6 #include "connections.h"
9 #include "configfile.h"
11 #include "network_backends.h"
13 #include "sys-socket.h"
15 #include <sys/types.h>
27 # include <openssl/ssl.h>
28 # include <openssl/err.h>
29 # include <openssl/rand.h>
30 # ifndef OPENSSL_NO_DH
31 # include <openssl/dh.h>
33 # include <openssl/bn.h>
35 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
36 # ifndef OPENSSL_NO_ECDH
37 # include <openssl/ecdh.h>
43 static void ssl_info_callback(const SSL
*ssl
, int where
, int ret
) {
46 if (0 != (where
& SSL_CB_HANDSHAKE_START
)) {
47 connection
*con
= SSL_get_app_data(ssl
);
48 ++con
->renegotiations
;
53 static handler_t
network_server_handle_fdevent(server
*srv
, void *context
, int revents
) {
54 server_socket
*srv_socket
= (server_socket
*)context
;
60 if (0 == (revents
& FDEVENT_IN
)) {
61 log_error_write(srv
, __FILE__
, __LINE__
, "sdd",
62 "strange event for server socket",
68 /* accept()s at most 100 connections directly
70 * we jump out after 100 to give the waiting connections a chance */
71 for (loops
= 0; loops
< 100 && NULL
!= (con
= connection_accept(srv
, srv_socket
)); loops
++) {
74 connection_state_machine(srv
, con
);
76 switch(r
= plugins_call_handle_joblist(srv
, con
)) {
77 case HANDLER_FINISHED
:
81 log_error_write(srv
, __FILE__
, __LINE__
, "d", r
);
88 #if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
89 static int network_ssl_servername_callback(SSL
*ssl
, int *al
, server
*srv
) {
90 const char *servername
;
91 connection
*con
= (connection
*) SSL_get_app_data(ssl
);
94 buffer_copy_string(con
->uri
.scheme
, "https");
96 if (NULL
== (servername
= SSL_get_servername(ssl
, TLSEXT_NAMETYPE_host_name
))) {
98 /* this "error" just means the client didn't support it */
99 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
100 "failed to get TLS server name");
102 return SSL_TLSEXT_ERR_NOACK
;
104 buffer_copy_string(con
->tlsext_server_name
, servername
);
105 buffer_to_lower(con
->tlsext_server_name
);
107 /* Sometimes this is still set, confusing COMP_HTTP_HOST */
108 buffer_reset(con
->uri
.authority
);
110 config_cond_cache_reset(srv
, con
);
111 config_setup_connection(srv
, con
);
113 con
->conditional_is_valid
[COMP_SERVER_SOCKET
] = 1;
114 con
->conditional_is_valid
[COMP_HTTP_SCHEME
] = 1;
115 con
->conditional_is_valid
[COMP_HTTP_HOST
] = 1;
116 config_patch_connection(srv
, con
);
118 if (NULL
== con
->conf
.ssl_pemfile_x509
|| NULL
== con
->conf
.ssl_pemfile_pkey
) {
119 /* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */
120 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
121 "no certificate/private key for TLS server name", con
->tlsext_server_name
);
122 return SSL_TLSEXT_ERR_ALERT_FATAL
;
125 /* first set certificate! setting private key checks whether certificate matches it */
126 if (!SSL_use_certificate(ssl
, con
->conf
.ssl_pemfile_x509
)) {
127 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
128 "failed to set certificate for TLS server name", con
->tlsext_server_name
,
129 ERR_error_string(ERR_get_error(), NULL
));
130 return SSL_TLSEXT_ERR_ALERT_FATAL
;
133 if (!SSL_use_PrivateKey(ssl
, con
->conf
.ssl_pemfile_pkey
)) {
134 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
135 "failed to set private key for TLS server name", con
->tlsext_server_name
,
136 ERR_error_string(ERR_get_error(), NULL
));
137 return SSL_TLSEXT_ERR_ALERT_FATAL
;
140 if (con
->conf
.ssl_verifyclient
) {
141 if (NULL
== con
->conf
.ssl_ca_file_cert_names
) {
142 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
143 "can't verify client without ssl.ca-file for TLS server name", con
->tlsext_server_name
,
144 ERR_error_string(ERR_get_error(), NULL
));
145 return SSL_TLSEXT_ERR_ALERT_FATAL
