6 #include "connections.h"
9 #include "configfile.h"
11 #include "network_backends.h"
13 #include "sys-socket.h"
15 #include <sys/types.h>
27 # include <openssl/ssl.h>
28 # include <openssl/err.h>
29 # include <openssl/rand.h>
30 # ifndef OPENSSL_NO_DH
31 # include <openssl/dh.h>
33 # include <openssl/bn.h>
35 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
36 # ifndef OPENSSL_NO_ECDH
37 # include <openssl/ecdh.h>
43 static void ssl_info_callback(const SSL
*ssl
, int where
, int ret
) {
46 if (0 != (where
& SSL_CB_HANDSHAKE_START
)) {
47 connection
*con
= SSL_get_app_data(ssl
);
48 ++con
->renegotiations
;
54 network_accept_tcp_nagle_disable (const int fd
)
56 static int noinherit_tcpnodelay
= -1;
59 if (!noinherit_tcpnodelay
) /* TCP_NODELAY inherited from listen socket */
62 if (noinherit_tcpnodelay
< 0) {
63 socklen_t optlen
= sizeof(opt
);
64 if (0 == getsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &opt
, &optlen
)) {
65 noinherit_tcpnodelay
= !opt
;
66 if (opt
) /* TCP_NODELAY inherited from listen socket */
72 (void)setsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &opt
, sizeof(opt
));
75 static handler_t
network_server_handle_fdevent(server
*srv
, void *context
, int revents
) {
76 server_socket
*srv_socket
= (server_socket
*)context
;
82 if (0 == (revents
& FDEVENT_IN
)) {
83 log_error_write(srv
, __FILE__
, __LINE__
, "sdd",
84 "strange event for server socket",
90 /* accept()s at most 100 connections directly
92 * we jump out after 100 to give the waiting connections a chance */
93 for (loops
= 0; loops
< 100 && NULL
!= (con
= connection_accept(srv
, srv_socket
)); loops
++) {
94 connection_state_machine(srv
, con
);
99 #if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
100 static int network_ssl_servername_callback(SSL
*ssl
, int *al
, server
*srv
) {
101 const char *servername
;
102 connection
*con
= (connection
*) SSL_get_app_data(ssl
);
105 buffer_copy_string(con
->uri
.scheme
, "https");
107 if (NULL
== (servername
= SSL_get_servername(ssl
, TLSEXT_NAMETYPE_host_name
))) {
109 /* this "error" just means the client didn't support it */
110 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
111 "failed to get TLS server name");
113 return SSL_TLSEXT_ERR_NOACK
;
115 buffer_copy_string(con
->tlsext_server_name
, servername
);
116 buffer_to_lower(con
->tlsext_server_name
);
118 /* Sometimes this is still set, confusing COMP_HTTP_HOST */
119 buffer_reset(con
->uri
.authority
);
121 config_cond_cache_reset(srv
, con
);
122 config_setup_connection(srv
, con
);
124 con
->conditional_is_valid
[COMP_SERVER_SOCKET
] = 1;
125 con
->conditional_is_valid
[COMP_HTTP_REMOTE_IP
] = 1;
126 con
->conditional_is_valid
[COMP_HTTP_SCHEME
] = 1;
127 con
->conditional_is_valid
[COMP_HTTP_HOST
] = 1;
128 config_patch_connection(srv
, con
);
130 if (NULL
== con
->conf
.ssl_pemfile_x509
|| NULL
== con
->conf
.ssl_pemfile_pkey
) {
131 /* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */
132 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
133 "no certificate/private key for TLS server name", con
->tlsext_server_name
);
134 return SSL_TLSEXT_ERR_ALERT_FATAL
;
137 /* first set certificate! setting private key checks whether certificate matches it */
138 if (!SSL_use_certificate(ssl
, con
->conf
.ssl_pemfile_x509
)) {
139 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
140 "failed to set certificate for TLS server name", con
->tlsext_server_name
,
141 ERR_error_string(ERR_get_error(), NULL
));
142 return SSL_TLSEXT_ERR_ALERT_FATAL
;
145 if (!SSL_use_PrivateKey(ssl
, con
->conf
.ssl_pemfile_pkey
)) {
146 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
147 "failed to set private key for TLS server name", con
->tlsext_server_name
,
148 ERR_error_string(ERR_get_error(), NULL
));
149 return SSL_TLSEXT_ERR_ALERT_FATAL
;
152 if (con
->conf
.ssl_verifyclient
) {
153 if (NULL
== con
->conf
.ssl_ca_file_cert_names
) {
