1 /* Copyright (c) 2003, Roger Dingledine
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2015, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
8 * \brief Common functions for strings, IO, network, data structures,
12 /* This is required on rh7 to make strptime not complain.
25 #include "container.h"
28 #include "backtrace.h"
29 #include "util_process.h"
43 /* math.h needs this on Linux */
45 #define _USE_ISOC99_ 1
54 #ifdef HAVE_NETINET_IN_H
55 #include <netinet/in.h>
57 #ifdef HAVE_ARPA_INET_H
58 #include <arpa/inet.h>
63 #ifdef HAVE_SYS_SOCKET_H
64 #include <sys/socket.h>
66 #ifdef HAVE_SYS_TIME_H
72 #ifdef HAVE_SYS_STAT_H
75 #ifdef HAVE_SYS_FCNTL_H
76 #include <sys/fcntl.h>
81 #ifdef HAVE_MALLOC_MALLOC_H
82 #include <malloc/malloc.h>
85 #if !defined(OPENBSD) && !defined(__FreeBSD__)
86 /* OpenBSD has a malloc.h, but for our purposes, it only exists in order to
87 * scold us for being so stupid as to autodetect its presence. To be fair,
88 * they've done this since 1996, when autoconf was only 5 years old. */
92 #ifdef HAVE_MALLOC_NP_H
93 #include <malloc_np.h>
95 #ifdef HAVE_SYS_WAIT_H
98 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
99 #include <sys/prctl.h>
102 #ifdef __clang_analyzer__
103 #undef MALLOC_ZERO_WORKS
109 /** Helper for tor_assert: report the assertion failure. */
111 tor_assertion_failed_(const char *fname
, unsigned int line
,
112 const char *func
, const char *expr
)
115 log_err(LD_BUG
, "%s:%u: %s: Assertion %s failed; aborting.",
116 fname
, line
, func
, expr
);
117 tor_snprintf(buf
, sizeof(buf
),
118 "Assertion %s failed in %s at %s:%u",
119 expr
, func
, fname
, line
);
120 log_backtrace(LOG_ERR
, LD_BUG
, buf
);
129 /* Macro to pass the extra dmalloc args to another function. */
130 #define DMALLOC_FN_ARGS , file, line
132 #if defined(HAVE_DMALLOC_STRDUP)
133 /* the dmalloc_strdup should be fine as defined */
134 #elif defined(HAVE_DMALLOC_STRNDUP)
135 #define dmalloc_strdup(file, line, string, xalloc_b) \
136 dmalloc_strndup(file, line, (string), -1, xalloc_b)
138 #error "No dmalloc_strdup or equivalent"
141 #else /* not using dmalloc */
143 #define DMALLOC_FN_ARGS
146 /** Allocate a chunk of <b>size</b> bytes of memory, and return a pointer to
147 * result. On error, log and terminate the process. (Same as malloc(size),
148 * but never returns NULL.)
150 * <b>file</b> and <b>line</b> are used if dmalloc is enabled, and
154 tor_malloc_(size_t size DMALLOC_PARAMS
)
158 tor_assert(size
< SIZE_T_CEILING
);
160 #ifndef MALLOC_ZERO_WORKS
161 /* Some libc mallocs don't work when size==0. Override them. */
168 result
= dmalloc_malloc(file
, line
, size
, DMALLOC_FUNC_MALLOC
, 0, 0);
170 result
= malloc(size
);
173 if (PREDICT_UNLIKELY(result
== NULL
)) {
174 log_err(LD_MM
,"Out of memory on malloc(). Dying.");
175 /* If these functions die within a worker process, they won't call
176 * spawn_exit, but that's ok, since the parent will run out of memory soon
183 /** Allocate a chunk of <b>size</b> bytes of memory, fill the memory with
184 * zero bytes, and return a pointer to the result. Log and terminate
185 * the process on error. (Same as calloc(size,1), but never returns NULL.)
188 tor_malloc_zero_(size_t size DMALLOC_PARAMS
)
190 /* You may ask yourself, "wouldn't it be smart to use calloc instead of
191 * malloc+memset? Perhaps libc's calloc knows some nifty optimization trick
192 * we don't!" Indeed it does, but its optimizations are only a big win when
193 * we're allocating something very big (it knows if it just got the memory
194 * from the OS in a pre-zeroed state). We don't want to use tor_malloc_zero
195 * for big stuff, so we don't bother with calloc. */
196 void *result
= tor_malloc_(size DMALLOC_FN_ARGS
);
197 memset(result
, 0, size
);
201 /* The square root of SIZE_MAX + 1. If a is less than this, and b is less
202 * than this, then a*b is less than SIZE_MAX. (For example, if size_t is
203 * 32 bits, then SIZE_MAX is 0xffffffff and this value is 0x10000. If a and
204 * b are less than this, then their product is at most (65535*65535) ==
206 #define SQRT_SIZE_MAX_P1 (((size_t)1) << (sizeof(size_t)*4))
208 /** Return non-zero if and only if the product of the arguments is exact. */
210 size_mul_check(const size_t x
, const size_t y
)
212 /* This first check is equivalent to
213 (x < SQRT_SIZE_MAX_P1 && y < SQRT_SIZE_MAX_P1)
215 Rationale: if either one of x or y is >= SQRT_SIZE_MAX_P1, then it
216 will have some bit set in its most significant half.
218 return ((x
|y
) < SQRT_SIZE_MAX_P1
||
223 /** Allocate a chunk of <b>nmemb</b>*<b>size</b> bytes of memory, fill
224 * the memory with zero bytes, and return a pointer to the result.
225 * Log and terminate the process on error. (Same as
226 * calloc(<b>nmemb</b>,<b>size</b>), but never returns NULL.)
227 * The second argument (<b>size</b>) should preferably be non-zero
228 * and a compile-time constant.
231 tor_calloc_(size_t nmemb
, size_t size DMALLOC_PARAMS
)
233 tor_assert(size_mul_check(nmemb
, size
));
234 return tor_malloc_zero_((nmemb
* size
) DMALLOC_FN_ARGS
);
237 /** Change the size of the memory block pointed to by <b>ptr</b> to <b>size</b>
238 * bytes long; return the new memory block. On error, log and
239 * terminate. (Like realloc(ptr,size), but never returns NULL.)
242 tor_realloc_(void *ptr
, size_t size DMALLOC_PARAMS
)
246 tor_assert(size
< SIZE_T_CEILING
);
248 #ifndef MALLOC_ZERO_WORKS
249 /* Some libc mallocs don't work when size==0. Override them. */
256 result
= dmalloc_realloc(file
, line
, ptr
, size
, DMALLOC_FUNC_REALLOC
, 0);
258 result
= realloc(ptr
, size
);
261 if (PREDICT_UNLIKELY(result
== NULL
)) {
262 log_err(LD_MM
,"Out of memory on realloc(). Dying.");
269 * Try to realloc <b>ptr</b> so that it takes up sz1 * sz2 bytes. Check for
270 * overflow. Unlike other allocation functions, return NULL on overflow.
273 tor_reallocarray_(void *ptr
, size_t sz1
, size_t sz2 DMALLOC_PARAMS
)
275 /* XXXX we can make this return 0, but we would need to check all the
276 * reallocarray users. */
277 tor_assert(size_mul_check(sz1
, sz2
));
279 return tor_realloc(ptr
, (sz1
* sz2
) DMALLOC_FN_ARGS
);
282 /** Return a newly allocated copy of the NUL-terminated string s. On
283 * error, log and terminate. (Like strdup(s), but never returns
287 tor_strdup_(const char *s DMALLOC_PARAMS
)
293 dup
= dmalloc_strdup(file
, line
, s
, 0);
297 if (PREDICT_UNLIKELY(dup
== NULL
)) {
298 log_err(LD_MM
,"Out of memory on strdup(). Dying.");
304 /** Allocate and return a new string containing the first <b>n</b>
305 * characters of <b>s</b>. If <b>s</b> is longer than <b>n</b>
306 * characters, only the first <b>n</b> are copied. The result is
307 * always NUL-terminated. (Like strndup(s,n), but never returns
311 tor_strndup_(const char *s
, size_t n DMALLOC_PARAMS
)
315 tor_assert(n
< SIZE_T_CEILING
);
316 dup
= tor_malloc_((n
+1) DMALLOC_FN_ARGS
);
317 /* Performance note: Ordinarily we prefer strlcpy to strncpy. But
318 * this function gets called a whole lot, and platform strncpy is
319 * much faster than strlcpy when strlen(s) is much longer than n.
326 /** Allocate a chunk of <b>len</b> bytes, with the same contents as the
327 * <b>len</b> bytes starting at <b>mem</b>. */
329 tor_memdup_(const void *mem
, size_t len DMALLOC_PARAMS
)
332 tor_assert(len
< SIZE_T_CEILING
);
334 dup
= tor_malloc_(len DMALLOC_FN_ARGS
);
335 memcpy(dup
, mem
, len
);
339 /** As tor_memdup(), but add an extra 0 byte at the end of the resulting
342 tor_memdup_nulterm_(const void *mem
, size_t len DMALLOC_PARAMS
)
345 tor_assert(len
< SIZE_T_CEILING
+1);
347 dup
= tor_malloc_(len
+1 DMALLOC_FN_ARGS
);
348 memcpy(dup
, mem
, len
);
353 /** Helper for places that need to take a function pointer to the right
354 * spelling of "free()". */
361 /** Call the platform malloc info function, and dump the results to the log at
362 * level <b>severity</b>. If no such function exists, do nothing. */
364 tor_log_mallinfo(int severity
)
368 memset(&mi
, 0, sizeof(mi
));
370 tor_log(severity
, LD_MM
,
371 "mallinfo() said: arena=%d, ordblks=%d, smblks=%d, hblks=%d, "
372 "hblkhd=%d, usmblks=%d, fsmblks=%d, uordblks=%d, fordblks=%d, "
374 mi
.arena
, mi
.ordblks
, mi
.smblks
, mi
.hblks
,
375 mi
.hblkhd
, mi
.usmblks
, mi
.fsmblks
, mi
.uordblks
, mi
.fordblks
,
381 dmalloc_log_changed(0, /* Since the program started. */
382 1, /* Log info about non-freed pointers. */
383 0, /* Do not log info about freed pointers. */
384 0 /* Do not log individual pointers. */
394 * Returns the natural logarithm of d base e. We defined this wrapper here so
395 * to avoid conflicts with old versions of tor_log(), which were named log().
398 tor_mathlog(double d
)
403 /** Return the long integer closest to <b>d</b>. We define this wrapper
404 * here so that not all users of math.h need to use the right incantations
405 * to get the c99 functions. */
409 #if defined(HAVE_LROUND)
411 #elif defined(HAVE_RINT)
412 return (long)rint(d
);
414 return (long)(d
> 0 ? d
+ 0.5 : ceil(d
- 0.5));
418 /** Return the 64-bit integer closest to d. We define this wrapper here so
419 * that not all users of math.h need to use the right incantations to get the
422 tor_llround(double d
)
424 #if defined(HAVE_LLROUND)
425 return (int64_t)llround(d
);
426 #elif defined(HAVE_RINT)
427 return (int64_t)rint(d
);
429 return (int64_t)(d
> 0 ? d
+ 0.5 : ceil(d
- 0.5));
433 /** Returns floor(log2(u64)). If u64 is 0, (incorrectly) returns 0. */
435 tor_log2(uint64_t u64
)
438 if (u64
>= (U64_LITERAL(1)<<32)) {
442 if (u64
>= (U64_LITERAL(1)<<16)) {
446 if (u64
>= (U64_LITERAL(1)<<8)) {
450 if (u64
>= (U64_LITERAL(1)<<4)) {
454 if (u64
>= (U64_LITERAL(1)<<2)) {
458 if (u64
>= (U64_LITERAL(1)<<1)) {
465 /** Return the power of 2 in range [1,UINT64_MAX] closest to <b>u64</b>. If
466 * there are two powers of 2 equally close, round down. */
468 round_to_power_of_2(uint64_t u64
)
477 low
= U64_LITERAL(1) << lg2
;
482 high
= U64_LITERAL(1) << (lg2
+1);
483 if (high
- u64
< u64
- low
)
489 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
490 * <b>divisor</b> == 0. */
492 round_to_next_multiple_of(unsigned number
, unsigned divisor
)
494 number
+= divisor
- 1;
495 number
-= number
% divisor
;
499 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
500 * <b>divisor</b> == 0. */
502 round_uint32_to_next_multiple_of(uint32_t number
, uint32_t divisor
)
504 number
+= divisor
- 1;
505 number
-= number
% divisor
;
509 /** Return the lowest x such that x is at least <b>number</b>, and x modulo
510 * <b>divisor</b> == 0. */
512 round_uint64_to_next_multiple_of(uint64_t number
, uint64_t divisor
)
514 number
+= divisor
- 1;
515 number
-= number
% divisor
;
519 /** Return the lowest x in [INT64_MIN, INT64_MAX] such that x is at least
520 * <b>number</b>, and x modulo <b>divisor</b> == 0. */
522 round_int64_to_next_multiple_of(int64_t number
, int64_t divisor
)
524 tor_assert(divisor
> 0);
525 if (number
>= 0 && INT64_MAX
- divisor
+ 1 >= number
)
526 number
+= divisor
- 1;
527 number
-= number
% divisor
;
531 /** Transform a random value <b>p</b> from the uniform distribution in
532 * [0.0, 1.0[ into a Laplace distributed value with location parameter
533 * <b>mu</b> and scale parameter <b>b</b>. Truncate the final result
534 * to be an integer in [INT64_MIN, INT64_MAX]. */
536 sample_laplace_distribution(double mu
, double b
, double p
)
540 tor_assert(p
>= 0.0 && p
< 1.0);
541 /* This is the "inverse cumulative distribution function" from:
542 * http://en.wikipedia.org/wiki/Laplace_distribution */
543 result
= mu
- b
* (p
> 0.5 ? 1.0 : -1.0)
544 * tor_mathlog(1.0 - 2.0 * fabs(p
- 0.5));
546 if (result
>= INT64_MAX
)
548 else if (result
<= INT64_MIN
)
551 return (int64_t) result
;
554 /** Add random noise between INT64_MIN and INT64_MAX coming from a
555 * Laplace distribution with mu = 0 and b = <b>delta_f</b>/<b>epsilon</b>
556 * to <b>signal</b> based on the provided <b>random</b> value in
559 add_laplace_noise(int64_t signal
, double random
, double delta_f
,
562 int64_t noise
= sample_laplace_distribution(
563 0.0, /* just add noise, no further signal */
564 delta_f
/ epsilon
, random
);
566 if (noise
> 0 && INT64_MAX
- noise
< signal
)
568 else if (noise
< 0 && INT64_MIN
- noise
> signal
)
571 return signal
+ noise
;
574 /** Return the number of bits set in <b>v</b>. */
576 n_bits_set_u8(uint8_t v
)
578 static const int nybble_table
[] = {
597 return nybble_table
[v
& 15] + nybble_table
[v
>>4];
601 * String manipulation
604 /** Remove from the string <b>s</b> every character which appears in
607 tor_strstrip(char *s
, const char *strip
)
611 if (strchr(strip
, *read
)) {
620 /** Return a pointer to a NUL-terminated hexadecimal string encoding
621 * the first <b>fromlen</b> bytes of <b>from</b>. (fromlen must be \<= 32.) The
622 * result does not need to be deallocated, but repeated calls to
623 * hex_str will trash old results.
626 hex_str(const char *from
, size_t fromlen
)
629 if (fromlen
>(sizeof(buf
)-1)/2)
630 fromlen
= (sizeof(buf
)-1)/2;
631 base16_encode(buf
,sizeof(buf
),from
,fromlen
);
635 /** Convert all alphabetic characters in the nul-terminated string <b>s</b> to
638 tor_strlower(char *s
)
641 *s
= TOR_TOLOWER(*s
);
646 /** Convert all alphabetic characters in the nul-terminated string <b>s</b> to
649 tor_strupper(char *s
)
652 *s
= TOR_TOUPPER(*s
);
657 /** Return 1 if every character in <b>s</b> is printable, else return 0.
660 tor_strisprint(const char *s
)
663 if (!TOR_ISPRINT(*s
))
670 /** Return 1 if no character in <b>s</b> is uppercase, else return 0.
673 tor_strisnonupper(const char *s
)
683 /** As strcmp, except that either string may be NULL. The NULL string is
684 * considered to be before any non-NULL string. */
686 strcmp_opt(const char *s1
, const char *s2
)
696 return strcmp(s1
, s2
);
700 /** Compares the first strlen(s2) characters of s1 with s2. Returns as for
704 strcmpstart(const char *s1
, const char *s2
)
706 size_t n
= strlen(s2
);
707 return strncmp(s1
, s2
, n
);
710 /** Compare the s1_len-byte string <b>s1</b> with <b>s2</b>,
711 * without depending on a terminating nul in s1. Sorting order is first by
712 * length, then lexically; return values are as for strcmp.
715 strcmp_len(const char *s1
, const char *s2
, size_t s1_len
)
717 size_t s2_len
= strlen(s2
);
722 return fast_memcmp(s1
, s2
, s2_len
);
725 /** Compares the first strlen(s2) characters of s1 with s2. Returns as for
729 strcasecmpstart(const char *s1
, const char *s2
)
731 size_t n
= strlen(s2
);
732 return strncasecmp(s1
, s2
, n
);
735 /** Compares the last strlen(s2) characters of s1 with s2. Returns as for
739 strcmpend(const char *s1
, const char *s2
)
741 size_t n1
= strlen(s1
), n2
= strlen(s2
);
743 return strcmp(s1
,s2
);
745 return strncmp(s1
+(n1
-n2
), s2
, n2
);
748 /** Compares the last strlen(s2) characters of s1 with s2. Returns as for
752 strcasecmpend(const char *s1
, const char *s2
)
754 size_t n1
= strlen(s1
), n2
= strlen(s2
);
755 if (n2
>n1
) /* then they can't be the same; figure out which is bigger */
756 return strcasecmp(s1
,s2
);
758 return strncasecmp(s1
+(n1
-n2
), s2
, n2
);
761 /** Compare the value of the string <b>prefix</b> with the start of the
762 * <b>memlen</b>-byte memory chunk at <b>mem</b>. Return as for strcmp.
764 * [As fast_memcmp(mem, prefix, strlen(prefix)) but returns -1 if memlen is
765 * less than strlen(prefix).]
768 fast_memcmpstart(const void *mem
, size_t memlen
,
771 size_t plen
= strlen(prefix
);
774 return fast_memcmp(mem
, prefix
, plen
);
777 /** Return a pointer to the first char of s that is not whitespace and
778 * not a comment, or to the terminating NUL if no such character exists.
781 eat_whitespace(const char *s
)
798 while (*s
&& *s
!= '\n')
804 /** Return a pointer to the first char of s that is not whitespace and
805 * not a comment, or to the terminating NUL if no such character exists.
808 eat_whitespace_eos(const char *s
, const char *eos
)
811 tor_assert(eos
&& s
<= eos
);
826 while (s
< eos
&& *s
&& *s
!= '\n')
833 /** Return a pointer to the first char of s that is not a space or a tab
834 * or a \\r, or to the terminating NUL if no such character exists. */
836 eat_whitespace_no_nl(const char *s
)
838 while (*s
== ' ' || *s
== '\t' || *s
== '\r')
843 /** As eat_whitespace_no_nl, but stop at <b>eos</b> whether we have
844 * found a non-whitespace character or not. */
846 eat_whitespace_eos_no_nl(const char *s
, const char *eos
)
848 while (s
< eos
&& (*s
== ' ' || *s
== '\t' || *s
== '\r'))
853 /** Return a pointer to the first char of s that is whitespace or <b>#</b>,
854 * or to the terminating NUL if no such character exists.
