6 #include "connections.h"
9 #include "configfile.h"
11 #include "network_backends.h"
13 #include "sys-socket.h"
15 #include <sys/types.h>
27 # include <openssl/ssl.h>
28 # include <openssl/err.h>
29 # include <openssl/rand.h>
30 # ifndef OPENSSL_NO_DH
31 # include <openssl/dh.h>
33 # include <openssl/bn.h>
35 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
36 # ifndef OPENSSL_NO_ECDH
37 # include <openssl/ecdh.h>
43 static void ssl_info_callback(const SSL
*ssl
, int where
, int ret
) {
46 if (0 != (where
& SSL_CB_HANDSHAKE_START
)) {
47 connection
*con
= SSL_get_app_data(ssl
);
48 ++con
->renegotiations
;
54 network_accept_tcp_nagle_disable (const int fd
)
56 static int noinherit_tcpnodelay
= -1;
59 if (!noinherit_tcpnodelay
) /* TCP_NODELAY inherited from listen socket */
62 if (noinherit_tcpnodelay
< 0) {
63 socklen_t optlen
= sizeof(opt
);
64 if (0 == getsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &opt
, &optlen
)) {
65 noinherit_tcpnodelay
= !opt
;
66 if (opt
) /* TCP_NODELAY inherited from listen socket */
72 (void)setsockopt(fd
, IPPROTO_TCP
, TCP_NODELAY
, &opt
, sizeof(opt
));
75 static handler_t
network_server_handle_fdevent(server
*srv
, void *context
, int revents
) {
76 server_socket
*srv_socket
= (server_socket
*)context
;
82 if (0 == (revents
& FDEVENT_IN
)) {
83 log_error_write(srv
, __FILE__
, __LINE__
, "sdd",
84 "strange event for server socket",
90 /* accept()s at most 100 connections directly
92 * we jump out after 100 to give the waiting connections a chance */
93 for (loops
= 0; loops
< 100 && NULL
!= (con
= connection_accept(srv
, srv_socket
)); loops
++) {
94 connection_state_machine(srv
, con
);
99 #if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
100 static int network_ssl_servername_callback(SSL
*ssl
, int *al
, server
*srv
) {
101 const char *servername
;
102 connection
*con
= (connection
*) SSL_get_app_data(ssl
);
105 buffer_copy_string(con
->uri
.scheme
, "https");
107 if (NULL
== (servername
= SSL_get_servername(ssl
, TLSEXT_NAMETYPE_host_name
))) {
109 /* this "error" just means the client didn't support it */
110 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
111 "failed to get TLS server name");
113 return SSL_TLSEXT_ERR_NOACK
;
115 buffer_copy_string(con
->tlsext_server_name
, servername
);
116 buffer_to_lower(con
->tlsext_server_name
);
118 /* Sometimes this is still set, confusing COMP_HTTP_HOST */
119 buffer_reset(con
->uri
.authority
);
121 config_cond_cache_reset(srv
, con
);
122 config_setup_connection(srv
, con
);
124 con
->conditional_is_valid
[COMP_SERVER_SOCKET
] = 1;
125 con
->conditional_is_valid
[COMP_HTTP_SCHEME
] = 1;
126 con
->conditional_is_valid
[COMP_HTTP_HOST
] = 1;
127 config_patch_connection(srv
, con
);
129 if (NULL
== con
->conf
.ssl_pemfile_x509
|| NULL
== con
->conf
.ssl_pemfile_pkey
) {
130 /* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */
131 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
132 "no certificate/private key for TLS server name", con
->tlsext_server_name
);
133 return SSL_TLSEXT_ERR_ALERT_FATAL
;
136 /* first set certificate! setting private key checks whether certificate matches it */
137 if (!SSL_use_certificate(ssl
, con
->conf
.ssl_pemfile_x509
)) {
138 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
139 "failed to set certificate for TLS server name", con
->tlsext_server_name
,
140 ERR_error_string(ERR_get_error(), NULL
));
141 return SSL_TLSEXT_ERR_ALERT_FATAL
;
144 if (!SSL_use_PrivateKey(ssl
, con
->conf
.ssl_pemfile_pkey
)) {
145 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
146 "failed to set private key for TLS server name", con
->tlsext_server_name
,
147 ERR_error_string(ERR_get_error(), NULL
));
148 return SSL_TLSEXT_ERR_ALERT_FATAL
;
151 if (con
->conf
.ssl_verifyclient
) {
152 if (NULL
== con
->conf
.ssl_ca_file_cert_names
) {
153 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
