1 /* Copyright (c) 2003, Roger Dingledine
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2015, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
8 * \brief Common functions for strings, IO, network, data structures,
12 /* This is required on rh7 to make strptime not complain.
25 #include "container.h"
28 #include "backtrace.h"
29 #include "util_process.h"
43 /* math.h needs this on Linux */
45 #define _USE_ISOC99_ 1
54 #ifdef HAVE_NETINET_IN_H
55 #include <netinet/in.h>
57 #ifdef HAVE_ARPA_INET_H
58 #include <arpa/inet.h>
63 #ifdef HAVE_SYS_SOCKET_H
64 #include <sys/socket.h>
66 #ifdef HAVE_SYS_TIME_H
72 #ifdef HAVE_SYS_STAT_H
75 #ifdef HAVE_SYS_FCNTL_H
76 #include <sys/fcntl.h>
81 #ifdef HAVE_MALLOC_MALLOC_H
82 #include <malloc/malloc.h>
85 #if !defined(OPENBSD) && !defined(__FreeBSD__)
86 /* OpenBSD has a malloc.h, but for our purposes, it only exists in order to
87 * scold us for being so stupid as to autodetect its presence. To be fair,
88 * they've done this since 1996, when autoconf was only 5 years old. */
92 #ifdef HAVE_MALLOC_NP_H
93 #include <malloc_np.h>
95 #ifdef HAVE_SYS_WAIT_H
98 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
99 #include <sys/prctl.h>
102 #ifdef __clang_analyzer__
103 #undef MALLOC_ZERO_WORKS
109 /** Helper for tor_assert: report the assertion failure. */
111 tor_assertion_failed_(const char *fname
, unsigned int line
,
112 const char *func
, const char *expr
)
115 log_err(LD_BUG
, "%s:%u: %s: Assertion %s failed; aborting.",
116 fname
, line
, func
, expr
);
117 tor_snprintf(buf
, sizeof(buf
),
118 "Assertion %s failed in %s at %s:%u",
119 expr
, func
, fname
, line
);
120 log_backtrace(LOG_ERR
, LD_BUG
, buf
);
129 /* Macro to pass the extra dmalloc args to another function. */
130 #define DMALLOC_FN_ARGS , file, line
132 #if defined(HAVE_DMALLOC_STRDUP)
133 /* the dmalloc_strdup should be fine as defined */
134 #elif defined(HAVE_DMALLOC_STRNDUP)
135 #define dmalloc_strdup(file, line, string, xalloc_b) \
136 dmalloc_strndup(file, line, (string), -1, xalloc_b)
138 #error "No dmalloc_strdup or equivalent"
141 #else /* not using dmalloc */
143 #define DMALLOC_FN_ARGS
146 /** Allocate a chunk of <b>size</b> bytes of memory, and return a pointer to
147 * result. On error, log and terminate the process. (Same as malloc(size),
148 * but never returns NULL.)
150 * <b>file</b> and <b>line</b> are used if dmalloc is enabled, and
154 tor_malloc_(size_t size DMALLOC_PARAMS
)
158 tor_assert(size
< SIZE_T_CEILING
);
160 #ifndef MALLOC_ZERO_WORKS
161 /* Some libc mallocs don't work when size==0. Override them. */
168 result
= dmalloc_malloc(file
, line
, size
, DMALLOC_FUNC_MALLOC
, 0, 0);
170 result
= malloc(size
);
173 if (PREDICT_UNLIKELY(result
== NULL
)) {
174 log_err(LD_MM
,"Out of memory on malloc(). Dying.");
175 /* If these functions die within a worker process, they won't call
176 * spawn_exit, but that's ok, since the parent will run out of memory soon
183 /** Allocate a chunk of <b>size</b> bytes of memory, fill the memory with
184 * zero bytes, and return a pointer to the result. Log and terminate
185 * the process on error. (Same as calloc(size,1), but never returns NULL.)
188 tor_malloc_zero_(size_t size DMALLOC_PARAMS
)
190 /* You may ask yourself, "wouldn't it be smart to use calloc instead of
191 * malloc+memset? Perhaps libc's calloc knows some nifty optimization trick
192 * we don't!" Indeed it does, but its optimizations are only a big win when
193 * we're allocating something very big (it knows if it just got the memory
194 * from the OS in a pre-zeroed state). We don't want to use tor_malloc_zero
195 * for big stuff, so we don't bother with calloc. */
196 void *result
= tor_malloc_(size DMALLOC_FN_ARGS
);
197 memset(result
, 0, size
);
201 /* The square root of SIZE_MAX + 1. If a is less than this, and b is less
202 * than this, then a*b is less than SIZE_MAX. (For example, if size_t is
203 * 32 bits, then SIZE_MAX is 0xffffffff and this value is 0x10000. If a and
204 * b are less than this, then their product is at most (65535*65535) ==
206 #define SQRT_SIZE_MAX_P1 (((size_t)1) << (sizeof(size_t)*4))
208 /** Return non-zero if and only if the product of the arguments is exact. */
210 size_mul_check(const size_t x
, const size_t y
)
212 /* This first check is equivalent to
213 (x < SQRT_SIZE_MAX_P1 && y < SQRT_SIZE_MAX_P1)
215 Rationale: if either one of x or y is >= SQRT_SIZE_MAX_P1, then it
216 will have some bit set in its most significant half.
218 return ((x
|y
) < SQRT_SIZE_MAX_P1
||
223 /** Allocate a chunk of <b>nmemb</b>*<b>size</b> bytes of memory, fill
224 * the memory with zero bytes, and return a pointer to the result.
225 * Log and terminate the process on error. (Same as
226 * calloc(<b>nmemb</b>,<b>size</b>), but never returns NULL.)
227 * The second argument (<b>size</b>) should preferably be non-zero
228 * and a compile-time constant.
231 tor_calloc_(size_t nmemb
, size_t size DMALLOC_PARAMS
)
233 tor_assert(size_mul_check(nmemb
, size
));
234 return tor_malloc_zero_((nmemb
* size
) DMALLOC_FN_ARGS
);
237 /** Change the size of the memory block pointed to by <b>ptr</b> to <b>size</b>
238 * bytes long; return the new memory block. On error, log and
239 * terminate. (Like realloc(ptr,size), but never returns NULL.)
242 tor_realloc_(void *ptr
, size_t size DMALLOC_PARAMS
)
246 tor_assert(size
< SIZE_T_CEILING
);
248 #ifndef MALLOC_ZERO_WORKS
249 /* Some libc mallocs don't work when size==0. Override them. */
256 result
= dmalloc_realloc(file
, line
, ptr
, size
, DMALLOC_FUNC_REALLOC
, 0);
258 result
= realloc(ptr
, size
);
261 if (PREDICT_UNLIKELY(result
== NULL
)) {
262 log_err(LD_MM
,"Out of memory on realloc(). Dying.");
269 * Try to realloc <b>ptr</b> so that it takes up sz1 * sz2 bytes. Check for
270 * overflow. Unlike other allocation functions, return NULL on overflow.
273 tor_reallocarray_(void *ptr
, size_t sz1
, size_t sz2 DMALLOC_PARAMS
)
275 /* XXXX we can make this return 0, but we would need to check all the
276 * reallocarray users. */
277 tor_assert(size_mul_check(sz1
, sz2
));
279 return tor_realloc(ptr
, (sz1
* sz2
) DMALLOC_FN_ARGS
);
282 /** Return a newly allocated copy of the NUL-terminated string s. On
283 * error, log and terminate. (Like strdup(s), but never returns
287 tor_strdup_(const char *s DMALLOC_PARAMS
)
293 dup
= dmalloc_strdup(file
, line
, s
, 0);
297 if (PREDICT_UNLIKELY(dup
== NULL
)) {
298 log_err(LD_MM
,"Out of memory on strdup(). Dying.");
304 /** Allocate and return a new string containing the first <b>n</b>
305 * characters of <b>s</b>. If <b>s</b> is longer than <b>n</b>
306 * characters, only the first <b>n</b> are copied. The result is
307 * always NUL-terminated. (Like strndup(s,n), but never returns
311 tor_strndup_(const char *s
, size_t n DMALLOC_PARAMS
)
315 tor_assert(n
< SIZE_T_CEILING
);
316 dup
= tor_malloc_((n
+1) DMALLOC_FN_ARGS
);
317 /* Performance note: Ordinarily we prefer strlcpy to strncpy. But
318 * this function gets called a whole lot, and platform strncpy is
319 * much faster than strlcpy when strlen(s) is much longer than n.
326 /** Allocate a chunk of <b>len</b> bytes, with the same contents as the
327 * <b>len</b> bytes starting at <b>mem</b>. */
329 tor_memdup_(const void *mem
, size_t len DMALLOC_PARAMS
)
332 tor_assert(len
< SIZE_T_CEILING
);
334 dup
= tor_malloc_(len DMALLOC_FN_ARGS
);
335 memcpy(dup
, mem
, len
);
339 /** As tor_memdup(), but add an extra 0 byte at the end of the resulting
342 tor_memdup_nulterm_(const void *mem
, size_t len DMALLOC_PARAMS
)
345 tor_assert(len
< SIZE_T_CEILING
+1);
347 dup
= tor_malloc_(len
+1 DMALLOC_FN_ARGS
);
348 memcpy(dup
, mem
, len
);
353 /** Helper for places that need to take a function pointer to the right
354 * spelling of "free()". */
361 /** Call the platform malloc info function, and dump the results to the log at
362 * level <b>severity</b>. If no such function exists, do nothing. */
364 tor_log_mallinfo(int severity
)
368 memset(&mi
, 0, sizeof(mi
));
370 tor_log(severity
, LD_MM
,
371 "mallinfo() said: arena=%d, ordblks=%d, smblks=%d, hblks=%d, "
372 "hblkhd=%d, usmblks=%d, fsmblks=%d, uordblks=%d, fordblks=%d, "
374 mi
.arena
, mi
.ordblks
, mi
.smblks
, mi
.hblks
,
375 mi
.hblkhd
, mi
.usmblks
, mi
.fsmblks
, mi
.uordblks
, mi
.fordblks
,
381 dmalloc_log_changed(0, /* Since the program started. */
382 1, /* Log info about non-freed pointers. */
383 0, /* Do not log info about freed pointers. */
384 0 /* Do not log individual pointers. */
394 * Returns the natural logarithm of d base e. We defined this wrapper here so
395 * to avoid conflicts with old versions of tor_log(), which were named log().
398 tor_mathlog(double d
)
403 /** Return the long integer closest to <b>d</b>. We define this wrapper
404 * here so that not all users of math.h need to use the right incantations
405 * to get the c99 functions. */
409 #if defined(HAVE_LROUND)
411 #elif defined(HAVE_RINT)
412 return (long)rint(d
);
414 return (long)(d
> 0 ? d
+ 0.5 : ceil(d
- 0.5));
418 /** Return the 64-bit integer closest to d. We define this wrapper here so
419 * that not all users of math.h need to use the right incantations to get the
422 tor_llround(double d
)
424 #if defined(HAVE_LLROUND)
425 return (int64_t)llround(d
);
426 #elif defined(HAVE_RINT)
427 return (int64_t)rint(d
);
429 return (int64_t)(d
> 0 ? d
+ 0.5 : ceil(d
- 0.5));
433 /** Returns floor(log2(u64)). If u64 is 0, (incorrectly) returns 0. */
435 tor_log2(uint64_t u64
)
438 if (u64
>= (U64_LITERAL(1)<<32)) {
442 if (u64
>= (U64_LITERAL(1)<<16)) {
446 if (u64
>= (U64_LITERAL(1)<<8)) {
450 if (u64
>= (U64_LITERAL(1)<<4)) {
454 if (u64
>= (U64_LITERAL(1)<<2)) {
458 if (u64
>= (U64_LITERAL(1)<<1)) {
465 /** Return the power of 2 in range [1,UINT64_MAX] closest to <b>u64</b>. If
466 * there are two powers of 2 equally close, round down. */
468 round_to_power_of_2(uint64_t u64
)
477 low
= U64_LITERAL(1) << lg2
;
482 high
= U64_LITERAL(1) << (lg2
+1);
483 if (high
- u64
< u64
- low
)
489 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
490 * <b>divisor</b> == 0. */
492 round_to_next_multiple_of(unsigned number
, unsigned divisor
)
494 tor_assert(divisor
> 0);
495 if (UINT_MAX
- divisor
+ 1 >= number
)
496 number
+= divisor
- 1;
497 number
-= number
% divisor
;
501 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
502 * <b>divisor</b> == 0. */
504 round_uint32_to_next_multiple_of(uint32_t number
, uint32_t divisor
)
506 tor_assert(divisor
> 0);
507 if (UINT32_MAX
- divisor
+ 1 >= number
)
508 number
+= divisor
- 1;
509 number
-= number
% divisor
;
513 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
514 * <b>divisor</b> == 0. */
516 round_uint64_to_next_multiple_of(uint64_t number
, uint64_t divisor
)
518 tor_assert(divisor
> 0);
519 if (UINT64_MAX
- divisor
+ 1 >= number
)
520 number
+= divisor
- 1;
521 number
-= number
% divisor
;
525 /** Return the lowest x in [INT64_MIN, INT64_MAX] such that x is at least
526 * <b>number</b>, and x modulo <b>divisor</b> == 0. */
528 round_int64_to_next_multiple_of(int64_t number
, int64_t divisor
)
530 tor_assert(divisor
> 0);
531 if (number
>= 0 && INT64_MAX
- divisor
+ 1 >= number
)
532 number
+= divisor
- 1;
533 number
-= number
% divisor
;
537 /** Transform a random value <b>p</b> from the uniform distribution in
538 * [0.0, 1.0[ into a Laplace distributed value with location parameter
539 * <b>mu</b> and scale parameter <b>b</b>. Truncate the final result
540 * to be an integer in [INT64_MIN, INT64_MAX]. */
542 sample_laplace_distribution(double mu
, double b
, double p
)
545 tor_assert(p
>= 0.0 && p
< 1.0);
547 /* This is the "inverse cumulative distribution function" from:
548 * http://en.wikipedia.org/wiki/Laplace_distribution */
550 /* Avoid taking log(0.0) == -INFINITY, as some processors or compiler
551 * options can cause the program to trap. */
555 result
= mu
- b
* (p
> 0.5 ? 1.0 : -1.0)
556 * tor_mathlog(1.0 - 2.0 * fabs(p
- 0.5));
558 return cast_double_to_int64(result
);
561 /** Add random noise between INT64_MIN and INT64_MAX coming from a Laplace
562 * distribution with mu = 0 and b = <b>delta_f</b>/<b>epsilon</b> to
563 * <b>signal</b> based on the provided <b>random</b> value in [0.0, 1.0[.
564 * The epsilon value must be between ]0.0, 1.0]. delta_f must be greater
567 add_laplace_noise(int64_t signal
, double random
, double delta_f
,
572 /* epsilon MUST be between ]0.0, 1.0] */
573 tor_assert(epsilon
> 0.0 && epsilon
<= 1.0);
574 /* delta_f MUST be greater than 0. */
575 tor_assert(delta_f
> 0.0);
577 /* Just add noise, no further signal */
578 noise
= sample_laplace_distribution(0.0,
582 /* Clip (signal + noise) to [INT64_MIN, INT64_MAX] */
583 if (noise
> 0 && INT64_MAX
- noise
< signal
)
585 else if (noise
< 0 && INT64_MIN
- noise
> signal
)
588 return signal
+ noise
;
591 /** Return the number of bits set in <b>v</b>. */
593 n_bits_set_u8(uint8_t v
)
595 static const int nybble_table
[] = {
614 return nybble_table
[v
& 15] + nybble_table
[v
>>4];
618 * String manipulation
621 /** Remove from the string <b>s</b> every character which appears in
624 tor_strstrip(char *s
, const char *strip
)
628 if (strchr(strip
, *read
)) {
637 /** Return a pointer to a NUL-terminated hexadecimal string encoding
638 * the first <b>fromlen</b> bytes of <b>from</b>. (fromlen must be \<= 32.) The
639 * result does not need to be deallocated, but repeated calls to
640 * hex_str will trash old results.
643 hex_str(const char *from
, size_t fromlen
)
646 if (fromlen
>(sizeof(buf
)-1)/2)
647 fromlen
= (sizeof(buf
)-1)/2;
648 base16_encode(buf
,sizeof(buf
),from
,fromlen
);
652 /** Convert all alphabetic characters in the nul-terminated string <b>s</b> to
655 tor_strlower(char *s
)
658 *s
= TOR_TOLOWER(*s
);
663 /** Convert all alphabetic characters in the nul-terminated string <b>s</b> to
666 tor_strupper(char *s
)
669 *s
= TOR_TOUPPER(*s
);
674 /** Return 1 if every character in <b>s</b> is printable, else return 0.
677 tor_strisprint(const char *s
)
680 if (!TOR_ISPRINT(*s
))
687 /** Return 1 if no character in <b>s</b> is uppercase, else return 0.
690 tor_strisnonupper(const char *s
)
700 /** As strcmp, except that either string may be NULL. The NULL string is
701 * considered to be before any non-NULL string. */
703 strcmp_opt(const char *s1
, const char *s2
)
713 return strcmp(s1
, s2
);
717 /** Compares the first strlen(s2) characters of s1 with s2. Returns as for
721 strcmpstart(const char *s1
, const char *s2
)
723 size_t n
= strlen(s2
);
724 return strncmp(s1
, s2
, n
);
727 /** Compare the s1_len-byte string <b>s1</b> with <b>s2</b>,
728 * without depending on a terminating nul in s1. Sorting order is first by
729 * length, then lexically; return values are as for strcmp.
732 strcmp_len(const char *s1
, const char *s2
, size_t s1_len
)
734 size_t s2_len
= strlen(s2
);
739 return fast_memcmp(s1
, s2
, s2_len
);
742 /** Compares the first strlen(s2) characters of s1 with s2. Returns as for
746 strcasecmpstart(const char *s1
, const char *s2
)
748 size_t n
= strlen(s2
);
749 return strncasecmp(s1
, s2
, n
);
752 /** Compares the last strlen(s2) characters of s1 with s2. Returns as for
756 strcmpend(const char *s1
, const char *s2
)
758 size_t n1
= strlen(s1
), n2
= strlen(s2
);
760 return strcmp(s1
,s2
);
762 return strncmp(s1
+(n1
-n2
), s2
, n2
);
765 /** Compares the last strlen(s2) characters of s1 with s2. Returns as for
769 strcasecmpend(const char *s1
, const char *s2
)
771 size_t n1
= strlen(s1
), n2
= strlen(s2
);
772 if (n2
>n1
) /* then they can't be the same; figure out which is bigger */
773 return strcasecmp(s1
,s2
);
775 return strncasecmp(s1
+(n1
-n2
), s2
, n2
);
778 /** Compare the value of the string <b>prefix</b> with the start of the
779 * <b>memlen</b>-byte memory chunk at <b>mem</b>. Return as for strcmp.
781 * [As fast_memcmp(mem, prefix, strlen(prefix)) but returns -1 if memlen is
782 * less than strlen(prefix).]
785 fast_memcmpstart(const void *mem
, size_t memlen
,
788 size_t plen
= strlen(prefix
);
791 return fast_memcmp(mem
, prefix
, plen
);
794 /** Return a pointer to the first char of s that is not whitespace and
795 * not a comment, or to the terminating NUL if no such character exists.
798 eat_whitespace(const char *s
)
815 while (*s
&& *s
!= '\n')
821 /** Return a pointer to the first char of s that is not whitespace and
822 * not a comment, or to the terminating NUL if no such character exists.