857 find_whitespace(const char *s
)
876 /** As find_whitespace, but stop at <b>eos</b> whether we have found a
877 * whitespace or not. */
879 find_whitespace_eos(const char *s
, const char *eos
)
899 /** Return the first occurrence of <b>needle</b> in <b>haystack</b> that
900 * occurs at the start of a line (that is, at the beginning of <b>haystack</b>
901 * or immediately after a newline). Return NULL if no such string is found.
904 find_str_at_start_of_line(const char *haystack
, const char *needle
)
906 size_t needle_len
= strlen(needle
);
909 if (!strncmp(haystack
, needle
, needle_len
))
912 haystack
= strchr(haystack
, '\n');
922 /** Returns true if <b>string</b> could be a C identifier.
923 A C identifier must begin with a letter or an underscore and the
924 rest of its characters can be letters, numbers or underscores. No
925 length limit is imposed. */
927 string_is_C_identifier(const char *string
)
930 size_t length
= strlen(string
);
934 for (iter
= 0; iter
< length
; iter
++) {
936 if (!(TOR_ISALPHA(string
[iter
]) ||
937 string
[iter
] == '_'))
940 if (!(TOR_ISALPHA(string
[iter
]) ||
941 TOR_ISDIGIT(string
[iter
]) ||
942 string
[iter
] == '_'))
950 /** Return true iff the 'len' bytes at 'mem' are all zero. */
952 tor_mem_is_zero(const char *mem
, size_t len
)
954 static const char ZERO
[] = {
955 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
957 while (len
>= sizeof(ZERO
)) {
958 /* It's safe to use fast_memcmp here, since the very worst thing an
959 * attacker could learn is how many initial bytes of a secret were zero */
960 if (fast_memcmp(mem
, ZERO
, sizeof(ZERO
)))
965 /* Deal with leftover bytes. */
967 return fast_memeq(mem
, ZERO
, len
);
972 /** Return true iff the DIGEST_LEN bytes in digest are all zero. */
974 tor_digest_is_zero(const char *digest
)
976 static const uint8_t ZERO_DIGEST
[] = {
977 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0
979 return tor_memeq(digest
, ZERO_DIGEST
, DIGEST_LEN
);
982 /** Return true if <b>string</b> is a valid 'key=[value]' string.
983 * "value" is optional, to indicate the empty string. Log at logging
984 * <b>severity</b> if something ugly happens. */
986 string_is_key_value(int severity
, const char *string
)
988 /* position of equal sign in string */
989 const char *equal_sign_pos
= NULL
;
993 if (strlen(string
) < 2) { /* "x=" is shortest args string */
994 tor_log(severity
, LD_GENERAL
, "'%s' is too short to be a k=v value.",
999 equal_sign_pos
= strchr(string
, '=');
1000 if (!equal_sign_pos
) {
1001 tor_log(severity
, LD_GENERAL
, "'%s' is not a k=v value.", escaped(string
));
1005 /* validate that the '=' is not in the beginning of the string. */
1006 if (equal_sign_pos
== string
) {
1007 tor_log(severity
, LD_GENERAL
, "'%s' is not a valid k=v value.",
1015 /** Return true if <b>string</b> represents a valid IPv4 adddress in
1019 string_is_valid_ipv4_address(const char *string
)
1021 struct in_addr addr
;
1023 return (tor_inet_pton(AF_INET
,string
,&addr
) == 1);
1026 /** Return true if <b>string</b> represents a valid IPv6 address in
1027 * a form that inet_pton() can parse.
1030 string_is_valid_ipv6_address(const char *string
)
1032 struct in6_addr addr
;
1034 return (tor_inet_pton(AF_INET6
,string
,&addr
) == 1);
1037 /** Return true iff <b>string</b> matches a pattern of DNS names
1038 * that we allow Tor clients to connect to.
1040 * Note: This allows certain technically invalid characters ('_') to cope
1041 * with misconfigured zones that have been encountered in the wild.
1044 string_is_valid_hostname(const char *string
)
1047 smartlist_t
*components
;
1049 components
= smartlist_new();
1051 smartlist_split_string(components
,string
,".",0,0);
1053 SMARTLIST_FOREACH_BEGIN(components
, char *, c
) {
1054 if ((c
[0] == '-') || (*c
== '_')) {
1060 if ((*c
>= 'a' && *c
<= 'z') ||
1061 (*c
>= 'A' && *c
<= 'Z') ||
1062 (*c
>= '0' && *c
<= '9') ||
1063 (*c
== '-') || (*c
== '_'))
1067 } while (result
&& *c
);
1069 } SMARTLIST_FOREACH_END(c
);
1071 SMARTLIST_FOREACH_BEGIN(components
, char *, c
) {
1073 } SMARTLIST_FOREACH_END(c
);
1075 smartlist_free(components
);
1080 /** Return true iff the DIGEST256_LEN bytes in digest are all zero. */
1082 tor_digest256_is_zero(const char *digest
)
1084 return tor_mem_is_zero(digest
, DIGEST256_LEN
);
1087 /* Helper: common code to check whether the result of a strtol or strtoul or
1088 * strtoll is correct. */
1089 #define CHECK_STRTOX_RESULT() \
1090 /* Did an overflow occur? */ \
1091 if (errno == ERANGE) \
1093 /* Was at least one character converted? */ \
1096 /* Were there unexpected unconverted characters? */ \
1097 if (!next && *endptr) \
1099 /* Is r within limits? */ \
1100 if (r < min || r > max) \
1103 if (next) *next = endptr; \
1107 if (next) *next = endptr; \
1110 /** Extract a long from the start of <b>s</b>, in the given numeric
1111 * <b>base</b>. If <b>base</b> is 0, <b>s</b> is parsed as a decimal,
1112 * octal, or hex number in the syntax of a C integer literal. If
1113 * there is unconverted data and <b>next</b> is provided, set
1114 * *<b>next</b> to the first unconverted character. An error has
1115 * occurred if no characters are converted; or if there are
1116 * unconverted characters and <b>next</b> is NULL; or if the parsed
1117 * value is not between <b>min</b> and <b>max</b>. When no error
1118 * occurs, return the parsed value and set *<b>ok</b> (if provided) to
1119 * 1. When an error occurs, return 0 and set *<b>ok</b> (if provided)
1123 tor_parse_long(const char *s
, int base
, long min
, long max
,
1124 int *ok
, char **next
)
1136 r
= strtol(s
, &endptr
, base
);
1137 CHECK_STRTOX_RESULT();
1140 /** As tor_parse_long(), but return an unsigned long. */
1142 tor_parse_ulong(const char *s
, int base
, unsigned long min
,
1143 unsigned long max
, int *ok
, char **next
)
1155 r
= strtoul(s
, &endptr
, base
);
1156 CHECK_STRTOX_RESULT();
1159 /** As tor_parse_long(), but return a double. */
1161 tor_parse_double(const char *s
, double min
, double max
, int *ok
, char **next
)
1167 r
= strtod(s
, &endptr
);
1168 CHECK_STRTOX_RESULT();
1171 /** As tor_parse_long, but return a uint64_t. Only base 10 is guaranteed to
1174 tor_parse_uint64(const char *s
, int base
, uint64_t min
,
1175 uint64_t max
, int *ok
, char **next
)
1187 #ifdef HAVE_STRTOULL
1188 r
= (uint64_t)strtoull(s
, &endptr
, base
);
1189 #elif defined(_WIN32)
1190 #if defined(_MSC_VER) && _MSC_VER < 1300
1191 tor_assert(base
<= 10);
1192 r
= (uint64_t)_atoi64(s
);
1194 while (TOR_ISSPACE(*endptr
)) endptr
++;
1195 while (TOR_ISDIGIT(*endptr
)) endptr
++;
1197 r
= (uint64_t)_strtoui64(s
, &endptr
, base
);
1199 #elif SIZEOF_LONG == 8
1200 r
= (uint64_t)strtoul(s
, &endptr
, base
);
1202 #error "I don't know how to parse 64-bit numbers."
1205 CHECK_STRTOX_RESULT();
1208 /** Encode the <b>srclen</b> bytes at <b>src</b> in a NUL-terminated,
1209 * uppercase hexadecimal string; store it in the <b>destlen</b>-byte buffer
1213 base16_encode(char *dest
, size_t destlen
, const char *src
, size_t srclen
)
1218 tor_assert(destlen
>= srclen
*2+1);
1219 tor_assert(destlen
< SIZE_T_CEILING
);
1224 *cp
++ = "0123456789ABCDEF"[ (*(const uint8_t*)src
) >> 4 ];
1225 *cp
++ = "0123456789ABCDEF"[ (*(const uint8_t*)src
) & 0xf ];
1231 /** Helper: given a hex digit, return its value, or -1 if it isn't hex. */
1233 hex_decode_digit_(char c
)
1246 case 'A': case 'a': return 10;
1247 case 'B': case 'b': return 11;
1248 case 'C': case 'c': return 12;
1249 case 'D': case 'd': return 13;
1250 case 'E': case 'e': return 14;
1251 case 'F': case 'f': return 15;
1257 /** Helper: given a hex digit, return its value, or -1 if it isn't hex. */
1259 hex_decode_digit(char c
)
1261 return hex_decode_digit_(c
);
1264 /** Given a hexadecimal string of <b>srclen</b> bytes in <b>src</b>, decode it
1265 * and store the result in the <b>destlen</b>-byte buffer at <b>dest</b>.
1266 * Return 0 on success, -1 on failure. */
1268 base16_decode(char *dest
, size_t destlen
, const char *src
, size_t srclen
)
1273 if ((srclen
% 2) != 0)
1275 if (destlen
< srclen
/2 || destlen
> SIZE_T_CEILING
)
1278 memset(dest
, 0, destlen
);
1282 v1
= hex_decode_digit_(*src
);
1283 v2
= hex_decode_digit_(*(src
+1));
1286 *(uint8_t*)dest
= (v1
<<4)|v2
;
1293 /** Allocate and return a new string representing the contents of <b>s</b>,
1294 * surrounded by quotes and using standard C escapes.
1296 * Generally, we use this for logging values that come in over the network to
1297 * keep them from tricking users, and for sending certain values to the
1300 * We trust values from the resolver, OS, configuration file, and command line
1301 * to not be maliciously ill-formed. We validate incoming routerdescs and
1302 * SOCKS requests and addresses from BEGIN cells as they're parsed;
1303 * afterwards, we trust them as non-malicious.
1306 esc_for_log(const char *s
)
1309 char *result
, *outp
;
1312 return tor_strdup("(null)");
1315 for (cp
= s
; *cp
; ++cp
) {
1326 if (TOR_ISPRINT(*cp
) && ((uint8_t)*cp
)<127)
1334 tor_assert(len
<= SSIZE_MAX
);
1336 result
= outp
= tor_malloc(len
);
1338 for (cp
= s
; *cp
; ++cp
) {
1339 /* This assertion should always succeed, since we will write at least
1340 * one char here, and two chars for closing quote and nul later */
1341 tor_assert((outp
-result
) < (ssize_t
)len
-2);
1362 if (TOR_ISPRINT(*cp
) && ((uint8_t)*cp
)<127) {
1365 tor_assert((outp
-result
) < (ssize_t
)len
-4);
1366 tor_snprintf(outp
, 5, "\\%03o", (int)(uint8_t) *cp
);
1373 tor_assert((outp
-result
) <= (ssize_t
)len
-2);
1380 /** Similar to esc_for_log. Allocate and return a new string representing
1381 * the first n characters in <b>chars</b>, surround by quotes and using
1382 * standard C escapes. If a NUL character is encountered in <b>chars</b>,
1383 * the resulting string will be terminated there.
1386 esc_for_log_len(const char *chars
, size_t n
)
1388 char *string
= tor_strndup(chars
, n
);
1389 char *string_escaped
= esc_for_log(string
);
1391 return string_escaped
;
1394 /** Allocate and return a new string representing the contents of <b>s</b>,
1395 * surrounded by quotes and using standard C escapes.
1397 * THIS FUNCTION IS NOT REENTRANT. Don't call it from outside the main
1398 * thread. Also, each call invalidates the last-returned value, so don't
1399 * try log_warn(LD_GENERAL, "%s %s", escaped(a), escaped(b));
1402 escaped(const char *s
)
1404 static char *escaped_val_
= NULL
;
1405 tor_free(escaped_val_
);
1408 escaped_val_
= esc_for_log(s
);
1410 escaped_val_
= NULL
;
1412 return escaped_val_
;
1415 /** Return a newly allocated string equal to <b>string</b>, except that every
1416 * character in <b>chars_to_escape</b> is preceded by a backslash. */
1418 tor_escape_str_for_pt_args(const char *string
, const char *chars_to_escape
)
1420 char *new_string
= NULL
;
1421 char *new_cp
= NULL
;
1422 size_t length
, new_length
;
1426 length
= strlen(string
);
1428 if (!length
) /* If we were given the empty string, return the same. */
1429 return tor_strdup("");
1430 /* (new_length > SIZE_MAX) => ((length * 2) + 1 > SIZE_MAX) =>
1431 (length*2 > SIZE_MAX - 1) => (length > (SIZE_MAX - 1)/2) */
1432 if (length
> (SIZE_MAX
- 1)/2) /* check for overflow */
1435 /* this should be enough even if all characters must be escaped */
1436 new_length
= (length
* 2) + 1;
1438 new_string
= new_cp
= tor_malloc(new_length
);
1441 if (strchr(chars_to_escape
, *string
))
1444 *new_cp
++ = *string
++;
1447 *new_cp
= '\0'; /* NUL-terminate the new string */
1456 /** Return the number of microseconds elapsed between *start and *end.
1459 tv_udiff(const struct timeval
*start
, const struct timeval
*end
)
1462 long secdiff
= end
->tv_sec
- start
->tv_sec
;
1464 if (labs(secdiff
+1) > LONG_MAX
/1000000) {
1465 log_warn(LD_GENERAL
, "comparing times on microsecond detail too far "
1466 "apart: %ld seconds", secdiff
);
1470 udiff
= secdiff
*1000000L + (end
->tv_usec
- start
->tv_usec
);
1474 /** Return the number of milliseconds elapsed between *start and *end.
1477 tv_mdiff(const struct timeval
*start
, const struct timeval
*end
)
1480 long secdiff
= end
->tv_sec
- start
->tv_sec
;
1482 if (labs(secdiff
+1) > LONG_MAX
/1000) {
1483 log_warn(LD_GENERAL
, "comparing times on millisecond detail too far "
1484 "apart: %ld seconds", secdiff
);
1488 /* Subtract and round */
1489 mdiff
= secdiff
*1000L +
1490 ((long)end
->tv_usec
- (long)start
->tv_usec
+ 500L) / 1000L;
1495 * Converts timeval to milliseconds.
1498 tv_to_msec(const struct timeval
*tv
)
1500 int64_t conv
= ((int64_t)tv
->tv_sec
)*1000L;
1501 /* Round ghetto-style */
1502 conv
+= ((int64_t)tv
->tv_usec
+500)/1000L;
1506 /** Yield true iff <b>y</b> is a leap-year. */
1507 #define IS_LEAPYEAR(y) (!(y % 4) && ((y % 100) || !(y % 400)))
1508 /** Helper: Return the number of leap-days between Jan 1, y1 and Jan 1, y2. */
1510 n_leapdays(int y1
, int y2
)
1514 return (y2
/4 - y1
/4) - (y2
/100 - y1
/100) + (y2
/400 - y1
/400);
1516 /** Number of days per month in non-leap year; used by tor_timegm and
1517 * parse_rfc1123_time. */
1518 static const int days_per_month
[] =
1519 { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
1521 /** Compute a time_t given a struct tm. The result is given in UTC, and
1522 * does not account for leap seconds. Return 0 on success, -1 on failure.
1525 tor_timegm(const struct tm
*tm
, time_t *time_out
)
1527 /* This is a pretty ironclad timegm implementation, snarfed from Python2.2.
1528 * It's way more brute-force than fiddling with tzset().
1530 time_t year
, days
, hours
, minutes
, seconds
;
1531 int i
, invalid_year
, dpm
;
1532 /* avoid int overflow on addition */
1533 if (tm
->tm_year
< INT32_MAX
-1900) {
1534 year
= tm
->tm_year
+ 1900;
1539 invalid_year
= (year
< 1970 || tm
->tm_year
>= INT32_MAX
-1900);
1541 if (tm
->tm_mon
>= 0 && tm
->tm_mon
<= 11) {
1542 dpm
= days_per_month
[tm
->tm_mon
];
1543 if (tm
->tm_mon
== 1 && !invalid_year
&& IS_LEAPYEAR(tm
->tm_year
)) {
1547 /* invalid month - default to 0 days per month */
1552 tm
->tm_mon
< 0 || tm
->tm_mon
> 11 ||
1553 tm
->tm_mday
< 1 || tm
->tm_mday
> dpm
||
1554 tm
->tm_hour
< 0 || tm
->tm_hour
> 23 ||
1555 tm
->tm_min
< 0 || tm
->tm_min
> 59 ||
1556 tm
->tm_sec
< 0 || tm
->tm_sec
> 60) {
1557 log_warn(LD_BUG
, "Out-of-range argument to tor_timegm");
1560 days
= 365 * (year
-1970) + n_leapdays(1970,(int)year
);
1561 for (i
= 0; i
< tm
->tm_mon
; ++i
)
1562 days
+= days_per_month
[i
];
1563 if (tm
->tm_mon
> 1 && IS_LEAPYEAR(year
))
1565 days
+= tm
->tm_mday
- 1;
1566 hours
= days
*24 + tm
->tm_hour
;
1568 minutes
= hours
*60 + tm
->tm_min
;
1569 seconds
= minutes
*60 + tm
->tm_sec
;
1570 *time_out
= seconds
;
1574 /* strftime is locale-specific, so we need to replace those parts */
1576 /** A c-locale array of 3-letter names of weekdays, starting with Sun. */
1577 static const char *WEEKDAY_NAMES
[] =
1578 { "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" };
1579 /** A c-locale array of 3-letter names of months, starting with Jan. */
1580 static const char *MONTH_NAMES
[] =
1581 { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
1582 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
1584 /** Set <b>buf</b> to the RFC1123 encoding of the UTC value of <b>t</b>.
1585 * The buffer must be at least RFC1123_TIME_LEN+1 bytes long.
1587 * (RFC1123 format is "Fri, 29 Sep 2006 15:54:20 GMT". Note the "GMT"
1588 * rather than "UTC".)
1591 format_rfc1123_time(char *buf
, time_t t
)
1595 tor_gmtime_r(&t
, &tm
);
1597 strftime(buf
, RFC1123_TIME_LEN
+1, "___, %d ___ %Y %H:%M:%S GMT", &tm
);
1598 tor_assert(tm
.tm_wday
>= 0);
1599 tor_assert(tm
.tm_wday
<= 6);
1600 memcpy(buf
, WEEKDAY_NAMES
[tm
.tm_wday
], 3);
1601 tor_assert(tm
.tm_mon
>= 0);
1602 tor_assert(tm
.tm_mon
<= 11);
1603 memcpy(buf
+8, MONTH_NAMES
[tm
.tm_mon
], 3);
1606 /** Parse the (a subset of) the RFC1123 encoding of some time (in UTC) from
1607 * <b>buf</b>, and store the result in *<b>t</b>.
1609 * Note that we only accept the subset generated by format_rfc1123_time above,
1610 * not the full range of formats suggested by RFC 1123.
1612 * Return 0 on success, -1 on failure.
