/* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.

 * Copyright (c) 2007-2021, The Tor Project, Inc. */

/* See LICENSE for licensing information */

/**

 * \file hibernate.c

 * \brief Functions to close listeners, stop allowing new circuits,

 * etc in preparation for closing down or going dormant; and to track

 * bandwidth and time intervals to know when to hibernate and when to

 * stop hibernating.

 *

 * Ordinarily a Tor relay is "Live".

 *

 * A live relay can stop accepting connections for one of two reasons: either

 * it is trying to conserve bandwidth because of bandwidth accounting rules

 * ("soft hibernation"), or it is about to shut down ("exiting").

 **/

/*

hibernating, phase 1:

  - send destroy in response to create cells

  - send end (policy failed) in response to begin cells

  - close an OR conn when it has no circuits

hibernating, phase 2:

  (entered when bandwidth hard limit reached)

  - close all OR/AP/exit conns)

*/

#define HIBERNATE_PRIVATE

#include "core/or/or.h"

#include "core/or/channel.h"

#include "core/or/channeltls.h"

#include "app/config/config.h"

#include "core/mainloop/connection.h"

#include "core/or/connection_edge.h"

#include "core/or/connection_or.h"

#include "feature/control/control_events.h"

#include "lib/crypt_ops/crypto_rand.h"

#include "lib/defs/time.h"

#include "feature/hibernate/hibernate.h"

#include "core/mainloop/mainloop.h"

#include "feature/relay/router.h"

#include "app/config/statefile.h"

#include "lib/evloop/compat_libevent.h"

#include "core/or/or_connection_st.h"

#include "app/config/or_state_st.h"

#ifdef HAVE_UNISTD_H

#include <unistd.h>

#endif

#ifdef HAVE_SYSTEMD

#  if defined(__COVERITY__) && !defined(__INCLUDE_LEVEL__)

/* Systemd's use of gcc's __INCLUDE_LEVEL__ extension macro appears to confuse

 * Coverity. Here's a kludge to unconfuse it.

 */

#   define __INCLUDE_LEVEL__ 2

#endif /* defined(__COVERITY__) && !defined(__INCLUDE_LEVEL__) */

#include <systemd/sd-daemon.h>

#endif /* defined(HAVE_SYSTEMD) */

/** Are we currently awake, asleep, running out of bandwidth, or shutting

 * down? */

static hibernate_state_t hibernate_state = HIBERNATE_STATE_INITIAL;

/** If are hibernating, when do we plan to wake up? Set to 0 if we

 * aren't hibernating. */

static time_t hibernate_end_time = 0;

/** If we are shutting down, when do we plan to finally exit? Set to 0 if we

 * aren't shutting down. (This is obsolete; scheduled shutdowns are supposed

 * to happen from mainloop_schedule_shutdown() now.) */

static time_t shutdown_time = 0;

/** A timed event that we'll use when it's time to wake up from

 * hibernation. */

static mainloop_event_t *wakeup_event = NULL;

/** Possible accounting periods. */

typedef enum {

  UNIT_MONTH=1, UNIT_WEEK=2, UNIT_DAY=3,

} time_unit_t;

/*

 * @file hibernate.c

 *

 * <h4>Accounting</h4>

 * Accounting is designed to ensure that no more than N bytes are sent in

 * either direction over a given interval (currently, one month, one week, or

 * one day) We could

 * try to do this by choking our bandwidth to a trickle, but that

 * would make our streams useless.  Instead, we estimate what our

 * bandwidth usage will be, and guess how long we'll be able to

 * provide that much bandwidth before hitting our limit.  We then

 * choose a random time within the accounting interval to come up (so

 * that we don't get 50 Tors running on the 1st of the month and none

 * on the 30th).

 *

 * Each interval runs as follows:

 *

 * <ol>

 * <li>We guess our bandwidth usage, based on how much we used

 *     last time.  We choose a "wakeup time" within the interval to come up.

 * <li>Until the chosen wakeup time, we hibernate.

 * <li> We come up at the wakeup time, and provide bandwidth until we are

 *    "very close" to running out.

 * <li> Then we go into low-bandwidth mode, and stop accepting new

 *    connections, but provide bandwidth until we run out.

 * <li> Then we hibernate until the end of the interval.

 *

 * If the interval ends before we run out of bandwidth, we go back to

 * step one.

