| blob | 693fca70ea4b907df2e546d802469040b79d0470 |
1 /* Copyright (c) 2003-2004, Roger Dingledine
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2017, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file compat.c
8 * \brief Wrappers to make calls more portable. This code defines
9 * functions such as tor_snprintf, get/set various data types,
10 * renaming, setting socket options, switching user IDs. It is basically
11 * where the non-portable items are conditionally included depending on
12 * the platform.
13 **/
15 #define COMPAT_PRIVATE
18 #ifdef _WIN32
19 #include <winsock2.h>
20 #include <windows.h>
21 #include <sys/locking.h>
22 #endif
24 #ifdef HAVE_UNAME
25 #include <sys/utsname.h>
26 #endif
27 #ifdef HAVE_SYS_TYPES_H
28 #include <sys/types.h>
29 #endif
30 #ifdef HAVE_SYS_SYSCTL_H
31 #include <sys/sysctl.h>
32 #endif
33 #ifdef HAVE_SYS_STAT_H
34 #include <sys/stat.h>
35 #endif
36 #ifdef HAVE_UTIME_H
37 #include <utime.h>
38 #endif
39 #ifdef HAVE_SYS_UTIME_H
40 #include <sys/utime.h>
41 #endif
42 #ifdef HAVE_UNISTD_H
43 #include <unistd.h>
44 #endif
45 #ifdef HAVE_SYS_FCNTL_H
46 #include <sys/fcntl.h>
47 #endif
48 #ifdef HAVE_PWD_H
49 #include <pwd.h>
50 #endif
51 #ifdef HAVE_GRP_H
52 #include <grp.h>
53 #endif
54 #ifdef HAVE_FCNTL_H
55 #include <fcntl.h>
56 #endif
57 #ifdef HAVE_ERRNO_H
58 #include <errno.h>
59 #endif
60 #ifdef HAVE_ARPA_INET_H
61 #include <arpa/inet.h>
62 #endif
63 #ifdef HAVE_CRT_EXTERNS_H
64 #include <crt_externs.h>
65 #endif
66 #ifdef HAVE_SYS_STATVFS_H
67 #include <sys/statvfs.h>
68 #endif
69 #ifdef HAVE_SYS_CAPABILITY_H
70 #include <sys/capability.h>
71 #endif
73 #ifdef _WIN32
74 #include <conio.h>
75 #include <wchar.h>
76 /* Some mingw headers lack these. :p */
77 #if defined(HAVE_DECL__GETWCH) && !HAVE_DECL__GETWCH
79 #endif
80 #ifndef WEOF
81 #define WEOF (wchar_t)(0xFFFF)
82 #endif
83 #if defined(HAVE_DECL_SECUREZEROMEMORY) && !HAVE_DECL_SECUREZEROMEMORY
86 {
90 }
92 #elif defined(HAVE_READPASSPHRASE_H)
93 #include <readpassphrase.h>
94 #else
98 /* Includes for the process attaching prevention */
99 #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
100 /* Only use the linux prctl; the IRIX prctl is totally different */
101 #include <sys/prctl.h>
102 #elif defined(__APPLE__)
103 #include <sys/ptrace.h>
106 #ifdef HAVE_NETDB_H
107 #include <netdb.h>
108 #endif
109 #ifdef HAVE_SYS_PARAM_H
111 #endif
112 #include <stdio.h>
113 #include <stdlib.h>
114 #include <assert.h>
115 #ifdef HAVE_SIGNAL_H
116 #include <signal.h>
117 #endif
118 #ifdef HAVE_MMAP
119 #include <sys/mman.h>
120 #endif
121 #ifdef HAVE_SYS_SYSLIMITS_H
122 #include <sys/syslimits.h>
123 #endif
124 #ifdef HAVE_SYS_FILE_H
125 #include <sys/file.h>
126 #endif
134 /* Inline the strl functions if the platform doesn't have them. */
135 #ifndef HAVE_STRLCPY
137 #endif
138 #ifndef HAVE_STRLCAT
140 #endif
142 /* When set_max_file_descriptors() is called, update this with the max file
143 * descriptor value so we can use it to check the limit when opening a new
144 * socket. Default value is what Debian sets as the default hard limit. */
147 /** As open(path, flags, mode), but return an fd with the close-on-exec mode
148 * set. */
149 int
151 {
154 #ifdef O_CLOEXEC
158 /* If we got an error, see if it is EINVAL. EINVAL might indicate that,
159 * even though we were built on a system with O_CLOEXEC support, we
160 * are running on one without. */
167 #ifdef FD_CLOEXEC
173 }
174 }
177 }
179 /** As fopen(path,mode), but ensures that the O_CLOEXEC bit is set on the
180 * underlying file handle. */
183 {
185 #ifdef FD_CLOEXEC
191 }
192 }
195 }
197 /** As rename(), but work correctly with the sandbox. */
198 int
200 {
204 }
206 #if defined(HAVE_MMAP) || defined(RUNNING_DOXYGEN)
207 /** Try to create a memory mapping for <b>filename</b> and return it. On
208 * failure, return NULL. Sets errno properly, using ERANGE to mean
209 * "empty file". Must only be called on trusted Tor-owned files, as changing
210 * the underlying file's size causes unspecified behavior. */
211 tor_mmap_t *
213 {
231 }
233 /* Get the size of the file */
243 }
251 }
253 /* Zero-length file. If we call mmap on it, it will succeed but
254 * return NULL, and bad things will happen. So just fail. */
259 }
269 }
277 }
278 /** Release storage held for a memory mapping; returns 0 on success,
279 * or -1 on failure (and logs a warning). */
280 int
282 {
290 /* munmap() succeeded */
296 }
299 }
300 #elif defined(_WIN32)
301 tor_mmap_t *
303 {
311 #ifdef UNICODE
313 #else
315 #endif
318 NULL,
319 OPEN_EXISTING,
320 FILE_ATTRIBUTE_NORMAL,
331 }
336 }
341 }
345 NULL,
346 PAGE_READONLY,
347 size_high,
348 size_low,
349 NULL);
353 FILE_MAP_READ,
360 win_err: {
369 else
371 }
372 err:
379 }
381 /* Unmap the file, and return 0 for success or -1 for failure */
382 int
384 {
389 /* This is an ugly cast, but without it, "data" in struct tor_mmap_t would
390 have to be redefined as non-const. */
395 }
396 }
403 }
404 #else
408 /** Replacement for snprintf. Differs from platform snprintf in two
409 * ways: First, always NUL-terminates its output. Second, always
410 * returns -1 if the result is truncated. (Note that this return
411 * behavior does <i>not</i> conform to C99; it just happens to be
412 * easier to emulate "return -1" with conformant implementations than
413 * it is to emulate "return number that would be written" with
414 * non-conformant implementations.) */
415 int
417 {
424 }
426 /** Replacement for vsnprintf; behavior differs as tor_snprintf differs from
427 * snprintf.