1615 parse_rfc1123_time(const char *buf
, time_t *t
)
1620 int i
, m
, invalid_year
;
1621 unsigned tm_mday
, tm_year
, tm_hour
, tm_min
, tm_sec
;
1624 if (strlen(buf
) != RFC1123_TIME_LEN
)
1626 memset(&tm
, 0, sizeof(tm
));
1627 if (tor_sscanf(buf
, "%3s, %2u %3s %u %2u:%2u:%2u GMT", weekday
,
1628 &tm_mday
, month
, &tm_year
, &tm_hour
,
1629 &tm_min
, &tm_sec
) < 7) {
1630 char *esc
= esc_for_log(buf
);
1631 log_warn(LD_GENERAL
, "Got invalid RFC1123 time %s", esc
);
1637 for (i
= 0; i
< 12; ++i
) {
1638 if (!strcmp(month
, MONTH_NAMES
[i
])) {
1644 char *esc
= esc_for_log(buf
);
1645 log_warn(LD_GENERAL
, "Got invalid RFC1123 time %s: No such month", esc
);
1651 invalid_year
= (tm_year
>= INT32_MAX
|| tm_year
< 1970);
1652 tor_assert(m
>= 0 && m
<= 11);
1653 dpm
= days_per_month
[m
];
1654 if (m
== 1 && !invalid_year
&& IS_LEAPYEAR(tm_year
)) {
1658 if (invalid_year
|| tm_mday
< 1 || tm_mday
> dpm
||
1659 tm_hour
> 23 || tm_min
> 59 || tm_sec
> 60) {
1660 char *esc
= esc_for_log(buf
);
1661 log_warn(LD_GENERAL
, "Got invalid RFC1123 time %s", esc
);
1665 tm
.tm_mday
= (int)tm_mday
;
1666 tm
.tm_year
= (int)tm_year
;
1667 tm
.tm_hour
= (int)tm_hour
;
1668 tm
.tm_min
= (int)tm_min
;
1669 tm
.tm_sec
= (int)tm_sec
;
1671 if (tm
.tm_year
< 1970) {
1672 char *esc
= esc_for_log(buf
);
1673 log_warn(LD_GENERAL
,
1674 "Got invalid RFC1123 time %s. (Before 1970)", esc
);
1680 return tor_timegm(&tm
, t
);
1683 /** Set <b>buf</b> to the ISO8601 encoding of the local value of <b>t</b>.
1684 * The buffer must be at least ISO_TIME_LEN+1 bytes long.
1686 * (ISO8601 format is 2006-10-29 10:57:20)
1689 format_local_iso_time(char *buf
, time_t t
)
1692 strftime(buf
, ISO_TIME_LEN
+1, "%Y-%m-%d %H:%M:%S", tor_localtime_r(&t
, &tm
));
1695 /** Set <b>buf</b> to the ISO8601 encoding of the GMT value of <b>t</b>.
1696 * The buffer must be at least ISO_TIME_LEN+1 bytes long.
1699 format_iso_time(char *buf
, time_t t
)
1702 strftime(buf
, ISO_TIME_LEN
+1, "%Y-%m-%d %H:%M:%S", tor_gmtime_r(&t
, &tm
));
1705 /** As format_iso_time, but use the yyyy-mm-ddThh:mm:ss format to avoid
1706 * embedding an internal space. */
1708 format_iso_time_nospace(char *buf
, time_t t
)
1710 format_iso_time(buf
, t
);
1714 /** As format_iso_time_nospace, but include microseconds in decimal
1715 * fixed-point format. Requires that buf be at least ISO_TIME_USEC_LEN+1
1718 format_iso_time_nospace_usec(char *buf
, const struct timeval
*tv
)
1721 format_iso_time_nospace(buf
, (time_t)tv
->tv_sec
);
1722 tor_snprintf(buf
+ISO_TIME_LEN
, 8, ".%06d", (int)tv
->tv_usec
);
1725 /** Given an ISO-formatted UTC time value (after the epoch) in <b>cp</b>,
1726 * parse it and store its value in *<b>t</b>. Return 0 on success, -1 on
1727 * failure. Ignore extraneous stuff in <b>cp</b> after the end of the time
1728 * string, unless <b>strict</b> is set. */
1730 parse_iso_time_(const char *cp
, time_t *t
, int strict
)
1733 unsigned int year
=0, month
=0, day
=0, hour
=0, minute
=0, second
=0;
1736 n_fields
= tor_sscanf(cp
, "%u-%2u-%2u %2u:%2u:%2u%c", &year
, &month
,
1737 &day
, &hour
, &minute
, &second
, &extra_char
);
1738 if (strict
? (n_fields
!= 6) : (n_fields
< 6)) {
1739 char *esc
= esc_for_log(cp
);
1740 log_warn(LD_GENERAL
, "ISO time %s was unparseable", esc
);
1744 if (year
< 1970 || month
< 1 || month
> 12 || day
< 1 || day
> 31 ||
1745 hour
> 23 || minute
> 59 || second
> 60 || year
>= INT32_MAX
) {
1746 char *esc
= esc_for_log(cp
);
1747 log_warn(LD_GENERAL
, "ISO time %s was nonsensical", esc
);
1751 st_tm
.tm_year
= (int)year
-1900;
1752 st_tm
.tm_mon
= month
-1;
1753 st_tm
.tm_mday
= day
;
1754 st_tm
.tm_hour
= hour
;
1755 st_tm
.tm_min
= minute
;
1756 st_tm
.tm_sec
= second
;
1758 if (st_tm
.tm_year
< 70) {
1759 char *esc
= esc_for_log(cp
);
1760 log_warn(LD_GENERAL
, "Got invalid ISO time %s. (Before 1970)", esc
);
1764 return tor_timegm(&st_tm
, t
);
1767 /** Given an ISO-formatted UTC time value (after the epoch) in <b>cp</b>,
1768 * parse it and store its value in *<b>t</b>. Return 0 on success, -1 on
1769 * failure. Reject the string if any characters are present after the time.
1772 parse_iso_time(const char *cp
, time_t *t
)
1774 return parse_iso_time_(cp
, t
, 1);
1777 /** Given a <b>date</b> in one of the three formats allowed by HTTP (ugh),
1778 * parse it into <b>tm</b>. Return 0 on success, negative on failure. */
1780 parse_http_time(const char *date
, struct tm
*tm
)
1786 unsigned tm_mday
, tm_year
, tm_hour
, tm_min
, tm_sec
;
1789 memset(tm
, 0, sizeof(*tm
));
1791 /* First, try RFC1123 or RFC850 format: skip the weekday. */
1792 if ((cp
= strchr(date
, ','))) {
1797 if (tor_sscanf(cp
, "%2u %3s %4u %2u:%2u:%2u GMT",
1798 &tm_mday
, month
, &tm_year
,
1799 &tm_hour
, &tm_min
, &tm_sec
) == 6) {
1802 } else if (tor_sscanf(cp
, "%2u-%3s-%2u %2u:%2u:%2u GMT",
1803 &tm_mday
, month
, &tm_year
,
1804 &tm_hour
, &tm_min
, &tm_sec
) == 6) {
1810 /* No comma; possibly asctime() format. */
1811 if (tor_sscanf(date
, "%3s %3s %2u %2u:%2u:%2u %4u",
1812 wkday
, month
, &tm_mday
,
1813 &tm_hour
, &tm_min
, &tm_sec
, &tm_year
) == 7) {
1819 tm
->tm_mday
= (int)tm_mday
;
1820 tm
->tm_year
= (int)tm_year
;
1821 tm
->tm_hour
= (int)tm_hour
;
1822 tm
->tm_min
= (int)tm_min
;
1823 tm
->tm_sec
= (int)tm_sec
;
1826 /* Okay, now decode the month. */
1827 /* set tm->tm_mon to dummy value so the check below fails. */
1829 for (i
= 0; i
< 12; ++i
) {
1830 if (!strcasecmp(MONTH_NAMES
[i
], month
)) {
1835 if (tm
->tm_year
< 0 ||
1836 tm
->tm_mon
< 0 || tm
->tm_mon
> 11 ||
1837 tm
->tm_mday
< 1 || tm
->tm_mday
> 31 ||
1838 tm
->tm_hour
< 0 || tm
->tm_hour
> 23 ||
1839 tm
->tm_min
< 0 || tm
->tm_min
> 59 ||
1840 tm
->tm_sec
< 0 || tm
->tm_sec
> 60)
1841 return -1; /* Out of range, or bad month. */
1846 /** Given an <b>interval</b> in seconds, try to write it to the
1847 * <b>out_len</b>-byte buffer in <b>out</b> in a human-readable form.
1848 * Return 0 on success, -1 on failure.
1851 format_time_interval(char *out
, size_t out_len
, long interval
)
1853 /* We only report seconds if there's no hours. */
1854 long sec
= 0, min
= 0, hour
= 0, day
= 0;
1856 /* -LONG_MIN is LONG_MAX + 1, which causes signed overflow */
1857 if (interval
< -LONG_MAX
)
1858 interval
= LONG_MAX
;
1859 else if (interval
< 0)
1860 interval
= -interval
;
1862 if (interval
>= 86400) {
1863 day
= interval
/ 86400;
1866 if (interval
>= 3600) {
1867 hour
= interval
/ 3600;
1870 if (interval
>= 60) {
1871 min
= interval
/ 60;
1877 return tor_snprintf(out
, out_len
, "%ld days, %ld hours, %ld minutes",
1880 return tor_snprintf(out
, out_len
, "%ld hours, %ld minutes", hour
, min
);
1882 return tor_snprintf(out
, out_len
, "%ld minutes, %ld seconds", min
, sec
);
1884 return tor_snprintf(out
, out_len
, "%ld seconds", sec
);
1892 #ifndef TIME_IS_FAST
1893 /** Cached estimate of the current time. Updated around once per second;
1894 * may be a few seconds off if we are really busy. This is a hack to avoid
1895 * calling time(NULL) (which not everybody has optimized) on critical paths.
1897 static time_t cached_approx_time
= 0;
1899 /** Return a cached estimate of the current time from when
1900 * update_approx_time() was last called. This is a hack to avoid calling
1901 * time(NULL) on critical paths: please do not even think of calling it
1906 return cached_approx_time
;
1909 /** Update the cached estimate of the current time. This function SHOULD be
1910 * called once per second, and MUST be called before the first call to
1911 * get_approx_time. */
1913 update_approx_time(time_t now
)
1915 cached_approx_time
= now
;
1923 /** If the rate-limiter <b>lim</b> is ready at <b>now</b>, return the number
1924 * of calls to rate_limit_is_ready (including this one!) since the last time
1925 * rate_limit_is_ready returned nonzero. Otherwise return 0. */
1927 rate_limit_is_ready(ratelim_t
*lim
, time_t now
)
1929 if (lim
->rate
+ lim
->last_allowed
<= now
) {
1930 int res
= lim
->n_calls_since_last_time
+ 1;
1931 lim
->last_allowed
= now
;
1932 lim
->n_calls_since_last_time
= 0;
1935 ++lim
->n_calls_since_last_time
;
1940 /** If the rate-limiter <b>lim</b> is ready at <b>now</b>, return a newly
1941 * allocated string indicating how many messages were suppressed, suitable to
1942 * append to a log message. Otherwise return NULL. */
1944 rate_limit_log(ratelim_t
*lim
, time_t now
)
1947 if ((n
= rate_limit_is_ready(lim
, now
))) {
1949 return tor_strdup("");
1953 " [%d similar message(s) suppressed in last %d seconds]",
1966 /** Write <b>count</b> bytes from <b>buf</b> to <b>fd</b>. <b>isSocket</b>
1967 * must be 1 if fd was returned by socket() or accept(), and 0 if fd
1968 * was returned by open(). Return the number of bytes written, or -1
1969 * on error. Only use if fd is a blocking fd. */
1971 write_all(tor_socket_t fd
, const char *buf
, size_t count
, int isSocket
)
1975 tor_assert(count
< SSIZE_MAX
);
1977 while (written
!= count
) {
1979 result
= tor_socket_send(fd
, buf
+written
, count
-written
, 0);
1981 result
= write((int)fd
, buf
+written
, count
-written
);
1986 return (ssize_t
)count
;
1989 /** Read from <b>fd</b> to <b>buf</b>, until we get <b>count</b> bytes
1990 * or reach the end of the file. <b>isSocket</b> must be 1 if fd
1991 * was returned by socket() or accept(), and 0 if fd was returned by
1992 * open(). Return the number of bytes read, or -1 on error. Only use
1993 * if fd is a blocking fd. */
1995 read_all(tor_socket_t fd
, char *buf
, size_t count
, int isSocket
)
2000 if (count
> SIZE_T_CEILING
|| count
> SSIZE_MAX
)
2003 while (numread
!= count
) {
2005 result
= tor_socket_recv(fd
, buf
+numread
, count
-numread
, 0);
2007 result
= read((int)fd
, buf
+numread
, count
-numread
);
2010 else if (result
== 0)
2014 return (ssize_t
)numread
;
2018 * Filesystem operations.
2021 /** Clean up <b>name</b> so that we can use it in a call to "stat". On Unix,
2022 * we do nothing. On Windows, we remove a trailing slash, unless the path is
2023 * the root of a disk. */
2025 clean_name_for_stat(char *name
)
2028 size_t len
= strlen(name
);
2031 if (name
[len
-1]=='\\' || name
[len
-1]=='/') {
2032 if (len
== 1 || (len
==3 && name
[1]==':'))
2042 * FN_ERROR if filename can't be read, is NULL, or is zero-length,
2043 * FN_NOENT if it doesn't exist,
2044 * FN_FILE if it is a non-empty regular file, or a FIFO on unix-like systems,
2045 * FN_EMPTY for zero-byte regular files,
2046 * FN_DIR if it's a directory, and
2047 * FN_ERROR for any other file type.
2048 * On FN_ERROR and FN_NOENT, sets errno. (errno is not set when FN_ERROR
2049 * is returned due to an unhandled file type.) */
2051 file_status(const char *fname
)
2056 if (!fname
|| strlen(fname
) == 0) {
2059 f
= tor_strdup(fname
);
2060 clean_name_for_stat(f
);
2061 log_debug(LD_FS
, "stat()ing %s", f
);
2062 r
= stat(sandbox_intern_string(f
), &st
);
2065 if (errno
== ENOENT
) {
2070 if (st
.st_mode
& S_IFDIR
) {
2072 } else if (st
.st_mode
& S_IFREG
) {
2073 if (st
.st_size
> 0) {
2075 } else if (st
.st_size
== 0) {
2081 } else if (st
.st_mode
& S_IFIFO
) {
2089 /** Check whether <b>dirname</b> exists and is private. If yes return 0. If
2090 * it does not exist, and <b>check</b>&CPD_CREATE is set, try to create it
2091 * and return 0 on success. If it does not exist, and
2092 * <b>check</b>&CPD_CHECK, and we think we can create it, return 0. Else
2093 * return -1. If CPD_GROUP_OK is set, then it's okay if the directory
2094 * is group-readable, but in all cases we create the directory mode 0700.
2095 * If CPD_GROUP_READ is set, existing directory behaves as CPD_GROUP_OK and
2096 * if the directory is created it will use mode 0750 with group read
2097 * permission. Group read privileges also assume execute permission
2098 * as norm for directories. If CPD_CHECK_MODE_ONLY is set, then we don't
2099 * alter the directory permissions if they are too permissive:
2100 * we just return -1.
2101 * When effective_user is not NULL, check permissions against the given user
2102 * and its primary group.
2105 check_private_dir(const char *dirname
, cpd_check_t check
,
2106 const char *effective_user
)
2112 unsigned unwanted_bits
= 0;
2113 const struct passwd
*pw
= NULL
;
2117 (void)effective_user
;
2120 tor_assert(dirname
);
2121 f
= tor_strdup(dirname
);
2122 clean_name_for_stat(f
);
2123 log_debug(LD_FS
, "stat()ing %s", f
);
2124 r
= stat(sandbox_intern_string(f
), &st
);
2127 if (errno
!= ENOENT
) {
2128 log_warn(LD_FS
, "Directory %s cannot be read: %s", dirname
,
2132 if (check
& CPD_CREATE
) {
2133 log_info(LD_GENERAL
, "Creating directory %s", dirname
);
2134 #if defined (_WIN32)
2137 if (check
& CPD_GROUP_READ
) {
2138 r
= mkdir(dirname
, 0750);
2140 r
= mkdir(dirname
, 0700);
2144 log_warn(LD_FS
, "Error creating directory %s: %s", dirname
,
2148 } else if (!(check
& CPD_CHECK
)) {
2149 log_warn(LD_FS
, "Directory %s does not exist.", dirname
);
2152 /* XXXX In the case where check==CPD_CHECK, we should look at the
2153 * parent directory a little harder. */
2156 if (!(st
.st_mode
& S_IFDIR
)) {
2157 log_warn(LD_FS
, "%s is not a directory", dirname
);
2161 if (effective_user
) {
2162 /* Look up the user and group information.
2163 * If we have a problem, bail out. */
2164 pw
= tor_getpwnam(effective_user
);
2166 log_warn(LD_CONFIG
, "Error setting configured user: %s not found",
2170 running_uid
= pw
->pw_uid
;
2171 running_gid
= pw
->pw_gid
;
2173 running_uid
= getuid();
2174 running_gid
= getgid();
2177 if (st
.st_uid
!= running_uid
) {
2178 const struct passwd
*pw
= NULL
;
2179 char *process_ownername
= NULL
;
2181 pw
= tor_getpwuid(running_uid
);
2182 process_ownername
= pw
? tor_strdup(pw
->pw_name
) : tor_strdup("<unknown>");
2184 pw
= tor_getpwuid(st
.st_uid
);
2186 log_warn(LD_FS
, "%s is not owned by this user (%s, %d) but by "
2187 "%s (%d). Perhaps you are running Tor as the wrong user?",
2188 dirname
, process_ownername
, (int)running_uid
,
2189 pw
? pw
->pw_name
: "<unknown>", (int)st
.st_uid
);
2191 tor_free(process_ownername
);
2194 if ( (check
& (CPD_GROUP_OK
|CPD_GROUP_READ
))
2195 && (st
.st_gid
!= running_gid
) ) {
2197 char *process_groupname
= NULL
;
2198 gr
= getgrgid(running_gid
);
2199 process_groupname
= gr
? tor_strdup(gr
->gr_name
) : tor_strdup("<unknown>");
2200 gr
= getgrgid(st
.st_gid
);
2202 log_warn(LD_FS
, "%s is not owned by this group (%s, %d) but by group "
2203 "%s (%d). Are you running Tor as the wrong user?",
2204 dirname
, process_groupname
, (int)running_gid
,
2205 gr
? gr
->gr_name
: "<unknown>", (int)st
.st_gid
);
2207 tor_free(process_groupname
);
2210 if (check
& (CPD_GROUP_OK
|CPD_GROUP_READ
)) {
2211 unwanted_bits
= 0027;
2213 unwanted_bits
= 0077;
2215 if ((st
.st_mode
& unwanted_bits
) != 0) {
2217 if (check
& CPD_CHECK_MODE_ONLY
) {
2218 log_warn(LD_FS
, "Permissions on directory %s are too permissive.",
2222 log_warn(LD_FS
, "Fixing permissions on directory %s", dirname
);
2223 new_mode
= st
.st_mode
;
2224 new_mode
|= 0700; /* Owner should have rwx */
2225 if (check
& CPD_GROUP_READ
) {
2226 new_mode
|= 0050; /* Group should have rx */
2228 new_mode
&= ~unwanted_bits
; /* Clear the bits that we didn't want set...*/
2229 if (chmod(dirname
, new_mode
)) {
2230 log_warn(LD_FS
, "Could not chmod directory %s: %s", dirname
,
2241 /** Create a file named <b>fname</b> with the contents <b>str</b>. Overwrite
2242 * the previous <b>fname</b> if possible. Return 0 on success, -1 on failure.