;
148 SSL_set_client_CA_list(ssl
, SSL_dup_CA_list(con
->conf
.ssl_ca_file_cert_names
));
149 /* forcing verification here is really not that useful - a client could just connect without SNI */
152 SSL_VERIFY_PEER
| (con
->conf
.ssl_verifyclient_enforce
? SSL_VERIFY_FAIL_IF_NO_PEER_CERT
: 0),
155 SSL_set_verify_depth(ssl
, con
->conf
.ssl_verifyclient_depth
);
157 SSL_set_verify(ssl
, SSL_VERIFY_NONE
, NULL
);
160 return SSL_TLSEXT_ERR_OK
;
164 static int network_server_init(server
*srv
, buffer
*host_token
, specific_config
*s
) {
167 server_socket
*srv_socket
;
168 unsigned int port
= 0;
171 int is_unix_domain_socket
= 0;
176 WORD wVersionRequested
;
179 wVersionRequested
= MAKEWORD( 2, 2 );
181 err
= WSAStartup( wVersionRequested
, &wsaData
);
183 /* Tell the user that we could not find a usable */
190 srv_socket
= calloc(1, sizeof(*srv_socket
));
191 force_assert(NULL
!= srv_socket
);
193 srv_socket
->fde_ndx
= -1;
195 srv_socket
->srv_token
= buffer_init();
196 buffer_copy_buffer(srv_socket
->srv_token
, host_token
);
199 buffer_copy_buffer(b
, host_token
);
203 if (host
[0] == '/') {
204 /* host is a unix-domain-socket */
205 is_unix_domain_socket
= 1;
210 size_t len
= buffer_string_length(b
);
213 log_error_write(srv
, __FILE__
, __LINE__
, "s", "value of $SERVER[\"socket\"] must not be empty");
214 goto error_free_socket
;
216 if ((b
->ptr
[0] == '[' && b
->ptr
[len
-1] == ']') || NULL
== (sp
= strrchr(b
->ptr
, ':'))) {
217 /* use server.port if set in config, or else default from config_set_defaults() */
218 port
= srv
->srvconf
.port
;
219 sp
= b
->ptr
+ len
; /* point to '\0' at end of string so end of IPv6 address can be found below */
221 /* found ip:port separator at *sp; port doesn't end in ']', so *sp hopefully doesn't split an IPv6 address */
223 port
= strtol(sp
, NULL
, 10);
226 /* check for [ and ] */
227 if (b
->ptr
[0] == '[' && *(sp
-1) == ']') {
234 if (port
== 0 || port
> 65535) {
235 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "port not set or out of range:", port
);
237 goto error_free_socket
;
241 if (*host
== '\0') host
= NULL
;
243 if (is_unix_domain_socket
) {
246 srv_socket
->addr
.plain
.sa_family
= AF_UNIX
;
248 if (-1 == (srv_socket
->fd
= socket(srv_socket
->addr
.plain
.sa_family
, SOCK_STREAM
, 0))) {
249 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socket failed:", strerror(errno
));
250 goto error_free_socket
;
253 log_error_write(srv
, __FILE__
, __LINE__
, "s",
254 "ERROR: Unix Domain sockets are not supported.");
255 goto error_free_socket
;
261 srv_socket
->addr
.plain
.sa_family
= AF_INET6
;
263 if (-1 == (srv_socket
->fd
= socket(srv_socket
->addr
.plain
.sa_family
, SOCK_STREAM
, IPPROTO_TCP
))) {
264 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socket failed:", strerror(errno
));
265 goto error_free_socket
;
270 if (srv_socket
->fd
== -1) {
271 srv_socket
->addr
.plain
.sa_family
= AF_INET
;
272 if (-1 == (srv_socket
->fd
= socket(srv_socket
->addr
.plain
.sa_family
, SOCK_STREAM
, IPPROTO_TCP
))) {
273 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socket failed:", strerror(errno
));
274 goto error_free_socket
;
278 /* set FD_CLOEXEC now, fdevent_fcntl_set is called later; needed for pipe-logger forks */
279 fd_close_on_exec(srv_socket
->fd
);
282 srv
->cur_fds
= srv_socket
->fd
;
285 if (setsockopt(srv_socket
->fd
, SOL_SOCKET
, SO_REUSEADDR
, &val
, sizeof(val
)) < 0) {
286 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socketsockopt(SO_REUSEADDR) failed:", strerror(errno
));
287 goto error_free_socket
;
290 switch(srv_socket
->addr
.plain
.sa_family
) {
293 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_in6
));
294 srv_socket
->addr
.ipv6
.sin6_family
