search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[core] set REDIRECT_STATUS to error_handler_saved_status (fixes #1828)
[lighttpd.git] / src / network.c
blobd8526a645d651be414da7ec8f17f2b53e32a989f
1 #include "first.h"
2
3 #include "network.h"
4 #include "fdevent.h"
5 #include "log.h"
6 #include "connections.h"
7 #include "plugin.h"
8 #include "joblist.h"
9 #include "configfile.h"
10
11 #include "network_backends.h"
12 #include "sys-mmap.h"
13 #include "sys-socket.h"
14
15 #include <sys/types.h>
16 #include <sys/stat.h>
17 #include <sys/time.h>
18
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <stdlib.h>
24 #include <assert.h>
25
26 #ifdef USE_OPENSSL
27 # include <openssl/ssl.h>
28 # include <openssl/err.h>
29 # include <openssl/rand.h>
30 # ifndef OPENSSL_NO_DH
31 # include <openssl/dh.h>
32 # endif
33 # include <openssl/bn.h>
34
35 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
36 # ifndef OPENSSL_NO_ECDH
37 # include <openssl/ecdh.h>
38 # endif
39 # endif
40 #endif
41
42 #ifdef USE_OPENSSL
43 static void ssl_info_callback(const SSL *ssl, int where, int ret) {
44 UNUSED(ret);
45
46 if (0 != (where & SSL_CB_HANDSHAKE_START)) {
47 connection *con = SSL_get_app_data(ssl);
48 ++con->renegotiations;
49 }
50 }
51 #endif
52
53 static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
54 server_socket *srv_socket = (server_socket *)context;
55 connection *con;
56 int loops = 0;
57
58 UNUSED(context);
59
60 if (0 == (revents & FDEVENT_IN)) {
61 log_error_write(srv, __FILE__, __LINE__, "sdd",
62 "strange event for server socket",
63 srv_socket->fd,
64 revents);
65 return HANDLER_ERROR;
66 }
67
68 /* accept()s at most 100 connections directly
69 *
70 * we jump out after 100 to give the waiting connections a chance */
71 for (loops = 0; loops < 100 && NULL != (con = connection_accept(srv, srv_socket)); loops++) {
72 connection_state_machine(srv, con);
73 }
74 return HANDLER_GO_ON;
75 }
76
77 #if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
78 static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
79 const char *servername;
80 connection *con = (connection *) SSL_get_app_data(ssl);
81 UNUSED(al);
82
83 buffer_copy_string(con->uri.scheme, "https");
84
85 if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
86 #if 0
87 /* this "error" just means the client didn't support it */
88 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
89 "failed to get TLS server name");
90 #endif
91 return SSL_TLSEXT_ERR_NOACK;
92 }
93 buffer_copy_string(con->tlsext_server_name, servername);
94 buffer_to_lower(con->tlsext_server_name);
95
96 /* Sometimes this is still set, confusing COMP_HTTP_HOST */
97 buffer_reset(con->uri.authority);
98
99 config_cond_cache_reset(srv, con);
100 config_setup_connection(srv, con);
101
102 con->conditional_is_valid[COMP_SERVER_SOCKET] = 1;
103 con->conditional_is_valid[COMP_HTTP_SCHEME] = 1;
104 con->conditional_is_valid[COMP_HTTP_HOST] = 1;
105 config_patch_connection(srv, con);
106
107 if (NULL == con->conf.ssl_pemfile_x509 || NULL == con->conf.ssl_pemfile_pkey) {
108 /* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */
109 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
110 "no certificate/private key for TLS server name", con->tlsext_server_name);
111 return SSL_TLSEXT_ERR_ALERT_FATAL;
112 }
113
114 /* first set certificate! setting private key checks whether certificate matches it */
115 if (!SSL_use_certificate(ssl, con->conf.ssl_pemfile_x509)) {
116 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
117 "failed to set certificate for TLS server name", con->tlsext_server_name,
118 ERR_error_string(ERR_get_error(), NULL));
119 return SSL_TLSEXT_ERR_ALERT_FATAL;
120 }
121
122 if (!SSL_use_PrivateKey(ssl, con->conf.ssl_pemfile_pkey)) {
123 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
124 "failed to set private key for TLS server name", con->tlsext_server_name,
125 ERR_error_string(ERR_get_error(), NULL));
126 return SSL_TLSEXT_ERR_ALERT_FATAL;
127 }
128
129 if (con->conf.ssl_verifyclient) {
130 if (NULL == con->conf.ssl_ca_file_cert_names) {
131 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
132 "can't verify client without ssl.ca-file for TLS server name", con->tlsext_server_name,
133 ERR_error_string(ERR_get_error(), NULL));