2244 * This function replaces the old file atomically, if possible. This
2245 * function, and all other functions in util.c that create files, create them
2249 write_str_to_file(const char *fname
, const char *str
, int bin
)
2252 if (!bin
&& strchr(str
, '\r')) {
2254 "We're writing a text string that already contains a CR to %s",
2258 return write_bytes_to_file(fname
, str
, strlen(str
), bin
);
2261 /** Represents a file that we're writing to, with support for atomic commit:
2262 * we can write into a temporary file, and either remove the file on
2263 * failure, or replace the original file on success. */
2264 struct open_file_t
{
2265 char *tempname
; /**< Name of the temporary file. */
2266 char *filename
; /**< Name of the original file. */
2267 unsigned rename_on_close
:1; /**< Are we using the temporary file or not? */
2268 unsigned binary
:1; /**< Did we open in binary mode? */
2269 int fd
; /**< fd for the open file. */
2270 FILE *stdio_file
; /**< stdio wrapper for <b>fd</b>. */
2273 /** Try to start writing to the file in <b>fname</b>, passing the flags
2274 * <b>open_flags</b> to the open() syscall, creating the file (if needed) with
2275 * access value <b>mode</b>. If the O_APPEND flag is set, we append to the
2276 * original file. Otherwise, we open a new temporary file in the same
2277 * directory, and either replace the original or remove the temporary file
2280 * Return the fd for the newly opened file, and store working data in
2281 * *<b>data_out</b>. The caller should not close the fd manually:
2282 * instead, call finish_writing_to_file() or abort_writing_to_file().
2283 * Returns -1 on failure.
2285 * NOTE: When not appending, the flags O_CREAT and O_TRUNC are treated
2286 * as true and the flag O_EXCL is treated as false.
2288 * NOTE: Ordinarily, O_APPEND means "seek to the end of the file before each
2289 * write()". We don't do that.
2292 start_writing_to_file(const char *fname
, int open_flags
, int mode
,
2293 open_file_t
**data_out
)
2295 open_file_t
*new_file
= tor_malloc_zero(sizeof(open_file_t
));
2296 const char *open_name
;
2300 tor_assert(data_out
);
2301 #if (O_BINARY != 0 && O_TEXT != 0)
2302 tor_assert((open_flags
& (O_BINARY
|O_TEXT
)) != 0);
2305 new_file
->filename
= tor_strdup(fname
);
2306 if (open_flags
& O_APPEND
) {
2308 new_file
->rename_on_close
= 0;
2310 open_flags
&= ~O_APPEND
;
2312 tor_asprintf(&new_file
->tempname
, "%s.tmp", fname
);
2313 open_name
= new_file
->tempname
;
2314 /* We always replace an existing temporary file if there is one. */
2315 open_flags
|= O_CREAT
|O_TRUNC
;
2316 open_flags
&= ~O_EXCL
;
2317 new_file
->rename_on_close
= 1;
2320 if (open_flags
& O_BINARY
)
2321 new_file
->binary
= 1;
2324 new_file
->fd
= tor_open_cloexec(open_name
, open_flags
, mode
);
2325 if (new_file
->fd
< 0) {
2326 log_warn(LD_FS
, "Couldn't open \"%s\" (%s) for writing: %s",
2327 open_name
, fname
, strerror(errno
));
2331 if (tor_fd_seekend(new_file
->fd
) < 0) {
2332 log_warn(LD_FS
, "Couldn't seek to end of file \"%s\": %s", open_name
,
2338 *data_out
= new_file
;
2340 return new_file
->fd
;
2343 if (new_file
->fd
>= 0)
2344 close(new_file
->fd
);
2346 tor_free(new_file
->filename
);
2347 tor_free(new_file
->tempname
);
2352 /** Given <b>file_data</b> from start_writing_to_file(), return a stdio FILE*
2353 * that can be used to write to the same file. The caller should not mix
2354 * stdio calls with non-stdio calls. */
2356 fdopen_file(open_file_t
*file_data
)
2358 tor_assert(file_data
);
2359 if (file_data
->stdio_file
)
2360 return file_data
->stdio_file
;
2361 tor_assert(file_data
->fd
>= 0);
2362 if (!(file_data
->stdio_file
= fdopen(file_data
->fd
,
2363 file_data
->binary
?"ab":"a"))) {
2364 log_warn(LD_FS
, "Couldn't fdopen \"%s\" [%d]: %s", file_data
->filename
,
2365 file_data
->fd
, strerror(errno
));
2367 return file_data
->stdio_file
;
2370 /** Combines start_writing_to_file with fdopen_file(): arguments are as
2371 * for start_writing_to_file, but */
2373 start_writing_to_stdio_file(const char *fname
, int open_flags
, int mode
,
2374 open_file_t
**data_out
)
2377 if (start_writing_to_file(fname
, open_flags
, mode
, data_out
)<0)
2379 if (!(res
= fdopen_file(*data_out
))) {
2380 abort_writing_to_file(*data_out
);
2386 /** Helper function: close and free the underlying file and memory in
2387 * <b>file_data</b>. If we were writing into a temporary file, then delete
2388 * that file (if abort_write is true) or replaces the target file with
2389 * the temporary file (if abort_write is false). */
2391 finish_writing_to_file_impl(open_file_t
*file_data
, int abort_write
)
2395 tor_assert(file_data
&& file_data
->filename
);
2396 if (file_data
->stdio_file
) {
2397 if (fclose(file_data
->stdio_file
)) {
2398 log_warn(LD_FS
, "Error closing \"%s\": %s", file_data
->filename
,
2400 abort_write
= r
= -1;
2402 } else if (file_data
->fd
>= 0 && close(file_data
->fd
) < 0) {
2403 log_warn(LD_FS
, "Error flushing \"%s\": %s", file_data
->filename
,
2405 abort_write
= r
= -1;
2408 if (file_data
->rename_on_close
) {
2409 tor_assert(file_data
->tempname
&& file_data
->filename
);
2411 int res
= unlink(file_data
->tempname
);
2413 /* We couldn't unlink and we'll leave a mess behind */
2414 log_warn(LD_FS
, "Failed to unlink %s: %s",
2415 file_data
->tempname
, strerror(errno
));
2419 tor_assert(strcmp(file_data
->filename
, file_data
->tempname
));
2420 if (replace_file(file_data
->tempname
, file_data
->filename
)) {
2421 log_warn(LD_FS
, "Error replacing \"%s\": %s", file_data
->filename
,
2428 tor_free(file_data
->filename
);
2429 tor_free(file_data
->tempname
);
2430 tor_free(file_data
);
2435 /** Finish writing to <b>file_data</b>: close the file handle, free memory as
2436 * needed, and if using a temporary file, replace the original file with
2437 * the temporary file. */
2439 finish_writing_to_file(open_file_t
*file_data
)
2441 return finish_writing_to_file_impl(file_data
, 0);
2444 /** Finish writing to <b>file_data</b>: close the file handle, free memory as
2445 * needed, and if using a temporary file, delete it. */
2447 abort_writing_to_file(open_file_t
*file_data
)
2449 return finish_writing_to_file_impl(file_data
, 1);
2452 /** Helper: given a set of flags as passed to open(2), open the file
2453 * <b>fname</b> and write all the sized_chunk_t structs in <b>chunks</b> to
2454 * the file. Do so as atomically as possible e.g. by opening temp files and
2457 write_chunks_to_file_impl(const char *fname
, const smartlist_t
*chunks
,
2460 open_file_t
*file
= NULL
;
2463 fd
= start_writing_to_file(fname
, open_flags
, 0600, &file
);
2466 SMARTLIST_FOREACH(chunks
, sized_chunk_t
*, chunk
,
2468 result
= write_all(fd
, chunk
->bytes
, chunk
->len
, 0);
2470 log_warn(LD_FS
, "Error writing to \"%s\": %s", fname
,
2474 tor_assert((size_t)result
== chunk
->len
);
2477 return finish_writing_to_file(file
);
2479 abort_writing_to_file(file
);
2483 /** Given a smartlist of sized_chunk_t, write them to a file
2484 * <b>fname</b>, overwriting or creating the file as necessary.
2485 * If <b>no_tempfile</b> is 0 then the file will be written
2488 write_chunks_to_file(const char *fname
, const smartlist_t
*chunks
, int bin
,
2491 int flags
= OPEN_FLAGS_REPLACE
|(bin
?O_BINARY
:O_TEXT
);
2494 /* O_APPEND stops write_chunks_to_file from using tempfiles */
2497 return write_chunks_to_file_impl(fname
, chunks
, flags
);
2500 /** Write <b>len</b> bytes, starting at <b>str</b>, to <b>fname</b>
2501 using the open() flags passed in <b>flags</b>. */
2503 write_bytes_to_file_impl(const char *fname
, const char *str
, size_t len
,
2507 sized_chunk_t c
= { str
, len
};
2508 smartlist_t
*chunks
= smartlist_new();
2509 smartlist_add(chunks
, &c
);
2510 r
= write_chunks_to_file_impl(fname
, chunks
, flags
);
2511 smartlist_free(chunks
);
2515 /** As write_str_to_file, but does not assume a NUL-terminated
2516 * string. Instead, we write <b>len</b> bytes, starting at <b>str</b>. */
2518 write_bytes_to_file
,(const char *fname
, const char *str
, size_t len
,
2521 return write_bytes_to_file_impl(fname
, str
, len
,
2522 OPEN_FLAGS_REPLACE
|(bin
?O_BINARY
:O_TEXT
));
2525 /** As write_bytes_to_file, but if the file already exists, append the bytes
2526 * to the end of the file instead of overwriting it. */
2528 append_bytes_to_file(const char *fname
, const char *str
, size_t len
,
2531 return write_bytes_to_file_impl(fname
, str
, len
,
2532 OPEN_FLAGS_APPEND
|(bin
?O_BINARY
:O_TEXT
));
2535 /** Like write_str_to_file(), but also return -1 if there was a file
2536 already residing in <b>fname</b>. */
2538 write_bytes_to_new_file(const char *fname
, const char *str
, size_t len
,
2541 return write_bytes_to_file_impl(fname
, str
, len
,
2542 OPEN_FLAGS_DONT_REPLACE
|
2543 (bin
?O_BINARY
:O_TEXT
));
2547 * Read the contents of the open file <b>fd</b> presuming it is a FIFO
2548 * (or similar) file descriptor for which the size of the file isn't
2549 * known ahead of time. Return NULL on failure, and a NUL-terminated
2550 * string on success. On success, set <b>sz_out</b> to the number of
2554 read_file_to_str_until_eof(int fd
, size_t max_bytes_to_read
, size_t *sz_out
)
2558 char *string
= NULL
;
2559 size_t string_max
= 0;
2561 if (max_bytes_to_read
+1 >= SIZE_T_CEILING
)
2565 /* XXXX This "add 1K" approach is a little goofy; if we care about
2566 * performance here, we should be doubling. But in practice we shouldn't
2567 * be using this function on big files anyway. */
2568 string_max
= pos
+ 1024;
2569 if (string_max
> max_bytes_to_read
)
2570 string_max
= max_bytes_to_read
+ 1;
2571 string
= tor_realloc(string
, string_max
);
2572 r
= read(fd
, string
+ pos
, string_max
- pos
- 1);
2574 int save_errno
= errno
;
2581 } while (r
> 0 && pos
< max_bytes_to_read
);
2583 tor_assert(pos
< string_max
);
2589 /** Read the contents of <b>filename</b> into a newly allocated
2590 * string; return the string on success or NULL on failure.
2592 * If <b>stat_out</b> is provided, store the result of stat()ing the
2593 * file into <b>stat_out</b>.
2595 * If <b>flags</b> & RFTS_BIN, open the file in binary mode.
2596 * If <b>flags</b> & RFTS_IGNORE_MISSING, don't warn if the file
2600 * This function <em>may</em> return an erroneous result if the file
2601 * is modified while it is running, but must not crash or overflow.
2602 * Right now, the error case occurs when the file length grows between
2603 * the call to stat and the call to read_all: the resulting string will
2607 read_file_to_str(const char *filename
, int flags
, struct stat
*stat_out
)
2609 int fd
; /* router file */
2610 struct stat statbuf
;
2613 int bin
= flags
& RFTS_BIN
;
2615 tor_assert(filename
);
2617 fd
= tor_open_cloexec(filename
,O_RDONLY
|(bin
?O_BINARY
:O_TEXT
),0);
2619 int severity
= LOG_WARN
;
2620 int save_errno
= errno
;
2621 if (errno
== ENOENT
&& (flags
& RFTS_IGNORE_MISSING
))
2622 severity
= LOG_INFO
;
2623 log_fn(severity
, LD_FS
,"Could not open \"%s\": %s",filename
,
2629 if (fstat(fd
, &statbuf
)<0) {
2630 int save_errno
= errno
;
2632 log_warn(LD_FS
,"Could not fstat \"%s\".",filename
);
2638 /** When we detect that we're reading from a FIFO, don't read more than
2639 * this many bytes. It's insane overkill for most uses. */
2640 #define FIFO_READ_MAX (1024*1024)
2641 if (S_ISFIFO(statbuf
.st_mode
)) {
2643 string
= read_file_to_str_until_eof(fd
, FIFO_READ_MAX
, &sz
);
2644 int save_errno
= errno
;
2645 if (string
&& stat_out
) {
2646 statbuf
.st_size
= sz
;
2647 memcpy(stat_out
, &statbuf
, sizeof(struct stat
));
2656 if ((uint64_t)(statbuf
.st_size
)+1 >= SIZE_T_CEILING
) {
2661 string
= tor_malloc((size_t)(statbuf
.st_size
+1));
2663 r
= read_all(fd
,string
,(size_t)statbuf
.st_size
,0);
2665 int save_errno
= errno
;
2666 log_warn(LD_FS
,"Error reading from file \"%s\": %s", filename
,
2673 string
[r
] = '\0'; /* NUL-terminate the result. */
2675 #if defined(_WIN32) || defined(__CYGWIN__)
2676 if (!bin
&& strchr(string
, '\r')) {
2677 log_debug(LD_FS
, "We didn't convert CRLF to LF as well as we hoped "
2678 "when reading %s. Coping.",
2680 tor_strstrip(string
, "\r");
2684 statbuf
.st_size
= (size_t) r
;
2687 if (r
!= statbuf
.st_size
) {
2688 /* Unless we're using text mode on win32, we'd better have an exact
2689 * match for size. */
2690 int save_errno
= errno
;
2691 log_warn(LD_FS
,"Could read only %d of %ld bytes of file \"%s\".",
2692 (int)r
, (long)statbuf
.st_size
,filename
);
2700 memcpy(stat_out
, &statbuf
, sizeof(struct stat
));
2706 #define TOR_ISODIGIT(c) ('0' <= (c) && (c) <= '7')
2708 /** Given a c-style double-quoted escaped string in <b>s</b>, extract and
2709 * decode its contents into a newly allocated string. On success, assign this
2710 * string to *<b>result</b>, assign its length to <b>size_out</b> (if
2711 * provided), and return a pointer to the position in <b>s</b> immediately
2712 * after the string. On failure, return NULL.
2715 unescape_string(const char *s
, char **result
, size_t *size_out
)
2730 if (cp
[1] == 'x' || cp
[1] == 'X') {
2731 if (!(TOR_ISXDIGIT(cp
[2]) && TOR_ISXDIGIT(cp
[3])))
2734 } else if (TOR_ISODIGIT(cp
[1])) {
2736 if (TOR_ISODIGIT(*cp
)) ++cp
;
2737 if (TOR_ISODIGIT(*cp
)) ++cp
;
2738 } else if (cp
[1] == 'n' || cp
[1] == 'r' || cp
[1] == 't' || cp
[1] == '"'
2739 || cp
[1] == '\\' || cp
[1] == '\'') {
2751 out
= *result
= tor_malloc(cp
-s
+ 1);
2758 if (size_out
) *size_out
= out
- *result
;
2761 tor_fragile_assert();
2767 case 'n': *out
++ = '\n'; cp
+= 2; break;
2768 case 'r': *out
++ = '\r'; cp
+= 2; break;
2769 case 't': *out
++ = '\t'; cp
+= 2; break;
2774 x1
= hex_decode_digit(cp
[2]);
2775 x2
= hex_decode_digit(cp
[3]);
2776 if (x1
== -1 || x2
== -1) {
2781 *out
++ = ((x1
<<4) + x2
);
2785 case '0': case '1': case '2': case '3': case '4': case '5':
2790 if (TOR_ISODIGIT(*cp
)) { n
= n
*8 + *cp
-'0'; cp
++; }
2791 if (TOR_ISODIGIT(*cp
)) { n
= n
*8 + *cp
-'0'; cp
++; }
2792 if (n
> 255) { tor_free(*result
); return NULL
; }
2804 tor_free(*result
); return NULL
;
2813 /** Given a string containing part of a configuration file or similar format,
2814 * advance past comments and whitespace and try to parse a single line. If we
2815 * parse a line successfully, set *<b>key_out</b> to a new string holding the
2816 * key portion and *<b>value_out</b> to a new string holding the value portion
2817 * of the line, and return a pointer to the start of the next line. If we run
2818 * out of data, return a pointer to the end of the string. If we encounter an
2819 * error, return NULL and set *<b>err_out</b> (if provided) to an error
2823 parse_config_line_from_str_verbose(const char *line
, char **key_out
,
2825 const char **err_out
)
2827 /* I believe the file format here is supposed to be:
2828 FILE = (EMPTYLINE | LINE)* (EMPTYLASTLINE | LASTLINE)?
2830 EMPTYLASTLINE = SPACE* | COMMENT
2831 EMPTYLINE = EMPTYLASTLINE NL
2832 SPACE = ' ' | '\r' | '\t'
2833 COMMENT = '#' NOT-NL*
2834 NOT-NL = Any character except '\n'
2837 LASTLINE = SPACE* KEY SPACE* VALUES
2840 KEYCHAR = Any character except ' ', '\r', '\n', '\t', '#', "\"
2842 VALUES = QUOTEDVALUE | NORMALVALUE
2843 QUOTEDVALUE = QUOTE QVCHAR* QUOTE EOLSPACE?
2845 QVCHAR = KEYCHAR | ESC ('n' | 't' | 'r' | '"' | ESC |'\'' | OCTAL | HEX)
2847 OCTAL = ODIGIT (ODIGIT ODIGIT?)?
2848 HEX = ('x' | 'X') HEXDIGIT HEXDIGIT
2850 HEXDIGIT = '0'..'9' | 'a' .. 'f' | 'A' .. 'F'
2851 EOLSPACE = SPACE* COMMENT?
2853 NORMALVALUE = (VALCHAR | ESC ESC_IGNORE | CONTINUATION)* EOLSPACE?
2854 VALCHAR = Any character except ESC, '#', and '\n'
2855 ESC_IGNORE = Any character except '#' or '\n'
2856 CONTINUATION = ESC NL ( COMMENT NL )*
2859 const char *key
, *val
, *cp
;
2860 int continuation
= 0;
2862 tor_assert(key_out
);
2863 tor_assert(value_out
);
2865 *key_out
= *value_out
= NULL
;
2867 /* Skip until the first keyword. */
2869 while (TOR_ISSPACE(*line
))
2872 while (*line
&& *line
!= '\n')
2879 if (!*line
) { /* End of string? */
2880 *key_out
= *value_out
= NULL
;
2884 /* Skip until the next space or \ followed by newline. */
2886 while (*line
&& !TOR_ISSPACE(*line
) && *line
!= '#' &&
2887 ! (line
[0] == '\\' && line
[1] == '\n'))
2889 *key_out
= tor_strndup(key
, line
-key
);
2891 /* Skip until the value. */
2892 while (*line
== ' ' || *line
== '\t')
2897 /* Find the end of the line. */
2898 if (*line
== '\"') { // XXX No continuation handling is done here
2899 if (!(line
= unescape_string(line
, value_out
, NULL
))) {
2901 *err_out
= "Invalid escape sequence in quoted string";
2904 while (*line
== ' ' || *line
== '\t')
2906 if (*line
&& *line
!= '#' && *line
!= '\n') {
2908 *err_out
= "Excess data after quoted string";
2912 /* Look for the end of the line. */
2913 while (*line
&& *line
!= '\n' && (*line
!= '#' || continuation
)) {
2914 if (*line
== '\\' && line
[1] == '\n') {
2917 } else if (*line
== '#') {
2920 } while (*line
&& *line
!= '\n');
2928 if (*line
== '\n') {
2933 /* Now back cp up to be the last nonspace character */
2934 while (cp
>val
&& TOR_ISSPACE(*(cp
-1)))
2937 tor_assert(cp
>= val
);
2939 /* Now copy out and decode the value. */
2940 *value_out
= tor_strndup(val
, cp
-val
);
2943 v_out
= v_in
= *value_out
;
2948 } while (*v_in
&& *v_in
!= '\n');
2951 } else if (v_in
[0] == '\\' && v_in
[1] == '\n') {
2964 } while (*line
&& *line
!= '\n');
2966 while (TOR_ISSPACE(*line
)) ++line
;
2971 /** Expand any homedir prefix on <b>filename</b>; return a newly allocated
2974 expand_filename(const char *filename
)
2976 tor_assert(filename
);
2978 return tor_strdup(filename
);
2980 if (*filename
== '~') {
2981 char *home
, *result
=NULL
;
2984 if (filename
[1] == '/' || filename
[1] == '\0') {
2985 home
= getenv("HOME");
2987 log_warn(LD_CONFIG
, "Couldn't find $HOME environment variable while "
2988 "expanding \"%s\"; defaulting to \"\".", filename
);
2989 home
= tor_strdup("");
2991 home
= tor_strdup(home
);
2993 rest
= strlen(filename
)>=2?(filename
+2):"";
2996 char *username
, *slash
;
2997 slash
= strchr(filename
, '/');
2999 username
= tor_strndup(filename
+1,slash
-filename
-1);
3001 username
= tor_strdup(filename
+1);
3002 if (!(home
= get_user_homedir(username
))) {
3003 log_warn(LD_CONFIG
,"Couldn't get homedir for \"%s\"",username
);
3008 rest
= slash
? (slash
+1) : "";
3010 log_warn(LD_CONFIG
, "Couldn't expand homedir on system without pwd.h");
3011 return tor_strdup(filename
);
3015 /* Remove trailing slash. */
3016 if (strlen(home
)>1 && !strcmpend(home
,PATH_SEPARATOR
)) {
3017 home
[strlen(home
)-1] = '\0';
3019 tor_asprintf(&result
,"%s"PATH_SEPARATOR
"%s",home
,rest
);
3023 return tor_strdup(filename
);
3028 #define MAX_SCANF_WIDTH 9999
3030 /** Helper: given an ASCII-encoded decimal digit, return its numeric value.
