search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
untangle overly complex control flow logic
[lighttpd.git] / src / network.c
blob4d97c135d68670ce1417c8ad90b2dd85e43f8fb3
1 #include "first.h"
2
3 #include "network.h"
4 #include "fdevent.h"
5 #include "log.h"
6 #include "connections.h"
7 #include "plugin.h"
8 #include "joblist.h"
9 #include "configfile.h"
10
11 #include "network_backends.h"
12 #include "sys-mmap.h"
13 #include "sys-socket.h"
14
15 #include <sys/types.h>
16 #include <sys/stat.h>
17 #include <sys/time.h>
18
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <stdlib.h>
24 #include <assert.h>
25
26 #ifdef USE_OPENSSL
27 # include <openssl/ssl.h>
28 # include <openssl/err.h>
29 # include <openssl/rand.h>
30 # ifndef OPENSSL_NO_DH
31 # include <openssl/dh.h>
32 # endif
33 # include <openssl/bn.h>
34
35 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
36 # ifndef OPENSSL_NO_ECDH
37 # include <openssl/ecdh.h>
38 # endif
39 # endif
40 #endif
41
42 #ifdef USE_OPENSSL
43 static void ssl_info_callback(const SSL *ssl, int where, int ret) {
44 UNUSED(ret);
45
46 if (0 != (where & SSL_CB_HANDSHAKE_START)) {
47 connection *con = SSL_get_app_data(ssl);
48 ++con->renegotiations;
49 }
50 }
51 #endif
52
53 static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
54 server_socket *srv_socket = (server_socket *)context;
55 connection *con;
56 int loops = 0;
57
58 UNUSED(context);
59
60 if (0 == (revents & FDEVENT_IN)) {
61 log_error_write(srv, __FILE__, __LINE__, "sdd",
62 "strange event for server socket",
63 srv_socket->fd,
64 revents);
65 return HANDLER_ERROR;
66 }
67
68 /* accept()s at most 100 connections directly
69 *
70 * we jump out after 100 to give the waiting connections a chance */
71 for (loops = 0; loops < 100 && NULL != (con = connection_accept(srv, srv_socket)); loops++) {
72 handler_t r;
73
74 connection_state_machine(srv, con);
75
76 switch(r = plugins_call_handle_joblist(srv, con)) {
77 case HANDLER_FINISHED:
78 case HANDLER_GO_ON:
79 break;
80 default:
81 log_error_write(srv, __FILE__, __LINE__, "d", r);
82 break;
83 }
84 }
85 return HANDLER_GO_ON;
86 }
87
88 #if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
89 static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
90 const char *servername;
91 connection *con = (connection *) SSL_get_app_data(ssl);
92 UNUSED(al);
93
94 buffer_copy_string(con->uri.scheme, "https");
95
96 if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
97 #if 0
98 /* this "error" just means the client didn't support it */
99 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
100 "failed to get TLS server name");
101 #endif
102 return SSL_TLSEXT_ERR_NOACK;
103 }
104 buffer_copy_string(con->tlsext_server_name, servername);
105 buffer_to_lower(con->tlsext_server_name);
106
107 /* Sometimes this is still set, confusing COMP_HTTP_HOST */
108 buffer_reset(con->uri.authority);
109
110 config_cond_cache_reset(srv, con);
111 config_setup_connection(srv, con);
112
113 con->conditional_is_valid[COMP_SERVER_SOCKET] = 1;
114 con->conditional_is_valid[COMP_HTTP_SCHEME] = 1;
115 con->conditional_is_valid[COMP_HTTP_HOST] = 1;
116 config_patch_connection(srv, con);
117
118 if (NULL == con->conf.ssl_pemfile_x509 || NULL == con->conf.ssl_pemfile_pkey) {
119 /* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */
120 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
121 "no certificate/private key for TLS server name", con->tlsext_server_name);
122 return SSL_TLSEXT_ERR_ALERT_FATAL;
123 }
124
125 /* first set certificate! setting private key checks whether certificate matches it */
126 if (!SSL_use_certificate(ssl, con->conf.ssl_pemfile_x509)) {
