gvisor/pkg/state/statefile/statefile.go

// Copyright 2018 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package statefile defines the state file data stream.
//
// This package currently does not include any details regarding the state
// encoding itself, only details regarding state metadata and data layout.
//
// The file format is defined as follows.
//
// /------------------------------------------------------\
// |                   header (8-bytes)                   |
// +------------------------------------------------------+
// |              metadata length (8-bytes)               |
// +------------------------------------------------------+
// |                       metadata                       |
// +------------------------------------------------------+
// |                         data                         |
// \------------------------------------------------------/
//
// First, it includes a 8-byte magic header which is the following
// sequence of bytes [0x67, 0x56, 0x69, 0x73, 0x6f, 0x72, 0x53, 0x46]
//
// This header is followed by an 8-byte length N (big endian), and an
// ASCII-encoded JSON map that is exactly N bytes long.
//
// This map includes only strings for keys and strings for values. Keys in the
// map that begin with "_" are for internal use only. They may be read, but may
// not be provided by the user. In the future, this metadata may contain some
// information relating to the state encoding itself.
//
// After the map, the remainder of the file is the state data.
package statefile

import (
	"bytes"
	"compress/flate"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"hash"
	"io"
	"strings"
	"time"

	"gvisor.dev/gvisor/pkg/binary"
	"gvisor.dev/gvisor/pkg/compressio"
)

// keySize is the AES-256 key length.
const keySize = 32

// compressionChunkSize is the chunk size for compression.
const compressionChunkSize = 1024 * 1024

// maxMetadataSize is the size limit of metadata section.
const maxMetadataSize = 16 * 1024 * 1024

// magicHeader is the byte sequence beginning each file.
var magicHeader = []byte("\x67\x56\x69\x73\x6f\x72\x53\x46")

// ErrBadMagic is returned if the header does not match.
var ErrBadMagic = fmt.Errorf("bad magic header")

// ErrMetadataMissing is returned if the state file is missing mandatory metadata.
var ErrMetadataMissing = fmt.Errorf("missing metadata")

// ErrInvalidMetadataLength is returned if the metadata length is too large.
var ErrInvalidMetadataLength = fmt.Errorf("metadata length invalid, maximum size is %d", maxMetadataSize)

// ErrMetadataInvalid is returned if passed metadata is invalid.
var ErrMetadataInvalid = fmt.Errorf("metadata invalid, can't start with _")

// NewWriter returns a state data writer for a statefile.
//
// Note that the returned WriteCloser must be closed.
func NewWriter(w io.Writer, key []byte, metadata map[string]string) (io.WriteCloser, error) {
	if metadata == nil {
		metadata = make(map[string]string)
	}
	for k := range metadata {
		if strings.HasPrefix(k, "_") {
			return nil, ErrMetadataInvalid
		}
	}

	// Create our HMAC function.
	h := hmac.New(sha256.New, key)
	mw := io.MultiWriter(w, h)

	// First, write the header.
	if _, err := mw.Write(magicHeader); err != nil {
		return nil, err
	}

	// Generate a timestamp, for convenience only.
	metadata["_timestamp"] = time.Now().UTC().String()
	defer delete(metadata, "_timestamp")

	// Write the metadata.
	b, err := json.Marshal(metadata)
	if err != nil {
		return nil, err
	}

	if len(b) > maxMetadataSize {
		return nil, ErrInvalidMetadataLength
	}

	// Metadata length.
	if err := binary.WriteUint64(mw, binary.BigEndian, uint64(len(b))); err != nil {
		return nil, err
	}
	// Metadata bytes; io.MultiWriter will return a short write error if
	// any of the writers returns < n.
	if _, err := mw.Write(b); err != nil {
		return nil, err
	}
	// Write the current hash.
	cur := h.Sum(nil)
	for done := 0; done < len(cur); {
		n, err := mw.Write(cur[done:])
		done += n
		if err != nil {
			return nil, err
		}
	}

	// Wrap in compression. We always use "best speed" mode here. When using
	// "best compression" mode, there is usually only a little gain in file
	// size reduction, which translate to even smaller gain in restore
	// latency reduction, while inccuring much more CPU usage at save time.
	return compressio.NewWriter(w, key, compressionChunkSize, flate.BestSpeed)
}

// MetadataUnsafe reads out the metadata from a state file without verifying any
// HMAC. This function shouldn't be called for untrusted input files.
func MetadataUnsafe(r io.Reader) (map[string]string, error) {
	return metadata(r, nil)
}

