| blob | cc7760bff8431d403a11b65906579456bd9355dc |
1 /* Copyright (c) 2003, Roger Dingledine
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2015, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file util.c
8 * \brief Common functions for strings, IO, network, data structures,
9 * process control.
10 **/
12 /* This is required on rh7 to make strptime not complain.
13 */
14 #define _GNU_SOURCE
17 #ifdef HAVE_FCNTL_H
18 #include <fcntl.h>
19 #endif
20 #define UTIL_PRIVATE
31 #ifdef _WIN32
32 #include <io.h>
33 #include <direct.h>
34 #include <process.h>
35 #include <tchar.h>
36 #include <winbase.h>
37 #else
38 #include <dirent.h>
39 #include <pwd.h>
40 #include <grp.h>
41 #endif
43 /* math.h needs this on Linux */
44 #ifndef _USE_ISOC99_
45 #define _USE_ISOC99_ 1
46 #endif
47 #include <math.h>
48 #include <stdlib.h>
49 #include <stdio.h>
50 #include <string.h>
51 #include <assert.h>
52 #include <signal.h>
54 #ifdef HAVE_NETINET_IN_H
55 #include <netinet/in.h>
56 #endif
57 #ifdef HAVE_ARPA_INET_H
58 #include <arpa/inet.h>
59 #endif
60 #ifdef HAVE_ERRNO_H
61 #include <errno.h>
62 #endif
63 #ifdef HAVE_SYS_SOCKET_H
64 #include <sys/socket.h>
65 #endif
66 #ifdef HAVE_SYS_TIME_H
67 #include <sys/time.h>
68 #endif
69 #ifdef HAVE_UNISTD_H
70 #include <unistd.h>
71 #endif
72 #ifdef HAVE_SYS_STAT_H
73 #include <sys/stat.h>
74 #endif
75 #ifdef HAVE_SYS_FCNTL_H
76 #include <sys/fcntl.h>
77 #endif
78 #ifdef HAVE_TIME_H
79 #include <time.h>
80 #endif
81 #ifdef HAVE_MALLOC_MALLOC_H
82 #include <malloc/malloc.h>
83 #endif
84 #ifdef HAVE_MALLOC_H
85 #if !defined(OPENBSD) && !defined(__FreeBSD__)
86 /* OpenBSD has a malloc.h, but for our purposes, it only exists in order to
87 * scold us for being so stupid as to autodetect its presence. To be fair,
88 * they've done this since 1996, when autoconf was only 5 years old. */
89 #include <malloc.h>
90 #endif
91 #endif
92 #ifdef HAVE_MALLOC_NP_H
93 #include <malloc_np.h>
94 #endif
95 #ifdef HAVE_SYS_WAIT_H
96 #include <sys/wait.h>
97 #endif
98 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
99 #include <sys/prctl.h>
100 #endif
102 #ifdef __clang_analyzer__
103 #undef MALLOC_ZERO_WORKS
104 #endif
106 /* =====
107 * Assertion helper.
108 * ===== */
109 /** Helper for tor_assert: report the assertion failure. */
110 void
113 {
121 }
123 /* =====
124 * Memory management
125 * ===== */
126 #ifdef USE_DMALLOC
127 #undef strndup
128 #include <dmalloc.h>
129 /* Macro to pass the extra dmalloc args to another function. */
130 #define DMALLOC_FN_ARGS , file, line
132 #if defined(HAVE_DMALLOC_STRDUP)
133 /* the dmalloc_strdup should be fine as defined */
134 #elif defined(HAVE_DMALLOC_STRNDUP)
135 #define dmalloc_strdup(file, line, string, xalloc_b) \
136 dmalloc_strndup(file, line, (string), -1, xalloc_b)
137 #else
139 #endif
143 #define DMALLOC_FN_ARGS
144 #endif
146 /** Allocate a chunk of <b>size</b> bytes of memory, and return a pointer to
147 * result. On error, log and terminate the process. (Same as malloc(size),
148 * but never returns NULL.)
149 *
150 * <b>file</b> and <b>line</b> are used if dmalloc is enabled, and
151 * ignored otherwise.
152 */
155 {
160 #ifndef MALLOC_ZERO_WORKS
161 /* Some libc mallocs don't work when size==0. Override them. */
164 }
165 #endif
167 #ifdef USE_DMALLOC
169 #else
171 #endif
175 /* If these functions die within a worker process, they won't call
176 * spawn_exit, but that's ok, since the parent will run out of memory soon
177 * anyway. */
179 }
181 }
183 /** Allocate a chunk of <b>size</b> bytes of memory, fill the memory with
184 * zero bytes, and return a pointer to the result. Log and terminate
185 * the process on error. (Same as calloc(size,1), but never returns NULL.)
186 */
189 {
190 /* You may ask yourself, "wouldn't it be smart to use calloc instead of
191 * malloc+memset? Perhaps libc's calloc knows some nifty optimization trick
192 * we don't!" Indeed it does, but its optimizations are only a big win when
193 * we're allocating something very big (it knows if it just got the memory
194 * from the OS in a pre-zeroed state). We don't want to use tor_malloc_zero
195 * for big stuff, so we don't bother with calloc. */
199 }
201 /* The square root of SIZE_MAX + 1. If a is less than this, and b is less
202 * than this, then a*b is less than SIZE_MAX. (For example, if size_t is
203 * 32 bits, then SIZE_MAX is 0xffffffff and this value is 0x10000. If a and
204 * b are less than this, then their product is at most (65535*65535) ==
205 * 0xfffe0001. */
206 #define SQRT_SIZE_MAX_P1 (((size_t)1) << (sizeof(size_t)*4))
208 /** Return non-zero if and only if the product of the arguments is exact. */
211 {
212 /* This first check is equivalent to
213 (x < SQRT_SIZE_MAX_P1 && y < SQRT_SIZE_MAX_P1)
215 Rationale: if either one of x or y is >= SQRT_SIZE_MAX_P1, then it
216 will have some bit set in its most significant half.
217 */
221 }
223 /** Allocate a chunk of <b>nmemb</b>*<b>size</b> bytes of memory, fill
224 * the memory with zero bytes, and return a pointer to the result.
225 * Log and terminate the process on error. (Same as
226 * calloc(<b>nmemb</b>,<b>size</b>), but never returns NULL.)
227 * The second argument (<b>size</b>) should preferably be non-zero
228 * and a compile-time constant.
229 */
232 {
235 }
237 /** Change the size of the memory block pointed to by <b>ptr</b> to <b>size</b>
238 * bytes long; return the new memory block. On error, log and
239 * terminate. (Like realloc(ptr,size), but never returns NULL.)
240 */
243 {
248 #ifndef MALLOC_ZERO_WORKS
249 /* Some libc mallocs don't work when size==0. Override them. */
252 }
253 #endif
255 #ifdef USE_DMALLOC
257 #else
259 #endif
264 }
266 }
268 /**
269 * Try to realloc <b>ptr</b> so that it takes up sz1 * sz2 bytes. Check for
270 * overflow. Unlike other allocation functions, return NULL on overflow.
271 */
274 {
275 /* XXXX we can make this return 0, but we would need to check all the
276 * reallocarray users. */
280 }
282 /** Return a newly allocated copy of the NUL-terminated string s. On
283 * error, log and terminate. (Like strdup(s), but never returns
284 * NULL.)
285 */
288 {
292 #ifdef USE_DMALLOC
294 #else
296 #endif
300 }
302 }
304 /** Allocate and return a new string containing the first <b>n</b>
305 * characters of <b>s</b>. If <b>s</b> is longer than <b>n</b>
306 * characters, only the first <b>n</b> are copied. The result is
307 * always NUL-terminated. (Like strndup(s,n), but never returns
308 * NULL.)
309 */
312 {
317 /* Performance note: Ordinarily we prefer strlcpy to strncpy. But
318 * this function gets called a whole lot, and platform strncpy is
319 * much faster than strlcpy when strlen(s) is much longer than n.
320 */
324 }
326 /** Allocate a chunk of <b>len</b> bytes, with the same contents as the
327 * <b>len</b> bytes starting at <b>mem</b>. */
330 {
337 }
339 /** As tor_memdup(), but add an extra 0 byte at the end of the resulting
340 * memory. */
343 {
351 }
353 /** Helper for places that need to take a function pointer to the right
354 * spelling of "free()". */
355 void
357 {
359 }
361 /** Call the platform malloc info function, and dump the results to the log at
362 * level <b>severity</b>. If no such function exists, do nothing. */
363 void
365 {
366 #ifdef HAVE_MALLINFO
371 "mallinfo() said: arena=%d, ordblks=%d, smblks=%d, hblks=%d, "
372 "hblkhd=%d, usmblks=%d, fsmblks=%d, uordblks=%d, fordblks=%d, "
377 #else
379 #endif
380 #ifdef USE_DMALLOC
385 );
386 #endif
387 }
389 /* =====
390 * Math
391 * ===== */
393 /**
394 * Returns the natural logarithm of d base e. We defined this wrapper here so
395 * to avoid conflicts with old versions of tor_log(), which were named log().