3031 * NOTE: requires that its input be in-bounds. */
3033 digit_to_num(char d
)
3035 int num
= ((int)d
) - (int)'0';
3036 tor_assert(num
<= 9 && num
>= 0);
3040 /** Helper: Read an unsigned int from *<b>bufp</b> of up to <b>width</b>
3041 * characters. (Handle arbitrary width if <b>width</b> is less than 0.) On
3042 * success, store the result in <b>out</b>, advance bufp to the next
3043 * character, and return 0. On failure, return -1. */
3045 scan_unsigned(const char **bufp
, unsigned long *out
, int width
, int base
)
3047 unsigned long result
= 0;
3048 int scanned_so_far
= 0;
3049 const int hex
= base
==16;
3050 tor_assert(base
== 10 || base
== 16);
3051 if (!bufp
|| !*bufp
|| !out
)
3054 width
=MAX_SCANF_WIDTH
;
3056 while (**bufp
&& (hex
?TOR_ISXDIGIT(**bufp
):TOR_ISDIGIT(**bufp
))
3057 && scanned_so_far
< width
) {
3058 int digit
= hex
?hex_decode_digit(*(*bufp
)++):digit_to_num(*(*bufp
)++);
3059 // Check for overflow beforehand, without actually causing any overflow
3060 // This preserves functionality on compilers that don't wrap overflow
3061 // (i.e. that trap or optimise away overflow)
3062 // result * base + digit > ULONG_MAX
3063 // result * base > ULONG_MAX - digit
3064 if (result
> (ULONG_MAX
- digit
)/base
)
3065 return -1; /* Processing this digit would overflow */
3066 result
= result
* base
+ digit
;
3070 if (!scanned_so_far
) /* No actual digits scanned */
3077 /** Helper: Read an signed int from *<b>bufp</b> of up to <b>width</b>
3078 * characters. (Handle arbitrary width if <b>width</b> is less than 0.) On
3079 * success, store the result in <b>out</b>, advance bufp to the next
3080 * character, and return 0. On failure, return -1. */
3082 scan_signed(const char **bufp
, long *out
, int width
)
3085 unsigned long result
= 0;
3087 if (!bufp
|| !*bufp
|| !out
)
3090 width
=MAX_SCANF_WIDTH
;
3092 if (**bufp
== '-') {
3098 if (scan_unsigned(bufp
, &result
, width
, 10) < 0)
3101 if (neg
&& result
> 0) {
3102 if (result
> ((unsigned long)LONG_MAX
) + 1)
3103 return -1; /* Underflow */
3104 // Avoid overflow on the cast to signed long when result is LONG_MIN
3105 // by subtracting 1 from the unsigned long positive value,
3106 // then, after it has been cast to signed and negated,
3107 // subtracting the original 1 (the double-subtraction is intentional).
3108 // Otherwise, the cast to signed could cause a temporary long
3109 // to equal LONG_MAX + 1, which is undefined.
3110 // We avoid underflow on the subtraction by treating -0 as positive.
3111 *out
= (-(long)(result
- 1)) - 1;
3113 if (result
> LONG_MAX
)
3114 return -1; /* Overflow */
3115 *out
= (long)result
;
3121 /** Helper: Read a decimal-formatted double from *<b>bufp</b> of up to
3122 * <b>width</b> characters. (Handle arbitrary width if <b>width</b> is less
3123 * than 0.) On success, store the result in <b>out</b>, advance bufp to the
3124 * next character, and return 0. On failure, return -1. */
3126 scan_double(const char **bufp
, double *out
, int width
)
3130 int scanned_so_far
= 0;
3132 if (!bufp
|| !*bufp
|| !out
)
3135 width
=MAX_SCANF_WIDTH
;
3137 if (**bufp
== '-') {
3142 while (**bufp
&& TOR_ISDIGIT(**bufp
) && scanned_so_far
< width
) {
3143 const int digit
= digit_to_num(*(*bufp
)++);
3144 result
= result
* 10 + digit
;
3147 if (**bufp
== '.') {
3148 double fracval
= 0, denominator
= 1;
3151 while (**bufp
&& TOR_ISDIGIT(**bufp
) && scanned_so_far
< width
) {
3152 const int digit
= digit_to_num(*(*bufp
)++);
3153 fracval
= fracval
* 10 + digit
;
3157 result
+= fracval
/ denominator
;
3160 if (!scanned_so_far
) /* No actual digits scanned */
3163 *out
= neg
? -result
: result
;
3167 /** Helper: copy up to <b>width</b> non-space characters from <b>bufp</b> to
3168 * <b>out</b>. Make sure <b>out</b> is nul-terminated. Advance <b>bufp</b>
3169 * to the next non-space character or the EOS. */
3171 scan_string(const char **bufp
, char *out
, int width
)
3173 int scanned_so_far
= 0;
3174 if (!bufp
|| !out
|| width
< 0)
3176 while (**bufp
&& ! TOR_ISSPACE(**bufp
) && scanned_so_far
< width
) {
3177 *out
++ = *(*bufp
)++;
3184 /** Locale-independent, minimal, no-surprises scanf variant, accepting only a
3185 * restricted pattern format. For more info on what it supports, see
3186 * tor_sscanf() documentation. */
3188 tor_vsscanf(const char *buf
, const char *pattern
, va_list ap
)
3193 if (*pattern
!= '%') {
3194 if (*buf
== *pattern
) {
3205 if (TOR_ISDIGIT(*pattern
)) {
3206 width
= digit_to_num(*pattern
++);
3207 while (TOR_ISDIGIT(*pattern
)) {
3209 width
+= digit_to_num(*pattern
++);
3210 if (width
> MAX_SCANF_WIDTH
)
3213 if (!width
) /* No zero-width things. */
3216 if (*pattern
== 'l') {
3220 if (*pattern
== 'u' || *pattern
== 'x') {
3222 const int base
= (*pattern
== 'u') ? 10 : 16;
3225 if (scan_unsigned(&buf
, &u
, width
, base
)<0)
3228 unsigned long *out
= va_arg(ap
, unsigned long *);
3231 unsigned *out
= va_arg(ap
, unsigned *);
3234 *out
= (unsigned) u
;
3238 } else if (*pattern
== 'f') {
3239 double *d
= va_arg(ap
, double *);
3241 return -1; /* float not supported */
3244 if (scan_double(&buf
, d
, width
)<0)
3248 } else if (*pattern
== 'd') {
3250 if (scan_signed(&buf
, &lng
, width
)<0)
3253 long *out
= va_arg(ap
, long *);
3256 int *out
= va_arg(ap
, int *);
3257 if (lng
< INT_MIN
|| lng
> INT_MAX
)
3263 } else if (*pattern
== 's') {
3264 char *s
= va_arg(ap
, char *);
3269 if (scan_string(&buf
, s
, width
)<0)
3273 } else if (*pattern
== 'c') {
3274 char *ch
= va_arg(ap
, char *);
3284 } else if (*pattern
== '%') {
3292 return -1; /* Unrecognized pattern component. */
3300 /** Minimal sscanf replacement: parse <b>buf</b> according to <b>pattern</b>
3301 * and store the results in the corresponding argument fields. Differs from
3303 * <ul><li>It only handles %u, %lu, %x, %lx, %[NUM]s, %d, %ld, %lf, and %c.
3304 * <li>It only handles decimal inputs for %lf. (12.3, not 1.23e1)
3305 * <li>It does not handle arbitrarily long widths.
3306 * <li>Numbers do not consume any space characters.
3307 * <li>It is locale-independent.
3308 * <li>%u and %x do not consume any space.
3309 * <li>It returns -1 on malformed patterns.</ul>
3311 * (As with other locale-independent functions, we need this to parse data that
3312 * is in ASCII without worrying that the C library's locale-handling will make
3313 * miscellaneous characters look like numbers, spaces, and so on.)
3316 tor_sscanf(const char *buf
, const char *pattern
, ...)
3320 va_start(ap
, pattern
);
3321 r
= tor_vsscanf(buf
, pattern
, ap
);
3326 /** Append the string produced by tor_asprintf(<b>pattern</b>, <b>...</b>)
3329 smartlist_add_asprintf(struct smartlist_t
*sl
, const char *pattern
, ...)
3332 va_start(ap
, pattern
);
3333 smartlist_add_vasprintf(sl
, pattern
, ap
);
3337 /** va_list-based backend of smartlist_add_asprintf. */
3339 smartlist_add_vasprintf(struct smartlist_t
*sl
, const char *pattern
,
3344 tor_vasprintf(&str
, pattern
, args
);
3345 tor_assert(str
!= NULL
);
3347 smartlist_add(sl
, str
);
3350 /** Return a new list containing the filenames in the directory <b>dirname</b>.
3351 * Return NULL on error or if <b>dirname</b> is not a directory.
3354 tor_listdir(const char *dirname
)
3356 smartlist_t
*result
;
3359 TCHAR tpattern
[MAX_PATH
] = {0};
3360 char name
[MAX_PATH
*2+1] = {0};
3362 WIN32_FIND_DATA findData
;
3363 tor_asprintf(&pattern
, "%s\\*", dirname
);
3365 mbstowcs(tpattern
,pattern
,MAX_PATH
);
3367 strlcpy(tpattern
, pattern
, MAX_PATH
);
3369 if (INVALID_HANDLE_VALUE
== (handle
= FindFirstFile(tpattern
, &findData
))) {
3373 result
= smartlist_new();
3376 wcstombs(name
,findData
.cFileName
,MAX_PATH
);
3377 name
[sizeof(name
)-1] = '\0';
3379 strlcpy(name
,findData
.cFileName
,sizeof(name
));
3381 if (strcmp(name
, ".") &&
3382 strcmp(name
, "..")) {
3383 smartlist_add(result
, tor_strdup(name
));
3385 if (!FindNextFile(handle
, &findData
)) {
3387 if ((err
= GetLastError()) != ERROR_NO_MORE_FILES
) {
3388 char *errstr
= format_win32_error(err
);
3389 log_warn(LD_FS
, "Error reading directory '%s': %s", dirname
, errstr
);
3398 const char *prot_dname
= sandbox_intern_string(dirname
);
3401 if (!(d
= opendir(prot_dname
)))
3404 result
= smartlist_new();
3405 while ((de
= readdir(d
))) {
3406 if (!strcmp(de
->d_name
, ".") ||
3407 !strcmp(de
->d_name
, ".."))
3409 smartlist_add(result
, tor_strdup(de
->d_name
));
3416 /** Return true iff <b>filename</b> is a relative path. */
3418 path_is_relative(const char *filename
)
3420 if (filename
&& filename
[0] == '/')
3423 else if (filename
&& filename
[0] == '\\')
3425 else if (filename
&& strlen(filename
)>3 && TOR_ISALPHA(filename
[0]) &&
3426 filename
[1] == ':' && filename
[2] == '\\')
3438 /* Based on code contributed by christian grothoff */
3439 /** True iff we've called start_daemon(). */
3440 static int start_daemon_called
= 0;
3441 /** True iff we've called finish_daemon(). */
3442 static int finish_daemon_called
= 0;
3443 /** Socketpair used to communicate between parent and child process while
3445 static int daemon_filedes
[2];
3446 /** Start putting the process into daemon mode: fork and drop all resources
3447 * except standard fds. The parent process never returns, but stays around
3448 * until finish_daemon is called. (Note: it's safe to call this more
3449 * than once: calls after the first are ignored.)
3456 if (start_daemon_called
)
3458 start_daemon_called
= 1;
3460 if (pipe(daemon_filedes
)) {
3461 log_err(LD_GENERAL
,"pipe failed; exiting. Error was %s", strerror(errno
));
3466 log_err(LD_GENERAL
,"fork failed. Exiting.");
3469 if (pid
) { /* Parent */
3473 close(daemon_filedes
[1]); /* we only read */
3475 while (0 < read(daemon_filedes
[0], &c
, sizeof(char))) {
3483 exit(1); /* child reported error */
3484 } else { /* Child */
3485 close(daemon_filedes
[0]); /* we only write */
3487 pid
= setsid(); /* Detach from controlling terminal */
3489 * Fork one more time, so the parent (the session group leader) can exit.
3490 * This means that we, as a non-session group leader, can never regain a
3491 * controlling terminal. This part is recommended by Stevens's
3492 * _Advanced Programming in the Unix Environment_.
3497 set_main_thread(); /* We are now the main thread. */
3503 /** Finish putting the process into daemon mode: drop standard fds, and tell
3504 * the parent process to exit. (Note: it's safe to call this more than once:
3505 * calls after the first are ignored. Calls start_daemon first if it hasn't
3506 * been called already.)
3509 finish_daemon(const char *desired_cwd
)
3513 if (finish_daemon_called
)
3515 if (!start_daemon_called
)
3517 finish_daemon_called
= 1;
3521 /* Don't hold the wrong FS mounted */
3522 if (chdir(desired_cwd
) < 0) {
3523 log_err(LD_GENERAL
,"chdir to \"%s\" failed. Exiting.",desired_cwd
);
3527 nullfd
= tor_open_cloexec("/dev/null", O_RDWR
, 0);
3529 log_err(LD_GENERAL
,"/dev/null can't be opened. Exiting.");
3532 /* close fds linking to invoking terminal, but
3533 * close usual incoming fds, but redirect them somewhere
3534 * useful so the fds don't get reallocated elsewhere.
3536 if (dup2(nullfd
,0) < 0 ||
3537 dup2(nullfd
,1) < 0 ||
3538 dup2(nullfd
,2) < 0) {
3539 log_err(LD_GENERAL
,"dup2 failed. Exiting.");
3544 /* signal success */
3545 if (write(daemon_filedes
[1], &c
, sizeof(char)) != sizeof(char)) {
3546 log_err(LD_GENERAL
,"write failed. Exiting.");
3548 close(daemon_filedes
[1]);
3551 /* defined(_WIN32) */
3557 finish_daemon(const char *cp
)
3563 /** Write the current process ID, followed by NL, into <b>filename</b>.
3566 write_pidfile(const char *filename
)
3570 if ((pidfile
= fopen(filename
, "w")) == NULL
) {
3571 log_warn(LD_FS
, "Unable to open \"%s\" for writing: %s", filename
,
3575 fprintf(pidfile
, "%d\n", (int)_getpid());
3577 fprintf(pidfile
, "%d\n", (int)getpid());
3585 load_windows_system_library(const TCHAR
*library_name
)
3587 TCHAR path
[MAX_PATH
];
3589 n
= GetSystemDirectory(path
, MAX_PATH
);
3590 if (n
== 0 || n
+ _tcslen(library_name
) + 2 >= MAX_PATH
)
3592 _tcscat(path
, TEXT("\\"));
3593 _tcscat(path
, library_name
);
3594 return LoadLibrary(path
);
3598 /** Format a single argument for being put on a Windows command line.
3599 * Returns a newly allocated string */
3601 format_win_cmdline_argument(const char *arg
)
3603 char *formatted_arg
;
3608 /* Backslash we can point to when one is inserted into the string */
3609 const char backslash
= '\\';
3611 /* Smartlist of *char */
3612 smartlist_t
*arg_chars
;
3613 arg_chars
= smartlist_new();
3615 /* Quote string if it contains whitespace or is empty */
3616 need_quotes
= (strchr(arg
, ' ') || strchr(arg
, '\t') || '\0' == arg
[0]);
3618 /* Build up smartlist of *chars */
3619 for (c
=arg
; *c
!= '\0'; c
++) {
3621 /* Double up backslashes preceding a quote */
3622 for (i
=0; i
<(bs_counter
*2); i
++)
3623 smartlist_add(arg_chars
, (void*)&backslash
);
3625 /* Escape the quote */
3626 smartlist_add(arg_chars
, (void*)&backslash
);
3627 smartlist_add(arg_chars
, (void*)c
);
3628 } else if ('\\' == *c
) {
3629 /* Count backslashes until we know whether to double up */
3632 /* Don't double up slashes preceding a non-quote */
3633 for (i
=0; i
<bs_counter
; i
++)
3634 smartlist_add(arg_chars
, (void*)&backslash
);
3636 smartlist_add(arg_chars
, (void*)c
);
3639 /* Don't double up trailing backslashes */
3640 for (i
=0; i
<bs_counter
; i
++)
3641 smartlist_add(arg_chars
, (void*)&backslash
);
3643 /* Allocate space for argument, quotes (if needed), and terminator */
3644 const size_t formatted_arg_len
= smartlist_len(arg_chars
) +
3645 (need_quotes
? 2 : 0) + 1;
3646 formatted_arg
= tor_malloc_zero(formatted_arg_len
);
3648 /* Add leading quote */
3651 formatted_arg
[i
++] = '"';
3653 /* Add characters */
3654 SMARTLIST_FOREACH(arg_chars
, char*, c
,
3656 formatted_arg
[i
++] = *c
;
3659 /* Add trailing quote */
3661 formatted_arg
[i
++] = '"';
3662 formatted_arg
[i
] = '\0';
3664 smartlist_free(arg_chars
);
3665 return formatted_arg
;
3668 /** Format a command line for use on Windows, which takes the command as a
3669 * string rather than string array. Follows the rules from "Parsing C++
3670 * Command-Line Arguments" in MSDN. Algorithm based on list2cmdline in the
3671 * Python subprocess module. Returns a newly allocated string */
3673 tor_join_win_cmdline(const char *argv
[])
3675 smartlist_t
*argv_list
;
3679 /* Format each argument and put the result in a smartlist */
3680 argv_list
= smartlist_new();
3681 for (i
=0; argv
[i
] != NULL
; i
++) {
3682 smartlist_add(argv_list
, (void *)format_win_cmdline_argument(argv
[i
]));
3685 /* Join the arguments with whitespace */
3686 joined_argv
= smartlist_join_strings(argv_list
, " ", 0, NULL
);
3688 /* Free the newly allocated arguments, and the smartlist */
3689 SMARTLIST_FOREACH(argv_list
, char *, arg
,
3693 smartlist_free(argv_list
);
3698 /* As format_{hex,dex}_number_sigsafe, but takes a <b>radix</b> argument
3699 * in range 2..16 inclusive. */
3701 format_number_sigsafe(unsigned long x
, char *buf
, int buf_len
,
3708 /* NOT tor_assert. This needs to be safe to run from within a signal handler,
3709 * and from within the 'tor_assert() has failed' code. */
3710 if (radix
< 2 || radix
> 16)
3713 /* Count how many digits we need. */
3716 while (tmp
>= radix
) {
3721 /* Not long enough */
3722 if (!buf
|| len
>= buf_len
)
3728 unsigned digit
= (unsigned) (x
% radix
);
3729 tor_assert(cp
> buf
);
3731 *cp
= "0123456789ABCDEF"[digit
];
3735 /* NOT tor_assert; see above. */
3744 * Helper function to output hex numbers from within a signal handler.