154 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
155 "can't verify client without ssl.ca-file for TLS server name", con
->tlsext_server_name
,
156 ERR_error_string(ERR_get_error(), NULL
));
157 return SSL_TLSEXT_ERR_ALERT_FATAL
;
160 SSL_set_client_CA_list(ssl
, SSL_dup_CA_list(con
->conf
.ssl_ca_file_cert_names
));
161 /* forcing verification here is really not that useful - a client could just connect without SNI */
164 SSL_VERIFY_PEER
| (con
->conf
.ssl_verifyclient_enforce
? SSL_VERIFY_FAIL_IF_NO_PEER_CERT
: 0),
167 SSL_set_verify_depth(ssl
, con
->conf
.ssl_verifyclient_depth
);
169 SSL_set_verify(ssl
, SSL_VERIFY_NONE
, NULL
);
172 return SSL_TLSEXT_ERR_OK
;
176 static int network_server_init(server
*srv
, buffer
*host_token
, specific_config
*s
) {
179 server_socket
*srv_socket
;
180 unsigned int port
= 0;
186 WORD wVersionRequested
;
189 wVersionRequested
= MAKEWORD( 2, 2 );
191 err
= WSAStartup( wVersionRequested
, &wsaData
);
193 /* Tell the user that we could not find a usable */
200 srv_socket
= calloc(1, sizeof(*srv_socket
));
201 force_assert(NULL
!= srv_socket
);
202 srv_socket
->addr
.plain
.sa_family
= AF_INET
; /* default */
204 srv_socket
->fde_ndx
= -1;
206 srv_socket
->srv_token
= buffer_init();
207 buffer_copy_buffer(srv_socket
->srv_token
, host_token
);
210 buffer_copy_buffer(b
, host_token
);
214 if (host
[0] == '/') {
215 /* host is a unix-domain-socket */
217 srv_socket
->addr
.plain
.sa_family
= AF_UNIX
;
219 log_error_write(srv
, __FILE__
, __LINE__
, "s",
220 "ERROR: Unix Domain sockets are not supported.");
221 goto error_free_socket
;
227 size_t len
= buffer_string_length(b
);
230 log_error_write(srv
, __FILE__
, __LINE__
, "s", "value of $SERVER[\"socket\"] must not be empty");
231 goto error_free_socket
;
233 if ((b
->ptr
[0] == '[' && b
->ptr
[len
-1] == ']') || NULL
== (sp
= strrchr(b
->ptr
, ':'))) {
234 /* use server.port if set in config, or else default from config_set_defaults() */
235 port
= srv
->srvconf
.port
;
236 sp
= b
->ptr
+ len
; /* point to '\0' at end of string so end of IPv6 address can be found below */
238 /* found ip:port separator at *sp; port doesn't end in ']', so *sp hopefully doesn't split an IPv6 address */
240 port
= strtol(sp
+1, NULL
, 10);
243 /* check for [ and ] */
244 if (b
->ptr
[0] == '[' && *(sp
-1) == ']') {
251 if (port
== 0 || port
> 65535) {
252 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "port not set or out of range:", port
);
254 goto error_free_socket
;
258 if (*host
== '\0') host
= NULL
;
262 srv_socket
->addr
.plain
.sa_family
= AF_INET6
;
266 switch(srv_socket
->addr
.plain
.sa_family
) {
269 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_in6
));
270 srv_socket
->addr
.ipv6
.sin6_family
= AF_INET6
;
272 srv_socket
->addr
.ipv6
.sin6_addr
= in6addr_any
;
273 log_error_write(srv
, __FILE__
, __LINE__
, "s", "warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes");
275 struct addrinfo hints
, *res
;
278 memset(&hints
, 0, sizeof(hints
));
280 hints
.ai_family
= AF_INET6
;
281 hints
.ai_socktype
= SOCK_STREAM
;
282 hints
.ai_protocol
= IPPROTO_TCP
;
284 if (0 != (r
= getaddrinfo(host
, NULL
, &hints
, &res
))) {
285 hints
.ai_family
= AF_INET
;
287 #ifdef EAI_ADDRFAMILY
288 EAI_ADDRFAMILY
== r
&&
290 0 == getaddrinfo(host
, NULL
, &hints
, &res
)) {
291 memcpy(&srv_socket
->addr
.ipv4
, res
->ai_addr
, res
->ai_addrlen
);
292 srv_socket
->addr
.ipv4
.sin_family
= AF_INET
;
293 srv_socket
->addr
.ipv4
.sin_port
= htons(port
);
294 addr_len
= sizeof(struct sockaddr_in
);
295 /*assert(addr_len == res->ai_addrlen);*/
300 log_error_write(srv
, __FILE__
, __LINE__
,
301 "sssss", "getaddrinfo failed: ",
302 gai_strerror(r
), "'", host
, "'");
304 goto error_free_socket
;
307 memcpy(&(srv_socket
->addr
), res
->ai_addr
, res
->ai_addrlen
);
311 srv_socket
->addr
.ipv6
.sin6_port
= htons(port
);
312 addr_len
= sizeof(struct sockaddr_in6
);
316 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_in
));