127 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
128 "failed to set certificate for TLS server name", con->tlsext_server_name,
129 ERR_error_string(ERR_get_error(), NULL));
130 return SSL_TLSEXT_ERR_ALERT_FATAL;
131 }
132
133 if (!SSL_use_PrivateKey(ssl, con->conf.ssl_pemfile_pkey)) {
134 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
135 "failed to set private key for TLS server name", con->tlsext_server_name,
136 ERR_error_string(ERR_get_error(), NULL));
137 return SSL_TLSEXT_ERR_ALERT_FATAL;
138 }
139
140 if (con->conf.ssl_verifyclient) {
141 if (NULL == con->conf.ssl_ca_file_cert_names) {
142 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
143 "can't verify client without ssl.ca-file for TLS server name", con->tlsext_server_name,
144 ERR_error_string(ERR_get_error(), NULL));
145 return SSL_TLSEXT_ERR_ALERT_FATAL;
146 }
147
148 SSL_set_client_CA_list(ssl, SSL_dup_CA_list(con->conf.ssl_ca_file_cert_names));
149 /* forcing verification here is really not that useful - a client could just connect without SNI */
150 SSL_set_verify(
151 ssl,
152 SSL_VERIFY_PEER | (con->conf.ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
153 NULL
154 );
155 SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth);
156 } else {
157 SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
158 }
159
160 return SSL_TLSEXT_ERR_OK;
161 }
162 #endif
163
164 static int network_server_init(server *srv, buffer *host_token, specific_config *s) {
165 int val;
166 socklen_t addr_len;
167 server_socket *srv_socket;
168 unsigned int port = 0;
169 const char *host;
170 buffer *b;
171 int is_unix_domain_socket = 0;
172 int fd;
173 int err;
174
175 #ifdef __WIN32
176 WORD wVersionRequested;
177 WSADATA wsaData;
178
179 wVersionRequested = MAKEWORD( 2, 2 );
180
181 err = WSAStartup( wVersionRequested, &wsaData );
182 if ( err != 0 ) {
183 /* Tell the user that we could not find a usable */
184 /* WinSock DLL. */
185 return -1;
186 }
187 #endif
188 err = -1;
189
190 srv_socket = calloc(1, sizeof(*srv_socket));
191 force_assert(NULL != srv_socket);
192 srv_socket->fd = -1;
193 srv_socket->fde_ndx = -1;
194
195 srv_socket->srv_token = buffer_init();
196 buffer_copy_buffer(srv_socket->srv_token, host_token);
197
198 b = buffer_init();
199 buffer_copy_buffer(b, host_token);
200
201 host = b->ptr;
202
203 if (host[0] == '/') {
204 /* host is a unix-domain-socket */
205 is_unix_domain_socket = 1;
206 } else {
207 /* ipv4:port
208 * [ipv6]:port
209 */
210 size_t len = buffer_string_length(b);
211 char *sp = NULL;
212 if (0 == len) {
213 log_error_write(srv, __FILE__, __LINE__, "s", "value of $SERVER[\"socket\"] must not be empty");
214 goto error_free_socket;
215 }
216 if ((b->ptr[0] == '[' && b->ptr[len-1] == ']') || NULL == (sp = strrchr(b->ptr, ':'))) {
217 /* use server.port if set in config, or else default from config_set_defaults() */
218 port = srv->srvconf.port;
219 sp = b->ptr + len; /* point to '\0' at end of string so end of IPv6 address can be found below */
220 } else {
221 /* found ip:port separator at *sp; port doesn't end in ']', so *sp hopefully doesn't split an IPv6 address */
222 *(sp++) = '\0';
223 port = strtol(sp, NULL, 10);
224 }
225
226 /* check for [ and ] */
227 if (b->ptr[0] == '[' && *(sp-1) == ']') {
228 *(sp-1) = '\0';
229 host++;
230
231 s->use_ipv6 = 1;
232 }
233
234 if (port == 0 || port > 65535) {
235 log_error_write(srv, __FILE__, __LINE__, "sd", "port not set or out of range:", port);
236
237 goto error_free_socket;
238 }
239 }
240
241 if (*host == '\0') host = NULL;
242
243 if (is_unix_domain_socket) {
244 #ifdef HAVE_SYS_UN_H