428 */
429 int
431 {
437 #ifdef _WIN32
439 #else
441 #endif
446 }
448 /**
449 * Portable asprintf implementation. Does a printf() into a newly malloc'd
450 * string. Sets *<b>strp</b> to this string, and returns its length (not
451 * including the terminating NUL character).
452 *
453 * You can treat this function as if its implementation were something like
454 <pre>
455 char buf[_INFINITY_];
456 tor_snprintf(buf, sizeof(buf), fmt, args);
457 *strp = tor_strdup(buf);
458 return strlen(*strp):
459 </pre>
460 * Where _INFINITY_ is an imaginary constant so big that any string can fit
461 * into it.
462 */
463 int
465 {
472 /* LCOV_EXCL_START */
475 /* LCOV_EXCL_STOP */
476 }
478 }
480 /**
481 * Portable vasprintf implementation. Does a printf() into a newly malloc'd
482 * string. Differs from regular vasprintf in the same ways that
483 * tor_asprintf() differs from regular asprintf.
484 */
485 int
487 {
488 /* use a temporary variable in case *strp is in args. */
490 #ifdef HAVE_VASPRINTF
491 /* If the platform gives us one, use it. */
495 else
498 #elif defined(HAVE__VSCPRINTF)
499 /* On Windows, _vsnprintf won't tell us the length of the string if it
500 * overflows, so we need to use _vcsprintf to tell how much to allocate */
509 }
516 }
519 #else
520 /* Everywhere else, we have a decent vsnprintf that tells us how many
521 * characters we need. We give it a try on a short buffer first, since
522 * it might be nice to avoid the second vsnprintf call.
523 */
528 /* vsnprintf() was properly checked but tor_vsnprintf() available so
529 * why not use it? */
535 }
537 /* use of tor_vsnprintf() will ensure string is null terminated */
543 }
547 }
549 /** Given <b>hlen</b> bytes at <b>haystack</b> and <b>nlen</b> bytes at
550 * <b>needle</b>, return a pointer to the first occurrence of the needle
551 * within the haystack, or NULL if there is no such occurrence.
552 *
553 * This function is <em>not</em> timing-safe.
554 *
555 * Requires that <b>nlen</b> be greater than zero.
556 */
560 {
561 #if defined(HAVE_MEMMEM) && (!defined(__GNUC__) || __GNUC__ >= 2)
564 #else
565 /* This isn't as fast as the GLIBC implementation, but it doesn't need to
566 * be. */
577 /* Last position at which the needle could start. */
584 /* This comparison shouldn't be necessary, since if p was previously
585 * equal to last_possible_start, the next memchr call would be
586 * "memchr(p, first, 0)", which will return NULL. But it clarifies the
587 * logic. */
589 }
590 }
593 }
595 /**
596 * Tables to implement ctypes-replacement TOR_IS*() functions. Each table
597 * has 256 bits to look up whether a character is in some set or not. This
598 * fails on non-ASCII platforms, but it is hard to find a platform whose
599 * character set is not a superset of ASCII nowadays. */
601 /**@{*/
615 /** Upper-casing and lowercasing tables to map characters to upper/lowercase
616 * equivalents. Used by tor_toupper() and tor_tolower(). */
617 /**@{*/
635 };
653 };
654 /**@}*/
656 /** Helper for tor_strtok_r_impl: Advances cp past all characters in
657 * <b>sep</b>, and returns its new value. */
660 {
667 }
669 }
671 /** Implementation of strtok_r for platforms whose coders haven't figured out
672 * how to write one. Hey, retrograde libc developers! You can use this code
673 * here for free! */
676 {
688 }
695 }
702 }
704 }
706 #ifdef _WIN32
707 /** Take a filename and return a pointer to its final element. This
708 * function is called on __FILE__ to fix a MSVC nit where __FILE__
709 * contains the full path to the file. This is bad, because it
710 * confuses users to find the home directory of the person who
711 * compiled the binary in their warning messages.
712 */
715 {
727 }
729 }
732 /**
733 * Read a 16-bit value beginning at <b>cp</b>. Equivalent to
734 * *(uint16_t*)(cp), but will not cause segfaults on platforms that forbid
735 * unaligned memory access.
736 */
737 uint16_t
739 {
743 }
744 /**
745 * Read a 32-bit value beginning at <b>cp</b>. Equivalent to
746 * *(uint32_t*)(cp), but will not cause segfaults on platforms that forbid
747 * unaligned memory access.
748 */
749 uint32_t
751 {
755 }
756 /**
757 * Read a 64-bit value beginning at <b>cp</b>. Equivalent to
758 * *(uint64_t*)(cp), but will not cause segfaults on platforms that forbid
759 * unaligned memory access.
760 */
761 uint64_t
763 {
767 }
769 /**
770 * Set a 16-bit value beginning at <b>cp</b> to <b>v</b>. Equivalent to
771 * *(uint16_t*)(cp) = v, but will not cause segfaults on platforms that forbid
772 * unaligned memory access. */
773 void
775 {
777 }
778 /**
779 * Set a 32-bit value beginning at <b>cp</b> to <b>v</b>. Equivalent to
780 * *(uint32_t*)(cp) = v, but will not cause segfaults on platforms that forbid
781 * unaligned memory access. */
782 void
784 {
786 }
787 /**
788 * Set a 64-bit value beginning at <b>cp</b> to <b>v</b>. Equivalent to
789 * *(uint64_t*)(cp) = v, but will not cause segfaults on platforms that forbid
790 * unaligned memory access. */
791 void
793 {
795 }
797 /**
798 * Rename the file <b>from</b> to the file <b>to</b>. On Unix, this is
799 * the same as rename(2). On windows, this removes <b>to</b> first if
800 * it already exists.
801 * Returns 0 on success. Returns -1 and sets errno on failure.
802 */
803 int
805 {
806 #ifndef _WIN32
808 #else
810 {
822 }
825 }
827 /** Change <b>fname</b>'s modification time to now. */
828 int
830 {
834 }
836 /** Represents a lockfile on which we hold the lock. */
838 /** Name of the file */
840 /** File descriptor used to hold the file open */
842 };
844 /** Try to get a lock on the lockfile <b>filename</b>, creating it as
845 * necessary. If someone else has the lock and <b>blocking</b> is true,
846 * wait until the lock is available. Otherwise return immediately whether
847 * we succeeded or not.