317 srv_socket
->addr
.ipv4
.sin_family
= AF_INET
;
319 srv_socket
->addr
.ipv4
.sin_addr
.s_addr
= htonl(INADDR_ANY
);
322 if (NULL
== (he
= gethostbyname(host
))) {
323 log_error_write(srv
, __FILE__
, __LINE__
,
324 "sds", "gethostbyname failed: ",
326 goto error_free_socket
;
329 if (he
->h_addrtype
!= AF_INET
) {
330 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "addr-type != AF_INET: ", he
->h_addrtype
);
331 goto error_free_socket
;
334 if (he
->h_length
!= sizeof(struct in_addr
)) {
335 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "addr-length != sizeof(in_addr): ", he
->h_length
);
336 goto error_free_socket
;
339 memcpy(&(srv_socket
->addr
.ipv4
.sin_addr
.s_addr
), he
->h_addr_list
[0], he
->h_length
);
341 srv_socket
->addr
.ipv4
.sin_port
= htons(port
);
342 addr_len
= sizeof(struct sockaddr_in
);
346 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_un
));
347 srv_socket
->addr
.un
.sun_family
= AF_UNIX
;
349 size_t hostlen
= strlen(host
) + 1;
350 if (hostlen
> sizeof(srv_socket
->addr
.un
.sun_path
)) {
351 log_error_write(srv
, __FILE__
, __LINE__
, "sS", "unix socket filename too long:", host
);
352 goto error_free_socket
;
354 memcpy(srv_socket
->addr
.un
.sun_path
, host
, hostlen
);
357 addr_len
= SUN_LEN(&srv_socket
->addr
.un
);
360 addr_len
= hostlen
+ sizeof(srv_socket
->addr
.un
.sun_family
);
367 goto error_free_socket
;
370 if (srv
->srvconf
.preflight_check
) {
372 goto error_free_socket
;
375 if (srv
->sockets_disabled
) { /* lighttpd -1 (one-shot mode) */
377 if (s
->ssl_enabled
) srv_socket
->ssl_ctx
= s
->ssl_ctx
;
379 goto srv_sockets_append
;
383 if (AF_UNIX
== srv_socket
->addr
.plain
.sa_family
) {
384 /* check if the socket exists and try to connect to it. */
385 force_assert(host
); /*(static analysis hint)*/
386 if (-1 == (srv_socket
->fd
= fdevent_socket_cloexec(srv_socket
->addr
.plain
.sa_family
, SOCK_STREAM
, 0))) {
387 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socket failed:", strerror(errno
));
388 goto error_free_socket
;
390 if (0 == connect(srv_socket
->fd
, (struct sockaddr
*) &(srv_socket
->addr
), addr_len
)) {
391 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
392 "server socket is still in use:",
396 goto error_free_socket
;
407 log_error_write(srv
, __FILE__
, __LINE__
, "sds",
408 "testing socket failed:",
409 host
, strerror(errno
));
411 goto error_free_socket
;
414 fdevent_fcntl_set_nb(srv
->ev
, srv_socket
->fd
);
418 if (-1 == (srv_socket
->fd
= fdevent_socket_nb_cloexec(srv_socket
->addr
.plain
.sa_family
, SOCK_STREAM
, IPPROTO_TCP
))) {
419 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socket failed:", strerror(errno
));
420 goto error_free_socket
;
424 if (AF_INET6
== srv_socket
->addr
.plain
.sa_family
428 if (-1 == setsockopt(srv_socket
->fd
, IPPROTO_IPV6
, IPV6_V6ONLY
, &val
, sizeof(val
))) {
429 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socketsockopt(IPV6_V6ONLY) failed:", strerror(errno
));
430 goto error_free_socket
;
433 log_error_write(srv
, __FILE__
, __LINE__
, "s", "warning: server.set-v6only will be removed soon, update your config to have different sockets for ipv4 and ipv6");
440 srv
->cur_fds
= srv_socket
->fd
;
443 if (setsockopt(srv_socket
->fd
, SOL_SOCKET
, SO_REUSEADDR
, &val
, sizeof(val
)) < 0) {
444 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socketsockopt(SO_REUSEADDR) failed:", strerror(errno
));
445 goto error_free_socket
;
448 if (srv_socket
->addr
.plain
.sa_family
!= AF_UNIX
) {
450 if (setsockopt(srv_socket
->fd
, IPPROTO_TCP
, TCP_NODELAY
, &val
, sizeof(val
)) < 0) {
451 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socketsockopt(TCP_NODELAY) failed:", strerror(errno
));
452 goto error_free_socket
;
456 if (0 != bind(srv_socket
->fd
, (struct sockaddr
*) &(srv_socket
->addr
), addr_len
)) {
457 switch(srv_socket
->addr
.plain
.sa_family
) {
459 log_error_write(srv
, __FILE__
, __LINE__
, "sds",