= AF_INET6
;
296 srv_socket
->addr
.ipv6
.sin6_addr
= in6addr_any
;
297 log_error_write(srv
, __FILE__
, __LINE__
, "s", "warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes");
299 struct addrinfo hints
, *res
;
304 if (-1 == setsockopt(srv_socket
->fd
, IPPROTO_IPV6
, IPV6_V6ONLY
, &val
, sizeof(val
))) {
305 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socketsockopt(IPV6_V6ONLY) failed:", strerror(errno
));
306 goto error_free_socket
;
309 log_error_write(srv
, __FILE__
, __LINE__
, "s", "warning: server.set-v6only will be removed soon, update your config to have different sockets for ipv4 and ipv6");
312 memset(&hints
, 0, sizeof(hints
));
314 hints
.ai_family
= AF_INET6
;
315 hints
.ai_socktype
= SOCK_STREAM
;
316 hints
.ai_protocol
= IPPROTO_TCP
;
318 if (0 != (r
= getaddrinfo(host
, NULL
, &hints
, &res
))) {
319 log_error_write(srv
, __FILE__
, __LINE__
,
320 "sssss", "getaddrinfo failed: ",
321 gai_strerror(r
), "'", host
, "'");
323 goto error_free_socket
;
326 memcpy(&(srv_socket
->addr
), res
->ai_addr
, res
->ai_addrlen
);
330 srv_socket
->addr
.ipv6
.sin6_port
= htons(port
);
331 addr_len
= sizeof(struct sockaddr_in6
);
335 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_in
));
336 srv_socket
->addr
.ipv4
.sin_family
= AF_INET
;
338 srv_socket
->addr
.ipv4
.sin_addr
.s_addr
= htonl(INADDR_ANY
);
341 if (NULL
== (he
= gethostbyname(host
))) {
342 log_error_write(srv
, __FILE__
, __LINE__
,
343 "sds", "gethostbyname failed: ",
345 goto error_free_socket
;
348 if (he
->h_addrtype
!= AF_INET
) {
349 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "addr-type != AF_INET: ", he
->h_addrtype
);
350 goto error_free_socket
;
353 if (he
->h_length
!= sizeof(struct in_addr
)) {
354 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "addr-length != sizeof(in_addr): ", he
->h_length
);
355 goto error_free_socket
;
358 memcpy(&(srv_socket
->addr
.ipv4
.sin_addr
.s_addr
), he
->h_addr_list
[0], he
->h_length
);
360 srv_socket
->addr
.ipv4
.sin_port
= htons(port
);
362 addr_len
= sizeof(struct sockaddr_in
);
366 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_un
));
367 srv_socket
->addr
.un
.sun_family
= AF_UNIX
;
369 size_t hostlen
= strlen(host
) + 1;
370 if (hostlen
> sizeof(srv_socket
->addr
.un
.sun_path
)) {
371 log_error_write(srv
, __FILE__
, __LINE__
, "sS", "unix socket filename too long:", host
);
372 goto error_free_socket
;
374 memcpy(srv_socket
->addr
.un
.sun_path
, host
, hostlen
);
377 addr_len
= SUN_LEN(&srv_socket
->addr
.un
);
380 addr_len
= hostlen
+ sizeof(srv_socket
->addr
.un
.sun_family
);
384 if (srv
->srvconf
.preflight_check
) break;
386 /* check if the socket exists and try to connect to it. */
387 if (-1 != (fd
= connect(srv_socket
->fd
, (struct sockaddr
*) &(srv_socket
->addr
), addr_len
))) {
390 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
391 "server socket is still in use:",
395 goto error_free_socket
;
406 log_error_write(srv
, __FILE__
, __LINE__
, "sds",
407 "testing socket failed:",
408 host
, strerror(errno
));
410 goto error_free_socket
;
415 goto error_free_socket
;
418 if (srv
->srvconf
.preflight_check
) {
420 goto error_free_socket
;
423 if (0 != bind(srv_socket
->fd
, (struct sockaddr
*) &(srv_socket
->addr
), addr_len
)) {
424 switch(srv_socket
->addr
.plain
.sa_family
) {
426 log_error_write(srv
, __FILE__
, __LINE__
, "sds",
427 "can't bind to socket:",
428 host
, strerror(errno
));
431 log_error_write(srv
, __FILE__
, __LINE__
, "ssds",
432 "can't bind to port:",
433 host
, port
, strerror(errno
));
436 goto error_free_socket
;
439 if (-1 == listen(srv_socket
->fd
, 128 * 8)) {
440 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "listen failed: ", strerror(errno
