| blob | e16dfb1d2b9802c5e2f246b9ea0209dead7134b3 |
1 /* Copyright (c) 2003-2004, Roger Dingledine
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2016, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file compat.c
8 * \brief Wrappers to make calls more portable. This code defines
9 * functions such as tor_snprintf, get/set various data types,
10 * renaming, setting socket options, switching user IDs. It is basically
11 * where the non-portable items are conditionally included depending on
12 * the platform.
13 **/
15 #define COMPAT_PRIVATE
18 #ifdef _WIN32
19 #include <winsock2.h>
20 #include <windows.h>
21 #include <sys/locking.h>
22 #endif
24 #ifdef HAVE_UNAME
25 #include <sys/utsname.h>
26 #endif
27 #ifdef HAVE_SYS_TYPES_H
28 #include <sys/types.h>
29 #endif
30 #ifdef HAVE_SYS_SYSCTL_H
31 #include <sys/sysctl.h>
32 #endif
33 #ifdef HAVE_SYS_STAT_H
34 #include <sys/stat.h>
35 #endif
36 #ifdef HAVE_UTIME_H
37 #include <utime.h>
38 #endif
39 #ifdef HAVE_SYS_UTIME_H
40 #include <sys/utime.h>
41 #endif
42 #ifdef HAVE_UNISTD_H
43 #include <unistd.h>
44 #endif
45 #ifdef HAVE_SYS_FCNTL_H
46 #include <sys/fcntl.h>
47 #endif
48 #ifdef HAVE_PWD_H
49 #include <pwd.h>
50 #endif
51 #ifdef HAVE_GRP_H
52 #include <grp.h>
53 #endif
54 #ifdef HAVE_FCNTL_H
55 #include <fcntl.h>
56 #endif
57 #ifdef HAVE_ERRNO_H
58 #include <errno.h>
59 #endif
60 #ifdef HAVE_ARPA_INET_H
61 #include <arpa/inet.h>
62 #endif
63 #ifdef HAVE_CRT_EXTERNS_H
64 #include <crt_externs.h>
65 #endif
66 #ifdef HAVE_SYS_STATVFS_H
67 #include <sys/statvfs.h>
68 #endif
69 #ifdef HAVE_SYS_CAPABILITY_H
70 #include <sys/capability.h>
71 #endif
73 #ifdef _WIN32
74 #include <conio.h>
75 #include <wchar.h>
76 /* Some mingw headers lack these. :p */
77 #if defined(HAVE_DECL__GETWCH) && !HAVE_DECL__GETWCH
79 #endif
80 #ifndef WEOF
81 #define WEOF (wchar_t)(0xFFFF)
82 #endif
83 #if defined(HAVE_DECL_SECUREZEROMEMORY) && !HAVE_DECL_SECUREZEROMEMORY
86 {
90 }
91 #endif
92 #elif defined(HAVE_READPASSPHRASE_H)
93 #include <readpassphrase.h>
94 #else
96 #endif
98 /* Includes for the process attaching prevention */
99 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
100 /* Only use the linux prctl; the IRIX prctl is totally different */
101 #include <sys/prctl.h>
102 #elif defined(__APPLE__)
103 #include <sys/types.h>
104 #include <sys/ptrace.h>
105 #endif
107 #ifdef HAVE_NETDB_H
108 #include <netdb.h>
109 #endif
110 #ifdef HAVE_SYS_PARAM_H
112 #endif
113 #include <stdio.h>
114 #include <stdlib.h>
115 #include <assert.h>
116 #ifdef HAVE_SIGNAL_H
117 #include <signal.h>
118 #endif
119 #ifdef HAVE_SYS_MMAN_H
120 #include <sys/mman.h>
121 #endif
122 #ifdef HAVE_SYS_SYSLIMITS_H
123 #include <sys/syslimits.h>
124 #endif
125 #ifdef HAVE_SYS_FILE_H
126 #include <sys/file.h>
127 #endif
135 /* Inline the strl functions if the platform doesn't have them. */
136 #ifndef HAVE_STRLCPY
138 #endif
139 #ifndef HAVE_STRLCAT
141 #endif
143 /* When set_max_file_descriptors() is called, update this with the max file
144 * descriptor value so we can use it to check the limit when opening a new
145 * socket. Default value is what Debian sets as the default hard limit. */
148 /** As open(path, flags, mode), but return an fd with the close-on-exec mode
149 * set. */
150 int
152 {
155 #ifdef O_CLOEXEC
159 /* If we got an error, see if it is EINVAL. EINVAL might indicate that,
160 * even though we were built on a system with O_CLOEXEC support, we
161 * are running on one without. */
164 #endif
168 #ifdef FD_CLOEXEC
174 }
175 }
176 #endif
178 }
180 /** As fopen(path,mode), but ensures that the O_CLOEXEC bit is set on the
181 * underlying file handle. */
184 {
186 #ifdef FD_CLOEXEC
192 }
193 }
194 #endif
196 }
198 /** As rename(), but work correctly with the sandbox. */
199 int
201 {
205 }
207 #if defined(HAVE_SYS_MMAN_H) || defined(RUNNING_DOXYGEN)
208 /** Try to create a memory mapping for <b>filename</b> and return it. On
209 * failure, return NULL. Sets errno properly, using ERANGE to mean
210 * "empty file". */
211 tor_mmap_t *
213 {
231 }
233 /* Get the size of the file */
243 }
245 /*
246 * Should we check for weird crap like mmapping a named pipe here,
247 * or just wait for if (!size) below to fail?
248 */
249 /* ensure page alignment */
254 /* Zero-length file. If we call mmap on it, it will succeed but
255 * return NULL, and bad things will happen. So just fail. */
260 }
270 }
278 }
279 /** Release storage held for a memory mapping; returns 0 on success,
280 * or -1 on failure (and logs a warning). */
281 int
283 {
291 /* munmap() succeeded */
297 }
300 }
301 #elif defined(_WIN32)
302 tor_mmap_t *
304 {
312 #ifdef UNICODE
314 #else
316 #endif
319 NULL,
320 OPEN_EXISTING,
321 FILE_ATTRIBUTE_NORMAL,
332 }
337 }
342 }
346 NULL,
347 PAGE_READONLY,
348 size_high,
349 size_low,
350 NULL);
354 FILE_MAP_READ,
361 win_err: {
370 else
372 }
373 err:
380 }
382 /* Unmap the file, and return 0 for success or -1 for failure */
383 int
385 {
390 /* This is an ugly cast, but without it, "data" in struct tor_mmap_t would
391 have to be redefined as non-const. */
396 }
397 }
404 }
405 #else
406 tor_mmap_t *
408 {
418 }
420 /** Unmap the file mapped with tor_mmap_file(), and return 0 for success
421 * or -1 for failure.