154 "can't verify client without ssl.ca-file for TLS server name", con
->tlsext_server_name
,
155 ERR_error_string(ERR_get_error(), NULL
));
156 return SSL_TLSEXT_ERR_ALERT_FATAL
;
159 SSL_set_client_CA_list(ssl
, SSL_dup_CA_list(con
->conf
.ssl_ca_file_cert_names
));
160 /* forcing verification here is really not that useful - a client could just connect without SNI */
163 SSL_VERIFY_PEER
| (con
->conf
.ssl_verifyclient_enforce
? SSL_VERIFY_FAIL_IF_NO_PEER_CERT
: 0),
166 SSL_set_verify_depth(ssl
, con
->conf
.ssl_verifyclient_depth
);
168 SSL_set_verify(ssl
, SSL_VERIFY_NONE
, NULL
);
171 return SSL_TLSEXT_ERR_OK
;
175 static int network_server_init(server
*srv
, buffer
*host_token
, specific_config
*s
) {
178 server_socket
*srv_socket
;
179 unsigned int port
= 0;
185 WORD wVersionRequested
;
188 wVersionRequested
= MAKEWORD( 2, 2 );
190 err
= WSAStartup( wVersionRequested
, &wsaData
);
192 /* Tell the user that we could not find a usable */
199 srv_socket
= calloc(1, sizeof(*srv_socket
));
200 force_assert(NULL
!= srv_socket
);
201 srv_socket
->addr
.plain
.sa_family
= AF_INET
; /* default */
203 srv_socket
->fde_ndx
= -1;
205 srv_socket
->srv_token
= buffer_init();
206 buffer_copy_buffer(srv_socket
->srv_token
, host_token
);
209 buffer_copy_buffer(b
, host_token
);
213 if (host
[0] == '/') {
214 /* host is a unix-domain-socket */
216 srv_socket
->addr
.plain
.sa_family
= AF_UNIX
;
218 log_error_write(srv
, __FILE__
, __LINE__
, "s",
219 "ERROR: Unix Domain sockets are not supported.");
220 goto error_free_socket
;
226 size_t len
= buffer_string_length(b
);
229 log_error_write(srv
, __FILE__
, __LINE__
, "s", "value of $SERVER[\"socket\"] must not be empty");
230 goto error_free_socket
;
232 if ((b
->ptr
[0] == '[' && b
->ptr
[len
-1] == ']') || NULL
== (sp
= strrchr(b
->ptr
, ':'))) {
233 /* use server.port if set in config, or else default from config_set_defaults() */
234 port
= srv
->srvconf
.port
;
235 sp
= b
->ptr
+ len
; /* point to '\0' at end of string so end of IPv6 address can be found below */
237 /* found ip:port separator at *sp; port doesn't end in ']', so *sp hopefully doesn't split an IPv6 address */
239 port
= strtol(sp
+1, NULL
, 10);
242 /* check for [ and ] */
243 if (b
->ptr
[0] == '[' && *(sp
-1) == ']') {
250 if (port
== 0 || port
> 65535) {
251 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "port not set or out of range:", port
);
253 goto error_free_socket
;
257 if (*host
== '\0') host
= NULL
;
261 srv_socket
->addr
.plain
.sa_family
= AF_INET6
;
265 switch(srv_socket
->addr
.plain
.sa_family
) {
268 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_in6
));
269 srv_socket
->addr
.ipv6
.sin6_family
= AF_INET6
;
271 srv_socket
->addr
.ipv6
.sin6_addr
= in6addr_any
;
272 log_error_write(srv
, __FILE__
, __LINE__
, "s", "warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes");
274 struct addrinfo hints
, *res
;
277 memset(&hints
, 0, sizeof(hints
));
279 hints
.ai_family
= AF_INET6
;
280 hints
.ai_socktype
= SOCK_STREAM
;
281 hints
.ai_protocol
= IPPROTO_TCP
;
283 if (0 != (r
= getaddrinfo(host
, NULL
, &hints
, &res
))) {
284 hints
.ai_family
= AF_INET
;
286 #ifdef EAI_ADDRFAMILY
287 EAI_ADDRFAMILY
== r
&&
289 0 == getaddrinfo(host
, NULL
, &hints
, &res
)) {
290 memcpy(&srv_socket
->addr
.ipv4
, res
->ai_addr
, res
->ai_addrlen
);
291 srv_socket
->addr
.ipv4
.sin_family
= AF_INET
;
292 srv_socket
->addr
.ipv4
.sin_port
= htons(port
);
293 addr_len
= sizeof(struct sockaddr_in
);
294 /*assert(addr_len == res->ai_addrlen);*/
299 log_error_write(srv
, __FILE__
, __LINE__
,
300 "sssss", "getaddrinfo failed: ",
301 gai_strerror(r
), "'", host
, "'");
303 goto error_free_socket
;
306 memcpy(&(srv_socket
->addr
), res
->ai_addr
, res
->ai_addrlen
);
310 srv_socket
->addr
.ipv6
.sin6_port
= htons(port
);
311 addr_len
= sizeof(struct sockaddr_in6
);
315 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_in
));
316 srv_socket
->addr
.ipv4
.sin_family
= AF_INET
;
