/* Copyright (c) 2001 Matej Pfajfar.
* Copyright (c) 2001-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file statefile.c
*
* \brief Handles parsing and encoding the persistent 'state' file that carries
* miscellaneous persistent state between Tor invocations.
*
* This 'state' file is a typed key-value store that allows multiple
* entries for the same key. It follows the same metaformat as described
* in confparse.c, and uses the same code to read and write itself.
*
* The state file is most suitable for small values that don't change too
* frequently. For values that become very large, we typically use a separate
* file -- for example, see how we handle microdescriptors, by storing them in
* a separate file with a journal.
*
* The current state is accessed via get_or_state(), which returns a singleton
* or_state_t object. Functions that change it should call
* or_state_mark_dirty() to ensure that it will get written to disk.
*
* The or_state_save() function additionally calls various functioens
* throughout Tor that might want to flush more state to the the disk,
* including some in rephist.c, entrynodes.c, circuitstats.c, hibernate.c.
*/
#define STATEFILE_PRIVATE
#include "or/or.h"
#include "or/circuitstats.h"
#include "or/config.h"
#include "or/confparse.h"
#include "or/connection.h"
#include "or/control.h"
#include "or/entrynodes.h"
#include "or/hibernate.h"
#include "or/main.h"
#include "or/rephist.h"
#include "or/router.h"
#include "lib/sandbox/sandbox.h"
#include "or/statefile.h"
/** A list of state-file "abbreviations," for compatibility. */
static config_abbrev_t state_abbrevs_[] = {
{ "AccountingBytesReadInterval", "AccountingBytesReadInInterval", 0, 0 },
{ "HelperNode", "EntryGuard", 0, 0 },
{ "HelperNodeDownSince", "EntryGuardDownSince", 0, 0 },
{ "HelperNodeUnlistedSince", "EntryGuardUnlistedSince", 0, 0 },
{ "EntryNode", "EntryGuard", 0, 0 },
{ "EntryNodeDownSince", "EntryGuardDownSince", 0, 0 },
{ "EntryNodeUnlistedSince", "EntryGuardUnlistedSince", 0, 0 },
{ NULL, NULL, 0, 0},
};
/** dummy instance of or_state_t, used for type-checking its
* members with CONF_CHECK_VAR_TYPE. */
DUMMY_TYPECHECK_INSTANCE(or_state_t);
/*XXXX these next two are duplicates or near-duplicates from config.c */
#define VAR(name,conftype,member,initvalue) \
{ name, CONFIG_TYPE_ ## conftype, offsetof(or_state_t, member), \
initvalue CONF_TEST_MEMBERS(or_state_t, conftype, member) }
/** As VAR, but the option name and member name are the same. */
#define V(member,conftype,initvalue) \
VAR(#member, conftype, member, initvalue)
/** Array of "state" variables saved to the ~/.tor/state file. */
static config_var_t state_vars_[] = {
/* Remember to document these in state-contents.txt ! */
V(AccountingBytesReadInInterval, MEMUNIT, NULL),
V(AccountingBytesWrittenInInterval, MEMUNIT, NULL),
V(AccountingExpectedUsage, MEMUNIT, NULL),
V(AccountingIntervalStart, ISOTIME, NULL),
V(AccountingSecondsActive, INTERVAL, NULL),
V(AccountingSecondsToReachSoftLimit,INTERVAL, NULL),
V(AccountingSoftLimitHitAt, ISOTIME, NULL),
V(AccountingBytesAtSoftLimit, MEMUNIT, NULL),
VAR("EntryGuard", LINELIST_S, EntryGuards, NULL),
VAR("EntryGuardDownSince", LINELIST_S, EntryGuards, NULL),
VAR("EntryGuardUnlistedSince", LINELIST_S, EntryGuards, NULL),
VAR("EntryGuardAddedBy", LINELIST_S, EntryGuards, NULL),
VAR("EntryGuardPathBias", LINELIST_S, EntryGuards, NULL),
VAR("EntryGuardPathUseBias", LINELIST_S, EntryGuards, NULL),
V(EntryGuards, LINELIST_V, NULL),
VAR("TransportProxy", LINELIST_S, TransportProxies, NULL),
V(TransportProxies, LINELIST_V, NULL),
V(HidServRevCounter, LINELIST, NULL),
V(BWHistoryReadEnds, ISOTIME, NULL),
V(BWHistoryReadInterval, UINT, "900"),
V(BWHistoryReadValues, CSV, ""),