825 eat_whitespace_eos(const char *s
, const char *eos
)
828 tor_assert(eos
&& s
<= eos
);
843 while (s
< eos
&& *s
&& *s
!= '\n')
850 /** Return a pointer to the first char of s that is not a space or a tab
851 * or a \\r, or to the terminating NUL if no such character exists. */
853 eat_whitespace_no_nl(const char *s
)
855 while (*s
== ' ' || *s
== '\t' || *s
== '\r')
860 /** As eat_whitespace_no_nl, but stop at <b>eos</b> whether we have
861 * found a non-whitespace character or not. */
863 eat_whitespace_eos_no_nl(const char *s
, const char *eos
)
865 while (s
< eos
&& (*s
== ' ' || *s
== '\t' || *s
== '\r'))
870 /** Return a pointer to the first char of s that is whitespace or <b>#</b>,
871 * or to the terminating NUL if no such character exists.
874 find_whitespace(const char *s
)
893 /** As find_whitespace, but stop at <b>eos</b> whether we have found a
894 * whitespace or not. */
896 find_whitespace_eos(const char *s
, const char *eos
)
916 /** Return the first occurrence of <b>needle</b> in <b>haystack</b> that
917 * occurs at the start of a line (that is, at the beginning of <b>haystack</b>
918 * or immediately after a newline). Return NULL if no such string is found.
921 find_str_at_start_of_line(const char *haystack
, const char *needle
)
923 size_t needle_len
= strlen(needle
);
926 if (!strncmp(haystack
, needle
, needle_len
))
929 haystack
= strchr(haystack
, '\n');
939 /** Returns true if <b>string</b> could be a C identifier.
940 A C identifier must begin with a letter or an underscore and the
941 rest of its characters can be letters, numbers or underscores. No
942 length limit is imposed. */
944 string_is_C_identifier(const char *string
)
947 size_t length
= strlen(string
);
951 for (iter
= 0; iter
< length
; iter
++) {
953 if (!(TOR_ISALPHA(string
[iter
]) ||
954 string
[iter
] == '_'))
957 if (!(TOR_ISALPHA(string
[iter
]) ||
958 TOR_ISDIGIT(string
[iter
]) ||
959 string
[iter
] == '_'))
967 /** Return true iff the 'len' bytes at 'mem' are all zero. */
969 tor_mem_is_zero(const char *mem
, size_t len
)
971 static const char ZERO
[] = {
972 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
974 while (len
>= sizeof(ZERO
)) {
975 /* It's safe to use fast_memcmp here, since the very worst thing an
976 * attacker could learn is how many initial bytes of a secret were zero */
977 if (fast_memcmp(mem
, ZERO
, sizeof(ZERO
)))
982 /* Deal with leftover bytes. */
984 return fast_memeq(mem
, ZERO
, len
);
989 /** Return true iff the DIGEST_LEN bytes in digest are all zero. */
991 tor_digest_is_zero(const char *digest
)
993 static const uint8_t ZERO_DIGEST
[] = {
994 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0
996 return tor_memeq(digest
, ZERO_DIGEST
, DIGEST_LEN
);
999 /** Return true if <b>string</b> is a valid 'key=[value]' string.
1000 * "value" is optional, to indicate the empty string. Log at logging
1001 * <b>severity</b> if something ugly happens. */
1003 string_is_key_value(int severity
, const char *string
)
1005 /* position of equal sign in string */
1006 const char *equal_sign_pos
= NULL
;
1010 if (strlen(string
) < 2) { /* "x=" is shortest args string */
1011 tor_log(severity
, LD_GENERAL
, "'%s' is too short to be a k=v value.",
1016 equal_sign_pos
= strchr(string
, '=');
1017 if (!equal_sign_pos
) {
1018 tor_log(severity
, LD_GENERAL
, "'%s' is not a k=v value.", escaped(string
));
1022 /* validate that the '=' is not in the beginning of the string. */
1023 if (equal_sign_pos
== string
) {
1024 tor_log(severity
, LD_GENERAL
, "'%s' is not a valid k=v value.",
1032 /** Return true if <b>string</b> represents a valid IPv4 adddress in
1036 string_is_valid_ipv4_address(const char *string
)
1038 struct in_addr addr
;
1040 return (tor_inet_pton(AF_INET
,string
,&addr
) == 1);
1043 /** Return true if <b>string</b> represents a valid IPv6 address in
1044 * a form that inet_pton() can parse.
1047 string_is_valid_ipv6_address(const char *string
)
1049 struct in6_addr addr
;
1051 return (tor_inet_pton(AF_INET6
,string
,&addr
) == 1);
1054 /** Return true iff <b>string</b> matches a pattern of DNS names
1055 * that we allow Tor clients to connect to.
1058 string_is_valid_hostname(const char *string
)
1061 smartlist_t
*components
;
1063 components
= smartlist_new();
1065 smartlist_split_string(components
,string
,".",0,0);
1067 SMARTLIST_FOREACH_BEGIN(components
, char *, c
) {
1074 if ((*c
>= 'a' && *c
<= 'z') ||
1075 (*c
>= 'A' && *c
<= 'Z') ||
1076 (*c
>= '0' && *c
<= '9') ||
1081 } while (result
&& *c
);
1083 } SMARTLIST_FOREACH_END(c
);
1085 SMARTLIST_FOREACH_BEGIN(components
, char *, c
) {
1087 } SMARTLIST_FOREACH_END(c
);
1089 smartlist_free(components
);
1094 /** Return true iff the DIGEST256_LEN bytes in digest are all zero. */
1096 tor_digest256_is_zero(const char *digest
)
1098 return tor_mem_is_zero(digest
, DIGEST256_LEN
);
1101 /* Helper: common code to check whether the result of a strtol or strtoul or
1102 * strtoll is correct. */
1103 #define CHECK_STRTOX_RESULT() \
1104 /* Did an overflow occur? */ \
1105 if (errno == ERANGE) \
1107 /* Was at least one character converted? */ \
1110 /* Were there unexpected unconverted characters? */ \
1111 if (!next && *endptr) \
1113 /* Is r within limits? */ \
1114 if (r < min || r > max) \
1117 if (next) *next = endptr; \
1121 if (next) *next = endptr; \
1124 /** Extract a long from the start of <b>s</b>, in the given numeric
1125 * <b>base</b>. If <b>base</b> is 0, <b>s</b> is parsed as a decimal,
1126 * octal, or hex number in the syntax of a C integer literal. If
1127 * there is unconverted data and <b>next</b> is provided, set
1128 * *<b>next</b> to the first unconverted character. An error has
1129 * occurred if no characters are converted; or if there are
1130 * unconverted characters and <b>next</b> is NULL; or if the parsed
1131 * value is not between <b>min</b> and <b>max</b>. When no error
1132 * occurs, return the parsed value and set *<b>ok</b> (if provided) to
1133 * 1. When an error occurs, return 0 and set *<b>ok</b> (if provided)
1137 tor_parse_long(const char *s
, int base
, long min
, long max
,
1138 int *ok
, char **next
)
1150 r
= strtol(s
, &endptr
, base
);
1151 CHECK_STRTOX_RESULT();
1154 /** As tor_parse_long(), but return an unsigned long. */
1156 tor_parse_ulong(const char *s
, int base
, unsigned long min
,
1157 unsigned long max
, int *ok
, char **next
)
1169 r
= strtoul(s
, &endptr
, base
);
1170 CHECK_STRTOX_RESULT();
1173 /** As tor_parse_long(), but return a double. */
1175 tor_parse_double(const char *s
, double min
, double max
, int *ok
, char **next
)
1181 r
= strtod(s
, &endptr
);
1182 CHECK_STRTOX_RESULT();
1185 /** As tor_parse_long, but return a uint64_t. Only base 10 is guaranteed to
1188 tor_parse_uint64(const char *s
, int base
, uint64_t min
,
1189 uint64_t max
, int *ok
, char **next
)
1201 #ifdef HAVE_STRTOULL
1202 r
= (uint64_t)strtoull(s
, &endptr
, base
);
1203 #elif defined(_WIN32)
1204 #if defined(_MSC_VER) && _MSC_VER < 1300
1205 tor_assert(base
<= 10);
1206 r
= (uint64_t)_atoi64(s
);
1208 while (TOR_ISSPACE(*endptr
)) endptr
++;
1209 while (TOR_ISDIGIT(*endptr
)) endptr
++;
1211 r
= (uint64_t)_strtoui64(s
, &endptr
, base
);
1213 #elif SIZEOF_LONG == 8
1214 r
= (uint64_t)strtoul(s
, &endptr
, base
);
1216 #error "I don't know how to parse 64-bit numbers."
1219 CHECK_STRTOX_RESULT();
1222 /** Encode the <b>srclen</b> bytes at <b>src</b> in a NUL-terminated,
1223 * uppercase hexadecimal string; store it in the <b>destlen</b>-byte buffer
1227 base16_encode(char *dest
, size_t destlen
, const char *src
, size_t srclen
)
1232 tor_assert(destlen
>= srclen
*2+1);
1233 tor_assert(destlen
< SIZE_T_CEILING
);
1238 *cp
++ = "0123456789ABCDEF"[ (*(const uint8_t*)src
) >> 4 ];
1239 *cp
++ = "0123456789ABCDEF"[ (*(const uint8_t*)src
) & 0xf ];
1245 /** Helper: given a hex digit, return its value, or -1 if it isn't hex. */
1247 hex_decode_digit_(char c
)
1260 case 'A': case 'a': return 10;
1261 case 'B': case 'b': return 11;
1262 case 'C': case 'c': return 12;
1263 case 'D': case 'd': return 13;
1264 case 'E': case 'e': return 14;
1265 case 'F': case 'f': return 15;
1271 /** Helper: given a hex digit, return its value, or -1 if it isn't hex. */
1273 hex_decode_digit(char c
)
1275 return hex_decode_digit_(c
);
1278 /** Given a hexadecimal string of <b>srclen</b> bytes in <b>src</b>, decode it
1279 * and store the result in the <b>destlen</b>-byte buffer at <b>dest</b>.
1280 * Return 0 on success, -1 on failure. */
1282 base16_decode(char *dest
, size_t destlen
, const char *src
, size_t srclen
)
1287 if ((srclen
% 2) != 0)
1289 if (destlen
< srclen
/2 || destlen
> SIZE_T_CEILING
)
1292 memset(dest
, 0, destlen
);
1296 v1
= hex_decode_digit_(*src
);
1297 v2
= hex_decode_digit_(*(src
+1));
1300 *(uint8_t*)dest
= (v1
<<4)|v2
;
1307 /** Allocate and return a new string representing the contents of <b>s</b>,
1308 * surrounded by quotes and using standard C escapes.
1310 * Generally, we use this for logging values that come in over the network to
1311 * keep them from tricking users, and for sending certain values to the
1314 * We trust values from the resolver, OS, configuration file, and command line
1315 * to not be maliciously ill-formed. We validate incoming routerdescs and
1316 * SOCKS requests and addresses from BEGIN cells as they're parsed;
1317 * afterwards, we trust them as non-malicious.
1320 esc_for_log(const char *s
)
1323 char *result
, *outp
;
1326 return tor_strdup("(null)");
1329 for (cp
= s
; *cp
; ++cp
) {
1340 if (TOR_ISPRINT(*cp
) && ((uint8_t)*cp
)<127)
1348 tor_assert(len
<= SSIZE_MAX
);
1350 result
= outp
= tor_malloc(len
);
1352 for (cp
= s
; *cp
; ++cp
) {
1353 /* This assertion should always succeed, since we will write at least
1354 * one char here, and two chars for closing quote and nul later */
1355 tor_assert((outp
-result
) < (ssize_t
)len
-2);
1376 if (TOR_ISPRINT(*cp
) && ((uint8_t)*cp
)<127) {
1379 tor_assert((outp
-result
) < (ssize_t
)len
-4);
1380 tor_snprintf(outp
, 5, "\\%03o", (int)(uint8_t) *cp
);
1387 tor_assert((outp
-result
) <= (ssize_t
)len
-2);
1394 /** Similar to esc_for_log. Allocate and return a new string representing
1395 * the first n characters in <b>chars</b>, surround by quotes and using
1396 * standard C escapes. If a NUL character is encountered in <b>chars</b>,
1397 * the resulting string will be terminated there.
1400 esc_for_log_len(const char *chars
, size_t n
)
1402 char *string
= tor_strndup(chars
, n
);
1403 char *string_escaped
= esc_for_log(string
);
1405 return string_escaped
;
1408 /** Allocate and return a new string representing the contents of <b>s</b>,
1409 * surrounded by quotes and using standard C escapes.
1411 * THIS FUNCTION IS NOT REENTRANT. Don't call it from outside the main
1412 * thread. Also, each call invalidates the last-returned value, so don't
1413 * try log_warn(LD_GENERAL, "%s %s", escaped(a), escaped(b));
1416 escaped(const char *s
)
1418 static char *escaped_val_
= NULL
;
1419 tor_free(escaped_val_
);
1422 escaped_val_
= esc_for_log(s
);
1424 escaped_val_
= NULL
;
1426 return escaped_val_
;
1429 /** Return a newly allocated string equal to <b>string</b>, except that every
1430 * character in <b>chars_to_escape</b> is preceded by a backslash. */
1432 tor_escape_str_for_pt_args(const char *string
, const char *chars_to_escape
)
1434 char *new_string
= NULL
;
1435 char *new_cp
= NULL
;
1436 size_t length
, new_length
;
1440 length
= strlen(string
);
1442 if (!length
) /* If we were given the empty string, return the same. */
1443 return tor_strdup("");
1444 /* (new_length > SIZE_MAX) => ((length * 2) + 1 > SIZE_MAX) =>
1445 (length*2 > SIZE_MAX - 1) => (length > (SIZE_MAX - 1)/2) */
1446 if (length
> (SIZE_MAX
- 1)/2) /* check for overflow */
1449 /* this should be enough even if all characters must be escaped */
1450 new_length
= (length
* 2) + 1;
1452 new_string
= new_cp
= tor_malloc(new_length
);
1455 if (strchr(chars_to_escape
, *string
))
1458 *new_cp
++ = *string
++;
1461 *new_cp
= '\0'; /* NUL-terminate the new string */
1470 /** Return the number of microseconds elapsed between *start and *end.
1473 tv_udiff(const struct timeval
*start
, const struct timeval
*end
)
1476 long secdiff
= end
->tv_sec
- start
->tv_sec
;
1478 if (labs(secdiff
+1) > LONG_MAX
/1000000) {
1479 log_warn(LD_GENERAL
, "comparing times on microsecond detail too far "
1480 "apart: %ld seconds", secdiff
);
1484 udiff
= secdiff
*1000000L + (end
->tv_usec
- start
->tv_usec
);
1488 /** Return the number of milliseconds elapsed between *start and *end.
1491 tv_mdiff(const struct timeval
*start
, const struct timeval
*end
)
1494 long secdiff
= end
->tv_sec
- start
->tv_sec
;
1496 if (labs(secdiff
+1) > LONG_MAX
/1000) {
1497 log_warn(LD_GENERAL
, "comparing times on millisecond detail too far "
1498 "apart: %ld seconds", secdiff
);
1502 /* Subtract and round */
1503 mdiff
= secdiff
*1000L +
1504 ((long)end
->tv_usec
- (long)start
->tv_usec
+ 500L) / 1000L;
1509 * Converts timeval to milliseconds.
1512 tv_to_msec(const struct timeval
*tv
)
1514 int64_t conv
= ((int64_t)tv
->tv_sec
)*1000L;
1515 /* Round ghetto-style */
1516 conv
+= ((int64_t)tv
->tv_usec
+500)/1000L;
1520 /** Yield true iff <b>y</b> is a leap-year. */
1521 #define IS_LEAPYEAR(y) (!(y % 4) && ((y % 100) || !(y % 400)))
1522 /** Helper: Return the number of leap-days between Jan 1, y1 and Jan 1, y2. */
1524 n_leapdays(int y1
, int y2
)
1528 return (y2
/4 - y1
/4) - (y2
/100 - y1
/100) + (y2
/400 - y1
/400);
1530 /** Number of days per month in non-leap year; used by tor_timegm and
1531 * parse_rfc1123_time. */
1532 static const int days_per_month
[] =
1533 { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
1535 /** Compute a time_t given a struct tm. The result is given in UTC, and
1536 * does not account for leap seconds. Return 0 on success, -1 on failure.
1539 tor_timegm(const struct tm
*tm
, time_t *time_out
)
1541 /* This is a pretty ironclad timegm implementation, snarfed from Python2.2.
1542 * It's way more brute-force than fiddling with tzset().
1544 time_t year
, days
, hours
, minutes
, seconds
;
1545 int i
, invalid_year
, dpm
;
1546 /* avoid int overflow on addition */
1547 if (tm
->tm_year
< INT32_MAX
-1900) {
1548 year
= tm
->tm_year
+ 1900;
1553 invalid_year
= (year
< 1970 || tm
->tm_year
>= INT32_MAX
-1900);
1555 if (tm
->tm_mon
>= 0 && tm
->tm_mon
<= 11) {
1556 dpm
= days_per_month
[tm
->tm_mon
];
1557 if (tm
->tm_mon
== 1 && !invalid_year
&& IS_LEAPYEAR(tm
->tm_year
)) {
1561 /* invalid month - default to 0 days per month */
1566 tm
->tm_mon
< 0 || tm
->tm_mon
> 11 ||
1567 tm
->tm_mday
< 1 || tm
->tm_mday
> dpm
||
1568 tm
->tm_hour
< 0 || tm
->tm_hour
> 23 ||
1569 tm
->tm_min
< 0 || tm
->tm_min
> 59 ||
1570 tm
->tm_sec
< 0 || tm
->tm_sec
> 60) {
1571 log_warn(LD_BUG
, "Out-of-range argument to tor_timegm");
1574 days
= 365 * (year
-1970) + n_leapdays(1970,(int)year
);
1575 for (i
= 0; i
< tm
->tm_mon
; ++i
)
1576 days
+= days_per_month
[i
];
1577 if (tm
->tm_mon
> 1 && IS_LEAPYEAR(year
))
1579 days
+= tm
->tm_mday
- 1;
1580 hours
= days
*24 + tm
->tm_hour
;
1582 minutes
= hours
*60 + tm
->tm_min
;
1583 seconds
= minutes
*60 + tm
->tm_sec
;
1584 *time_out
= seconds
;
1588 /* strftime is locale-specific, so we need to replace those parts */
1590 /** A c-locale array of 3-letter names of weekdays, starting with Sun. */
1591 static const char *WEEKDAY_NAMES
[] =
1592 { "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" };
1593 /** A c-locale array of 3-letter names of months, starting with Jan. */
1594 static const char *MONTH_NAMES
[] =
1595 { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
1596 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
1598 /** Set <b>buf</b> to the RFC1123 encoding of the UTC value of <b>t</b>.
1599 * The buffer must be at least RFC1123_TIME_LEN+1 bytes long.
1601 * (RFC1123 format is "Fri, 29 Sep 2006 15:54:20 GMT". Note the "GMT"
1602 * rather than "UTC".)
1605 format_rfc1123_time(char *buf
, time_t t
)
1609 tor_gmtime_r(&t
, &tm
);
1611 strftime(buf
, RFC1123_TIME_LEN
+1, "___, %d ___ %Y %H:%M:%S GMT", &tm
);
1612 tor_assert(tm
.tm_wday
>= 0);
1613 tor_assert(tm
.tm_wday
<= 6);
1614 memcpy(buf
, WEEKDAY_NAMES
[tm
.tm_wday
], 3);
1615 tor_assert(tm
.tm_mon
>= 0);
1616 tor_assert(tm
.tm_mon
<= 11);
1617 memcpy(buf
+8, MONTH_NAMES
[tm
.tm_mon
], 3);
1620 /** Parse the (a subset of) the RFC1123 encoding of some time (in UTC) from
1621 * <b>buf</b>, and store the result in *<b>t</b>.
1623 * Note that we only accept the subset generated by format_rfc1123_time above,
1624 * not the full range of formats suggested by RFC 1123.
1626 * Return 0 on success, -1 on failure.