848 *
849 * Set *<b>locked_out</b> to true if somebody else had the lock, and to false
850 * otherwise.
851 *
852 * Return a <b>tor_lockfile_t</b> on success, NULL on failure.
853 *
854 * (Implementation note: because we need to fall back to fcntl on some
855 * platforms, these locks are per-process, not per-thread. If you want
856 * to do in-process locking, use tor_mutex_t like a normal person.
857 * On Windows, when <b>blocking</b> is true, the maximum time that
858 * is actually waited is 10 seconds, after which NULL is returned
859 * and <b>locked_out</b> is set to 1.)
860 */
861 tor_lockfile_t *
863 {
874 }
876 #ifdef _WIN32
881 else
885 }
886 #elif defined(HAVE_FLOCK)
890 else
894 }
895 #else
896 {
904 else
908 }
909 }
916 }
918 /** Release the lock held as <b>lockfile</b>. */
919 void
921 {
925 #ifdef _WIN32
930 }
931 #elif defined(HAVE_FLOCK)
935 }
936 #else
937 /* Closing the lockfile is sufficient. */
944 }
946 /** @{ */
947 /** Some old versions of Unix didn't define constants for these values,
948 * and instead expect you to say 0, 1, or 2. */
949 #ifndef SEEK_SET
950 #define SEEK_SET 0
951 #endif
952 #ifndef SEEK_CUR
953 #define SEEK_CUR 1
954 #endif
955 #ifndef SEEK_END
956 #define SEEK_END 2
957 #endif
958 /** @} */
960 /** Return the position of <b>fd</b> with respect to the start of the file. */
961 off_t
963 {
964 #ifdef _WIN32
966 #else
968 #endif
969 }
971 /** Move <b>fd</b> to the end of the file. Return -1 on error, 0 on success.
972 * If the file is a pipe, do nothing and succeed.
973 **/
974 int
976 {
977 #ifdef _WIN32
979 #else
981 #ifdef ESPIPE
982 /* If we get an error and ESPIPE, then it's a pipe or a socket of a fifo:
983 * no need to worry. */
989 }
991 /** Move <b>fd</b> to position <b>pos</b> in the file. Return -1 on error, 0
992 * on success. */
993 int
995 {
996 #ifdef _WIN32
998 #else
1000 #endif
1001 }
1003 /** Replacement for ftruncate(fd, 0): move to the front of the file and remove
1004 * all the rest of the file. Return -1 on error, 0 on success. */
1005 int
1007 {
1008 /* Rumor has it that some versions of ftruncate do not move the file pointer.
1009 */
1013 #ifdef _WIN32
1015 #else
1017 #endif
1018 }
1020 #undef DEBUG_SOCKET_COUNTING
1021 #ifdef DEBUG_SOCKET_COUNTING
1022 /** A bitarray of all fds that should be passed to tor_socket_close(). Only
1023 * used if DEBUG_SOCKET_COUNTING is defined. */
1025 /** The size of <b>open_sockets</b>, in bits. */
1029 /** Count of number of sockets currently open. (Undercounts sockets opened by
1030 * eventdns and libevent.) */
1033 /** Mutex to protect open_sockets, max_socket, and n_sockets_open. */
1036 /** Helper: acquire the socket accounting lock. */
1039 {
1043 }
1045 /** Helper: release the socket accounting lock. */
1048 {
1050 }
1052 /** As close(), but guaranteed to work for sockets across platforms (including
1053 * Windows, where close()ing a socket doesn't work. Returns 0 on success and
1054 * the socket error code on failure. */
1055 int
1057 {
1060 /* On Windows, you have to call close() on fds returned by open(),
1061 * and closesocket() on fds returned by socket(). On Unix, everything
1062 * gets close()'d. We abstract this difference by always using
1063 * tor_close_socket to close sockets, and always using close() on
1064 * files.
1065 */
1066 #if defined(_WIN32)
1068 #else
1070 #endif
1076 }
1079 }
1081 /** As tor_close_socket_simple(), but keeps track of the number
1082 * of open sockets. Returns 0 on success, -1 on failure. */
1085 {
1089 #ifdef DEBUG_SOCKET_COUNTING
1096 }
1101 #ifdef _WIN32
1104 #else
1109 }
1114 }
1116 /** @{ */
1117 #ifdef DEBUG_SOCKET_COUNTING
1118 /** Helper: if DEBUG_SOCKET_COUNTING is enabled, remember that <b>s</b> is
1119 * now an open socket. */
1122 {
1123 /* XXXX This bitarray business will NOT work on windows: sockets aren't
1124 small ints there. */
1132 }
1133 }
1137 }
1139 }
1141 #define mark_socket_open(s) ((void) (s))
1143 /** @} */
1145 /** As socket(), but counts the number of open sockets. */
1148 {
1150 }
1152 /** Mockable wrapper for connect(). */
1155 socklen_t address_len))
1156 {
1158 }
1160 /** As socket(), but creates a nonblocking socket and
1161 * counts the number of open sockets. */
1162 tor_socket_t
1164 {
1166 }
1168 /** As socket(), but counts the number of open sockets and handles
1169 * socket creation with either of SOCK_CLOEXEC and SOCK_NONBLOCK specified.
1170 * <b>cloexec</b> and <b>nonblock</b> should be either 0 or 1 to indicate
1171 * if the corresponding extension should be used.*/
1172 tor_socket_t
1175 {
1176 tor_socket_t s;
1178 /* We are about to create a new file descriptor so make sure we have
1179 * enough of them. */
1181 #ifdef _WIN32
1183 #else
1185 #endif
1187 }
1189 #if defined(SOCK_CLOEXEC) && defined(SOCK_NONBLOCK)
1195 /* If we got an error, see if it is EINVAL. EINVAL might indicate that,
1196 * even though we were built on a system with SOCK_CLOEXEC and SOCK_NONBLOCK
1197 * support, we are running on one without. */
1206 #if defined(FD_CLOEXEC)
1212 }
1213 }
1222 }
1223 }
1227 socket_ok:
1230 }
1232 /**
1233 * For socket accounting: remember that we are the owner of the socket
1234 * <b>s</b>. This will prevent us from overallocating sockets, and prevent us
1235 * from asserting later when we close the socket <b>s</b>.
1236 */
1237 void
1239 {
1244 }
1246 /** As accept(), but counts the number of open sockets. */
1247 tor_socket_t
1249 {
1251 }
1253 /** As accept(), but returns a nonblocking socket and
1254 * counts the number of open sockets. */
1255 tor_socket_t
1258 {
1260 }
1262 /** As accept(), but counts the number of open sockets and handles
1263 * socket creation with either of SOCK_CLOEXEC and SOCK_NONBLOCK specified.