V(BWHistoryReadMaxima, CSV, ""),
V(BWHistoryWriteEnds, ISOTIME, NULL),
V(BWHistoryWriteInterval, UINT, "900"),
V(BWHistoryWriteValues, CSV, ""),
V(BWHistoryWriteMaxima, CSV, ""),
V(BWHistoryDirReadEnds, ISOTIME, NULL),
V(BWHistoryDirReadInterval, UINT, "900"),
V(BWHistoryDirReadValues, CSV, ""),
V(BWHistoryDirReadMaxima, CSV, ""),
V(BWHistoryDirWriteEnds, ISOTIME, NULL),
V(BWHistoryDirWriteInterval, UINT, "900"),
V(BWHistoryDirWriteValues, CSV, ""),
V(BWHistoryDirWriteMaxima, CSV, ""),
V(Guard, LINELIST, NULL),
V(TorVersion, STRING, NULL),
V(LastRotatedOnionKey, ISOTIME, NULL),
V(LastWritten, ISOTIME, NULL),
V(TotalBuildTimes, UINT, NULL),
V(CircuitBuildAbandonedCount, UINT, "0"),
VAR("CircuitBuildTimeBin", LINELIST_S, BuildtimeHistogram, NULL),
VAR("BuildtimeHistogram", LINELIST_V, BuildtimeHistogram, NULL),
END_OF_CONFIG_VARS
};
#undef VAR
#undef V
static int or_state_validate(or_state_t *state, char **msg);
static int or_state_validate_cb(void *old_options, void *options,
void *default_options,
int from_setconf, char **msg);
/** Magic value for or_state_t. */
#define OR_STATE_MAGIC 0x57A73f57
/** "Extra" variable in the state that receives lines we can't parse. This
* lets us preserve options from versions of Tor newer than us. */
static config_var_t state_extra_var = {
"__extra", CONFIG_TYPE_LINELIST, offsetof(or_state_t, ExtraLines), NULL
CONF_TEST_MEMBERS(or_state_t, LINELIST, ExtraLines)
};
/** Configuration format for or_state_t. */
static const config_format_t state_format = {
sizeof(or_state_t),
OR_STATE_MAGIC,
offsetof(or_state_t, magic_),
state_abbrevs_,
NULL,
state_vars_,
or_state_validate_cb,
&state_extra_var,
};
/** Persistent serialized state. */
static or_state_t *global_state = NULL;
/** Return the persistent state struct for this Tor. */
MOCK_IMPL(or_state_t *,
get_or_state, (void))
{
tor_assert(global_state);
return global_state;
}
/** Return true iff we have loaded the global state for this Tor */
int
or_state_loaded(void)
{
return global_state != NULL;
}
/** Return true if line is a valid state TransportProxy line.
* Return false otherwise. */
static int
state_transport_line_is_valid(const char *line)
{
smartlist_t *items = NULL;
char *addrport=NULL;
tor_addr_t addr;
uint16_t port = 0;
int r;
items = smartlist_new();
smartlist_split_string(items, line, NULL,
SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
if (smartlist_len(items) != 2) {
log_warn(LD_CONFIG, "state: Not enough arguments in TransportProxy line.");
goto err;
}
addrport = smartlist_get(items, 1);
if (tor_addr_port_lookup(addrport, &addr, &port) < 0) {
log_warn(LD_CONFIG, "state: Could not parse addrport.");
goto err;
}
if (!port) {
log_warn(LD_CONFIG, "state: Transport line did not contain port.");
goto err;
}
r = 1;
goto done;
err:
r = 0;
done:
SMARTLIST_FOREACH(items, char*, s, tor_free(s));
smartlist_free(items);
return r;
}
/** Return 0 if all TransportProxy lines in state are well
* formed. Otherwise, return -1. */
static int
validate_transports_in_state(or_state_t *state)
{
int broken = 0;
config_line_t *line;
for (line = state->TransportProxies ; line ; line = line->next) {
tor_assert(!strcmp(line->key, "TransportProxy"));
if (!state_transport_line_is_valid(line->value))
broken = 1;
}
if (broken)
log_warn(LD_CONFIG, "state: State file seems to be broken.");
return 0;
}
static int
or_state_validate_cb(void *old_state, void *state, void *default_state,
int from_setconf, char **msg)
{
/* We don't use these; only options do. Still, we need to match that
* signature. */
(void) from_setconf;
(void) default_state;
(void) old_state;
return or_state_validate(state, msg);
}
/** Return 0 if every setting in state is reasonable, and a
* permissible transition from old_state. Else warn and return -1.