1629 parse_rfc1123_time(const char *buf
, time_t *t
)
1634 int i
, m
, invalid_year
;
1635 unsigned tm_mday
, tm_year
, tm_hour
, tm_min
, tm_sec
;
1638 if (strlen(buf
) != RFC1123_TIME_LEN
)
1640 memset(&tm
, 0, sizeof(tm
));
1641 if (tor_sscanf(buf
, "%3s, %2u %3s %u %2u:%2u:%2u GMT", weekday
,
1642 &tm_mday
, month
, &tm_year
, &tm_hour
,
1643 &tm_min
, &tm_sec
) < 7) {
1644 char *esc
= esc_for_log(buf
);
1645 log_warn(LD_GENERAL
, "Got invalid RFC1123 time %s", esc
);
1651 for (i
= 0; i
< 12; ++i
) {
1652 if (!strcmp(month
, MONTH_NAMES
[i
])) {
1658 char *esc
= esc_for_log(buf
);
1659 log_warn(LD_GENERAL
, "Got invalid RFC1123 time %s: No such month", esc
);
1665 invalid_year
= (tm_year
>= INT32_MAX
|| tm_year
< 1970);
1666 tor_assert(m
>= 0 && m
<= 11);
1667 dpm
= days_per_month
[m
];
1668 if (m
== 1 && !invalid_year
&& IS_LEAPYEAR(tm_year
)) {
1672 if (invalid_year
|| tm_mday
< 1 || tm_mday
> dpm
||
1673 tm_hour
> 23 || tm_min
> 59 || tm_sec
> 60) {
1674 char *esc
= esc_for_log(buf
);
1675 log_warn(LD_GENERAL
, "Got invalid RFC1123 time %s", esc
);
1679 tm
.tm_mday
= (int)tm_mday
;
1680 tm
.tm_year
= (int)tm_year
;
1681 tm
.tm_hour
= (int)tm_hour
;
1682 tm
.tm_min
= (int)tm_min
;
1683 tm
.tm_sec
= (int)tm_sec
;
1685 if (tm
.tm_year
< 1970) {
1686 char *esc
= esc_for_log(buf
);
1687 log_warn(LD_GENERAL
,
1688 "Got invalid RFC1123 time %s. (Before 1970)", esc
);
1694 return tor_timegm(&tm
, t
);
1697 /** Set <b>buf</b> to the ISO8601 encoding of the local value of <b>t</b>.
1698 * The buffer must be at least ISO_TIME_LEN+1 bytes long.
1700 * (ISO8601 format is 2006-10-29 10:57:20)
1703 format_local_iso_time(char *buf
, time_t t
)
1706 strftime(buf
, ISO_TIME_LEN
+1, "%Y-%m-%d %H:%M:%S", tor_localtime_r(&t
, &tm
));
1709 /** Set <b>buf</b> to the ISO8601 encoding of the GMT value of <b>t</b>.
1710 * The buffer must be at least ISO_TIME_LEN+1 bytes long.
1713 format_iso_time(char *buf
, time_t t
)
1716 strftime(buf
, ISO_TIME_LEN
+1, "%Y-%m-%d %H:%M:%S", tor_gmtime_r(&t
, &tm
));
1719 /** As format_iso_time, but use the yyyy-mm-ddThh:mm:ss format to avoid
1720 * embedding an internal space. */
1722 format_iso_time_nospace(char *buf
, time_t t
)
1724 format_iso_time(buf
, t
);
1728 /** As format_iso_time_nospace, but include microseconds in decimal
1729 * fixed-point format. Requires that buf be at least ISO_TIME_USEC_LEN+1
1732 format_iso_time_nospace_usec(char *buf
, const struct timeval
*tv
)
1735 format_iso_time_nospace(buf
, (time_t)tv
->tv_sec
);
1736 tor_snprintf(buf
+ISO_TIME_LEN
, 8, ".%06d", (int)tv
->tv_usec
);
1739 /** Given an ISO-formatted UTC time value (after the epoch) in <b>cp</b>,
1740 * parse it and store its value in *<b>t</b>. Return 0 on success, -1 on
1741 * failure. Ignore extraneous stuff in <b>cp</b> after the end of the time
1742 * string, unless <b>strict</b> is set. */
1744 parse_iso_time_(const char *cp
, time_t *t
, int strict
)
1747 unsigned int year
=0, month
=0, day
=0, hour
=0, minute
=0, second
=0;
1750 n_fields
= tor_sscanf(cp
, "%u-%2u-%2u %2u:%2u:%2u%c", &year
, &month
,
1751 &day
, &hour
, &minute
, &second
, &extra_char
);
1752 if (strict
? (n_fields
!= 6) : (n_fields
< 6)) {
1753 char *esc
= esc_for_log(cp
);
1754 log_warn(LD_GENERAL
, "ISO time %s was unparseable", esc
);
1758 if (year
< 1970 || month
< 1 || month
> 12 || day
< 1 || day
> 31 ||
1759 hour
> 23 || minute
> 59 || second
> 60 || year
>= INT32_MAX
) {
1760 char *esc
= esc_for_log(cp
);
1761 log_warn(LD_GENERAL
, "ISO time %s was nonsensical", esc
);
1765 st_tm
.tm_year
= (int)year
-1900;
1766 st_tm
.tm_mon
= month
-1;
1767 st_tm
.tm_mday
= day
;
1768 st_tm
.tm_hour
= hour
;
1769 st_tm
.tm_min
= minute
;
1770 st_tm
.tm_sec
= second
;
1772 if (st_tm
.tm_year
< 70) {
1773 char *esc
= esc_for_log(cp
);
1774 log_warn(LD_GENERAL
, "Got invalid ISO time %s. (Before 1970)", esc
);
1778 return tor_timegm(&st_tm
, t
);
1781 /** Given an ISO-formatted UTC time value (after the epoch) in <b>cp</b>,
1782 * parse it and store its value in *<b>t</b>. Return 0 on success, -1 on
1783 * failure. Reject the string if any characters are present after the time.
1786 parse_iso_time(const char *cp
, time_t *t
)
1788 return parse_iso_time_(cp
, t
, 1);
1791 /** Given a <b>date</b> in one of the three formats allowed by HTTP (ugh),
1792 * parse it into <b>tm</b>. Return 0 on success, negative on failure. */
1794 parse_http_time(const char *date
, struct tm
*tm
)
1800 unsigned tm_mday
, tm_year
, tm_hour
, tm_min
, tm_sec
;
1803 memset(tm
, 0, sizeof(*tm
));
1805 /* First, try RFC1123 or RFC850 format: skip the weekday. */
1806 if ((cp
= strchr(date
, ','))) {
1811 if (tor_sscanf(cp
, "%2u %3s %4u %2u:%2u:%2u GMT",
1812 &tm_mday
, month
, &tm_year
,
1813 &tm_hour
, &tm_min
, &tm_sec
) == 6) {
1816 } else if (tor_sscanf(cp
, "%2u-%3s-%2u %2u:%2u:%2u GMT",
1817 &tm_mday
, month
, &tm_year
,
1818 &tm_hour
, &tm_min
, &tm_sec
) == 6) {
1824 /* No comma; possibly asctime() format. */
1825 if (tor_sscanf(date
, "%3s %3s %2u %2u:%2u:%2u %4u",
1826 wkday
, month
, &tm_mday
,
1827 &tm_hour
, &tm_min
, &tm_sec
, &tm_year
) == 7) {
1833 tm
->tm_mday
= (int)tm_mday
;
1834 tm
->tm_year
= (int)tm_year
;
1835 tm
->tm_hour
= (int)tm_hour
;
1836 tm
->tm_min
= (int)tm_min
;
1837 tm
->tm_sec
= (int)tm_sec
;
1840 /* Okay, now decode the month. */
1841 /* set tm->tm_mon to dummy value so the check below fails. */
1843 for (i
= 0; i
< 12; ++i
) {
1844 if (!strcasecmp(MONTH_NAMES
[i
], month
)) {
1849 if (tm
->tm_year
< 0 ||
1850 tm
->tm_mon
< 0 || tm
->tm_mon
> 11 ||
1851 tm
->tm_mday
< 1 || tm
->tm_mday
> 31 ||
1852 tm
->tm_hour
< 0 || tm
->tm_hour
> 23 ||
1853 tm
->tm_min
< 0 || tm
->tm_min
> 59 ||
1854 tm
->tm_sec
< 0 || tm
->tm_sec
> 60)
1855 return -1; /* Out of range, or bad month. */
1860 /** Given an <b>interval</b> in seconds, try to write it to the
1861 * <b>out_len</b>-byte buffer in <b>out</b> in a human-readable form.
1862 * Return 0 on success, -1 on failure.
1865 format_time_interval(char *out
, size_t out_len
, long interval
)
1867 /* We only report seconds if there's no hours. */
1868 long sec
= 0, min
= 0, hour
= 0, day
= 0;
1870 /* -LONG_MIN is LONG_MAX + 1, which causes signed overflow */
1871 if (interval
< -LONG_MAX
)
1872 interval
= LONG_MAX
;
1873 else if (interval
< 0)
1874 interval
= -interval
;
1876 if (interval
>= 86400) {
1877 day
= interval
/ 86400;
1880 if (interval
>= 3600) {
1881 hour
= interval
/ 3600;
1884 if (interval
>= 60) {
1885 min
= interval
/ 60;
1891 return tor_snprintf(out
, out_len
, "%ld days, %ld hours, %ld minutes",
1894 return tor_snprintf(out
, out_len
, "%ld hours, %ld minutes", hour
, min
);
1896 return tor_snprintf(out
, out_len
, "%ld minutes, %ld seconds", min
, sec
);
1898 return tor_snprintf(out
, out_len
, "%ld seconds", sec
);
1906 #ifndef TIME_IS_FAST
1907 /** Cached estimate of the current time. Updated around once per second;
1908 * may be a few seconds off if we are really busy. This is a hack to avoid
1909 * calling time(NULL) (which not everybody has optimized) on critical paths.
1911 static time_t cached_approx_time
= 0;
1913 /** Return a cached estimate of the current time from when
1914 * update_approx_time() was last called. This is a hack to avoid calling
1915 * time(NULL) on critical paths: please do not even think of calling it
1920 return cached_approx_time
;
1923 /** Update the cached estimate of the current time. This function SHOULD be
1924 * called once per second, and MUST be called before the first call to
1925 * get_approx_time. */
1927 update_approx_time(time_t now
)
1929 cached_approx_time
= now
;
1937 /** If the rate-limiter <b>lim</b> is ready at <b>now</b>, return the number
1938 * of calls to rate_limit_is_ready (including this one!) since the last time
1939 * rate_limit_is_ready returned nonzero. Otherwise return 0. */
1941 rate_limit_is_ready(ratelim_t
*lim
, time_t now
)
1943 if (lim
->rate
+ lim
->last_allowed
<= now
) {
1944 int res
= lim
->n_calls_since_last_time
+ 1;
1945 lim
->last_allowed
= now
;
1946 lim
->n_calls_since_last_time
= 0;
1949 ++lim
->n_calls_since_last_time
;
1954 /** If the rate-limiter <b>lim</b> is ready at <b>now</b>, return a newly
1955 * allocated string indicating how many messages were suppressed, suitable to
1956 * append to a log message. Otherwise return NULL. */
1958 rate_limit_log(ratelim_t
*lim
, time_t now
)
1961 if ((n
= rate_limit_is_ready(lim
, now
))) {
1963 return tor_strdup("");
1967 " [%d similar message(s) suppressed in last %d seconds]",
1980 /** Write <b>count</b> bytes from <b>buf</b> to <b>fd</b>. <b>isSocket</b>
1981 * must be 1 if fd was returned by socket() or accept(), and 0 if fd
1982 * was returned by open(). Return the number of bytes written, or -1
1983 * on error. Only use if fd is a blocking fd. */
1985 write_all(tor_socket_t fd
, const char *buf
, size_t count
, int isSocket
)
1989 tor_assert(count
< SSIZE_MAX
);
1991 while (written
!= count
) {
1993 result
= tor_socket_send(fd
, buf
+written
, count
-written
, 0);
1995 result
= write((int)fd
, buf
+written
, count
-written
);
2000 return (ssize_t
)count
;
2003 /** Read from <b>fd</b> to <b>buf</b>, until we get <b>count</b> bytes
2004 * or reach the end of the file. <b>isSocket</b> must be 1 if fd
2005 * was returned by socket() or accept(), and 0 if fd was returned by
2006 * open(). Return the number of bytes read, or -1 on error. Only use
2007 * if fd is a blocking fd. */
2009 read_all(tor_socket_t fd
, char *buf
, size_t count
, int isSocket
)
2014 if (count
> SIZE_T_CEILING
|| count
> SSIZE_MAX
)
2017 while (numread
!= count
) {
2019 result
= tor_socket_recv(fd
, buf
+numread
, count
-numread
, 0);
2021 result
= read((int)fd
, buf
+numread
, count
-numread
);
2024 else if (result
== 0)
2028 return (ssize_t
)numread
;
2032 * Filesystem operations.
2035 /** Clean up <b>name</b> so that we can use it in a call to "stat". On Unix,
2036 * we do nothing. On Windows, we remove a trailing slash, unless the path is
2037 * the root of a disk. */
2039 clean_name_for_stat(char *name
)
2042 size_t len
= strlen(name
);
2045 if (name
[len
-1]=='\\' || name
[len
-1]=='/') {
2046 if (len
== 1 || (len
==3 && name
[1]==':'))
2056 * FN_ERROR if filename can't be read, is NULL, or is zero-length,
2057 * FN_NOENT if it doesn't exist,
2058 * FN_FILE if it is a non-empty regular file, or a FIFO on unix-like systems,
2059 * FN_EMPTY for zero-byte regular files,
2060 * FN_DIR if it's a directory, and
2061 * FN_ERROR for any other file type.
2062 * On FN_ERROR and FN_NOENT, sets errno. (errno is not set when FN_ERROR
2063 * is returned due to an unhandled file type.) */
2065 file_status(const char *fname
)
2070 if (!fname
|| strlen(fname
) == 0) {
2073 f
= tor_strdup(fname
);
2074 clean_name_for_stat(f
);
2075 log_debug(LD_FS
, "stat()ing %s", f
);
2076 r
= stat(sandbox_intern_string(f
), &st
);
2079 if (errno
== ENOENT
) {
2084 if (st
.st_mode
& S_IFDIR
) {
2086 } else if (st
.st_mode
& S_IFREG
) {
2087 if (st
.st_size
> 0) {
2089 } else if (st
.st_size
== 0) {
2095 } else if (st
.st_mode
& S_IFIFO
) {
2103 /** Check whether <b>dirname</b> exists and is private. If yes return 0. If
2104 * it does not exist, and <b>check</b>&CPD_CREATE is set, try to create it
2105 * and return 0 on success. If it does not exist, and
2106 * <b>check</b>&CPD_CHECK, and we think we can create it, return 0. Else
2107 * return -1. If CPD_GROUP_OK is set, then it's okay if the directory
2108 * is group-readable, but in all cases we create the directory mode 0700.
2109 * If CPD_GROUP_READ is set, existing directory behaves as CPD_GROUP_OK and
2110 * if the directory is created it will use mode 0750 with group read
2111 * permission. Group read privileges also assume execute permission
2112 * as norm for directories. If CPD_CHECK_MODE_ONLY is set, then we don't
2113 * alter the directory permissions if they are too permissive:
2114 * we just return -1.
2115 * When effective_user is not NULL, check permissions against the given user
2116 * and its primary group.
2119 check_private_dir(const char *dirname
, cpd_check_t check
,
2120 const char *effective_user
)
2126 unsigned unwanted_bits
= 0;
2127 const struct passwd
*pw
= NULL
;
2131 (void)effective_user
;
2134 tor_assert(dirname
);
2135 f
= tor_strdup(dirname
);
2136 clean_name_for_stat(f
);
2137 log_debug(LD_FS
, "stat()ing %s", f
);
2138 r
= stat(sandbox_intern_string(f
), &st
);
2141 if (errno
!= ENOENT
) {
2142 log_warn(LD_FS
, "Directory %s cannot be read: %s", dirname
,
2146 if (check
& CPD_CREATE
) {
2147 log_info(LD_GENERAL
, "Creating directory %s", dirname
);
2148 #if defined (_WIN32)
2151 if (check
& CPD_GROUP_READ
) {
2152 r
= mkdir(dirname
, 0750);
2154 r
= mkdir(dirname
, 0700);
2158 log_warn(LD_FS
, "Error creating directory %s: %s", dirname
,
2162 } else if (!(check
& CPD_CHECK
)) {
2163 log_warn(LD_FS
, "Directory %s does not exist.", dirname
);
2166 /* XXXX In the case where check==CPD_CHECK, we should look at the
2167 * parent directory a little harder. */
2170 if (!(st
.st_mode
& S_IFDIR
)) {
2171 log_warn(LD_FS
, "%s is not a directory", dirname
);
2175 if (effective_user
) {
2176 /* Look up the user and group information.
2177 * If we have a problem, bail out. */
2178 pw
= tor_getpwnam(effective_user
);
2180 log_warn(LD_CONFIG
, "Error setting configured user: %s not found",
2184 running_uid
= pw
->pw_uid
;
2185 running_gid
= pw
->pw_gid
;
2187 running_uid
= getuid();
2188 running_gid
= getgid();
2191 if (st
.st_uid
!= running_uid
) {
2192 const struct passwd
*pw
= NULL
;
2193 char *process_ownername
= NULL
;
2195 pw
= tor_getpwuid(running_uid
);
2196 process_ownername
= pw
? tor_strdup(pw
->pw_name
) : tor_strdup("<unknown>");
2198 pw
= tor_getpwuid(st
.st_uid
);
2200 log_warn(LD_FS
, "%s is not owned by this user (%s, %d) but by "
2201 "%s (%d). Perhaps you are running Tor as the wrong user?",
2202 dirname
, process_ownername
, (int)running_uid
,
2203 pw
? pw
->pw_name
: "<unknown>", (int)st
.st_uid
);
2205 tor_free(process_ownername
);
2208 if ( (check
& (CPD_GROUP_OK
|CPD_GROUP_READ
))
2209 && (st
.st_gid
!= running_gid
) ) {
2211 char *process_groupname
= NULL
;
2212 gr
= getgrgid(running_gid
);
2213 process_groupname
= gr
? tor_strdup(gr
->gr_name
) : tor_strdup("<unknown>");
2214 gr
= getgrgid(st
.st_gid
);
2216 log_warn(LD_FS
, "%s is not owned by this group (%s, %d) but by group "
2217 "%s (%d). Are you running Tor as the wrong user?",
2218 dirname
, process_groupname
, (int)running_gid
,
2219 gr
? gr
->gr_name
: "<unknown>", (int)st
.st_gid
);
2221 tor_free(process_groupname
);
2224 if (check
& (CPD_GROUP_OK
|CPD_GROUP_READ
)) {
2225 unwanted_bits
= 0027;
2227 unwanted_bits
= 0077;
2229 if ((st
.st_mode
& unwanted_bits
) != 0) {
2231 if (check
& CPD_CHECK_MODE_ONLY
) {
2232 log_warn(LD_FS
, "Permissions on directory %s are too permissive.",
2236 log_warn(LD_FS
, "Fixing permissions on directory %s", dirname
);
2237 new_mode
= st
.st_mode
;
2238 new_mode
|= 0700; /* Owner should have rwx */
2239 if (check
& CPD_GROUP_READ
) {
2240 new_mode
|= 0050; /* Group should have rx */
2242 new_mode
&= ~unwanted_bits
; /* Clear the bits that we didn't want set...*/
2243 if (chmod(dirname
, new_mode
)) {
2244 log_warn(LD_FS
, "Could not chmod directory %s: %s", dirname
,
2255 /** Create a file named <b>fname</b> with the contents <b>str</b>. Overwrite
2256 * the previous <b>fname</b> if possible. Return 0 on success, -1 on failure.