318 srv_socket
->addr
.ipv4
.sin_addr
.s_addr
= htonl(INADDR_ANY
);
321 if (NULL
== (he
= gethostbyname(host
))) {
322 log_error_write(srv
, __FILE__
, __LINE__
,
323 "sds", "gethostbyname failed: ",
325 goto error_free_socket
;
328 if (he
->h_addrtype
!= AF_INET
) {
329 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "addr-type != AF_INET: ", he
->h_addrtype
);
330 goto error_free_socket
;
333 if (he
->h_length
!= sizeof(struct in_addr
)) {
334 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "addr-length != sizeof(in_addr): ", he
->h_length
);
335 goto error_free_socket
;
338 memcpy(&(srv_socket
->addr
.ipv4
.sin_addr
.s_addr
), he
->h_addr_list
[0], he
->h_length
);
340 srv_socket
->addr
.ipv4
.sin_port
= htons(port
);
341 addr_len
= sizeof(struct sockaddr_in
);
345 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_un
));
346 srv_socket
->addr
.un
.sun_family
= AF_UNIX
;
348 size_t hostlen
= strlen(host
) + 1;
349 if (hostlen
> sizeof(srv_socket
->addr
.un
.sun_path
)) {
350 log_error_write(srv
, __FILE__
, __LINE__
, "sS", "unix socket filename too long:", host
);
351 goto error_free_socket
;
353 memcpy(srv_socket
->addr
.un
.sun_path
, host
, hostlen
);
356 addr_len
= SUN_LEN(&srv_socket
->addr
.un
);
359 addr_len
= hostlen
+ sizeof(srv_socket
->addr
.un
.sun_family
);
366 goto error_free_socket
;
369 if (srv
->srvconf
.preflight_check
) {
371 goto error_free_socket
;
374 if (srv
->sockets_disabled
) { /* lighttpd -1 (one-shot mode) */
376 if (s
->ssl_enabled
) srv_socket
->ssl_ctx
= s
->ssl_ctx
;
378 goto srv_sockets_append
;
382 if (AF_UNIX
== srv_socket
->addr
.plain
.sa_family
) {
383 /* check if the socket exists and try to connect to it. */
384 force_assert(host
); /*(static analysis hint)*/
385 if (-1 == (srv_socket
->fd
= fdevent_socket_cloexec(srv_socket
->addr
.plain
.sa_family
, SOCK_STREAM
, 0))) {
386 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socket failed:", strerror(errno
));
387 goto error_free_socket
;
389 if (0 == connect(srv_socket
->fd
, (struct sockaddr
*) &(srv_socket
->addr
), addr_len
)) {
390 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
391 "server socket is still in use:",
395 goto error_free_socket
;
406 log_error_write(srv
, __FILE__
, __LINE__
, "sds",
407 "testing socket failed:",
408 host
, strerror(errno
));
410 goto error_free_socket
;
413 fdevent_fcntl_set_nb(srv
->ev
, srv_socket
->fd
);
417 if (-1 == (srv_socket
->fd
= fdevent_socket_nb_cloexec(srv_socket
->addr
.plain
.sa_family
, SOCK_STREAM
, IPPROTO_TCP
))) {
418 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socket failed:", strerror(errno
));
419 goto error_free_socket
;
423 if (AF_INET6
== srv_socket
->addr
.plain
.sa_family
427 if (-1 == setsockopt(srv_socket
->fd
, IPPROTO_IPV6
, IPV6_V6ONLY
, &val
, sizeof(val
))) {
428 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socketsockopt(IPV6_V6ONLY) failed:", strerror(errno
));
429 goto error_free_socket
;
432 log_error_write(srv
, __FILE__
, __LINE__
, "s", "warning: server.set-v6only will be removed soon, update your config to have different sockets for ipv4 and ipv6");
439 srv
->cur_fds
= srv_socket
->fd
;
442 if (setsockopt(srv_socket
->fd
, SOL_SOCKET
, SO_REUSEADDR
, &val
, sizeof(val
)) < 0) {
443 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socketsockopt(SO_REUSEADDR) failed:", strerror(errno
));
444 goto error_free_socket
;
447 if (srv_socket
->addr
.plain
.sa_family
!= AF_UNIX
) {
449 if (setsockopt(srv_socket
->fd
, IPPROTO_TCP
, TCP_NODELAY
, &val
, sizeof(val
)) < 0) {
450 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socketsockopt(TCP_NODELAY) failed:", strerror(errno
));
451 goto error_free_socket
;
455 if (0 != bind(srv_socket
->fd
, (struct sockaddr
*) &(srv_socket
->addr
), addr_len
)) {
456 switch(srv_socket
->addr
.plain
.sa_family
) {
458 log_error_write(srv
, __FILE__
, __LINE__
, "sds",
459 "can't bind to socket:",
460 host
, strerror(errno
