVE_LINUX_CAPABILITIES
1987 /** Helper. Drop all capabilities but a small set, and set PR_KEEPCAPS as
1988 * appropriate.
1989 *
1990 * If pre_setuid, retain only CAP_NET_BIND_SERVICE, CAP_SETUID, and
1991 * CAP_SETGID, and use PR_KEEPCAPS to ensure that capabilities persist across
1992 * setuid().
1993 *
1994 * If not pre_setuid, retain only CAP_NET_BIND_SERVICE, and disable
1995 * PR_KEEPCAPS.
1996 *
1997 * Return 0 on success, and -1 on failure.
1998 */
1999 static int
2001 {
2002 /* We keep these three capabilities, and these only, as we setuid.
2003 * After we setuid, we drop all but the first. */
2006 };
2013 /* Sets whether we keep capabilities across a setuid. */
2018 }
2025 }
2038 }
2041 }
2042 #endif
2044 /** Call setuid and setgid to run as <b>user</b> and switch to their
2045 * primary group. Return 0 on success. On failure, log and return -1.
2046 *
2047 * If SWITCH_ID_KEEP_BINDLOW is set in 'flags', try to use the capability
2048 * system to retain the abilitity to bind low ports.
2049 *
2050 * If SWITCH_ID_WARN_IF_NO_CAPS is set in flags, also warn if we have
2051 * don't have capability support.
2052 */
2053 int
2055 {
2056 #ifndef _WIN32
2058 uid_t old_uid;
2059 gid_t old_gid;
2069 /* Log the initial credential state */
2075 /* Get old UID/GID to check if we changed correctly */
2079 /* Lookup the user and group information, if we have a problem, bail out. */
2084 }
2086 #ifdef HAVE_LINUX_CAPABILITIES
2091 }
2092 #else
2097 }
2098 #endif
2100 /* Properly switch egid,gid,euid,uid here or bail out */
2107 "you want to be. (If you did not set the User option in your "
2108 "torrc, check whether it was specified on the command line "
2113 }
2115 }
2121 }
2127 }
2133 }
2139 }
2141 /* This is how OpenBSD rolls:
2142 if (setgroups(1, &pw->pw_gid) || setegid(pw->pw_gid) ||
2143 setgid(pw->pw_gid) || setuid(pw->pw_uid) || seteuid(pw->pw_uid)) {
2144 setgid(pw->pw_gid) || seteuid(pw->pw_uid) || setuid(pw->pw_uid)) {
2145 log_warn(LD_GENERAL, "Error setting configured UID/GID: %s",
2146 strerror(errno));
2147 return -1;
2148 }
2149 */
2151 /* We've properly switched egid, gid, euid, uid, and supplementary groups if
2152 * we're here. */
2153 #ifdef HAVE_LINUX_CAPABILITIES
2157 }
2158 #endif
2160 #if !defined(CYGWIN) && !defined(__CYGWIN__)
2161 /* If we tried to drop privilege to a group/user other than root, attempt to
2162 * restore root (E)(U|G)ID, and abort if the operation succeeds */
2164 /* Only check for privilege dropping if we were asked to be non-root */
2166 /* Try changing GID/EGID */
2172 }
2174 /* Try changing UID/EUID */
2180 }
2181 }
2182 #endif
2184 /* Check what really happened */
2187 }
2191 #if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) && defined(HAVE_PRCTL)
2192 #ifdef PR_SET_DUMPABLE
2194 /* Re-enable core dumps if we're not running as root. */
2198 }
2199 }
2200 #endif
2201 #endif
2204 #else
2210 #endif
2211 }
2213 /* We only use the linux prctl for now. There is no Win32 support; this may
2214 * also work on various BSD systems and Mac OS X - send testing feedback!