460 "can't bind to socket:",
461 host
, strerror(errno
));
464 log_error_write(srv
, __FILE__
, __LINE__
, "ssds",
465 "can't bind to port:",
466 host
, port
, strerror(errno
));
469 goto error_free_socket
;
472 if (-1 == listen(srv_socket
->fd
, s
->listen_backlog
)) {
473 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "listen failed: ", strerror(errno
));
474 goto error_free_socket
;
477 if (s
->ssl_enabled
) {
479 if (NULL
== (srv_socket
->ssl_ctx
= s
->ssl_ctx
)) {
480 log_error_write(srv
, __FILE__
, __LINE__
, "s", "ssl.pemfile has to be set");
481 goto error_free_socket
;
485 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
486 "ssl requested but openssl support is not compiled in");
488 goto error_free_socket
;
490 #ifdef TCP_DEFER_ACCEPT
491 } else if (s
->defer_accept
) {
492 int v
= s
->defer_accept
;
493 if (-1 == setsockopt(srv_socket
->fd
, IPPROTO_TCP
, TCP_DEFER_ACCEPT
, &v
, sizeof(v
))) {
494 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno
));
497 #if defined(__FreeBSD__) || defined(__NetBSD__) \
498 || defined(__OpenBSD__) || defined(__DragonFly__)
499 } else if (!buffer_is_empty(s
->bsd_accept_filter
)
500 && (buffer_is_equal_string(s
->bsd_accept_filter
, CONST_STR_LEN("httpready"))
501 || buffer_is_equal_string(s
->bsd_accept_filter
, CONST_STR_LEN("dataready")))) {
502 #ifdef SO_ACCEPTFILTER
503 /* FreeBSD accf_http filter */
504 struct accept_filter_arg afa
;
505 memset(&afa
, 0, sizeof(afa
));
506 strncpy(afa
.af_name
, s
->bsd_accept_filter
->ptr
, sizeof(afa
.af_name
));
507 if (setsockopt(srv_socket
->fd
, SOL_SOCKET
, SO_ACCEPTFILTER
, &afa
, sizeof(afa
)) < 0) {
508 if (errno
!= ENOENT
) {
509 log_error_write(srv
, __FILE__
, __LINE__
, "SBss", "can't set accept-filter '", s
->bsd_accept_filter
, "':", strerror(errno
));
517 srv_socket
->is_ssl
= s
->ssl_enabled
;
519 if (srv
->srv_sockets
.size
== 0) {
520 srv
->srv_sockets
.size
= 4;
521 srv
->srv_sockets
.used
= 0;
522 srv
->srv_sockets
.ptr
= malloc(srv
->srv_sockets
.size
* sizeof(server_socket
*));
523 force_assert(NULL
!= srv
->srv_sockets
.ptr
);
524 } else if (srv
->srv_sockets
.used
== srv
->srv_sockets
.size
) {
525 srv
->srv_sockets
.size
+= 4;
526 srv
->srv_sockets
.ptr
= realloc(srv
->srv_sockets
.ptr
, srv
->srv_sockets
.size
* sizeof(server_socket
*));
527 force_assert(NULL
!= srv
->srv_sockets
.ptr
);
530 srv
->srv_sockets
.ptr
[srv
->srv_sockets
.used
++] = srv_socket
;
537 if (srv_socket
->fd
!= -1) {
538 /* check if server fd are already registered */
539 if (srv_socket
->fde_ndx
!= -1) {
540 fdevent_event_del(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
);
541 fdevent_unregister(srv
->ev
, srv_socket
->fd
);
544 close(srv_socket
->fd
);
546 buffer_free(srv_socket
->srv_token
);
551 return err
; /* -1 if error; 0 if srv->srvconf.preflight_check successful */
554 int network_close(server
*srv
) {
556 for (i
= 0; i
< srv
->srv_sockets
.used
; i
++) {
557 server_socket
*srv_socket
= srv
->srv_sockets
.ptr
[i
];
559 if (srv_socket
->fd
!= -1) {
560 /* check if server fd are already registered */
561 if (srv_socket
->fde_ndx
!= -1) {
562 fdevent_event_del(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
);
563 fdevent_unregister(srv
->ev
, srv_socket
->fd
);
566 close(srv_socket
->fd
);
569 buffer_free(srv_socket
->srv_token
);
574 free(srv
->srv_sockets
.ptr
);
580 NETWORK_BACKEND_UNSET
,
581 NETWORK_BACKEND_WRITE
,
582 NETWORK_BACKEND_WRITEV
,
583 NETWORK_BACKEND_SENDFILE
,
587 static X509
* x509_load_pem_file(server
*srv
, const char *file
) {
591 in
= BIO_new(BIO_s_file());
593 log_error_write(srv
, __FILE__
, __LINE__
, "S", "SSL: BIO_new(BIO_s_file()) failed");
597 if (BIO_read_filename(in
,file
) <= 0) {
598 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: BIO_read_filename('", file
,"') failed");
601 x
= PEM_read_bio_X509(in
, NULL
, NULL
, NULL
);
604 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: couldn't read X509 certificate from '", file