));
463 log_error_write(srv
, __FILE__
, __LINE__
, "ssds",
464 "can't bind to port:",
465 host
, port
, strerror(errno
));
468 goto error_free_socket
;
471 if (-1 == listen(srv_socket
->fd
, s
->listen_backlog
)) {
472 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "listen failed: ", strerror(errno
));
473 goto error_free_socket
;
476 if (s
->ssl_enabled
) {
478 if (NULL
== (srv_socket
->ssl_ctx
= s
->ssl_ctx
)) {
479 log_error_write(srv
, __FILE__
, __LINE__
, "s", "ssl.pemfile has to be set");
480 goto error_free_socket
;
484 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
485 "ssl requested but openssl support is not compiled in");
487 goto error_free_socket
;
489 #ifdef TCP_DEFER_ACCEPT
490 } else if (s
->defer_accept
) {
491 int v
= s
->defer_accept
;
492 if (-1 == setsockopt(srv_socket
->fd
, IPPROTO_TCP
, TCP_DEFER_ACCEPT
, &v
, sizeof(v
))) {
493 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno
));
496 #if defined(__FreeBSD__) || defined(__NetBSD__) \
497 || defined(__OpenBSD__) || defined(__DragonFly__)
498 } else if (!buffer_is_empty(s
->bsd_accept_filter
)
499 && (buffer_is_equal_string(s
->bsd_accept_filter
, CONST_STR_LEN("httpready"))
500 || buffer_is_equal_string(s
->bsd_accept_filter
, CONST_STR_LEN("dataready")))) {
501 #ifdef SO_ACCEPTFILTER
502 /* FreeBSD accf_http filter */
503 struct accept_filter_arg afa
;
504 memset(&afa
, 0, sizeof(afa
));
505 strncpy(afa
.af_name
, s
->bsd_accept_filter
->ptr
, sizeof(afa
.af_name
));
506 if (setsockopt(srv_socket
->fd
, SOL_SOCKET
, SO_ACCEPTFILTER
, &afa
, sizeof(afa
)) < 0) {
507 if (errno
!= ENOENT
) {
508 log_error_write(srv
, __FILE__
, __LINE__
, "SBss", "can't set accept-filter '", s
->bsd_accept_filter
, "':", strerror(errno
));
516 srv_socket
->is_ssl
= s
->ssl_enabled
;
518 if (srv
->srv_sockets
.size
== 0) {
519 srv
->srv_sockets
.size
= 4;
520 srv
->srv_sockets
.used
= 0;
521 srv
->srv_sockets
.ptr
= malloc(srv
->srv_sockets
.size
* sizeof(server_socket
*));
522 force_assert(NULL
!= srv
->srv_sockets
.ptr
);
523 } else if (srv
->srv_sockets
.used
== srv
->srv_sockets
.size
) {
524 srv
->srv_sockets
.size
+= 4;
525 srv
->srv_sockets
.ptr
= realloc(srv
->srv_sockets
.ptr
, srv
->srv_sockets
.size
* sizeof(server_socket
*));
526 force_assert(NULL
!= srv
->srv_sockets
.ptr
);
529 srv
->srv_sockets
.ptr
[srv
->srv_sockets
.used
++] = srv_socket
;
536 if (srv_socket
->fd
!= -1) {
537 /* check if server fd are already registered */
538 if (srv_socket
->fde_ndx
!= -1) {
539 fdevent_event_del(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
);
540 fdevent_unregister(srv
->ev
, srv_socket
->fd
);
543 close(srv_socket
->fd
);
545 buffer_free(srv_socket
->srv_token
);
550 return err
; /* -1 if error; 0 if srv->srvconf.preflight_check successful */
553 int network_close(server
*srv
) {
555 for (i
= 0; i
< srv
->srv_sockets
.used
; i
++) {
556 server_socket
*srv_socket
= srv
->srv_sockets
.ptr
[i
];
558 if (srv_socket
->fd
!= -1) {
559 /* check if server fd are already registered */
560 if (srv_socket
->fde_ndx
!= -1) {
561 fdevent_event_del(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
);
562 fdevent_unregister(srv
->ev
, srv_socket
->fd
);
565 close(srv_socket
->fd
);
568 buffer_free(srv_socket
->srv_token
);
573 free(srv
->srv_sockets
.ptr
);
579 NETWORK_BACKEND_UNSET
,
580 NETWORK_BACKEND_WRITE
,
581 NETWORK_BACKEND_WRITEV
,
582 NETWORK_BACKEND_SENDFILE
,
586 static X509
* x509_load_pem_file(server
*srv
, const char *file
) {
590 in
= BIO_new(BIO_s_file());
592 log_error_write(srv
, __FILE__
, __LINE__
, "S", "SSL: BIO_new(BIO_s_file()) failed");
596 if (BIO_read_filename(in
,file
) <= 0) {
597 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: BIO_read_filename('", file
,"') failed");
600 x
= PEM_read_bio_X509(in
, NULL
, NULL
, NULL
);
603 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: couldn't read X509 certificate from '", file
,"'");
611 if (NULL
!= in