2215 *
2216 * On recent Gnu/Linux kernels it is possible to create a system-wide policy
2217 * that will prevent non-root processes from attaching to other processes
2218 * unless they are the parent process; thus gdb can attach to programs that
2219 * they execute but they cannot attach to other processes running as the same
2220 * user. The system wide policy may be set with the sysctl
2221 * kernel.yama.ptrace_scope or by inspecting
2222 * /proc/sys/kernel/yama/ptrace_scope and it is 1 by default on Ubuntu 11.04.
2223 *
2224 * This ptrace scope will be ignored on Gnu/Linux for users with
2225 * CAP_SYS_PTRACE and so it is very likely that root will still be able to
2226 * attach to the Tor process.
2227 */
2228 /** Attempt to disable debugger attachment: return 1 on success, -1 on
2229 * failure, and 0 if we don't know how to try on this platform. */
2230 int
2232 {
2237 "Attemping to disable debugger attachment to Tor for "
2239 #if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) && defined(HAVE_PRCTL)
2240 #ifdef PR_SET_DUMPABLE
2243 #endif
2244 #endif
2245 #if defined(__APPLE__) && defined(PT_DENY_ATTACH)
2249 }
2250 #endif
2252 // XXX: TODO - Mac OS X has dtrace and this may be disabled.
2253 // XXX: TODO - Windows probably has something similar
2261 }
2263 }
2265 #ifdef HAVE_PWD_H
2266 /** Allocate and return a string containing the home directory for the
2267 * user <b>username</b>. Only works on posix-like systems. */
2270 {
2277 }
2279 }
2280 #endif
2282 /** Modify <b>fname</b> to contain the name of its parent directory. Doesn't
2283 * actually examine the filesystem; does a purely syntactic modification.
2284 *
2285 * The parent of the root director is considered to be iteself.
2286 *
2287 * Path separators are the forward slash (/) everywhere and additionally
2288 * the backslash (\) on Win32.
2289 *
2290 * Cuts off any number of trailing path separators but otherwise ignores
2291 * them for purposes of finding the parent directory.
2292 *
2293 * Returns 0 if a parent directory was successfully found, -1 otherwise (fname
2294 * did not have any path separators or only had them at the end).
2295 * */
2296 int
2298 {
2302 #ifdef _WIN32
2303 /* If we start with, say, c:, then don't consider that the start of the path
2304 */
2307 }
2308 #endif
2309 /* Now we want to remove all path-separators at the end of the string,
2310 * and to remove the end of the string starting with the path separator
2311 * before the last non-path-separator. In perl, this would be
2312 * s#[/]*$##; s#/[^/]*$##;
2313 * on a unixy platform.
2314 */
2319 #ifdef _WIN32
2321 #endif
2322 );
2325 /* This is the first separator in the file name; don't remove it! */
2328 }
2334 }
2335 }
2337 }
2339 #ifndef _WIN32
2340 /** Return a newly allocated string containing the output of getcwd(). Return
2341 * NULL on failure. (We can't just use getcwd() into a PATH_MAX buffer, since
2342 * Hurd hasn't got a PATH_MAX.)
2343 */
2346 {
2347 #ifdef PATH_MAX
2348 #define MAX_CWD PATH_MAX
2349 #else
2350 #define MAX_CWD 4096
2351 #endif
2356 }
2357 #endif
2359 /** Expand possibly relative path <b>fname</b> to an absolute path.