,"'");
612 if (NULL
!= in
) BIO_free(in
);
616 static EVP_PKEY
* evp_pkey_load_pem_file(server
*srv
, const char *file
) {
620 in
=BIO_new(BIO_s_file());
622 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: BIO_new(BIO_s_file()) failed");
626 if (BIO_read_filename(in
,file
) <= 0) {
627 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: BIO_read_filename('", file
,"') failed");
630 x
= PEM_read_bio_PrivateKey(in
, NULL
, NULL
, NULL
);
633 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: couldn't read private key from '", file
,"'");
641 if (NULL
!= in
) BIO_free(in
);
645 static int network_openssl_load_pemfile(server
*srv
, size_t ndx
) {
646 specific_config
*s
= srv
->config_storage
[ndx
];
648 #ifdef OPENSSL_NO_TLSEXT
650 data_config
*dc
= (data_config
*)srv
->config_context
->data
[ndx
];
651 if ((ndx
> 0 && (COMP_SERVER_SOCKET
!= dc
->comp
|| dc
->cond
!= CONFIG_COND_EQ
))
652 || !s
->ssl_enabled
) {
653 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
654 "ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions");
660 if (NULL
== (s
->ssl_pemfile_x509
= x509_load_pem_file(srv
, s
->ssl_pemfile
->ptr
))) return -1;
661 if (NULL
== (s
->ssl_pemfile_pkey
= evp_pkey_load_pem_file(srv
, s
->ssl_pemfile
->ptr
))) return -1;
663 if (!X509_check_private_key(s
->ssl_pemfile_x509
, s
->ssl_pemfile_pkey
)) {
664 log_error_write(srv
, __FILE__
, __LINE__
, "sssb", "SSL:",
665 "Private key does not match the certificate public key, reason:",
666 ERR_error_string(ERR_get_error(), NULL
),
675 int network_init(server
*srv
) {
678 network_backend_t backend
;
680 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
681 #ifndef OPENSSL_NO_ECDH
688 # ifndef OPENSSL_NO_DH
693 /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
694 * -----BEGIN DH PARAMETERS-----
695 * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
696 * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
697 * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
698 * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
699 * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
700 * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
701 * -----END DH PARAMETERS-----
704 static const unsigned char dh1024_p
[]={
705 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
706 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
707 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
708 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
709 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
710 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
711 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
712 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
713 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
714 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
715 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
718 static const unsigned char dh1024_g
[]={
719 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
720 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
721 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
722 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
723 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
724 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
725 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
726 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
727 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
728 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
729 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
734 network_backend_t nb
;
736 } network_backends
[] = {
738 #if defined USE_SENDFILE
739 { NETWORK_BACKEND_SENDFILE
, "sendfile" },
741 #if defined USE_LINUX_SENDFILE
742 { NETWORK_BACKEND_SENDFILE
, "linux-sendfile" },
744 #if defined USE_FREEBSD_SENDFILE
745 { NETWORK_BACKEND_SENDFILE
, "freebsd-sendfile" },
747 #if defined USE_SOLARIS_SENDFILEV
748 { NETWORK_BACKEND_SENDFILE