422 */
424 int
426 {
436 /* Can't fail in this mmap()/munmap()-free case */
438 }
439 #endif
441 /** Replacement for snprintf. Differs from platform snprintf in two
442 * ways: First, always NUL-terminates its output. Second, always
443 * returns -1 if the result is truncated. (Note that this return
444 * behavior does <i>not</i> conform to C99; it just happens to be
445 * easier to emulate "return -1" with conformant implementations than
446 * it is to emulate "return number that would be written" with
447 * non-conformant implementations.) */
448 int
450 {
457 }
459 /** Replacement for vsnprintf; behavior differs as tor_snprintf differs from
460 * snprintf.
461 */
462 int
464 {
470 #ifdef _WIN32
472 #else
474 #endif
479 }
481 /**
482 * Portable asprintf implementation. Does a printf() into a newly malloc'd
483 * string. Sets *<b>strp</b> to this string, and returns its length (not
484 * including the terminating NUL character).
485 *
486 * You can treat this function as if its implementation were something like
487 <pre>
488 char buf[_INFINITY_];
489 tor_snprintf(buf, sizeof(buf), fmt, args);
490 *strp = tor_strdup(buf);
491 return strlen(*strp):
492 </pre>
493 * Where _INFINITY_ is an imaginary constant so big that any string can fit
494 * into it.
495 */
496 int
498 {
505 /* LCOV_EXCL_START */
508 /* LCOV_EXCL_STOP */
509 }
511 }
513 /**
514 * Portable vasprintf implementation. Does a printf() into a newly malloc'd
515 * string. Differs from regular vasprintf in the same ways that
516 * tor_asprintf() differs from regular asprintf.
517 */
518 int
520 {
521 /* use a temporary variable in case *strp is in args. */
523 #ifdef HAVE_VASPRINTF
524 /* If the platform gives us one, use it. */
528 else
531 #elif defined(HAVE__VSCPRINTF)
532 /* On Windows, _vsnprintf won't tell us the length of the string if it
533 * overflows, so we need to use _vcsprintf to tell how much to allocate */
542 }
549 }
552 #else
553 /* Everywhere else, we have a decent vsnprintf that tells us how many
554 * characters we need. We give it a try on a short buffer first, since
555 * it might be nice to avoid the second vsnprintf call.
556 */
561 /* vsnprintf() was properly checked but tor_vsnprintf() available so
562 * why not use it? */
568 }
570 /* use of tor_vsnprintf() will ensure string is null terminated */
576 }
579 #endif
580 }
582 /** Given <b>hlen</b> bytes at <b>haystack</b> and <b>nlen</b> bytes at
583 * <b>needle</b>, return a pointer to the first occurrence of the needle
584 * within the haystack, or NULL if there is no such occurrence.
585 *
586 * This function is <em>not</em> timing-safe.
587 *
588 * Requires that <b>nlen</b> be greater than zero.
589 */
593 {
594 #if defined(HAVE_MEMMEM) && (!defined(__GNUC__) || __GNUC__ >= 2)
597 #else
598 /* This isn't as fast as the GLIBC implementation, but it doesn't need to
599 * be. */
610 /* Last position at which the needle could start. */
617 /* This comparison shouldn't be necessary, since if p was previously
618 * equal to last_possible_start, the next memchr call would be
619 * "memchr(p, first, 0)", which will return NULL. But it clarifies the
620 * logic. */
622 }
623 }
625 #endif
626 }
628 /**
629 * Tables to implement ctypes-replacement TOR_IS*() functions. Each table
630 * has 256 bits to look up whether a character is in some set or not. This
631 * fails on non-ASCII platforms, but it is hard to find a platform whose
632 * character set is not a superset of ASCII nowadays. */
634 /**@{*/
648 /** Upper-casing and lowercasing tables to map characters to upper/lowercase
649 * equivalents. Used by tor_toupper() and tor_tolower(). */
650 /**@{*/
668 };
686 };
687 /**@}*/
689 /** Helper for tor_strtok_r_impl: Advances cp past all characters in
690 * <b>sep</b>, and returns its new value. */
693 {
700 }
702 }
704 /** Implementation of strtok_r for platforms whose coders haven't figured out
705 * how to write one. Hey, retrograde libc developers! You can use this code
706 * here for free! */
709 {
721 }
728 }
735 }
737 }
739 #ifdef _WIN32
740 /** Take a filename and return a pointer to its final element. This
741 * function is called on __FILE__ to fix a MSVC nit where __FILE__
742 * contains the full path to the file. This is bad, because it
743 * confuses users to find the home directory of the person who
744 * compiled the binary in their warning messages.
745 */
748 {
760 }
762 }
763 #endif
765 /**
766 * Read a 16-bit value beginning at <b>cp</b>. Equivalent to
767 * *(uint16_t*)(cp), but will not cause segfaults on platforms that forbid
768 * unaligned memory access.
769 */
770 uint16_t
772 {
776 }
777 /**
778 * Read a 32-bit value beginning at <b>cp</b>. Equivalent to
779 * *(uint32_t*)(cp), but will not cause segfaults on platforms that forbid
780 * unaligned memory access.
781 */
782 uint32_t
784 {
788 }
789 /**
790 * Read a 64-bit value beginning at <b>cp</b>. Equivalent to
791 * *(uint64_t*)(cp), but will not cause segfaults on platforms that forbid
792 * unaligned memory access.
793 */
794 uint64_t
796 {
800 }
802 /**
803 * Set a 16-bit value beginning at <b>cp</b> to <b>v</b>. Equivalent to
804 * *(uint16_t*)(cp) = v, but will not cause segfaults on platforms that forbid
805 * unaligned memory access. */
806 void
808 {
810 }
811 /**
812 * Set a 32-bit value beginning at <b>cp</b> to <b>v</b>. Equivalent to
813 * *(uint32_t*)(cp) = v, but will not cause segfaults on platforms that forbid
814 * unaligned memory access. */
815 void
817 {
819 }
820 /**
821 * Set a 64-bit value beginning at <b>cp</b> to <b>v</b>. Equivalent to
822 * *(uint64_t*)(cp) = v, but will not cause segfaults on platforms that forbid
823 * unaligned memory access. */
824 void
826 {
828 }
830 /**
831 * Rename the file <b>from</b> to the file <b>to</b>. On Unix, this is
832 * the same as rename(2). On windows, this removes <b>to</b> first if
833 * it already exists.
834 * Returns 0 on success. Returns -1 and sets errno on failure.