3746 * Writes the nul-terminated hexadecimal digits of <b>x</b> into a buffer
3747 * <b>buf</b> of size <b>buf_len</b>, and return the actual number of digits
3748 * written, not counting the terminal NUL.
3750 * If there is insufficient space, write nothing and return 0.
3752 * This accepts an unsigned int because format_helper_exit_status() needs to
3753 * call it with a signed int and an unsigned char, and since the C standard
3754 * does not guarantee that an int is wider than a char (an int must be at
3755 * least 16 bits but it is permitted for a char to be that wide as well), we
3756 * can't assume a signed int is sufficient to accomodate an unsigned char.
3757 * Thus, format_helper_exit_status() will still need to emit any require '-'
3760 * For most purposes, you'd want to use tor_snprintf("%x") instead of this
3761 * function; it's designed to be used in code paths where you can't call
3762 * arbitrary C functions.
3765 format_hex_number_sigsafe(unsigned long x
, char *buf
, int buf_len
)
3767 return format_number_sigsafe(x
, buf
, buf_len
, 16);
3770 /** As format_hex_number_sigsafe, but format the number in base 10. */
3772 format_dec_number_sigsafe(unsigned long x
, char *buf
, int buf_len
)
3774 return format_number_sigsafe(x
, buf
, buf_len
, 10);
3778 /** Format <b>child_state</b> and <b>saved_errno</b> as a hex string placed in
3779 * <b>hex_errno</b>. Called between fork and _exit, so must be signal-handler
3782 * <b>hex_errno</b> must have at least HEX_ERRNO_SIZE+1 bytes available.
3784 * The format of <b>hex_errno</b> is: "CHILD_STATE/ERRNO\n", left-padded
3785 * with spaces. CHILD_STATE indicates where
3786 * in the processs of starting the child process did the failure occur (see
3787 * CHILD_STATE_* macros for definition), and SAVED_ERRNO is the value of
3788 * errno when the failure occurred.
3790 * On success return the number of characters added to hex_errno, not counting
3791 * the terminating NUL; return -1 on error.
3794 format_helper_exit_status(unsigned char child_state
, int saved_errno
,
3797 unsigned int unsigned_errno
;
3803 /* Fill hex_errno with spaces, and a trailing newline (memset may
3804 not be signal handler safe, so we can't use it) */
3805 for (i
= 0; i
< (HEX_ERRNO_SIZE
- 1); i
++)
3807 hex_errno
[HEX_ERRNO_SIZE
- 1] = '\n';
3809 /* Convert errno to be unsigned for hex conversion */
3810 if (saved_errno
< 0) {
3811 // Avoid overflow on the cast to unsigned int when result is INT_MIN
3812 // by adding 1 to the signed int negative value,
3813 // then, after it has been negated and cast to unsigned,
3814 // adding the original 1 back (the double-addition is intentional).
3815 // Otherwise, the cast to signed could cause a temporary int
3816 // to equal INT_MAX + 1, which is undefined.
3817 unsigned_errno
= ((unsigned int) -(saved_errno
+ 1)) + 1;
3819 unsigned_errno
= (unsigned int) saved_errno
;
3823 * Count how many chars of space we have left, and keep a pointer into the
3824 * current point in the buffer.
3826 left
= HEX_ERRNO_SIZE
+1;
3829 /* Emit child_state */
3830 written
= format_hex_number_sigsafe(child_state
, cur
, left
);
3835 /* Adjust left and cur */
3844 /* Adjust left and cur */
3851 if (saved_errno
< 0) {
3859 /* Emit unsigned_errno */
3860 written
= format_hex_number_sigsafe(unsigned_errno
, cur
, left
);
3865 /* Adjust left and cur */
3869 /* Check that we have enough space left for a newline and a NUL */
3873 /* Emit the newline and NUL */
3877 res
= (int)(cur
- hex_errno
- 1);
3883 * In error exit, just write a '\0' in the first char so whatever called
3884 * this at least won't fall off the end.
3893 /* Maximum number of file descriptors, if we cannot get it via sysconf() */
3894 #define DEFAULT_MAX_FD 256
3896 /** Terminate the process of <b>process_handle</b>.
3897 * Code borrowed from Python's os.kill. */
3899 tor_terminate_process(process_handle_t
*process_handle
)
3902 if (tor_get_exit_code(process_handle
, 0, NULL
) == PROCESS_EXIT_RUNNING
) {
3903 HANDLE handle
= process_handle
->pid
.hProcess
;
3905 if (!TerminateProcess(handle
, 0))
3911 if (process_handle
->waitpid_cb
) {
3912 /* We haven't got a waitpid yet, so we can just kill off the process. */
3913 return kill(process_handle
->pid
, SIGTERM
);
3920 /** Return the Process ID of <b>process_handle</b>. */
3922 tor_process_get_pid(process_handle_t
*process_handle
)
3925 return (int) process_handle
->pid
.dwProcessId
;
3927 return (int) process_handle
->pid
;
3933 tor_process_get_stdout_pipe(process_handle_t
*process_handle
)
3935 return process_handle
->stdout_pipe
;
3938 /* DOCDOC tor_process_get_stdout_pipe */
3940 tor_process_get_stdout_pipe(process_handle_t
*process_handle
)
3942 return process_handle
->stdout_handle
;
3946 /* DOCDOC process_handle_new */
3947 static process_handle_t
*
3948 process_handle_new(void)
3950 process_handle_t
*out
= tor_malloc_zero(sizeof(process_handle_t
));
3953 out
->stdin_pipe
= INVALID_HANDLE_VALUE
;
3954 out
->stdout_pipe
= INVALID_HANDLE_VALUE
;
3955 out
->stderr_pipe
= INVALID_HANDLE_VALUE
;
3957 out
->stdin_pipe
= -1;
3958 out
->stdout_pipe
= -1;
3959 out
->stderr_pipe
= -1;
3966 /** Invoked when a process that we've launched via tor_spawn_background() has
3967 * been found to have terminated.
3970 process_handle_waitpid_cb(int status
, void *arg
)
3972 process_handle_t
*process_handle
= arg
;
3974 process_handle
->waitpid_exit_status
= status
;
3975 clear_waitpid_callback(process_handle
->waitpid_cb
);
3976 if (process_handle
->status
== PROCESS_STATUS_RUNNING
)
3977 process_handle
->status
= PROCESS_STATUS_NOTRUNNING
;
3978 process_handle
->waitpid_cb
= 0;
3983 * @name child-process states
3985 * Each of these values represents a possible state that a child process can
3986 * be in. They're used to determine what to say when telling the parent how
3987 * far along we were before failure.
3991 #define CHILD_STATE_INIT 0
3992 #define CHILD_STATE_PIPE 1
3993 #define CHILD_STATE_MAXFD 2
3994 #define CHILD_STATE_FORK 3
3995 #define CHILD_STATE_DUPOUT 4
3996 #define CHILD_STATE_DUPERR 5
3997 #define CHILD_STATE_DUPIN 6
3998 #define CHILD_STATE_CLOSEFD 7
3999 #define CHILD_STATE_EXEC 8
4000 #define CHILD_STATE_FAILEXEC 9
4002 /** Start a program in the background. If <b>filename</b> contains a '/', then
4003 * it will be treated as an absolute or relative path. Otherwise, on
4004 * non-Windows systems, the system path will be searched for <b>filename</b>.
4005 * On Windows, only the current directory will be searched. Here, to search the
4006 * system path (as well as the application directory, current working
4007 * directory, and system directories), set filename to NULL.
4009 * The strings in <b>argv</b> will be passed as the command line arguments of
4010 * the child program (following convention, argv[0] should normally be the
4011 * filename of the executable, and this must be the case if <b>filename</b> is
4012 * NULL). The last element of argv must be NULL. A handle to the child process
4013 * will be returned in process_handle (which must be non-NULL). Read
4014 * process_handle.status to find out if the process was successfully launched.
4015 * For convenience, process_handle.status is returned by this function.
4017 * Some parts of this code are based on the POSIX subprocess module from
4018 * Python, and example code from
4019 * http://msdn.microsoft.com/en-us/library/ms682499%28v=vs.85%29.aspx.
4022 tor_spawn_background(const char *const filename
, const char **argv
,
4023 process_environment_t
*env
,
4024 process_handle_t
**process_handle_out
)
4027 HANDLE stdout_pipe_read
= NULL
;
4028 HANDLE stdout_pipe_write
= NULL
;
4029 HANDLE stderr_pipe_read
= NULL
;
4030 HANDLE stderr_pipe_write
= NULL
;
4031 HANDLE stdin_pipe_read
= NULL
;
4032 HANDLE stdin_pipe_write
= NULL
;
4033 process_handle_t
*process_handle
;
4036 STARTUPINFOA siStartInfo
;
4037 BOOL retval
= FALSE
;
4039 SECURITY_ATTRIBUTES saAttr
;
4042 saAttr
.nLength
= sizeof(SECURITY_ATTRIBUTES
);
4043 saAttr
.bInheritHandle
= TRUE
;
4044 /* TODO: should we set explicit security attributes? (#2046, comment 5) */
4045 saAttr
.lpSecurityDescriptor
= NULL
;
4047 /* Assume failure to start process */
4048 status
= PROCESS_STATUS_ERROR
;
4050 /* Set up pipe for stdout */
4051 if (!CreatePipe(&stdout_pipe_read
, &stdout_pipe_write
, &saAttr
, 0)) {
4052 log_warn(LD_GENERAL
,
4053 "Failed to create pipe for stdout communication with child process: %s",
4054 format_win32_error(GetLastError()));
4057 if (!SetHandleInformation(stdout_pipe_read
, HANDLE_FLAG_INHERIT
, 0)) {
4058 log_warn(LD_GENERAL
,
4059 "Failed to configure pipe for stdout communication with child "
4060 "process: %s", format_win32_error(GetLastError()));
4064 /* Set up pipe for stderr */
4065 if (!CreatePipe(&stderr_pipe_read
, &stderr_pipe_write
, &saAttr
, 0)) {
4066 log_warn(LD_GENERAL
,
4067 "Failed to create pipe for stderr communication with child process: %s",
4068 format_win32_error(GetLastError()));
4071 if (!SetHandleInformation(stderr_pipe_read
, HANDLE_FLAG_INHERIT
, 0)) {
4072 log_warn(LD_GENERAL
,
4073 "Failed to configure pipe for stderr communication with child "
4074 "process: %s", format_win32_error(GetLastError()));
4078 /* Set up pipe for stdin */
4079 if (!CreatePipe(&stdin_pipe_read
, &stdin_pipe_write
, &saAttr
, 0)) {
4080 log_warn(LD_GENERAL
,
4081 "Failed to create pipe for stdin communication with child process: %s",
4082 format_win32_error(GetLastError()));
4085 if (!SetHandleInformation(stdin_pipe_write
, HANDLE_FLAG_INHERIT
, 0)) {
4086 log_warn(LD_GENERAL
,
4087 "Failed to configure pipe for stdin communication with child "
4088 "process: %s", format_win32_error(GetLastError()));
4092 /* Create the child process */
4094 /* Windows expects argv to be a whitespace delimited string, so join argv up
4096 joined_argv
= tor_join_win_cmdline(argv
);
4098 process_handle
= process_handle_new();
4099 process_handle
->status
= status
;
4101 ZeroMemory(&(process_handle
->pid
), sizeof(PROCESS_INFORMATION
));
4102 ZeroMemory(&siStartInfo
, sizeof(STARTUPINFO
));
4103 siStartInfo
.cb
= sizeof(STARTUPINFO
);
4104 siStartInfo
.hStdError
= stderr_pipe_write
;
4105 siStartInfo
.hStdOutput
= stdout_pipe_write
;
4106 siStartInfo
.hStdInput
= stdin_pipe_read
;
4107 siStartInfo
.dwFlags
|= STARTF_USESTDHANDLES
;
4109 /* Create the child process */
4111 retval
= CreateProcessA(filename
, // module name
4112 joined_argv
, // command line
4113 /* TODO: should we set explicit security attributes? (#2046, comment 5) */
4114 NULL
, // process security attributes
4115 NULL
, // primary thread security attributes
4116 TRUE
, // handles are inherited
4117 /*(TODO: set CREATE_NEW CONSOLE/PROCESS_GROUP to make GetExitCodeProcess()
4119 CREATE_NO_WINDOW
, // creation flags
4120 (env
==NULL
) ? NULL
: env
->windows_environment_block
,
4121 NULL
, // use parent's current directory
4122 &siStartInfo
, // STARTUPINFO pointer
4123 &(process_handle
->pid
)); // receives PROCESS_INFORMATION
4125 tor_free(joined_argv
);
4128 log_warn(LD_GENERAL
,
4129 "Failed to create child process %s: %s", filename
?filename
:argv
[0],
4130 format_win32_error(GetLastError()));
4131 tor_free(process_handle
);
4133 /* TODO: Close hProcess and hThread in process_handle->pid? */
4134 process_handle
->stdout_pipe
= stdout_pipe_read
;
4135 process_handle
->stderr_pipe
= stderr_pipe_read
;
4136 process_handle
->stdin_pipe
= stdin_pipe_write
;
4137 status
= process_handle
->status
= PROCESS_STATUS_RUNNING
;
4140 /* TODO: Close pipes on exit */
4141 *process_handle_out
= process_handle
;
4150 process_handle_t
*process_handle
;
4153 const char *error_message
= SPAWN_ERROR_MESSAGE
;
4154 size_t error_message_length
;
4156 /* Represents where in the process of spawning the program is;
4157 this is used for printing out the error message */
4158 unsigned char child_state
= CHILD_STATE_INIT
;
4160 char hex_errno
[HEX_ERRNO_SIZE
+ 2]; /* + 1 should be sufficient actually */
4162 static int max_fd
= -1;
4164 status
= PROCESS_STATUS_ERROR
;
4166 /* We do the strlen here because strlen() is not signal handler safe,
4167 and we are not allowed to use unsafe functions between fork and exec */
4168 error_message_length
= strlen(error_message
);
4170 child_state
= CHILD_STATE_PIPE
;
4172 /* Set up pipe for redirecting stdout, stderr, and stdin of child */
4173 retval
= pipe(stdout_pipe
);
4175 log_warn(LD_GENERAL
,
4176 "Failed to set up pipe for stdout communication with child process: %s",
4181 retval
= pipe(stderr_pipe
);
4183 log_warn(LD_GENERAL
,
4184 "Failed to set up pipe for stderr communication with child process: %s",
4187 close(stdout_pipe
[0]);
4188 close(stdout_pipe
[1]);
4193 retval
= pipe(stdin_pipe
);
4195 log_warn(LD_GENERAL
,
4196 "Failed to set up pipe for stdin communication with child process: %s",
4199 close(stdout_pipe
[0]);
4200 close(stdout_pipe
[1]);
4201 close(stderr_pipe
[0]);
4202 close(stderr_pipe
[1]);
4207 child_state
= CHILD_STATE_MAXFD
;
4211 max_fd
= (int) sysconf(_SC_OPEN_MAX
);
4213 max_fd
= DEFAULT_MAX_FD
;
4214 log_warn(LD_GENERAL
,
4215 "Cannot find maximum file descriptor, assuming %d", max_fd
);
4219 max_fd
= DEFAULT_MAX_FD
;
4222 child_state
= CHILD_STATE_FORK
;
4228 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
4229 /* Attempt to have the kernel issue a SIGTERM if the parent
4230 * goes away. Certain attributes of the binary being execve()ed
4231 * will clear this during the execve() call, but it's better
4234 prctl(PR_SET_PDEATHSIG
, SIGTERM
);
4237 child_state
= CHILD_STATE_DUPOUT
;
4239 /* Link child stdout to the write end of the pipe */
4240 retval
= dup2(stdout_pipe
[1], STDOUT_FILENO
);
4244 child_state
= CHILD_STATE_DUPERR
;
4246 /* Link child stderr to the write end of the pipe */
4247 retval
= dup2(stderr_pipe
[1], STDERR_FILENO
);
4251 child_state
= CHILD_STATE_DUPIN
;
4253 /* Link child stdin to the read end of the pipe */
4254 retval
= dup2(stdin_pipe
[0], STDIN_FILENO
);
4258 child_state
= CHILD_STATE_CLOSEFD
;
4260 close(stderr_pipe
[0]);
4261 close(stderr_pipe
[1]);
4262 close(stdout_pipe
[0]);
4263 close(stdout_pipe
[1]);
4264 close(stdin_pipe
[0]);
4265 close(stdin_pipe
[1]);
4267 /* Close all other fds, including the read end of the pipe */
4268 /* XXX: We should now be doing enough FD_CLOEXEC setting to make
4270 for (fd
= STDERR_FILENO
+ 1; fd
< max_fd
; fd
++) {
4274 child_state
= CHILD_STATE_EXEC
;
4276 /* Call the requested program. We need the cast because
4277 execvp doesn't define argv as const, even though it
4278 does not modify the arguments */
4280 execve(filename
, (char *const *) argv
, env
->unixoid_environment_block
);
4282 static char *new_env
[] = { NULL
};
4283 execve(filename
, (char *const *) argv
, new_env
);
4286 /* If we got here, the exec or open(/dev/null) failed */
4288 child_state
= CHILD_STATE_FAILEXEC
;
4292 /* XXX: are we leaking fds from the pipe? */
4295 n
= format_helper_exit_status(child_state
, errno
, hex_errno
);
4298 /* Write the error message. GCC requires that we check the return
4299 value, but there is nothing we can do if it fails */
4300 /* TODO: Don't use STDOUT, use a pipe set up just for this purpose */
4301 nbytes
= write(STDOUT_FILENO
, error_message
, error_message_length
);
4302 nbytes
= write(STDOUT_FILENO
, hex_errno
, n
);
4309 /* Never reached, but avoids compiler warning */
4316 log_warn(LD_GENERAL
, "Failed to fork child process: %s", strerror(errno
));
4317 close(stdin_pipe
[0]);
4318 close(stdin_pipe
[1]);
4319 close(stdout_pipe
[0]);
4320 close(stdout_pipe
[1]);
4321 close(stderr_pipe
[0]);
4322 close(stderr_pipe
[1]);
4326 process_handle
= process_handle_new();
4327 process_handle
->status
= status
;
4328 process_handle
->pid
= pid
;
4330 /* TODO: If the child process forked but failed to exec, waitpid it */
4332 /* Return read end of the pipes to caller, and close write end */
4333 process_handle
->stdout_pipe
= stdout_pipe
[0];
4334 retval
= close(stdout_pipe
[1]);
4337 log_warn(LD_GENERAL
,
4338 "Failed to close write end of stdout pipe in parent process: %s",
4342 process_handle
->waitpid_cb
= set_waitpid_callback(pid
,
4343 process_handle_waitpid_cb
,
4346 process_handle
->stderr_pipe
= stderr_pipe
[0];
4347 retval
= close(stderr_pipe
[1]);
4350 log_warn(LD_GENERAL
,
4351 "Failed to close write end of stderr pipe in parent process: %s",
4355 /* Return write end of the stdin pipe to caller, and close the read end */
4356 process_handle
->stdin_pipe
= stdin_pipe
[1];
4357 retval
= close(stdin_pipe
[0]);
4360 log_warn(LD_GENERAL
,
4361 "Failed to close read end of stdin pipe in parent process: %s",
4365 status
= process_handle
->status
= PROCESS_STATUS_RUNNING
;
4366 /* Set stdin/stdout/stderr pipes to be non-blocking */
4367 if (fcntl(process_handle
->stdout_pipe
, F_SETFL
, O_NONBLOCK
) < 0 ||
4368 fcntl(process_handle
->stderr_pipe
, F_SETFL
, O_NONBLOCK
) < 0 ||
4369 fcntl(process_handle
->stdin_pipe
, F_SETFL
, O_NONBLOCK
) < 0) {
4370 log_warn(LD_GENERAL
, "Failed to set stderror/stdout/stdin pipes "
4371 "nonblocking in parent process: %s", strerror(errno
));
4373 /* Open the buffered IO streams */
4374 process_handle
->stdout_handle
= fdopen(process_handle
->stdout_pipe
, "r");
4375 process_handle
->stderr_handle
= fdopen(process_handle
->stderr_pipe
, "r");
4376 process_handle
->stdin_handle
= fdopen(process_handle
->stdin_pipe
, "r");
4378 *process_handle_out
= process_handle
;
4379 return process_handle
->status
;
4383 /** Destroy all resources allocated by the process handle in
4384 * <b>process_handle</b>.