2360 * Return a newly allocated string, possibly equal to <b>fname</b>. */
2363 {
2364 #ifdef _WIN32
2367 /* We don't want to assume that tor_free can free a string allocated
2368 * with malloc. On failure, return fname (it's better than nothing). */
2373 #else
2386 /* LCOV_EXCL_START Can't make getcwd fail. */
2387 /* If getcwd failed, the best we can do here is keep using the
2388 * relative path. (Perhaps / isn't readable by this UID/GID.) */
2392 /* LCOV_EXCL_STOP */
2393 }
2394 }
2396 #endif
2397 }
2399 #ifndef HAVE__NSGETENVIRON
2400 #ifndef HAVE_EXTERN_ENVIRON_DECLARED
2401 /* Some platforms declare environ under some circumstances, others don't. */
2402 #ifndef RUNNING_DOXYGEN
2404 #endif
2405 #endif
2406 #endif
2408 /** Return the current environment. This is a portable replacement for
2409 * 'environ'. */
2412 {
2413 #ifdef HAVE__NSGETENVIRON
2414 /* This is for compatibility between OSX versions. Otherwise (for example)
2415 * when we do a mostly-static build on OSX 10.7, the resulting binary won't
2416 * work on OSX 10.6. */
2418 #else
2420 #endif
2421 }
2423 /** Get name of current host and write it to <b>name</b> array, whose
2424 * length is specified by <b>namelen</b> argument. Return 0 upon
2425 * successfull completion; otherwise return return -1. (Currently,
2426 * this function is merely a mockable wrapper for POSIX gethostname().)
2427 */
2430 {
2432 }
2434 /** Set *addr to the IP address (in dotted-quad notation) stored in *str.
2435 * Return 1 on success, 0 if *str is badly formatted.
2436 * (Like inet_aton(str,addr), but works on Windows and Solaris.)
2437 */
2438 int
2440 {
2451 }
2453 /** Given <b>af</b>==AF_INET and <b>src</b> a struct in_addr, or
2454 * <b>af</b>==AF_INET6 and <b>src</b> a struct in6_addr, try to format the
2455 * address and store it in the <b>len</b>-byte buffer <b>dst</b>. Returns
2456 * <b>dst</b> on success, NULL on failure.
2457 *
2458 * (Like inet_ntop(af,src,dst,len), but works on platforms that don't have it:
2459 * Tor sometimes needs to format ipv6 addresses even on platforms without ipv6
2460 * support.) */
2463 {
2467 else
2477 }
2481 /* This is an IPv4 address. */
2490 }
2495 }
2503 }
2507 }
2510 }
2511 }
2529 }
2530 }
2538 }
2539 }
2541 /** Given <b>af</b>==AF_INET or <b>af</b>==AF_INET6, and a string <b>src</b>
2542 * encoding an IPv4 address or IPv6 address correspondingly, try to parse the
2543 * address and store the result in <b>dst</b> (which must have space for a
2544 * struct in_addr or a struct in6_addr, as appropriate). Return 1 on success,
2545 * 0 on a bad parse, and -1 on a bad <b>af</b>.
2546 *
2547 * (Like inet_pton(af,src,dst) but works on platforms that don't have it: Tor
2548 * sometimes needs to format ipv6 addresses even on platforms without ipv6
2549 * support.) */
2550 int
2552 {
2569 ;
2574 /* We use "scanf" because some platform inet_aton()s are too lax
2575 * about IPv4 addresses of the form "1.2.3" */
2586 }
2594 ssize_t len;
2608 setWords++;
2622 }
2623 }
2637 }
2641 }
2646 }
2647 }
2649 /** Similar behavior to Unix gethostbyname: resolve <b>name</b>, and set
2650 * *<b>addr</b> to the proper IP address, in host byte order. Returns 0
2651 * on success, -1 on failure; 1 on transient failure.
2652 *
2653 * (This function exists because standard windows gethostbyname
2654 * doesn't treat raw IP addresses properly.)
2655 */
2659 {
2660 tor_addr_t myaddr;
2669 }
2672 }
2674 /** Hold the result of our call to <b>uname</b>. */
2676 /** True iff uname_result is set. */
2679 /** Return a pointer to a description of our platform.