2258 * This function replaces the old file atomically, if possible. This
2259 * function, and all other functions in util.c that create files, create them
2263 write_str_to_file(const char *fname
, const char *str
, int bin
)
2266 if (!bin
&& strchr(str
, '\r')) {
2268 "We're writing a text string that already contains a CR to %s",
2272 return write_bytes_to_file(fname
, str
, strlen(str
), bin
);
2275 /** Represents a file that we're writing to, with support for atomic commit:
2276 * we can write into a temporary file, and either remove the file on
2277 * failure, or replace the original file on success. */
2278 struct open_file_t
{
2279 char *tempname
; /**< Name of the temporary file. */
2280 char *filename
; /**< Name of the original file. */
2281 unsigned rename_on_close
:1; /**< Are we using the temporary file or not? */
2282 unsigned binary
:1; /**< Did we open in binary mode? */
2283 int fd
; /**< fd for the open file. */
2284 FILE *stdio_file
; /**< stdio wrapper for <b>fd</b>. */
2287 /** Try to start writing to the file in <b>fname</b>, passing the flags
2288 * <b>open_flags</b> to the open() syscall, creating the file (if needed) with
2289 * access value <b>mode</b>. If the O_APPEND flag is set, we append to the
2290 * original file. Otherwise, we open a new temporary file in the same
2291 * directory, and either replace the original or remove the temporary file
2294 * Return the fd for the newly opened file, and store working data in
2295 * *<b>data_out</b>. The caller should not close the fd manually:
2296 * instead, call finish_writing_to_file() or abort_writing_to_file().
2297 * Returns -1 on failure.
2299 * NOTE: When not appending, the flags O_CREAT and O_TRUNC are treated
2300 * as true and the flag O_EXCL is treated as false.
2302 * NOTE: Ordinarily, O_APPEND means "seek to the end of the file before each
2303 * write()". We don't do that.
2306 start_writing_to_file(const char *fname
, int open_flags
, int mode
,
2307 open_file_t
**data_out
)
2309 open_file_t
*new_file
= tor_malloc_zero(sizeof(open_file_t
));
2310 const char *open_name
;
2314 tor_assert(data_out
);
2315 #if (O_BINARY != 0 && O_TEXT != 0)
2316 tor_assert((open_flags
& (O_BINARY
|O_TEXT
)) != 0);
2319 new_file
->filename
= tor_strdup(fname
);
2320 if (open_flags
& O_APPEND
) {
2322 new_file
->rename_on_close
= 0;
2324 open_flags
&= ~O_APPEND
;
2326 tor_asprintf(&new_file
->tempname
, "%s.tmp", fname
);
2327 open_name
= new_file
->tempname
;
2328 /* We always replace an existing temporary file if there is one. */
2329 open_flags
|= O_CREAT
|O_TRUNC
;
2330 open_flags
&= ~O_EXCL
;
2331 new_file
->rename_on_close
= 1;
2334 if (open_flags
& O_BINARY
)
2335 new_file
->binary
= 1;
2338 new_file
->fd
= tor_open_cloexec(open_name
, open_flags
, mode
);
2339 if (new_file
->fd
< 0) {
2340 log_warn(LD_FS
, "Couldn't open \"%s\" (%s) for writing: %s",
2341 open_name
, fname
, strerror(errno
));
2345 if (tor_fd_seekend(new_file
->fd
) < 0) {
2346 log_warn(LD_FS
, "Couldn't seek to end of file \"%s\": %s", open_name
,
2352 *data_out
= new_file
;
2354 return new_file
->fd
;
2357 if (new_file
->fd
>= 0)
2358 close(new_file
->fd
);
2360 tor_free(new_file
->filename
);
2361 tor_free(new_file
->tempname
);
2366 /** Given <b>file_data</b> from start_writing_to_file(), return a stdio FILE*
2367 * that can be used to write to the same file. The caller should not mix
2368 * stdio calls with non-stdio calls. */
2370 fdopen_file(open_file_t
*file_data
)
2372 tor_assert(file_data
);
2373 if (file_data
->stdio_file
)
2374 return file_data
->stdio_file
;
2375 tor_assert(file_data
->fd
>= 0);
2376 if (!(file_data
->stdio_file
= fdopen(file_data
->fd
,
2377 file_data
->binary
?"ab":"a"))) {
2378 log_warn(LD_FS
, "Couldn't fdopen \"%s\" [%d]: %s", file_data
->filename
,
2379 file_data
->fd
, strerror(errno
));
2381 return file_data
->stdio_file
;
2384 /** Combines start_writing_to_file with fdopen_file(): arguments are as
2385 * for start_writing_to_file, but */
2387 start_writing_to_stdio_file(const char *fname
, int open_flags
, int mode
,
2388 open_file_t
**data_out
)
2391 if (start_writing_to_file(fname
, open_flags
, mode
, data_out
)<0)
2393 if (!(res
= fdopen_file(*data_out
))) {
2394 abort_writing_to_file(*data_out
);
2400 /** Helper function: close and free the underlying file and memory in
2401 * <b>file_data</b>. If we were writing into a temporary file, then delete
2402 * that file (if abort_write is true) or replaces the target file with
2403 * the temporary file (if abort_write is false). */
2405 finish_writing_to_file_impl(open_file_t
*file_data
, int abort_write
)
2409 tor_assert(file_data
&& file_data
->filename
);
2410 if (file_data
->stdio_file
) {
2411 if (fclose(file_data
->stdio_file
)) {
2412 log_warn(LD_FS
, "Error closing \"%s\": %s", file_data
->filename
,
2414 abort_write
= r
= -1;
2416 } else if (file_data
->fd
>= 0 && close(file_data
->fd
) < 0) {
2417 log_warn(LD_FS
, "Error flushing \"%s\": %s", file_data
->filename
,
2419 abort_write
= r
= -1;
2422 if (file_data
->rename_on_close
) {
2423 tor_assert(file_data
->tempname
&& file_data
->filename
);
2425 int res
= unlink(file_data
->tempname
);
2427 /* We couldn't unlink and we'll leave a mess behind */
2428 log_warn(LD_FS
, "Failed to unlink %s: %s",
2429 file_data
->tempname
, strerror(errno
));
2433 tor_assert(strcmp(file_data
->filename
, file_data
->tempname
));
2434 if (replace_file(file_data
->tempname
, file_data
->filename
)) {
2435 log_warn(LD_FS
, "Error replacing \"%s\": %s", file_data
->filename
,
2442 tor_free(file_data
->filename
);
2443 tor_free(file_data
->tempname
);
2444 tor_free(file_data
);
2449 /** Finish writing to <b>file_data</b>: close the file handle, free memory as
2450 * needed, and if using a temporary file, replace the original file with
2451 * the temporary file. */
2453 finish_writing_to_file(open_file_t
*file_data
)
2455 return finish_writing_to_file_impl(file_data
, 0);
2458 /** Finish writing to <b>file_data</b>: close the file handle, free memory as
2459 * needed, and if using a temporary file, delete it. */
2461 abort_writing_to_file(open_file_t
*file_data
)
2463 return finish_writing_to_file_impl(file_data
, 1);
2466 /** Helper: given a set of flags as passed to open(2), open the file
2467 * <b>fname</b> and write all the sized_chunk_t structs in <b>chunks</b> to
2468 * the file. Do so as atomically as possible e.g. by opening temp files and
2471 write_chunks_to_file_impl(const char *fname
, const smartlist_t
*chunks
,
2474 open_file_t
*file
= NULL
;
2477 fd
= start_writing_to_file(fname
, open_flags
, 0600, &file
);
2480 SMARTLIST_FOREACH(chunks
, sized_chunk_t
*, chunk
,
2482 result
= write_all(fd
, chunk
->bytes
, chunk
->len
, 0);
2484 log_warn(LD_FS
, "Error writing to \"%s\": %s", fname
,
2488 tor_assert((size_t)result
== chunk
->len
);
2491 return finish_writing_to_file(file
);
2493 abort_writing_to_file(file
);
2497 /** Given a smartlist of sized_chunk_t, write them to a file
2498 * <b>fname</b>, overwriting or creating the file as necessary.
2499 * If <b>no_tempfile</b> is 0 then the file will be written
2502 write_chunks_to_file(const char *fname
, const smartlist_t
*chunks
, int bin
,
2505 int flags
= OPEN_FLAGS_REPLACE
|(bin
?O_BINARY
:O_TEXT
);
2508 /* O_APPEND stops write_chunks_to_file from using tempfiles */
2511 return write_chunks_to_file_impl(fname
, chunks
, flags
);
2514 /** Write <b>len</b> bytes, starting at <b>str</b>, to <b>fname</b>
2515 using the open() flags passed in <b>flags</b>. */
2517 write_bytes_to_file_impl(const char *fname
, const char *str
, size_t len
,
2521 sized_chunk_t c
= { str
, len
};
2522 smartlist_t
*chunks
= smartlist_new();
2523 smartlist_add(chunks
, &c
);
2524 r
= write_chunks_to_file_impl(fname
, chunks
, flags
);
2525 smartlist_free(chunks
);
2529 /** As write_str_to_file, but does not assume a NUL-terminated
2530 * string. Instead, we write <b>len</b> bytes, starting at <b>str</b>. */
2532 write_bytes_to_file
,(const char *fname
, const char *str
, size_t len
,
2535 return write_bytes_to_file_impl(fname
, str
, len
,
2536 OPEN_FLAGS_REPLACE
|(bin
?O_BINARY
:O_TEXT
));
2539 /** As write_bytes_to_file, but if the file already exists, append the bytes
2540 * to the end of the file instead of overwriting it. */
2542 append_bytes_to_file(const char *fname
, const char *str
, size_t len
,
2545 return write_bytes_to_file_impl(fname
, str
, len
,
2546 OPEN_FLAGS_APPEND
|(bin
?O_BINARY
:O_TEXT
));
2549 /** Like write_str_to_file(), but also return -1 if there was a file
2550 already residing in <b>fname</b>. */
2552 write_bytes_to_new_file(const char *fname
, const char *str
, size_t len
,
2555 return write_bytes_to_file_impl(fname
, str
, len
,
2556 OPEN_FLAGS_DONT_REPLACE
|
2557 (bin
?O_BINARY
:O_TEXT
));
2561 * Read the contents of the open file <b>fd</b> presuming it is a FIFO
2562 * (or similar) file descriptor for which the size of the file isn't
2563 * known ahead of time. Return NULL on failure, and a NUL-terminated
2564 * string on success. On success, set <b>sz_out</b> to the number of
2568 read_file_to_str_until_eof(int fd
, size_t max_bytes_to_read
, size_t *sz_out
)
2572 char *string
= NULL
;
2573 size_t string_max
= 0;
2575 if (max_bytes_to_read
+1 >= SIZE_T_CEILING
)
2579 /* XXXX This "add 1K" approach is a little goofy; if we care about
2580 * performance here, we should be doubling. But in practice we shouldn't
2581 * be using this function on big files anyway. */
2582 string_max
= pos
+ 1024;
2583 if (string_max
> max_bytes_to_read
)
2584 string_max
= max_bytes_to_read
+ 1;
2585 string
= tor_realloc(string
, string_max
);
2586 r
= read(fd
, string
+ pos
, string_max
- pos
- 1);
2593 } while (r
> 0 && pos
< max_bytes_to_read
);
2595 tor_assert(pos
< string_max
);
2601 /** Read the contents of <b>filename</b> into a newly allocated
2602 * string; return the string on success or NULL on failure.
2604 * If <b>stat_out</b> is provided, store the result of stat()ing the
2605 * file into <b>stat_out</b>.
2607 * If <b>flags</b> & RFTS_BIN, open the file in binary mode.
2608 * If <b>flags</b> & RFTS_IGNORE_MISSING, don't warn if the file
2612 * This function <em>may</em> return an erroneous result if the file
2613 * is modified while it is running, but must not crash or overflow.
2614 * Right now, the error case occurs when the file length grows between
2615 * the call to stat and the call to read_all: the resulting string will
2619 read_file_to_str(const char *filename
, int flags
, struct stat
*stat_out
)
2621 int fd
; /* router file */
2622 struct stat statbuf
;
2625 int bin
= flags
& RFTS_BIN
;
2627 tor_assert(filename
);
2629 fd
= tor_open_cloexec(filename
,O_RDONLY
|(bin
?O_BINARY
:O_TEXT
),0);
2631 int severity
= LOG_WARN
;
2632 int save_errno
= errno
;
2633 if (errno
== ENOENT
&& (flags
& RFTS_IGNORE_MISSING
))
2634 severity
= LOG_INFO
;
2635 log_fn(severity
, LD_FS
,"Could not open \"%s\": %s",filename
,
2641 if (fstat(fd
, &statbuf
)<0) {
2642 int save_errno
= errno
;
2644 log_warn(LD_FS
,"Could not fstat \"%s\".",filename
);
2650 /** When we detect that we're reading from a FIFO, don't read more than
2651 * this many bytes. It's insane overkill for most uses. */
2652 #define FIFO_READ_MAX (1024*1024)
2653 if (S_ISFIFO(statbuf
.st_mode
)) {
2655 string
= read_file_to_str_until_eof(fd
, FIFO_READ_MAX
, &sz
);
2656 if (string
&& stat_out
) {
2657 statbuf
.st_size
= sz
;
2658 memcpy(stat_out
, &statbuf
, sizeof(struct stat
));
2665 if ((uint64_t)(statbuf
.st_size
)+1 >= SIZE_T_CEILING
) {
2670 string
= tor_malloc((size_t)(statbuf
.st_size
+1));
2672 r
= read_all(fd
,string
,(size_t)statbuf
.st_size
,0);
2674 int save_errno
= errno
;
2675 log_warn(LD_FS
,"Error reading from file \"%s\": %s", filename
,
2682 string
[r
] = '\0'; /* NUL-terminate the result. */
2684 #if defined(_WIN32) || defined(__CYGWIN__)
2685 if (!bin
&& strchr(string
, '\r')) {
2686 log_debug(LD_FS
, "We didn't convert CRLF to LF as well as we hoped "
2687 "when reading %s. Coping.",
2689 tor_strstrip(string
, "\r");
2693 statbuf
.st_size
= (size_t) r
;
2696 if (r
!= statbuf
.st_size
) {
2697 /* Unless we're using text mode on win32, we'd better have an exact
2698 * match for size. */
2699 int save_errno
= errno
;
2700 log_warn(LD_FS
,"Could read only %d of %ld bytes of file \"%s\".",
2701 (int)r
, (long)statbuf
.st_size
,filename
);
2709 memcpy(stat_out
, &statbuf
, sizeof(struct stat
));
2715 #define TOR_ISODIGIT(c) ('0' <= (c) && (c) <= '7')
2717 /** Given a c-style double-quoted escaped string in <b>s</b>, extract and
2718 * decode its contents into a newly allocated string. On success, assign this
2719 * string to *<b>result</b>, assign its length to <b>size_out</b> (if
2720 * provided), and return a pointer to the position in <b>s</b> immediately
2721 * after the string. On failure, return NULL.
2724 unescape_string(const char *s
, char **result
, size_t *size_out
)
2739 if (cp
[1] == 'x' || cp
[1] == 'X') {
2740 if (!(TOR_ISXDIGIT(cp
[2]) && TOR_ISXDIGIT(cp
[3])))
2743 } else if (TOR_ISODIGIT(cp
[1])) {
2745 if (TOR_ISODIGIT(*cp
)) ++cp
;
2746 if (TOR_ISODIGIT(*cp
)) ++cp
;
2747 } else if (cp
[1] == 'n' || cp
[1] == 'r' || cp
[1] == 't' || cp
[1] == '"'
2748 || cp
[1] == '\\' || cp
[1] == '\'') {
2760 out
= *result
= tor_malloc(cp
-s
+ 1);
2767 if (size_out
) *size_out
= out
- *result
;
2770 tor_fragile_assert();
2776 case 'n': *out
++ = '\n'; cp
+= 2; break;
2777 case 'r': *out
++ = '\r'; cp
+= 2; break;
2778 case 't': *out
++ = '\t'; cp
+= 2; break;
2783 x1
= hex_decode_digit(cp
[2]);
2784 x2
= hex_decode_digit(cp
[3]);
2785 if (x1
== -1 || x2
== -1) {
2790 *out
++ = ((x1
<<4) + x2
);
2794 case '0': case '1': case '2': case '3': case '4': case '5':
2799 if (TOR_ISODIGIT(*cp
)) { n
= n
*8 + *cp
-'0'; cp
++; }
2800 if (TOR_ISODIGIT(*cp
)) { n
= n
*8 + *cp
-'0'; cp
++; }
2801 if (n
> 255) { tor_free(*result
); return NULL
; }
2813 tor_free(*result
); return NULL
;
2822 /** Given a string containing part of a configuration file or similar format,
2823 * advance past comments and whitespace and try to parse a single line. If we
2824 * parse a line successfully, set *<b>key_out</b> to a new string holding the
2825 * key portion and *<b>value_out</b> to a new string holding the value portion
2826 * of the line, and return a pointer to the start of the next line. If we run
2827 * out of data, return a pointer to the end of the string. If we encounter an
2828 * error, return NULL and set *<b>err_out</b> (if provided) to an error
2832 parse_config_line_from_str_verbose(const char *line
, char **key_out
,
2834 const char **err_out
)
2836 /* I believe the file format here is supposed to be:
2837 FILE = (EMPTYLINE | LINE)* (EMPTYLASTLINE | LASTLINE)?
2839 EMPTYLASTLINE = SPACE* | COMMENT
2840 EMPTYLINE = EMPTYLASTLINE NL
2841 SPACE = ' ' | '\r' | '\t'
2842 COMMENT = '#' NOT-NL*
2843 NOT-NL = Any character except '\n'
2846 LASTLINE = SPACE* KEY SPACE* VALUES
2849 KEYCHAR = Any character except ' ', '\r', '\n', '\t', '#', "\"
2851 VALUES = QUOTEDVALUE | NORMALVALUE
2852 QUOTEDVALUE = QUOTE QVCHAR* QUOTE EOLSPACE?
2854 QVCHAR = KEYCHAR | ESC ('n' | 't' | 'r' | '"' | ESC |'\'' | OCTAL | HEX)
2856 OCTAL = ODIGIT (ODIGIT ODIGIT?)?
2857 HEX = ('x' | 'X') HEXDIGIT HEXDIGIT
2859 HEXDIGIT = '0'..'9' | 'a' .. 'f' | 'A' .. 'F'
2860 EOLSPACE = SPACE* COMMENT?
2862 NORMALVALUE = (VALCHAR | ESC ESC_IGNORE | CONTINUATION)* EOLSPACE?
2863 VALCHAR = Any character except ESC, '#', and '\n'
2864 ESC_IGNORE = Any character except '#' or '\n'
2865 CONTINUATION = ESC NL ( COMMENT NL )*
2868 const char *key
, *val
, *cp
;
2869 int continuation
= 0;
2871 tor_assert(key_out
);
2872 tor_assert(value_out
);
2874 *key_out
= *value_out
= NULL
;
2876 /* Skip until the first keyword. */
2878 while (TOR_ISSPACE(*line
))
2881 while (*line
&& *line
!= '\n')
2888 if (!*line
) { /* End of string? */
2889 *key_out
= *value_out
= NULL
;
2893 /* Skip until the next space or \ followed by newline. */
2895 while (*line
&& !TOR_ISSPACE(*line
) && *line
!= '#' &&
2896 ! (line
[0] == '\\' && line
[1] == '\n'))
2898 *key_out
= tor_strndup(key
, line
-key
);
2900 /* Skip until the value. */
2901 while (*line
== ' ' || *line
== '\t')
2906 /* Find the end of the line. */
2907 if (*line
== '\"') { // XXX No continuation handling is done here
2908 if (!(line
= unescape_string(line
, value_out
, NULL
))) {
2910 *err_out
= "Invalid escape sequence in quoted string";
2913 while (*line
== ' ' || *line
== '\t')
2915 if (*line
&& *line
!= '#' && *line
!= '\n') {
2917 *err_out
= "Excess data after quoted string";
2921 /* Look for the end of the line. */
2922 while (*line
&& *line
!= '\n' && (*line
!= '#' || continuation
)) {
2923 if (*line
== '\\' && line
[1] == '\n') {
2926 } else if (*line
== '#') {
2929 } while (*line
&& *line
!= '\n');
2937 if (*line
== '\n') {
2942 /* Now back cp up to be the last nonspace character */
2943 while (cp
>val
&& TOR_ISSPACE(*(cp
-1)))
2946 tor_assert(cp
>= val
);
2948 /* Now copy out and decode the value. */
2949 *value_out
= tor_strndup(val
, cp
-val
);
2952 v_out
= v_in
= *value_out
;
2957 } while (*v_in
&& *v_in
!= '\n');
2960 } else if (v_in
[0] == '\\' && v_in
[1] == '\n') {
2973 } while (*line
&& *line
!= '\n');
2975 while (TOR_ISSPACE(*line
)) ++line
;
2980 /** Expand any homedir prefix on <b>filename</b>; return a newly allocated
2983 expand_filename(const char *filename
)
2985 tor_assert(filename
);
2987 return tor_strdup(filename
);
2989 if (*filename
== '~') {
2990 char *home
, *result
=NULL
;
2993 if (filename
[1] == '/' || filename
[1] == '\0') {
2994 home
= getenv("HOME");
2996 log_warn(LD_CONFIG
, "Couldn't find $HOME environment variable while "
2997 "expanding \"%s\"; defaulting to \"\".", filename
);
2998 home
= tor_strdup("");
3000 home
= tor_strdup(home
);
3002 rest
= strlen(filename
)>=2?(filename
+2):"";
3005 char *username
, *slash
;
3006 slash
= strchr(filename
, '/');
3008 username
= tor_strndup(filename
+1,slash
-filename
-1);
3010 username
= tor_strdup(filename
+1);
3011 if (!(home
= get_user_homedir(username
))) {
3012 log_warn(LD_CONFIG
,"Couldn't get homedir for \"%s\"",username
);
3017 rest
= slash
? (slash
+1) : "";
3019 log_warn(LD_CONFIG
, "Couldn't expand homedir on system without pwd.h");
3020 return tor_strdup(filename
);
3024 /* Remove trailing slash. */
3025 if (strlen(home
)>1 && !strcmpend(home
,PATH_SEPARATOR
)) {
3026 home
[strlen(home
)-1] = '\0';
3028 tor_asprintf(&result
,"%s"PATH_SEPARATOR
"%s",home
,rest
);
3032 return tor_strdup(filename
);
3037 #define MAX_SCANF_WIDTH 9999
3039 /** Helper: given an ASCII-encoded decimal digit, return its numeric value.