396 */
397 double
399 {
401 }
403 /** Return the long integer closest to <b>d</b>. We define this wrapper
404 * here so that not all users of math.h need to use the right incantations
405 * to get the c99 functions. */
406 long
408 {
409 #if defined(HAVE_LROUND)
411 #elif defined(HAVE_RINT)
413 #else
415 #endif
416 }
418 /** Return the 64-bit integer closest to d. We define this wrapper here so
419 * that not all users of math.h need to use the right incantations to get the
420 * c99 functions. */
421 int64_t
423 {
424 #if defined(HAVE_LLROUND)
426 #elif defined(HAVE_RINT)
428 #else
430 #endif
431 }
433 /** Returns floor(log2(u64)). If u64 is 0, (incorrectly) returns 0. */
434 int
436 {
441 }
445 }
449 }
453 }
457 }
461 }
463 }
465 /** Return the power of 2 in range [1,UINT64_MAX] closest to <b>u64</b>. If
466 * there are two powers of 2 equally close, round down. */
467 uint64_t
469 {
485 else
487 }
489 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
490 * <b>divisor</b> == 0. */
491 unsigned
493 {
499 }
501 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
502 * <b>divisor</b> == 0. */
503 uint32_t
505 {
511 }
513 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
514 * <b>divisor</b> == 0. */
515 uint64_t
517 {
523 }
525 /** Return the lowest x in [INT64_MIN, INT64_MAX] such that x is at least
526 * <b>number</b>, and x modulo <b>divisor</b> == 0. */
527 int64_t
529 {
535 }
537 /** Transform a random value <b>p</b> from the uniform distribution in
538 * [0.0, 1.0[ into a Laplace distributed value with location parameter
539 * <b>mu</b> and scale parameter <b>b</b>. Truncate the final result
540 * to be an integer in [INT64_MIN, INT64_MAX]. */
541 int64_t
543 {
547 /* This is the "inverse cumulative distribution function" from:
548 * http://en.wikipedia.org/wiki/Laplace_distribution */
550 /* Avoid taking log(0.0) == -INFINITY, as some processors or compiler
551 * options can cause the program to trap. */
553 }
559 }
561 /** Add random noise between INT64_MIN and INT64_MAX coming from a Laplace
562 * distribution with mu = 0 and b = <b>delta_f</b>/<b>epsilon</b> to
563 * <b>signal</b> based on the provided <b>random</b> value in [0.0, 1.0[.
564 * The epsilon value must be between ]0.0, 1.0]. delta_f must be greater
565 * than 0. */
566 int64_t
569 {
572 /* epsilon MUST be between ]0.0, 1.0] */
574 /* delta_f MUST be greater than 0. */
577 /* Just add noise, no further signal */
580 random);
582 /* Clip (signal + noise) to [INT64_MIN, INT64_MAX] */
587 else
589 }
591 /** Return the number of bits set in <b>v</b>. */
592 int
594 {
612 };
615 }
617 /* =====
618 * String manipulation
619 * ===== */
621 /** Remove from the string <b>s</b> every character which appears in
622 * <b>strip</b>. */
623 void
625 {
632 }
633 }
635 }
637 /** Return a pointer to a NUL-terminated hexadecimal string encoding
638 * the first <b>fromlen</b> bytes of <b>from</b>. (fromlen must be \<= 32.) The
639 * result does not need to be deallocated, but repeated calls to
640 * hex_str will trash old results.
641 */
644 {
650 }
652 /** Convert all alphabetic characters in the nul-terminated string <b>s</b> to
653 * lowercase. */
654 void
656 {
660 }
661 }
663 /** Convert all alphabetic characters in the nul-terminated string <b>s</b> to
664 * lowercase. */
665 void
667 {
671 }
672 }
674 /** Return 1 if every character in <b>s</b> is printable, else return 0.
675 */
676 int
678 {
682 s++;
683 }
685 }
687 /** Return 1 if no character in <b>s</b> is uppercase, else return 0.
688 */
689 int
691 {
695 s++;
696 }
698 }
700 /** As strcmp, except that either string may be NULL. The NULL string is
701 * considered to be before any non-NULL string. */
702 int
704 {
708 else
714 }
715 }
717 /** Compares the first strlen(s2) characters of s1 with s2. Returns as for
718 * strcmp.
719 */
720 int
722 {
725 }
727 /** Compare the s1_len-byte string <b>s1</b> with <b>s2</b>,
728 * without depending on a terminating nul in s1. Sorting order is first by
729 * length, then lexically; return values are as for strcmp.
730 */
731 int
733 {
740 }
742 /** Compares the first strlen(s2) characters of s1 with s2. Returns as for
743 * strcasecmp.
744 */
745 int
747 {
750 }
752 /** Compares the last strlen(s2) characters of s1 with s2. Returns as for
753 * strcmp.
754 */
755 int
757 {
761 else
763 }
765 /** Compares the last strlen(s2) characters of s1 with s2. Returns as for
766 * strcasecmp.
767 */
768 int
770 {
774 else
776 }
778 /** Compare the value of the string <b>prefix</b> with the start of the
779 * <b>memlen</b>-byte memory chunk at <b>mem</b>. Return as for strcmp.
780 *
781 * [As fast_memcmp(mem, prefix, strlen(prefix)) but returns -1 if memlen is
782 * less than strlen(prefix).]
783 */
784 int
787 {
792 }
794 /** Return a pointer to the first char of s that is not whitespace and
795 * not a comment, or to the terminating NUL if no such character exists.
796 */
799 {
817 }
818 }
819 }
821 /** Return a pointer to the first char of s that is not whitespace and
822 * not a comment, or to the terminating NUL if no such character exists.
823 */
826 {
845 }
846 }
848 }
850 /** Return a pointer to the first char of s that is not a space or a tab
851 * or a \\r, or to the terminating NUL if no such character exists. */
854 {
858 }
860 /** As eat_whitespace_no_nl, but stop at <b>eos</b> whether we have
861 * found a non-whitespace character or not. */
864 {
868 }
870 /** Return a pointer to the first char of s that is whitespace or <b>#</b>,
871 * or to the terminating NUL if no such character exists.
872 */
875 {
876 /* tor_assert(s); */
879 {
889 }
890 }
891 }
893 /** As find_whitespace, but stop at <b>eos</b> whether we have found a
894 * whitespace or not. */
897 {
898 /* tor_assert(s); */
901 {
911 }
912 }
914 }
916 /** Return the first occurrence of <b>needle</b> in <b>haystack</b> that
917 * occurs at the start of a line (that is, at the beginning of <b>haystack</b>
918 * or immediately after a newline). Return NULL if no such string is found.
919 */
922 {
932 else
937 }
939 /** Returns true if <b>string</b> could be a C identifier.
940 A C identifier must begin with a letter or an underscore and the
941 rest of its characters can be letters, numbers or underscores. No
942 length limit is imposed. */
943 int
945 {
961 }
962 }
965 }
967 /** Return true iff the 'len' bytes at 'mem' are all zero. */
968 int
970 {
973 };
975 /* It's safe to use fast_memcmp here, since the very worst thing an
976 * attacker could learn is how many initial bytes of a secret were zero */
981 }
982 /* Deal with leftover bytes. */
987 }
989 /** Return true iff the DIGEST_LEN bytes in digest are all zero. */
990 int
992 {
995 };
997 }
999 /** Return true if <b>string</b> is a valid 'key=[value]' string.
1000 * "value" is optional, to indicate the empty string. Log at logging
1001 * <b>severity</b> if something ugly happens. */
1002 int
1004 {
1005 /* position of equal sign in string */
1014 }
1020 }
1022 /* validate that the '=' is not in the beginning of the string. */
1027 }
1030 }
1032 /** Return true if <b>string</b> represents a valid IPv4 adddress in
1033 * 'a.b.c.d' form.
1034 */
1035 int
1037 {
1041 }
1043 /** Return true if <b>string</b> represents a valid IPv6 address in
1044 * a form that inet_pton() can parse.
1045 */
1046 int
1048 {
1052 }
1054 /** Return true iff <b>string</b> matches a pattern of DNS names
1055 * that we allow Tor clients to connect to.
1056 */
1057 int
1059 {
1071 }
1078 c++;
1079 else
1092 }
1094 /** Return true iff the DIGEST256_LEN bytes in digest are all zero. */
1095 int
1097 {
1099 }
1101 /* Helper: common code to check whether the result of a strtol or strtoul or
1102 * strtoll is correct. */
1103 #define CHECK_STRTOX_RESULT() \
1105 if (errno == ERANGE) \
1106 goto err; \
1108 if (endptr == s) \
1109 goto err; \
1111 if (!next && *endptr) \
1112 goto err; \
1114 if (r < min || r > max) \
1115 goto err; \
1116 if (ok) *ok = 1; \
1117 if (next) *next = endptr; \
1118 return r; \
1119 err: \
1120 if (ok) *ok = 0; \
1121 if (next) *next = endptr; \
1122 return 0
1124 /** Extract a long from the start of <b>s</b>, in the given numeric
1125 * <b>base</b>. If <b>base</b> is 0, <b>s</b> is parsed as a decimal,
1126 * octal, or hex number in the syntax of a C integer literal. If
1127 * there is unconverted data and <b>next</b> is provided, set
1128 * *<b>next</b> to the first unconverted character. An error has
1129 * occurred if no characters are converted; or if there are
1130 * unconverted characters and <b>next</b> is NULL; or if the parsed
1131 * value is not between <b>min</b> and <b>max</b>. When no error
1132 * occurs, return the parsed value and set *<b>ok</b> (if provided) to
1133 * 1. When an error occurs, return 0 and set *<b>ok</b> (if provided)
1134 * to 0.
1135 */
1136 long
1139 {
1147 }
1152 }
1154 /** As tor_parse_long(), but return an unsigned long. */
1155 unsigned long
1158 {
1166 }
1171 }
1173 /** As tor_parse_long(), but return a double. */
1174 double
1176 {
1183 }
1185 /** As tor_parse_long, but return a uint64_t. Only base 10 is guaranteed to
1186 * work for now. */
1187 uint64_t
1190 {
1198 }
1201 #ifdef HAVE_STRTOULL
1203 #elif defined(_WIN32)
1204 #if defined(_MSC_VER) && _MSC_VER < 1300
1210 #else
1212 #endif
1213 #elif SIZEOF_LONG == 8
1215 #else
1217 #endif
1220 }
1222 /** Encode the <b>srclen</b> bytes at <b>src</b> in a NUL-terminated,
1223 * uppercase hexadecimal string; store it in the <b>destlen</b>-byte buffer
1224 * <b>dest</b>.