* Should have no side effects, except for normalizing the contents of
* state.
*/
static int
or_state_validate(or_state_t *state, char **msg)
{
if (entry_guards_parse_state(state, 0, msg)<0)
return -1;
if (validate_transports_in_state(state)<0)
return -1;
return 0;
}
/** Replace the current persistent state with new_state */
static int
or_state_set(or_state_t *new_state)
{
char *err = NULL;
int ret = 0;
tor_assert(new_state);
config_free(&state_format, global_state);
global_state = new_state;
if (entry_guards_parse_state(global_state, 1, &err)<0) {
log_warn(LD_GENERAL,"%s",err);
tor_free(err);
ret = -1;
}
if (rep_hist_load_state(global_state, &err)<0) {
log_warn(LD_GENERAL,"Unparseable bandwidth history state: %s",err);
tor_free(err);
ret = -1;
}
if (circuit_build_times_parse_state(
get_circuit_build_times_mutable(),global_state) < 0) {
ret = -1;
}
return ret;
}
/**
* Save a broken state file to a backup location.
*/
static void
or_state_save_broken(char *fname)
{
int i, res;
file_status_t status;
char *fname2 = NULL;
for (i = 0; i < 100; ++i) {
tor_asprintf(&fname2, "%s.%d", fname, i);
status = file_status(fname2);
if (status == FN_NOENT)
break;
tor_free(fname2);
}
if (i == 100) {
log_warn(LD_BUG, "Unable to parse state in \"%s\"; too many saved bad "
"state files to move aside. Discarding the old state file.",
fname);
res = unlink(fname);
if (res != 0) {
log_warn(LD_FS,
"Also couldn't discard old state file \"%s\" because "
"unlink() failed: %s",
fname, strerror(errno));
}
} else {
log_warn(LD_BUG, "Unable to parse state in \"%s\". Moving it aside "
"to \"%s\". This could be a bug in Tor; please tell "
"the developers.", fname, fname2);
if (tor_rename(fname, fname2) < 0) {//XXXX sandbox prohibits
log_warn(LD_BUG, "Weirdly, I couldn't even move the state aside. The "
"OS gave an error of %s", strerror(errno));
}
}
tor_free(fname2);
}
STATIC or_state_t *
or_state_new(void)
{
or_state_t *new_state = tor_malloc_zero(sizeof(or_state_t));
new_state->magic_ = OR_STATE_MAGIC;
config_init(&state_format, new_state);
return new_state;
}
/** Reload the persistent state from disk, generating a new state as needed.
* Return 0 on success, less than 0 on failure.
*/
int
or_state_load(void)
{
or_state_t *new_state = NULL;
char *contents = NULL, *fname;
char *errmsg = NULL;
int r = -1, badstate = 0;
fname = get_datadir_fname("state");
switch (file_status(fname)) {
case FN_FILE:
if (!(contents = read_file_to_str(fname, 0, NULL))) {
log_warn(LD_FS, "Unable to read state file \"%s\"", fname);
goto done;
}
break;
/* treat empty state files as if the file doesn't exist, and generate
* a new state file, overwriting the empty file in or_state_save() */
case FN_NOENT:
case FN_EMPTY:
break;
case FN_ERROR:
case FN_DIR:
default:
log_warn(LD_GENERAL,"State file \"%s\" is not a file? Failing.", fname);
goto done;
}
new_state = or_state_new();
if (contents) {
config_line_t *lines=NULL;
int assign_retval;
if (config_get_lines(contents, &lines, 0)<0)
goto done;
assign_retval = config_assign(&state_format, new_state,
lines, 0, &errmsg);
config_free_lines(lines);
if (assign_retval<0)
badstate = 1;
if (errmsg) {
log_warn(LD_GENERAL, "%s", errmsg);
tor_free(errmsg);
}
}
if (!badstate && or_state_validate(new_state, &errmsg) < 0)
badstate = 1;
if (errmsg) {
log_warn(LD_GENERAL, "%s", errmsg);
tor_free(errmsg);
}
if (badstate && !contents) {
log_warn(LD_BUG, "Uh oh. We couldn't even validate our own default state."