835 */
836 int
838 {
839 #ifndef _WIN32
841 #else
843 {
855 }
857 #endif
858 }
860 /** Change <b>fname</b>'s modification time to now. */
861 int
863 {
867 }
869 /** Represents a lockfile on which we hold the lock. */
871 /** Name of the file */
873 /** File descriptor used to hold the file open */
875 };
877 /** Try to get a lock on the lockfile <b>filename</b>, creating it as
878 * necessary. If someone else has the lock and <b>blocking</b> is true,
879 * wait until the lock is available. Otherwise return immediately whether
880 * we succeeded or not.
881 *
882 * Set *<b>locked_out</b> to true if somebody else had the lock, and to false
883 * otherwise.
884 *
885 * Return a <b>tor_lockfile_t</b> on success, NULL on failure.
886 *
887 * (Implementation note: because we need to fall back to fcntl on some
888 * platforms, these locks are per-process, not per-thread. If you want
889 * to do in-process locking, use tor_mutex_t like a normal person.
890 * On Windows, when <b>blocking</b> is true, the maximum time that
891 * is actually waited is 10 seconds, after which NULL is returned
892 * and <b>locked_out</b> is set to 1.)
893 */
894 tor_lockfile_t *
896 {
907 }
909 #ifdef _WIN32
914 else
918 }
919 #elif defined(HAVE_FLOCK)
923 else
927 }
928 #else
929 {
937 else
941 }
942 }
943 #endif
949 }
951 /** Release the lock held as <b>lockfile</b>. */
952 void
954 {
958 #ifdef _WIN32
963 }
964 #elif defined(HAVE_FLOCK)
968 }
969 #else
970 /* Closing the lockfile is sufficient. */
971 #endif
977 }
979 /** @{ */
980 /** Some old versions of Unix didn't define constants for these values,
981 * and instead expect you to say 0, 1, or 2. */
982 #ifndef SEEK_SET
983 #define SEEK_SET 0
984 #endif
985 #ifndef SEEK_CUR
986 #define SEEK_CUR 1
987 #endif
988 #ifndef SEEK_END
989 #define SEEK_END 2
990 #endif
991 /** @} */
993 /** Return the position of <b>fd</b> with respect to the start of the file. */
994 off_t
996 {
997 #ifdef _WIN32
999 #else
1001 #endif
1002 }
1004 /** Move <b>fd</b> to the end of the file. Return -1 on error, 0 on success.
1005 * If the file is a pipe, do nothing and succeed.
1006 **/
1007 int
1009 {
1010 #ifdef _WIN32
1012 #else
1014 #ifdef ESPIPE
1015 /* If we get an error and ESPIPE, then it's a pipe or a socket of a fifo:
1016 * no need to worry. */
1019 #endif
1021 #endif
1022 }
1024 /** Move <b>fd</b> to position <b>pos</b> in the file. Return -1 on error, 0
1025 * on success. */
1026 int
1028 {
1029 #ifdef _WIN32
1031 #else
1033 #endif
1034 }
1036 /** Replacement for ftruncate(fd, 0): move to the front of the file and remove
1037 * all the rest of the file. Return -1 on error, 0 on success. */
1038 int
1040 {
1041 /* Rumor has it that some versions of ftruncate do not move the file pointer.
1042 */
1046 #ifdef _WIN32
1048 #else
1050 #endif
1051 }
1053 #undef DEBUG_SOCKET_COUNTING
1054 #ifdef DEBUG_SOCKET_COUNTING
1055 /** A bitarray of all fds that should be passed to tor_socket_close(). Only
1056 * used if DEBUG_SOCKET_COUNTING is defined. */
1058 /** The size of <b>open_sockets</b>, in bits. */
1060 #endif
1062 /** Count of number of sockets currently open. (Undercounts sockets opened by
1063 * eventdns and libevent.) */
1066 /** Mutex to protect open_sockets, max_socket, and n_sockets_open. */
1069 /** Helper: acquire the socket accounting lock. */
1072 {
1076 }
1078 /** Helper: release the socket accounting lock. */
1081 {
1083 }
1085 /** As close(), but guaranteed to work for sockets across platforms (including
1086 * Windows, where close()ing a socket doesn't work. Returns 0 on success and
1087 * the socket error code on failure. */
1088 int
1090 {
1093 /* On Windows, you have to call close() on fds returned by open(),
1094 * and closesocket() on fds returned by socket(). On Unix, everything
1095 * gets close()'d. We abstract this difference by always using
1096 * tor_close_socket to close sockets, and always using close() on
1097 * files.
1098 */
1099 #if defined(_WIN32)
1101 #else
1103 #endif
1109 }
1112 }
1114 /** As tor_close_socket_simple(), but keeps track of the number
1115 * of open sockets. Returns 0 on success, -1 on failure. */
1118 {
1122 #ifdef DEBUG_SOCKET_COUNTING
1129 }
1130 #endif
1134 #ifdef _WIN32
1137 #else
1140 #endif
1142 }
1147 }
1149 /** @{ */
1150 #ifdef DEBUG_SOCKET_COUNTING
1151 /** Helper: if DEBUG_SOCKET_COUNTING is enabled, remember that <b>s</b> is
1152 * now an open socket. */
1155 {
1156 /* XXXX This bitarray business will NOT work on windows: sockets aren't
1157 small ints there. */
1165 }
1166 }
1170 }
1172 }
1173 #else
1174 #define mark_socket_open(s) STMT_NIL
1175 #endif
1176 /** @} */
1178 /** As socket(), but counts the number of open sockets. */
1181 {
1183 }
1185 /** Mockable wrapper for connect(). */
1188 socklen_t address_len))
1189 {
1191 }
1193 /** As socket(), but creates a nonblocking socket and
1194 * counts the number of open sockets. */
1195 tor_socket_t
1197 {
1199 }
1201 /** As socket(), but counts the number of open sockets and handles
1202 * socket creation with either of SOCK_CLOEXEC and SOCK_NONBLOCK specified.
1203 * <b>cloexec</b> and <b>nonblock</b> should be either 0 or 1 to indicate
1204 * if the corresponding extension should be used.*/
1205 tor_socket_t
1208 {
1209 tor_socket_t s;
1211 /* We are about to create a new file descriptor so make sure we have
1212 * enough of them. */
1214 #ifdef _WIN32
1216 #else
1218 #endif
1220 }
1222 #if defined(SOCK_CLOEXEC) && defined(SOCK_NONBLOCK)
1228 /* If we got an error, see if it is EINVAL. EINVAL might indicate that,
1229 * even though we were built on a system with SOCK_CLOEXEC and SOCK_NONBLOCK
1230 * support, we are running on one without. */
1239 #if defined(FD_CLOEXEC)
1245 }
1246 }
1247 #else
1249 #endif
1255 }
1256 }
1260 socket_ok:
1266 }
1268 /** As accept(), but counts the number of open sockets. */
1269 tor_socket_t
1271 {
1273 }
1275 /** As accept(), but returns a nonblocking socket and
1276 * counts the number of open sockets. */
1277 tor_socket_t
1280 {
1282 }
1284 /** As accept(), but counts the number of open sockets and handles
1285 * socket creation with either of SOCK_CLOEXEC and SOCK_NONBLOCK specified.