 *

 * Accounting is controlled by the AccountingMax, AccountingRule, and

 * AccountingStart options.

 */

/** How many bytes have we read in this accounting interval? */

static uint64_t n_bytes_read_in_interval = 0;

/** How many bytes have we written in this accounting interval? */

static uint64_t n_bytes_written_in_interval = 0;

/** How many seconds have we been running this interval? */

static uint32_t n_seconds_active_in_interval = 0;

/** How many seconds were we active in this interval before we hit our soft

 * limit? */

static int n_seconds_to_hit_soft_limit = 0;

/** When in this interval was the soft limit hit. */

static time_t soft_limit_hit_at = 0;

/** How many bytes had we read/written when we hit the soft limit? */

static uint64_t n_bytes_at_soft_limit = 0;

/** When did this accounting interval start? */

static time_t interval_start_time = 0;

/** When will this accounting interval end? */

static time_t interval_end_time = 0;

/** How far into the accounting interval should we hibernate? */

static time_t interval_wakeup_time = 0;

/** How much bandwidth do we 'expect' to use per minute?  (0 if we have no

 * info from the last period.) */

static uint64_t expected_bandwidth_usage = 0;

/** What unit are we using for our accounting? */

static time_unit_t cfg_unit = UNIT_MONTH;

/** How many days,hours,minutes into each unit does our accounting interval

 * start? */

/** @{ */

static int cfg_start_day = 0,

           cfg_start_hour = 0,

           cfg_start_min = 0;

/** @} */

static const char *hibernate_state_to_string(hibernate_state_t state);

static void reset_accounting(time_t now);

static int read_bandwidth_usage(void);

static time_t start_of_accounting_period_after(time_t now);

static time_t start_of_accounting_period_containing(time_t now);

static void accounting_set_wakeup_time(void);

static void on_hibernate_state_change(hibernate_state_t prev_state);

static void hibernate_schedule_wakeup_event(time_t now, time_t end_time);

static void wakeup_event_callback(mainloop_event_t *ev, void *data);

/**

 * Return the human-readable name for the hibernation state <b>state</b>

 */

static const char *

hibernate_state_to_string(hibernate_state_t state)

{

  static char buf[64];

  switch (state) {

    case HIBERNATE_STATE_EXITING: return "EXITING";

    case HIBERNATE_STATE_LOWBANDWIDTH: return "SOFT";

    case HIBERNATE_STATE_DORMANT: return "HARD";

    case HIBERNATE_STATE_INITIAL:

    case HIBERNATE_STATE_LIVE:

      return "AWAKE";

    default:

      log_warn(LD_BUG, "unknown hibernate state %d", state);

      tor_snprintf(buf, sizeof(buf), "unknown [%d]", state);

      return buf;

  }

}

/* ************

 * Functions for bandwidth accounting.

 * ************/

/** Configure accounting start/end time settings based on

 * options->AccountingStart.  Return 0 on success, -1 on failure. If

 * <b>validate_only</b> is true, do not change the current settings. */

int

accounting_parse_options(const or_options_t *options, int validate_only)

{

  time_unit_t unit;

  int ok, idx;

  long d,h,m;

  smartlist_t *items;

  const char *v = options->AccountingStart;

  const char *s;

  char *cp;

  if (!v) {

    if (!validate_only) {

      cfg_unit = UNIT_MONTH;

      cfg_start_day = 1;

      cfg_start_hour = 0;

      cfg_start_min = 0;

    }

    return 0;

  }

  items = smartlist_new();

  smartlist_split_string(items, v, NULL,

                         SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK,0);

  if (smartlist_len(items)<2) {

    log_warn(LD_CONFIG, "Too few arguments to AccountingStart");

    goto err;

  }

  s = smartlist_get(items,0);

  if (0==strcasecmp(s, "month")) {

    unit = UNIT_MONTH;

  } else if (0==strcasecmp(s, "week")) {

    unit = UNIT_WEEK;

  } else if (0==strcasecmp(s, "day")) {

    unit = UNIT_DAY;

  } else {

    log_warn(LD_CONFIG,

             "Unrecognized accounting unit '%s': only 'month', 'week',"

             " and 'day' are supported.", s);

    goto err;

  }

  switch (unit) {

  case UNIT_WEEK:

    d = tor_parse_long(smartlist_get(items,1), 10, 1, 7, &ok, NULL);

    if (!ok) {

      log_warn(LD_CONFIG, "Weekly accounting must begin on a day between "