));
441 goto error_free_socket
;
444 if (s
->ssl_enabled
) {
446 if (NULL
== (srv_socket
->ssl_ctx
= s
->ssl_ctx
)) {
447 log_error_write(srv
, __FILE__
, __LINE__
, "s", "ssl.pemfile has to be set");
448 goto error_free_socket
;
452 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
453 "ssl requested but openssl support is not compiled in");
455 goto error_free_socket
;
457 #ifdef TCP_DEFER_ACCEPT
458 } else if (s
->defer_accept
) {
459 int v
= s
->defer_accept
;
460 if (-1 == setsockopt(srv_socket
->fd
, IPPROTO_TCP
, TCP_DEFER_ACCEPT
, &v
, sizeof(v
))) {
461 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno
));
465 #ifdef SO_ACCEPTFILTER
466 /* FreeBSD accf_http filter */
467 struct accept_filter_arg afa
;
468 memset(&afa
, 0, sizeof(afa
));
469 strcpy(afa
.af_name
, "httpready");
470 if (setsockopt(srv_socket
->fd
, SOL_SOCKET
, SO_ACCEPTFILTER
, &afa
, sizeof(afa
)) < 0) {
471 if (errno
!= ENOENT
) {
472 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "can't set accept-filter 'httpready': ", strerror(errno
));
478 srv_socket
->is_ssl
= s
->ssl_enabled
;
480 if (srv
->srv_sockets
.size
== 0) {
481 srv
->srv_sockets
.size
= 4;
482 srv
->srv_sockets
.used
= 0;
483 srv
->srv_sockets
.ptr
= malloc(srv
->srv_sockets
.size
* sizeof(server_socket
*));
484 force_assert(NULL
!= srv
->srv_sockets
.ptr
);
485 } else if (srv
->srv_sockets
.used
== srv
->srv_sockets
.size
) {
486 srv
->srv_sockets
.size
+= 4;
487 srv
->srv_sockets
.ptr
= realloc(srv
->srv_sockets
.ptr
, srv
->srv_sockets
.size
* sizeof(server_socket
*));
488 force_assert(NULL
!= srv
->srv_sockets
.ptr
);
491 srv
->srv_sockets
.ptr
[srv
->srv_sockets
.used
++] = srv_socket
;
498 if (srv_socket
->fd
!= -1) {
499 /* check if server fd are already registered */
500 if (srv_socket
->fde_ndx
!= -1) {
501 fdevent_event_del(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
);
502 fdevent_unregister(srv
->ev
, srv_socket
->fd
);
505 close(srv_socket
->fd
);
507 buffer_free(srv_socket
->srv_token
);
512 return err
; /* -1 if error; 0 if srv->srvconf.preflight_check successful */
515 int network_close(server
*srv
) {
517 for (i
= 0; i
< srv
->srv_sockets
.used
; i
++) {
518 server_socket
*srv_socket
= srv
->srv_sockets
.ptr
[i
];
520 if (srv_socket
->fd
!= -1) {
521 /* check if server fd are already registered */
522 if (srv_socket
->fde_ndx
!= -1) {
523 fdevent_event_del(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
);
524 fdevent_unregister(srv
->ev
, srv_socket
->fd
);
527 close(srv_socket
->fd
);
530 buffer_free(srv_socket
->srv_token
);
535 free(srv
->srv_sockets
.ptr
);
541 NETWORK_BACKEND_UNSET
,
542 NETWORK_BACKEND_WRITE
,
543 NETWORK_BACKEND_WRITEV
,
544 NETWORK_BACKEND_SENDFILE
,
548 static X509
* x509_load_pem_file(server
*srv
, const char *file
) {
552 in
= BIO_new(BIO_s_file());
554 log_error_write(srv
, __FILE__
, __LINE__
, "S", "SSL: BIO_new(BIO_s_file()) failed");
558 if (BIO_read_filename(in
,file
) <= 0) {
559 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: BIO_read_filename('", file
,"') failed");
562 x
= PEM_read_bio_X509(in
, NULL
, NULL
, NULL
);
565 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: couldn't read X509 certificate from '", file
,"'");
573 if (NULL
!= in
) BIO_free(in
);
577 static EVP_PKEY
* evp_pkey_load_pem_file(server
*srv
, const char *file
) {
581 in
=BIO_new(BIO_s_file());
583 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: BIO_new(BIO_s_file()) failed");
587 if (BIO_read_filename(in
,file
) <= 0) {
588 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: BIO_read_filename('", file
,"') failed");
591 x
= PEM_read_bio_PrivateKey(in
, NULL
, NULL
, NULL
);