134 return SSL_TLSEXT_ERR_ALERT_FATAL;
135 }
136
137 SSL_set_client_CA_list(ssl, SSL_dup_CA_list(con->conf.ssl_ca_file_cert_names));
138 /* forcing verification here is really not that useful - a client could just connect without SNI */
139 SSL_set_verify(
140 ssl,
141 SSL_VERIFY_PEER | (con->conf.ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
142 NULL
143 );
144 SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth);
145 } else {
146 SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
147 }
148
149 return SSL_TLSEXT_ERR_OK;
150 }
151 #endif
152
153 static int network_server_init(server *srv, buffer *host_token, specific_config *s) {
154 int val;
155 socklen_t addr_len;
156 server_socket *srv_socket;
157 unsigned int port = 0;
158 const char *host;
159 buffer *b;
160 int is_unix_domain_socket = 0;
161 int fd;
162 int err;
163
164 #ifdef __WIN32
165 WORD wVersionRequested;
166 WSADATA wsaData;
167
168 wVersionRequested = MAKEWORD( 2, 2 );
169
170 err = WSAStartup( wVersionRequested, &wsaData );
171 if ( err != 0 ) {
172 /* Tell the user that we could not find a usable */
173 /* WinSock DLL. */
174 return -1;
175 }
176 #endif
177 err = -1;
178
179 srv_socket = calloc(1, sizeof(*srv_socket));
180 force_assert(NULL != srv_socket);
181 srv_socket->fd = -1;
182 srv_socket->fde_ndx = -1;
183
184 srv_socket->srv_token = buffer_init();
185 buffer_copy_buffer(srv_socket->srv_token, host_token);
186
187 b = buffer_init();
188 buffer_copy_buffer(b, host_token);
189
190 host = b->ptr;
191
192 if (host[0] == '/') {
193 /* host is a unix-domain-socket */
194 is_unix_domain_socket = 1;
195 } else {
196 /* ipv4:port
197 * [ipv6]:port
198 */
199 size_t len = buffer_string_length(b);
200 char *sp = NULL;
201 if (0 == len) {
202 log_error_write(srv, __FILE__, __LINE__, "s", "value of $SERVER[\"socket\"] must not be empty");
203 goto error_free_socket;
204 }
205 if ((b->ptr[0] == '[' && b->ptr[len-1] == ']') || NULL == (sp = strrchr(b->ptr, ':'))) {
206 /* use server.port if set in config, or else default from config_set_defaults() */
207 port = srv->srvconf.port;
208 sp = b->ptr + len; /* point to '\0' at end of string so end of IPv6 address can be found below */
209 } else {
210 /* found ip:port separator at *sp; port doesn't end in ']', so *sp hopefully doesn't split an IPv6 address */
211 *(sp++) = '\0';
212 port = strtol(sp, NULL, 10);
213 }
214
215 /* check for [ and ] */
216 if (b->ptr[0] == '[' && *(sp-1) == ']') {
217 *(sp-1) = '\0';
218 host++;
219
220 s->use_ipv6 = 1;
221 }
222
223 if (port == 0 || port > 65535) {
224 log_error_write(srv, __FILE__, __LINE__, "sd", "port not set or out of range:", port);
225
226 goto error_free_socket;
227 }
228 }
229
230 if (*host == '\0') host = NULL;
231
232 if (is_unix_domain_socket) {
233 #ifdef HAVE_SYS_UN_H
234
235 srv_socket->addr.plain.sa_family = AF_UNIX;
236
237 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, 0))) {
238 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
239 goto error_free_socket;
240 }
241 #else
242 log_error_write(srv, __FILE__, __LINE__, "s",
243 "ERROR: Unix Domain sockets are not supported.");
244 goto error_free_socket;
245 #endif
246 }
247
248 #ifdef HAVE_IPV6
249 if (s->use_ipv6) {
250 srv_socket->addr.plain.sa_family = AF_INET6;
251
252 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
253 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
254 goto error_free_socket;
255 }
256 }
257 #endif
258
259 if (srv_socket->fd == -1) {
260 srv_socket->addr.plain.sa_family = AF_INET;
261 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
262 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
263 goto error_free_socket;
264 }
265 }
266
267 /* set FD_CLOEXEC now, fdevent_fcntl_set is called later; needed for pipe-logger forks */
268 fd_close_on_exec(srv_socket->fd);
269
270 /* */
271 srv->cur_fds = srv_socket->fd;
272
273 val = 1;
274 if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
275 log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(SO_REUSEADDR) failed:", strerror(errno));
276 goto error_free_socket;
277 }
278
279 switch(srv_socket->addr.plain.sa_family) {
280 #ifdef HAVE_IPV6
281 case AF_INET6:
282 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in6));