4385 * If <b>also_terminate_process</b> is true, also terminate the
4386 * process of the process handle. */
4388 tor_process_handle_destroy
,(process_handle_t
*process_handle
,
4389 int also_terminate_process
))
4391 if (!process_handle
)
4394 if (also_terminate_process
) {
4395 if (tor_terminate_process(process_handle
) < 0) {
4396 const char *errstr
=
4398 format_win32_error(GetLastError());
4402 log_notice(LD_GENERAL
, "Failed to terminate process with "
4403 "PID '%d' ('%s').", tor_process_get_pid(process_handle
),
4406 log_info(LD_GENERAL
, "Terminated process with PID '%d'.",
4407 tor_process_get_pid(process_handle
));
4411 process_handle
->status
= PROCESS_STATUS_NOTRUNNING
;
4414 if (process_handle
->stdout_pipe
)
4415 CloseHandle(process_handle
->stdout_pipe
);
4417 if (process_handle
->stderr_pipe
)
4418 CloseHandle(process_handle
->stderr_pipe
);
4420 if (process_handle
->stdin_pipe
)
4421 CloseHandle(process_handle
->stdin_pipe
);
4423 if (process_handle
->stdout_handle
)
4424 fclose(process_handle
->stdout_handle
);
4426 if (process_handle
->stderr_handle
)
4427 fclose(process_handle
->stderr_handle
);
4429 if (process_handle
->stdin_handle
)
4430 fclose(process_handle
->stdin_handle
);
4432 clear_waitpid_callback(process_handle
->waitpid_cb
);
4435 memset(process_handle
, 0x0f, sizeof(process_handle_t
));
4436 tor_free(process_handle
);
4439 /** Get the exit code of a process specified by <b>process_handle</b> and store
4440 * it in <b>exit_code</b>, if set to a non-NULL value. If <b>block</b> is set
4441 * to true, the call will block until the process has exited. Otherwise if
4442 * the process is still running, the function will return
4443 * PROCESS_EXIT_RUNNING, and exit_code will be left unchanged. Returns
4444 * PROCESS_EXIT_EXITED if the process did exit. If there is a failure,
4445 * PROCESS_EXIT_ERROR will be returned and the contents of exit_code (if
4446 * non-NULL) will be undefined. N.B. Under *nix operating systems, this will
4447 * probably not work in Tor, because waitpid() is called in main.c to reap any
4448 * terminated child processes.*/
4450 tor_get_exit_code(process_handle_t
*process_handle
,
4451 int block
, int *exit_code
)
4458 /* Wait for the process to exit */
4459 retval
= WaitForSingleObject(process_handle
->pid
.hProcess
, INFINITE
);
4460 if (retval
!= WAIT_OBJECT_0
) {
4461 log_warn(LD_GENERAL
, "WaitForSingleObject() failed (%d): %s",
4462 (int)retval
, format_win32_error(GetLastError()));
4463 return PROCESS_EXIT_ERROR
;
4466 retval
= WaitForSingleObject(process_handle
->pid
.hProcess
, 0);
4467 if (WAIT_TIMEOUT
== retval
) {
4468 /* Process has not exited */
4469 return PROCESS_EXIT_RUNNING
;
4470 } else if (retval
!= WAIT_OBJECT_0
) {
4471 log_warn(LD_GENERAL
, "WaitForSingleObject() failed (%d): %s",
4472 (int)retval
, format_win32_error(GetLastError()));
4473 return PROCESS_EXIT_ERROR
;
4477 if (exit_code
!= NULL
) {
4478 success
= GetExitCodeProcess(process_handle
->pid
.hProcess
,
4481 log_warn(LD_GENERAL
, "GetExitCodeProcess() failed: %s",
4482 format_win32_error(GetLastError()));
4483 return PROCESS_EXIT_ERROR
;
4490 if (process_handle
->waitpid_cb
) {
4491 /* We haven't processed a SIGCHLD yet. */
4492 retval
= waitpid(process_handle
->pid
, &stat_loc
, block
?0:WNOHANG
);
4493 if (retval
== process_handle
->pid
) {
4494 clear_waitpid_callback(process_handle
->waitpid_cb
);
4495 process_handle
->waitpid_cb
= NULL
;
4496 process_handle
->waitpid_exit_status
= stat_loc
;
4499 /* We already got a SIGCHLD for this process, and handled it. */
4500 retval
= process_handle
->pid
;
4501 stat_loc
= process_handle
->waitpid_exit_status
;
4504 if (!block
&& 0 == retval
) {
4505 /* Process has not exited */
4506 return PROCESS_EXIT_RUNNING
;
4507 } else if (retval
!= process_handle
->pid
) {
4508 log_warn(LD_GENERAL
, "waitpid() failed for PID %d: %s",
4509 process_handle
->pid
, strerror(errno
));
4510 return PROCESS_EXIT_ERROR
;
4513 if (!WIFEXITED(stat_loc
)) {
4514 log_warn(LD_GENERAL
, "Process %d did not exit normally",
4515 process_handle
->pid
);
4516 return PROCESS_EXIT_ERROR
;
4519 if (exit_code
!= NULL
)
4520 *exit_code
= WEXITSTATUS(stat_loc
);
4523 return PROCESS_EXIT_EXITED
;
4526 /** Helper: return the number of characters in <b>s</b> preceding the first
4527 * occurrence of <b>ch</b>. If <b>ch</b> does not occur in <b>s</b>, return
4528 * the length of <b>s</b>. Should be equivalent to strspn(s, "ch"). */
4529 static INLINE
size_t
4530 str_num_before(const char *s
, char ch
)
4532 const char *cp
= strchr(s
, ch
);
4539 /** Return non-zero iff getenv would consider <b>s1</b> and <b>s2</b>
4540 * to have the same name as strings in a process's environment. */
4542 environment_variable_names_equal(const char *s1
, const char *s2
)
4544 size_t s1_name_len
= str_num_before(s1
, '=');
4545 size_t s2_name_len
= str_num_before(s2
, '=');
4547 return (s1_name_len
== s2_name_len
&&
4548 tor_memeq(s1
, s2
, s1_name_len
));
4551 /** Free <b>env</b> (assuming it was produced by
4552 * process_environment_make). */
4554 process_environment_free(process_environment_t
*env
)
4556 if (env
== NULL
) return;
4558 /* As both an optimization hack to reduce consing on Unixoid systems
4559 * and a nice way to ensure that some otherwise-Windows-specific
4560 * code will always get tested before changes to it get merged, the
4561 * strings which env->unixoid_environment_block points to are packed
4562 * into env->windows_environment_block. */
4563 tor_free(env
->unixoid_environment_block
);
4564 tor_free(env
->windows_environment_block
);
4569 /** Make a process_environment_t containing the environment variables
4570 * specified in <b>env_vars</b> (as C strings of the form
4572 process_environment_t
*
4573 process_environment_make(struct smartlist_t
*env_vars
)
4575 process_environment_t
*env
= tor_malloc_zero(sizeof(process_environment_t
));
4576 size_t n_env_vars
= smartlist_len(env_vars
);
4578 size_t total_env_length
;
4579 smartlist_t
*env_vars_sorted
;
4581 tor_assert(n_env_vars
+ 1 != 0);
4582 env
->unixoid_environment_block
= tor_calloc(n_env_vars
+ 1, sizeof(char *));
4583 /* env->unixoid_environment_block is already NULL-terminated,
4584 * because we assume that NULL == 0 (and check that during compilation). */
4586 total_env_length
= 1; /* terminating NUL of terminating empty string */
4587 for (i
= 0; i
< n_env_vars
; ++i
) {
4588 const char *s
= smartlist_get(env_vars
, i
);
4589 size_t slen
= strlen(s
);
4591 tor_assert(slen
+ 1 != 0);
4592 tor_assert(slen
+ 1 < SIZE_MAX
- total_env_length
);
4593 total_env_length
+= slen
+ 1;
4596 env
->windows_environment_block
= tor_malloc_zero(total_env_length
);
4597 /* env->windows_environment_block is already
4598 * (NUL-terminated-empty-string)-terminated. */
4600 /* Some versions of Windows supposedly require that environment
4601 * blocks be sorted. Or maybe some Windows programs (or their
4602 * runtime libraries) fail to look up strings in non-sorted
4603 * environment blocks.
4605 * Also, sorting strings makes it easy to find duplicate environment
4606 * variables and environment-variable strings without an '=' on all
4607 * OSes, and they can cause badness. Let's complain about those. */
4608 env_vars_sorted
= smartlist_new();
4609 smartlist_add_all(env_vars_sorted
, env_vars
);
4610 smartlist_sort_strings(env_vars_sorted
);
4612 /* Now copy the strings into the environment blocks. */
4614 char *cp
= env
->windows_environment_block
;
4615 const char *prev_env_var
= NULL
;
4617 for (i
= 0; i
< n_env_vars
; ++i
) {
4618 const char *s
= smartlist_get(env_vars_sorted
, i
);
4619 size_t slen
= strlen(s
);
4620 size_t s_name_len
= str_num_before(s
, '=');
4622 if (s_name_len
== slen
) {
4623 log_warn(LD_GENERAL
,
4624 "Preparing an environment containing a variable "
4625 "without a value: %s",
4628 if (prev_env_var
!= NULL
&&
4629 environment_variable_names_equal(s
, prev_env_var
)) {
4630 log_warn(LD_GENERAL
,
4631 "Preparing an environment containing two variables "
4632 "with the same name: %s and %s",
4638 /* Actually copy the string into the environment. */
4639 memcpy(cp
, s
, slen
+1);
4640 env
->unixoid_environment_block
[i
] = cp
;
4644 tor_assert(cp
== env
->windows_environment_block
+ total_env_length
- 1);
4647 smartlist_free(env_vars_sorted
);
4652 /** Return a newly allocated smartlist containing every variable in
4653 * this process's environment, as a NUL-terminated string of the form
4654 * "NAME=VALUE". Note that on some/many/most/all OSes, the parent
4655 * process can put strings not of that form in our environment;
4656 * callers should try to not get crashed by that.
4658 * The returned strings are heap-allocated, and must be freed by the
4660 struct smartlist_t
*
4661 get_current_process_environment_variables(void)
4663 smartlist_t
*sl
= smartlist_new();
4665 char **environ_tmp
; /* Not const char ** ? Really? */
4666 for (environ_tmp
= get_environment(); *environ_tmp
; ++environ_tmp
) {
4667 smartlist_add(sl
, tor_strdup(*environ_tmp
));
4673 /** For each string s in <b>env_vars</b> such that
4674 * environment_variable_names_equal(s, <b>new_var</b>), remove it; if
4675 * <b>free_p</b> is non-zero, call <b>free_old</b>(s). If
4676 * <b>new_var</b> contains '=', insert it into <b>env_vars</b>. */
4678 set_environment_variable_in_smartlist(struct smartlist_t
*env_vars
,
4679 const char *new_var
,
4680 void (*free_old
)(void*),
4683 SMARTLIST_FOREACH_BEGIN(env_vars
, const char *, s
) {
4684 if (environment_variable_names_equal(s
, new_var
)) {
4685 SMARTLIST_DEL_CURRENT(env_vars
, s
);
4687 free_old((void *)s
);
4690 } SMARTLIST_FOREACH_END(s
);
4692 if (strchr(new_var
, '=') != NULL
) {
4693 smartlist_add(env_vars
, (void *)new_var
);
4698 /** Read from a handle <b>h</b> into <b>buf</b>, up to <b>count</b> bytes. If
4699 * <b>hProcess</b> is NULL, the function will return immediately if there is
4700 * nothing more to read. Otherwise <b>hProcess</b> should be set to the handle
4701 * to the process owning the <b>h</b>. In this case, the function will exit
4702 * only once the process has exited, or <b>count</b> bytes are read. Returns
4703 * the number of bytes read, or -1 on error. */
4705 tor_read_all_handle(HANDLE h
, char *buf
, size_t count
,
4706 const process_handle_t
*process
)
4711 BOOL process_exited
= FALSE
;
4713 if (count
> SIZE_T_CEILING
|| count
> SSIZE_MAX
)
4716 while (numread
!= count
) {
4717 /* Check if there is anything to read */
4718 retval
= PeekNamedPipe(h
, NULL
, 0, NULL
, &byte_count
, NULL
);
4720 log_warn(LD_GENERAL
,
4721 "Failed to peek from handle: %s",
4722 format_win32_error(GetLastError()));
4724 } else if (0 == byte_count
) {
4725 /* Nothing available: process exited or it is busy */
4727 /* Exit if we don't know whether the process is running */
4728 if (NULL
== process
)
4731 /* The process exited and there's nothing left to read from it */
4735 /* If process is not running, check for output one more time in case
4736 it wrote something after the peek was performed. Otherwise keep on
4737 waiting for output */
4738 tor_assert(process
!= NULL
);
4739 byte_count
= WaitForSingleObject(process
->pid
.hProcess
, 0);
4740 if (WAIT_TIMEOUT
!= byte_count
)
4741 process_exited
= TRUE
;
4746 /* There is data to read; read it */
4747 retval
= ReadFile(h
, buf
+numread
, count
-numread
, &byte_count
, NULL
);
4748 tor_assert(byte_count
+ numread
<= count
);
4750 log_warn(LD_GENERAL
, "Failed to read from handle: %s",
4751 format_win32_error(GetLastError()));
4753 } else if (0 == byte_count
) {
4757 numread
+= byte_count
;
4759 return (ssize_t
)numread
;
4762 /** Read from a handle <b>h</b> into <b>buf</b>, up to <b>count</b> bytes. If
4763 * <b>process</b> is NULL, the function will return immediately if there is
4764 * nothing more to read. Otherwise data will be read until end of file, or
4765 * <b>count</b> bytes are read. Returns the number of bytes read, or -1 on
4766 * error. Sets <b>eof</b> to true if <b>eof</b> is not NULL and the end of the
4767 * file has been reached. */
4769 tor_read_all_handle(FILE *h
, char *buf
, size_t count
,
4770 const process_handle_t
*process
,
4779 if (count
> SIZE_T_CEILING
|| count
> SSIZE_MAX
)
4782 while (numread
!= count
) {
4783 /* Use fgets because that is what we use in log_from_pipe() */
4784 retval
= fgets(buf
+numread
, (int)(count
-numread
), h
);
4785 if (NULL
== retval
) {
4787 log_debug(LD_GENERAL
, "fgets() reached end of file");
4792 if (EAGAIN
== errno
) {
4798 log_warn(LD_GENERAL
, "fgets() from handle failed: %s",
4804 tor_assert(retval
!= NULL
);
4805 tor_assert(strlen(retval
) + numread
<= count
);
4806 numread
+= strlen(retval
);
4809 log_debug(LD_GENERAL
, "fgets() read %d bytes from handle", (int)numread
);
4810 return (ssize_t
)numread
;
4814 /** Read from stdout of a process until the process exits. */
4816 tor_read_all_from_process_stdout(const process_handle_t
*process_handle
,
4817 char *buf
, size_t count
)
4820 return tor_read_all_handle(process_handle
->stdout_pipe
, buf
, count
,
4823 return tor_read_all_handle(process_handle
->stdout_handle
, buf
, count
,
4824 process_handle
, NULL
);
4828 /** Read from stdout of a process until the process exits. */
4830 tor_read_all_from_process_stderr(const process_handle_t
*process_handle
,
4831 char *buf
, size_t count
)
4834 return tor_read_all_handle(process_handle
->stderr_pipe
, buf
, count
,
4837 return tor_read_all_handle(process_handle
->stderr_handle
, buf
, count
,
4838 process_handle
, NULL
);
4842 /** Split buf into lines, and add to smartlist. The buffer <b>buf</b> will be
4843 * modified. The resulting smartlist will consist of pointers to buf, so there
4844 * is no need to free the contents of sl. <b>buf</b> must be a NUL-terminated
4845 * string. <b>len</b> should be set to the length of the buffer excluding the
4846 * NUL. Non-printable characters (including NUL) will be replaced with "." */
4848 tor_split_lines(smartlist_t
*sl
, char *buf
, int len
)
4850 /* Index in buf of the start of the current line */
4852 /* Index in buf of the current character being processed */
4854 /* Are we currently in a line */
4857 /* Loop over string */
4859 /* Loop until end of line or end of string */
4860 for (; cur
< len
; cur
++) {
4862 if ('\r' == buf
[cur
] || '\n' == buf
[cur
]) {
4865 /* Point cur to the next line */
4867 /* Line starts at start and ends with a nul */
4870 if (!TOR_ISPRINT(buf
[cur
]))
4874 if ('\r' == buf
[cur
] || '\n' == buf
[cur
]) {
4875 /* Skip leading vertical space */
4880 if (!TOR_ISPRINT(buf
[cur
]))
4885 /* We are at the end of the line or end of string. If in_line is true there
4886 * is a line which starts at buf+start and ends at a NUL. cur points to
4887 * the character after the NUL. */
4889 smartlist_add(sl
, (void *)(buf
+start
));
4892 return smartlist_len(sl
);
4895 /** Return a string corresponding to <b>stream_status</b>. */
4897 stream_status_to_string(enum stream_status stream_status
)
4899 switch (stream_status
) {
4900 case IO_STREAM_OKAY
:
4902 case IO_STREAM_EAGAIN
:
4903 return "temporarily unavailable";
4904 case IO_STREAM_TERM
:
4905 return "terminated";
4906 case IO_STREAM_CLOSED
:
4909 tor_fragile_assert();
4916 log_portfw_spawn_error_message(const char *buf
,
4917 const char *executable
, int *child_status
)
4919 /* Parse error message */
4920 int retval
, child_state
, saved_errno
;
4921 retval
= tor_sscanf(buf
, SPAWN_ERROR_MESSAGE
"%x/%x",
4922 &child_state
, &saved_errno
);
4924 log_warn(LD_GENERAL
,
4925 "Failed to start child process \"%s\" in state %d: %s",
4926 executable
, child_state
, strerror(saved_errno
));
4930 /* Failed to parse message from child process, log it as a
4932 log_warn(LD_GENERAL
,
4933 "Unexpected message from port forwarding helper \"%s\": %s",
4940 /** Return a smartlist containing lines outputted from
4941 * <b>handle</b>. Return NULL on error, and set
4942 * <b>stream_status_out</b> appropriately. */
4943 MOCK_IMPL(smartlist_t
*,
4944 tor_get_lines_from_handle
, (HANDLE
*handle
,
4945 enum stream_status
*stream_status_out
))
4948 char stdout_buf
[600] = {0};
4949 smartlist_t
*lines
= NULL
;
4951 tor_assert(stream_status_out
);
4953 *stream_status_out
= IO_STREAM_TERM
;
4955 pos
= tor_read_all_handle(handle
, stdout_buf
, sizeof(stdout_buf
) - 1, NULL
);
4957 *stream_status_out
= IO_STREAM_TERM
;
4961 *stream_status_out
= IO_STREAM_EAGAIN
;
4965 /* End with a null even if there isn't a \r\n at the end */
4966 /* TODO: What if this is a partial line? */
4967 stdout_buf
[pos
] = '\0';
4969 /* Split up the buffer */
4970 lines
= smartlist_new();
4971 tor_split_lines(lines
, stdout_buf
, pos
);
4973 /* Currently 'lines' is populated with strings residing on the
4974 stack. Replace them with their exact copies on the heap: */
4975 SMARTLIST_FOREACH(lines
, char *, line
,
4976 SMARTLIST_REPLACE_CURRENT(lines
, line
, tor_strdup(line
)));
4978 *stream_status_out
= IO_STREAM_OKAY
;
4983 /** Read from stream, and send lines to log at the specified log level.