1225 */
1226 void
1228 {
1241 }
1243 }
1245 /** Helper: given a hex digit, return its value, or -1 if it isn't hex. */
1248 {
1268 }
1269 }
1271 /** Helper: given a hex digit, return its value, or -1 if it isn't hex. */
1272 int
1274 {
1276 }
1278 /** Given a hexadecimal string of <b>srclen</b> bytes in <b>src</b>, decode it
1279 * and store the result in the <b>destlen</b>-byte buffer at <b>dest</b>.
1280 * Return 0 on success, -1 on failure. */
1281 int
1283 {
1303 }
1305 }
1307 /** Allocate and return a new string representing the contents of <b>s</b>,
1308 * surrounded by quotes and using standard C escapes.
1309 *
1310 * Generally, we use this for logging values that come in over the network to
1311 * keep them from tricking users, and for sending certain values to the
1312 * controller.
1313 *
1314 * We trust values from the resolver, OS, configuration file, and command line
1315 * to not be maliciously ill-formed. We validate incoming routerdescs and
1316 * SOCKS requests and addresses from BEGIN cells as they're parsed;
1317 * afterwards, we trust them as non-malicious.
1318 */
1321 {
1327 }
1342 else
1345 }
1346 }
1353 /* This assertion should always succeed, since we will write at least
1354 * one char here, and two chars for closing quote and nul later */
1382 }
1384 }
1385 }
1392 }
1394 /** Similar to esc_for_log. Allocate and return a new string representing
1395 * the first n characters in <b>chars</b>, surround by quotes and using
1396 * standard C escapes. If a NUL character is encountered in <b>chars</b>,
1397 * the resulting string will be terminated there.
1398 */
1401 {
1406 }
1408 /** Allocate and return a new string representing the contents of <b>s</b>,
1409 * surrounded by quotes and using standard C escapes.
1410 *
1411 * THIS FUNCTION IS NOT REENTRANT. Don't call it from outside the main
1412 * thread. Also, each call invalidates the last-returned value, so don't
1413 * try log_warn(LD_GENERAL, "%s %s", escaped(a), escaped(b));
1414 */
1417 {
1423 else
1427 }
1429 /** Return a newly allocated string equal to <b>string</b>, except that every
1430 * character in <b>chars_to_escape</b> is preceded by a backslash. */
1433 {
1444 /* (new_length > SIZE_MAX) => ((length * 2) + 1 > SIZE_MAX) =>
1445 (length*2 > SIZE_MAX - 1) => (length > (SIZE_MAX - 1)/2) */
1449 /* this should be enough even if all characters must be escaped */
1459 }
1464 }
1466 /* =====
1467 * Time
1468 * ===== */
1470 /** Return the number of microseconds elapsed between *start and *end.
1471 */
1472 long
1474 {
1482 }
1486 }
1488 /** Return the number of milliseconds elapsed between *start and *end.
1489 */
1490 long
1492 {
1500 }
1502 /* Subtract and round */
1506 }
1508 /**
1509 * Converts timeval to milliseconds.
1510 */
1511 int64_t
1513 {
1515 /* Round ghetto-style */
1518 }
1520 /** Yield true iff <b>y</b> is a leap-year. */
1521 #define IS_LEAPYEAR(y) (!(y % 4) && ((y % 100) || !(y % 400)))
1522 /** Helper: Return the number of leap-days between Jan 1, y1 and Jan 1, y2. */
1523 static int
1525 {
1529 }
1530 /** Number of days per month in non-leap year; used by tor_timegm and
1531 * parse_rfc1123_time. */
1535 /** Compute a time_t given a struct tm. The result is given in UTC, and
1536 * does not account for leap seconds. Return 0 on success, -1 on failure.
1537 */
1538 int
1540 {
1541 /* This is a pretty ironclad timegm implementation, snarfed from Python2.2.
1542 * It's way more brute-force than fiddling with tzset().
1543 */
1546 /* avoid int overflow on addition */
1550 /* clamp year */
1552 }
1559 }
1561 /* invalid month - default to 0 days per month */
1563 }
1573 }
1586 }
1588 /* strftime is locale-specific, so we need to replace those parts */
1590 /** A c-locale array of 3-letter names of weekdays, starting with Sun. */
1593 /** A c-locale array of 3-letter names of months, starting with Jan. */
1598 /** Set <b>buf</b> to the RFC1123 encoding of the UTC value of <b>t</b>.
1599 * The buffer must be at least RFC1123_TIME_LEN+1 bytes long.
1600 *
1601 * (RFC1123 format is "Fri, 29 Sep 2006 15:54:20 GMT". Note the "GMT"
1602 * rather than "UTC".)
1603 */
1604 void
1606 {
1618 }
1620 /** Parse the (a subset of) the RFC1123 encoding of some time (in UTC) from
1621 * <b>buf</b>, and store the result in *<b>t</b>.
1622 *
1623 * Note that we only accept the subset generated by format_rfc1123_time above,
1624 * not the full range of formats suggested by RFC 1123.
1625 *
1626 * Return 0 on success, -1 on failure.
1627 */
1628 int
1630 {
1648 }
1655 }
1656 }
1662 }
1670 }
1678 }
1691 }
1695 }
1697 /** Set <b>buf</b> to the ISO8601 encoding of the local value of <b>t</b>.
1698 * The buffer must be at least ISO_TIME_LEN+1 bytes long.
1699 *
1700 * (ISO8601 format is 2006-10-29 10:57:20)
1701 */
1702 void
1704 {
1707 }
1709 /** Set <b>buf</b> to the ISO8601 encoding of the GMT value of <b>t</b>.
1710 * The buffer must be at least ISO_TIME_LEN+1 bytes long.
1711 */
1712 void
1714 {
1717 }
1719 /** As format_iso_time, but use the yyyy-mm-ddThh:mm:ss format to avoid
1720 * embedding an internal space. */
1721 void
1723 {
1726 }
1728 /** As format_iso_time_nospace, but include microseconds in decimal
1729 * fixed-point format. Requires that buf be at least ISO_TIME_USEC_LEN+1
1730 * bytes long. */
1731 void
1733 {
1737 }
1739 /** Given an ISO-formatted UTC time value (after the epoch) in <b>cp</b>,
1740 * parse it and store its value in *<b>t</b>. Return 0 on success, -1 on
1741 * failure. Ignore extraneous stuff in <b>cp</b> after the end of the time
1742 * string, unless <b>strict</b> is set. */
1743 int
1745 {
1757 }
1764 }
1777 }
1779 }
1781 /** Given an ISO-formatted UTC time value (after the epoch) in <b>cp</b>,
1782 * parse it and store its value in *<b>t</b>. Return 0 on success, -1 on
1783 * failure. Reject the string if any characters are present after the time.
1784 */
1785 int
1787 {
1789 }
1791 /** Given a <b>date</b> in one of the three formats allowed by HTTP (ugh),
1792 * parse it into <b>tm</b>. Return 0 on success, negative on failure. */
1793 int
1795 {
1805 /* First, try RFC1123 or RFC850 format: skip the weekday. */
1814 /* rfc1123-date */
1819 /* rfc850-date */
1822 }
1824 /* No comma; possibly asctime() format. */
1831 }
1832 }
1840 /* Okay, now decode the month. */
1841 /* set tm->tm_mon to dummy value so the check below fails. */
1846 }
1847 }
1858 }
1860 /** Given an <b>interval</b> in seconds, try to write it to the
1861 * <b>out_len</b>-byte buffer in <b>out</b> in a human-readable form.
1862 * Return 0 on success, -1 on failure.
1863 */
1864 int
1866 {
1867 /* We only report seconds if there's no hours. */
1870 /* -LONG_MIN is LONG_MAX + 1, which causes signed overflow */
1879 }
1883 }
1887 }
1899 }
1900 }
1902 /* =====
1903 * Cached time
1904 * ===== */
1906 #ifndef TIME_IS_FAST
1907 /** Cached estimate of the current time. Updated around once per second;
1908 * may be a few seconds off if we are really busy. This is a hack to avoid
1909 * calling time(NULL) (which not everybody has optimized) on critical paths.
1910 */
1913 /** Return a cached estimate of the current time from when
1914 * update_approx_time() was last called. This is a hack to avoid calling
1915 * time(NULL) on critical paths: please do not even think of calling it
1916 * anywhere else. */
1917 time_t
1919 {
1921 }
1923 /** Update the cached estimate of the current time. This function SHOULD be
1924 * called once per second, and MUST be called before the first call to
1925 * get_approx_time. */
1926 void
1928 {
1930 }
1931 #endif
1933 /* =====
1934 * Rate limiting
1935 * ===== */
1937 /** If the rate-limiter <b>lim</b> is ready at <b>now</b>, return the number
1938 * of calls to rate_limit_is_ready (including this one!) since the last time
1939 * rate_limit_is_ready returned nonzero. Otherwise return 0. */
1940 static int
1942 {
1951 }
1952 }
1954 /** If the rate-limiter <b>lim</b> is ready at <b>now</b>, return a newly
1955 * allocated string indicating how many messages were suppressed, suitable to
1956 * append to a log message. Otherwise return NULL. */
1959 {
1970 }
1973 }
1974 }
1976 /* =====
1977 * File helpers
1978 * ===== */
1980 /** Write <b>count</b> bytes from <b>buf</b> to <b>fd</b>. <b>isSocket</b>
1981 * must be 1 if fd was returned by socket() or accept(), and 0 if fd
1982 * was returned by open(). Return the number of bytes written, or -1
1983 * on error. Only use if fd is a blocking fd. */
1984 ssize_t
1986 {
1988 ssize_t result;
1994 else
1999 }
2001 }
2003 /** Read from <b>fd</b> to <b>buf</b>, until we get <b>count</b> bytes
2004 * or reach the end of the file. <b>isSocket</b> must be 1 if fd
2005 * was returned by socket() or accept(), and 0 if fd was returned by
2006 * open(). Return the number of bytes read, or -1 on error. Only use
2007 * if fd is a blocking fd. */
2008 ssize_t
2010 {
2012 ssize_t result;
2020 else
2027 }
2029 }
2031 /*
2032 * Filesystem operations.