594 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: couldn't read private key from '", file
,"'");
602 if (NULL
!= in
) BIO_free(in
);
606 static int network_openssl_load_pemfile(server
*srv
, size_t ndx
) {
607 specific_config
*s
= srv
->config_storage
[ndx
];
609 #ifdef OPENSSL_NO_TLSEXT
611 data_config
*dc
= (data_config
*)srv
->config_context
->data
[ndx
];
612 if ((ndx
> 0 && (COMP_SERVER_SOCKET
!= dc
->comp
|| dc
->cond
!= CONFIG_COND_EQ
))
613 || !s
->ssl_enabled
) {
614 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
615 "ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions");
621 if (NULL
== (s
->ssl_pemfile_x509
= x509_load_pem_file(srv
, s
->ssl_pemfile
->ptr
))) return -1;
622 if (NULL
== (s
->ssl_pemfile_pkey
= evp_pkey_load_pem_file(srv
, s
->ssl_pemfile
->ptr
))) return -1;
624 if (!X509_check_private_key(s
->ssl_pemfile_x509
, s
->ssl_pemfile_pkey
)) {
625 log_error_write(srv
, __FILE__
, __LINE__
, "sssb", "SSL:",
626 "Private key does not match the certificate public key, reason:",
627 ERR_error_string(ERR_get_error(), NULL
),
636 int network_init(server
*srv
) {
639 network_backend_t backend
;
641 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
642 #ifndef OPENSSL_NO_ECDH
649 # ifndef OPENSSL_NO_DH
654 /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
655 * -----BEGIN DH PARAMETERS-----
656 * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
657 * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
658 * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
659 * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
660 * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
661 * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
662 * -----END DH PARAMETERS-----
665 static const unsigned char dh1024_p
[]={
666 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
667 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
668 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
669 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
670 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
671 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
672 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
673 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
674 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
675 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
676 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
679 static const unsigned char dh1024_g
[]={
680 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
681 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
682 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
683 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
684 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
685 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
686 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
687 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
688 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
689 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
690 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
695 network_backend_t nb
;
697 } network_backends
[] = {
699 #if defined USE_SENDFILE
700 { NETWORK_BACKEND_SENDFILE
, "sendfile" },
702 #if defined USE_LINUX_SENDFILE
703 { NETWORK_BACKEND_SENDFILE
, "linux-sendfile" },
705 #if defined USE_FREEBSD_SENDFILE
706 { NETWORK_BACKEND_SENDFILE
, "freebsd-sendfile" },
708 #if defined USE_SOLARIS_SENDFILEV
709 { NETWORK_BACKEND_SENDFILE
, "solaris-sendfilev" },
711 #if defined USE_WRITEV
712 { NETWORK_BACKEND_WRITEV
, "writev" },
714 { NETWORK_BACKEND_WRITE
, "write" },
715 { NETWORK_BACKEND_UNSET
, NULL
}
719 /* load SSL certificates */
720 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
721 specific_config