283 srv_socket->addr.ipv6.sin6_family = AF_INET6;
284 if (host == NULL) {
285 srv_socket->addr.ipv6.sin6_addr = in6addr_any;
286 log_error_write(srv, __FILE__, __LINE__, "s", "warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes");
287 } else {
288 struct addrinfo hints, *res;
289 int r;
290
291 if (s->set_v6only) {
292 val = 1;
293 if (-1 == setsockopt(srv_socket->fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof(val))) {
294 log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(IPV6_V6ONLY) failed:", strerror(errno));
295 goto error_free_socket;
296 }
297 } else {
298 log_error_write(srv, __FILE__, __LINE__, "s", "warning: server.set-v6only will be removed soon, update your config to have different sockets for ipv4 and ipv6");
299 }
300
301 memset(&hints, 0, sizeof(hints));
302
303 hints.ai_family = AF_INET6;
304 hints.ai_socktype = SOCK_STREAM;
305 hints.ai_protocol = IPPROTO_TCP;
306
307 if (0 != (r = getaddrinfo(host, NULL, &hints, &res))) {
308 log_error_write(srv, __FILE__, __LINE__,
309 "sssss", "getaddrinfo failed: ",
310 gai_strerror(r), "'", host, "'");
311
312 goto error_free_socket;
313 }
314
315 memcpy(&(srv_socket->addr), res->ai_addr, res->ai_addrlen);
316
317 freeaddrinfo(res);
318 }
319 srv_socket->addr.ipv6.sin6_port = htons(port);
320 addr_len = sizeof(struct sockaddr_in6);
321 break;
322 #endif
323 case AF_INET:
324 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in));
325 srv_socket->addr.ipv4.sin_family = AF_INET;
326 if (host == NULL) {
327 srv_socket->addr.ipv4.sin_addr.s_addr = htonl(INADDR_ANY);
328 } else {
329 struct hostent *he;
330 if (NULL == (he = gethostbyname(host))) {
331 log_error_write(srv, __FILE__, __LINE__,
332 "sds", "gethostbyname failed: ",
333 h_errno, host);
334 goto error_free_socket;
335 }
336
337 if (he->h_addrtype != AF_INET) {
338 log_error_write(srv, __FILE__, __LINE__, "sd", "addr-type != AF_INET: ", he->h_addrtype);
339 goto error_free_socket;
340 }
341
342 if (he->h_length != sizeof(struct in_addr)) {
343 log_error_write(srv, __FILE__, __LINE__, "sd", "addr-length != sizeof(in_addr): ", he->h_length);
344 goto error_free_socket;
345 }
346
347 memcpy(&(srv_socket->addr.ipv4.sin_addr.s_addr), he->h_addr_list[0], he->h_length);
348 }
349 srv_socket->addr.ipv4.sin_port = htons(port);
350
351 addr_len = sizeof(struct sockaddr_in);
352
353 break;
354 case AF_UNIX:
355 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_un));
356 srv_socket->addr.un.sun_family = AF_UNIX;
357 {
358 size_t hostlen = strlen(host) + 1;
359 if (hostlen > sizeof(srv_socket->addr.un.sun_path)) {
360 log_error_write(srv, __FILE__, __LINE__, "sS", "unix socket filename too long:", host);
361 goto error_free_socket;
362 }
363 memcpy(srv_socket->addr.un.sun_path, host, hostlen);
364
365 #if defined(SUN_LEN)
366 addr_len = SUN_LEN(&srv_socket->addr.un);
367 #else
368 /* stevens says: */
369 addr_len = hostlen + sizeof(srv_socket->addr.un.sun_family);
370 #endif
371 }
372
373 if (srv->srvconf.preflight_check) break;
374
375 /* check if the socket exists and try to connect to it. */
376 if (-1 != (fd = connect(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len))) {
377 close(fd);
378
379 log_error_write(srv, __FILE__, __LINE__, "ss",
380 "server socket is still in use:",
381 host);
382
383
384 goto error_free_socket;
385 }
386
387 /* connect failed */
388 switch(errno) {
389 case ECONNREFUSED:
390 unlink(host);
391 break;
392 case ENOENT:
393 break;
394 default:
395 log_error_write(srv, __FILE__, __LINE__, "sds",
396 "testing socket failed:",
397 host, strerror(errno));
398
399 goto error_free_socket;
400 }
401
402 break;
403 default:
404 goto error_free_socket;
405 }
406
407 if (srv->srvconf.preflight_check) {
408 err = 0;
409 goto error_free_socket;
410 }
411
412 if (0 != bind(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len)) {
413 switch(srv_socket->addr.plain.sa_family) {
414 case AF_UNIX:
415 log_error_write(srv, __FILE__, __LINE__, "sds",
416 "can't bind to socket:",
417 host, strerror(errno));
418 break;
419 default:
420 log_error_write(srv, __FILE__, __LINE__, "ssds",
421 "can't bind to port:",
422 host, port, strerror(errno));
423 break;
424 }
425 goto error_free_socket;
426 }
427
428 if (-1 == listen(srv_socket->fd, s->listen_backlog)) {