3040 * NOTE: requires that its input be in-bounds. */
3042 digit_to_num(char d
)
3044 int num
= ((int)d
) - (int)'0';
3045 tor_assert(num
<= 9 && num
>= 0);
3049 /** Helper: Read an unsigned int from *<b>bufp</b> of up to <b>width</b>
3050 * characters. (Handle arbitrary width if <b>width</b> is less than 0.) On
3051 * success, store the result in <b>out</b>, advance bufp to the next
3052 * character, and return 0. On failure, return -1. */
3054 scan_unsigned(const char **bufp
, unsigned long *out
, int width
, int base
)
3056 unsigned long result
= 0;
3057 int scanned_so_far
= 0;
3058 const int hex
= base
==16;
3059 tor_assert(base
== 10 || base
== 16);
3060 if (!bufp
|| !*bufp
|| !out
)
3063 width
=MAX_SCANF_WIDTH
;
3065 while (**bufp
&& (hex
?TOR_ISXDIGIT(**bufp
):TOR_ISDIGIT(**bufp
))
3066 && scanned_so_far
< width
) {
3067 int digit
= hex
?hex_decode_digit(*(*bufp
)++):digit_to_num(*(*bufp
)++);
3068 // Check for overflow beforehand, without actually causing any overflow
3069 // This preserves functionality on compilers that don't wrap overflow
3070 // (i.e. that trap or optimise away overflow)
3071 // result * base + digit > ULONG_MAX
3072 // result * base > ULONG_MAX - digit
3073 if (result
> (ULONG_MAX
- digit
)/base
)
3074 return -1; /* Processing this digit would overflow */
3075 result
= result
* base
+ digit
;
3079 if (!scanned_so_far
) /* No actual digits scanned */
3086 /** Helper: Read an signed int from *<b>bufp</b> of up to <b>width</b>
3087 * characters. (Handle arbitrary width if <b>width</b> is less than 0.) On
3088 * success, store the result in <b>out</b>, advance bufp to the next
3089 * character, and return 0. On failure, return -1. */
3091 scan_signed(const char **bufp
, long *out
, int width
)
3094 unsigned long result
= 0;
3096 if (!bufp
|| !*bufp
|| !out
)
3099 width
=MAX_SCANF_WIDTH
;
3101 if (**bufp
== '-') {
3107 if (scan_unsigned(bufp
, &result
, width
, 10) < 0)
3110 if (neg
&& result
> 0) {
3111 if (result
> ((unsigned long)LONG_MAX
) + 1)
3112 return -1; /* Underflow */
3113 // Avoid overflow on the cast to signed long when result is LONG_MIN
3114 // by subtracting 1 from the unsigned long positive value,
3115 // then, after it has been cast to signed and negated,
3116 // subtracting the original 1 (the double-subtraction is intentional).
3117 // Otherwise, the cast to signed could cause a temporary long
3118 // to equal LONG_MAX + 1, which is undefined.
3119 // We avoid underflow on the subtraction by treating -0 as positive.
3120 *out
= (-(long)(result
- 1)) - 1;
3122 if (result
> LONG_MAX
)
3123 return -1; /* Overflow */
3124 *out
= (long)result
;
3130 /** Helper: Read a decimal-formatted double from *<b>bufp</b> of up to
3131 * <b>width</b> characters. (Handle arbitrary width if <b>width</b> is less
3132 * than 0.) On success, store the result in <b>out</b>, advance bufp to the
3133 * next character, and return 0. On failure, return -1. */
3135 scan_double(const char **bufp
, double *out
, int width
)
3139 int scanned_so_far
= 0;
3141 if (!bufp
|| !*bufp
|| !out
)
3144 width
=MAX_SCANF_WIDTH
;
3146 if (**bufp
== '-') {
3151 while (**bufp
&& TOR_ISDIGIT(**bufp
) && scanned_so_far
< width
) {
3152 const int digit
= digit_to_num(*(*bufp
)++);
3153 result
= result
* 10 + digit
;
3156 if (**bufp
== '.') {
3157 double fracval
= 0, denominator
= 1;
3160 while (**bufp
&& TOR_ISDIGIT(**bufp
) && scanned_so_far
< width
) {
3161 const int digit
= digit_to_num(*(*bufp
)++);
3162 fracval
= fracval
* 10 + digit
;
3166 result
+= fracval
/ denominator
;
3169 if (!scanned_so_far
) /* No actual digits scanned */
3172 *out
= neg
? -result
: result
;
3176 /** Helper: copy up to <b>width</b> non-space characters from <b>bufp</b> to
3177 * <b>out</b>. Make sure <b>out</b> is nul-terminated. Advance <b>bufp</b>
3178 * to the next non-space character or the EOS. */
3180 scan_string(const char **bufp
, char *out
, int width
)
3182 int scanned_so_far
= 0;
3183 if (!bufp
|| !out
|| width
< 0)
3185 while (**bufp
&& ! TOR_ISSPACE(**bufp
) && scanned_so_far
< width
) {
3186 *out
++ = *(*bufp
)++;
3193 /** Locale-independent, minimal, no-surprises scanf variant, accepting only a
3194 * restricted pattern format. For more info on what it supports, see
3195 * tor_sscanf() documentation. */
3197 tor_vsscanf(const char *buf
, const char *pattern
, va_list ap
)
3202 if (*pattern
!= '%') {
3203 if (*buf
== *pattern
) {
3214 if (TOR_ISDIGIT(*pattern
)) {
3215 width
= digit_to_num(*pattern
++);
3216 while (TOR_ISDIGIT(*pattern
)) {
3218 width
+= digit_to_num(*pattern
++);
3219 if (width
> MAX_SCANF_WIDTH
)
3222 if (!width
) /* No zero-width things. */
3225 if (*pattern
== 'l') {
3229 if (*pattern
== 'u' || *pattern
== 'x') {
3231 const int base
= (*pattern
== 'u') ? 10 : 16;
3234 if (scan_unsigned(&buf
, &u
, width
, base
)<0)
3237 unsigned long *out
= va_arg(ap
, unsigned long *);
3240 unsigned *out
= va_arg(ap
, unsigned *);
3243 *out
= (unsigned) u
;
3247 } else if (*pattern
== 'f') {
3248 double *d
= va_arg(ap
, double *);
3250 return -1; /* float not supported */
3253 if (scan_double(&buf
, d
, width
)<0)
3257 } else if (*pattern
== 'd') {
3259 if (scan_signed(&buf
, &lng
, width
)<0)
3262 long *out
= va_arg(ap
, long *);
3265 int *out
= va_arg(ap
, int *);
3266 if (lng
< INT_MIN
|| lng
> INT_MAX
)
3272 } else if (*pattern
== 's') {
3273 char *s
= va_arg(ap
, char *);
3278 if (scan_string(&buf
, s
, width
)<0)
3282 } else if (*pattern
== 'c') {
3283 char *ch
= va_arg(ap
, char *);
3293 } else if (*pattern
== '%') {
3301 return -1; /* Unrecognized pattern component. */
3309 /** Minimal sscanf replacement: parse <b>buf</b> according to <b>pattern</b>
3310 * and store the results in the corresponding argument fields. Differs from
3312 * <ul><li>It only handles %u, %lu, %x, %lx, %[NUM]s, %d, %ld, %lf, and %c.
3313 * <li>It only handles decimal inputs for %lf. (12.3, not 1.23e1)
3314 * <li>It does not handle arbitrarily long widths.
3315 * <li>Numbers do not consume any space characters.
3316 * <li>It is locale-independent.
3317 * <li>%u and %x do not consume any space.
3318 * <li>It returns -1 on malformed patterns.</ul>
3320 * (As with other locale-independent functions, we need this to parse data that
3321 * is in ASCII without worrying that the C library's locale-handling will make
3322 * miscellaneous characters look like numbers, spaces, and so on.)
3325 tor_sscanf(const char *buf
, const char *pattern
, ...)
3329 va_start(ap
, pattern
);
3330 r
= tor_vsscanf(buf
, pattern
, ap
);
3335 /** Append the string produced by tor_asprintf(<b>pattern</b>, <b>...</b>)
3338 smartlist_add_asprintf(struct smartlist_t
*sl
, const char *pattern
, ...)
3341 va_start(ap
, pattern
);
3342 smartlist_add_vasprintf(sl
, pattern
, ap
);
3346 /** va_list-based backend of smartlist_add_asprintf. */
3348 smartlist_add_vasprintf(struct smartlist_t
*sl
, const char *pattern
,
3353 tor_vasprintf(&str
, pattern
, args
);
3354 tor_assert(str
!= NULL
);
3356 smartlist_add(sl
, str
);
3359 /** Return a new list containing the filenames in the directory <b>dirname</b>.
3360 * Return NULL on error or if <b>dirname</b> is not a directory.
3363 tor_listdir(const char *dirname
)
3365 smartlist_t
*result
;
3368 TCHAR tpattern
[MAX_PATH
] = {0};
3369 char name
[MAX_PATH
*2+1] = {0};
3371 WIN32_FIND_DATA findData
;
3372 tor_asprintf(&pattern
, "%s\\*", dirname
);
3374 mbstowcs(tpattern
,pattern
,MAX_PATH
);
3376 strlcpy(tpattern
, pattern
, MAX_PATH
);
3378 if (INVALID_HANDLE_VALUE
== (handle
= FindFirstFile(tpattern
, &findData
))) {
3382 result
= smartlist_new();
3385 wcstombs(name
,findData
.cFileName
,MAX_PATH
);
3386 name
[sizeof(name
)-1] = '\0';
3388 strlcpy(name
,findData
.cFileName
,sizeof(name
));
3390 if (strcmp(name
, ".") &&
3391 strcmp(name
, "..")) {
3392 smartlist_add(result
, tor_strdup(name
));
3394 if (!FindNextFile(handle
, &findData
)) {
3396 if ((err
= GetLastError()) != ERROR_NO_MORE_FILES
) {
3397 char *errstr
= format_win32_error(err
);
3398 log_warn(LD_FS
, "Error reading directory '%s': %s", dirname
, errstr
);
3407 const char *prot_dname
= sandbox_intern_string(dirname
);
3410 if (!(d
= opendir(prot_dname
)))
3413 result
= smartlist_new();
3414 while ((de
= readdir(d
))) {
3415 if (!strcmp(de
->d_name
, ".") ||
3416 !strcmp(de
->d_name
, ".."))
3418 smartlist_add(result
, tor_strdup(de
->d_name
));
3425 /** Return true iff <b>filename</b> is a relative path. */
3427 path_is_relative(const char *filename
)
3429 if (filename
&& filename
[0] == '/')
3432 else if (filename
&& filename
[0] == '\\')
3434 else if (filename
&& strlen(filename
)>3 && TOR_ISALPHA(filename
[0]) &&
3435 filename
[1] == ':' && filename
[2] == '\\')
3447 /* Based on code contributed by christian grothoff */
3448 /** True iff we've called start_daemon(). */
3449 static int start_daemon_called
= 0;
3450 /** True iff we've called finish_daemon(). */
3451 static int finish_daemon_called
= 0;
3452 /** Socketpair used to communicate between parent and child process while
3454 static int daemon_filedes
[2];
3455 /** Start putting the process into daemon mode: fork and drop all resources
3456 * except standard fds. The parent process never returns, but stays around
3457 * until finish_daemon is called. (Note: it's safe to call this more
3458 * than once: calls after the first are ignored.)
3465 if (start_daemon_called
)
3467 start_daemon_called
= 1;
3469 if (pipe(daemon_filedes
)) {
3470 log_err(LD_GENERAL
,"pipe failed; exiting. Error was %s", strerror(errno
));
3475 log_err(LD_GENERAL
,"fork failed. Exiting.");
3478 if (pid
) { /* Parent */
3482 close(daemon_filedes
[1]); /* we only read */
3484 while (0 < read(daemon_filedes
[0], &c
, sizeof(char))) {
3492 exit(1); /* child reported error */
3493 } else { /* Child */
3494 close(daemon_filedes
[0]); /* we only write */
3496 pid
= setsid(); /* Detach from controlling terminal */
3498 * Fork one more time, so the parent (the session group leader) can exit.
3499 * This means that we, as a non-session group leader, can never regain a
3500 * controlling terminal. This part is recommended by Stevens's
3501 * _Advanced Programming in the Unix Environment_.
3506 set_main_thread(); /* We are now the main thread. */
3512 /** Finish putting the process into daemon mode: drop standard fds, and tell
3513 * the parent process to exit. (Note: it's safe to call this more than once:
3514 * calls after the first are ignored. Calls start_daemon first if it hasn't
3515 * been called already.)
3518 finish_daemon(const char *desired_cwd
)
3522 if (finish_daemon_called
)
3524 if (!start_daemon_called
)
3526 finish_daemon_called
= 1;
3530 /* Don't hold the wrong FS mounted */
3531 if (chdir(desired_cwd
) < 0) {
3532 log_err(LD_GENERAL
,"chdir to \"%s\" failed. Exiting.",desired_cwd
);
3536 nullfd
= tor_open_cloexec("/dev/null", O_RDWR
, 0);
3538 log_err(LD_GENERAL
,"/dev/null can't be opened. Exiting.");
3541 /* close fds linking to invoking terminal, but
3542 * close usual incoming fds, but redirect them somewhere
3543 * useful so the fds don't get reallocated elsewhere.
3545 if (dup2(nullfd
,0) < 0 ||
3546 dup2(nullfd
,1) < 0 ||
3547 dup2(nullfd
,2) < 0) {
3548 log_err(LD_GENERAL
,"dup2 failed. Exiting.");
3553 /* signal success */
3554 if (write(daemon_filedes
[1], &c
, sizeof(char)) != sizeof(char)) {
3555 log_err(LD_GENERAL
,"write failed. Exiting.");
3557 close(daemon_filedes
[1]);
3560 /* defined(_WIN32) */
3566 finish_daemon(const char *cp
)
3572 /** Write the current process ID, followed by NL, into <b>filename</b>.
3575 write_pidfile(char *filename
)
3579 if ((pidfile
= fopen(filename
, "w")) == NULL
) {
3580 log_warn(LD_FS
, "Unable to open \"%s\" for writing: %s", filename
,
3584 fprintf(pidfile
, "%d\n", (int)_getpid());
3586 fprintf(pidfile
, "%d\n", (int)getpid());
3594 load_windows_system_library(const TCHAR
*library_name
)
3596 TCHAR path
[MAX_PATH
];
3598 n
= GetSystemDirectory(path
, MAX_PATH
);
3599 if (n
== 0 || n
+ _tcslen(library_name
) + 2 >= MAX_PATH
)
3601 _tcscat(path
, TEXT("\\"));
3602 _tcscat(path
, library_name
);
3603 return LoadLibrary(path
);
3607 /** Format a single argument for being put on a Windows command line.
3608 * Returns a newly allocated string */
3610 format_win_cmdline_argument(const char *arg
)
3612 char *formatted_arg
;
3617 /* Backslash we can point to when one is inserted into the string */
3618 const char backslash
= '\\';
3620 /* Smartlist of *char */
3621 smartlist_t
*arg_chars
;
3622 arg_chars
= smartlist_new();
3624 /* Quote string if it contains whitespace or is empty */
3625 need_quotes
= (strchr(arg
, ' ') || strchr(arg
, '\t') || '\0' == arg
[0]);
3627 /* Build up smartlist of *chars */
3628 for (c
=arg
; *c
!= '\0'; c
++) {
3630 /* Double up backslashes preceding a quote */
3631 for (i
=0; i
<(bs_counter
*2); i
++)
3632 smartlist_add(arg_chars
, (void*)&backslash
);
3634 /* Escape the quote */
3635 smartlist_add(arg_chars
, (void*)&backslash
);
3636 smartlist_add(arg_chars
, (void*)c
);
3637 } else if ('\\' == *c
) {
3638 /* Count backslashes until we know whether to double up */
3641 /* Don't double up slashes preceding a non-quote */
3642 for (i
=0; i
<bs_counter
; i
++)
3643 smartlist_add(arg_chars
, (void*)&backslash
);
3645 smartlist_add(arg_chars
, (void*)c
);
3648 /* Don't double up trailing backslashes */
3649 for (i
=0; i
<bs_counter
; i
++)
3650 smartlist_add(arg_chars
, (void*)&backslash
);
3652 /* Allocate space for argument, quotes (if needed), and terminator */
3653 const size_t formatted_arg_len
= smartlist_len(arg_chars
) +
3654 (need_quotes
? 2 : 0) + 1;
3655 formatted_arg
= tor_malloc_zero(formatted_arg_len
);
3657 /* Add leading quote */
3660 formatted_arg
[i
++] = '"';
3662 /* Add characters */
3663 SMARTLIST_FOREACH(arg_chars
, char*, c
,
3665 formatted_arg
[i
++] = *c
;
3668 /* Add trailing quote */
3670 formatted_arg
[i
++] = '"';
3671 formatted_arg
[i
] = '\0';
3673 smartlist_free(arg_chars
);
3674 return formatted_arg
;
3677 /** Format a command line for use on Windows, which takes the command as a
3678 * string rather than string array. Follows the rules from "Parsing C++
3679 * Command-Line Arguments" in MSDN. Algorithm based on list2cmdline in the
3680 * Python subprocess module. Returns a newly allocated string */
3682 tor_join_win_cmdline(const char *argv
[])
3684 smartlist_t
*argv_list
;
3688 /* Format each argument and put the result in a smartlist */
3689 argv_list
= smartlist_new();
3690 for (i
=0; argv
[i
] != NULL
; i
++) {
3691 smartlist_add(argv_list
, (void *)format_win_cmdline_argument(argv
[i
]));
3694 /* Join the arguments with whitespace */
3695 joined_argv
= smartlist_join_strings(argv_list
, " ", 0, NULL
);
3697 /* Free the newly allocated arguments, and the smartlist */
3698 SMARTLIST_FOREACH(argv_list
, char *, arg
,
3702 smartlist_free(argv_list
);
3707 /* As format_{hex,dex}_number_sigsafe, but takes a <b>radix</b> argument
3708 * in range 2..16 inclusive. */
3710 format_number_sigsafe(unsigned long x
, char *buf
, int buf_len
,
3717 /* NOT tor_assert. This needs to be safe to run from within a signal handler,
3718 * and from within the 'tor_assert() has failed' code. */
3719 if (radix
< 2 || radix
> 16)
3722 /* Count how many digits we need. */
3725 while (tmp
>= radix
) {
3730 /* Not long enough */
3731 if (!buf
|| len
>= buf_len
)
3737 unsigned digit
= (unsigned) (x
% radix
);
3738 tor_assert(cp
> buf
);
3740 *cp
= "0123456789ABCDEF"[digit
];
3744 /* NOT tor_assert; see above. */
3753 * Helper function to output hex numbers from within a signal handler.