1264 * <b>cloexec</b> and <b>nonblock</b> should be either 0 or 1 to indicate
1265 * if the corresponding extension should be used.*/
1266 tor_socket_t
1269 {
1270 tor_socket_t s;
1272 /* We are about to create a new file descriptor so make sure we have
1273 * enough of them. */
1275 #ifdef _WIN32
1277 #else
1279 #endif
1281 }
1283 #if defined(HAVE_ACCEPT4) && defined(SOCK_CLOEXEC) \
1284 && defined(SOCK_NONBLOCK)
1290 /* If we got an error, see if it is ENOSYS. ENOSYS indicates that,
1291 * even though we were built on a system with accept4 support, we
1292 * are running on one without. Also, check for EINVAL, which indicates that
1293 * we are missing SOCK_CLOEXEC/SOCK_NONBLOCK support. */
1302 #if defined(FD_CLOEXEC)
1308 }
1309 }
1318 }
1319 }
1323 socket_ok:
1326 }
1328 /** Return the number of sockets we currently have opened. */
1329 int
1331 {
1337 }
1339 /** Mockable wrapper for getsockname(). */
1343 {
1345 }
1347 /**
1348 * Find the local address associated with the socket <b>sock</b>, and
1349 * place it in *<b>addr_out</b>. Return 0 on success, -1 on failure.
1350 *
1351 * (As tor_getsockname, but instead places the result in a tor_addr_t.) */
1352 int
1354 {
1363 }
1365 /** Turn <b>socket</b> into a nonblocking socket. Return 0 on success, -1
1366 * on failure.
1367 */
1368 int
1370 {
1371 #if defined(_WIN32)
1374 #else
1381 }
1386 }
1390 }
1392 /**
1393 * Allocate a pair of connected sockets. (Like socketpair(family,
1394 * type,protocol,fd), but works on systems that don't have
1395 * socketpair.)
1396 *
1397 * Currently, only (AF_UNIX, SOCK_STREAM, 0) sockets are supported.
1398 *
1399 * Note that on systems without socketpair, this call will fail if
1400 * localhost is inaccessible (for example, if the networking
1401 * stack is down). And even if it succeeds, the socket pair will not
1402 * be able to read while localhost is down later (the socket pair may
1403 * even close, depending on OS-specific timeouts).
1404 *
1405 * Returns 0 on success and -errno on failure; do not rely on the value
1406 * of errno or WSAGetLastError().
1407 **/
1408 /* It would be nicer just to set errno, but that won't work for windows. */
1409 int
1411 {
1412 //don't use win32 socketpairs (they are always bad)
1413 #if defined(HAVE_SOCKETPAIR) && !defined(_WIN32)
1416 #ifdef SOCK_CLOEXEC
1420 /* If we got an error, see if it is EINVAL. EINVAL might indicate that,
1421 * even though we were built on a system with SOCK_CLOEXEC support, we
1422 * are running on one without. */
1431 #if defined(FD_CLOEXEC)
1438 }
1439 }
1446 }
1447 }
1451 sockets_ok:
1456 }
1460 }
1467 }
1469 #ifdef NEED_ERSATZ_SOCKETPAIR
1473 {
1481 }
1482 }
1484 /**
1485 * Helper used to implement socketpair on systems that lack it, by
1486 * making a direct connection to localhost.
1487 */
1488 STATIC int
1490 {
1491 /* This socketpair does not work when localhost is down. So
1492 * it's really not the same thing at all. But it's close enough
1493 * for now, and really, when localhost is down sometimes, we
1494 * have other problems too.
1495 */
1499 tor_addr_t listen_tor_addr;
1503 tor_addr_t connect_tor_addr;
1506 socklen_t size;
1516 #ifdef AF_UNIX
1518 #endif
1519 ) {
1520 #ifdef _WIN32
1522 #else
1524 #endif
1525 }
1528 }
1535 /* Assume we're on an IPv6-only system */
1539 /* Keep the previous behaviour, which was to return the IPv4 error.
1540 * (This may be less informative on IPv6-only systems.)
1541 * XX/teor - is there a better way to decide which errno to return?
1542 * (I doubt we care much either way, once there is an error.)
1543 */
1545 }
1546 }
1547 }
1548 /* If there is no 127.0.0.1 or ::1, this will and must fail. Otherwise, we
1549 * risk exposing a socketpair on a routable IP address. (Some BSD jails
1550 * use a routable address for localhost. Fortunately, they have the real
1551 * AF_UNIX socketpair.) */
1556 }
1560 listen_addr,
1570 /* We want to find out the port number to connect to. */
1585 /* Now check we are talking to ourself by matching port and host on the
1586 two sockets. */
1589 /* Set *_tor_addr and *_port to the address and port that was used */
1596 }
1603 abort_tidy_up_and_fail:
1604 #ifdef _WIN32
1606 #else
1608 #endif
1609 tidy_up_and_fail:
1619 }
1621 #undef SIZEOF_SOCKADDR
1625 /* Return the maximum number of allowed sockets. */
1626 int
1628 {
1630 }
1632 /** Number of extra file descriptors to keep in reserve beyond those that we
1633 * tell Tor it's allowed to use. */
1636 /** Learn the maximum allowed number of file descriptors, and tell the
1637 * system we want to use up to that number. (Some systems have a low soft
1638 * limit, and let us set it higher.) We compute this by finding the largest
1639 * number that we can use.
1640 *
1641 * If the limit is below the reserved file descriptor value (ULIMIT_BUFFER),
1642 * return -1 and <b>max_out</b> is untouched.
1643 *
1644 * If we can't find a number greater than or equal to <b>limit</b>, then we
1645 * fail by returning -1 and <b>max_out</b> is untouched.
1646 *
1647 * If we are unable to set the limit value because of setrlimit() failing,
1648 * return 0 and <b>max_out</b> is set to the current maximum value returned
1649 * by getrlimit().