245
246 srv_socket->addr.plain.sa_family = AF_UNIX;
247
248 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, 0))) {
249 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
250 goto error_free_socket;
251 }
252 #else
253 log_error_write(srv, __FILE__, __LINE__, "s",
254 "ERROR: Unix Domain sockets are not supported.");
255 goto error_free_socket;
256 #endif
257 }
258
259 #ifdef HAVE_IPV6
260 if (s->use_ipv6) {
261 srv_socket->addr.plain.sa_family = AF_INET6;
262
263 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
264 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
265 goto error_free_socket;
266 }
267 }
268 #endif
269
270 if (srv_socket->fd == -1) {
271 srv_socket->addr.plain.sa_family = AF_INET;
272 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
273 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
274 goto error_free_socket;
275 }
276 }
277
278 /* set FD_CLOEXEC now, fdevent_fcntl_set is called later; needed for pipe-logger forks */
279 fd_close_on_exec(srv_socket->fd);
280
281 /* */
282 srv->cur_fds = srv_socket->fd;
283
284 val = 1;
285 if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
286 log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(SO_REUSEADDR) failed:", strerror(errno));
287 goto error_free_socket;
288 }
289
290 switch(srv_socket->addr.plain.sa_family) {
291 #ifdef HAVE_IPV6
292 case AF_INET6:
293 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in6));
294 srv_socket->addr.ipv6.sin6_family = AF_INET6;
295 if (host == NULL) {
296 srv_socket->addr.ipv6.sin6_addr = in6addr_any;
297 log_error_write(srv, __FILE__, __LINE__, "s", "warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes");
298 } else {
299 struct addrinfo hints, *res;
300 int r;
301
302 if (s->set_v6only) {
303 val = 1;
304 if (-1 == setsockopt(srv_socket->fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof(val))) {
305 log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(IPV6_V6ONLY) failed:", strerror(errno));
306 goto error_free_socket;
307 }
308 } else {
309 log_error_write(srv, __FILE__, __LINE__, "s", "warning: server.set-v6only will be removed soon, update your config to have different sockets for ipv4 and ipv6");
310 }
311
312 memset(&hints, 0, sizeof(hints));
313
314 hints.ai_family = AF_INET6;
315 hints.ai_socktype = SOCK_STREAM;
316 hints.ai_protocol = IPPROTO_TCP;
317
318 if (0 != (r = getaddrinfo(host, NULL, &hints, &res))) {
319 log_error_write(srv, __FILE__, __LINE__,
320 "sssss", "getaddrinfo failed: ",
321 gai_strerror(r), "'", host, "'");
322
323 goto error_free_socket;
324 }
325
326 memcpy(&(srv_socket->addr), res->ai_addr, res->ai_addrlen);
327
328 freeaddrinfo(res);
329 }
330 srv_socket->addr.ipv6.sin6_port = htons(port);
331 addr_len = sizeof(struct sockaddr_in6);
332 break;
333 #endif
334 case AF_INET:
335 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in));
336 srv_socket->addr.ipv4.sin_family = AF_INET;
337 if (host == NULL) {
338 srv_socket->addr.ipv4.sin_addr.s_addr = htonl(INADDR_ANY);
339 } else {
340 struct hostent *he;
341 if (NULL == (he = gethostbyname(host))) {
342 log_error_write(srv, __FILE__, __LINE__,
343 "sds", "gethostbyname failed: ",
344 h_errno, host);
345 goto error_free_socket;
346 }
347
348 if (he->h_addrtype != AF_INET) {
349 log_error_write(srv, __FILE__, __LINE__, "sd", "addr-type != AF_INET: ", he->h_addrtype);
350 goto error_free_socket;
351 }
352
353 if (he->h_length != sizeof(struct in_addr)) {
354 log_error_write(srv, __FILE__, __LINE__, "sd", "addr-length != sizeof(in_addr): ", he->h_length);
355 goto error_free_socket;
356 }
357
358 memcpy(&(srv_socket->addr.ipv4.sin_addr.s_addr), he->h_addr_list[0], he->h_length);