429 log_error_write(srv, __FILE__, __LINE__, "ss", "listen failed: ", strerror(errno));
430 goto error_free_socket;
431 }
432
433 if (s->ssl_enabled) {
434 #ifdef USE_OPENSSL
435 if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
436 log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
437 goto error_free_socket;
438 }
439 #else
440
441 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
442 "ssl requested but openssl support is not compiled in");
443
444 goto error_free_socket;
445 #endif
446 #ifdef TCP_DEFER_ACCEPT
447 } else if (s->defer_accept) {
448 int v = s->defer_accept;
449 if (-1 == setsockopt(srv_socket->fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &v, sizeof(v))) {
450 log_error_write(srv, __FILE__, __LINE__, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno));
451 }
452 #endif
453 } else {
454 #ifdef SO_ACCEPTFILTER
455 /* FreeBSD accf_http filter */
456 struct accept_filter_arg afa;
457 memset(&afa, 0, sizeof(afa));
458 strcpy(afa.af_name, "httpready");
459 if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)) < 0) {
460 if (errno != ENOENT) {
461 log_error_write(srv, __FILE__, __LINE__, "ss", "can't set accept-filter 'httpready': ", strerror(errno));
462 }
463 }
464 #endif
465 }
466
467 srv_socket->is_ssl = s->ssl_enabled;
468
469 if (srv->srv_sockets.size == 0) {
470 srv->srv_sockets.size = 4;
471 srv->srv_sockets.used = 0;
472 srv->srv_sockets.ptr = malloc(srv->srv_sockets.size * sizeof(server_socket*));
473 force_assert(NULL != srv->srv_sockets.ptr);
474 } else if (srv->srv_sockets.used == srv->srv_sockets.size) {
475 srv->srv_sockets.size += 4;
476 srv->srv_sockets.ptr = realloc(srv->srv_sockets.ptr, srv->srv_sockets.size * sizeof(server_socket*));
477 force_assert(NULL != srv->srv_sockets.ptr);
478 }
479
480 srv->srv_sockets.ptr[srv->srv_sockets.used++] = srv_socket;
481
482 buffer_free(b);
483
484 return 0;
485
486 error_free_socket:
487 if (srv_socket->fd != -1) {
488 /* check if server fd are already registered */
489 if (srv_socket->fde_ndx != -1) {
490 fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
491 fdevent_unregister(srv->ev, srv_socket->fd);
492 }
493
494 close(srv_socket->fd);
495 }
496 buffer_free(srv_socket->srv_token);
497 free(srv_socket);
498
499 buffer_free(b);
500
501 return err; /* -1 if error; 0 if srv->srvconf.preflight_check successful */
502 }
503
504 int network_close(server *srv) {
505 size_t i;
506 for (i = 0; i < srv->srv_sockets.used; i++) {
507 server_socket *srv_socket = srv->srv_sockets.ptr[i];
508
509 if (srv_socket->fd != -1) {
510 /* check if server fd are already registered */
511 if (srv_socket->fde_ndx != -1) {
512 fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
513 fdevent_unregister(srv->ev, srv_socket->fd);
514 }
515
516 close(srv_socket->fd);
517 }
518
519 buffer_free(srv_socket->srv_token);
520
521 free(srv_socket);
522 }
523
524 free(srv->srv_sockets.ptr);
525
526 return 0;
527 }
528
529 typedef enum {
530 NETWORK_BACKEND_UNSET,
531 NETWORK_BACKEND_WRITE,
532 NETWORK_BACKEND_WRITEV,
533 NETWORK_BACKEND_SENDFILE,
534 } network_backend_t;
535
536 #ifdef USE_OPENSSL
537 static X509* x509_load_pem_file(server *srv, const char *file) {
538 BIO *in;
539 X509 *x = NULL;
540
541 in = BIO_new(BIO_s_file());
542 if (NULL == in) {
543 log_error_write(srv, __FILE__, __LINE__, "S", "SSL: BIO_new(BIO_s_file()) failed");
544 goto error;
545 }
546
547 if (BIO_read_filename(in,file) <= 0) {
548 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed");
549 goto error;
550 }
551 x = PEM_read_bio_X509(in, NULL, NULL, NULL);
552
553 if (NULL == x) {
554 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read X509 certificate from '", file,"'");
555 goto error;
556 }
557
558 BIO_free(in);
559 return x;
560
561 error:
562 if (NULL != in) BIO_free(in);
563 return NULL;
564 }
565
566 static EVP_PKEY* evp_pkey_load_pem_file(server *srv, const char *file) {
567 BIO *in;
568 EVP_PKEY *x = NULL;
569
570 in=BIO_new(BIO_s_file());
571 if (NULL == in) {
572 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BIO_new(BIO_s_file()) failed");
573 goto error;
574 }
575
576 if (BIO_read_filename(in,file) <= 0) {
577 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed");
578 goto error;
579 }