               "1 (Monday) and 7 (Sunday)");

      goto err;

    }

    break;

  case UNIT_MONTH:

    d = tor_parse_long(smartlist_get(items,1), 10, 1, 28, &ok, NULL);

    if (!ok) {

      log_warn(LD_CONFIG, "Monthly accounting must begin on a day between "

               "1 and 28");

      goto err;

    }

    break;

  case UNIT_DAY:

    d = 0;

    break;

    /* Coverity dislikes unreachable default cases; some compilers warn on

     * switch statements missing a case.  Tell Coverity not to worry. */

    /* coverity[dead_error_begin] */

  default:

    tor_assert(0);

  }

  idx = unit==UNIT_DAY?1:2;

  if (smartlist_len(items) != (idx+1)) {

    log_warn(LD_CONFIG,"Accounting unit '%s' requires %d argument%s.",

             s, idx, (idx>1)?"s":"");

    goto err;

  }

  s = smartlist_get(items, idx);

  h = tor_parse_long(s, 10, 0, 23, &ok, &cp);

  if (!ok) {

    log_warn(LD_CONFIG,"Accounting start time not parseable: bad hour.");

    goto err;

  }

  if (!cp || *cp!=':') {

    log_warn(LD_CONFIG,

             "Accounting start time not parseable: not in HH:MM format");

    goto err;

  }

  m = tor_parse_long(cp+1, 10, 0, 59, &ok, &cp);

  if (!ok) {

    log_warn(LD_CONFIG, "Accounting start time not parseable: bad minute");

    goto err;

  }

  if (!cp || *cp!='\0') {

    log_warn(LD_CONFIG,

             "Accounting start time not parseable: not in HH:MM format");

    goto err;

  }

  if (!validate_only) {

    cfg_unit = unit;

    cfg_start_day = (int)d;

    cfg_start_hour = (int)h;

    cfg_start_min = (int)m;

  }

  SMARTLIST_FOREACH(items, char *, item, tor_free(item));

  smartlist_free(items);

  return 0;

 err:

  SMARTLIST_FOREACH(items, char *, item, tor_free(item));

  smartlist_free(items);

  return -1;

}

/** If we want to manage the accounting system and potentially

 * hibernate, return 1, else return 0.

 */

MOCK_IMPL(int,

accounting_is_enabled,(const or_options_t *options))

{

  if (options->AccountingMax)

    return 1;

  return 0;

}

/** If accounting is enabled, return how long (in seconds) this

 * interval lasts. */

int

accounting_get_interval_length(void)

{

  return (int)(interval_end_time - interval_start_time);

}

/** Return the time at which the current accounting interval will end. */

MOCK_IMPL(time_t,

accounting_get_end_time,(void))

{

  return interval_end_time;

}

/** Called from connection.c to tell us that <b>seconds</b> seconds have

 * passed, <b>n_read</b> bytes have been read, and <b>n_written</b>

 * bytes have been written. */

void

accounting_add_bytes(size_t n_read, size_t n_written, int seconds)

{

  n_bytes_read_in_interval += n_read;

  n_bytes_written_in_interval += n_written;

  /* If we haven't been called in 10 seconds, we're probably jumping

   * around in time. */

  n_seconds_active_in_interval += (seconds < 10) ? seconds : 0;

}

/** If get_end, return the end of the accounting period that contains

 * the time <b>now</b>.  Else, return the start of the accounting

 * period that contains the time <b>now</b> */

static time_t

edge_of_accounting_period_containing(time_t now, int get_end)

{

  int before;

  struct tm tm;

  tor_localtime_r(&now, &tm);

  /* Set 'before' to true iff the current time is before the hh:mm

   * changeover time for today. */

  before = tm.tm_hour < cfg_start_hour ||

    (tm.tm_hour == cfg_start_hour && tm.tm_min < cfg_start_min);

  /* Dispatch by unit.  First, find the start day of the given period;

   * then, if get_end is true, increment to the end day. */

  switch (cfg_unit)

    {

    case UNIT_MONTH: {

      /* If this is before the Nth, we want the Nth of last month. */

      if (tm.tm_mday < cfg_start_day ||

          (tm.tm_mday == cfg_start_day && before)) {

        --tm.tm_mon;

      }

      /* Otherwise, the month is correct. */

      tm.tm_mday = cfg_start_day;

      if (get_end)