1286 * <b>cloexec</b> and <b>nonblock</b> should be either 0 or 1 to indicate
1287 * if the corresponding extension should be used.*/
1288 tor_socket_t
1291 {
1292 tor_socket_t s;
1294 /* We are about to create a new file descriptor so make sure we have
1295 * enough of them. */
1297 #ifdef _WIN32
1299 #else
1301 #endif
1303 }
1305 #if defined(HAVE_ACCEPT4) && defined(SOCK_CLOEXEC) && defined(SOCK_NONBLOCK)
1311 /* If we got an error, see if it is ENOSYS. ENOSYS indicates that,
1312 * even though we were built on a system with accept4 support, we
1313 * are running on one without. Also, check for EINVAL, which indicates that
1314 * we are missing SOCK_CLOEXEC/SOCK_NONBLOCK support. */
1317 #endif
1323 #if defined(FD_CLOEXEC)
1329 }
1330 }
1331 #else
1333 #endif
1339 }
1340 }
1344 socket_ok:
1350 }
1352 /** Return the number of sockets we currently have opened. */
1353 int
1355 {
1361 }
1363 /** Mockable wrapper for getsockname(). */
1367 {
1369 }
1371 /** Turn <b>socket</b> into a nonblocking socket. Return 0 on success, -1
1372 * on failure.
1373 */
1374 int
1376 {
1377 #if defined(_WIN32)
1380 #else
1387 }
1392 }
1393 #endif
1396 }
1398 /**
1399 * Allocate a pair of connected sockets. (Like socketpair(family,
1400 * type,protocol,fd), but works on systems that don't have
1401 * socketpair.)
1402 *
1403 * Currently, only (AF_UNIX, SOCK_STREAM, 0) sockets are supported.
1404 *
1405 * Note that on systems without socketpair, this call will fail if
1406 * localhost is inaccessible (for example, if the networking
1407 * stack is down). And even if it succeeds, the socket pair will not
1408 * be able to read while localhost is down later (the socket pair may
1409 * even close, depending on OS-specific timeouts).
1410 *
1411 * Returns 0 on success and -errno on failure; do not rely on the value
1412 * of errno or WSAGetLastError().
1413 **/
1414 /* It would be nicer just to set errno, but that won't work for windows. */
1415 int
1417 {
1418 //don't use win32 socketpairs (they are always bad)
1419 #if defined(HAVE_SOCKETPAIR) && !defined(_WIN32)
1422 #ifdef SOCK_CLOEXEC
1426 /* If we got an error, see if it is EINVAL. EINVAL might indicate that,
1427 * even though we were built on a system with SOCK_CLOEXEC support, we
1428 * are running on one without. */
1431 #endif
1437 #if defined(FD_CLOEXEC)
1444 }
1445 }
1452 }
1453 }
1454 #endif
1457 sockets_ok:
1462 }
1466 }
1470 #else
1472 #endif
1473 }
1475 #ifdef NEED_ERSATZ_SOCKETPAIR
1479 {
1487 }
1488 }
1490 /**
1491 * Helper used to implement socketpair on systems that lack it, by
1492 * making a direct connection to localhost.
1493 */
1494 STATIC int
1496 {
1497 /* This socketpair does not work when localhost is down. So
1498 * it's really not the same thing at all. But it's close enough
1499 * for now, and really, when localhost is down sometimes, we
1500 * have other problems too.
1501 */
1505 tor_addr_t listen_tor_addr;
1509 tor_addr_t connect_tor_addr;
1512 socklen_t size;
1522 #ifdef AF_UNIX
1524 #endif
1525 ) {
1526 #ifdef _WIN32
1528 #else
1530 #endif
1531 }
1534 }
1541 /* Assume we're on an IPv6-only system */
1545 /* Keep the previous behaviour, which was to return the IPv4 error.
1546 * (This may be less informative on IPv6-only systems.)
1547 * XX/teor - is there a better way to decide which errno to return?
1548 * (I doubt we care much either way, once there is an error.)
1549 */
1551 }
1552 }
1553 }
1554 /* If there is no 127.0.0.1 or ::1, this will and must fail. Otherwise, we
1555 * risk exposing a socketpair on a routable IP address. (Some BSD jails
1556 * use a routable address for localhost. Fortunately, they have the real
1557 * AF_UNIX socketpair.) */
1562 }
1566 listen_addr,
1576 /* We want to find out the port number to connect to. */
1591 /* Now check we are talking to ourself by matching port and host on the
1592 two sockets. */
1595 /* Set *_tor_addr and *_port to the address and port that was used */
1602 }
1609 abort_tidy_up_and_fail:
1610 #ifdef _WIN32
1612 #else
1614 #endif
1615 tidy_up_and_fail:
1625 }
1627 #undef SIZEOF_SOCKADDR
1629 #endif
1631 /* Return the maximum number of allowed sockets. */
1632 int
1634 {
1636 }
1638 /** Number of extra file descriptors to keep in reserve beyond those that we
1639 * tell Tor it's allowed to use. */
1642 /** Learn the maximum allowed number of file descriptors, and tell the
1643 * system we want to use up to that number. (Some systems have a low soft
1644 * limit, and let us set it higher.) We compute this by finding the largest
1645 * number that we can use.
1646 *
1647 * If the limit is below the reserved file descriptor value (ULIMIT_BUFFER),
1648 * return -1 and <b>max_out</b> is untouched.
1649 *
1650 * If we can't find a number greater than or equal to <b>limit</b>, then we
1651 * fail by returning -1 and <b>max_out</b> is untouched.
1652 *
1653 * If we are unable to set the limit value because of setrlimit() failing,
1654 * return -1 and <b>max_out</b> is set to the current maximum value returned
1655 * by getrlimit().