) BIO_free(in
);
615 static EVP_PKEY
* evp_pkey_load_pem_file(server
*srv
, const char *file
) {
619 in
=BIO_new(BIO_s_file());
621 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: BIO_new(BIO_s_file()) failed");
625 if (BIO_read_filename(in
,file
) <= 0) {
626 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: BIO_read_filename('", file
,"') failed");
629 x
= PEM_read_bio_PrivateKey(in
, NULL
, NULL
, NULL
);
632 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: couldn't read private key from '", file
,"'");
640 if (NULL
!= in
) BIO_free(in
);
644 static int network_openssl_load_pemfile(server
*srv
, size_t ndx
) {
645 specific_config
*s
= srv
->config_storage
[ndx
];
647 #ifdef OPENSSL_NO_TLSEXT
649 data_config
*dc
= (data_config
*)srv
->config_context
->data
[ndx
];
650 if ((ndx
> 0 && (COMP_SERVER_SOCKET
!= dc
->comp
|| dc
->cond
!= CONFIG_COND_EQ
))
651 || !s
->ssl_enabled
) {
652 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
653 "ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions");
659 if (NULL
== (s
->ssl_pemfile_x509
= x509_load_pem_file(srv
, s
->ssl_pemfile
->ptr
))) return -1;
660 if (NULL
== (s
->ssl_pemfile_pkey
= evp_pkey_load_pem_file(srv
, s
->ssl_pemfile
->ptr
))) return -1;
662 if (!X509_check_private_key(s
->ssl_pemfile_x509
, s
->ssl_pemfile_pkey
)) {
663 log_error_write(srv
, __FILE__
, __LINE__
, "sssb", "SSL:",
664 "Private key does not match the certificate public key, reason:",
665 ERR_error_string(ERR_get_error(), NULL
),
674 int network_init(server
*srv
) {
677 network_backend_t backend
;
679 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
680 #ifndef OPENSSL_NO_ECDH
687 # ifndef OPENSSL_NO_DH
692 /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
693 * -----BEGIN DH PARAMETERS-----
694 * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
695 * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
696 * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
697 * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
698 * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
699 * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
700 * -----END DH PARAMETERS-----
703 static const unsigned char dh1024_p
[]={
704 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
705 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
706 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
707 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
708 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
709 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
710 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
711 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
712 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
713 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
714 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
717 static const unsigned char dh1024_g
[]={
718 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
719 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
720 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
721 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
722 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
723 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
724 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
725 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
726 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
727 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
728 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
733 network_backend_t nb
;
735 } network_backends
[] = {
737 #if defined USE_SENDFILE
738 { NETWORK_BACKEND_SENDFILE
, "sendfile" },
740 #if defined USE_LINUX_SENDFILE
741 { NETWORK_BACKEND_SENDFILE
, "linux-sendfile" },
743 #if defined USE_FREEBSD_SENDFILE
744 { NETWORK_BACKEND_SENDFILE
, "freebsd-sendfile" },
746 #if defined USE_SOLARIS_SENDFILEV
747 { NETWORK_BACKEND_SENDFILE
, "solaris-sendfilev" },