// metadata validates the magic header and reads out the metadata from a state
// data stream.
func metadata(r io.Reader, h hash.Hash) (map[string]string, error) {
	if h != nil {
		r = io.TeeReader(r, h)
	}

	// Read and validate magic header.
	b := make([]byte, len(magicHeader))
	if _, err := r.Read(b); err != nil {
		return nil, err
	}
	if !bytes.Equal(b, magicHeader) {
		return nil, ErrBadMagic
	}

	// Read and validate metadata.
	b, err := func() (b []byte, err error) {
		defer func() {
			if r := recover(); r != nil {
				b = nil
				err = fmt.Errorf("%v", r)
			}
		}()

		metadataLen, err := binary.ReadUint64(r, binary.BigEndian)
		if err != nil {
			return nil, err
		}
		if metadataLen > maxMetadataSize {
			return nil, ErrInvalidMetadataLength
		}
		b = make([]byte, int(metadataLen))
		if _, err := io.ReadFull(r, b); err != nil {
			return nil, err
		}
		return b, nil
	}()
	if err != nil {
		return nil, err
	}

	if h != nil {
		// Check the hash prior to decoding.
		cur := h.Sum(nil)
		buf := make([]byte, len(cur))
		if _, err := io.ReadFull(r, buf); err != nil {
			return nil, err
		}
		if !hmac.Equal(cur, buf) {
			return nil, compressio.ErrHashMismatch
		}
	}

	// Decode the metadata.
	metadata := make(map[string]string)
	if err := json.Unmarshal(b, &metadata); err != nil {
		return nil, err
	}

	return metadata, nil
}

// NewReader returns a reader for a statefile.
func NewReader(r io.Reader, key []byte) (io.Reader, map[string]string, error) {
	// Read the metadata with the hash.
	h := hmac.New(sha256.New, key)
	metadata, err := metadata(r, h)
	if err != nil {
		return nil, nil, err
	}

	// Wrap in compression.
	rc, err := compressio.NewReader(r, key)
	if err != nil {
		return nil, nil, err
	}
	return rc, metadata, nil
}
Change copyright notice to "The gVisor Authors" Based on the guidelines at https://opensource.google.com/docs/releasing/authors/. 1. $ rg -l "Google LLC" \| xargs sed -i 's/Google LLC.*/The gVisor Authors./' 2. Manual fixup of "Google Inc" references. 3. Add AUTHORS file. Authors may request to be added to this file. 4. Point netstack AUTHORS to gVisor AUTHORS. Drop CONTRIBUTORS. Fixes #209 PiperOrigin-RevId: 245823212 Change-Id: I64530b24ad021a7d683137459cafc510f5ee1de9 2019-04-29 21:25:05 +00:00			`// Copyright 2018 The gVisor Authors.`
Check in gVisor. PiperOrigin-RevId: 194583126 Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463 2018-04-27 17:37:02 +00:00			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`// Package statefile defines the state file data stream.`
			`//`
			`// This package currently does not include any details regarding the state`
			`// encoding itself, only details regarding state metadata and data layout.`
			`//`
			`// The file format is defined as follows.`
			`//`
			`// /------------------------------------------------------\`
			`// \| header (8-bytes) \|`
			`// +------------------------------------------------------+`
			`// \| metadata length (8-bytes) \|`
			`// +------------------------------------------------------+`
			`// \| metadata \|`
			`// +------------------------------------------------------+`
			`// \| data \|`
			`// \------------------------------------------------------/`
			`//`
			`// First, it includes a 8-byte magic header which is the following`
			`// sequence of bytes [0x67, 0x56, 0x69, 0x73, 0x6f, 0x72, 0x53, 0x46]`
			`//`
			`// This header is followed by an 8-byte length N (big endian), and an`
			`// ASCII-encoded JSON map that is exactly N bytes long.`
			`//`
			`// This map includes only strings for keys and strings for values. Keys in the`
			`// map that begin with "_" are for internal use only. They may be read, but may`
			`// not be provided by the user. In the future, this metadata may contain some`
			`// information relating to the state encoding itself.`
			`//`
			`// After the map, the remainder of the file is the state data.`
			`package statefile`