        ++tm.tm_mon;

      break;

    }

    case UNIT_WEEK: {

      /* What is the 'target' day of the week in struct tm format? (We

         say Sunday==7; struct tm says Sunday==0.) */

      int wday = cfg_start_day % 7;

      /* How many days do we subtract from today to get to the right day? */

      int delta = (7+tm.tm_wday-wday)%7;

      /* If we are on the right day, but the changeover hasn't happened yet,

       * then subtract a whole week. */

      if (delta == 0 && before)

        delta = 7;

      tm.tm_mday -= delta;

      if (get_end)

        tm.tm_mday += 7;

      break;

    }

    case UNIT_DAY:

      if (before)

        --tm.tm_mday;

      if (get_end)

        ++tm.tm_mday;

      break;

    default:

      tor_assert(0);

  }

  tm.tm_hour = cfg_start_hour;

  tm.tm_min = cfg_start_min;

  tm.tm_sec = 0;

  tm.tm_isdst = -1; /* Autodetect DST */

  return mktime(&tm);

}

/** Return the start of the accounting period containing the time

 * <b>now</b>. */

static time_t

start_of_accounting_period_containing(time_t now)

{

  return edge_of_accounting_period_containing(now, 0);

}

/** Return the start of the accounting period that comes after the one

 * containing the time <b>now</b>. */

static time_t

start_of_accounting_period_after(time_t now)

{

  return edge_of_accounting_period_containing(now, 1);

}

/** Return the length of the accounting period containing the time

 * <b>now</b>. */

static long

length_of_accounting_period_containing(time_t now)

{

  return edge_of_accounting_period_containing(now, 1) -

    edge_of_accounting_period_containing(now, 0);

}

/** Initialize the accounting subsystem. */

void

configure_accounting(time_t now)

{

  time_t s_now;

  /* Try to remember our recorded usage. */

  if (!interval_start_time)

    read_bandwidth_usage(); /* If we fail, we'll leave values at zero, and

                             * reset below.*/

  s_now = start_of_accounting_period_containing(now);

  if (!interval_start_time) {

    /* We didn't have recorded usage; Start a new interval. */

    log_info(LD_ACCT, "Starting new accounting interval.");

    reset_accounting(now);

  } else if (s_now == interval_start_time) {

    log_info(LD_ACCT, "Continuing accounting interval.");

    /* We are in the interval we thought we were in. Do nothing.*/

    interval_end_time = start_of_accounting_period_after(interval_start_time);

  } else {

    long duration =

      length_of_accounting_period_containing(interval_start_time);

    double delta = ((double)(s_now - interval_start_time)) / duration;

    if (-0.50 <= delta && delta <= 0.50) {

      /* The start of the period is now a little later or earlier than we

       * remembered.  That's fine; we might lose some bytes we could otherwise

       * have written, but better to err on the side of obeying accounting

       * settings. */

      log_info(LD_ACCT, "Accounting interval moved by %.02f%%; "

               "that's fine.", delta*100);

      interval_end_time = start_of_accounting_period_after(now);

    } else if (delta >= 0.99) {

      /* This is the regular time-moved-forward case; don't be too noisy

       * about it or people will complain */

      log_info(LD_ACCT, "Accounting interval elapsed; starting a new one");

      reset_accounting(now);

    } else {

      log_warn(LD_ACCT,

               "Mismatched accounting interval: moved by %.02f%%. "

               "Starting a fresh one.", delta*100);

      reset_accounting(now);

    }

  }

  accounting_set_wakeup_time();

}

/** Return the relevant number of bytes sent/received this interval

 * based on the set AccountingRule */

uint64_t

get_accounting_bytes(void)

{

  if (get_options()->AccountingRule == ACCT_SUM)

    return n_bytes_read_in_interval+n_bytes_written_in_interval;

  else if (get_options()->AccountingRule == ACCT_IN)

    return n_bytes_read_in_interval;

  else if (get_options()->AccountingRule == ACCT_OUT)

    return n_bytes_written_in_interval;

  else

    return MAX(n_bytes_read_in_interval, n_bytes_written_in_interval);

}

/** Set expected_bandwidth_usage based on how much we sent/received

 * per minute last interval (if we were up for at least 30 minutes),

 * or based on our declared bandwidth otherwise. */

static void

update_expected_bandwidth(void)

{

  uint64_t expected;

  const or_options_t *options= get_options();

  uint64_t max_configured = (options->RelayBandwidthRate > 0 ?