749 #if defined USE_WRITEV
750 { NETWORK_BACKEND_WRITEV
, "writev" },
752 { NETWORK_BACKEND_WRITE
, "write" },
753 { NETWORK_BACKEND_UNSET
, NULL
}
757 /* load SSL certificates */
758 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
759 specific_config
*s
= srv
->config_storage
[i
];
760 #ifndef SSL_OP_NO_COMPRESSION
761 # define SSL_OP_NO_COMPRESSION 0
763 #ifndef SSL_MODE_RELEASE_BUFFERS /* OpenSSL >= 1.0.0 */
764 #define SSL_MODE_RELEASE_BUFFERS 0
767 SSL_OP_ALL
| SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
| SSL_OP_NO_COMPRESSION
;
769 if (buffer_string_is_empty(s
->ssl_pemfile
) && buffer_string_is_empty(s
->ssl_ca_file
)) continue;
771 if (srv
->ssl_is_init
== 0) {
772 SSL_load_error_strings();
774 OpenSSL_add_all_algorithms();
775 srv
->ssl_is_init
= 1;
777 if (0 == RAND_status()) {
778 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
779 "not enough entropy in the pool");
784 if (!buffer_string_is_empty(s
->ssl_pemfile
)) {
785 #ifdef OPENSSL_NO_TLSEXT
786 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
787 if (COMP_HTTP_HOST
== dc
->comp
) {
788 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
789 "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
793 if (network_openssl_load_pemfile(srv
, i
)) return -1;
797 if (!buffer_string_is_empty(s
->ssl_ca_file
)) {
798 s
->ssl_ca_file_cert_names
= SSL_load_client_CA_file(s
->ssl_ca_file
->ptr
);
799 if (NULL
== s
->ssl_ca_file_cert_names
) {
800 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
801 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_ca_file
);
805 if (buffer_string_is_empty(s
->ssl_pemfile
) || !s
->ssl_enabled
) continue;
807 if (NULL
== (s
->ssl_ctx
= SSL_CTX_new(SSLv23_server_method()))) {
808 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
809 ERR_error_string(ERR_get_error(), NULL
));
813 /* completely useless identifier; required for client cert verification to work with sessions */
814 if (0 == SSL_CTX_set_session_id_context(s
->ssl_ctx
, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
815 log_error_write(srv
, __FILE__
, __LINE__
, "ss:s", "SSL:",
816 "failed to set session context",
817 ERR_error_string(ERR_get_error(), NULL
));
821 if (s
->ssl_empty_fragments
) {
822 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
823 ssloptions
&= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
;
825 ssloptions
&= ~0x00000800L
; /* hardcode constant */
826 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "WARNING: SSL:",
827 "'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
831 SSL_CTX_set_options(s
->ssl_ctx
, ssloptions
);
832 SSL_CTX_set_info_callback(s
->ssl_ctx
, ssl_info_callback
);
834 if (!s
->ssl_use_sslv2
) {
836 if ((SSL_OP_NO_SSLv2
& SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_NO_SSLv2
)) != SSL_OP_NO_SSLv2
) {
837 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
838 ERR_error_string(ERR_get_error(), NULL
));
843 if (!s
->ssl_use_sslv3
) {
845 if ((SSL_OP_NO_SSLv3
& SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_NO_SSLv3
)) != SSL_OP_NO_SSLv3
) {
846 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
847 ERR_error_string(ERR_get_error(), NULL
));
852 if (!buffer_string_is_empty(s
->ssl_cipher_list
)) {
853 /* Disable support for low encryption ciphers */
854 if (SSL_CTX_set_cipher_list(s
->ssl_ctx
, s
->ssl_cipher_list
->ptr
) != 1) {
855 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
856 ERR_error_string(ERR_get_error(), NULL
));
860 if (s
->ssl_honor_cipher_order
) {
861 SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_CIPHER_SERVER_PREFERENCE
);
865 #ifndef OPENSSL_NO_DH
866 /* Support for Diffie-Hellman key exchange */
867 if (!buffer_string_is_empty(s
->ssl_dh_file
)) {
868 /* DH parameters from file */
869 bio
= BIO_new_file((char *) s
->ssl_dh_file
->ptr
, "r");
871 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unable to open file", s
->ssl_dh_file
->ptr
);
874 dh