1650 *
1651 * Otherwise, return 0 and store the maximum we found inside <b>max_out</b>
1652 * and set <b>max_sockets</b> with that value as well.*/
1653 int
1655 {
1660 }
1662 /* Define some maximum connections values for systems where we cannot
1663 * automatically determine a limit. Re Cygwin, see
1664 * http://archives.seul.org/or/talk/Aug-2006/msg00210.html
1665 * For an iPhone, 9999 should work. For Windows and all other unknown
1666 * systems we use 15000 as the default. */
1667 #ifndef HAVE_GETRLIMIT
1668 #if defined(CYGWIN) || defined(__CYGWIN__)
1671 #elif defined(_WIN32)
1674 #else
1682 "We do not support more than %lu file descriptors "
1686 }
1695 }
1701 }
1706 }
1707 /* Set the current limit value so if the attempt to set the limit to the
1708 * max fails at least we'll have a valid value of maximum sockets. */
1715 #ifdef OPEN_MAX
1718 /* On some platforms, OPEN_MAX is the real limit, and getrlimit() is
1719 * full of nasty lies. I'm looking at you, OSX 10.5.... */
1724 "OPEN_MAX (%lu), and ConnLimit is %lu. Changing "
1730 "OPEN_MAX (%lu); Apparently, %lu was too high and rlimit "
1734 }
1736 }
1737 }
1742 }
1743 }
1744 /* leave some overhead for logs, etc, */
1753 }
1755 #ifndef _WIN32
1756 /** Log details of current user and group credentials. Return 0 on
1757 * success. Logs and return -1 on failure.
1758 */
1759 static int
1761 {
1762 /** Log level to use when describing non-error UID/GID status. */
1763 #define CREDENTIAL_LOG_LEVEL LOG_INFO
1764 /* Real, effective and saved UIDs */
1766 /* Read, effective and saved GIDs */
1768 /* Supplementary groups */
1771 /* Number of supplementary groups */
1774 /* log UIDs */
1775 #ifdef HAVE_GETRESUID
1783 }
1785 /* getresuid is not present on MacOS X, so we can't get the saved (E)UID */
1795 /* log GIDs */
1796 #ifdef HAVE_GETRESGID
1804 }
1806 /* getresgid is not present on MacOS X, so we can't get the saved (E)GID */
1815 /* log supplementary groups */
1823 }
1837 }
1849 }
1852 }
1855 #ifndef _WIN32
1856 /** Cached struct from the last getpwname() call we did successfully. */
1859 /** Helper: copy a struct passwd object.
1860 *
1861 * We only copy the fields pw_uid, pw_gid, pw_name, pw_dir. Tor doesn't use
1862 * any others, and I don't want to run into incompatibilities.
1863 */
1866 {
1876 }
1878 #define tor_passwd_free(pw) \
1879 FREE_AND_NULL(struct passwd, tor_passwd_free_, (pw))
1881 /** Helper: free one of our cached 'struct passwd' values. */
1882 static void
1884 {
1891 }
1893 /** Wrapper around getpwnam() that caches result. Used so that we don't need
1894 * to give the sandbox access to /etc/passwd.
1895 *
1896 * The following fields alone will definitely be copied in the output: pw_uid,
1897 * pw_gid, pw_name, pw_dir. Other fields are not present in cached values.
1898 *
1899 * When called with a NULL argument, this function clears storage associated
1900 * with static variables it uses.
1901 **/
1904 {
1911 }
1919 }
1921 /* Lookup failed */
1929 }
1931 /** Wrapper around getpwnam() that can use cached result from
1932 * tor_getpwnam(). Used so that we don't need to give the sandbox access to
1933 * /etc/passwd.
1934 *
1935 * The following fields alone will definitely be copied in the output: pw_uid,
1936 * pw_gid, pw_name, pw_dir. Other fields are not present in cached values.
1937 */
1940 {
1945 }
1947 /* Lookup failed */
1955 }
1958 /** Return true iff we were compiled with capability support, and capabilities
1959 * seem to work. **/
1960 int
1962 {
1963 #ifdef HAVE_LINUX_CAPABILITIES
1972 }
1974 #ifdef HAVE_LINUX_CAPABILITIES
1975 /** Helper. Drop all capabilities but a small set, and set PR_KEEPCAPS as
1976 * appropriate.
1977 *
1978 * If pre_setuid, retain only CAP_NET_BIND_SERVICE, CAP_SETUID, and
1979 * CAP_SETGID, and use PR_KEEPCAPS to ensure that capabilities persist across
1980 * setuid().
1981 *
1982 * If not pre_setuid, retain only CAP_NET_BIND_SERVICE, and disable
1983 * PR_KEEPCAPS.
1984 *
1985 * Return 0 on success, and -1 on failure.
1986 */
1987 static int
1989 {
1990 /* We keep these three capabilities, and these only, as we setuid.
1991 * After we setuid, we drop all but the first. */
1994 };
2001 /* Sets whether we keep capabilities across a setuid. */
2006 }
2013 }
2026 }
2029 }
2032 /** Call setuid and setgid to run as <b>user</b> and switch to their
2033 * primary group. Return 0 on success. On failure, log and return -1.
2034 *
2035 * If SWITCH_ID_KEEP_BINDLOW is set in 'flags', try to use the capability
2036 * system to retain the abilitity to bind low ports.
2037 *
2038 * If SWITCH_ID_WARN_IF_NO_CAPS is set in flags, also warn if we have
2039 * don't have capability support.
2040 */
2041 int
2043 {
2044 #ifndef _WIN32
2046 uid_t old_uid;
2047 gid_t old_gid;
2057 /* Log the initial credential state */
2063 /* Get old UID/GID to check if we changed correctly */
2067 /* Lookup the user and group information, if we have a problem, bail out. */
2072 }
2074 #ifdef HAVE_LINUX_CAPABILITIES
2079 }
2085 }
2088 /* Properly switch egid,gid,euid,uid here or bail out */
2095 "you want to be. (If you did not set the User option in your "
2096 "torrc, check whether it was specified on the command line "
2101 }
2103 }
2109 }
2115 }
2121 }
2127 }
2129 /* This is how OpenBSD rolls:
2130 if (setgroups(1, &pw->pw_gid) || setegid(pw->pw_gid) ||
2131 setgid(pw->pw_gid) || setuid(pw->pw_uid) || seteuid(pw->pw_uid)) {
2132 setgid(pw->pw_gid) || seteuid(pw->pw_uid) || setuid(pw->pw_uid)) {
2133 log_warn(LD_GENERAL, "Error setting configured UID/GID: %s",
2134 strerror(errno));
2135 return -1;
2136 }
2137 */
2139 /* We've properly switched egid, gid, euid, uid, and supplementary groups if
2140 * we're here. */
2141 #ifdef HAVE_LINUX_CAPABILITIES
2145 }
2148 #if !defined(CYGWIN) && !defined(__CYGWIN__)
2149 /* If we tried to drop privilege to a group/user other than root, attempt to
2150 * restore root (E)(U|G)ID, and abort if the operation succeeds */
2152 /* Only check for privilege dropping if we were asked to be non-root */
2154 /* Try changing GID/EGID */
2160 }
2162 /* Try changing UID/EUID */
2168 }
2169 }
2172 /* Check what really happened */
2175 }
2179 #if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) && \
2180 defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
2182 /* Re-enable core dumps if we're not running as root. */
2186 }
2187 }
2198 }
2200 /* We only use the linux prctl for now. There is no Win32 support; this may
2201 * also work on various BSD systems and Mac OS X - send testing feedback!