                             options->RelayBandwidthRate :

                             options->BandwidthRate) * 60;

  /* max_configured is the larger of bytes read and bytes written

   * If we are accounting based on sum, worst case is both are

   * at max, doubling the expected sum of bandwidth */

  if (get_options()->AccountingRule == ACCT_SUM)

    max_configured *= 2;

#define MIN_TIME_FOR_MEASUREMENT (1800)

  if (soft_limit_hit_at > interval_start_time && n_bytes_at_soft_limit &&

      (soft_limit_hit_at - interval_start_time) > MIN_TIME_FOR_MEASUREMENT) {

    /* If we hit our soft limit last time, only count the bytes up to that

     * time. This is a better predictor of our actual bandwidth than

     * considering the entirety of the last interval, since we likely started

     * using bytes very slowly once we hit our soft limit. */

    expected = n_bytes_at_soft_limit /

      (soft_limit_hit_at - interval_start_time);

    expected /= 60;

  } else if (n_seconds_active_in_interval >= MIN_TIME_FOR_MEASUREMENT) {

    /* Otherwise, we either measured enough time in the last interval but

     * never hit our soft limit, or we're using a state file from a Tor that

     * doesn't know to store soft-limit info.  Just take rate at which

     * we were reading/writing in the last interval as our expected rate.

     */

    uint64_t used = get_accounting_bytes();

    expected = used / (n_seconds_active_in_interval / 60);

  } else {

    /* If we haven't gotten enough data last interval, set 'expected'

     * to 0.  This will set our wakeup to the start of the interval.

     * Next interval, we'll choose our starting time based on how much

     * we sent this interval.

     */

    expected = 0;

  }

  if (expected > max_configured)

    expected = max_configured;

  expected_bandwidth_usage = expected;

}

/** Called at the start of a new accounting interval: reset our

 * expected bandwidth usage based on what happened last time, set up

 * the start and end of the interval, and clear byte/time totals.

 */

static void

reset_accounting(time_t now)

{

  log_info(LD_ACCT, "Starting new accounting interval.");

  update_expected_bandwidth();

  interval_start_time = start_of_accounting_period_containing(now);

  interval_end_time = start_of_accounting_period_after(interval_start_time);

  n_bytes_read_in_interval = 0;

  n_bytes_written_in_interval = 0;

  n_seconds_active_in_interval = 0;

  n_bytes_at_soft_limit = 0;

  soft_limit_hit_at = 0;

  n_seconds_to_hit_soft_limit = 0;

}

/** Return true iff we should save our bandwidth usage to disk. */

static inline int

time_to_record_bandwidth_usage(time_t now)

{

  /* Note every 600 sec */

#define NOTE_INTERVAL (600)

  /* Or every 20 megabytes */

#define NOTE_BYTES (20*1024*1024)

  static uint64_t last_read_bytes_noted = 0;

  static uint64_t last_written_bytes_noted = 0;

  static time_t last_time_noted = 0;

  if (last_time_noted + NOTE_INTERVAL <= now ||

      last_read_bytes_noted + NOTE_BYTES <= n_bytes_read_in_interval ||

      last_written_bytes_noted + NOTE_BYTES <= n_bytes_written_in_interval ||

      (interval_end_time && interval_end_time <= now)) {

    last_time_noted = now;

    last_read_bytes_noted = n_bytes_read_in_interval;

    last_written_bytes_noted = n_bytes_written_in_interval;

    return 1;

  }

  return 0;

}

/** Invoked once per second.  Checks whether it is time to hibernate,

 * record bandwidth used, etc.  */

void

accounting_run_housekeeping(time_t now)

{

  if (now >= interval_end_time) {

    configure_accounting(now);

  }

  if (time_to_record_bandwidth_usage(now)) {

    if (accounting_record_bandwidth_usage(now, get_or_state())) {

      log_warn(LD_FS, "Couldn't record bandwidth usage to disk.");

    }

  }

}

/** Based on our interval and our estimated bandwidth, choose a

 * deterministic (but random-ish) time to wake up. */

static void

accounting_set_wakeup_time(void)