			`import (`
			`"bytes"`
Sentry: always use "best speed" compression for save and remove the option. PiperOrigin-RevId: 195835861 Change-Id: Ib696b1b571a6b061725a33c535cd7215fe518b97 2018-05-08 17:06:14 +00:00			`"compress/flate"`
Internal Change PiperOrigin-RevId: 226542979 Change-Id: Ife11ebd0a85b8a63078e6daa71b4a99a82080ac9 2018-12-21 22:28:20 +00:00			`"crypto/hmac"`
			`"crypto/sha256"`
Check in gVisor. PiperOrigin-RevId: 194583126 Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463 2018-04-27 17:37:02 +00:00			`"encoding/json"`
			`"fmt"`
			`"hash"`
			`"io"`
			`"strings"`
			`"time"`

Update canonical repository. This can be merged after: https://github.com/google/gvisor-website/pull/77 or https://github.com/google/gvisor-website/pull/78 PiperOrigin-RevId: 253132620 2019-06-13 23:49:09 +00:00			`"gvisor.dev/gvisor/pkg/binary"`
			`"gvisor.dev/gvisor/pkg/compressio"`
Check in gVisor. PiperOrigin-RevId: 194583126 Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463 2018-04-27 17:37:02 +00:00			`)`

			`// keySize is the AES-256 key length.`
			`const keySize = 32`

			`// compressionChunkSize is the chunk size for compression.`
			`const compressionChunkSize = 1024 * 1024`

			`// maxMetadataSize is the size limit of metadata section.`
			`const maxMetadataSize = 16 * 1024 * 1024`

			`// magicHeader is the byte sequence beginning each file.`
			`var magicHeader = []byte("\x67\x56\x69\x73\x6f\x72\x53\x46")`

			`// ErrBadMagic is returned if the header does not match.`
			`var ErrBadMagic = fmt.Errorf("bad magic header")`

			`// ErrMetadataMissing is returned if the state file is missing mandatory metadata.`
			`var ErrMetadataMissing = fmt.Errorf("missing metadata")`

			`// ErrInvalidMetadataLength is returned if the metadata length is too large.`
			`var ErrInvalidMetadataLength = fmt.Errorf("metadata length invalid, maximum size is %d", maxMetadataSize)`

			`// ErrMetadataInvalid is returned if passed metadata is invalid.`
			`var ErrMetadataInvalid = fmt.Errorf("metadata invalid, can't start with _")`

			`// NewWriter returns a state data writer for a statefile.`
			`//`
			`// Note that the returned WriteCloser must be closed.`
Sentry: always use "best speed" compression for save and remove the option. PiperOrigin-RevId: 195835861 Change-Id: Ib696b1b571a6b061725a33c535cd7215fe518b97 2018-05-08 17:06:14 +00:00			`func NewWriter(w io.Writer, key []byte, metadata map[string]string) (io.WriteCloser, error) {`
Check in gVisor. PiperOrigin-RevId: 194583126 Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463 2018-04-27 17:37:02 +00:00			`if metadata == nil {`
			`metadata = make(map[string]string)`
			`}`
			`for k := range metadata {`
			`if strings.HasPrefix(k, "_") {`
			`return nil, ErrMetadataInvalid`
			`}`
			`}`

			`// Create our HMAC function.`
			`h := hmac.New(sha256.New, key)`
			`mw := io.MultiWriter(w, h)`

			`// First, write the header.`
			`if _, err := mw.Write(magicHeader); err != nil {`
			`return nil, err`
			`}`

			`// Generate a timestamp, for convenience only.`
			`metadata["_timestamp"] = time.Now().UTC().String()`
			`defer delete(metadata, "_timestamp")`

			`// Write the metadata.`
			`b, err := json.Marshal(metadata)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if len(b) > maxMetadataSize {`
			`return nil, ErrInvalidMetadataLength`
			`}`

			`// Metadata length.`
			`if err := binary.WriteUint64(mw, binary.BigEndian, uint64(len(b))); err != nil {`
			`return nil, err`
			`}`
			`// Metadata bytes; io.MultiWriter will return a short write error if`
			`// any of the writers returns < n.`
			`if _, err := mw.Write(b); err != nil {`
			`return nil, err`
			`}`
			`// Write the current hash.`
			`cur := h.Sum(nil)`
			`for done := 0; done < len(cur); {`
			`n, err := mw.Write(cur[done:])`
			`done += n`
			`if err != nil {`
			`return nil, err`
			`}`
			`}`