3755 * Writes the nul-terminated hexadecimal digits of <b>x</b> into a buffer
3756 * <b>buf</b> of size <b>buf_len</b>, and return the actual number of digits
3757 * written, not counting the terminal NUL.
3759 * If there is insufficient space, write nothing and return 0.
3761 * This accepts an unsigned int because format_helper_exit_status() needs to
3762 * call it with a signed int and an unsigned char, and since the C standard
3763 * does not guarantee that an int is wider than a char (an int must be at
3764 * least 16 bits but it is permitted for a char to be that wide as well), we
3765 * can't assume a signed int is sufficient to accomodate an unsigned char.
3766 * Thus, format_helper_exit_status() will still need to emit any require '-'
3769 * For most purposes, you'd want to use tor_snprintf("%x") instead of this
3770 * function; it's designed to be used in code paths where you can't call
3771 * arbitrary C functions.
3774 format_hex_number_sigsafe(unsigned long x
, char *buf
, int buf_len
)
3776 return format_number_sigsafe(x
, buf
, buf_len
, 16);
3779 /** As format_hex_number_sigsafe, but format the number in base 10. */
3781 format_dec_number_sigsafe(unsigned long x
, char *buf
, int buf_len
)
3783 return format_number_sigsafe(x
, buf
, buf_len
, 10);
3787 /** Format <b>child_state</b> and <b>saved_errno</b> as a hex string placed in
3788 * <b>hex_errno</b>. Called between fork and _exit, so must be signal-handler
3791 * <b>hex_errno</b> must have at least HEX_ERRNO_SIZE+1 bytes available.
3793 * The format of <b>hex_errno</b> is: "CHILD_STATE/ERRNO\n", left-padded
3794 * with spaces. CHILD_STATE indicates where
3795 * in the processs of starting the child process did the failure occur (see
3796 * CHILD_STATE_* macros for definition), and SAVED_ERRNO is the value of
3797 * errno when the failure occurred.
3799 * On success return the number of characters added to hex_errno, not counting
3800 * the terminating NUL; return -1 on error.
3803 format_helper_exit_status(unsigned char child_state
, int saved_errno
,
3806 unsigned int unsigned_errno
;
3812 /* Fill hex_errno with spaces, and a trailing newline (memset may
3813 not be signal handler safe, so we can't use it) */
3814 for (i
= 0; i
< (HEX_ERRNO_SIZE
- 1); i
++)
3816 hex_errno
[HEX_ERRNO_SIZE
- 1] = '\n';
3818 /* Convert errno to be unsigned for hex conversion */
3819 if (saved_errno
< 0) {
3820 // Avoid overflow on the cast to unsigned int when result is INT_MIN
3821 // by adding 1 to the signed int negative value,
3822 // then, after it has been negated and cast to unsigned,
3823 // adding the original 1 back (the double-addition is intentional).
3824 // Otherwise, the cast to signed could cause a temporary int
3825 // to equal INT_MAX + 1, which is undefined.
3826 unsigned_errno
= ((unsigned int) -(saved_errno
+ 1)) + 1;
3828 unsigned_errno
= (unsigned int) saved_errno
;
3832 * Count how many chars of space we have left, and keep a pointer into the
3833 * current point in the buffer.
3835 left
= HEX_ERRNO_SIZE
+1;
3838 /* Emit child_state */
3839 written
= format_hex_number_sigsafe(child_state
, cur
, left
);
3844 /* Adjust left and cur */
3853 /* Adjust left and cur */
3860 if (saved_errno
< 0) {
3868 /* Emit unsigned_errno */
3869 written
= format_hex_number_sigsafe(unsigned_errno
, cur
, left
);
3874 /* Adjust left and cur */
3878 /* Check that we have enough space left for a newline and a NUL */
3882 /* Emit the newline and NUL */
3886 res
= (int)(cur
- hex_errno
- 1);
3892 * In error exit, just write a '\0' in the first char so whatever called
3893 * this at least won't fall off the end.
3902 /* Maximum number of file descriptors, if we cannot get it via sysconf() */
3903 #define DEFAULT_MAX_FD 256
3905 /** Terminate the process of <b>process_handle</b>.
3906 * Code borrowed from Python's os.kill. */
3908 tor_terminate_process(process_handle_t
*process_handle
)
3911 if (tor_get_exit_code(process_handle
, 0, NULL
) == PROCESS_EXIT_RUNNING
) {
3912 HANDLE handle
= process_handle
->pid
.hProcess
;
3914 if (!TerminateProcess(handle
, 0))
3920 if (process_handle
->waitpid_cb
) {
3921 /* We haven't got a waitpid yet, so we can just kill off the process. */
3922 return kill(process_handle
->pid
, SIGTERM
);
3929 /** Return the Process ID of <b>process_handle</b>. */
3931 tor_process_get_pid(process_handle_t
*process_handle
)
3934 return (int) process_handle
->pid
.dwProcessId
;
3936 return (int) process_handle
->pid
;
3942 tor_process_get_stdout_pipe(process_handle_t
*process_handle
)
3944 return process_handle
->stdout_pipe
;
3947 /* DOCDOC tor_process_get_stdout_pipe */
3949 tor_process_get_stdout_pipe(process_handle_t
*process_handle
)
3951 return process_handle
->stdout_handle
;
3955 /* DOCDOC process_handle_new */
3956 static process_handle_t
*
3957 process_handle_new(void)
3959 process_handle_t
*out
= tor_malloc_zero(sizeof(process_handle_t
));
3962 out
->stdin_pipe
= INVALID_HANDLE_VALUE
;
3963 out
->stdout_pipe
= INVALID_HANDLE_VALUE
;
3964 out
->stderr_pipe
= INVALID_HANDLE_VALUE
;
3966 out
->stdin_pipe
= -1;
3967 out
->stdout_pipe
= -1;
3968 out
->stderr_pipe
= -1;
3975 /** Invoked when a process that we've launched via tor_spawn_background() has
3976 * been found to have terminated.
3979 process_handle_waitpid_cb(int status
, void *arg
)
3981 process_handle_t
*process_handle
= arg
;
3983 process_handle
->waitpid_exit_status
= status
;
3984 clear_waitpid_callback(process_handle
->waitpid_cb
);
3985 if (process_handle
->status
== PROCESS_STATUS_RUNNING
)
3986 process_handle
->status
= PROCESS_STATUS_NOTRUNNING
;
3987 process_handle
->waitpid_cb
= 0;
3992 * @name child-process states
3994 * Each of these values represents a possible state that a child process can
3995 * be in. They're used to determine what to say when telling the parent how
3996 * far along we were before failure.
4000 #define CHILD_STATE_INIT 0
4001 #define CHILD_STATE_PIPE 1
4002 #define CHILD_STATE_MAXFD 2
4003 #define CHILD_STATE_FORK 3
4004 #define CHILD_STATE_DUPOUT 4
4005 #define CHILD_STATE_DUPERR 5
4006 #define CHILD_STATE_DUPIN 6
4007 #define CHILD_STATE_CLOSEFD 7
4008 #define CHILD_STATE_EXEC 8
4009 #define CHILD_STATE_FAILEXEC 9
4011 /** Start a program in the background. If <b>filename</b> contains a '/', then
4012 * it will be treated as an absolute or relative path. Otherwise, on
4013 * non-Windows systems, the system path will be searched for <b>filename</b>.
4014 * On Windows, only the current directory will be searched. Here, to search the
4015 * system path (as well as the application directory, current working
4016 * directory, and system directories), set filename to NULL.
4018 * The strings in <b>argv</b> will be passed as the command line arguments of
4019 * the child program (following convention, argv[0] should normally be the
4020 * filename of the executable, and this must be the case if <b>filename</b> is
4021 * NULL). The last element of argv must be NULL. A handle to the child process
4022 * will be returned in process_handle (which must be non-NULL). Read
4023 * process_handle.status to find out if the process was successfully launched.
4024 * For convenience, process_handle.status is returned by this function.
4026 * Some parts of this code are based on the POSIX subprocess module from
4027 * Python, and example code from
4028 * http://msdn.microsoft.com/en-us/library/ms682499%28v=vs.85%29.aspx.
4031 tor_spawn_background(const char *const filename
, const char **argv
,
4032 process_environment_t
*env
,
4033 process_handle_t
**process_handle_out
)
4036 HANDLE stdout_pipe_read
= NULL
;
4037 HANDLE stdout_pipe_write
= NULL
;
4038 HANDLE stderr_pipe_read
= NULL
;
4039 HANDLE stderr_pipe_write
= NULL
;
4040 HANDLE stdin_pipe_read
= NULL
;
4041 HANDLE stdin_pipe_write
= NULL
;
4042 process_handle_t
*process_handle
;
4045 STARTUPINFOA siStartInfo
;
4046 BOOL retval
= FALSE
;
4048 SECURITY_ATTRIBUTES saAttr
;
4051 saAttr
.nLength
= sizeof(SECURITY_ATTRIBUTES
);
4052 saAttr
.bInheritHandle
= TRUE
;
4053 /* TODO: should we set explicit security attributes? (#2046, comment 5) */
4054 saAttr
.lpSecurityDescriptor
= NULL
;
4056 /* Assume failure to start process */
4057 status
= PROCESS_STATUS_ERROR
;
4059 /* Set up pipe for stdout */
4060 if (!CreatePipe(&stdout_pipe_read
, &stdout_pipe_write
, &saAttr
, 0)) {
4061 log_warn(LD_GENERAL
,
4062 "Failed to create pipe for stdout communication with child process: %s",
4063 format_win32_error(GetLastError()));
4066 if (!SetHandleInformation(stdout_pipe_read
, HANDLE_FLAG_INHERIT
, 0)) {
4067 log_warn(LD_GENERAL
,
4068 "Failed to configure pipe for stdout communication with child "
4069 "process: %s", format_win32_error(GetLastError()));
4073 /* Set up pipe for stderr */
4074 if (!CreatePipe(&stderr_pipe_read
, &stderr_pipe_write
, &saAttr
, 0)) {
4075 log_warn(LD_GENERAL
,
4076 "Failed to create pipe for stderr communication with child process: %s",
4077 format_win32_error(GetLastError()));
4080 if (!SetHandleInformation(stderr_pipe_read
, HANDLE_FLAG_INHERIT
, 0)) {
4081 log_warn(LD_GENERAL
,
4082 "Failed to configure pipe for stderr communication with child "
4083 "process: %s", format_win32_error(GetLastError()));
4087 /* Set up pipe for stdin */
4088 if (!CreatePipe(&stdin_pipe_read
, &stdin_pipe_write
, &saAttr
, 0)) {
4089 log_warn(LD_GENERAL
,
4090 "Failed to create pipe for stdin communication with child process: %s",
4091 format_win32_error(GetLastError()));
4094 if (!SetHandleInformation(stdin_pipe_write
, HANDLE_FLAG_INHERIT
, 0)) {
4095 log_warn(LD_GENERAL
,
4096 "Failed to configure pipe for stdin communication with child "
4097 "process: %s", format_win32_error(GetLastError()));
4101 /* Create the child process */
4103 /* Windows expects argv to be a whitespace delimited string, so join argv up
4105 joined_argv
= tor_join_win_cmdline(argv
);
4107 process_handle
= process_handle_new();
4108 process_handle
->status
= status
;
4110 ZeroMemory(&(process_handle
->pid
), sizeof(PROCESS_INFORMATION
));
4111 ZeroMemory(&siStartInfo
, sizeof(STARTUPINFO
));
4112 siStartInfo
.cb
= sizeof(STARTUPINFO
);
4113 siStartInfo
.hStdError
= stderr_pipe_write
;
4114 siStartInfo
.hStdOutput
= stdout_pipe_write
;
4115 siStartInfo
.hStdInput
= stdin_pipe_read
;
4116 siStartInfo
.dwFlags
|= STARTF_USESTDHANDLES
;
4118 /* Create the child process */
4120 retval
= CreateProcessA(filename
, // module name
4121 joined_argv
, // command line
4122 /* TODO: should we set explicit security attributes? (#2046, comment 5) */
4123 NULL
, // process security attributes
4124 NULL
, // primary thread security attributes
4125 TRUE
, // handles are inherited
4126 /*(TODO: set CREATE_NEW CONSOLE/PROCESS_GROUP to make GetExitCodeProcess()
4128 CREATE_NO_WINDOW
, // creation flags
4129 (env
==NULL
) ? NULL
: env
->windows_environment_block
,
4130 NULL
, // use parent's current directory
4131 &siStartInfo
, // STARTUPINFO pointer
4132 &(process_handle
->pid
)); // receives PROCESS_INFORMATION
4134 tor_free(joined_argv
);
4137 log_warn(LD_GENERAL
,
4138 "Failed to create child process %s: %s", filename
?filename
:argv
[0],
4139 format_win32_error(GetLastError()));
4140 tor_free(process_handle
);
4142 /* TODO: Close hProcess and hThread in process_handle->pid? */
4143 process_handle
->stdout_pipe
= stdout_pipe_read
;
4144 process_handle
->stderr_pipe
= stderr_pipe_read
;
4145 process_handle
->stdin_pipe
= stdin_pipe_write
;
4146 status
= process_handle
->status
= PROCESS_STATUS_RUNNING
;
4149 /* TODO: Close pipes on exit */
4150 *process_handle_out
= process_handle
;
4159 process_handle_t
*process_handle
;
4162 const char *error_message
= SPAWN_ERROR_MESSAGE
;
4163 size_t error_message_length
;
4165 /* Represents where in the process of spawning the program is;
4166 this is used for printing out the error message */
4167 unsigned char child_state
= CHILD_STATE_INIT
;
4169 char hex_errno
[HEX_ERRNO_SIZE
+ 2]; /* + 1 should be sufficient actually */
4171 static int max_fd
= -1;
4173 status
= PROCESS_STATUS_ERROR
;
4175 /* We do the strlen here because strlen() is not signal handler safe,
4176 and we are not allowed to use unsafe functions between fork and exec */
4177 error_message_length
= strlen(error_message
);
4179 child_state
= CHILD_STATE_PIPE
;
4181 /* Set up pipe for redirecting stdout, stderr, and stdin of child */
4182 retval
= pipe(stdout_pipe
);
4184 log_warn(LD_GENERAL
,
4185 "Failed to set up pipe for stdout communication with child process: %s",
4190 retval
= pipe(stderr_pipe
);
4192 log_warn(LD_GENERAL
,
4193 "Failed to set up pipe for stderr communication with child process: %s",
4196 close(stdout_pipe
[0]);
4197 close(stdout_pipe
[1]);
4202 retval
= pipe(stdin_pipe
);
4204 log_warn(LD_GENERAL
,
4205 "Failed to set up pipe for stdin communication with child process: %s",
4208 close(stdout_pipe
[0]);
4209 close(stdout_pipe
[1]);
4210 close(stderr_pipe
[0]);
4211 close(stderr_pipe
[1]);
4216 child_state
= CHILD_STATE_MAXFD
;
4220 max_fd
= (int) sysconf(_SC_OPEN_MAX
);
4222 max_fd
= DEFAULT_MAX_FD
;
4223 log_warn(LD_GENERAL
,
4224 "Cannot find maximum file descriptor, assuming %d", max_fd
);
4228 max_fd
= DEFAULT_MAX_FD
;
4231 child_state
= CHILD_STATE_FORK
;
4237 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
4238 /* Attempt to have the kernel issue a SIGTERM if the parent
4239 * goes away. Certain attributes of the binary being execve()ed
4240 * will clear this during the execve() call, but it's better
4243 prctl(PR_SET_PDEATHSIG
, SIGTERM
);
4246 child_state
= CHILD_STATE_DUPOUT
;
4248 /* Link child stdout to the write end of the pipe */
4249 retval
= dup2(stdout_pipe
[1], STDOUT_FILENO
);
4253 child_state
= CHILD_STATE_DUPERR
;
4255 /* Link child stderr to the write end of the pipe */
4256 retval
= dup2(stderr_pipe
[1], STDERR_FILENO
);
4260 child_state
= CHILD_STATE_DUPIN
;
4262 /* Link child stdin to the read end of the pipe */
4263 retval
= dup2(stdin_pipe
[0], STDIN_FILENO
);
4267 child_state
= CHILD_STATE_CLOSEFD
;
4269 close(stderr_pipe
[0]);
4270 close(stderr_pipe
[1]);
4271 close(stdout_pipe
[0]);
4272 close(stdout_pipe
[1]);
4273 close(stdin_pipe
[0]);
4274 close(stdin_pipe
[1]);
4276 /* Close all other fds, including the read end of the pipe */
4277 /* XXX: We should now be doing enough FD_CLOEXEC setting to make
4279 for (fd
= STDERR_FILENO
+ 1; fd
< max_fd
; fd
++) {
4283 child_state
= CHILD_STATE_EXEC
;
4285 /* Call the requested program. We need the cast because
4286 execvp doesn't define argv as const, even though it
4287 does not modify the arguments */
4289 execve(filename
, (char *const *) argv
, env
->unixoid_environment_block
);
4291 static char *new_env
[] = { NULL
};
4292 execve(filename
, (char *const *) argv
, new_env
);
4295 /* If we got here, the exec or open(/dev/null) failed */
4297 child_state
= CHILD_STATE_FAILEXEC
;
4301 /* XXX: are we leaking fds from the pipe? */
4304 n
= format_helper_exit_status(child_state
, errno
, hex_errno
);
4307 /* Write the error message. GCC requires that we check the return
4308 value, but there is nothing we can do if it fails */
4309 /* TODO: Don't use STDOUT, use a pipe set up just for this purpose */
4310 nbytes
= write(STDOUT_FILENO
, error_message
, error_message_length
);
4311 nbytes
= write(STDOUT_FILENO
, hex_errno
, n
);
4318 /* Never reached, but avoids compiler warning */
4325 log_warn(LD_GENERAL
, "Failed to fork child process: %s", strerror(errno
));
4326 close(stdin_pipe
[0]);
4327 close(stdin_pipe
[1]);
4328 close(stdout_pipe
[0]);
4329 close(stdout_pipe
[1]);
4330 close(stderr_pipe
[0]);
4331 close(stderr_pipe
[1]);
4335 process_handle
= process_handle_new();
4336 process_handle
->status
= status
;
4337 process_handle
->pid
= pid
;
4339 /* TODO: If the child process forked but failed to exec, waitpid it */
4341 /* Return read end of the pipes to caller, and close write end */
4342 process_handle
->stdout_pipe
= stdout_pipe
[0];
4343 retval
= close(stdout_pipe
[1]);
4346 log_warn(LD_GENERAL
,
4347 "Failed to close write end of stdout pipe in parent process: %s",
4351 process_handle
->waitpid_cb
= set_waitpid_callback(pid
,
4352 process_handle_waitpid_cb
,
4355 process_handle
->stderr_pipe
= stderr_pipe
[0];
4356 retval
= close(stderr_pipe
[1]);
4359 log_warn(LD_GENERAL
,
4360 "Failed to close write end of stderr pipe in parent process: %s",
4364 /* Return write end of the stdin pipe to caller, and close the read end */
4365 process_handle
->stdin_pipe
= stdin_pipe
[1];
4366 retval
= close(stdin_pipe
[0]);
4369 log_warn(LD_GENERAL
,
4370 "Failed to close read end of stdin pipe in parent process: %s",
4374 status
= process_handle
->status
= PROCESS_STATUS_RUNNING
;
4375 /* Set stdin/stdout/stderr pipes to be non-blocking */
4376 if (fcntl(process_handle
->stdout_pipe
, F_SETFL
, O_NONBLOCK
) < 0 ||
4377 fcntl(process_handle
->stderr_pipe
, F_SETFL
, O_NONBLOCK
) < 0 ||
4378 fcntl(process_handle
->stdin_pipe
, F_SETFL
, O_NONBLOCK
) < 0) {
4379 log_warn(LD_GENERAL
, "Failed to set stderror/stdout/stdin pipes "
4380 "nonblocking in parent process: %s", strerror(errno
));
4382 /* Open the buffered IO streams */
4383 process_handle
->stdout_handle
= fdopen(process_handle
->stdout_pipe
, "r");
4384 process_handle
->stderr_handle
= fdopen(process_handle
->stderr_pipe
, "r");
4385 process_handle
->stdin_handle
= fdopen(process_handle
->stdin_pipe
, "r");
4387 *process_handle_out
= process_handle
;
4388 return process_handle
->status
;
4392 /** Destroy all resources allocated by the process handle in
4393 * <b>process_handle</b>.