" This is a bug in Tor.");
goto done;
} else if (badstate && contents) {
or_state_save_broken(fname);
tor_free(contents);
config_free(&state_format, new_state);
new_state = or_state_new();
} else if (contents) {
log_info(LD_GENERAL, "Loaded state from \"%s\"", fname);
/* Warn the user if their clock has been set backwards,
* they could be tricked into using old consensuses */
time_t apparent_skew = time(NULL) - new_state->LastWritten;
if (apparent_skew < 0) {
/* Initialize bootstrap event reporting because we might call
* clock_skew_warning() before the bootstrap state is
* initialized, causing an assertion failure. */
control_event_bootstrap(BOOTSTRAP_STATUS_STARTING, 0);
clock_skew_warning(NULL, (long)apparent_skew, 1, LD_GENERAL,
"local state file", fname);
}
} else {
log_info(LD_GENERAL, "Initialized state");
}
if (or_state_set(new_state) == -1) {
or_state_save_broken(fname);
}
new_state = NULL;
if (!contents) {
global_state->next_write = 0;
or_state_save(time(NULL));
}
r = 0;
done:
tor_free(fname);
tor_free(contents);
if (new_state)
config_free(&state_format, new_state);
return r;
}
/** Did the last time we tried to write the state file fail? If so, we
* should consider disabling such features as preemptive circuit generation
* to compute circuit-build-time. */
static int last_state_file_write_failed = 0;
/** Return whether the state file failed to write last time we tried. */
int
did_last_state_file_write_fail(void)
{
return last_state_file_write_failed;
}
/** If writing the state to disk fails, try again after this many seconds. */
#define STATE_WRITE_RETRY_INTERVAL 3600
/** If we're a relay, how often should we checkpoint our state file even
* if nothing else dirties it? This will checkpoint ongoing stats like
* bandwidth used, per-country user stats, etc. */
#define STATE_RELAY_CHECKPOINT_INTERVAL (12*60*60)
/** Write the persistent state to disk. Return 0 for success, <0 on failure. */
int
or_state_save(time_t now)
{
char *state, *contents;
char tbuf[ISO_TIME_LEN+1];
char *fname;
tor_assert(global_state);
if (global_state->next_write > now)
return 0;
/* Call everything else that might dirty the state even more, in order
* to avoid redundant writes. */
entry_guards_update_state(global_state);
rep_hist_update_state(global_state);
circuit_build_times_update_state(get_circuit_build_times(), global_state);
if (accounting_is_enabled(get_options()))
accounting_run_housekeeping(now);
global_state->LastWritten = now;
tor_free(global_state->TorVersion);
tor_asprintf(&global_state->TorVersion, "Tor %s", get_version());
state = config_dump(&state_format, NULL, global_state, 1, 0);
format_local_iso_time(tbuf, now);
tor_asprintf(&contents,
"# Tor state file last generated on %s local time\n"
"# Other times below are in UTC\n"
"# You *do not* need to edit this file.\n\n%s",
tbuf, state);
tor_free(state);
fname = get_datadir_fname("state");
if (write_str_to_file(fname, contents, 0)<0) {
log_warn(LD_FS, "Unable to write state to file \"%s\"; "
"will try again later", fname);
last_state_file_write_failed = 1;
tor_free(fname);
tor_free(contents);
/* Try again after STATE_WRITE_RETRY_INTERVAL (or sooner, if the state
* changes sooner). */
global_state->next_write = now + STATE_WRITE_RETRY_INTERVAL;
return -1;
}
last_state_file_write_failed = 0;
log_info(LD_GENERAL, "Saved state to \"%s\"", fname);
tor_free(fname);
tor_free(contents);
if (server_mode(get_options()))
global_state->next_write = now + STATE_RELAY_CHECKPOINT_INTERVAL;
else
global_state->next_write = TIME_MAX;
return 0;
}
/** Return the config line for transport transport in the current state.
* Return NULL if there is no config line for transport. */
STATIC config_line_t *
get_transport_in_state_by_name(const char *transport)
{
or_state_t *or_state = get_or_state();
config_line_t *line;
config_line_t *ret = NULL;
smartlist_t *items = NULL;
for (line = or_state->TransportProxies ; line ; line = line->next) {
tor_assert(!strcmp(line->key, "TransportProxy"));
items = smartlist_new();
smartlist_split_string(items, line->value, NULL,
SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
if (smartlist_len(items) != 2) /* broken state */
goto done;
if (!strcmp(smartlist_get(items, 0), transport)) {
ret = line;
goto done;
}
SMARTLIST_FOREACH(items, char*, s, tor_free(s));
smartlist_free(items);
items = NULL;
}
done:
if (items) {
SMARTLIST_FOREACH(items, char*, s, tor_free(s));
smartlist_free(items);
}
return ret;
}
/** Return string containing the address:port part of the
* TransportProxy line for transport transport.