580 x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
581
582 if (NULL == x) {
583 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read private key from '", file,"'");
584 goto error;
585 }
586
587 BIO_free(in);
588 return x;
589
590 error:
591 if (NULL != in) BIO_free(in);
592 return NULL;
593 }
594
595 static int network_openssl_load_pemfile(server *srv, size_t ndx) {
596 specific_config *s = srv->config_storage[ndx];
597
598 #ifdef OPENSSL_NO_TLSEXT
599 {
600 data_config *dc = (data_config *)srv->config_context->data[ndx];
601 if ((ndx > 0 && (COMP_SERVER_SOCKET != dc->comp || dc->cond != CONFIG_COND_EQ))
602 || !s->ssl_enabled) {
603 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
604 "ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions");
605 return -1;
606 }
607 }
608 #endif
609
610 if (NULL == (s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
611 if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
612
613 if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
614 log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
615 "Private key does not match the certificate public key, reason:",
616 ERR_error_string(ERR_get_error(), NULL),
617 s->ssl_pemfile);
618 return -1;
619 }
620
621 return 0;
622 }
623 #endif
624
625 int network_init(server *srv) {
626 buffer *b;
627 size_t i, j;
628 network_backend_t backend;
629
630 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
631 #ifndef OPENSSL_NO_ECDH
632 EC_KEY *ecdh;
633 int nid;
634 #endif
635 #endif
636
637 #ifdef USE_OPENSSL
638 # ifndef OPENSSL_NO_DH
639 DH *dh;
640 # endif
641 BIO *bio;
642
643 /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
644 * -----BEGIN DH PARAMETERS-----
645 * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
646 * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
647 * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
648 * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
649 * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
650 * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
651 * -----END DH PARAMETERS-----
652 */
653
654 static const unsigned char dh1024_p[]={
655 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
656 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
657 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
658 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
659 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
660 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
661 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
662 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
663 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
664 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
665 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
666 };
667
668 static const unsigned char dh1024_g[]={
669 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
670 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
671 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
672 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
673 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
674 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
675 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
676 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
677 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
678 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
679 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
680 };
681 #endif
682
683 struct nb_map {
684 network_backend_t nb;
685 const char *name;
686 } network_backends[] = {
687 /* lowest id wins */
688 #if defined USE_SENDFILE
689 { NETWORK_BACKEND_SENDFILE, "sendfile" },
690 #endif
691 #if defined USE_LINUX_SENDFILE
692 { NETWORK_BACKEND_SENDFILE, "linux-sendfile" },
693 #endif
694 #if defined USE_FREEBSD_SENDFILE
695 { NETWORK_BACKEND_SENDFILE, "freebsd-sendfile" },
696 #endif
697 #if defined USE_SOLARIS_SENDFILEV
698 { NETWORK_BACKEND_SENDFILE, "solaris-sendfilev" },
699 #endif
700 #if defined USE_WRITEV
701 { NETWORK_BACKEND_WRITEV, "writev" },
702 #endif
703 { NETWORK_BACKEND_WRITE, "write" },
704 { NETWORK_BACKEND_UNSET, NULL }
705 };
706
707 #ifdef USE_OPENSSL
708 /* load SSL certificates */
709 for (i = 0; i < srv->config_context->used; i++) {