4394 * If <b>also_terminate_process</b> is true, also terminate the
4395 * process of the process handle. */
4397 tor_process_handle_destroy
,(process_handle_t
*process_handle
,
4398 int also_terminate_process
))
4400 if (!process_handle
)
4403 if (also_terminate_process
) {
4404 if (tor_terminate_process(process_handle
) < 0) {
4405 const char *errstr
=
4407 format_win32_error(GetLastError());
4411 log_notice(LD_GENERAL
, "Failed to terminate process with "
4412 "PID '%d' ('%s').", tor_process_get_pid(process_handle
),
4415 log_info(LD_GENERAL
, "Terminated process with PID '%d'.",
4416 tor_process_get_pid(process_handle
));
4420 process_handle
->status
= PROCESS_STATUS_NOTRUNNING
;
4423 if (process_handle
->stdout_pipe
)
4424 CloseHandle(process_handle
->stdout_pipe
);
4426 if (process_handle
->stderr_pipe
)
4427 CloseHandle(process_handle
->stderr_pipe
);
4429 if (process_handle
->stdin_pipe
)
4430 CloseHandle(process_handle
->stdin_pipe
);
4432 if (process_handle
->stdout_handle
)
4433 fclose(process_handle
->stdout_handle
);
4435 if (process_handle
->stderr_handle
)
4436 fclose(process_handle
->stderr_handle
);
4438 if (process_handle
->stdin_handle
)
4439 fclose(process_handle
->stdin_handle
);
4441 clear_waitpid_callback(process_handle
->waitpid_cb
);
4444 memset(process_handle
, 0x0f, sizeof(process_handle_t
));
4445 tor_free(process_handle
);
4448 /** Get the exit code of a process specified by <b>process_handle</b> and store
4449 * it in <b>exit_code</b>, if set to a non-NULL value. If <b>block</b> is set
4450 * to true, the call will block until the process has exited. Otherwise if
4451 * the process is still running, the function will return
4452 * PROCESS_EXIT_RUNNING, and exit_code will be left unchanged. Returns
4453 * PROCESS_EXIT_EXITED if the process did exit. If there is a failure,
4454 * PROCESS_EXIT_ERROR will be returned and the contents of exit_code (if
4455 * non-NULL) will be undefined. N.B. Under *nix operating systems, this will
4456 * probably not work in Tor, because waitpid() is called in main.c to reap any
4457 * terminated child processes.*/
4459 tor_get_exit_code(process_handle_t
*process_handle
,
4460 int block
, int *exit_code
)
4467 /* Wait for the process to exit */
4468 retval
= WaitForSingleObject(process_handle
->pid
.hProcess
, INFINITE
);
4469 if (retval
!= WAIT_OBJECT_0
) {
4470 log_warn(LD_GENERAL
, "WaitForSingleObject() failed (%d): %s",
4471 (int)retval
, format_win32_error(GetLastError()));
4472 return PROCESS_EXIT_ERROR
;
4475 retval
= WaitForSingleObject(process_handle
->pid
.hProcess
, 0);
4476 if (WAIT_TIMEOUT
== retval
) {
4477 /* Process has not exited */
4478 return PROCESS_EXIT_RUNNING
;
4479 } else if (retval
!= WAIT_OBJECT_0
) {
4480 log_warn(LD_GENERAL
, "WaitForSingleObject() failed (%d): %s",
4481 (int)retval
, format_win32_error(GetLastError()));
4482 return PROCESS_EXIT_ERROR
;
4486 if (exit_code
!= NULL
) {
4487 success
= GetExitCodeProcess(process_handle
->pid
.hProcess
,
4490 log_warn(LD_GENERAL
, "GetExitCodeProcess() failed: %s",
4491 format_win32_error(GetLastError()));
4492 return PROCESS_EXIT_ERROR
;
4499 if (process_handle
->waitpid_cb
) {
4500 /* We haven't processed a SIGCHLD yet. */
4501 retval
= waitpid(process_handle
->pid
, &stat_loc
, block
?0:WNOHANG
);
4502 if (retval
== process_handle
->pid
) {
4503 clear_waitpid_callback(process_handle
->waitpid_cb
);
4504 process_handle
->waitpid_cb
= NULL
;
4505 process_handle
->waitpid_exit_status
= stat_loc
;
4508 /* We already got a SIGCHLD for this process, and handled it. */
4509 retval
= process_handle
->pid
;
4510 stat_loc
= process_handle
->waitpid_exit_status
;
4513 if (!block
&& 0 == retval
) {
4514 /* Process has not exited */
4515 return PROCESS_EXIT_RUNNING
;
4516 } else if (retval
!= process_handle
->pid
) {
4517 log_warn(LD_GENERAL
, "waitpid() failed for PID %d: %s",
4518 process_handle
->pid
, strerror(errno
));
4519 return PROCESS_EXIT_ERROR
;
4522 if (!WIFEXITED(stat_loc
)) {
4523 log_warn(LD_GENERAL
, "Process %d did not exit normally",
4524 process_handle
->pid
);
4525 return PROCESS_EXIT_ERROR
;
4528 if (exit_code
!= NULL
)
4529 *exit_code
= WEXITSTATUS(stat_loc
);
4532 return PROCESS_EXIT_EXITED
;
4535 /** Helper: return the number of characters in <b>s</b> preceding the first
4536 * occurrence of <b>ch</b>. If <b>ch</b> does not occur in <b>s</b>, return
4537 * the length of <b>s</b>. Should be equivalent to strspn(s, "ch"). */
4538 static INLINE
size_t
4539 str_num_before(const char *s
, char ch
)
4541 const char *cp
= strchr(s
, ch
);
4548 /** Return non-zero iff getenv would consider <b>s1</b> and <b>s2</b>
4549 * to have the same name as strings in a process's environment. */
4551 environment_variable_names_equal(const char *s1
, const char *s2
)
4553 size_t s1_name_len
= str_num_before(s1
, '=');
4554 size_t s2_name_len
= str_num_before(s2
, '=');
4556 return (s1_name_len
== s2_name_len
&&
4557 tor_memeq(s1
, s2
, s1_name_len
));
4560 /** Free <b>env</b> (assuming it was produced by
4561 * process_environment_make). */
4563 process_environment_free(process_environment_t
*env
)
4565 if (env
== NULL
) return;
4567 /* As both an optimization hack to reduce consing on Unixoid systems
4568 * and a nice way to ensure that some otherwise-Windows-specific
4569 * code will always get tested before changes to it get merged, the
4570 * strings which env->unixoid_environment_block points to are packed
4571 * into env->windows_environment_block. */
4572 tor_free(env
->unixoid_environment_block
);
4573 tor_free(env
->windows_environment_block
);
4578 /** Make a process_environment_t containing the environment variables
4579 * specified in <b>env_vars</b> (as C strings of the form
4581 process_environment_t
*
4582 process_environment_make(struct smartlist_t
*env_vars
)
4584 process_environment_t
*env
= tor_malloc_zero(sizeof(process_environment_t
));
4585 size_t n_env_vars
= smartlist_len(env_vars
);
4587 size_t total_env_length
;
4588 smartlist_t
*env_vars_sorted
;
4590 tor_assert(n_env_vars
+ 1 != 0);
4591 env
->unixoid_environment_block
= tor_calloc(n_env_vars
+ 1, sizeof(char *));
4592 /* env->unixoid_environment_block is already NULL-terminated,
4593 * because we assume that NULL == 0 (and check that during compilation). */
4595 total_env_length
= 1; /* terminating NUL of terminating empty string */
4596 for (i
= 0; i
< n_env_vars
; ++i
) {
4597 const char *s
= smartlist_get(env_vars
, i
);
4598 size_t slen
= strlen(s
);
4600 tor_assert(slen
+ 1 != 0);
4601 tor_assert(slen
+ 1 < SIZE_MAX
- total_env_length
);
4602 total_env_length
+= slen
+ 1;
4605 env
->windows_environment_block
= tor_malloc_zero(total_env_length
);
4606 /* env->windows_environment_block is already
4607 * (NUL-terminated-empty-string)-terminated. */
4609 /* Some versions of Windows supposedly require that environment
4610 * blocks be sorted. Or maybe some Windows programs (or their
4611 * runtime libraries) fail to look up strings in non-sorted
4612 * environment blocks.
4614 * Also, sorting strings makes it easy to find duplicate environment
4615 * variables and environment-variable strings without an '=' on all
4616 * OSes, and they can cause badness. Let's complain about those. */
4617 env_vars_sorted
= smartlist_new();
4618 smartlist_add_all(env_vars_sorted
, env_vars
);
4619 smartlist_sort_strings(env_vars_sorted
);
4621 /* Now copy the strings into the environment blocks. */
4623 char *cp
= env
->windows_environment_block
;
4624 const char *prev_env_var
= NULL
;
4626 for (i
= 0; i
< n_env_vars
; ++i
) {
4627 const char *s
= smartlist_get(env_vars_sorted
, i
);
4628 size_t slen
= strlen(s
);
4629 size_t s_name_len
= str_num_before(s
, '=');
4631 if (s_name_len
== slen
) {
4632 log_warn(LD_GENERAL
,
4633 "Preparing an environment containing a variable "
4634 "without a value: %s",
4637 if (prev_env_var
!= NULL
&&
4638 environment_variable_names_equal(s
, prev_env_var
)) {
4639 log_warn(LD_GENERAL
,
4640 "Preparing an environment containing two variables "
4641 "with the same name: %s and %s",
4647 /* Actually copy the string into the environment. */
4648 memcpy(cp
, s
, slen
+1);
4649 env
->unixoid_environment_block
[i
] = cp
;
4653 tor_assert(cp
== env
->windows_environment_block
+ total_env_length
- 1);
4656 smartlist_free(env_vars_sorted
);
4661 /** Return a newly allocated smartlist containing every variable in
4662 * this process's environment, as a NUL-terminated string of the form
4663 * "NAME=VALUE". Note that on some/many/most/all OSes, the parent
4664 * process can put strings not of that form in our environment;
4665 * callers should try to not get crashed by that.
4667 * The returned strings are heap-allocated, and must be freed by the
4669 struct smartlist_t
*
4670 get_current_process_environment_variables(void)
4672 smartlist_t
*sl
= smartlist_new();
4674 char **environ_tmp
; /* Not const char ** ? Really? */
4675 for (environ_tmp
= get_environment(); *environ_tmp
; ++environ_tmp
) {
4676 smartlist_add(sl
, tor_strdup(*environ_tmp
));
4682 /** For each string s in <b>env_vars</b> such that
4683 * environment_variable_names_equal(s, <b>new_var</b>), remove it; if
4684 * <b>free_p</b> is non-zero, call <b>free_old</b>(s). If
4685 * <b>new_var</b> contains '=', insert it into <b>env_vars</b>. */
4687 set_environment_variable_in_smartlist(struct smartlist_t
*env_vars
,
4688 const char *new_var
,
4689 void (*free_old
)(void*),
4692 SMARTLIST_FOREACH_BEGIN(env_vars
, const char *, s
) {
4693 if (environment_variable_names_equal(s
, new_var
)) {
4694 SMARTLIST_DEL_CURRENT(env_vars
, s
);
4696 free_old((void *)s
);
4699 } SMARTLIST_FOREACH_END(s
);
4701 if (strchr(new_var
, '=') != NULL
) {
4702 smartlist_add(env_vars
, (void *)new_var
);
4707 /** Read from a handle <b>h</b> into <b>buf</b>, up to <b>count</b> bytes. If
4708 * <b>hProcess</b> is NULL, the function will return immediately if there is
4709 * nothing more to read. Otherwise <b>hProcess</b> should be set to the handle
4710 * to the process owning the <b>h</b>. In this case, the function will exit
4711 * only once the process has exited, or <b>count</b> bytes are read. Returns
4712 * the number of bytes read, or -1 on error. */
4714 tor_read_all_handle(HANDLE h
, char *buf
, size_t count
,
4715 const process_handle_t
*process
)
4720 BOOL process_exited
= FALSE
;
4722 if (count
> SIZE_T_CEILING
|| count
> SSIZE_MAX
)
4725 while (numread
!= count
) {
4726 /* Check if there is anything to read */
4727 retval
= PeekNamedPipe(h
, NULL
, 0, NULL
, &byte_count
, NULL
);
4729 log_warn(LD_GENERAL
,
4730 "Failed to peek from handle: %s",
4731 format_win32_error(GetLastError()));
4733 } else if (0 == byte_count
) {
4734 /* Nothing available: process exited or it is busy */
4736 /* Exit if we don't know whether the process is running */
4737 if (NULL
== process
)
4740 /* The process exited and there's nothing left to read from it */
4744 /* If process is not running, check for output one more time in case
4745 it wrote something after the peek was performed. Otherwise keep on
4746 waiting for output */
4747 tor_assert(process
!= NULL
);
4748 byte_count
= WaitForSingleObject(process
->pid
.hProcess
, 0);
4749 if (WAIT_TIMEOUT
!= byte_count
)
4750 process_exited
= TRUE
;
4755 /* There is data to read; read it */
4756 retval
= ReadFile(h
, buf
+numread
, count
-numread
, &byte_count
, NULL
);
4757 tor_assert(byte_count
+ numread
<= count
);
4759 log_warn(LD_GENERAL
, "Failed to read from handle: %s",
4760 format_win32_error(GetLastError()));
4762 } else if (0 == byte_count
) {
4766 numread
+= byte_count
;
4768 return (ssize_t
)numread
;
4771 /** Read from a handle <b>h</b> into <b>buf</b>, up to <b>count</b> bytes. If
4772 * <b>process</b> is NULL, the function will return immediately if there is
4773 * nothing more to read. Otherwise data will be read until end of file, or
4774 * <b>count</b> bytes are read. Returns the number of bytes read, or -1 on
4775 * error. Sets <b>eof</b> to true if <b>eof</b> is not NULL and the end of the
4776 * file has been reached. */
4778 tor_read_all_handle(FILE *h
, char *buf
, size_t count
,
4779 const process_handle_t
*process
,
4788 if (count
> SIZE_T_CEILING
|| count
> SSIZE_MAX
)
4791 while (numread
!= count
) {
4792 /* Use fgets because that is what we use in log_from_pipe() */
4793 retval
= fgets(buf
+numread
, (int)(count
-numread
), h
);
4794 if (NULL
== retval
) {
4796 log_debug(LD_GENERAL
, "fgets() reached end of file");
4801 if (EAGAIN
== errno
) {
4807 log_warn(LD_GENERAL
, "fgets() from handle failed: %s",
4813 tor_assert(retval
!= NULL
);
4814 tor_assert(strlen(retval
) + numread
<= count
);
4815 numread
+= strlen(retval
);
4818 log_debug(LD_GENERAL
, "fgets() read %d bytes from handle", (int)numread
);
4819 return (ssize_t
)numread
;
4823 /** Read from stdout of a process until the process exits. */
4825 tor_read_all_from_process_stdout(const process_handle_t
*process_handle
,
4826 char *buf
, size_t count
)
4829 return tor_read_all_handle(process_handle
->stdout_pipe
, buf
, count
,
4832 return tor_read_all_handle(process_handle
->stdout_handle
, buf
, count
,
4833 process_handle
, NULL
);
4837 /** Read from stdout of a process until the process exits. */
4839 tor_read_all_from_process_stderr(const process_handle_t
*process_handle
,
4840 char *buf
, size_t count
)
4843 return tor_read_all_handle(process_handle
->stderr_pipe
, buf
, count
,
4846 return tor_read_all_handle(process_handle
->stderr_handle
, buf
, count
,
4847 process_handle
, NULL
);
4851 /** Split buf into lines, and add to smartlist. The buffer <b>buf</b> will be
4852 * modified. The resulting smartlist will consist of pointers to buf, so there
4853 * is no need to free the contents of sl. <b>buf</b> must be a NUL-terminated
4854 * string. <b>len</b> should be set to the length of the buffer excluding the
4855 * NUL. Non-printable characters (including NUL) will be replaced with "." */
4857 tor_split_lines(smartlist_t
*sl
, char *buf
, int len
)
4859 /* Index in buf of the start of the current line */
4861 /* Index in buf of the current character being processed */
4863 /* Are we currently in a line */
4866 /* Loop over string */
4868 /* Loop until end of line or end of string */
4869 for (; cur
< len
; cur
++) {
4871 if ('\r' == buf
[cur
] || '\n' == buf
[cur
]) {
4874 /* Point cur to the next line */
4876 /* Line starts at start and ends with a nul */
4879 if (!TOR_ISPRINT(buf
[cur
]))
4883 if ('\r' == buf
[cur
] || '\n' == buf
[cur
]) {
4884 /* Skip leading vertical space */
4889 if (!TOR_ISPRINT(buf
[cur
]))
4894 /* We are at the end of the line or end of string. If in_line is true there
4895 * is a line which starts at buf+start and ends at a NUL. cur points to
4896 * the character after the NUL. */
4898 smartlist_add(sl
, (void *)(buf
+start
));
4901 return smartlist_len(sl
);
4904 /** Return a string corresponding to <b>stream_status</b>. */
4906 stream_status_to_string(enum stream_status stream_status
)
4908 switch (stream_status
) {
4909 case IO_STREAM_OKAY
:
4911 case IO_STREAM_EAGAIN
:
4912 return "temporarily unavailable";
4913 case IO_STREAM_TERM
:
4914 return "terminated";
4915 case IO_STREAM_CLOSED
:
4918 tor_fragile_assert();
4925 log_portfw_spawn_error_message(const char *buf
,
4926 const char *executable
, int *child_status
)
4928 /* Parse error message */
4929 int retval
, child_state
, saved_errno
;
4930 retval
= tor_sscanf(buf
, SPAWN_ERROR_MESSAGE
"%x/%x",
4931 &child_state
, &saved_errno
);
4933 log_warn(LD_GENERAL
,
4934 "Failed to start child process \"%s\" in state %d: %s",
4935 executable
, child_state
, strerror(saved_errno
));
4939 /* Failed to parse message from child process, log it as a
4941 log_warn(LD_GENERAL
,
4942 "Unexpected message from port forwarding helper \"%s\": %s",
4949 /** Return a smartlist containing lines outputted from
4950 * <b>handle</b>. Return NULL on error, and set
4951 * <b>stream_status_out</b> appropriately. */
4952 MOCK_IMPL(smartlist_t
*,
4953 tor_get_lines_from_handle
, (HANDLE
*handle
,
4954 enum stream_status
*stream_status_out
))
4957 char stdout_buf
[600] = {0};
4958 smartlist_t
*lines
= NULL
;
4960 tor_assert(stream_status_out
);
4962 *stream_status_out
= IO_STREAM_TERM
;
4964 pos
= tor_read_all_handle(handle
, stdout_buf
, sizeof(stdout_buf
) - 1, NULL
);
4966 *stream_status_out
= IO_STREAM_TERM
;
4970 *stream_status_out
= IO_STREAM_EAGAIN
;
4974 /* End with a null even if there isn't a \r\n at the end */
4975 /* TODO: What if this is a partial line? */
4976 stdout_buf
[pos
] = '\0';
4978 /* Split up the buffer */
4979 lines
= smartlist_new();
4980 tor_split_lines(lines
, stdout_buf
, pos
);
4982 /* Currently 'lines' is populated with strings residing on the
4983 stack. Replace them with their exact copies on the heap: */
4984 SMARTLIST_FOREACH(lines
, char *, line
,
4985 SMARTLIST_REPLACE_CURRENT(lines
, line
, tor_strdup(line
)));
4987 *stream_status_out
= IO_STREAM_OKAY
;
4992 /** Read from stream, and send lines to log at the specified log level.