2033 */
2035 /** Clean up <b>name</b> so that we can use it in a call to "stat". On Unix,
2036 * we do nothing. On Windows, we remove a trailing slash, unless the path is
2037 * the root of a disk. */
2038 static void
2040 {
2041 #ifdef _WIN32
2049 }
2050 #else
2052 #endif
2053 }
2055 /** Return:
2056 * FN_ERROR if filename can't be read, is NULL, or is zero-length,
2057 * FN_NOENT if it doesn't exist,
2058 * FN_FILE if it is a non-empty regular file, or a FIFO on unix-like systems,
2059 * FN_EMPTY for zero-byte regular files,
2060 * FN_DIR if it's a directory, and
2061 * FN_ERROR for any other file type.
2062 * On FN_ERROR and FN_NOENT, sets errno. (errno is not set when FN_ERROR
2063 * is returned due to an unhandled file type.) */
2064 file_status_t
2066 {
2072 }
2081 }
2083 }
2093 }
2094 #ifndef _WIN32
2097 #endif
2100 }
2101 }
2103 /** Check whether <b>dirname</b> exists and is private. If yes return 0. If
2104 * it does not exist, and <b>check</b>&CPD_CREATE is set, try to create it
2105 * and return 0 on success. If it does not exist, and
2106 * <b>check</b>&CPD_CHECK, and we think we can create it, return 0. Else
2107 * return -1. If CPD_GROUP_OK is set, then it's okay if the directory
2108 * is group-readable, but in all cases we create the directory mode 0700.
2109 * If CPD_GROUP_READ is set, existing directory behaves as CPD_GROUP_OK and
2110 * if the directory is created it will use mode 0750 with group read
2111 * permission. Group read privileges also assume execute permission
2112 * as norm for directories. If CPD_CHECK_MODE_ONLY is set, then we don't
2113 * alter the directory permissions if they are too permissive:
2114 * we just return -1.
2115 * When effective_user is not NULL, check permissions against the given user
2116 * and its primary group.
2117 */
2118 int
2121 {
2125 #ifndef _WIN32
2128 uid_t running_uid;
2129 gid_t running_gid;
2130 #else
2132 #endif
2145 }
2148 #if defined (_WIN32)
2150 #else
2155 }
2156 #endif
2161 }
2165 }
2166 /* XXXX In the case where check==CPD_CHECK, we should look at the
2167 * parent directory a little harder. */
2169 }
2173 }
2174 #ifndef _WIN32
2176 /* Look up the user and group information.
2177 * If we have a problem, bail out. */
2181 effective_user);
2183 }
2189 }
2207 }
2223 }
2228 }
2233 dirname);
2235 }
2241 }
2249 }
2250 }
2251 #endif
2253 }
2255 /** Create a file named <b>fname</b> with the contents <b>str</b>. Overwrite
2256 * the previous <b>fname</b> if possible. Return 0 on success, -1 on failure.
2257 *
2258 * This function replaces the old file atomically, if possible. This
2259 * function, and all other functions in util.c that create files, create them
2260 * with mode 0600.
2261 */
2262 int
2264 {
2265 #ifdef _WIN32
2270 }
2271 #endif
2273 }
2275 /** Represents a file that we're writing to, with support for atomic commit:
2276 * we can write into a temporary file, and either remove the file on
2277 * failure, or replace the original file on success. */
2285 };
2287 /** Try to start writing to the file in <b>fname</b>, passing the flags
2288 * <b>open_flags</b> to the open() syscall, creating the file (if needed) with
2289 * access value <b>mode</b>. If the O_APPEND flag is set, we append to the
2290 * original file. Otherwise, we open a new temporary file in the same
2291 * directory, and either replace the original or remove the temporary file
2292 * when we're done.
2293 *
2294 * Return the fd for the newly opened file, and store working data in
2295 * *<b>data_out</b>. The caller should not close the fd manually:
2296 * instead, call finish_writing_to_file() or abort_writing_to_file().
2297 * Returns -1 on failure.
2298 *
2299 * NOTE: When not appending, the flags O_CREAT and O_TRUNC are treated
2300 * as true and the flag O_EXCL is treated as false.
2301 *
2302 * NOTE: Ordinarily, O_APPEND means "seek to the end of the file before each
2303 * write()". We don't do that.
2304 */
2305 int
2308 {
2315 #if (O_BINARY != 0 && O_TEXT != 0)
2317 #endif
2328 /* We always replace an existing temporary file if there is one. */
2332 }
2333 #if O_BINARY != 0
2336 #endif
2343 }
2349 }
2350 }
2356 err:
2364 }
2366 /** Given <b>file_data</b> from start_writing_to_file(), return a stdio FILE*
2367 * that can be used to write to the same file. The caller should not mix
2368 * stdio calls with non-stdio calls. */
2371 {
2380 }
2382 }
2384 /** Combines start_writing_to_file with fdopen_file(): arguments are as
2385 * for start_writing_to_file, but */
2389 {
2396 }
2398 }
2400 /** Helper function: close and free the underlying file and memory in
2401 * <b>file_data</b>. If we were writing into a temporary file, then delete
2402 * that file (if abort_write is true) or replaces the target file with
2403 * the temporary file (if abort_write is false). */
2404 static int
2406 {
2415 }
2420 }
2427 /* We couldn't unlink and we'll leave a mess behind */
2431 }
2438 }
2439 }
2440 }
2447 }
2449 /** Finish writing to <b>file_data</b>: close the file handle, free memory as
2450 * needed, and if using a temporary file, replace the original file with
2451 * the temporary file. */
2452 int
2454 {
2456 }
2458 /** Finish writing to <b>file_data</b>: close the file handle, free memory as
2459 * needed, and if using a temporary file, delete it. */
2460 int
2462 {
2464 }
2466 /** Helper: given a set of flags as passed to open(2), open the file
2467 * <b>fname</b> and write all the sized_chunk_t structs in <b>chunks</b> to
2468 * the file. Do so as atomically as possible e.g. by opening temp files and
2469 * renaming. */
2470 static int
2473 {
2476 ssize_t result;
2481 {
2487 }
2489 });
2492 err:
2495 }
2497 /** Given a smartlist of sized_chunk_t, write them to a file
2498 * <b>fname</b>, overwriting or creating the file as necessary.
2499 * If <b>no_tempfile</b> is 0 then the file will be written
2500 * atomically. */
2501 int
2504 {
2508 /* O_APPEND stops write_chunks_to_file from using tempfiles */
2510 }
2512 }
2514 /** Write <b>len</b> bytes, starting at <b>str</b>, to <b>fname</b>
2515 using the open() flags passed in <b>flags</b>. */
2516 static int
2519 {
2527 }
2529 /** As write_str_to_file, but does not assume a NUL-terminated
2530 * string. Instead, we write <b>len</b> bytes, starting at <b>str</b>. */
2534 {
2537 }
2539 /** As write_bytes_to_file, but if the file already exists, append the bytes
2540 * to the end of the file instead of overwriting it. */
2541 int
2544 {
2547 }
2549 /** Like write_str_to_file(), but also return -1 if there was a file
2550 already residing in <b>fname</b>. */
2551 int
2554 {
2556 OPEN_FLAGS_DONT_REPLACE|
2558 }
2560 /**
2561 * Read the contents of the open file <b>fd</b> presuming it is a FIFO
2562 * (or similar) file descriptor for which the size of the file isn't
2563 * known ahead of time. Return NULL on failure, and a NUL-terminated
2564 * string on success. On success, set <b>sz_out</b> to the number of
2565 * bytes read.
2566 */
2569 {
2570 ssize_t r;
2579 /* XXXX This "add 1K" approach is a little goofy; if we care about
2580 * performance here, we should be doubling. But in practice we shouldn't
2581 * be using this function on big files anyway. */
2590 }
2599 }
2601 /** Read the contents of <b>filename</b> into a newly allocated
2602 * string; return the string on success or NULL on failure.
2603 *
2604 * If <b>stat_out</b> is provided, store the result of stat()ing the
2605 * file into <b>stat_out</b>.
2606 *
2607 * If <b>flags</b> & RFTS_BIN, open the file in binary mode.
2608 * If <b>flags</b> & RFTS_IGNORE_MISSING, don't warn if the file
2609 * doesn't exist.
2610 */
2611 /*
2612 * This function <em>may</em> return an erroneous result if the file
2613 * is modified while it is running, but must not crash or overflow.
2614 * Right now, the error case occurs when the file length grows between
2615 * the call to stat and the call to read_all: the resulting string will
2616 * be truncated.
2617 */
2620 {
2624 ssize_t r;
2639 }
2647 }
2649 #ifndef _WIN32
2650 /** When we detect that we're reading from a FIFO, don't read more than
2651 * this many bytes. It's insane overkill for most uses. */
2652 #define FIFO_READ_MAX (1024*1024)
2659 }
2662 }
2663 #endif
2668 }
2681 }
2684 #if defined(_WIN32) || defined(__CYGWIN__)
2688 filename);
2691 }
2695 #endif
2697 /* Unless we're using text mode on win32, we'd better have an exact
2698 * match for size. */
2706 }
2710 }
2713 }
2717 /** Given a c-style double-quoted escaped string in <b>s</b>, extract and
2718 * decode its contents into a newly allocated string. On success, assign this
2719 * string to *<b>result</b>, assign its length to <b>size_out</b> (if
2720 * provided), and return a pointer to the position in <b>s</b> immediately
2721 * after the string. On failure, return NULL.