1656 *
1657 * Otherwise, return 0 and store the maximum we found inside <b>max_out</b>
1658 * and set <b>max_sockets</b> with that value as well.*/
1659 int
1661 {
1666 }
1668 /* Define some maximum connections values for systems where we cannot
1669 * automatically determine a limit. Re Cygwin, see
1670 * http://archives.seul.org/or/talk/Aug-2006/msg00210.html
1671 * For an iPhone, 9999 should work. For Windows and all other unknown
1672 * systems we use 15000 as the default. */
1673 #ifndef HAVE_GETRLIMIT
1674 #if defined(CYGWIN) || defined(__CYGWIN__)
1677 #elif defined(_WIN32)
1680 #else
1683 #endif
1688 "We do not support more than %lu file descriptors "
1692 }
1701 }
1707 }
1712 }
1713 /* Set the current limit value so if the attempt to set the limit to the
1714 * max fails at least we'll have a valid value of maximum sockets. */
1720 #ifdef OPEN_MAX
1723 /* On some platforms, OPEN_MAX is the real limit, and getrlimit() is
1724 * full of nasty lies. I'm looking at you, OSX 10.5.... */
1729 "OPEN_MAX (%lu), and ConnLimit is %lu. Changing "
1735 "OPEN_MAX (%lu); Apparently, %lu was too high and rlimit "
1739 }
1741 }
1742 }
1748 }
1749 }
1750 /* leave some overhead for logs, etc, */
1759 }
1761 #ifndef _WIN32
1762 /** Log details of current user and group credentials. Return 0 on
1763 * success. Logs and return -1 on failure.
1764 */
1765 static int
1767 {
1768 /** Log level to use when describing non-error UID/GID status. */
1769 #define CREDENTIAL_LOG_LEVEL LOG_INFO
1770 /* Real, effective and saved UIDs */
1772 /* Read, effective and saved GIDs */
1774 /* Supplementary groups */
1777 /* Number of supplementary groups */
1780 /* log UIDs */
1781 #ifdef HAVE_GETRESUID
1789 }
1790 #else
1791 /* getresuid is not present on MacOS X, so we can't get the saved (E)UID */
1799 #endif
1801 /* log GIDs */
1802 #ifdef HAVE_GETRESGID
1810 }
1811 #else
1812 /* getresgid is not present on MacOS X, so we can't get the saved (E)GID */
1819 #endif
1821 /* log supplementary groups */
1829 }
1843 }
1855 }
1858 }
1859 #endif
1861 #ifndef _WIN32
1862 /** Cached struct from the last getpwname() call we did successfully. */
1865 /** Helper: copy a struct passwd object.
1866 *
1867 * We only copy the fields pw_uid, pw_gid, pw_name, pw_dir. Tor doesn't use
1868 * any others, and I don't want to run into incompatibilities.
1869 */
1872 {
1882 }
1884 /** Helper: free one of our cached 'struct passwd' values. */
1885 static void
1887 {
1894 }
1896 /** Wrapper around getpwnam() that caches result. Used so that we don't need
1897 * to give the sandbox access to /etc/passwd.
1898 *
1899 * The following fields alone will definitely be copied in the output: pw_uid,
1900 * pw_gid, pw_name, pw_dir. Other fields are not present in cached values.
1901 *
1902 * When called with a NULL argument, this function clears storage associated
1903 * with static variables it uses.
1904 **/
1907 {
1914 }
1922 }
1924 /* Lookup failed */
1932 }
1934 /** Wrapper around getpwnam() that can use cached result from
1935 * tor_getpwnam(). Used so that we don't need to give the sandbox access to
1936 * /etc/passwd.
1937 *
1938 * The following fields alone will definitely be copied in the output: pw_uid,
1939 * pw_gid, pw_name, pw_dir. Other fields are not present in cached values.
1940 */
1943 {
1948 }
1950 /* Lookup failed */
1958 }
1959 #endif
1961 /** Return true iff we were compiled with capability support, and capabilities
1962 * seem to work. **/
1963 int
1965 {
1966 #ifdef HAVE_LINUX_CAPABILITIES
1972 #else
1974 #endif
1975 }
1977 #ifdef HAVE_LINUX_CAPABILITIES
1978 /** Helper. Drop all capabilities but a small set, and set PR_KEEPCAPS as
1979 * appropriate.
1980 *
1981 * If pre_setuid, retain only CAP_NET_BIND_SERVICE, CAP_SETUID, and
1982 * CAP_SETGID, and use PR_KEEPCAPS to ensure that capabilities persist across
1983 * setuid().
1984 *
1985 * If not pre_setuid, retain only CAP_NET_BIND_SERVICE, and disable
1986 * PR_KEEPCAPS.
1987 *
1988 * Return 0 on success, and -1 on failure.
1989 */
1990 static int
1992 {
1993 /* We keep these three capabilities, and these only, as we setuid.
1994 * After we setuid, we drop all but the first. */
1997 };
2004 /* Sets whether we keep capabilities across a setuid. */
2009 }
2016 }
2029 }
2032 }
2033 #endif
2035 /** Call setuid and setgid to run as <b>user</b> and switch to their
2036 * primary group. Return 0 on success. On failure, log and return -1.
2037 *
2038 * If SWITCH_ID_KEEP_BINDLOW is set in 'flags', try to use the capability
2039 * system to retain the abilitity to bind low ports.
2040 *
2041 * If SWITCH_ID_WARN_IF_NO_CAPS is set in flags, also warn if we have
2042 * don't have capability support.
2043 */
2044 int
2046 {
2047 #ifndef _WIN32
2049 uid_t old_uid;
2050 gid_t old_gid;
2060 /* Log the initial credential state */
2066 /* Get old UID/GID to check if we changed correctly */
2070 /* Lookup the user and group information, if we have a problem, bail out. */
2075 }
2077 #ifdef HAVE_LINUX_CAPABILITIES
2082 }
2083 #else
2088 }
2089 #endif
2091 /* Properly switch egid,gid,euid,uid here or bail out */
2098 "you want to be. (If you did not set the User option in your "
2099 "torrc, check whether it was specified on the command line "
2104 }
2106 }
2112 }
2118 }
2124 }
2130 }
2132 /* This is how OpenBSD rolls:
2133 if (setgroups(1, &pw->pw_gid) || setegid(pw->pw_gid) ||
2134 setgid(pw->pw_gid) || setuid(pw->pw_uid) || seteuid(pw->pw_uid)) {
2135 setgid(pw->pw_gid) || seteuid(pw->pw_uid) || setuid(pw->pw_uid)) {
2136 log_warn(LD_GENERAL, "Error setting configured UID/GID: %s",
2137 strerror(errno));
2138 return -1;
2139 }
2140 */
2142 /* We've properly switched egid, gid, euid, uid, and supplementary groups if
2143 * we're here. */
2144 #ifdef HAVE_LINUX_CAPABILITIES
2148 }
2149 #endif
2151 #if !defined(CYGWIN) && !defined(__CYGWIN__)
2152 /* If we tried to drop privilege to a group/user other than root, attempt to
2153 * restore root (E)(U|G)ID, and abort if the operation succeeds */
2155 /* Only check for privilege dropping if we were asked to be non-root */
2157 /* Try changing GID/EGID */
2163 }
2165 /* Try changing UID/EUID */
2171 }
2172 }
2173 #endif
2175 /* Check what really happened */
2178 }
2182 #if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) && defined(HAVE_PRCTL)
2183 #ifdef PR_SET_DUMPABLE
2185 /* Re-enable core dumps if we're not running as root. */
2189 }
2190 }
2191 #endif
2192 #endif
2195 #else
2201 #endif
2202 }
2204 /* We only use the linux prctl for now. There is no Win32 support; this may
2205 * also work on various BSD systems and Mac OS X - send testing feedback!