4993 * Returns -1 if there is a error reading, and 0 otherwise.
4994 * If the generated stream is flushed more often than on new lines, or
4995 * a read exceeds 256 bytes, lines will be truncated. This should be fixed,
4996 * along with the corresponding problem on *nix (see bug #2045).
4999 log_from_handle(HANDLE
*pipe
, int severity
)
5005 pos
= tor_read_all_handle(pipe
, buf
, sizeof(buf
) - 1, NULL
);
5008 log_warn(LD_GENERAL
, "Failed to read data from subprocess");
5013 /* There's nothing to read (process is busy or has exited) */
5014 log_debug(LD_GENERAL
, "Subprocess had nothing to say");
5018 /* End with a null even if there isn't a \r\n at the end */
5019 /* TODO: What if this is a partial line? */
5021 log_debug(LD_GENERAL
, "Subprocess had %d bytes to say", pos
);
5023 /* Split up the buffer */
5024 lines
= smartlist_new();
5025 tor_split_lines(lines
, buf
, pos
);
5028 SMARTLIST_FOREACH(lines
, char *, line
,
5030 log_fn(severity
, LD_GENERAL
, "Port forwarding helper says: %s", line
);
5032 smartlist_free(lines
);
5039 /** Return a smartlist containing lines outputted from
5040 * <b>handle</b>. Return NULL on error, and set
5041 * <b>stream_status_out</b> appropriately. */
5042 MOCK_IMPL(smartlist_t
*,
5043 tor_get_lines_from_handle
, (FILE *handle
,
5044 enum stream_status
*stream_status_out
))
5046 enum stream_status stream_status
;
5047 char stdout_buf
[400];
5048 smartlist_t
*lines
= NULL
;
5051 memset(stdout_buf
, 0, sizeof(stdout_buf
));
5053 stream_status
= get_string_from_pipe(handle
,
5054 stdout_buf
, sizeof(stdout_buf
) - 1);
5055 if (stream_status
!= IO_STREAM_OKAY
)
5058 if (!lines
) lines
= smartlist_new();
5059 smartlist_add(lines
, tor_strdup(stdout_buf
));
5063 *stream_status_out
= stream_status
;
5067 /** Read from stream, and send lines to log at the specified log level.
5068 * Returns 1 if stream is closed normally, -1 if there is a error reading, and
5069 * 0 otherwise. Handles lines from tor-fw-helper and
5070 * tor_spawn_background() specially.
5073 log_from_pipe(FILE *stream
, int severity
, const char *executable
,
5077 enum stream_status r
;
5080 r
= get_string_from_pipe(stream
, buf
, sizeof(buf
) - 1);
5082 if (r
== IO_STREAM_CLOSED
) {
5084 } else if (r
== IO_STREAM_EAGAIN
) {
5086 } else if (r
== IO_STREAM_TERM
) {
5090 tor_assert(r
== IO_STREAM_OKAY
);
5092 /* Check if buf starts with SPAWN_ERROR_MESSAGE */
5093 if (strcmpstart(buf
, SPAWN_ERROR_MESSAGE
) == 0) {
5094 log_portfw_spawn_error_message(buf
, executable
, child_status
);
5096 log_fn(severity
, LD_GENERAL
, "Port forwarding helper says: %s", buf
);
5100 /* We should never get here */
5105 /** Reads from <b>stream</b> and stores input in <b>buf_out</b> making
5106 * sure it's below <b>count</b> bytes.
5107 * If the string has a trailing newline, we strip it off.
5109 * This function is specifically created to handle input from managed
5110 * proxies, according to the pluggable transports spec. Make sure it
5111 * fits your needs before using it.
5114 * IO_STREAM_CLOSED: If the stream is closed.
5115 * IO_STREAM_EAGAIN: If there is nothing to read and we should check back
5117 * IO_STREAM_TERM: If something is wrong with the stream.
5118 * IO_STREAM_OKAY: If everything went okay and we got a string
5119 * in <b>buf_out</b>. */
5121 get_string_from_pipe(FILE *stream
, char *buf_out
, size_t count
)
5126 tor_assert(count
<= INT_MAX
);
5128 retval
= fgets(buf_out
, (int)count
, stream
);
5132 /* Program has closed stream (probably it exited) */
5133 /* TODO: check error */
5134 return IO_STREAM_CLOSED
;
5136 if (EAGAIN
== errno
) {
5137 /* Nothing more to read, try again next time */
5138 return IO_STREAM_EAGAIN
;
5140 /* There was a problem, abandon this child process */
5141 return IO_STREAM_TERM
;
5145 len
= strlen(buf_out
);
5147 /* this probably means we got a NUL at the start of the string. */
5148 return IO_STREAM_EAGAIN
;
5151 if (buf_out
[len
- 1] == '\n') {
5152 /* Remove the trailing newline */
5153 buf_out
[len
- 1] = '\0';
5155 /* No newline; check whether we overflowed the buffer */
5157 log_info(LD_GENERAL
,
5158 "Line from stream was truncated: %s", buf_out
);
5159 /* TODO: What to do with this error? */
5162 return IO_STREAM_OKAY
;
5165 /* We should never get here */
5166 return IO_STREAM_TERM
;
5169 /** Parse a <b>line</b> from tor-fw-helper and issue an appropriate
5170 * log message to our user. */
5172 handle_fw_helper_line(const char *executable
, const char *line
)
5174 smartlist_t
*tokens
= smartlist_new();
5175 char *message
= NULL
;
5176 char *message_for_log
= NULL
;
5177 const char *external_port
= NULL
;
5178 const char *internal_port
= NULL
;
5179 const char *result
= NULL
;
5183 if (strcmpstart(line
, SPAWN_ERROR_MESSAGE
) == 0) {
5184 /* We need to check for SPAWN_ERROR_MESSAGE again here, since it's
5185 * possible that it got sent after we tried to read it in log_from_pipe.
5187 * XXX Ideally, we should be using one of stdout/stderr for the real
5188 * output, and one for the output of the startup code. We used to do that
5189 * before cd05f35d2c.
5192 log_portfw_spawn_error_message(line
, executable
, &child_status
);
5196 smartlist_split_string(tokens
, line
, NULL
,
5197 SPLIT_SKIP_SPACE
|SPLIT_IGNORE_BLANK
, -1);
5199 if (smartlist_len(tokens
) < 5)
5202 if (strcmp(smartlist_get(tokens
, 0), "tor-fw-helper") ||
5203 strcmp(smartlist_get(tokens
, 1), "tcp-forward"))
5206 external_port
= smartlist_get(tokens
, 2);
5207 internal_port
= smartlist_get(tokens
, 3);
5208 result
= smartlist_get(tokens
, 4);
5210 if (smartlist_len(tokens
) > 5) {
5211 /* If there are more than 5 tokens, they are part of [<message>].
5212 Let's use a second smartlist to form the whole message;
5213 strncat loops suck. */
5215 int message_words_n
= smartlist_len(tokens
) - 5;
5216 smartlist_t
*message_sl
= smartlist_new();
5217 for (i
= 0; i
< message_words_n
; i
++)
5218 smartlist_add(message_sl
, smartlist_get(tokens
, 5+i
));
5220 tor_assert(smartlist_len(message_sl
) > 0);
5221 message
= smartlist_join_strings(message_sl
, " ", 0, NULL
);
5223 /* wrap the message in log-friendly wrapping */
5224 tor_asprintf(&message_for_log
, " ('%s')", message
);
5226 smartlist_free(message_sl
);
5229 port
= atoi(external_port
);
5230 if (port
< 1 || port
> 65535)
5233 port
= atoi(internal_port
);
5234 if (port
< 1 || port
> 65535)
5237 if (!strcmp(result
, "SUCCESS"))
5239 else if (!strcmp(result
, "FAIL"))
5245 log_warn(LD_GENERAL
, "Tor was unable to forward TCP port '%s' to '%s'%s. "
5246 "Please make sure that your router supports port "
5247 "forwarding protocols (like NAT-PMP). Note that if '%s' is "
5248 "your ORPort, your relay will be unable to receive inbound "
5249 "traffic.", external_port
, internal_port
,
5250 message_for_log
? message_for_log
: "",
5253 log_info(LD_GENERAL
,
5254 "Tor successfully forwarded TCP port '%s' to '%s'%s.",
5255 external_port
, internal_port
,
5256 message_for_log
? message_for_log
: "");
5262 log_warn(LD_GENERAL
, "tor-fw-helper sent us a string we could not "
5263 "parse (%s).", line
);
5266 SMARTLIST_FOREACH(tokens
, char *, cp
, tor_free(cp
));
5267 smartlist_free(tokens
);
5269 tor_free(message_for_log
);
5272 /** Read what tor-fw-helper has to say in its stdout and handle it
5275 handle_fw_helper_output(const char *executable
,
5276 process_handle_t
*process_handle
)
5278 smartlist_t
*fw_helper_output
= NULL
;
5279 enum stream_status stream_status
= 0;
5282 tor_get_lines_from_handle(tor_process_get_stdout_pipe(process_handle
),
5284 if (!fw_helper_output
) { /* didn't get any output from tor-fw-helper */
5285 /* if EAGAIN we should retry in the future */
5286 return (stream_status
== IO_STREAM_EAGAIN
) ? 0 : -1;
5289 /* Handle the lines we got: */
5290 SMARTLIST_FOREACH_BEGIN(fw_helper_output
, char *, line
) {
5291 handle_fw_helper_line(executable
, line
);
5293 } SMARTLIST_FOREACH_END(line
);
5295 smartlist_free(fw_helper_output
);
5300 /** Spawn tor-fw-helper and ask it to forward the ports in
5301 * <b>ports_to_forward</b>. <b>ports_to_forward</b> contains strings
5302 * of the form "<external port>:<internal port>", which is the format
5303 * that tor-fw-helper expects. */
5305 tor_check_port_forwarding(const char *filename
,
5306 smartlist_t
*ports_to_forward
,
5309 /* When fw-helper succeeds, how long do we wait until running it again */
5310 #define TIME_TO_EXEC_FWHELPER_SUCCESS 300
5311 /* When fw-helper failed to start, how long do we wait until running it again
5313 #define TIME_TO_EXEC_FWHELPER_FAIL 60
5315 /* Static variables are initialized to zero, so child_handle.status=0
5316 * which corresponds to it not running on startup */
5317 static process_handle_t
*child_handle
=NULL
;
5319 static time_t time_to_run_helper
= 0;
5320 int stderr_status
, retval
;
5321 int stdout_status
= 0;
5323 tor_assert(filename
);
5325 /* Start the child, if it is not already running */
5326 if ((!child_handle
|| child_handle
->status
!= PROCESS_STATUS_RUNNING
) &&
5327 time_to_run_helper
< now
) {
5328 /*tor-fw-helper cli looks like this: tor_fw_helper -p :5555 -p 4555:1111 */
5329 const char **argv
; /* cli arguments */
5331 int argv_index
= 0; /* index inside 'argv' */
5333 tor_assert(smartlist_len(ports_to_forward
) > 0);
5335 /* check for overflow during 'argv' allocation:
5336 (len(ports_to_forward)*2 + 2)*sizeof(char*) > SIZE_MAX ==
5337 len(ports_to_forward) > (((SIZE_MAX/sizeof(char*)) - 2)/2) */
5338 if ((size_t) smartlist_len(ports_to_forward
) >
5339 (((SIZE_MAX
/sizeof(char*)) - 2)/2)) {
5340 log_warn(LD_GENERAL
,
5341 "Overflow during argv allocation. This shouldn't happen.");
5344 /* check for overflow during 'argv_index' increase:
5345 ((len(ports_to_forward)*2 + 2) > INT_MAX) ==
5346 len(ports_to_forward) > (INT_MAX - 2)/2 */
5347 if (smartlist_len(ports_to_forward
) > (INT_MAX
- 2)/2) {
5348 log_warn(LD_GENERAL
,
5349 "Overflow during argv_index increase. This shouldn't happen.");
5353 /* Calculate number of cli arguments: one for the filename, two
5354 for each smartlist element (one for "-p" and one for the
5355 ports), and one for the final NULL. */
5356 args_n
= 1 + 2*smartlist_len(ports_to_forward
) + 1;
5357 argv
= tor_calloc(args_n
, sizeof(char *));
5359 argv
[argv_index
++] = filename
;
5360 SMARTLIST_FOREACH_BEGIN(ports_to_forward
, const char *, port
) {
5361 argv
[argv_index
++] = "-p";
5362 argv
[argv_index
++] = port
;
5363 } SMARTLIST_FOREACH_END(port
);
5364 argv
[argv_index
] = NULL
;
5366 /* Assume tor-fw-helper will succeed, start it later*/
5367 time_to_run_helper
= now
+ TIME_TO_EXEC_FWHELPER_SUCCESS
;
5370 tor_process_handle_destroy(child_handle
, 1);
5371 child_handle
= NULL
;
5375 /* Passing NULL as lpApplicationName makes Windows search for the .exe */
5376 status
= tor_spawn_background(NULL
, argv
, NULL
, &child_handle
);
5378 status
= tor_spawn_background(filename
, argv
, NULL
, &child_handle
);
5381 tor_free_((void*)argv
);
5384 if (PROCESS_STATUS_ERROR
== status
) {
5385 log_warn(LD_GENERAL
, "Failed to start port forwarding helper %s",
5387 time_to_run_helper
= now
+ TIME_TO_EXEC_FWHELPER_FAIL
;
5391 log_info(LD_GENERAL
,
5392 "Started port forwarding helper (%s) with pid '%d'",
5393 filename
, tor_process_get_pid(child_handle
));
5396 /* If child is running, read from its stdout and stderr) */
5397 if (child_handle
&& PROCESS_STATUS_RUNNING
== child_handle
->status
) {
5398 /* Read from stdout/stderr and log result */
5401 stderr_status
= log_from_handle(child_handle
->stderr_pipe
, LOG_INFO
);
5403 stderr_status
= log_from_pipe(child_handle
->stderr_handle
,
5404 LOG_INFO
, filename
, &retval
);
5406 if (handle_fw_helper_output(filename
, child_handle
) < 0) {
5407 log_warn(LD_GENERAL
, "Failed to handle fw helper output.");
5413 /* There was a problem in the child process */
5414 time_to_run_helper
= now
+ TIME_TO_EXEC_FWHELPER_FAIL
;
5417 /* Combine the two statuses in order of severity */
5418 if (-1 == stdout_status
|| -1 == stderr_status
)
5419 /* There was a failure */
5422 else if (!child_handle
|| tor_get_exit_code(child_handle
, 0, NULL
) !=
5423 PROCESS_EXIT_RUNNING
) {
5424 /* process has exited or there was an error */
5425 /* TODO: Do something with the process return value */
5426 /* TODO: What if the process output something since
5427 * between log_from_handle and tor_get_exit_code? */
5431 else if (1 == stdout_status
|| 1 == stderr_status
)
5432 /* stdout or stderr was closed, the process probably
5433 * exited. It will be reaped by waitpid() in main.c */
5434 /* TODO: Do something with the process return value */
5441 /* If either pipe indicates a failure, act on it */
5444 log_info(LD_GENERAL
, "Port forwarding helper terminated");
5445 child_handle
->status
= PROCESS_STATUS_NOTRUNNING
;
5447 log_warn(LD_GENERAL
, "Failed to read from port forwarding helper");
5448 child_handle
->status
= PROCESS_STATUS_ERROR
;
5451 /* TODO: The child might not actually be finished (maybe it failed or
5452 closed stdout/stderr), so maybe we shouldn't start another? */
5457 /** Initialize the insecure RNG <b>rng</b> from a seed value <b>seed</b>. */
5459 tor_init_weak_random(tor_weak_rng_t
*rng
, unsigned seed
)
5461 rng
->state
= (uint32_t)(seed
& 0x7fffffff);
5464 /** Return a randomly chosen value in the range 0..TOR_WEAK_RANDOM_MAX based
5465 * on the RNG state of <b>rng</b>. This entropy will not be cryptographically
5466 * strong; do not rely on it for anything an adversary should not be able to
5469 tor_weak_random(tor_weak_rng_t
*rng
)
5471 /* Here's a linear congruential generator. OpenBSD and glibc use these
5472 * parameters; they aren't too bad, and should have maximal period over the
5473 * range 0..INT32_MAX. We don't want to use the platform rand() or random(),
5474 * since some platforms have bad weak RNGs that only return values in the
5475 * range 0..INT16_MAX, which just isn't enough. */
5476 rng
->state
= (rng
->state
* 1103515245 + 12345) & 0x7fffffff;
5477 return (int32_t) rng
->state
;
5480 /** Return a random number in the range [0 , <b>top</b>). {That is, the range
5481 * of integers i such that 0 <= i < top.} Chooses uniformly. Requires that
5482 * top is greater than 0. This randomness is not cryptographically strong; do
5483 * not rely on it for anything an adversary should not be able to predict. */
5485 tor_weak_random_range(tor_weak_rng_t
*rng
, int32_t top
)
5487 /* We don't want to just do tor_weak_random() % top, since random() is often
5488 * implemented with an LCG whose modulus is a power of 2, and those are
5489 * cyclic in their low-order bits. */
5490 int divisor
, result
;
5491 tor_assert(top
> 0);
5492 divisor
= TOR_WEAK_RANDOM_MAX
/ top
;
5494 result
= (int32_t)(tor_weak_random(rng
) / divisor
);
5495 } while (result
>= top
);
5499 /** Cast a given double value to a int64_t. Return 0 if number is NaN.
5500 * Returns either INT64_MIN or INT64_MAX if number is outside of the int64_t
5502 int64_t cast_double_to_int64(double number
)
5506 /* NaN is a special case that can't be used with the logic below. */
5507 if (isnan(number
)) {
5511 /* Time to validate if result can overflows a int64_t value. Fun with
5512 * float! Find that exponent exp such that
5513 * number == x * 2^exp
5514 * for some x with abs(x) in [0.5, 1.0). Note that this implies that the
5515 * magnitude of number is strictly less than 2^exp.
5517 * If number is infinite, the call to frexp is legal but the contents of
5518 * exp are unspecified. */
5519 frexp(number
, &exp
);
5521 /* If the magnitude of number is strictly less than 2^63, the truncated
5522 * version of number is guaranteed to be representable. The only
5523 * representable integer for which this is not the case is INT64_MIN, but
5524 * it is covered by the logic below. */
5525 if (isfinite(number
) && exp
<= 63) {
5529 /* Handle infinities and finite numbers with magnitude >= 2^63. */
5530 return signbit(number
) ? INT64_MIN
: INT64_MAX
;