710 specific_config *s = srv->config_storage[i];
711 #ifndef SSL_OP_NO_COMPRESSION
712 # define SSL_OP_NO_COMPRESSION 0
713 #endif
714 long ssloptions =
715 SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
716
717 if (buffer_string_is_empty(s->ssl_pemfile) && buffer_string_is_empty(s->ssl_ca_file)) continue;
718
719 if (srv->ssl_is_init == 0) {
720 SSL_load_error_strings();
721 SSL_library_init();
722 OpenSSL_add_all_algorithms();
723 srv->ssl_is_init = 1;
724
725 if (0 == RAND_status()) {
726 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
727 "not enough entropy in the pool");
728 return -1;
729 }
730 }
731
732 if (!buffer_string_is_empty(s->ssl_pemfile)) {
733 #ifdef OPENSSL_NO_TLSEXT
734 data_config *dc = (data_config *)srv->config_context->data[i];
735 if (COMP_HTTP_HOST == dc->comp) {
736 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
737 "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
738 return -1;
739 }
740 #endif
741 if (network_openssl_load_pemfile(srv, i)) return -1;
742 }
743
744
745 if (!buffer_string_is_empty(s->ssl_ca_file)) {
746 s->ssl_ca_file_cert_names = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
747 if (NULL == s->ssl_ca_file_cert_names) {
748 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
749 ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
750 }
751 }
752
753 if (buffer_string_is_empty(s->ssl_pemfile) || !s->ssl_enabled) continue;
754
755 if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
756 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
757 ERR_error_string(ERR_get_error(), NULL));
758 return -1;
759 }
760
761 /* completely useless identifier; required for client cert verification to work with sessions */
762 if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
763 log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:",
764 "failed to set session context",
765 ERR_error_string(ERR_get_error(), NULL));
766 return -1;
767 }
768
769 if (s->ssl_empty_fragments) {
770 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
771 ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
772 #else
773 ssloptions &= ~0x00000800L; /* hardcode constant */
774 log_error_write(srv, __FILE__, __LINE__, "ss", "WARNING: SSL:",
775 "'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
776 #endif
777 }
778
779 SSL_CTX_set_options(s->ssl_ctx, ssloptions);
780 SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
781
782 if (!s->ssl_use_sslv2) {
783 /* disable SSLv2 */
784 if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
785 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
786 ERR_error_string(ERR_get_error(), NULL));
787 return -1;
788 }
789 }
790
791 if (!s->ssl_use_sslv3) {
792 /* disable SSLv3 */
793 if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) {
794 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
795 ERR_error_string(ERR_get_error(), NULL));
796 return -1;
797 }
798 }
799
800 if (!buffer_string_is_empty(s->ssl_cipher_list)) {
801 /* Disable support for low encryption ciphers */
802 if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
803 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
804 ERR_error_string(ERR_get_error(), NULL));
805 return -1;
806 }
807
808 if (s->ssl_honor_cipher_order) {
809 SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
810 }
811 }
812
813 #ifndef OPENSSL_NO_DH
814 /* Support for Diffie-Hellman key exchange */
815 if (!buffer_string_is_empty(s->ssl_dh_file)) {
816 /* DH parameters from file */
817 bio = BIO_new_file((char *) s->ssl_dh_file->ptr, "r");
818 if (bio == NULL) {
819 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to open file", s->ssl_dh_file->ptr);
820 return -1;
821 }
822 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
823 BIO_free(bio);
824 if (dh == NULL) {
825 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: PEM_read_bio_DHparams failed", s->ssl_dh_file->ptr);
826 return -1;
827 }
828 } else {
829 BIGNUM *dh_p, *dh_g;
830 /* Default DH parameters from RFC5114 */
831 dh = DH_new();
832 if (dh == NULL) {
833 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed");
834 return -1;
835 }
836 dh_p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
837 dh_g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