2722 */
2725 {
2752 }
2757 }
2758 }
2759 end_of_loop:
2764 {
2775 {
2780 {
2788 }
2792 }
2796 {
2803 }
2814 }
2818 }
2819 }
2820 }
2822 /** Given a string containing part of a configuration file or similar format,
2823 * advance past comments and whitespace and try to parse a single line. If we
2824 * parse a line successfully, set *<b>key_out</b> to a new string holding the
2825 * key portion and *<b>value_out</b> to a new string holding the value portion
2826 * of the line, and return a pointer to the start of the next line. If we run
2827 * out of data, return a pointer to the end of the string. If we encounter an
2828 * error, return NULL and set *<b>err_out</b> (if provided) to an error
2829 * message.
2830 */
2835 {
2836 /* I believe the file format here is supposed to be:
2837 FILE = (EMPTYLINE | LINE)* (EMPTYLASTLINE | LASTLINE)?
2839 EMPTYLASTLINE = SPACE* | COMMENT
2840 EMPTYLINE = EMPTYLASTLINE NL
2841 SPACE = ' ' | '\r' | '\t'
2842 COMMENT = '#' NOT-NL*
2843 NOT-NL = Any character except '\n'
2844 NL = '\n'
2846 LASTLINE = SPACE* KEY SPACE* VALUES
2847 LINE = LASTLINE NL
2848 KEY = KEYCHAR+
2849 KEYCHAR = Any character except ' ', '\r', '\n', '\t', '#', "\"
2851 VALUES = QUOTEDVALUE | NORMALVALUE
2852 QUOTEDVALUE = QUOTE QVCHAR* QUOTE EOLSPACE?
2853 QUOTE = '"'
2854 QVCHAR = KEYCHAR | ESC ('n' | 't' | 'r' | '"' | ESC |'\'' | OCTAL | HEX)
2855 ESC = "\\"
2856 OCTAL = ODIGIT (ODIGIT ODIGIT?)?
2857 HEX = ('x' | 'X') HEXDIGIT HEXDIGIT
2858 ODIGIT = '0' .. '7'
2859 HEXDIGIT = '0'..'9' | 'a' .. 'f' | 'A' .. 'F'
2860 EOLSPACE = SPACE* COMMENT?
2862 NORMALVALUE = (VALCHAR | ESC ESC_IGNORE | CONTINUATION)* EOLSPACE?
2863 VALCHAR = Any character except ESC, '#', and '\n'
2864 ESC_IGNORE = Any character except '#' or '\n'
2865 CONTINUATION = ESC NL ( COMMENT NL )*
2866 */
2876 /* Skip until the first keyword. */
2885 }
2886 }
2891 }
2893 /* Skip until the next space or \ followed by newline. */
2900 /* Skip until the value. */
2906 /* Find the end of the line. */
2912 }
2919 }
2921 /* Look for the end of the line. */
2934 }
2935 }
2941 }
2942 /* Now back cp up to be the last nonspace character */
2948 /* Now copy out and decode the value. */
2964 }
2965 }
2967 }
2968 }
2974 }
2978 }
2980 /** Expand any homedir prefix on <b>filename</b>; return a newly allocated
2981 * string. */
2984 {
2986 #ifdef _WIN32
2988 #else
3001 }
3004 #ifdef HAVE_PWD_H
3009 else
3015 }
3018 #else
3021 #endif
3022 }
3024 /* Remove trailing slash. */
3027 }
3033 }
3034 #endif
3035 }
3037 #define MAX_SCANF_WIDTH 9999
3039 /** Helper: given an ASCII-encoded decimal digit, return its numeric value.
3040 * NOTE: requires that its input be in-bounds. */
3041 static int
3043 {
3047 }
3049 /** Helper: Read an unsigned int from *<b>bufp</b> of up to <b>width</b>
3050 * characters. (Handle arbitrary width if <b>width</b> is less than 0.) On
3051 * success, store the result in <b>out</b>, advance bufp to the next
3052 * character, and return 0. On failure, return -1. */
3053 static int
3055 {
3068 // Check for overflow beforehand, without actually causing any overflow
3069 // This preserves functionality on compilers that don't wrap overflow
3070 // (i.e. that trap or optimise away overflow)
3071 // result * base + digit > ULONG_MAX
3072 // result * base > ULONG_MAX - digit
3077 }
3084 }
3086 /** Helper: Read an signed int from *<b>bufp</b> of up to <b>width</b>
3087 * characters. (Handle arbitrary width if <b>width</b> is less than 0.) On
3088 * success, store the result in <b>out</b>, advance bufp to the next
3089 * character, and return 0. On failure, return -1. */
3090 static int
3092 {
3105 }
3113 // Avoid overflow on the cast to signed long when result is LONG_MIN
3114 // by subtracting 1 from the unsigned long positive value,
3115 // then, after it has been cast to signed and negated,
3116 // subtracting the original 1 (the double-subtraction is intentional).
3117 // Otherwise, the cast to signed could cause a temporary long
3118 // to equal LONG_MAX + 1, which is undefined.
3119 // We avoid underflow on the subtraction by treating -0 as positive.
3125 }
3128 }
3130 /** Helper: Read a decimal-formatted double from *<b>bufp</b> of up to
3131 * <b>width</b> characters. (Handle arbitrary width if <b>width</b> is less
3132 * than 0.) On success, store the result in <b>out</b>, advance bufp to the
3133 * next character, and return 0. On failure, return -1. */
3134 static int
3136 {
3149 }
3155 }
3165 }
3167 }
3174 }
3176 /** Helper: copy up to <b>width</b> non-space characters from <b>bufp</b> to
3177 * <b>out</b>. Make sure <b>out</b> is nul-terminated. Advance <b>bufp</b>
3178 * to the next non-space character or the EOS. */
3179 static int
3181 {
3188 }
3191 }
3193 /** Locale-independent, minimal, no-surprises scanf variant, accepting only a
3194 * restricted pattern format. For more info on what it supports, see
3195 * tor_sscanf() documentation. */
3196 int
3198 {
3209 }
3221 }
3224 }
3228 }
3244 }
3269 }
3302 }
3303 }
3304 }
3307 }
3309 /** Minimal sscanf replacement: parse <b>buf</b> according to <b>pattern</b>
3310 * and store the results in the corresponding argument fields. Differs from
3311 * sscanf in that:
3312 * <ul><li>It only handles %u, %lu, %x, %lx, %[NUM]s, %d, %ld, %lf, and %c.
3313 * <li>It only handles decimal inputs for %lf. (12.3, not 1.23e1)
3314 * <li>It does not handle arbitrarily long widths.
3315 * <li>Numbers do not consume any space characters.
3316 * <li>It is locale-independent.
3317 * <li>%u and %x do not consume any space.
3318 * <li>It returns -1 on malformed patterns.</ul>
3319 *
3320 * (As with other locale-independent functions, we need this to parse data that
3321 * is in ASCII without worrying that the C library's locale-handling will make
3322 * miscellaneous characters look like numbers, spaces, and so on.)
3323 */
3324 int
3326 {
3333 }
3335 /** Append the string produced by tor_asprintf(<b>pattern</b>, <b>...</b>)
3336 * to <b>sl</b>. */
3337 void
3339 {
3344 }
3346 /** va_list-based backend of smartlist_add_asprintf. */
3347 void
3350 {
3357 }
3359 /** Return a new list containing the filenames in the directory <b>dirname</b>.
3360 * Return NULL on error or if <b>dirname</b> is not a directory.
3361 */
3362 smartlist_t *
3364 {
3366 #ifdef _WIN32
3370 HANDLE handle;
3371 WIN32_FIND_DATA findData;
3373 #ifdef UNICODE
3375 #else
3377 #endif
3381 }
3384 #ifdef UNICODE
3387 #else
3389 #endif
3393 }
3395 DWORD err;
3400 }
3402 }
3403 }
3406 #else
3419 }
3421 #endif
3423 }
3425 /** Return true iff <b>filename</b> is a relative path. */
3426 int
3428 {
3431 #ifdef _WIN32
3437 #endif
3438 else
3440 }
3442 /* =====
3443 * Process helpers
3444 * ===== */
3446 #ifndef _WIN32
3447 /* Based on code contributed by christian grothoff */
3448 /** True iff we've called start_daemon(). */
3450 /** True iff we've called finish_daemon(). */
3452 /** Socketpair used to communicate between parent and child process while
3453 * daemonizing. */
3455 /** Start putting the process into daemon mode: fork and drop all resources
3456 * except standard fds. The parent process never returns, but stays around
3457 * until finish_daemon is called. (Note: it's safe to call this more
3458 * than once: calls after the first are ignored.)
3459 */
3460 void
3462 {
3463 pid_t pid;
3472 }
3477 }
3487 }
3491 else
3497 /*
3498 * Fork one more time, so the parent (the session group leader) can exit.
3499 * This means that we, as a non-session group leader, can never regain a
3500 * controlling terminal. This part is recommended by Stevens's
3501 * _Advanced Programming in the Unix Environment_.
3502 */
3505 }
3509 }
3510 }
3512 /** Finish putting the process into daemon mode: drop standard fds, and tell
3513 * the parent process to exit. (Note: it's safe to call this more than once:
3514 * calls after the first are ignored. Calls start_daemon first if it hasn't
3515 * been called already.)
3516 */
3517 void
3519 {
3530 /* Don't hold the wrong FS mounted */
3534 }
3540 }
3541 /* close fds linking to invoking terminal, but
3542 * close usual incoming fds, but redirect them somewhere
3543 * useful so the fds don't get reallocated elsewhere.