= PEM_read_bio_DHparams(bio
, NULL
, NULL
, NULL
);
877 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: PEM_read_bio_DHparams failed", s
->ssl_dh_file
->ptr
);
882 /* Default DH parameters from RFC5114 */
885 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: DH_new () failed");
888 dh_p
= BN_bin2bn(dh1024_p
,sizeof(dh1024_p
), NULL
);
889 dh_g
= BN_bin2bn(dh1024_g
,sizeof(dh1024_g
), NULL
);
890 if ((dh_p
== NULL
) || (dh_g
== NULL
)) {
892 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: BN_bin2bn () failed");
895 #if OPENSSL_VERSION_NUMBER < 0x10100000L \
896 || defined(LIBRESSL_VERSION_NUMBER)
901 DH_set0_pqg(dh
, dh_p
, NULL
, dh_g
);
902 DH_set_length(dh
, 160);
905 SSL_CTX_set_tmp_dh(s
->ssl_ctx
,dh
);
906 SSL_CTX_set_options(s
->ssl_ctx
,SSL_OP_SINGLE_DH_USE
);
909 if (!buffer_string_is_empty(s
->ssl_dh_file
)) {
910 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: openssl compiled without DH support, can't load parameters from", s
->ssl_dh_file
->ptr
);
914 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
915 #ifndef OPENSSL_NO_ECDH
916 /* Support for Elliptic-Curve Diffie-Hellman key exchange */
917 if (!buffer_string_is_empty(s
->ssl_ec_curve
)) {
918 /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
919 nid
= OBJ_sn2nid((char *) s
->ssl_ec_curve
->ptr
);
921 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unknown curve name", s
->ssl_ec_curve
->ptr
);
926 nid
= OBJ_sn2nid("prime256v1");
928 ecdh
= EC_KEY_new_by_curve_name(nid
);
930 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unable to create curve", s
->ssl_ec_curve
->ptr
);
933 SSL_CTX_set_tmp_ecdh(s
->ssl_ctx
,ecdh
);
934 SSL_CTX_set_options(s
->ssl_ctx
,SSL_OP_SINGLE_ECDH_USE
);
939 /* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */
940 for (j
= 0; j
< srv
->config_context
->used
; j
++) {
941 specific_config
*s1
= srv
->config_storage
[j
];
943 if (!buffer_string_is_empty(s1
->ssl_ca_file
)) {
944 if (1 != SSL_CTX_load_verify_locations(s
->ssl_ctx
, s1
->ssl_ca_file
->ptr
, NULL
)) {
945 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
946 ERR_error_string(ERR_get_error(), NULL
), s1
->ssl_ca_file
);
952 if (s
->ssl_verifyclient
) {
953 if (NULL
== s
->ssl_ca_file_cert_names
) {
954 log_error_write(srv
, __FILE__
, __LINE__
, "s",
955 "SSL: You specified ssl.verifyclient.activate but no ca_file"
959 SSL_CTX_set_client_CA_list(s
->ssl_ctx
, SSL_dup_CA_list(s
->ssl_ca_file_cert_names
));
962 SSL_VERIFY_PEER
| (s
->ssl_verifyclient_enforce
? SSL_VERIFY_FAIL_IF_NO_PEER_CERT
: 0),
965 SSL_CTX_set_verify_depth(s
->ssl_ctx
, s
->ssl_verifyclient_depth
);
968 if (1 != SSL_CTX_use_certificate(s
->ssl_ctx
, s
->ssl_pemfile_x509
)) {
969 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
970 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_pemfile
);
974 if (1 != SSL_CTX_use_PrivateKey(s
->ssl_ctx
, s
->ssl_pemfile_pkey
)) {
975 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
976 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_pemfile
);
980 if (SSL_CTX_check_private_key(s
->ssl_ctx
) != 1) {
981 log_error_write(srv
, __FILE__
, __LINE__
, "sssb", "SSL:",
982 "Private key does not match the certificate public key, reason:",
983 ERR_error_string(ERR_get_error(), NULL
),
987 SSL_CTX_set_default_read_ahead(s
->ssl_ctx
, 1);
988 SSL_CTX_set_mode(s
->ssl_ctx
, SSL_CTX_get_mode(s
->ssl_ctx
)
989 | SSL_MODE_ENABLE_PARTIAL_WRITE
990 | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
991 | SSL_MODE_RELEASE_BUFFERS
);
993 # ifndef OPENSSL_NO_TLSEXT
994 if (!SSL_CTX_set_tlsext_servername_callback(s
->ssl_ctx
, network_ssl_servername_callback
) ||
995 !SSL_CTX_set_tlsext_servername_arg(s
->ssl_ctx
, srv
)) {
996 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
997 "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
1006 buffer_copy_buffer(b
, srv
->srvconf
.bindhost
);
1007 buffer_append_string_len(b
, CONST_STR_LEN(":"));