{

  char digest[DIGEST_LEN];

  crypto_digest_t *d_env;

  uint64_t time_to_exhaust_bw;

  int time_to_consider;

  if (! server_identity_key_is_set()) {

    if (init_keys() < 0) {

      log_err(LD_BUG, "Error initializing keys");

      tor_assert(0);

    }

  }

  if (server_identity_key_is_set()) {

    char buf[ISO_TIME_LEN+1];

    format_iso_time(buf, interval_start_time);

    if (crypto_pk_get_digest(get_server_identity_key(), digest) < 0) {

      log_err(LD_BUG, "Error getting our key's digest.");

      tor_assert(0);

    }

    d_env = crypto_digest_new();

    crypto_digest_add_bytes(d_env, buf, ISO_TIME_LEN);

    crypto_digest_add_bytes(d_env, digest, DIGEST_LEN);

    crypto_digest_get_digest(d_env, digest, DIGEST_LEN);

    crypto_digest_free(d_env);

  } else {

    crypto_rand(digest, DIGEST_LEN);

  }

  if (!expected_bandwidth_usage) {

    char buf1[ISO_TIME_LEN+1];

    char buf2[ISO_TIME_LEN+1];

    format_local_iso_time(buf1, interval_start_time);

    format_local_iso_time(buf2, interval_end_time);

    interval_wakeup_time = interval_start_time;

    log_notice(LD_ACCT,

           "Configured hibernation. This interval begins at %s "

           "and ends at %s. We have no prior estimate for bandwidth, so "

           "we will start out awake and hibernate when we exhaust our quota.",

           buf1, buf2);

    return;

  }

  time_to_exhaust_bw =

    (get_options()->AccountingMax/expected_bandwidth_usage)*60;

  if (time_to_exhaust_bw > INT_MAX) {

    time_to_exhaust_bw = INT_MAX;

    time_to_consider = 0;

  } else {

    time_to_consider = accounting_get_interval_length() -

                       (int)time_to_exhaust_bw;

  }

  if (time_to_consider<=0) {

    interval_wakeup_time = interval_start_time;

  } else {

    /* XXX can we simplify this just by picking a random (non-deterministic)

     * time to be up? If we go down and come up, then we pick a new one. Is

     * that good enough? -RD */

    /* This is not a perfectly unbiased conversion, but it is good enough:

     * in the worst case, the first half of the day is 0.06 percent likelier

     * to be chosen than the last half. */

    interval_wakeup_time = interval_start_time +

      (get_uint32(digest) % time_to_consider);

  }

  {

    char buf1[ISO_TIME_LEN+1];

    char buf2[ISO_TIME_LEN+1];

    char buf3[ISO_TIME_LEN+1];

    char buf4[ISO_TIME_LEN+1];

    time_t down_time;

    if (interval_wakeup_time+time_to_exhaust_bw > TIME_MAX)

      down_time = TIME_MAX;

    else

      down_time = (time_t)(interval_wakeup_time+time_to_exhaust_bw);

    if (down_time>interval_end_time)

      down_time = interval_end_time;

    format_local_iso_time(buf1, interval_start_time);

    format_local_iso_time(buf2, interval_wakeup_time);

    format_local_iso_time(buf3, down_time);

    format_local_iso_time(buf4, interval_end_time);

    log_notice(LD_ACCT,

           "Configured hibernation.  This interval began at %s; "

           "the scheduled wake-up time %s %s; "

           "we expect%s to exhaust our quota for this interval around %s; "

           "the next interval begins at %s (all times local)",

           buf1,

           time(NULL)<interval_wakeup_time?"is":"was", buf2,

           time(NULL)<down_time?"":"ed", buf3,

           buf4);

  }

}

/* This rounds 0 up to 1000, but that's actually a feature. */

#define ROUND_UP(x) (((x) + 0x3ff) & ~0x3ff)

/** Save all our bandwidth tracking information to disk. Return 0 on

 * success, -1 on failure. */

int

accounting_record_bandwidth_usage(time_t now, or_state_t *state)

{

  /* Just update the state */

  state->AccountingIntervalStart = interval_start_time;

  state->AccountingBytesReadInInterval = ROUND_UP(n_bytes_read_in_interval);

  state->AccountingBytesWrittenInInterval =

    ROUND_UP(n_bytes_written_in_interval);

  state->AccountingSecondsActive = n_seconds_active_in_interval;

  state->AccountingExpectedUsage = expected_bandwidth_usage;

  state->AccountingSecondsToReachSoftLimit = n_seconds_to_hit_soft_limit;

  state->AccountingSoftLimitHitAt = soft_limit_hit_at;

  state->AccountingBytesAtSoftLimit = n_bytes_at_soft_limit;

  or_state_mark_dirty(state,

                      now+(get_options()->AvoidDiskWrites ? 7200 : 60));

  return 0;