3544 */
3550 }
3553 /* signal success */
3556 }
3558 }
3559 #else
3560 /* defined(_WIN32) */
3561 void
3563 {
3564 }
3565 void
3567 {
3569 }
3570 #endif
3572 /** Write the current process ID, followed by NL, into <b>filename</b>.
3573 */
3574 void
3576 {
3583 #ifdef _WIN32
3585 #else
3587 #endif
3589 }
3590 }
3592 #ifdef _WIN32
3593 HANDLE
3595 {
3604 }
3605 #endif
3607 /** Format a single argument for being put on a Windows command line.
3608 * Returns a newly allocated string */
3611 {
3617 /* Backslash we can point to when one is inserted into the string */
3620 /* Smartlist of *char */
3624 /* Quote string if it contains whitespace or is empty */
3627 /* Build up smartlist of *chars */
3630 /* Double up backslashes preceding a quote */
3634 /* Escape the quote */
3638 /* Count backslashes until we know whether to double up */
3639 bs_counter++;
3641 /* Don't double up slashes preceding a non-quote */
3646 }
3647 }
3648 /* Don't double up trailing backslashes */
3652 /* Allocate space for argument, quotes (if needed), and terminator */
3657 /* Add leading quote */
3662 /* Add characters */
3664 {
3666 });
3668 /* Add trailing quote */
3675 }
3677 /** Format a command line for use on Windows, which takes the command as a
3678 * string rather than string array. Follows the rules from "Parsing C++
3679 * Command-Line Arguments" in MSDN. Algorithm based on list2cmdline in the
3680 * Python subprocess module. Returns a newly allocated string */
3683 {
3688 /* Format each argument and put the result in a smartlist */
3692 }
3694 /* Join the arguments with whitespace */
3697 /* Free the newly allocated arguments, and the smartlist */
3699 {
3701 });
3705 }
3707 /* As format_{hex,dex}_number_sigsafe, but takes a <b>radix</b> argument
3708 * in range 2..16 inclusive. */
3709 static int
3712 {
3717 /* NOT tor_assert. This needs to be safe to run from within a signal handler,
3718 * and from within the 'tor_assert() has failed' code. */
3722 /* Count how many digits we need. */
3728 }
3730 /* Not long enough */
3744 /* NOT tor_assert; see above. */
3747 }
3750 }
3752 /**
3753 * Helper function to output hex numbers from within a signal handler.
3754 *
3755 * Writes the nul-terminated hexadecimal digits of <b>x</b> into a buffer
3756 * <b>buf</b> of size <b>buf_len</b>, and return the actual number of digits
3757 * written, not counting the terminal NUL.
3758 *
3759 * If there is insufficient space, write nothing and return 0.
3760 *
3761 * This accepts an unsigned int because format_helper_exit_status() needs to
3762 * call it with a signed int and an unsigned char, and since the C standard
3763 * does not guarantee that an int is wider than a char (an int must be at
3764 * least 16 bits but it is permitted for a char to be that wide as well), we
3765 * can't assume a signed int is sufficient to accomodate an unsigned char.
3766 * Thus, format_helper_exit_status() will still need to emit any require '-'
3767 * on its own.
3768 *
3769 * For most purposes, you'd want to use tor_snprintf("%x") instead of this
3770 * function; it's designed to be used in code paths where you can't call
3771 * arbitrary C functions.
3772 */
3773 int
3775 {
3777 }
3779 /** As format_hex_number_sigsafe, but format the number in base 10. */
3780 int
3782 {
3784 }
3786 #ifndef _WIN32
3787 /** Format <b>child_state</b> and <b>saved_errno</b> as a hex string placed in
3788 * <b>hex_errno</b>. Called between fork and _exit, so must be signal-handler
3789 * safe.
3790 *
3791 * <b>hex_errno</b> must have at least HEX_ERRNO_SIZE+1 bytes available.
3792 *
3793 * The format of <b>hex_errno</b> is: "CHILD_STATE/ERRNO\n", left-padded
3794 * with spaces. CHILD_STATE indicates where
3795 * in the processs of starting the child process did the failure occur (see
3796 * CHILD_STATE_* macros for definition), and SAVED_ERRNO is the value of
3797 * errno when the failure occurred.
3798 *
3799 * On success return the number of characters added to hex_errno, not counting
3800 * the terminating NUL; return -1 on error.
3801 */
3802 STATIC int
3805 {
3812 /* Fill hex_errno with spaces, and a trailing newline (memset may
3813 not be signal handler safe, so we can't use it) */
3818 /* Convert errno to be unsigned for hex conversion */
3820 // Avoid overflow on the cast to unsigned int when result is INT_MIN
3821 // by adding 1 to the signed int negative value,
3822 // then, after it has been negated and cast to unsigned,
3823 // adding the original 1 back (the double-addition is intentional).
3824 // Otherwise, the cast to signed could cause a temporary int
3825 // to equal INT_MAX + 1, which is undefined.
3829 }
3831 /*
3832 * Count how many chars of space we have left, and keep a pointer into the
3833 * current point in the buffer.
3834 */
3838 /* Emit child_state */
3844 /* Adjust left and cur */
3850 /* Now the '/' */
3853 /* Adjust left and cur */
3859 /* Need minus? */
3866 }
3868 /* Emit unsigned_errno */
3874 /* Adjust left and cur */
3878 /* Check that we have enough space left for a newline and a NUL */
3882 /* Emit the newline and NUL */
3890 err:
3891 /*
3892 * In error exit, just write a '\0' in the first char so whatever called
3893 * this at least won't fall off the end.
3894 */
3897 done:
3899 }
3900 #endif
3902 /* Maximum number of file descriptors, if we cannot get it via sysconf() */
3903 #define DEFAULT_MAX_FD 256
3905 /** Terminate the process of <b>process_handle</b>.
3906 * Code borrowed from Python's os.kill. */
3907 int
3909 {
3910 #ifdef _WIN32
3916 else
3918 }
3921 /* We haven't got a waitpid yet, so we can just kill off the process. */
3923 }
3924 #endif
3927 }
3929 /** Return the Process ID of <b>process_handle</b>. */
3930 int
3932 {
3933 #ifdef _WIN32
3935 #else
3937 #endif
3938 }
3940 #ifdef _WIN32
3941 HANDLE
3943 {
3945 }
3946 #else
3947 /* DOCDOC tor_process_get_stdout_pipe */
3950 {
3952 }
3953 #endif
3955 /* DOCDOC process_handle_new */
3958 {
3961 #ifdef _WIN32
3965 #else
3969 #endif
3972 }
3974 #ifndef _WIN32
3975 /** Invoked when a process that we've launched via tor_spawn_background() has
3976 * been found to have terminated.
3977 */
3978 static void
3980 {
3988 }
3989 #endif
3991 /**
3992 * @name child-process states
3993 *
3994 * Each of these values represents a possible state that a child process can
3995 * be in. They're used to determine what to say when telling the parent how
3996 * far along we were before failure.
3997 *
3998 * @{
3999 */
4000 #define CHILD_STATE_INIT 0
4001 #define CHILD_STATE_PIPE 1
4002 #define CHILD_STATE_MAXFD 2
4003 #define CHILD_STATE_FORK 3
4004 #define CHILD_STATE_DUPOUT 4
4005 #define CHILD_STATE_DUPERR 5
4006 #define CHILD_STATE_DUPIN 6
4007 #define CHILD_STATE_CLOSEFD 7
4008 #define CHILD_STATE_EXEC 8
4009 #define CHILD_STATE_FAILEXEC 9
4010 /** @} */
4011 /** Start a program in the background. If <b>filename</b> contains a '/', then
4012 * it will be treated as an absolute or relative path. Otherwise, on
4013 * non-Windows systems, the system path will be searched for <b>filename</b>.
4014 * On Windows, only the current directory will be searched. Here, to search the
4015 * system path (as well as the application directory, current working
4016 * directory, and system directories), set filename to NULL.
4017 *
4018 * The strings in <b>argv</b> will be passed as the command line arguments of
4019 * the child program (following convention, argv[0] should normally be the
4020 * filename of the executable, and this must be the case if <b>filename</b> is
4021 * NULL). The last element of argv must be NULL. A handle to the child process
4022 * will be returned in process_handle (which must be non-NULL). Read
4023 * process_handle.status to find out if the process was successfully launched.
4024 * For convenience, process_handle.status is returned by this function.
4025 *
4026 * Some parts of this code are based on the POSIX subprocess module from
4027 * Python, and example code from
4028 * http://msdn.microsoft.com/en-us/library/ms682499%28v=vs.85%29.aspx.
4029 */
4030 int
4034 {
4035 #ifdef _WIN32
4045 STARTUPINFOA siStartInfo;
4048 SECURITY_ATTRIBUTES saAttr;
4053 /* TODO: should we set explicit security attributes? (#2046, comment 5) */
4056 /* Assume failure to start process */
4059 /* Set up pipe for stdout */
4065 }
4068 "Failed to configure pipe for stdout communication with child "
4071 }
4073 /* Set up pipe for stderr */
4079 }
4082 "Failed to configure pipe for stderr communication with child "
4085 }
4087 /* Set up pipe for stdin */
4093 }
4096 "Failed to configure pipe for stdin communication with child "
4099 }
4101 /* Create the child process */
4103 /* Windows expects argv to be a whitespace delimited string, so join argv up
4104 */
4118 /* Create the child process */
4122 /* TODO: should we set explicit security attributes? (#2046, comment 5) */
4126 /*(TODO: set CREATE_NEW CONSOLE/PROCESS_GROUP to make GetExitCodeProcess()
4127 * work?) */
4142 /* TODO: Close hProcess and hThread in process_handle->pid? */
4147 }
4149 /* TODO: Close pipes on exit */
4153 pid_t pid;
4158 ssize_t nbytes;
4165 /* Represents where in the process of spawning the program is;
4166 this is used for printing out the error message */
4175 /* We do the strlen here because strlen() is not signal handler safe,
4176 and we are not allowed to use unsafe functions between fork and exec */
4181 /* Set up pipe for redirecting stdout, stderr, and stdin of child */
4188 }
4200 }
4214 }
4218 #ifdef _SC_OPEN_MAX
4225 }
4226 }
4227 #else
4229 #endif
4235 /* In child */
4237 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
4238 /* Attempt to have the kernel issue a SIGTERM if the parent
4239 * goes away. Certain attributes of the binary being execve()ed
4240 * will clear this during the execve() call, but it's better
4241 * than nothing.