Sentry: always use "best speed" compression for save and remove the option. PiperOrigin-RevId: 195835861 Change-Id: Ib696b1b571a6b061725a33c535cd7215fe518b97 2018-05-08 17:06:14 +00:00			`// Wrap in compression. We always use "best speed" mode here. When using`
			`// "best compression" mode, there is usually only a little gain in file`
			`// size reduction, which translate to even smaller gain in restore`
			`// latency reduction, while inccuring much more CPU usage at save time.`
compressio: support optional hashing and eliminate hashio. Compared to previous compressio / hashio nesting, there is up to 100% speedup. PiperOrigin-RevId: 210161269 Change-Id: I481aa9fe980bb817fe465fe34d32ea33fc8abf1c 2018-08-24 21:52:23 +00:00			`return compressio.NewWriter(w, key, compressionChunkSize, flate.BestSpeed)`
Check in gVisor. PiperOrigin-RevId: 194583126 Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463 2018-04-27 17:37:02 +00:00			`}`

			`// MetadataUnsafe reads out the metadata from a state file without verifying any`
			`// HMAC. This function shouldn't be called for untrusted input files.`
			`func MetadataUnsafe(r io.Reader) (map[string]string, error) {`
			`return metadata(r, nil)`
			`}`

			`// metadata validates the magic header and reads out the metadata from a state`
			`// data stream.`
			`func metadata(r io.Reader, h hash.Hash) (map[string]string, error) {`
			`if h != nil {`
			`r = io.TeeReader(r, h)`
			`}`

			`// Read and validate magic header.`
			`b := make([]byte, len(magicHeader))`
			`if _, err := r.Read(b); err != nil {`
			`return nil, err`
			`}`
			`if !bytes.Equal(b, magicHeader) {`
			`return nil, ErrBadMagic`
			`}`

			`// Read and validate metadata.`
			`b, err := func() (b []byte, err error) {`
			`defer func() {`
			`if r := recover(); r != nil {`
			`b = nil`
			`err = fmt.Errorf("%v", r)`
			`}`
			`}()`

			`metadataLen, err := binary.ReadUint64(r, binary.BigEndian)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if metadataLen > maxMetadataSize {`
			`return nil, ErrInvalidMetadataLength`
			`}`
			`b = make([]byte, int(metadataLen))`
			`if _, err := io.ReadFull(r, b); err != nil {`
			`return nil, err`
			`}`
			`return b, nil`
			`}()`
			`if err != nil {`
			`return nil, err`
			`}`

			`if h != nil {`
			`// Check the hash prior to decoding.`
			`cur := h.Sum(nil)`
			`buf := make([]byte, len(cur))`
			`if _, err := io.ReadFull(r, buf); err != nil {`
			`return nil, err`
			`}`
			`if !hmac.Equal(cur, buf) {`
compressio: support optional hashing and eliminate hashio. Compared to previous compressio / hashio nesting, there is up to 100% speedup. PiperOrigin-RevId: 210161269 Change-Id: I481aa9fe980bb817fe465fe34d32ea33fc8abf1c 2018-08-24 21:52:23 +00:00			`return nil, compressio.ErrHashMismatch`
Check in gVisor. PiperOrigin-RevId: 194583126 Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463 2018-04-27 17:37:02 +00:00			`}`
			`}`

			`// Decode the metadata.`
			`metadata := make(map[string]string)`
			`if err := json.Unmarshal(b, &metadata); err != nil {`
			`return nil, err`
			`}`

			`return metadata, nil`
			`}`

			`// NewReader returns a reader for a statefile.`
			`func NewReader(r io.Reader, key []byte) (io.Reader, map[string]string, error) {`
			`// Read the metadata with the hash.`
			`h := hmac.New(sha256.New, key)`
			`metadata, err := metadata(r, h)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`// Wrap in compression.`
compressio: support optional hashing and eliminate hashio. Compared to previous compressio / hashio nesting, there is up to 100% speedup. PiperOrigin-RevId: 210161269 Change-Id: I481aa9fe980bb817fe465fe34d32ea33fc8abf1c 2018-08-24 21:52:23 +00:00			`rc, err := compressio.NewReader(r, key)`
Check in gVisor. PiperOrigin-RevId: 194583126 Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463 2018-04-27 17:37:02 +00:00			`if err != nil {`
			`return nil, nil, err`
			`}`
			`return rc, metadata, nil`
			`}`