}

#undef ROUND_UP

/** Read stored accounting information from disk. Return 0 on success;

 * return -1 and change nothing on failure. */

static int

read_bandwidth_usage(void)

{

  or_state_t *state = get_or_state();

  {

    char *fname = get_datadir_fname("bw_accounting");

    int res;

    res = unlink(fname);

    if (res != 0 && errno != ENOENT) {

      log_warn(LD_FS,

               "Failed to unlink %s: %s",

               fname, strerror(errno));

    }

    tor_free(fname);

  }

  if (!state)

    return -1;

  log_info(LD_ACCT, "Reading bandwidth accounting data from state file");

  n_bytes_read_in_interval = state->AccountingBytesReadInInterval;

  n_bytes_written_in_interval = state->AccountingBytesWrittenInInterval;

  n_seconds_active_in_interval = state->AccountingSecondsActive;

  interval_start_time = state->AccountingIntervalStart;

  expected_bandwidth_usage = state->AccountingExpectedUsage;

  /* Older versions of Tor (before 0.2.2.17-alpha or so) didn't generate these

   * fields. If you switch back and forth, you might get an

   * AccountingSoftLimitHitAt value from long before the most recent

   * interval_start_time.  If that's so, then ignore the softlimit-related

   * values. */

  if (state->AccountingSoftLimitHitAt > interval_start_time) {

    soft_limit_hit_at =  state->AccountingSoftLimitHitAt;

    n_bytes_at_soft_limit = state->AccountingBytesAtSoftLimit;

    n_seconds_to_hit_soft_limit = state->AccountingSecondsToReachSoftLimit;

  } else {

    soft_limit_hit_at = 0;

    n_bytes_at_soft_limit = 0;

    n_seconds_to_hit_soft_limit = 0;

  }

  {

    char tbuf1[ISO_TIME_LEN+1];

    char tbuf2[ISO_TIME_LEN+1];

    format_iso_time(tbuf1, state->LastWritten);

    format_iso_time(tbuf2, state->AccountingIntervalStart);

    log_info(LD_ACCT,

       "Successfully read bandwidth accounting info from state written at %s "

       "for interval starting at %s.  We have been active for %lu seconds in "

       "this interval.  At the start of the interval, we expected to use "

       "about %lu KB per second. (%"PRIu64" bytes read so far, "

       "%"PRIu64" bytes written so far)",

       tbuf1, tbuf2,

       (unsigned long)n_seconds_active_in_interval,

       (unsigned long)(expected_bandwidth_usage*1024/60),

       (n_bytes_read_in_interval),

       (n_bytes_written_in_interval));

  }

  return 0;

}

/** Return true iff we have sent/received all the bytes we are willing

 * to send/receive this interval. */

static int

hibernate_hard_limit_reached(void)

{

  uint64_t hard_limit = get_options()->AccountingMax;

  if (!hard_limit)

    return 0;

  return get_accounting_bytes() >= hard_limit;

}

/** Return true iff we have sent/received almost all the bytes we are willing

 * to send/receive this interval. */

static int

hibernate_soft_limit_reached(void)

{

  const uint64_t acct_max = get_options()->AccountingMax;

#define SOFT_LIM_PCT (.95)

#define SOFT_LIM_BYTES (500*1024*1024)

#define SOFT_LIM_MINUTES (3*60)

  /* The 'soft limit' is a fair bit more complicated now than once it was.

   * We want to stop accepting connections when ALL of the following are true:

   *   - We expect to use up the remaining bytes in under 3 hours

   *   - We have used up 95% of our bytes.

   *   - We have less than 500MBytes left.