2680 */
2682 {
2683 #ifdef HAVE_UNAME
2685 #endif
2687 #ifdef HAVE_UNAME
2689 /* (Linux says 0 is success, Solaris says 1 is success) */
2692 #endif
2693 {
2694 #ifdef _WIN32
2695 OSVERSIONINFOEX info;
2707 /* { 4, 0, "Windows NT 4.0" }, */
2710 /* { 4, 0, "Windows 95" } */
2713 };
2721 }
2725 else
2733 }
2734 }
2735 }
2744 else
2748 }
2749 #ifdef VER_NT_SERVER
2753 }
2754 #endif
2755 #else
2756 /* LCOV_EXCL_START -- can't provoke uname failure */
2758 /* LCOV_EXCL_STOP */
2759 #endif
2760 }
2762 }
2764 }
2766 /*
2767 * Process control
2768 */
2770 /** Implementation logic for compute_num_cpus(). */
2771 static int
2773 {
2774 #ifdef _WIN32
2775 SYSTEM_INFO info;
2780 else
2782 #elif defined(HAVE_SYSCONF)
2783 #ifdef _SC_NPROCESSORS_CONF
2785 #else
2787 #endif
2788 #ifdef _SC_NPROCESSORS_ONLN
2790 #else
2792 #endif
2802 "are available. Telling Tor to only use %ld. You can over"
2805 }
2807 }
2811 else
2813 #else
2815 #endif
2816 }
2818 #define MAX_DETECTABLE_CPUS 16
2820 /** Return how many CPUs we are running with. We assume that nobody is
2821 * using hot-swappable CPUs, so we don't recompute this after the first
2822 * time. Return -1 if we don't know how to tell the number of CPUs on this
2823 * system.
2824 */
2825 int
2827 {
2833 /* LCOV_EXCL_START */
2835 "will not autodetect any more than %d, though. If you "
2839 /* LCOV_EXCL_STOP */
2840 }
2841 }
2843 }
2845 #if !defined(_WIN32)
2846 /** Defined iff we need to add locks when defining fake versions of reentrant
2847 * versions of time-related functions. */
2848 #define TIME_FNS_NEED_LOCKS
2849 #endif
2851 /** Helper: Deal with confused or out-of-bounds values from localtime_r and
2852 * friends. (On some platforms, they can give out-of-bounds values or can
2853 * return NULL.) If <b>islocal</b>, this is a localtime result; otherwise
2854 * it's from gmtime. The function returned <b>r</b>, when given <b>timep</b>
2855 * as its input. If we need to store new results, store them in
2856 * <b>resultbuf</b>. */
2860 {
2864 /* We can't strftime dates after 9999 CE, and we want to avoid dates
2865 * before 1 CE (avoiding the year 0 issue and negative years). */
2884 }
2886 }
2888 /* If we get here, gmtime or localtime returned NULL. It might have done
2889 * this because of overrun or underrun, or it might have done it because of
2890 * some other weird issue. */
2905 /* Rounding down to INT32_MAX isn't so great, but keep in mind that we
2906 * only do it if gmtime/localtime tells us NULL. */
2918 }
2919 }
2921 /* If we get here, then gmtime/localtime failed without getting an extreme
2922 * value for *timep */
2923 /* LCOV_EXCL_START */
2928 /* LCOV_EXCL_STOP */
2929 done:
2934 outcome);
2936 }
2938 /** @{ */
2939 /** As localtime_r, but defined for platforms that don't have it:
2940 *
2941 * Convert *<b>timep</b> to a struct tm in local time, and store the value in
2942 * *<b>result</b>. Return the result on success, or NULL on failure.
2943 */
2944 #ifdef HAVE_LOCALTIME_R
2947 {
2951 }
2952 #elif defined(TIME_FNS_NEED_LOCKS)
2955 {
2966 }
2967 #else
2970 {
2977 }
2978 #endif
2979 /** @} */
2981 /** @{ */
2982 /** As gmtime_r, but defined for platforms that don't have it:
2983 *
2984 * Convert *<b>timep</b> to a struct tm in UTC, and store the value in
2985 * *<b>result</b>. Return the result on success, or NULL on failure.