* If the line is corrupted, return NULL. */
static const char *
get_transport_bindaddr(const char *line, const char *transport)
{
char *line_tmp = NULL;
if (strlen(line) < strlen(transport) + 2) {
goto broken_state;
} else {
/* line should start with the name of the transport and a space.
(for example, "obfs2 127.0.0.1:47245") */
tor_asprintf(&line_tmp, "%s ", transport);
if (strcmpstart(line, line_tmp))
goto broken_state;
tor_free(line_tmp);
return (line+strlen(transport)+1);
}
broken_state:
tor_free(line_tmp);
return NULL;
}
/** Return a string containing the address:port that a proxy transport
* should bind on. The string is stored on the heap and must be freed
* by the caller of this function. */
char *
get_stored_bindaddr_for_server_transport(const char *transport)
{
char *default_addrport = NULL;
const char *stored_bindaddr = NULL;
config_line_t *line = NULL;
{
/* See if the user explicitly asked for a specific listening
address for this transport. */
char *conf_bindaddr = get_transport_bindaddr_from_config(transport);
if (conf_bindaddr)
return conf_bindaddr;
}
line = get_transport_in_state_by_name(transport);
if (!line) /* Found no references in state for this transport. */
goto no_bindaddr_found;
stored_bindaddr = get_transport_bindaddr(line->value, transport);
if (stored_bindaddr) /* found stored bindaddr in state file. */
return tor_strdup(stored_bindaddr);
no_bindaddr_found:
/** If we didn't find references for this pluggable transport in the
state file, we should instruct the pluggable transport proxy to
listen on INADDR_ANY on a random ephemeral port. */
tor_asprintf(&default_addrport, "%s:%s", fmt_addr32(INADDR_ANY), "0");
return default_addrport;
}
/** Save transport listening on addr:port to
state */
void
save_transport_to_state(const char *transport,
const tor_addr_t *addr, uint16_t port)
{
or_state_t *state = get_or_state();
char *transport_addrport=NULL;
/** find where to write on the state */
config_line_t **next, *line;
/* see if this transport is already stored in state */
config_line_t *transport_line =
get_transport_in_state_by_name(transport);
if (transport_line) { /* if transport already exists in state... */
const char *prev_bindaddr = /* get its addrport... */
get_transport_bindaddr(transport_line->value, transport);
transport_addrport = tor_strdup(fmt_addrport(addr, port));
/* if transport in state has the same address as this one, life is good */
if (!strcmp(prev_bindaddr, transport_addrport)) {
log_info(LD_CONFIG, "Transport seems to have spawned on its usual "
"address:port.");
goto done;
} else { /* if addrport in state is different than the one we got */
log_info(LD_CONFIG, "Transport seems to have spawned on different "
"address:port. Let's update the state file with the new "
"address:port");
tor_free(transport_line->value); /* free the old line */
/* replace old addrport line with new line */
tor_asprintf(&transport_line->value, "%s %s", transport,
fmt_addrport(addr, port));
}
} else { /* never seen this one before; save it in state for next time */
log_info(LD_CONFIG, "It's the first time we see this transport. "
"Let's save its address:port");
next = &state->TransportProxies;
/* find the last TransportProxy line in the state and point 'next'
right after it */
line = state->TransportProxies;
while (line) {
next = &(line->next);
line = line->next;
}
/* allocate space for the new line and fill it in */
*next = line = tor_malloc_zero(sizeof(config_line_t));
line->key = tor_strdup("TransportProxy");
tor_asprintf(&line->value, "%s %s", transport, fmt_addrport(addr, port));
}
if (!get_options()->AvoidDiskWrites)
or_state_mark_dirty(state, 0);
done:
tor_free(transport_addrport);
}
/** Change the next_write time of state to when, unless the
* state is already scheduled to be written to disk earlier than when.
*/
void
or_state_mark_dirty(or_state_t *state, time_t when)
{
if (state->next_write > when) {
state->next_write = when;
reschedule_or_state_save();
}
}
STATIC void
or_state_free_(or_state_t *state)
{
if (!state)
return;
config_free(&state_format, state);
}
void
or_state_free_all(void)
{
or_state_free(global_state);
global_state = NULL;
}