838 if ((dh_p == NULL) || (dh_g == NULL)) {
839 DH_free(dh);
840 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
841 return -1;
842 }
843 #if OPENSSL_VERSION_NUMBER < 0x10100000L
844 dh->p = dh_p;
845 dh->g = dh_g;
846 dh->length = 160;
847 #else
848 DH_set0_pqg(dh, dh_p, NULL, dh_g);
849 DH_set_length(dh, 160);
850 #endif
851 }
852 SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
853 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
854 DH_free(dh);
855 #else
856 if (!buffer_string_is_empty(s->ssl_dh_file)) {
857 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: openssl compiled without DH support, can't load parameters from", s->ssl_dh_file->ptr);
858 }
859 #endif
860
861 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
862 #ifndef OPENSSL_NO_ECDH
863 /* Support for Elliptic-Curve Diffie-Hellman key exchange */
864 if (!buffer_string_is_empty(s->ssl_ec_curve)) {
865 /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
866 nid = OBJ_sn2nid((char *) s->ssl_ec_curve->ptr);
867 if (nid == 0) {
868 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unknown curve name", s->ssl_ec_curve->ptr);
869 return -1;
870 }
871 } else {
872 /* Default curve */
873 nid = OBJ_sn2nid("prime256v1");
874 }
875 ecdh = EC_KEY_new_by_curve_name(nid);
876 if (ecdh == NULL) {
877 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to create curve", s->ssl_ec_curve->ptr);
878 return -1;
879 }
880 SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
881 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
882 EC_KEY_free(ecdh);
883 #endif
884 #endif
885
886 /* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */
887 for (j = 0; j < srv->config_context->used; j++) {
888 specific_config *s1 = srv->config_storage[j];
889
890 if (!buffer_string_is_empty(s1->ssl_ca_file)) {
891 if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s1->ssl_ca_file->ptr, NULL)) {
892 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
893 ERR_error_string(ERR_get_error(), NULL), s1->ssl_ca_file);
894 return -1;
895 }
896 }
897 }
898
899 if (s->ssl_verifyclient) {
900 if (NULL == s->ssl_ca_file_cert_names) {
901 log_error_write(srv, __FILE__, __LINE__, "s",
902 "SSL: You specified ssl.verifyclient.activate but no ca_file"
903 );
904 return -1;
905 }
906 SSL_CTX_set_client_CA_list(s->ssl_ctx, SSL_dup_CA_list(s->ssl_ca_file_cert_names));
907 SSL_CTX_set_verify(
908 s->ssl_ctx,
909 SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
910 NULL
911 );
912 SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
913 }
914
915 if (SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509) < 0) {
916 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
917 ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
918 return -1;
919 }
920
921 if (SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey) < 0) {
922 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
923 ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
924 return -1;
925 }
926
927 if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
928 log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
929 "Private key does not match the certificate public key, reason:",
930 ERR_error_string(ERR_get_error(), NULL),
931 s->ssl_pemfile);
932 return -1;
933 }
934 SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
935 SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
936
937 # ifndef OPENSSL_NO_TLSEXT
938 if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
939 !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
940 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
941 "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
942 return -1;
943 }
944 # endif
945 }
946 #endif
947
948 b = buffer_init();
949
950 buffer_copy_buffer(b, srv->srvconf.bindhost);
951 buffer_append_string_len(b, CONST_STR_LEN(":"));
952 buffer_append_int(b, srv->srvconf.port);
953
954 if (0 != network_server_init(srv, b, srv->config_storage[0])) {
955 buffer_free(b);
956 return -1;
957 }
958 buffer_free(b);
959
960 #ifdef USE_OPENSSL
961 srv->network_ssl_backend_write = network_write_chunkqueue_openssl;
962 #endif
963
964 /* get a usefull default */
965 backend = network_backends[0].nb;
966
967 /* match name against known types */
968 if (!buffer_string_is_empty(srv->srvconf.network_backend)) {