*s
= srv
->config_storage
[i
];
722 #ifndef SSL_OP_NO_COMPRESSION
723 # define SSL_OP_NO_COMPRESSION 0
726 SSL_OP_ALL
| SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
| SSL_OP_NO_COMPRESSION
;
728 if (buffer_string_is_empty(s
->ssl_pemfile
) && buffer_string_is_empty(s
->ssl_ca_file
)) continue;
730 if (srv
->ssl_is_init
== 0) {
731 SSL_load_error_strings();
733 OpenSSL_add_all_algorithms();
734 srv
->ssl_is_init
= 1;
736 if (0 == RAND_status()) {
737 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
738 "not enough entropy in the pool");
743 if (!buffer_string_is_empty(s
->ssl_pemfile
)) {
744 #ifdef OPENSSL_NO_TLSEXT
745 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
746 if (COMP_HTTP_HOST
== dc
->comp
) {
747 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
748 "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
752 if (network_openssl_load_pemfile(srv
, i
)) return -1;
756 if (!buffer_string_is_empty(s
->ssl_ca_file
)) {
757 s
->ssl_ca_file_cert_names
= SSL_load_client_CA_file(s
->ssl_ca_file
->ptr
);
758 if (NULL
== s
->ssl_ca_file_cert_names
) {
759 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
760 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_ca_file
);
764 if (buffer_string_is_empty(s
->ssl_pemfile
) || !s
->ssl_enabled
) continue;
766 if (NULL
== (s
->ssl_ctx
= SSL_CTX_new(SSLv23_server_method()))) {
767 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
768 ERR_error_string(ERR_get_error(), NULL
));
772 /* completely useless identifier; required for client cert verification to work with sessions */
773 if (0 == SSL_CTX_set_session_id_context(s
->ssl_ctx
, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
774 log_error_write(srv
, __FILE__
, __LINE__
, "ss:s", "SSL:",
775 "failed to set session context",
776 ERR_error_string(ERR_get_error(), NULL
));
780 if (s
->ssl_empty_fragments
) {
781 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
782 ssloptions
&= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
;
784 ssloptions
&= ~0x00000800L
; /* hardcode constant */
785 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "WARNING: SSL:",
786 "'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
790 SSL_CTX_set_options(s
->ssl_ctx
, ssloptions
);
791 SSL_CTX_set_info_callback(s
->ssl_ctx
, ssl_info_callback
);
793 if (!s
->ssl_use_sslv2
) {
795 if (!(SSL_OP_NO_SSLv2
& SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_NO_SSLv2
))) {
796 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
797 ERR_error_string(ERR_get_error(), NULL
));
802 if (!s
->ssl_use_sslv3
) {
804 if (!(SSL_OP_NO_SSLv3
& SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_NO_SSLv3
))) {
805 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
806 ERR_error_string(ERR_get_error(), NULL
));
811 if (!buffer_string_is_empty(s
->ssl_cipher_list
)) {
812 /* Disable support for low encryption ciphers */
813 if (SSL_CTX_set_cipher_list(s
->ssl_ctx
, s
->ssl_cipher_list
->ptr
) != 1) {
814 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
815 ERR_error_string(ERR_get_error(), NULL
));
819 if (s
->ssl_honor_cipher_order
) {
820 SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_CIPHER_SERVER_PREFERENCE
);
824 #ifndef OPENSSL_NO_DH
825 /* Support for Diffie-Hellman key exchange */
826 if (!buffer_string_is_empty(s
->ssl_dh_file
)) {
827 /* DH parameters from file */
828 bio
= BIO_new_file((char *) s
->ssl_dh_file
->ptr
, "r");
830 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unable to open file", s
->ssl_dh_file
->ptr
);
833 dh
= PEM_read_bio_DHparams(bio
, NULL
, NULL
, NULL
);
836 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: PEM_read_bio_DHparams failed", s
->ssl_dh_file
->ptr
);