2202 *
2203 * On recent Gnu/Linux kernels it is possible to create a system-wide policy
2204 * that will prevent non-root processes from attaching to other processes
2205 * unless they are the parent process; thus gdb can attach to programs that
2206 * they execute but they cannot attach to other processes running as the same
2207 * user. The system wide policy may be set with the sysctl
2208 * kernel.yama.ptrace_scope or by inspecting
2209 * /proc/sys/kernel/yama/ptrace_scope and it is 1 by default on Ubuntu 11.04.
2210 *
2211 * This ptrace scope will be ignored on Gnu/Linux for users with
2212 * CAP_SYS_PTRACE and so it is very likely that root will still be able to
2213 * attach to the Tor process.
2214 */
2215 /** Attempt to disable debugger attachment: return 1 on success, -1 on
2216 * failure, and 0 if we don't know how to try on this platform. */
2217 int
2219 {
2222 "Attemping to disable debugger attachment to Tor for "
2224 #if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) \
2225 && defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
2226 #define TRIED_TO_DISABLE
2228 #elif defined(__APPLE__) && defined(PT_DENY_ATTACH)
2229 #define TRIED_TO_ATTACH
2233 // XXX: TODO - Mac OS X has dtrace and this may be disabled.
2234 // XXX: TODO - Windows probably has something similar
2235 #ifdef TRIED_TO_DISABLE
2243 }
2245 #undef TRIED_TO_DISABLE
2247 }
2249 #ifdef HAVE_PWD_H
2250 /** Allocate and return a string containing the home directory for the
2251 * user <b>username</b>. Only works on posix-like systems. */
2254 {
2261 }
2263 }
2266 /** Modify <b>fname</b> to contain the name of its parent directory. Doesn't
2267 * actually examine the filesystem; does a purely syntactic modification.
2268 *
2269 * The parent of the root director is considered to be iteself.
2270 *
2271 * Path separators are the forward slash (/) everywhere and additionally
2272 * the backslash (\) on Win32.
2273 *
2274 * Cuts off any number of trailing path separators but otherwise ignores
2275 * them for purposes of finding the parent directory.
2276 *
2277 * Returns 0 if a parent directory was successfully found, -1 otherwise (fname
2278 * did not have any path separators or only had them at the end).
2279 * */
2280 int
2282 {
2286 #ifdef _WIN32
2287 /* If we start with, say, c:, then don't consider that the start of the path
2288 */
2291 }
2293 /* Now we want to remove all path-separators at the end of the string,
2294 * and to remove the end of the string starting with the path separator
2295 * before the last non-path-separator. In perl, this would be
2296 * s#[/]*$##; s#/[^/]*$##;
2297 * on a unixy platform.
2298 */
2303 #ifdef _WIN32
2305 #endif
2306 );
2309 /* This is the first separator in the file name; don't remove it! */
2312 }
2318 }
2319 }
2321 }
2323 #ifndef _WIN32
2324 /** Return a newly allocated string containing the output of getcwd(). Return
2325 * NULL on failure. (We can't just use getcwd() into a PATH_MAX buffer, since
2326 * Hurd hasn't got a PATH_MAX.)
2327 */
2330 {
2331 #ifdef HAVE_GET_CURRENT_DIR_NAME
2332 /* Glibc makes this nice and simple for us. */
2336 /* We make a copy here, in case tor_malloc() is not malloc(). */
2339 }
2353 }
2356 }
2359 }
2362 /** Expand possibly relative path <b>fname</b> to an absolute path.
2363 * Return a newly allocated string, possibly equal to <b>fname</b>. */
2366 {
2367 #ifdef _WIN32
2370 /* We don't want to assume that tor_free can free a string allocated
2371 * with malloc. On failure, return fname (it's better than nothing). */
2389 /* LCOV_EXCL_START Can't make getcwd fail. */
2390 /* If getcwd failed, the best we can do here is keep using the
2391 * relative path. (Perhaps / isn't readable by this UID/GID.) */
2395 /* LCOV_EXCL_STOP */
2396 }
2397 }
2400 }
2402 #ifndef HAVE__NSGETENVIRON
2403 #ifndef HAVE_EXTERN_ENVIRON_DECLARED
2404 /* Some platforms declare environ under some circumstances, others don't. */
2405 #ifndef RUNNING_DOXYGEN
2407 #endif
2411 /** Return the current environment. This is a portable replacement for
2412 * 'environ'. */
2415 {
2416 #ifdef HAVE__NSGETENVIRON
2417 /* This is for compatibility between OSX versions. Otherwise (for example)
2418 * when we do a mostly-static build on OSX 10.7, the resulting binary won't
2419 * work on OSX 10.6. */
2424 }
2426 /** Get name of current host and write it to <b>name</b> array, whose
2427 * length is specified by <b>namelen</b> argument. Return 0 upon
2428 * successful completion; otherwise return return -1. (Currently,
2429 * this function is merely a mockable wrapper for POSIX gethostname().)
2430 */
2433 {
2435 }
2437 /** Set *addr to the IP address (in dotted-quad notation) stored in *str.
2438 * Return 1 on success, 0 if *str is badly formatted.
2439 * (Like inet_aton(str,addr), but works on Windows and Solaris.)
2440 */
2441 int
2443 {
2454 }
2456 /** Given <b>af</b>==AF_INET and <b>src</b> a struct in_addr, or
2457 * <b>af</b>==AF_INET6 and <b>src</b> a struct in6_addr, try to format the
2458 * address and store it in the <b>len</b>-byte buffer <b>dst</b>. Returns
2459 * <b>dst</b> on success, NULL on failure.
2460 *
2461 * (Like inet_ntop(af,src,dst,len), but works on platforms that don't have it:
2462 * Tor sometimes needs to format ipv6 addresses even on platforms without ipv6
2463 * support.) */
2466 {
2470 else
2480 }
2484 /* This is an IPv4 address. */
2493 }
2498 }
2506 }
2510 }
2513 }
2514 }
2532 }
2533 }
2541 }
2542 }
2544 /** Given <b>af</b>==AF_INET or <b>af</b>==AF_INET6, and a string <b>src</b>
2545 * encoding an IPv4 address or IPv6 address correspondingly, try to parse the
2546 * address and store the result in <b>dst</b> (which must have space for a
2547 * struct in_addr or a struct in6_addr, as appropriate). Return 1 on success,
2548 * 0 on a bad parse, and -1 on a bad <b>af</b>.