4242 */
4244 #endif
4248 /* Link child stdout to the write end of the pipe */
4255 /* Link child stderr to the write end of the pipe */
4262 /* Link child stdin to the read end of the pipe */
4276 /* Close all other fds, including the read end of the pipe */
4277 /* XXX: We should now be doing enough FD_CLOEXEC setting to make
4278 * this needless. */
4281 }
4285 /* Call the requested program. We need the cast because
4286 execvp doesn't define argv as const, even though it
4287 does not modify the arguments */
4293 }
4295 /* If we got here, the exec or open(/dev/null) failed */
4299 error:
4300 {
4301 /* XXX: are we leaking fds from the pipe? */
4307 /* Write the error message. GCC requires that we check the return
4308 value, but there is nothing we can do if it fails */
4309 /* TODO: Don't use STDOUT, use a pipe set up just for this purpose */
4312 }
4313 }
4318 /* Never reached, but avoids compiler warning */
4320 }
4322 /* In parent */
4333 }
4339 /* TODO: If the child process forked but failed to exec, waitpid it */
4341 /* Return read end of the pipes to caller, and close write end */
4349 }
4352 process_handle_waitpid_cb,
4353 process_handle);
4362 }
4364 /* Return write end of the stdin pipe to caller, and close the read end */
4372 }
4375 /* Set stdin/stdout/stderr pipes to be non-blocking */
4381 }
4382 /* Open the buffered IO streams */
4390 }
4392 /** Destroy all resources allocated by the process handle in
4393 * <b>process_handle</b>.
4394 * If <b>also_terminate_process</b> is true, also terminate the
4395 * process of the process handle. */
4399 {
4406 #ifdef _WIN32
4408 #else
4410 #endif
4413 errstr);
4417 }
4418 }
4422 #ifdef _WIN32
4431 #else
4442 #endif
4446 }
4448 /** Get the exit code of a process specified by <b>process_handle</b> and store
4449 * it in <b>exit_code</b>, if set to a non-NULL value. If <b>block</b> is set
4450 * to true, the call will block until the process has exited. Otherwise if
4451 * the process is still running, the function will return
4452 * PROCESS_EXIT_RUNNING, and exit_code will be left unchanged. Returns
4453 * PROCESS_EXIT_EXITED if the process did exit. If there is a failure,
4454 * PROCESS_EXIT_ERROR will be returned and the contents of exit_code (if
4455 * non-NULL) will be undefined. N.B. Under *nix operating systems, this will
4456 * probably not work in Tor, because waitpid() is called in main.c to reap any
4457 * terminated child processes.*/
4458 int
4461 {
4462 #ifdef _WIN32
4463 DWORD retval;
4464 BOOL success;
4467 /* Wait for the process to exit */
4473 }
4477 /* Process has not exited */
4483 }
4484 }
4493 }
4494 }
4495 #else
4500 /* We haven't processed a SIGCHLD yet. */
4506 }
4508 /* We already got a SIGCHLD for this process, and handled it. */
4511 }
4514 /* Process has not exited */
4520 }
4526 }
4533 }
4535 /** Helper: return the number of characters in <b>s</b> preceding the first
4536 * occurrence of <b>ch</b>. If <b>ch</b> does not occur in <b>s</b>, return
4537 * the length of <b>s</b>. Should be equivalent to strspn(s, "ch"). */
4540 {
4544 else
4546 }
4548 /** Return non-zero iff getenv would consider <b>s1</b> and <b>s2</b>
4549 * to have the same name as strings in a process's environment. */
4550 int
4552 {
4558 }
4560 /** Free <b>env</b> (assuming it was produced by
4561 * process_environment_make). */
4562 void
4564 {
4567 /* As both an optimization hack to reduce consing on Unixoid systems
4568 * and a nice way to ensure that some otherwise-Windows-specific
4569 * code will always get tested before changes to it get merged, the
4570 * strings which env->unixoid_environment_block points to are packed
4571 * into env->windows_environment_block. */
4576 }
4578 /** Make a process_environment_t containing the environment variables
4579 * specified in <b>env_vars</b> (as C strings of the form
4580 * "NAME=VALUE"). */
4581 process_environment_t *
4583 {
4592 /* env->unixoid_environment_block is already NULL-terminated,
4593 * because we assume that NULL == 0 (and check that during compilation). */
4603 }
4606 /* env->windows_environment_block is already
4607 * (NUL-terminated-empty-string)-terminated. */
4609 /* Some versions of Windows supposedly require that environment
4610 * blocks be sorted. Or maybe some Windows programs (or their
4611 * runtime libraries) fail to look up strings in non-sorted
4612 * environment blocks.
4613 *
4614 * Also, sorting strings makes it easy to find duplicate environment
4615 * variables and environment-variable strings without an '=' on all
4616 * OSes, and they can cause badness. Let's complain about those. */
4621 /* Now copy the strings into the environment blocks. */
4622 {
4633 "Preparing an environment containing a variable "
4635 s);
4636 }
4640 "Preparing an environment containing two variables "
4643 }
4647 /* Actually copy the string into the environment. */
4651 }
4654 }
4659 }
4661 /** Return a newly allocated smartlist containing every variable in
4662 * this process's environment, as a NUL-terminated string of the form
4663 * "NAME=VALUE". Note that on some/many/most/all OSes, the parent
4664 * process can put strings not of that form in our environment;
4665 * callers should try to not get crashed by that.
4666 *
4667 * The returned strings are heap-allocated, and must be freed by the
4668 * caller. */
4671 {
4677 }
4680 }
4682 /** For each string s in <b>env_vars</b> such that
4683 * environment_variable_names_equal(s, <b>new_var</b>), remove it; if
4684 * <b>free_p</b> is non-zero, call <b>free_old</b>(s). If
4685 * <b>new_var</b> contains '=', insert it into <b>env_vars</b>. */
4686 void
4691 {
4697 }
4698 }
4703 }
4704 }
4706 #ifdef _WIN32
4707 /** Read from a handle <b>h</b> into <b>buf</b>, up to <b>count</b> bytes. If
4708 * <b>hProcess</b> is NULL, the function will return immediately if there is
4709 * nothing more to read. Otherwise <b>hProcess</b> should be set to the handle
4710 * to the process owning the <b>h</b>. In this case, the function will exit
4711 * only once the process has exited, or <b>count</b> bytes are read. Returns
4712 * the number of bytes read, or -1 on error. */
4713 ssize_t
4716 {
4718 BOOL retval;
4719 DWORD byte_count;
4726 /* Check if there is anything to read */
4734 /* Nothing available: process exited or it is busy */
4736 /* Exit if we don't know whether the process is running */
4740 /* The process exited and there's nothing left to read from it */
4744 /* If process is not running, check for output one more time in case
4745 it wrote something after the peek was performed. Otherwise keep on
4746 waiting for output */
4753 }
4755 /* There is data to read; read it */
4763 /* End of file */
4765 }
4767 }
4769 }
4770 #else
4771 /** Read from a handle <b>h</b> into <b>buf</b>, up to <b>count</b> bytes. If
4772 * <b>process</b> is NULL, the function will return immediately if there is
4773 * nothing more to read. Otherwise data will be read until end of file, or
4774 * <b>count</b> bytes are read. Returns the number of bytes read, or -1 on
4775 * error. Sets <b>eof</b> to true if <b>eof</b> is not NULL and the end of the
4776 * file has been reached. */
4777 ssize_t
4781 {
4792 /* Use fgets because that is what we use in log_from_pipe() */
4804 else
4810 }
4811 }
4812 }
4816 }
4820 }
4821 #endif
4823 /** Read from stdout of a process until the process exits. */
4824 ssize_t
4827 {
4828 #ifdef _WIN32
4830 process_handle);
4831 #else
4834 #endif
4835 }
4837 /** Read from stdout of a process until the process exits. */
4838 ssize_t
4841 {
4842 #ifdef _WIN32
4844 process_handle);
4845 #else
4848 #endif
4849 }
4851 /** Split buf into lines, and add to smartlist. The buffer <b>buf</b> will be
4852 * modified. The resulting smartlist will consist of pointers to buf, so there
4853 * is no need to free the contents of sl. <b>buf</b> must be a NUL-terminated
4854 * string. <b>len</b> should be set to the length of the buffer excluding the
4855 * NUL. Non-printable characters (including NUL) will be replaced with "." */
4856 int
4858 {
4859 /* Index in buf of the start of the current line */
4861 /* Index in buf of the current character being processed */
4863 /* Are we currently in a line */
4866 /* Loop over string */
4868 /* Loop until end of line or end of string */
4872 /* End of line */
4874 /* Point cur to the next line */
4875 cur++;
4876 /* Line starts at start and ends with a nul */
4881 }
4884 /* Skip leading vertical space */
4885 ;
4891 }
4892 }
4893 }
4894 /* We are at the end of the line or end of string. If in_line is true there
4895 * is a line which starts at buf+start and ends at a NUL. cur points to
4896 * the character after the NUL. */
4900 }
4902 }
4904 /** Return a string corresponding to <b>stream_status</b>. */
4907 {
4920 }
4921 }
4923 /* DOCDOC */
4924 static void
4927 {
4928 /* Parse error message */
4939 /* Failed to parse message from child process, log it as a
4940 warning */
4944 }
4945 }
4947 #ifdef _WIN32
4949 /** Return a smartlist containing lines outputted from
4950 * <b>handle</b>. Return NULL on error, and set
4951 * <b>stream_status_out</b> appropriately. */
4955 {
4968 }
4972 }
4974 /* End with a null even if there isn't a \r\n at the end */
4975 /* TODO: What if this is a partial line? */
4978 /* Split up the buffer */
4982 /* Currently 'lines' is populated with strings residing on the
4983 stack. Replace them with their exact copies on the heap: */
4990 }
4992 /** Read from stream, and send lines to log at the specified log level.