1008 buffer_append_int(b
, srv
->srvconf
.port
);
1010 if (0 != network_server_init(srv
, b
, srv
->config_storage
[0])) {
1017 srv
->network_ssl_backend_write
= network_write_chunkqueue_openssl
;
1020 /* get a usefull default */
1021 backend
= network_backends
[0].nb
;
1023 /* match name against known types */
1024 if (!buffer_string_is_empty(srv
->srvconf
.network_backend
)) {
1025 for (i
= 0; network_backends
[i
].name
; i
++) {
1027 if (buffer_is_equal_string(srv
->srvconf
.network_backend
, network_backends
[i
].name
, strlen(network_backends
[i
].name
))) {
1028 backend
= network_backends
[i
].nb
;
1032 if (NULL
== network_backends
[i
].name
) {
1033 /* we don't know it */
1035 log_error_write(srv
, __FILE__
, __LINE__
, "sb",
1036 "server.network-backend has a unknown value:",
1037 srv
->srvconf
.network_backend
);
1044 case NETWORK_BACKEND_WRITE
:
1045 srv
->network_backend_write
= network_write_chunkqueue_write
;
1047 #if defined(USE_WRITEV)
1048 case NETWORK_BACKEND_WRITEV
:
1049 srv
->network_backend_write
= network_write_chunkqueue_writev
;
1052 #if defined(USE_SENDFILE)
1053 case NETWORK_BACKEND_SENDFILE
:
1054 srv
->network_backend_write
= network_write_chunkqueue_sendfile
;
1061 /* check for $SERVER["socket"] */
1062 for (i
= 1; i
< srv
->config_context
->used
; i
++) {
1063 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
1064 specific_config
*s
= srv
->config_storage
[i
];
1067 if (COMP_SERVER_SOCKET
!= dc
->comp
) continue;
1069 if (dc
->cond
!= CONFIG_COND_EQ
) continue;
1071 /* check if we already know this socket,
1072 * if yes, don't init it */
1073 for (j
= 0; j
< srv
->srv_sockets
.used
; j
++) {
1074 if (buffer_is_equal(srv
->srv_sockets
.ptr
[j
]->srv_token
, dc
->string
)) {
1079 if (j
== srv
->srv_sockets
.used
) {
1080 if (0 != network_server_init(srv
, dc
->string
, s
)) return -1;
1087 int network_register_fdevents(server
*srv
) {
1090 if (-1 == fdevent_reset(srv
->ev
)) {
1094 if (srv
->sockets_disabled
) return 0; /* lighttpd -1 (one-shot mode) */
1096 /* register fdevents after reset */
1097 for (i
= 0; i
< srv
->srv_sockets
.used
; i
++) {
1098 server_socket
*srv_socket
= srv
->srv_sockets
.ptr
[i
];
1100 fdevent_register(srv
->ev
, srv_socket
->fd
, network_server_handle_fdevent
, srv_socket
);
1101 fdevent_event_set(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
, FDEVENT_IN
);
1106 int network_write_chunkqueue(server
*srv
, connection
*con
, chunkqueue
*cq
, off_t max_bytes
) {
1112 server_socket
*srv_socket
= con
->srv_socket
;
1114 if (con
->conf
.global_kbytes_per_second
) {
1115 off_t limit
= con
->conf
.global_kbytes_per_second
* 1024 - *(con
->conf
.global_bytes_per_second_cnt_ptr
);
1117 /* we reached the global traffic limit */
1118 con
->traffic_limit_reached
= 1;
1122 if (max_bytes
> limit
) max_bytes
= limit
;
1126 if (con
->conf
.kbytes_per_second
) {
1127 off_t limit
= con
->conf
.kbytes_per_second
* 1024 - con
->bytes_written_cur_second
;
1129 /* we reached the traffic limit */
1130 con
->traffic_limit_reached
= 1;
1134 if (max_bytes
> limit
) max_bytes
= limit
;
1138 written
= cq
->bytes_out
;
1141 /* Linux: put a cork into the socket as we want to combine the write() calls
1142 * but only if we really have multiple chunks
1144 if (cq
->first
&& cq
->first
->next
) {
1146 (void)setsockopt(con
->fd
, IPPROTO_TCP
, TCP_CORK
, &corked
, sizeof(corked
));
1150 if (srv_socket
->is_ssl
) {
1152 ret
= srv
->network_ssl_backend_write(srv
, con
, con
->ssl
, cq
, max_bytes
);
1155 ret
= srv
->network_backend_write(srv
, con
, con
->fd
, cq
, max_bytes
);
1159 chunkqueue_remove_finished_chunks(cq
);
1160 ret
= chunkqueue_is_empty(cq
) ? 0 : 1;
1166 (void)setsockopt(con
->fd
, IPPROTO_TCP
, TCP_CORK
, &corked
, sizeof(corked
));
1170 written
= cq
->bytes_out
- written
;
1171 con
->bytes_written
+= written
;
1172 con
->bytes_written_cur_second
+= written
;
1174 *(con
->conf
.global_bytes_per_second_cnt_ptr
) += written
;