   */

  uint64_t soft_limit = (uint64_t) (acct_max * SOFT_LIM_PCT);

  if (acct_max > SOFT_LIM_BYTES && acct_max - SOFT_LIM_BYTES > soft_limit) {

    soft_limit = acct_max - SOFT_LIM_BYTES;

  }

  if (expected_bandwidth_usage) {

    const uint64_t expected_usage =

      expected_bandwidth_usage * SOFT_LIM_MINUTES;

    if (acct_max > expected_usage && acct_max - expected_usage > soft_limit)

      soft_limit = acct_max - expected_usage;

  }

  if (!soft_limit)

    return 0;

  return get_accounting_bytes() >= soft_limit;

}

/** Called when we get a SIGINT, or when bandwidth soft limit is

 * reached. Puts us into "loose hibernation": we don't accept new

 * connections, but we continue handling old ones. */

static void

hibernate_begin(hibernate_state_t new_state, time_t now)

{

  const or_options_t *options = get_options();

  if (new_state == HIBERNATE_STATE_EXITING &&

      hibernate_state != HIBERNATE_STATE_LIVE) {

    log_notice(LD_GENERAL,"SIGINT received %s; exiting now.",

               hibernate_state == HIBERNATE_STATE_EXITING ?

               "a second time" : "while hibernating");

    tor_shutdown_event_loop_and_exit(0);

    return;

  }

  if (new_state == HIBERNATE_STATE_LOWBANDWIDTH &&

      hibernate_state == HIBERNATE_STATE_LIVE) {

    soft_limit_hit_at = now;

    n_seconds_to_hit_soft_limit = n_seconds_active_in_interval;

    n_bytes_at_soft_limit = get_accounting_bytes();

  }

  /* close listeners. leave control listener(s). */

  connection_mark_all_noncontrol_listeners();

  /* XXX kill intro point circs */

  /* XXX upload rendezvous service descriptors with no intro points */

  if (new_state == HIBERNATE_STATE_EXITING) {

    log_notice(LD_GENERAL,"Interrupt: we have stopped accepting new "

               "connections, and will shut down in %d seconds. Interrupt "

               "again to exit now.", options->ShutdownWaitLength);

    /* We add an arbitrary delay here so that even if something goes wrong

     * with the mainloop shutdown code, we can still shutdown from

     * consider_hibernation() if we call it... but so that the

     * mainloop_schedule_shutdown() mechanism will be the first one called.

     */

    shutdown_time = time(NULL) + options->ShutdownWaitLength + 5;

    mainloop_schedule_shutdown(options->ShutdownWaitLength);

#ifdef HAVE_SYSTEMD

    /* tell systemd that we may need more than the default 90 seconds to shut

     * down so they don't kill us. add some extra time to actually finish

     * shutting down, otherwise systemd will kill us immediately after the

     * EXTEND_TIMEOUT_USEC expires. this is an *upper* limit; tor will probably

     * only take one or two more seconds, but assume that maybe we got swapped

     * out and it takes a little while longer.

     *

     * as of writing, this is a no-op with all-defaults: ShutdownWaitLength is

     * 30 seconds, so this will extend the timeout to 60 seconds.

     * default systemd DefaultTimeoutStopSec is 90 seconds, so systemd will

     * wait (up to) 90 seconds anyways.

     *

     * 2^31 usec = ~2147 sec = ~35 min. probably nobody will actually set

     * ShutdownWaitLength to more than that, but use a longer type so we don't

     * need to think about UB on overflow

     */

    sd_notifyf(0, "EXTEND_TIMEOUT_USEC=%" PRIu64,

            ((uint64_t)(options->ShutdownWaitLength) + 30) * TOR_USEC_PER_SEC);

#endif /* defined(HAVE_SYSTEMD) */

  } else { /* soft limit reached */

    hibernate_end_time = interval_end_time;

  }

  hibernate_state = new_state;

  accounting_record_bandwidth_usage(now, get_or_state());

  or_state_mark_dirty(get_or_state(),

                      get_options()->AvoidDiskWrites ? now+600 : 0);

}

/** Called when we've been hibernating and our timeout is reached. */

static void

hibernate_end(hibernate_state_t new_state)

{

  tor_assert(hibernate_state == HIBERNATE_STATE_LOWBANDWIDTH ||

             hibernate_state == HIBERNATE_STATE_DORMANT ||

             hibernate_state == HIBERNATE_STATE_INITIAL);

  /* listeners will be relaunched in run_scheduled_events() in main.c */

  if (hibernate_state != HIBERNATE_STATE_INITIAL)

    log_notice(LD_ACCT,"Hibernation period ended. Resuming normal activity.");

  hibernate_state = new_state;

  hibernate_end_time = 0; /* no longer hibernating */

  reset_uptime(); /* reset published uptime */

}