2206 *
2207 * On recent Gnu/Linux kernels it is possible to create a system-wide policy
2208 * that will prevent non-root processes from attaching to other processes
2209 * unless they are the parent process; thus gdb can attach to programs that
2210 * they execute but they cannot attach to other processes running as the same
2211 * user. The system wide policy may be set with the sysctl
2212 * kernel.yama.ptrace_scope or by inspecting
2213 * /proc/sys/kernel/yama/ptrace_scope and it is 1 by default on Ubuntu 11.04.
2214 *
2215 * This ptrace scope will be ignored on Gnu/Linux for users with
2216 * CAP_SYS_PTRACE and so it is very likely that root will still be able to
2217 * attach to the Tor process.
2218 */
2219 /** Attempt to disable debugger attachment: return 1 on success, -1 on
2220 * failure, and 0 if we don't know how to try on this platform. */
2221 int
2223 {
2228 "Attemping to disable debugger attachment to Tor for "
2230 #if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) && defined(HAVE_PRCTL)
2231 #ifdef PR_SET_DUMPABLE
2234 #endif
2235 #endif
2236 #if defined(__APPLE__) && defined(PT_DENY_ATTACH)
2240 }
2241 #endif
2243 // XXX: TODO - Mac OS X has dtrace and this may be disabled.
2244 // XXX: TODO - Windows probably has something similar
2252 }
2254 }
2256 #ifdef HAVE_PWD_H
2257 /** Allocate and return a string containing the home directory for the
2258 * user <b>username</b>. Only works on posix-like systems. */
2261 {
2268 }
2270 }
2271 #endif
2273 /** Modify <b>fname</b> to contain the name of its parent directory. Doesn't
2274 * actually examine the filesystem; does a purely syntactic modification.
2275 *
2276 * The parent of the root director is considered to be iteself.
2277 *
2278 * Path separators are the forward slash (/) everywhere and additionally
2279 * the backslash (\) on Win32.
2280 *
2281 * Cuts off any number of trailing path separators but otherwise ignores
2282 * them for purposes of finding the parent directory.
2283 *
2284 * Returns 0 if a parent directory was successfully found, -1 otherwise (fname
2285 * did not have any path separators or only had them at the end).
2286 * */
2287 int
2289 {
2293 #ifdef _WIN32
2294 /* If we start with, say, c:, then don't consider that the start of the path
2295 */
2298 }
2299 #endif
2300 /* Now we want to remove all path-separators at the end of the string,
2301 * and to remove the end of the string starting with the path separator
2302 * before the last non-path-separator. In perl, this would be
2303 * s#[/]*$##; s#/[^/]*$##;
2304 * on a unixy platform.
2305 */
2310 #ifdef _WIN32
2312 #endif
2313 );
2316 /* This is the first separator in the file name; don't remove it! */
2319 }
2325 }
2326 }
2328 }
2330 #ifndef _WIN32
2331 /** Return a newly allocated string containing the output of getcwd(). Return
2332 * NULL on failure. (We can't just use getcwd() into a PATH_MAX buffer, since
2333 * Hurd hasn't got a PATH_MAX.)
2334 */
2337 {
2338 #ifdef PATH_MAX
2339 #define MAX_CWD PATH_MAX
2340 #else
2341 #define MAX_CWD 4096
2342 #endif
2347 }
2348 #endif
2350 /** Expand possibly relative path <b>fname</b> to an absolute path.
2351 * Return a newly allocated string, possibly equal to <b>fname</b>. */
2354 {
2355 #ifdef _WIN32
2358 /* We don't want to assume that tor_free can free a string allocated
2359 * with malloc. On failure, return fname (it's better than nothing). */
2364 #else
2377 /* LCOV_EXCL_START Can't make getcwd fail. */
2378 /* If getcwd failed, the best we can do here is keep using the
2379 * relative path. (Perhaps / isn't readable by this UID/GID.) */
2383 /* LCOV_EXCL_STOP */
2384 }
2385 }
2387 #endif
2388 }
2390 #ifndef HAVE__NSGETENVIRON
2391 #ifndef HAVE_EXTERN_ENVIRON_DECLARED
2392 /* Some platforms declare environ under some circumstances, others don't. */
2393 #ifndef RUNNING_DOXYGEN
2395 #endif
2396 #endif
2397 #endif
2399 /** Return the current environment. This is a portable replacement for
2400 * 'environ'. */
2403 {
2404 #ifdef HAVE__NSGETENVIRON
2405 /* This is for compatibility between OSX versions. Otherwise (for example)
2406 * when we do a mostly-static build on OSX 10.7, the resulting binary won't
2407 * work on OSX 10.6. */
2409 #else
2411 #endif
2412 }
2414 /** Get name of current host and write it to <b>name</b> array, whose
2415 * length is specified by <b>namelen</b> argument. Return 0 upon
2416 * successfull completion; otherwise return return -1. (Currently,
2417 * this function is merely a mockable wrapper for POSIX gethostname().)
2418 */
2421 {
2423 }
2425 /** Set *addr to the IP address (in dotted-quad notation) stored in *str.
2426 * Return 1 on success, 0 if *str is badly formatted.
2427 * (Like inet_aton(str,addr), but works on Windows and Solaris.)
2428 */
2429 int
2431 {
2442 }
2444 /** Given <b>af</b>==AF_INET and <b>src</b> a struct in_addr, or
2445 * <b>af</b>==AF_INET6 and <b>src</b> a struct in6_addr, try to format the
2446 * address and store it in the <b>len</b>-byte buffer <b>dst</b>. Returns
2447 * <b>dst</b> on success, NULL on failure.
2448 *
2449 * (Like inet_ntop(af,src,dst,len), but works on platforms that don't have it:
2450 * Tor sometimes needs to format ipv6 addresses even on platforms without ipv6
2451 * support.) */
2454 {
2458 else
2468 }
2472 /* This is an IPv4 address. */
2481 }
2486 }
2494 }
2498 }
2501 }
2502 }
2520 }
2521 }
2529 }
2530 }
2532 /** Given <b>af</b>==AF_INET or <b>af</b>==AF_INET6, and a string <b>src</b>
2533 * encoding an IPv4 address or IPv6 address correspondingly, try to parse the
2534 * address and store the result in <b>dst</b> (which must have space for a
2535 * struct in_addr or a struct in6_addr, as appropriate). Return 1 on success,
2536 * 0 on a bad parse, and -1 on a bad <b>af</b>.