359 }
360 srv_socket->addr.ipv4.sin_port = htons(port);
361
362 addr_len = sizeof(struct sockaddr_in);
363
364 break;
365 case AF_UNIX:
366 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_un));
367 srv_socket->addr.un.sun_family = AF_UNIX;
368 {
369 size_t hostlen = strlen(host) + 1;
370 if (hostlen > sizeof(srv_socket->addr.un.sun_path)) {
371 log_error_write(srv, __FILE__, __LINE__, "sS", "unix socket filename too long:", host);
372 goto error_free_socket;
373 }
374 memcpy(srv_socket->addr.un.sun_path, host, hostlen);
375
376 #if defined(SUN_LEN)
377 addr_len = SUN_LEN(&srv_socket->addr.un);
378 #else
379 /* stevens says: */
380 addr_len = hostlen + sizeof(srv_socket->addr.un.sun_family);
381 #endif
382 }
383
384 if (srv->srvconf.preflight_check) break;
385
386 /* check if the socket exists and try to connect to it. */
387 if (-1 != (fd = connect(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len))) {
388 close(fd);
389
390 log_error_write(srv, __FILE__, __LINE__, "ss",
391 "server socket is still in use:",
392 host);
393
394
395 goto error_free_socket;
396 }
397
398 /* connect failed */
399 switch(errno) {
400 case ECONNREFUSED:
401 unlink(host);
402 break;
403 case ENOENT:
404 break;
405 default:
406 log_error_write(srv, __FILE__, __LINE__, "sds",
407 "testing socket failed:",
408 host, strerror(errno));
409
410 goto error_free_socket;
411 }
412
413 break;
414 default:
415 goto error_free_socket;
416 }
417
418 if (srv->srvconf.preflight_check) {
419 err = 0;
420 goto error_free_socket;
421 }
422
423 if (0 != bind(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len)) {
424 switch(srv_socket->addr.plain.sa_family) {
425 case AF_UNIX:
426 log_error_write(srv, __FILE__, __LINE__, "sds",
427 "can't bind to socket:",
428 host, strerror(errno));
429 break;
430 default:
431 log_error_write(srv, __FILE__, __LINE__, "ssds",
432 "can't bind to port:",
433 host, port, strerror(errno));
434 break;
435 }
436 goto error_free_socket;
437 }
438
439 if (-1 == listen(srv_socket->fd, s->listen_backlog)) {
440 log_error_write(srv, __FILE__, __LINE__, "ss", "listen failed: ", strerror(errno));
441 goto error_free_socket;
442 }
443
444 if (s->ssl_enabled) {
445 #ifdef USE_OPENSSL
446 if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
447 log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
448 goto error_free_socket;
449 }
450 #else
451
452 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
453 "ssl requested but openssl support is not compiled in");
454
455 goto error_free_socket;
456 #endif
457 #ifdef TCP_DEFER_ACCEPT
458 } else if (s->defer_accept) {
459 int v = s->defer_accept;
460 if (-1 == setsockopt(srv_socket->fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &v, sizeof(v))) {
461 log_error_write(srv, __FILE__, __LINE__, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno));
462 }
463 #endif
464 } else {
465 #ifdef SO_ACCEPTFILTER
466 /* FreeBSD accf_http filter */
467 struct accept_filter_arg afa;
468 memset(&afa, 0, sizeof(afa));
469 strcpy(afa.af_name, "httpready");
470 if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)) < 0) {
471 if (errno != ENOENT) {
472 log_error_write(srv, __FILE__, __LINE__, "ss", "can't set accept-filter 'httpready': ", strerror(errno));
473 }
474 }
475 #endif
476 }
477
478 srv_socket->is_ssl = s->ssl_enabled;
479
480 if (srv->srv_sockets.size == 0) {
481 srv->srv_sockets.size = 4;
482 srv->srv_sockets.used = 0;
483 srv->srv_sockets.ptr = malloc(srv->srv_sockets.size * sizeof(server_socket*));
484 force_assert(NULL != srv->srv_sockets.ptr);
485 } else if (srv->srv_sockets.used == srv->srv_sockets.size) {