840 /* Default DH parameters from RFC5114 */
843 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: DH_new () failed");
846 dh
->p
= BN_bin2bn(dh1024_p
,sizeof(dh1024_p
), NULL
);
847 dh
->g
= BN_bin2bn(dh1024_g
,sizeof(dh1024_g
), NULL
);
849 if ((dh
->p
== NULL
) || (dh
->g
== NULL
)) {
851 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: BN_bin2bn () failed");
855 SSL_CTX_set_tmp_dh(s
->ssl_ctx
,dh
);
856 SSL_CTX_set_options(s
->ssl_ctx
,SSL_OP_SINGLE_DH_USE
);
859 if (!buffer_string_is_empty(s
->ssl_dh_file
)) {
860 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: openssl compiled without DH support, can't load parameters from", s
->ssl_dh_file
->ptr
);
864 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
865 #ifndef OPENSSL_NO_ECDH
866 /* Support for Elliptic-Curve Diffie-Hellman key exchange */
867 if (!buffer_string_is_empty(s
->ssl_ec_curve
)) {
868 /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
869 nid
= OBJ_sn2nid((char *) s
->ssl_ec_curve
->ptr
);
871 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unknown curve name", s
->ssl_ec_curve
->ptr
);
876 nid
= OBJ_sn2nid("prime256v1");
878 ecdh
= EC_KEY_new_by_curve_name(nid
);
880 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unable to create curve", s
->ssl_ec_curve
->ptr
);
883 SSL_CTX_set_tmp_ecdh(s
->ssl_ctx
,ecdh
);
884 SSL_CTX_set_options(s
->ssl_ctx
,SSL_OP_SINGLE_ECDH_USE
);
889 /* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */
890 for (j
= 0; j
< srv
->config_context
->used
; j
++) {
891 specific_config
*s1
= srv
->config_storage
[j
];
893 if (!buffer_string_is_empty(s1
->ssl_ca_file
)) {
894 if (1 != SSL_CTX_load_verify_locations(s
->ssl_ctx
, s1
->ssl_ca_file
->ptr
, NULL
)) {
895 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
896 ERR_error_string(ERR_get_error(), NULL
), s1
->ssl_ca_file
);
902 if (s
->ssl_verifyclient
) {
903 if (NULL
== s
->ssl_ca_file_cert_names
) {
904 log_error_write(srv
, __FILE__
, __LINE__
, "s",
905 "SSL: You specified ssl.verifyclient.activate but no ca_file"
909 SSL_CTX_set_client_CA_list(s
->ssl_ctx
, SSL_dup_CA_list(s
->ssl_ca_file_cert_names
));
912 SSL_VERIFY_PEER
| (s
->ssl_verifyclient_enforce
? SSL_VERIFY_FAIL_IF_NO_PEER_CERT
: 0),
915 SSL_CTX_set_verify_depth(s
->ssl_ctx
, s
->ssl_verifyclient_depth
);
918 if (SSL_CTX_use_certificate(s
->ssl_ctx
, s
->ssl_pemfile_x509
) < 0) {
919 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
920 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_pemfile
);
924 if (SSL_CTX_use_PrivateKey(s
->ssl_ctx
, s
->ssl_pemfile_pkey
) < 0) {
925 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
926 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_pemfile
);
930 if (SSL_CTX_check_private_key(s
->ssl_ctx
) != 1) {
931 log_error_write(srv
, __FILE__
, __LINE__
, "sssb", "SSL:",
932 "Private key does not match the certificate public key, reason:",
933 ERR_error_string(ERR_get_error(), NULL
),
937 SSL_CTX_set_default_read_ahead(s
->ssl_ctx
, 1);
938 SSL_CTX_set_mode(s
->ssl_ctx
, SSL_CTX_get_mode(s
->ssl_ctx
) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
);
940 # ifndef OPENSSL_NO_TLSEXT
941 if (!SSL_CTX_set_tlsext_servername_callback(s
->ssl_ctx
, network_ssl_servername_callback
) ||
942 !SSL_CTX_set_tlsext_servername_arg(s
->ssl_ctx
, srv
)) {
943 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
944 "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
953 buffer_copy_buffer(b
, srv
->srvconf
.bindhost
);
954 buffer_append_string_len(b
, CONST_STR_LEN(":"));
955 buffer_append_int(b
, srv
->srvconf
.port
);
957 if (0 != network_server_init(srv
, b
, srv
->config_storage
[0])) {
964 srv
->network_ssl_backend_write
= network_write_chunkqueue_openssl