, "solaris-sendfilev" },
750 #if defined USE_WRITEV
751 { NETWORK_BACKEND_WRITEV
, "writev" },
753 { NETWORK_BACKEND_WRITE
, "write" },
754 { NETWORK_BACKEND_UNSET
, NULL
}
758 /* load SSL certificates */
759 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
760 specific_config
*s
= srv
->config_storage
[i
];
761 #ifndef SSL_OP_NO_COMPRESSION
762 # define SSL_OP_NO_COMPRESSION 0
764 #ifndef SSL_MODE_RELEASE_BUFFERS /* OpenSSL >= 1.0.0 */
765 #define SSL_MODE_RELEASE_BUFFERS 0
768 SSL_OP_ALL
| SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
| SSL_OP_NO_COMPRESSION
;
770 if (buffer_string_is_empty(s
->ssl_pemfile
) && buffer_string_is_empty(s
->ssl_ca_file
)) continue;
772 if (srv
->ssl_is_init
== 0) {
773 SSL_load_error_strings();
775 OpenSSL_add_all_algorithms();
776 srv
->ssl_is_init
= 1;
778 if (0 == RAND_status()) {
779 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
780 "not enough entropy in the pool");
785 if (!buffer_string_is_empty(s
->ssl_pemfile
)) {
786 #ifdef OPENSSL_NO_TLSEXT
787 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
788 if (COMP_HTTP_HOST
== dc
->comp
) {
789 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
790 "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
794 if (network_openssl_load_pemfile(srv
, i
)) return -1;
798 if (!buffer_string_is_empty(s
->ssl_ca_file
)) {
799 s
->ssl_ca_file_cert_names
= SSL_load_client_CA_file(s
->ssl_ca_file
->ptr
);
800 if (NULL
== s
->ssl_ca_file_cert_names
) {
801 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
802 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_ca_file
);
806 if (buffer_string_is_empty(s
->ssl_pemfile
) || !s
->ssl_enabled
) continue;
808 if (NULL
== (s
->ssl_ctx
= SSL_CTX_new(SSLv23_server_method()))) {
809 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
810 ERR_error_string(ERR_get_error(), NULL
));
814 /* completely useless identifier; required for client cert verification to work with sessions */
815 if (0 == SSL_CTX_set_session_id_context(s
->ssl_ctx
, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
816 log_error_write(srv
, __FILE__
, __LINE__
, "ss:s", "SSL:",
817 "failed to set session context",
818 ERR_error_string(ERR_get_error(), NULL
));
822 if (s
->ssl_empty_fragments
) {
823 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
824 ssloptions
&= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
;
826 ssloptions
&= ~0x00000800L
; /* hardcode constant */
827 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "WARNING: SSL:",
828 "'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
832 SSL_CTX_set_options(s
->ssl_ctx
, ssloptions
);
833 SSL_CTX_set_info_callback(s
->ssl_ctx
, ssl_info_callback
);
835 if (!s
->ssl_use_sslv2
) {
837 if ((SSL_OP_NO_SSLv2
& SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_NO_SSLv2
)) != SSL_OP_NO_SSLv2
) {
838 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
839 ERR_error_string(ERR_get_error(), NULL
));
844 if (!s
->ssl_use_sslv3
) {
846 if ((SSL_OP_NO_SSLv3
& SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_NO_SSLv3
)) != SSL_OP_NO_SSLv3
) {
847 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
848 ERR_error_string(ERR_get_error(), NULL
));
853 if (!buffer_string_is_empty(s
->ssl_cipher_list
)) {
854 /* Disable support for low encryption ciphers */
855 if (SSL_CTX_set_cipher_list(s
->ssl_ctx
, s
->ssl_cipher_list
->ptr
) != 1) {
856 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
857 ERR_error_string(ERR_get_error(), NULL
));
861 if (s
->ssl_honor_cipher_order
) {
862 SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_CIPHER_SERVER_PREFERENCE
);
866 #ifndef OPENSSL_NO_DH
867 /* Support for Diffie-Hellman key exchange */
868 if (!buffer_string_is_empty(s
->ssl_dh_file
)) {
869 /* DH parameters from file */
870 bio
= BIO_new_file((char *) s
->ssl_dh_file
->ptr
, "r");
872 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unable to open file", s
->ssl_dh_file