2537 *
2538 * (Like inet_pton(af,src,dst) but works on platforms that don't have it: Tor
2539 * sometimes needs to format ipv6 addresses even on platforms without ipv6
2540 * support.) */
2541 int
2543 {
2560 ;
2565 /* We use "scanf" because some platform inet_aton()s are too lax
2566 * about IPv4 addresses of the form "1.2.3" */
2577 }
2585 ssize_t len;
2588 /* The 'next == src' error case can happen on versions of openbsd
2589 * where treats "0xfoo" as an error, rather than as "0" followed by
2590 * "xfoo". */
2592 }
2603 setWords++;
2617 }
2618 }
2632 }
2636 }
2641 }
2642 }
2644 /** Similar behavior to Unix gethostbyname: resolve <b>name</b>, and set
2645 * *<b>addr</b> to the proper IP address, in host byte order. Returns 0
2646 * on success, -1 on failure; 1 on transient failure.
2647 *
2648 * (This function exists because standard windows gethostbyname
2649 * doesn't treat raw IP addresses properly.)
2650 */
2654 {
2655 tor_addr_t myaddr;
2664 }
2667 }
2669 /** Hold the result of our call to <b>uname</b>. */
2671 /** True iff uname_result is set. */
2674 /** Return a pointer to a description of our platform.
2675 */
2677 {
2678 #ifdef HAVE_UNAME
2680 #endif
2682 #ifdef HAVE_UNAME
2684 /* (Linux says 0 is success, Solaris says 1 is success) */
2687 #endif
2688 {
2689 #ifdef _WIN32
2690 OSVERSIONINFOEX info;
2702 /* { 4, 0, "Windows NT 4.0" }, */
2705 /* { 4, 0, "Windows 95" } */
2708 };
2716 }
2720 else
2728 }
2729 }
2730 }
2739 else
2743 }
2744 #ifdef VER_NT_SERVER
2748 }
2749 #endif
2750 #else
2751 /* LCOV_EXCL_START -- can't provoke uname failure */
2753 /* LCOV_EXCL_STOP */
2754 #endif
2755 }
2757 }
2759 }
2761 /*
2762 * Process control
2763 */
2765 /** Implementation logic for compute_num_cpus(). */
2766 static int
2768 {
2769 #ifdef _WIN32
2770 SYSTEM_INFO info;
2775 else
2777 #elif defined(HAVE_SYSCONF)
2778 #ifdef _SC_NPROCESSORS_CONF
2780 #else
2782 #endif
2783 #ifdef _SC_NPROCESSORS_ONLN
2785 #else
2787 #endif
2797 "are available. Telling Tor to only use %ld. You can over"
2800 }
2802 }
2806 else
2808 #else
2810 #endif
2811 }
2813 #define MAX_DETECTABLE_CPUS 16
2815 /** Return how many CPUs we are running with. We assume that nobody is
2816 * using hot-swappable CPUs, so we don't recompute this after the first
2817 * time. Return -1 if we don't know how to tell the number of CPUs on this
2818 * system.
2819 */
2820 int
2822 {
2828 /* LCOV_EXCL_START */
2830 "will not autodetect any more than %d, though. If you "
2834 /* LCOV_EXCL_STOP */
2835 }
2836 }
2838 }
2840 #if !defined(_WIN32)
2841 /** Defined iff we need to add locks when defining fake versions of reentrant
2842 * versions of time-related functions. */
2843 #define TIME_FNS_NEED_LOCKS
2844 #endif
2846 /** Helper: Deal with confused or out-of-bounds values from localtime_r and
2847 * friends. (On some platforms, they can give out-of-bounds values or can
2848 * return NULL.) If <b>islocal</b>, this is a localtime result; otherwise
2849 * it's from gmtime. The function returned <b>r</b>, when given <b>timep</b>
2850 * as its input. If we need to store new results, store them in
2851 * <b>resultbuf</b>. */
2855 {
2859 /* We can't strftime dates after 9999 CE, and we want to avoid dates
2860 * before 1 CE (avoiding the year 0 issue and negative years). */
2879 }
2881 }
2883 /* If we get here, gmtime or localtime returned NULL. It might have done
2884 * this because of overrun or underrun, or it might have done it because of
2885 * some other weird issue. */
2900 /* Rounding down to INT32_MAX isn't so great, but keep in mind that we
2901 * only do it if gmtime/localtime tells us NULL. */
2913 }
2914 }
2916 /* If we get here, then gmtime/localtime failed without getting an extreme
2917 * value for *timep */
2918 /* LCOV_EXCL_START */
2923 /* LCOV_EXCL_STOP */
2924 done:
2929 outcome);
2931 }
2933 /** @{ */
2934 /** As localtime_r, but defined for platforms that don't have it:
2935 *
2936 * Convert *<b>timep</b> to a struct tm in local time, and store the value in
2937 * *<b>result</b>. Return the result on success, or NULL on failure.
2938 */
2939 #ifdef HAVE_LOCALTIME_R
2942 {
2946 }
2947 #elif defined(TIME_FNS_NEED_LOCKS)
2950 {
2961 }
2962 #else
2965 {
2972 }
2973 #endif
2974 /** @} */
2976 /** @{ */
2977 /** As gmtime_r, but defined for platforms that don't have it:
2978 *
2979 * Convert *<b>timep</b> to a struct tm in UTC, and store the value in
2980 * *<b>result</b>. Return the result on success, or NULL on failure.
2981 */
2982 #ifdef HAVE_GMTIME_R
2985 {
2989 }
2990 #elif defined(TIME_FNS_NEED_LOCKS)
2993 {
3004 }
3005 #else
3008 {
3015 }
3016 #endif
3018 #if defined(HAVE_MLOCKALL) && HAVE_DECL_MLOCKALL && defined(RLIMIT_MEMLOCK)
3019 /** Attempt to raise the current and max rlimit to infinity for our process.
3020 * This only needs to be done once and can probably only be done when we have
3021 * not already dropped privileges.
3022 */
3023 static int
3025 {
3026 /* Future consideration for Windows is probably SetProcessWorkingSetSize
3027 * This is similar to setting the memory rlimit of RLIMIT_MEMLOCK
3028 * http://msdn.microsoft.com/en-us/library/ms686234(VS.85).aspx
3029 */
3033 /* RLIM_INFINITY is -1 on some platforms. */
3041 }
3045 }
3048 }
3049 #endif
3051 /** Attempt to lock all current and all future memory pages.
3052 * This should only be called once and while we're privileged.
3053 * Like mlockall() we return 0 when we're successful and -1 when we're not.
3054 * Unlike mlockall() we return 1 if we've already attempted to lock memory.