969 for (i = 0; network_backends[i].name; i++) {
970 /**/
971 if (buffer_is_equal_string(srv->srvconf.network_backend, network_backends[i].name, strlen(network_backends[i].name))) {
972 backend = network_backends[i].nb;
973 break;
974 }
975 }
976 if (NULL == network_backends[i].name) {
977 /* we don't know it */
978
979 log_error_write(srv, __FILE__, __LINE__, "sb",
980 "server.network-backend has a unknown value:",
981 srv->srvconf.network_backend);
982
983 return -1;
984 }
985 }
986
987 switch(backend) {
988 case NETWORK_BACKEND_WRITE:
989 srv->network_backend_write = network_write_chunkqueue_write;
990 break;
991 #if defined(USE_WRITEV)
992 case NETWORK_BACKEND_WRITEV:
993 srv->network_backend_write = network_write_chunkqueue_writev;
994 break;
995 #endif
996 #if defined(USE_SENDFILE)
997 case NETWORK_BACKEND_SENDFILE:
998 srv->network_backend_write = network_write_chunkqueue_sendfile;
999 break;
1000 #endif
1001 default:
1002 return -1;
1003 }
1004
1005 /* check for $SERVER["socket"] */
1006 for (i = 1; i < srv->config_context->used; i++) {
1007 data_config *dc = (data_config *)srv->config_context->data[i];
1008 specific_config *s = srv->config_storage[i];
1009
1010 /* not our stage */
1011 if (COMP_SERVER_SOCKET != dc->comp) continue;
1012
1013 if (dc->cond != CONFIG_COND_EQ) continue;
1014
1015 /* check if we already know this socket,
1016 * if yes, don't init it */
1017 for (j = 0; j < srv->srv_sockets.used; j++) {
1018 if (buffer_is_equal(srv->srv_sockets.ptr[j]->srv_token, dc->string)) {
1019 break;
1020 }
1021 }
1022
1023 if (j == srv->srv_sockets.used) {
1024 if (0 != network_server_init(srv, dc->string, s)) return -1;
1025 }
1026 }
1027
1028 return 0;
1029 }
1030
1031 int network_register_fdevents(server *srv) {
1032 size_t i;
1033
1034 if (-1 == fdevent_reset(srv->ev)) {
1035 return -1;
1036 }
1037
1038 /* register fdevents after reset */
1039 for (i = 0; i < srv->srv_sockets.used; i++) {
1040 server_socket *srv_socket = srv->srv_sockets.ptr[i];
1041
1042 fdevent_register(srv->ev, srv_socket->fd, network_server_handle_fdevent, srv_socket);
1043 fdevent_event_set(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd, FDEVENT_IN);
1044 }
1045 return 0;
1046 }
1047
1048 int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) {
1049 int ret = -1;
1050 off_t written = 0;
1051 #ifdef TCP_CORK
1052 int corked = 0;
1053 #endif
1054 server_socket *srv_socket = con->srv_socket;
1055
1056 if (con->conf.global_kbytes_per_second) {
1057 off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr);
1058 if (limit <= 0) {
1059 /* we reached the global traffic limit */
1060
1061 con->traffic_limit_reached = 1;
1062 joblist_append(srv, con);
1063
1064 return 1;
1065 } else {
1066 if (max_bytes > limit) max_bytes = limit;
1067 }
1068 }
1069
1070 if (con->conf.kbytes_per_second) {
1071 off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second;
1072 if (limit <= 0) {
1073 /* we reached the traffic limit */
1074
1075 con->traffic_limit_reached = 1;
1076 joblist_append(srv, con);
1077
1078 return 1;
1079 } else {
1080 if (max_bytes > limit) max_bytes = limit;
1081 }
1082 }
1083
1084 written = cq->bytes_out;
1085
1086 #ifdef TCP_CORK
1087 /* Linux: put a cork into the socket as we want to combine the write() calls
1088 * but only if we really have multiple chunks
1089 */
1090 if (cq->first && cq->first->next) {
1091 corked = 1;
1092 setsockopt(con->fd, IPPROTO_TCP, TCP_CORK, &corked, sizeof(corked));
1093 }
1094 #endif
1095
1096 if (srv_socket->is_ssl) {
1097 #ifdef USE_OPENSSL
1098 ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes);
1099 #endif
1100 } else {
1101 ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes);
1102 }
1103
1104 if (ret >= 0) {
1105 chunkqueue_remove_finished_chunks(cq);
1106 ret = chunkqueue_is_empty(cq) ? 0 : 1;
1107 }
1108
1109 #ifdef TCP_CORK
1110 if (corked) {
1111 corked = 0;
1112 setsockopt(con->fd, IPPROTO_TCP, TCP_CORK, &corked, sizeof(corked));
1113 }
1114 #endif
1115
1116 written = cq->bytes_out - written;
1117 con->bytes_written += written;
1118 con->bytes_written_cur_second += written;
1119
1120 *(con->conf.global_bytes_per_second_cnt_ptr) += written;
1121
1122 return ret;
1123 }
A fast webserver with minimal memory-footprint (lighttpd)