->ptr
);
875 dh
= PEM_read_bio_DHparams(bio
, NULL
, NULL
, NULL
);
878 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: PEM_read_bio_DHparams failed", s
->ssl_dh_file
->ptr
);
883 /* Default DH parameters from RFC5114 */
886 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: DH_new () failed");
889 dh_p
= BN_bin2bn(dh1024_p
,sizeof(dh1024_p
), NULL
);
890 dh_g
= BN_bin2bn(dh1024_g
,sizeof(dh1024_g
), NULL
);
891 if ((dh_p
== NULL
) || (dh_g
== NULL
)) {
893 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: BN_bin2bn () failed");
896 #if OPENSSL_VERSION_NUMBER < 0x10100000L \
897 || defined(LIBRESSL_VERSION_NUMBER)
902 DH_set0_pqg(dh
, dh_p
, NULL
, dh_g
);
903 DH_set_length(dh
, 160);
906 SSL_CTX_set_tmp_dh(s
->ssl_ctx
,dh
);
907 SSL_CTX_set_options(s
->ssl_ctx
,SSL_OP_SINGLE_DH_USE
);
910 if (!buffer_string_is_empty(s
->ssl_dh_file
)) {
911 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: openssl compiled without DH support, can't load parameters from", s
->ssl_dh_file
->ptr
);
915 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
916 #ifndef OPENSSL_NO_ECDH
917 /* Support for Elliptic-Curve Diffie-Hellman key exchange */
918 if (!buffer_string_is_empty(s
->ssl_ec_curve
)) {
919 /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
920 nid
= OBJ_sn2nid((char *) s
->ssl_ec_curve
->ptr
);
922 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unknown curve name", s
->ssl_ec_curve
->ptr
);
927 nid
= OBJ_sn2nid("prime256v1");
929 ecdh
= EC_KEY_new_by_curve_name(nid
);
931 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unable to create curve", s
->ssl_ec_curve
->ptr
);
934 SSL_CTX_set_tmp_ecdh(s
->ssl_ctx
,ecdh
);
935 SSL_CTX_set_options(s
->ssl_ctx
,SSL_OP_SINGLE_ECDH_USE
);
940 /* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */
941 for (j
= 0; j
< srv
->config_context
->used
; j
++) {
942 specific_config
*s1
= srv
->config_storage
[j
];
944 if (!buffer_string_is_empty(s1
->ssl_ca_file
)) {
945 if (1 != SSL_CTX_load_verify_locations(s
->ssl_ctx
, s1
->ssl_ca_file
->ptr
, NULL
)) {
946 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
947 ERR_error_string(ERR_get_error(), NULL
), s1
->ssl_ca_file
);
953 if (s
->ssl_verifyclient
) {
954 if (NULL
== s
->ssl_ca_file_cert_names
) {
955 log_error_write(srv
, __FILE__
, __LINE__
, "s",
956 "SSL: You specified ssl.verifyclient.activate but no ca_file"
960 SSL_CTX_set_client_CA_list(s
->ssl_ctx
, SSL_dup_CA_list(s
->ssl_ca_file_cert_names
));
963 SSL_VERIFY_PEER
| (s
->ssl_verifyclient_enforce
? SSL_VERIFY_FAIL_IF_NO_PEER_CERT
: 0),
966 SSL_CTX_set_verify_depth(s
->ssl_ctx
, s
->ssl_verifyclient_depth
);
969 if (1 != SSL_CTX_use_certificate(s
->ssl_ctx
, s
->ssl_pemfile_x509
)) {
970 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
971 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_pemfile
);
975 if (1 != SSL_CTX_use_PrivateKey(s
->ssl_ctx
, s
->ssl_pemfile_pkey
)) {
976 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
977 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_pemfile
);
981 if (SSL_CTX_check_private_key(s
->ssl_ctx
) != 1) {
982 log_error_write(srv
, __FILE__
, __LINE__
, "sssb", "SSL:",
983 "Private key does not match the certificate public key, reason:",
984 ERR_error_string(ERR_get_error(), NULL
),
988 SSL_CTX_set_default_read_ahead(s
->ssl_ctx
, 1);
989 SSL_CTX_set_mode(s
->ssl_ctx
, SSL_CTX_get_mode(s
->ssl_ctx
)
990 | SSL_MODE_ENABLE_PARTIAL_WRITE
991 | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
992 | SSL_MODE_RELEASE_BUFFERS
);
994 # ifndef OPENSSL_NO_TLSEXT
995 if (!SSL_CTX_set_tlsext_servername_callback(s
->ssl_ctx
, network_ssl_servername_callback
) ||
996 !SSL_CTX_set_tlsext_servername_arg(s
->ssl_ctx
, srv
)) {
997 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
998 "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
1007 buffer_copy_buffer(b
, srv
->srvconf
.bindhost
);
1008 buffer_append_string_len(b
, CONST_STR_LEN(":"));