2549 *
2550 * (Like inet_pton(af,src,dst) but works on platforms that don't have it: Tor
2551 * sometimes needs to format ipv6 addresses even on platforms without ipv6
2552 * support.) */
2553 int
2555 {
2573 ;
2578 /* We use "scanf" because some platform inet_aton()s are too lax
2579 * about IPv4 addresses of the form "1.2.3" */
2590 }
2598 ssize_t len;
2601 /* The 'next == src' error case can happen on versions of openbsd
2602 * which treat "0xfoo" as an error, rather than as "0" followed by
2603 * "xfoo". */
2605 }
2616 setWords++;
2630 }
2631 }
2645 }
2649 }
2654 }
2655 }
2657 /** Similar behavior to Unix gethostbyname: resolve <b>name</b>, and set
2658 * *<b>addr</b> to the proper IP address, in host byte order. Returns 0
2659 * on success, -1 on failure; 1 on transient failure.
2660 *
2661 * (This function exists because standard windows gethostbyname
2662 * doesn't treat raw IP addresses properly.)
2663 */
2667 {
2668 tor_addr_t myaddr;
2677 }
2680 }
2682 /** Hold the result of our call to <b>uname</b>. */
2684 /** True iff uname_result is set. */
2687 /** Return a pointer to a description of our platform.
2688 */
2691 {
2692 #ifdef HAVE_UNAME
2694 #endif
2696 #ifdef HAVE_UNAME
2698 /* (Linux says 0 is success, Solaris says 1 is success) */
2702 {
2703 #ifdef _WIN32
2704 OSVERSIONINFOEX info;
2716 /* { 4, 0, "Windows NT 4.0" }, */
2719 /* { 4, 0, "Windows 95" } */
2722 };
2730 }
2734 else
2742 }
2743 }
2744 }
2753 else
2757 }
2758 #ifdef VER_NT_SERVER
2762 }
2765 /* LCOV_EXCL_START -- can't provoke uname failure */
2767 /* LCOV_EXCL_STOP */
2769 }
2771 }
2773 }
2775 /*
2776 * Process control
2777 */
2779 /** Implementation logic for compute_num_cpus(). */
2780 static int
2782 {
2783 #ifdef _WIN32
2784 SYSTEM_INFO info;
2789 else
2791 #elif defined(HAVE_SYSCONF)
2792 #ifdef _SC_NPROCESSORS_CONF
2794 #else
2796 #endif
2797 #ifdef _SC_NPROCESSORS_ONLN
2799 #else
2801 #endif
2811 "are available. Telling Tor to only use %ld. You can over"
2814 }
2816 }
2820 else
2822 #else
2825 }
2827 #define MAX_DETECTABLE_CPUS 16
2829 /** Return how many CPUs we are running with. We assume that nobody is
2830 * using hot-swappable CPUs, so we don't recompute this after the first
2831 * time. Return -1 if we don't know how to tell the number of CPUs on this
2832 * system.
2833 */
2834 int
2836 {
2842 /* LCOV_EXCL_START */
2844 "will not autodetect any more than %d, though. If you "
2848 /* LCOV_EXCL_STOP */
2849 }
2850 }
2852 }
2854 #if !defined(_WIN32)
2855 /** Defined iff we need to add locks when defining fake versions of reentrant
2856 * versions of time-related functions. */
2857 #define TIME_FNS_NEED_LOCKS
2858 #endif
2860 /** Helper: Deal with confused or out-of-bounds values from localtime_r and
2861 * friends. (On some platforms, they can give out-of-bounds values or can
2862 * return NULL.) If <b>islocal</b>, this is a localtime result; otherwise
2863 * it's from gmtime. The function returns <b>r</b>, when given <b>timep</b>
2864 * as its input. If we need to store new results, store them in
2865 * <b>resultbuf</b>. */
2869 {
2873 /* We can't strftime dates after 9999 CE, and we want to avoid dates
2874 * before 1 CE (avoiding the year 0 issue and negative years). */
2893 }
2895 }
2897 /* If we get here, gmtime or localtime returned NULL. It might have done
2898 * this because of overrun or underrun, or it might have done it because of
2899 * some other weird issue. */
2914 /* Rounding down to INT32_MAX isn't so great, but keep in mind that we
2915 * only do it if gmtime/localtime tells us NULL. */
2927 }
2928 }
2930 /* If we get here, then gmtime/localtime failed without getting an extreme
2931 * value for *timep */
2932 /* LCOV_EXCL_START */
2937 /* LCOV_EXCL_STOP */
2938 done:
2943 outcome);
2945 }
2947 /** @{ */
2948 /** As localtime_r, but defined for platforms that don't have it:
2949 *
2950 * Convert *<b>timep</b> to a struct tm in local time, and store the value in
2951 * *<b>result</b>. Return the result on success, or NULL on failure.
2952 */
2953 #ifdef HAVE_LOCALTIME_R
2956 {
2960 }
2961 #elif defined(TIME_FNS_NEED_LOCKS)
2964 {
2975 }
2976 #else
2979 {
2986 }
2988 /** @} */
2990 /** @{ */
2991 /** As gmtime_r, but defined for platforms that don't have it:
2992 *
2993 * Convert *<b>timep</b> to a struct tm in UTC, and store the value in
2994 * *<b>result</b>. Return the result on success, or NULL on failure.
2995 */
2996 #ifdef HAVE_GMTIME_R
2999 {
3003 }
3004 #elif defined(TIME_FNS_NEED_LOCKS)
3007 {
3018 }
3019 #else
3022 {
3029 }
3032 #if defined(HAVE_MLOCKALL) && HAVE_DECL_MLOCKALL && defined(RLIMIT_MEMLOCK)
3033 #define HAVE_UNIX_MLOCKALL
3034 #endif
3036 #ifdef HAVE_UNIX_MLOCKALL
3037 /** Attempt to raise the current and max rlimit to infinity for our process.
3038 * This only needs to be done once and can probably only be done when we have
3039 * not already dropped privileges.
3040 */
3041 static int
3043 {
3044 /* Future consideration for Windows is probably SetProcessWorkingSetSize
3045 * This is similar to setting the memory rlimit of RLIMIT_MEMLOCK
3046 * http://msdn.microsoft.com/en-us/library/ms686234(VS.85).aspx
3047 */
3051 /* RLIM_INFINITY is -1 on some platforms. */
3059 }
3063 }
3066 }
3069 /** Attempt to lock all current and all future memory pages.