2986 */
2987 #ifdef HAVE_GMTIME_R
2990 {
2994 }
2995 #elif defined(TIME_FNS_NEED_LOCKS)
2998 {
3009 }
3010 #else
3013 {
3020 }
3021 #endif
3023 #if defined(HAVE_MLOCKALL) && HAVE_DECL_MLOCKALL && defined(RLIMIT_MEMLOCK)
3024 /** Attempt to raise the current and max rlimit to infinity for our process.
3025 * This only needs to be done once and can probably only be done when we have
3026 * not already dropped privileges.
3027 */
3028 static int
3030 {
3031 /* Future consideration for Windows is probably SetProcessWorkingSetSize
3032 * This is similar to setting the memory rlimit of RLIMIT_MEMLOCK
3033 * http://msdn.microsoft.com/en-us/library/ms686234(VS.85).aspx
3034 */
3038 /* RLIM_INFINITY is -1 on some platforms. */
3046 }
3050 }
3053 }
3054 #endif
3056 /** Attempt to lock all current and all future memory pages.
3057 * This should only be called once and while we're privileged.
3058 * Like mlockall() we return 0 when we're successful and -1 when we're not.
3059 * Unlike mlockall() we return 1 if we've already attempted to lock memory.
3060 */
3061 int
3063 {
3068 }
3072 /*
3073 * Future consideration for Windows may be VirtualLock
3074 * VirtualLock appears to implement mlock() but not mlockall()
3075 *
3076 * http://msdn.microsoft.com/en-us/library/aa366895(VS.85).aspx
3077 */
3079 #if defined(HAVE_MLOCKALL) && HAVE_DECL_MLOCKALL && defined(RLIMIT_MEMLOCK)
3082 }
3089 /* Apple - it's 2009! I'm looking at you. Grrr. */
3095 }
3099 }
3100 #else
3103 #endif
3104 }
3106 /**
3107 * On Windows, WSAEWOULDBLOCK is not always correct: when you see it,
3108 * you need to ask the socket for its actual errno. Also, you need to
3109 * get your errors from WSAGetLastError, not errno. (If you supply a
3110 * socket of -1, we check WSAGetLastError, but don't correct
3111 * WSAEWOULDBLOCKs.)
3112 *
3113 * The upshot of all of this is that when a socket call fails, you
3114 * should call tor_socket_errno <em>at most once</em> on the failing
3115 * socket to get the error.
3116 */
3117 #if defined(_WIN32)
3118 int
3120 {
3128 }
3130 }
3131 #endif
3133 #if defined(_WIN32)
3151 /* What's the difference between NOTSUPP and NOSUPPORT? :) */
3171 /* Yes, some of these start with WSA, not WSAE. No, I don't know why. */
3176 #ifdef WSATYPE_NOT_FOUND
3178 #endif
3184 /* There are some more error codes whose numeric values are marked
3185 * <b>OS dependent</b>. They start with WSA_, apparently for the same
3186 * reason that practitioners of some craft traditions deliberately
3187 * introduce imperfections into their baskets and rugs "to allow the
3188 * evil spirits to escape." If we catch them, then our binaries
3189 * might not report consistent results across versions of Windows.
3190 * Thus, I'm going to let them all fall through.
3191 */
3193 };
3194 /** There does not seem to be a strerror equivalent for Winsock errors.
3195 * Naturally, we have to roll our own.
3196 */
3199 {
3204 }
3206 }
3207 #endif
3209 /** Called before we make any calls to network-related functions.
3210 * (Some operating systems require their network libraries to be
3211 * initialized.) */
3212 int
3214 {
3215 #ifdef _WIN32
3216 /* This silly exercise is necessary before windows will allow
3217 * gethostbyname to work. */
3218 WSADATA WSAData;
3224 }
3229 }
3230 /* WSAData.iMaxSockets might show the max sockets we're allowed to use.