4984 * Returns -1 if there is a error reading, and 0 otherwise.
4985 * If the generated stream is flushed more often than on new lines, or
4986 * a read exceeds 256 bytes, lines will be truncated. This should be fixed,
4987 * along with the corresponding problem on *nix (see bug #2045).
4990 log_from_handle(HANDLE
*pipe
, int severity
)
4996 pos
= tor_read_all_handle(pipe
, buf
, sizeof(buf
) - 1, NULL
);
4999 log_warn(LD_GENERAL
, "Failed to read data from subprocess");
5004 /* There's nothing to read (process is busy or has exited) */
5005 log_debug(LD_GENERAL
, "Subprocess had nothing to say");
5009 /* End with a null even if there isn't a \r\n at the end */
5010 /* TODO: What if this is a partial line? */
5012 log_debug(LD_GENERAL
, "Subprocess had %d bytes to say", pos
);
5014 /* Split up the buffer */
5015 lines
= smartlist_new();
5016 tor_split_lines(lines
, buf
, pos
);
5019 SMARTLIST_FOREACH(lines
, char *, line
,
5021 log_fn(severity
, LD_GENERAL
, "Port forwarding helper says: %s", line
);
5023 smartlist_free(lines
);
5030 /** Return a smartlist containing lines outputted from
5031 * <b>handle</b>. Return NULL on error, and set
5032 * <b>stream_status_out</b> appropriately. */
5033 MOCK_IMPL(smartlist_t
*,
5034 tor_get_lines_from_handle
, (FILE *handle
,
5035 enum stream_status
*stream_status_out
))
5037 enum stream_status stream_status
;
5038 char stdout_buf
[400];
5039 smartlist_t
*lines
= NULL
;
5042 memset(stdout_buf
, 0, sizeof(stdout_buf
));
5044 stream_status
= get_string_from_pipe(handle
,
5045 stdout_buf
, sizeof(stdout_buf
) - 1);
5046 if (stream_status
!= IO_STREAM_OKAY
)
5049 if (!lines
) lines
= smartlist_new();
5050 smartlist_add(lines
, tor_strdup(stdout_buf
));
5054 *stream_status_out
= stream_status
;
5058 /** Read from stream, and send lines to log at the specified log level.
5059 * Returns 1 if stream is closed normally, -1 if there is a error reading, and
5060 * 0 otherwise. Handles lines from tor-fw-helper and
5061 * tor_spawn_background() specially.
5064 log_from_pipe(FILE *stream
, int severity
, const char *executable
,
5068 enum stream_status r
;
5071 r
= get_string_from_pipe(stream
, buf
, sizeof(buf
) - 1);
5073 if (r
== IO_STREAM_CLOSED
) {
5075 } else if (r
== IO_STREAM_EAGAIN
) {
5077 } else if (r
== IO_STREAM_TERM
) {
5081 tor_assert(r
== IO_STREAM_OKAY
);
5083 /* Check if buf starts with SPAWN_ERROR_MESSAGE */
5084 if (strcmpstart(buf
, SPAWN_ERROR_MESSAGE
) == 0) {
5085 log_portfw_spawn_error_message(buf
, executable
, child_status
);
5087 log_fn(severity
, LD_GENERAL
, "Port forwarding helper says: %s", buf
);
5091 /* We should never get here */
5096 /** Reads from <b>stream</b> and stores input in <b>buf_out</b> making
5097 * sure it's below <b>count</b> bytes.
5098 * If the string has a trailing newline, we strip it off.
5100 * This function is specifically created to handle input from managed
5101 * proxies, according to the pluggable transports spec. Make sure it
5102 * fits your needs before using it.
5105 * IO_STREAM_CLOSED: If the stream is closed.
5106 * IO_STREAM_EAGAIN: If there is nothing to read and we should check back
5108 * IO_STREAM_TERM: If something is wrong with the stream.
5109 * IO_STREAM_OKAY: If everything went okay and we got a string
5110 * in <b>buf_out</b>. */
5112 get_string_from_pipe(FILE *stream
, char *buf_out
, size_t count
)
5117 tor_assert(count
<= INT_MAX
);
5119 retval
= fgets(buf_out
, (int)count
, stream
);
5123 /* Program has closed stream (probably it exited) */
5124 /* TODO: check error */
5125 return IO_STREAM_CLOSED
;
5127 if (EAGAIN
== errno
) {
5128 /* Nothing more to read, try again next time */
5129 return IO_STREAM_EAGAIN
;
5131 /* There was a problem, abandon this child process */
5132 return IO_STREAM_TERM
;
5136 len
= strlen(buf_out
);
5138 /* this probably means we got a NUL at the start of the string. */
5139 return IO_STREAM_EAGAIN
;
5142 if (buf_out
[len
- 1] == '\n') {
5143 /* Remove the trailing newline */
5144 buf_out
[len
- 1] = '\0';
5146 /* No newline; check whether we overflowed the buffer */
5148 log_info(LD_GENERAL
,
5149 "Line from stream was truncated: %s", buf_out
);
5150 /* TODO: What to do with this error? */
5153 return IO_STREAM_OKAY
;
5156 /* We should never get here */
5157 return IO_STREAM_TERM
;
5160 /** Parse a <b>line</b> from tor-fw-helper and issue an appropriate
5161 * log message to our user. */
5163 handle_fw_helper_line(const char *executable
, const char *line
)
5165 smartlist_t
*tokens
= smartlist_new();
5166 char *message
= NULL
;
5167 char *message_for_log
= NULL
;
5168 const char *external_port
= NULL
;
5169 const char *internal_port
= NULL
;
5170 const char *result
= NULL
;
5174 if (strcmpstart(line
, SPAWN_ERROR_MESSAGE
) == 0) {
5175 /* We need to check for SPAWN_ERROR_MESSAGE again here, since it's
5176 * possible that it got sent after we tried to read it in log_from_pipe.
5178 * XXX Ideally, we should be using one of stdout/stderr for the real
5179 * output, and one for the output of the startup code. We used to do that
5180 * before cd05f35d2c.
5183 log_portfw_spawn_error_message(line
, executable
, &child_status
);
5187 smartlist_split_string(tokens
, line
, NULL
,
5188 SPLIT_SKIP_SPACE
|SPLIT_IGNORE_BLANK
, -1);
5190 if (smartlist_len(tokens
) < 5)
5193 if (strcmp(smartlist_get(tokens
, 0), "tor-fw-helper") ||
5194 strcmp(smartlist_get(tokens
, 1), "tcp-forward"))
5197 external_port
= smartlist_get(tokens
, 2);
5198 internal_port
= smartlist_get(tokens
, 3);
5199 result
= smartlist_get(tokens
, 4);
5201 if (smartlist_len(tokens
) > 5) {
5202 /* If there are more than 5 tokens, they are part of [<message>].
5203 Let's use a second smartlist to form the whole message;
5204 strncat loops suck. */
5206 int message_words_n
= smartlist_len(tokens
) - 5;
5207 smartlist_t
*message_sl
= smartlist_new();
5208 for (i
= 0; i
< message_words_n
; i
++)
5209 smartlist_add(message_sl
, smartlist_get(tokens
, 5+i
));
5211 tor_assert(smartlist_len(message_sl
) > 0);
5212 message
= smartlist_join_strings(message_sl
, " ", 0, NULL
);
5214 /* wrap the message in log-friendly wrapping */
5215 tor_asprintf(&message_for_log
, " ('%s')", message
);
5217 smartlist_free(message_sl
);
5220 port
= atoi(external_port
);
5221 if (port
< 1 || port
> 65535)
5224 port
= atoi(internal_port
);
5225 if (port
< 1 || port
> 65535)
5228 if (!strcmp(result
, "SUCCESS"))
5230 else if (!strcmp(result
, "FAIL"))
5236 log_warn(LD_GENERAL
, "Tor was unable to forward TCP port '%s' to '%s'%s. "
5237 "Please make sure that your router supports port "
5238 "forwarding protocols (like NAT-PMP). Note that if '%s' is "
5239 "your ORPort, your relay will be unable to receive inbound "
5240 "traffic.", external_port
, internal_port
,
5241 message_for_log
? message_for_log
: "",
5244 log_info(LD_GENERAL
,
5245 "Tor successfully forwarded TCP port '%s' to '%s'%s.",
5246 external_port
, internal_port
,
5247 message_for_log
? message_for_log
: "");
5253 log_warn(LD_GENERAL
, "tor-fw-helper sent us a string we could not "
5254 "parse (%s).", line
);
5257 SMARTLIST_FOREACH(tokens
, char *, cp
, tor_free(cp
));
5258 smartlist_free(tokens
);
5260 tor_free(message_for_log
);
5263 /** Read what tor-fw-helper has to say in its stdout and handle it
5266 handle_fw_helper_output(const char *executable
,
5267 process_handle_t
*process_handle
)
5269 smartlist_t
*fw_helper_output
= NULL
;
5270 enum stream_status stream_status
= 0;
5273 tor_get_lines_from_handle(tor_process_get_stdout_pipe(process_handle
),
5275 if (!fw_helper_output
) { /* didn't get any output from tor-fw-helper */
5276 /* if EAGAIN we should retry in the future */
5277 return (stream_status
== IO_STREAM_EAGAIN
) ? 0 : -1;
5280 /* Handle the lines we got: */
5281 SMARTLIST_FOREACH_BEGIN(fw_helper_output
, char *, line
) {
5282 handle_fw_helper_line(executable
, line
);
5284 } SMARTLIST_FOREACH_END(line
);
5286 smartlist_free(fw_helper_output
);
5291 /** Spawn tor-fw-helper and ask it to forward the ports in
5292 * <b>ports_to_forward</b>. <b>ports_to_forward</b> contains strings
5293 * of the form "<external port>:<internal port>", which is the format
5294 * that tor-fw-helper expects. */
5296 tor_check_port_forwarding(const char *filename
,
5297 smartlist_t
*ports_to_forward
,
5300 /* When fw-helper succeeds, how long do we wait until running it again */
5301 #define TIME_TO_EXEC_FWHELPER_SUCCESS 300
5302 /* When fw-helper failed to start, how long do we wait until running it again
5304 #define TIME_TO_EXEC_FWHELPER_FAIL 60
5306 /* Static variables are initialized to zero, so child_handle.status=0
5307 * which corresponds to it not running on startup */
5308 static process_handle_t
*child_handle
=NULL
;
5310 static time_t time_to_run_helper
= 0;
5311 int stderr_status
, retval
;
5312 int stdout_status
= 0;
5314 tor_assert(filename
);
5316 /* Start the child, if it is not already running */
5317 if ((!child_handle
|| child_handle
->status
!= PROCESS_STATUS_RUNNING
) &&
5318 time_to_run_helper
< now
) {
5319 /*tor-fw-helper cli looks like this: tor_fw_helper -p :5555 -p 4555:1111 */
5320 const char **argv
; /* cli arguments */
5322 int argv_index
= 0; /* index inside 'argv' */
5324 tor_assert(smartlist_len(ports_to_forward
) > 0);
5326 /* check for overflow during 'argv' allocation:
5327 (len(ports_to_forward)*2 + 2)*sizeof(char*) > SIZE_MAX ==
5328 len(ports_to_forward) > (((SIZE_MAX/sizeof(char*)) - 2)/2) */
5329 if ((size_t) smartlist_len(ports_to_forward
) >
5330 (((SIZE_MAX
/sizeof(char*)) - 2)/2)) {
5331 log_warn(LD_GENERAL
,
5332 "Overflow during argv allocation. This shouldn't happen.");
5335 /* check for overflow during 'argv_index' increase:
5336 ((len(ports_to_forward)*2 + 2) > INT_MAX) ==
5337 len(ports_to_forward) > (INT_MAX - 2)/2 */
5338 if (smartlist_len(ports_to_forward
) > (INT_MAX
- 2)/2) {
5339 log_warn(LD_GENERAL
,
5340 "Overflow during argv_index increase. This shouldn't happen.");
5344 /* Calculate number of cli arguments: one for the filename, two
5345 for each smartlist element (one for "-p" and one for the
5346 ports), and one for the final NULL. */
5347 args_n
= 1 + 2*smartlist_len(ports_to_forward
) + 1;
5348 argv
= tor_calloc(args_n
, sizeof(char *));
5350 argv
[argv_index
++] = filename
;
5351 SMARTLIST_FOREACH_BEGIN(ports_to_forward
, const char *, port
) {
5352 argv
[argv_index
++] = "-p";
5353 argv
[argv_index
++] = port
;
5354 } SMARTLIST_FOREACH_END(port
);
5355 argv
[argv_index
] = NULL
;
5357 /* Assume tor-fw-helper will succeed, start it later*/
5358 time_to_run_helper
= now
+ TIME_TO_EXEC_FWHELPER_SUCCESS
;
5361 tor_process_handle_destroy(child_handle
, 1);
5362 child_handle
= NULL
;
5366 /* Passing NULL as lpApplicationName makes Windows search for the .exe */
5367 status
= tor_spawn_background(NULL
, argv
, NULL
, &child_handle
);
5369 status
= tor_spawn_background(filename
, argv
, NULL
, &child_handle
);
5372 tor_free_((void*)argv
);
5375 if (PROCESS_STATUS_ERROR
== status
) {
5376 log_warn(LD_GENERAL
, "Failed to start port forwarding helper %s",
5378 time_to_run_helper
= now
+ TIME_TO_EXEC_FWHELPER_FAIL
;
5382 log_info(LD_GENERAL
,
5383 "Started port forwarding helper (%s) with pid '%d'",
5384 filename
, tor_process_get_pid(child_handle
));
5387 /* If child is running, read from its stdout and stderr) */
5388 if (child_handle
&& PROCESS_STATUS_RUNNING
== child_handle
->status
) {
5389 /* Read from stdout/stderr and log result */
5392 stderr_status
= log_from_handle(child_handle
->stderr_pipe
, LOG_INFO
);
5394 stderr_status
= log_from_pipe(child_handle
->stderr_handle
,
5395 LOG_INFO
, filename
, &retval
);
5397 if (handle_fw_helper_output(filename
, child_handle
) < 0) {
5398 log_warn(LD_GENERAL
, "Failed to handle fw helper output.");
5404 /* There was a problem in the child process */
5405 time_to_run_helper
= now
+ TIME_TO_EXEC_FWHELPER_FAIL
;
5408 /* Combine the two statuses in order of severity */
5409 if (-1 == stdout_status
|| -1 == stderr_status
)
5410 /* There was a failure */
5413 else if (!child_handle
|| tor_get_exit_code(child_handle
, 0, NULL
) !=
5414 PROCESS_EXIT_RUNNING
) {
5415 /* process has exited or there was an error */
5416 /* TODO: Do something with the process return value */
5417 /* TODO: What if the process output something since
5418 * between log_from_handle and tor_get_exit_code? */
5422 else if (1 == stdout_status
|| 1 == stderr_status
)
5423 /* stdout or stderr was closed, the process probably
5424 * exited. It will be reaped by waitpid() in main.c */
5425 /* TODO: Do something with the process return value */
5432 /* If either pipe indicates a failure, act on it */
5435 log_info(LD_GENERAL
, "Port forwarding helper terminated");
5436 child_handle
->status
= PROCESS_STATUS_NOTRUNNING
;
5438 log_warn(LD_GENERAL
, "Failed to read from port forwarding helper");
5439 child_handle
->status
= PROCESS_STATUS_ERROR
;
5442 /* TODO: The child might not actually be finished (maybe it failed or
5443 closed stdout/stderr), so maybe we shouldn't start another? */
5448 /** Initialize the insecure RNG <b>rng</b> from a seed value <b>seed</b>. */
5450 tor_init_weak_random(tor_weak_rng_t
*rng
, unsigned seed
)
5452 rng
->state
= (uint32_t)(seed
& 0x7fffffff);
5455 /** Return a randomly chosen value in the range 0..TOR_WEAK_RANDOM_MAX based
5456 * on the RNG state of <b>rng</b>. This entropy will not be cryptographically
5457 * strong; do not rely on it for anything an adversary should not be able to
5460 tor_weak_random(tor_weak_rng_t
*rng
)
5462 /* Here's a linear congruential generator. OpenBSD and glibc use these
5463 * parameters; they aren't too bad, and should have maximal period over the
5464 * range 0..INT32_MAX. We don't want to use the platform rand() or random(),
5465 * since some platforms have bad weak RNGs that only return values in the
5466 * range 0..INT16_MAX, which just isn't enough. */
5467 rng
->state
= (rng
->state
* 1103515245 + 12345) & 0x7fffffff;
5468 return (int32_t) rng
->state
;
5471 /** Return a random number in the range [0 , <b>top</b>). {That is, the range
5472 * of integers i such that 0 <= i < top.} Chooses uniformly. Requires that
5473 * top is greater than 0. This randomness is not cryptographically strong; do
5474 * not rely on it for anything an adversary should not be able to predict. */
5476 tor_weak_random_range(tor_weak_rng_t
*rng
, int32_t top
)
5478 /* We don't want to just do tor_weak_random() % top, since random() is often
5479 * implemented with an LCG whose modulus is a power of 2, and those are
5480 * cyclic in their low-order bits. */
5481 int divisor
, result
;
5482 tor_assert(top
> 0);
5483 divisor
= TOR_WEAK_RANDOM_MAX
/ top
;
5485 result
= (int32_t)(tor_weak_random(rng
) / divisor
);
5486 } while (result
>= top
);