3070 * This should only be called once and while we're privileged.
3071 * Like mlockall() we return 0 when we're successful and -1 when we're not.
3072 * Unlike mlockall() we return 1 if we've already attempted to lock memory.
3073 */
3074 int
3076 {
3081 }
3085 /*
3086 * Future consideration for Windows may be VirtualLock
3087 * VirtualLock appears to implement mlock() but not mlockall()
3088 *
3089 * http://msdn.microsoft.com/en-us/library/aa366895(VS.85).aspx
3090 */
3092 #ifdef HAVE_UNIX_MLOCKALL
3095 }
3102 /* Apple - it's 2009! I'm looking at you. Grrr. */
3108 }
3112 }
3117 }
3119 /**
3120 * On Windows, WSAEWOULDBLOCK is not always correct: when you see it,
3121 * you need to ask the socket for its actual errno. Also, you need to
3122 * get your errors from WSAGetLastError, not errno. (If you supply a
3123 * socket of -1, we check WSAGetLastError, but don't correct
3124 * WSAEWOULDBLOCKs.)
3125 *
3126 * The upshot of all of this is that when a socket call fails, you
3127 * should call tor_socket_errno <em>at most once</em> on the failing
3128 * socket to get the error.
3129 */
3130 #if defined(_WIN32)
3131 int
3133 {
3141 }
3143 }
3146 #if defined(_WIN32)
3164 /* What's the difference between NOTSUPP and NOSUPPORT? :) */
3184 /* Yes, some of these start with WSA, not WSAE. No, I don't know why. */
3189 #ifdef WSATYPE_NOT_FOUND
3191 #endif
3197 /* There are some more error codes whose numeric values are marked
3198 * <b>OS dependent</b>. They start with WSA_, apparently for the same
3199 * reason that practitioners of some craft traditions deliberately
3200 * introduce imperfections into their baskets and rugs "to allow the
3201 * evil spirits to escape." If we catch them, then our binaries
3202 * might not report consistent results across versions of Windows.
3203 * Thus, I'm going to let them all fall through.
3204 */
3206 };
3207 /** There does not seem to be a strerror equivalent for Winsock errors.
3208 * Naturally, we have to roll our own.
3209 */
3212 {
3217 }
3219 }
3222 /** Called before we make any calls to network-related functions.
3223 * (Some operating systems require their network libraries to be
3224 * initialized.) */
3225 int
3227 {
3228 #ifdef _WIN32
3229 /* This silly exercise is necessary before windows will allow
3230 * gethostbyname to work. */
3231 WSADATA WSAData;
3237 }
3242 }
3243 /* WSAData.iMaxSockets might show the max sockets we're allowed to use.
3244 * We might use it to complain if we're trying to be a server but have
3245 * too few sockets available. */
3248 }
3250 #ifdef _WIN32
3251 /** Return a newly allocated string describing the windows system error code
3252 * <b>err</b>. Note that error codes are different from errno. Error codes
3253 * come from GetLastError() when a winapi call fails. errno is set only when
3254 * ANSI functions fail. Whee. */
3257 {
3260 DWORD n;
3262 /* Somebody once decided that this interface was better than strerror(). */
3264 FORMAT_MESSAGE_FROM_SYSTEM |
3265 FORMAT_MESSAGE_IGNORE_INSERTS,
3272 #ifdef UNICODE
3276 * make sure. */
3277 else
3287 }
3290 }
3292 }
3295 #if defined(HW_PHYSMEM64)
3296 /* This appears to be an OpenBSD thing */
3297 #define INT64_HW_MEM HW_PHYSMEM64
3298 #elif defined(HW_MEMSIZE)
3299 /* OSX defines this one */
3300 #define INT64_HW_MEM HW_MEMSIZE
3303 /**
3304 * Helper: try to detect the total system memory, and return it. On failure,
3305 * return 0.
3306 */
3307 static uint64_t
3309 {
3310 #if defined(__linux__)
3311 /* On linux, sysctl is deprecated. Because proc is so awesome that you
3312 * shouldn't _want_ to write portable code, I guess? */
3326 /* Use the system sscanf so that space will match a wider number of space */
3334 /* LCOV_EXCL_START Can't reach this unless proc is broken. */
3335 err:
3339 /* LCOV_EXCL_STOP */
3340 #elif defined (_WIN32)
3341 /* Windows has MEMORYSTATUSEX; pretty straightforward. */
3342 MEMORYSTATUSEX ms;
3350 #elif defined(HAVE_SYSCTL) && defined(INT64_HW_MEM)
3351 /* On many systems, HW_PYHSMEM is clipped to 32 bits; let's use a better
3352 * variant if we know about it. */
3361 #elif defined(HAVE_SYSCTL) && defined(HW_PHYSMEM)
3362 /* On some systems (like FreeBSD I hope) you can use a size_t with
3363 * HW_PHYSMEM. */
3372 #else
3373 /* I have no clue. */
3376 }
3378 /**
3379 * Try to find out how much physical memory the system has. On success,
3380 * return 0 and set *<b>mem_out</b> to that value. On failure, return -1.
3381 */
3382 int
3384 {
3388 /* LCOV_EXCL_START -- can't make this happen without mocking. */
3389 /* We couldn't find our memory total */
3391 /* We have no cached value either */
3394 }
3398 /* LCOV_EXCL_STOP */
3399 }
3401 #if SIZE_MAX != UINT64_MAX
3403 /* I think this could happen if we're a 32-bit Tor running on a 64-bit
3404 * system: we could have more system memory than would fit in a
3405 * size_t. */
3407 }
3413 }
3415 /** Emit the password prompt <b>prompt</b>, then read up to <b>buflen</b>
3416 * bytes of passphrase into <b>output</b>. Return the number of bytes in
3417 * the passphrase, excluding terminating NUL.
3418 */
3419 ssize_t
3421 {
3424 #if defined(HAVE_READPASSPHRASE)
3429 #elif defined(_WIN32)
3433 }
3459 }
3460 }
3461 done_reading:
3462 ;
3464 #ifndef WC_ERR_INVALID_CHARS
3465 #define WC_ERR_INVALID_CHARS 0x80
3466 #endif
3468 /* Now convert it to UTF-8 */
3477 }
3483 done:
3487 #else
3490 }
3492 /** Return the amount of free disk space we have permission to use, in
3493 * bytes. Return -1 if the amount of free space can't be determined. */
3494 int64_t
3496 {
3497 #ifdef HAVE_STATVFS
3513 }
3516 #elif defined(_WIN32)
3517 ULARGE_INTEGER freeBytesAvail;
3518 BOOL ok;
3523 }
3525 #else
3530 }