3231 * We might use it to complain if we're trying to be a server but have
3232 * too few sockets available. */
3233 #endif
3235 }
3237 #ifdef _WIN32
3238 /** Return a newly allocated string describing the windows system error code
3239 * <b>err</b>. Note that error codes are different from errno. Error codes
3240 * come from GetLastError() when a winapi call fails. errno is set only when
3241 * ANSI functions fail. Whee. */
3244 {
3247 DWORD n;
3249 /* Somebody once decided that this interface was better than strerror(). */
3251 FORMAT_MESSAGE_FROM_SYSTEM |
3252 FORMAT_MESSAGE_IGNORE_INSERTS,
3259 #ifdef UNICODE
3263 * make sure. */
3264 else
3269 #else
3271 #endif
3274 }
3277 }
3279 }
3280 #endif
3282 #if defined(HW_PHYSMEM64)
3283 /* This appears to be an OpenBSD thing */
3284 #define INT64_HW_MEM HW_PHYSMEM64
3285 #elif defined(HW_MEMSIZE)
3286 /* OSX defines this one */
3287 #define INT64_HW_MEM HW_MEMSIZE
3288 #endif
3290 /**
3291 * Helper: try to detect the total system memory, and return it. On failure,
3292 * return 0.
3293 */
3294 static uint64_t
3296 {
3297 #if defined(__linux__)
3298 /* On linux, sysctl is deprecated. Because proc is so awesome that you
3299 * shouldn't _want_ to write portable code, I guess? */
3313 /* Use the system sscanf so that space will match a wider number of space */
3321 err:
3322 /* LCOV_EXCL_START Can't reach this unless proc is broken. */
3326 /* LCOV_EXCL_STOP */
3327 #elif defined (_WIN32)
3328 /* Windows has MEMORYSTATUSEX; pretty straightforward. */
3329 MEMORYSTATUSEX ms;
3337 #elif defined(HAVE_SYSCTL) && defined(INT64_HW_MEM)
3338 /* On many systems, HW_PYHSMEM is clipped to 32 bits; let's use a better
3339 * variant if we know about it. */
3348 #elif defined(HAVE_SYSCTL) && defined(HW_PHYSMEM)
3349 /* On some systems (like FreeBSD I hope) you can use a size_t with
3350 * HW_PHYSMEM. */
3359 #else
3360 /* I have no clue. */
3362 #endif
3363 }
3365 /**
3366 * Try to find out how much physical memory the system has. On success,
3367 * return 0 and set *<b>mem_out</b> to that value. On failure, return -1.
3368 */
3369 int
3371 {
3375 /* LCOV_EXCL_START -- can't make this happen without mocking. */
3376 /* We couldn't find our memory total */
3378 /* We have no cached value either */
3381 }
3385 /* LCOV_EXCL_STOP */
3386 }
3388 #if SIZE_MAX != UINT64_MAX
3390 /* I think this could happen if we're a 32-bit Tor running on a 64-bit
3391 * system: we could have more system memory than would fit in a
3392 * size_t. */
3394 }
3395 #endif
3400 }
3402 /** Emit the password prompt <b>prompt</b>, then read up to <b>buflen</b>
3403 * bytes of passphrase into <b>output</b>. Return the number of bytes in
3404 * the passphrase, excluding terminating NUL.
3405 */
3406 ssize_t
3408 {
3411 #if defined(HAVE_READPASSPHRASE)
3416 #elif defined(_WIN32)
3420 }
3446 }
3447 }
3448 done_reading:
3449 ;
3451 #ifndef WC_ERR_INVALID_CHARS
3452 #define WC_ERR_INVALID_CHARS 0x80
3453 #endif
3455 /* Now convert it to UTF-8 */
3464 }
3470 done:
3474 #else
3476 #endif
3477 }
3479 /** Return the amount of free disk space we have permission to use, in
3480 * bytes. Return -1 if the amount of free space can't be determined. */
3481 int64_t
3483 {
3484 #ifdef HAVE_STATVFS
3500 }
3503 #elif defined(_WIN32)
3504 ULARGE_INTEGER freeBytesAvail;
3505 BOOL ok;
3510 }
3512 #else
3516 #endif
3517 }