4993 * Returns -1 if there is a error reading, and 0 otherwise.
4994 * If the generated stream is flushed more often than on new lines, or
4995 * a read exceeds 256 bytes, lines will be truncated. This should be fixed,
4996 * along with the corresponding problem on *nix (see bug #2045).
4997 */
4998 static int
5000 {
5007 /* Error */
5010 }
5013 /* There's nothing to read (process is busy or has exited) */
5016 }
5018 /* End with a null even if there isn't a \r\n at the end */
5019 /* TODO: What if this is a partial line? */
5023 /* Split up the buffer */
5027 /* Log each line */
5029 {
5031 });
5035 }
5037 #else
5039 /** Return a smartlist containing lines outputted from
5040 * <b>handle</b>. Return NULL on error, and set
5041 * <b>stream_status_out</b> appropriately. */
5045 {
5060 }
5062 done:
5065 }
5067 /** Read from stream, and send lines to log at the specified log level.
5068 * Returns 1 if stream is closed normally, -1 if there is a error reading, and
5069 * 0 otherwise. Handles lines from tor-fw-helper and
5070 * tor_spawn_background() specially.
5071 */
5072 static int
5075 {
5088 }
5092 /* Check if buf starts with SPAWN_ERROR_MESSAGE */
5097 }
5098 }
5100 /* We should never get here */
5102 }
5103 #endif
5105 /** Reads from <b>stream</b> and stores input in <b>buf_out</b> making
5106 * sure it's below <b>count</b> bytes.
5107 * If the string has a trailing newline, we strip it off.
5108 *
5109 * This function is specifically created to handle input from managed
5110 * proxies, according to the pluggable transports spec. Make sure it
5111 * fits your needs before using it.
5112 *
5113 * Returns:
5114 * IO_STREAM_CLOSED: If the stream is closed.
5115 * IO_STREAM_EAGAIN: If there is nothing to read and we should check back
5116 * later.
5117 * IO_STREAM_TERM: If something is wrong with the stream.
5118 * IO_STREAM_OKAY: If everything went okay and we got a string
5119 * in <b>buf_out</b>. */
5120 enum stream_status
5122 {
5132 /* Program has closed stream (probably it exited) */
5133 /* TODO: check error */
5137 /* Nothing more to read, try again next time */
5140 /* There was a problem, abandon this child process */
5142 }
5143 }
5147 /* this probably means we got a NUL at the start of the string. */
5149 }
5152 /* Remove the trailing newline */
5155 /* No newline; check whether we overflowed the buffer */
5159 /* TODO: What to do with this error? */
5160 }
5163 }
5165 /* We should never get here */
5167 }
5169 /** Parse a <b>line</b> from tor-fw-helper and issue an appropriate
5170 * log message to our user. */
5171 static void
5173 {
5184 /* We need to check for SPAWN_ERROR_MESSAGE again here, since it's
5185 * possible that it got sent after we tried to read it in log_from_pipe.
5186 *
5187 * XXX Ideally, we should be using one of stdout/stderr for the real
5188 * output, and one for the output of the startup code. We used to do that
5189 * before cd05f35d2c.
5190 */
5194 }
5211 /* If there are more than 5 tokens, they are part of [<message>].
5212 Let's use a second smartlist to form the whole message;
5213 strncat loops suck. */
5223 /* wrap the message in log-friendly wrapping */
5227 }
5241 else
5246 "Please make sure that your router supports port "
5247 "forwarding protocols (like NAT-PMP). Note that if '%s' is "
5248 "your ORPort, your relay will be unable to receive inbound "
5251 internal_port);
5257 }
5261 err:
5265 done:
5270 }
5272 /** Read what tor-fw-helper has to say in its stdout and handle it
5273 * appropriately */
5274 static int
5277 {
5281 fw_helper_output =
5285 /* if EAGAIN we should retry in the future */
5287 }
5289 /* Handle the lines we got: */
5298 }
5300 /** Spawn tor-fw-helper and ask it to forward the ports in
5301 * <b>ports_to_forward</b>. <b>ports_to_forward</b> contains strings
5302 * of the form "<external port>:<internal port>", which is the format
5303 * that tor-fw-helper expects. */
5304 void
5308 {
5309 /* When fw-helper succeeds, how long do we wait until running it again */
5310 #define TIME_TO_EXEC_FWHELPER_SUCCESS 300
5311 /* When fw-helper failed to start, how long do we wait until running it again
5312 */
5313 #define TIME_TO_EXEC_FWHELPER_FAIL 60
5315 /* Static variables are initialized to zero, so child_handle.status=0
5316 * which corresponds to it not running on startup */
5325 /* Start the child, if it is not already running */
5328 /*tor-fw-helper cli looks like this: tor_fw_helper -p :5555 -p 4555:1111 */
5335 /* check for overflow during 'argv' allocation:
5336 (len(ports_to_forward)*2 + 2)*sizeof(char*) > SIZE_MAX ==
5337 len(ports_to_forward) > (((SIZE_MAX/sizeof(char*)) - 2)/2) */
5343 }
5344 /* check for overflow during 'argv_index' increase:
5345 ((len(ports_to_forward)*2 + 2) > INT_MAX) ==
5346 len(ports_to_forward) > (INT_MAX - 2)/2 */
5351 }
5353 /* Calculate number of cli arguments: one for the filename, two
5354 for each smartlist element (one for "-p" and one for the
5355 ports), and one for the final NULL. */
5366 /* Assume tor-fw-helper will succeed, start it later*/
5372 }
5374 #ifdef _WIN32
5375 /* Passing NULL as lpApplicationName makes Windows search for the .exe */
5377 #else
5379 #endif
5386 filename);
5389 }
5394 }
5396 /* If child is running, read from its stdout and stderr) */
5398 /* Read from stdout/stderr and log result */
5400 #ifdef _WIN32
5402 #else
5405 #endif
5410 }
5413 /* There was a problem in the child process */
5415 }
5417 /* Combine the two statuses in order of severity */
5419 /* There was a failure */
5421 #ifdef _WIN32
5423 PROCESS_EXIT_RUNNING) {
5424 /* process has exited or there was an error */
5425 /* TODO: Do something with the process return value */
5426 /* TODO: What if the process output something since
5427 * between log_from_handle and tor_get_exit_code? */
5429 }
5430 #else
5432 /* stdout or stderr was closed, the process probably
5433 * exited. It will be reaped by waitpid() in main.c */
5434 /* TODO: Do something with the process return value */
5436 #endif
5437 else
5438 /* Both are fine */
5441 /* If either pipe indicates a failure, act on it */
5449 }
5451 /* TODO: The child might not actually be finished (maybe it failed or
5452 closed stdout/stderr), so maybe we shouldn't start another? */
5453 }
5454 }
5455 }
5457 /** Initialize the insecure RNG <b>rng</b> from a seed value <b>seed</b>. */
5458 void
5460 {
5462 }
5464 /** Return a randomly chosen value in the range 0..TOR_WEAK_RANDOM_MAX based
5465 * on the RNG state of <b>rng</b>. This entropy will not be cryptographically
5466 * strong; do not rely on it for anything an adversary should not be able to
5467 * predict. */
5468 int32_t
5470 {
5471 /* Here's a linear congruential generator. OpenBSD and glibc use these
5472 * parameters; they aren't too bad, and should have maximal period over the
5473 * range 0..INT32_MAX. We don't want to use the platform rand() or random(),
5474 * since some platforms have bad weak RNGs that only return values in the
5475 * range 0..INT16_MAX, which just isn't enough. */
5478 }
5480 /** Return a random number in the range [0 , <b>top</b>). {That is, the range
5481 * of integers i such that 0 <= i < top.} Chooses uniformly. Requires that
5482 * top is greater than 0. This randomness is not cryptographically strong; do
5483 * not rely on it for anything an adversary should not be able to predict. */
5484 int32_t
5486 {
5487 /* We don't want to just do tor_weak_random() % top, since random() is often
5488 * implemented with an LCG whose modulus is a power of 2, and those are
5489 * cyclic in their low-order bits. */
5497 }
5499 /** Cast a given double value to a int64_t. Return 0 if number is NaN.
5500 * Returns either INT64_MIN or INT64_MAX if number is outside of the int64_t
5501 * range. */
5503 {
5506 /* NaN is a special case that can't be used with the logic below. */
5509 }
5511 /* Time to validate if result can overflows a int64_t value. Fun with
5512 * float! Find that exponent exp such that
5513 * number == x * 2^exp
5514 * for some x with abs(x) in [0.5, 1.0). Note that this implies that the
5515 * magnitude of number is strictly less than 2^exp.
5516 *
5517 * If number is infinite, the call to frexp is legal but the contents of
5518 * exp are unspecified. */
5521 /* If the magnitude of number is strictly less than 2^63, the truncated
5522 * version of number is guaranteed to be representable. The only
5523 * representable integer for which this is not the case is INT64_MIN, but
5524 * it is covered by the logic below. */
5527 }
5529 /* Handle infinities and finite numbers with magnitude >= 2^63. */
5531 }