3055 */
3056 int
3058 {
3063 }
3067 /*
3068 * Future consideration for Windows may be VirtualLock
3069 * VirtualLock appears to implement mlock() but not mlockall()
3070 *
3071 * http://msdn.microsoft.com/en-us/library/aa366895(VS.85).aspx
3072 */
3074 #if defined(HAVE_MLOCKALL) && HAVE_DECL_MLOCKALL && defined(RLIMIT_MEMLOCK)
3077 }
3084 /* Apple - it's 2009! I'm looking at you. Grrr. */
3090 }
3094 }
3095 #else
3098 #endif
3099 }
3101 /**
3102 * On Windows, WSAEWOULDBLOCK is not always correct: when you see it,
3103 * you need to ask the socket for its actual errno. Also, you need to
3104 * get your errors from WSAGetLastError, not errno. (If you supply a
3105 * socket of -1, we check WSAGetLastError, but don't correct
3106 * WSAEWOULDBLOCKs.)
3107 *
3108 * The upshot of all of this is that when a socket call fails, you
3109 * should call tor_socket_errno <em>at most once</em> on the failing
3110 * socket to get the error.
3111 */
3112 #if defined(_WIN32)
3113 int
3115 {
3123 }
3125 }
3126 #endif
3128 #if defined(_WIN32)
3146 /* What's the difference between NOTSUPP and NOSUPPORT? :) */
3166 /* Yes, some of these start with WSA, not WSAE. No, I don't know why. */
3171 #ifdef WSATYPE_NOT_FOUND
3173 #endif
3179 /* There are some more error codes whose numeric values are marked
3180 * <b>OS dependent</b>. They start with WSA_, apparently for the same
3181 * reason that practitioners of some craft traditions deliberately
3182 * introduce imperfections into their baskets and rugs "to allow the
3183 * evil spirits to escape." If we catch them, then our binaries
3184 * might not report consistent results across versions of Windows.
3185 * Thus, I'm going to let them all fall through.
3186 */
3188 };
3189 /** There does not seem to be a strerror equivalent for Winsock errors.
3190 * Naturally, we have to roll our own.
3191 */
3194 {
3199 }
3201 }
3202 #endif
3204 /** Called before we make any calls to network-related functions.
3205 * (Some operating systems require their network libraries to be
3206 * initialized.) */
3207 int
3209 {
3210 #ifdef _WIN32
3211 /* This silly exercise is necessary before windows will allow
3212 * gethostbyname to work. */
3213 WSADATA WSAData;
3219 }
3224 }
3225 /* WSAData.iMaxSockets might show the max sockets we're allowed to use.
3226 * We might use it to complain if we're trying to be a server but have
3227 * too few sockets available. */
3228 #endif
3230 }
3232 #ifdef _WIN32
3233 /** Return a newly allocated string describing the windows system error code
3234 * <b>err</b>. Note that error codes are different from errno. Error codes
3235 * come from GetLastError() when a winapi call fails. errno is set only when
3236 * ANSI functions fail. Whee. */
3239 {
3242 DWORD n;
3244 /* Somebody once decided that this interface was better than strerror(). */
3246 FORMAT_MESSAGE_FROM_SYSTEM |
3247 FORMAT_MESSAGE_IGNORE_INSERTS,
3254 #ifdef UNICODE
3258 * make sure. */
3259 else
3264 #else
3266 #endif
3269 }
3272 }
3274 }
3275 #endif
3277 #if defined(HW_PHYSMEM64)
3278 /* This appears to be an OpenBSD thing */
3279 #define INT64_HW_MEM HW_PHYSMEM64
3280 #elif defined(HW_MEMSIZE)
3281 /* OSX defines this one */
3282 #define INT64_HW_MEM HW_MEMSIZE
3283 #endif
3285 /**
3286 * Helper: try to detect the total system memory, and return it. On failure,
3287 * return 0.
3288 */
3289 static uint64_t
3291 {
3292 #if defined(__linux__)
3293 /* On linux, sysctl is deprecated. Because proc is so awesome that you
3294 * shouldn't _want_ to write portable code, I guess? */
3308 /* Use the system sscanf so that space will match a wider number of space */
3316 err:
3317 /* LCOV_EXCL_START Can't reach this unless proc is broken. */
3321 /* LCOV_EXCL_STOP */
3322 #elif defined (_WIN32)
3323 /* Windows has MEMORYSTATUSEX; pretty straightforward. */
3324 MEMORYSTATUSEX ms;
3332 #elif defined(HAVE_SYSCTL) && defined(INT64_HW_MEM)
3333 /* On many systems, HW_PYHSMEM is clipped to 32 bits; let's use a better
3334 * variant if we know about it. */
3343 #elif defined(HAVE_SYSCTL) && defined(HW_PHYSMEM)
3344 /* On some systems (like FreeBSD I hope) you can use a size_t with
3345 * HW_PHYSMEM. */
3354 #else
3355 /* I have no clue. */
3357 #endif
3358 }
3360 /**
3361 * Try to find out how much physical memory the system has. On success,
3362 * return 0 and set *<b>mem_out</b> to that value. On failure, return -1.
3363 */
3364 int
3366 {
3370 /* LCOV_EXCL_START -- can't make this happen without mocking. */
3371 /* We couldn't find our memory total */
3373 /* We have no cached value either */
3376 }
3380 /* LCOV_EXCL_STOP */
3381 }
3383 #if SIZE_MAX != UINT64_MAX
3385 /* I think this could happen if we're a 32-bit Tor running on a 64-bit
3386 * system: we could have more system memory than would fit in a
3387 * size_t. */
3389 }
3390 #endif
3395 }
3397 /** Emit the password prompt <b>prompt</b>, then read up to <b>buflen</b>
3398 * bytes of passphrase into <b>output</b>. Return the number of bytes in
3399 * the passphrase, excluding terminating NUL.
3400 */
3401 ssize_t
3403 {
3406 #if defined(HAVE_READPASSPHRASE)
3411 #elif defined(_WIN32)
3415 }
3441 }
3442 }
3443 done_reading:
3444 ;
3446 #ifndef WC_ERR_INVALID_CHARS
3447 #define WC_ERR_INVALID_CHARS 0x80
3448 #endif
3450 /* Now convert it to UTF-8 */
3459 }
3465 done:
3469 #else
3471 #endif
3472 }
3474 /** Return the amount of free disk space we have permission to use, in
3475 * bytes. Return -1 if the amount of free space can't be determined. */
3476 int64_t
3478 {
3479 #ifdef HAVE_STATVFS
3495 }
3498 #elif defined(_WIN32)
3499 ULARGE_INTEGER freeBytesAvail;
3500 BOOL ok;
3505 }
3507 #else
3511 #endif
3512 }