;
967 /* get a usefull default */
968 backend
= network_backends
[0].nb
;
970 /* match name against known types */
971 if (!buffer_string_is_empty(srv
->srvconf
.network_backend
)) {
972 for (i
= 0; network_backends
[i
].name
; i
++) {
974 if (buffer_is_equal_string(srv
->srvconf
.network_backend
, network_backends
[i
].name
, strlen(network_backends
[i
].name
))) {
975 backend
= network_backends
[i
].nb
;
979 if (NULL
== network_backends
[i
].name
) {
980 /* we don't know it */
982 log_error_write(srv
, __FILE__
, __LINE__
, "sb",
983 "server.network-backend has a unknown value:",
984 srv
->srvconf
.network_backend
);
991 case NETWORK_BACKEND_WRITE
:
992 srv
->network_backend_write
= network_write_chunkqueue_write
;
994 #if defined(USE_WRITEV)
995 case NETWORK_BACKEND_WRITEV
:
996 srv
->network_backend_write
= network_write_chunkqueue_writev
;
999 #if defined(USE_SENDFILE)
1000 case NETWORK_BACKEND_SENDFILE
:
1001 srv
->network_backend_write
= network_write_chunkqueue_sendfile
;
1008 /* check for $SERVER["socket"] */
1009 for (i
= 1; i
< srv
->config_context
->used
; i
++) {
1010 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
1011 specific_config
*s
= srv
->config_storage
[i
];
1014 if (COMP_SERVER_SOCKET
!= dc
->comp
) continue;
1016 if (dc
->cond
!= CONFIG_COND_EQ
) continue;
1018 /* check if we already know this socket,
1019 * if yes, don't init it */
1020 for (j
= 0; j
< srv
->srv_sockets
.used
; j
++) {
1021 if (buffer_is_equal(srv
->srv_sockets
.ptr
[j
]->srv_token
, dc
->string
)) {
1026 if (j
== srv
->srv_sockets
.used
) {
1027 if (0 != network_server_init(srv
, dc
->string
, s
)) return -1;
1034 int network_register_fdevents(server
*srv
) {
1037 if (-1 == fdevent_reset(srv
->ev
)) {
1041 /* register fdevents after reset */
1042 for (i
= 0; i
< srv
->srv_sockets
.used
; i
++) {
1043 server_socket
*srv_socket
= srv
->srv_sockets
.ptr
[i
];
1045 fdevent_register(srv
->ev
, srv_socket
->fd
, network_server_handle_fdevent
, srv_socket
);
1046 fdevent_event_set(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
, FDEVENT_IN
);
1051 int network_write_chunkqueue(server
*srv
, connection
*con
, chunkqueue
*cq
, off_t max_bytes
) {
1057 server_socket
*srv_socket
= con
->srv_socket
;
1059 if (con
->conf
.global_kbytes_per_second
) {
1060 off_t limit
= con
->conf
.global_kbytes_per_second
* 1024 - *(con
->conf
.global_bytes_per_second_cnt_ptr
);
1062 /* we reached the global traffic limit */
1064 con
->traffic_limit_reached
= 1;
1065 joblist_append(srv
, con
);
1069 if (max_bytes
> limit
) max_bytes
= limit
;
1073 if (con
->conf
.kbytes_per_second
) {
1074 off_t limit
= con
->conf
.kbytes_per_second
* 1024 - con
->bytes_written_cur_second
;
1076 /* we reached the traffic limit */
1078 con
->traffic_limit_reached
= 1;
1079 joblist_append(srv
, con
);
1083 if (max_bytes
> limit
) max_bytes
= limit
;
1087 written
= cq
->bytes_out
;
1090 /* Linux: put a cork into the socket as we want to combine the write() calls
1091 * but only if we really have multiple chunks
1093 if (cq
->first
&& cq
->first
->next
) {
1095 setsockopt(con
->fd
, IPPROTO_TCP
, TCP_CORK
, &corked
, sizeof(corked
));
1099 if (srv_socket
->is_ssl
) {
1101 ret
= srv
->network_ssl_backend_write(srv
, con
, con
->ssl
, cq
, max_bytes
);
1104 ret
= srv
->network_backend_write(srv
, con
, con
->fd
, cq
, max_bytes
);
1108 chunkqueue_remove_finished_chunks(cq
);
1109 ret
= chunkqueue_is_empty(cq
) ? 0 : 1;
1115 setsockopt(con
->fd
, IPPROTO_TCP
, TCP_CORK
, &corked
, sizeof(corked
));
1119 written
= cq
->bytes_out
- written
;
1120 con
->bytes_written
+= written
;
1121 con
->bytes_written_cur_second
+= written
;
1123 *(con
->conf
.global_bytes_per_second_cnt_ptr
) += written
;