1009 buffer_append_int(b
, srv
->srvconf
.port
);
1011 if (0 != network_server_init(srv
, b
, srv
->config_storage
[0])) {
1018 srv
->network_ssl_backend_write
= network_write_chunkqueue_openssl
;
1021 /* get a usefull default */
1022 backend
= network_backends
[0].nb
;
1024 /* match name against known types */
1025 if (!buffer_string_is_empty(srv
->srvconf
.network_backend
)) {
1026 for (i
= 0; network_backends
[i
].name
; i
++) {
1028 if (buffer_is_equal_string(srv
->srvconf
.network_backend
, network_backends
[i
].name
, strlen(network_backends
[i
].name
))) {
1029 backend
= network_backends
[i
].nb
;
1033 if (NULL
== network_backends
[i
].name
) {
1034 /* we don't know it */
1036 log_error_write(srv
, __FILE__
, __LINE__
, "sb",
1037 "server.network-backend has a unknown value:",
1038 srv
->srvconf
.network_backend
);
1045 case NETWORK_BACKEND_WRITE
:
1046 srv
->network_backend_write
= network_write_chunkqueue_write
;
1048 #if defined(USE_WRITEV)
1049 case NETWORK_BACKEND_WRITEV
:
1050 srv
->network_backend_write
= network_write_chunkqueue_writev
;
1053 #if defined(USE_SENDFILE)
1054 case NETWORK_BACKEND_SENDFILE
:
1055 srv
->network_backend_write
= network_write_chunkqueue_sendfile
;
1062 /* check for $SERVER["socket"] */
1063 for (i
= 1; i
< srv
->config_context
->used
; i
++) {
1064 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
1065 specific_config
*s
= srv
->config_storage
[i
];
1068 if (COMP_SERVER_SOCKET
!= dc
->comp
) continue;
1070 if (dc
->cond
!= CONFIG_COND_EQ
) continue;
1072 /* check if we already know this socket,
1073 * if yes, don't init it */
1074 for (j
= 0; j
< srv
->srv_sockets
.used
; j
++) {
1075 if (buffer_is_equal(srv
->srv_sockets
.ptr
[j
]->srv_token
, dc
->string
)) {
1080 if (j
== srv
->srv_sockets
.used
) {
1081 if (0 != network_server_init(srv
, dc
->string
, s
)) return -1;
1088 int network_register_fdevents(server
*srv
) {
1091 if (-1 == fdevent_reset(srv
->ev
)) {
1095 if (srv
->sockets_disabled
) return 0; /* lighttpd -1 (one-shot mode) */
1097 /* register fdevents after reset */
1098 for (i
= 0; i
< srv
->srv_sockets
.used
; i
++) {
1099 server_socket
*srv_socket
= srv
->srv_sockets
.ptr
[i
];
1101 fdevent_register(srv
->ev
, srv_socket
->fd
, network_server_handle_fdevent
, srv_socket
);
1102 fdevent_event_set(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
, FDEVENT_IN
);
1107 int network_write_chunkqueue(server
*srv
, connection
*con
, chunkqueue
*cq
, off_t max_bytes
) {
1113 server_socket
*srv_socket
= con
->srv_socket
;
1115 if (con
->conf
.global_kbytes_per_second
) {
1116 off_t limit
= con
->conf
.global_kbytes_per_second
* 1024 - *(con
->conf
.global_bytes_per_second_cnt_ptr
);
1118 /* we reached the global traffic limit */
1119 con
->traffic_limit_reached
= 1;
1123 if (max_bytes
> limit
) max_bytes
= limit
;
1127 if (con
->conf
.kbytes_per_second
) {
1128 off_t limit
= con
->conf
.kbytes_per_second
* 1024 - con
->bytes_written_cur_second
;
1130 /* we reached the traffic limit */
1131 con
->traffic_limit_reached
= 1;
1135 if (max_bytes
> limit
) max_bytes
= limit
;
1139 written
= cq
->bytes_out
;
1142 /* Linux: put a cork into the socket as we want to combine the write() calls
1143 * but only if we really have multiple chunks
1145 if (cq
->first
&& cq
->first
->next
) {
1147 (void)setsockopt(con
->fd
, IPPROTO_TCP
, TCP_CORK
, &corked
, sizeof(corked
));
1151 if (srv_socket
->is_ssl
) {
1153 ret
= srv
->network_ssl_backend_write(srv
, con
, con
->ssl
, cq
, max_bytes
);
1156 ret
= srv
->network_backend_write(srv
, con
, con
->fd
, cq
, max_bytes
);
1160 chunkqueue_remove_finished_chunks(cq
);
1161 ret
= chunkqueue_is_empty(cq
) ? 0 : 1;
1167 (void)setsockopt(con
->fd
, IPPROTO_TCP
, TCP_CORK
, &corked
, sizeof(corked
));
1171 written
= cq
->bytes_out
- written
;
1172 con
->bytes_written
+= written
;
1173 con
->bytes_written_cur_second
+= written
;
1175 *(con
->conf
.global_bytes_per_second_cnt_ptr
) += written
;