486 srv->srv_sockets.size += 4;
487 srv->srv_sockets.ptr = realloc(srv->srv_sockets.ptr, srv->srv_sockets.size * sizeof(server_socket*));
488 force_assert(NULL != srv->srv_sockets.ptr);
489 }
490
491 srv->srv_sockets.ptr[srv->srv_sockets.used++] = srv_socket;
492
493 buffer_free(b);
494
495 return 0;
496
497 error_free_socket:
498 if (srv_socket->fd != -1) {
499 /* check if server fd are already registered */
500 if (srv_socket->fde_ndx != -1) {
501 fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
502 fdevent_unregister(srv->ev, srv_socket->fd);
503 }
504
505 close(srv_socket->fd);
506 }
507 buffer_free(srv_socket->srv_token);
508 free(srv_socket);
509
510 buffer_free(b);
511
512 return err; /* -1 if error; 0 if srv->srvconf.preflight_check successful */
513 }
514
515 int network_close(server *srv) {
516 size_t i;
517 for (i = 0; i < srv->srv_sockets.used; i++) {
518 server_socket *srv_socket = srv->srv_sockets.ptr[i];
519
520 if (srv_socket->fd != -1) {
521 /* check if server fd are already registered */
522 if (srv_socket->fde_ndx != -1) {
523 fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
524 fdevent_unregister(srv->ev, srv_socket->fd);
525 }
526
527 close(srv_socket->fd);
528 }
529
530 buffer_free(srv_socket->srv_token);
531
532 free(srv_socket);
533 }
534
535 free(srv->srv_sockets.ptr);
536
537 return 0;
538 }
539
540 typedef enum {
541 NETWORK_BACKEND_UNSET,
542 NETWORK_BACKEND_WRITE,
543 NETWORK_BACKEND_WRITEV,
544 NETWORK_BACKEND_SENDFILE,
545 } network_backend_t;
546
547 #ifdef USE_OPENSSL
548 static X509* x509_load_pem_file(server *srv, const char *file) {
549 BIO *in;
550 X509 *x = NULL;
551
552 in = BIO_new(BIO_s_file());
553 if (NULL == in) {
554 log_error_write(srv, __FILE__, __LINE__, "S", "SSL: BIO_new(BIO_s_file()) failed");
555 goto error;
556 }
557
558 if (BIO_read_filename(in,file) <= 0) {
559 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed");
560 goto error;
561 }
562 x = PEM_read_bio_X509(in, NULL, NULL, NULL);
563
564 if (NULL == x) {
565 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read X509 certificate from '", file,"'");
566 goto error;
567 }
568
569 BIO_free(in);
570 return x;
571
572 error:
573 if (NULL != in) BIO_free(in);
574 return NULL;
575 }
576
577 static EVP_PKEY* evp_pkey_load_pem_file(server *srv, const char *file) {
578 BIO *in;
579 EVP_PKEY *x = NULL;
580
581 in=BIO_new(BIO_s_file());
582 if (NULL == in) {
583 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BIO_new(BIO_s_file()) failed");
584 goto error;
585 }
586
587 if (BIO_read_filename(in,file) <= 0) {
588 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed");
589 goto error;
590 }
591 x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
592
593 if (NULL == x) {
594 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read private key from '", file,"'");
595 goto error;
596 }
597
598 BIO_free(in);
599 return x;
600
601 error:
602 if (NULL != in) BIO_free(in);
603 return NULL;
604 }
605
606 static int network_openssl_load_pemfile(server *srv, size_t ndx) {
607 specific_config *s = srv->config_storage[ndx];
608
609 #ifdef OPENSSL_NO_TLSEXT
610 {
611 data_config *dc = (data_config *)srv->config_context->data[ndx];
612 if ((ndx > 0 && (COMP_SERVER_SOCKET != dc->comp || dc->cond != CONFIG_COND_EQ))
613 || !s->ssl_enabled) {
614 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
615 "ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions");
616 return -1;
617 }
618 }
619 #endif
620
621 if (NULL == (s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
622 if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
623
624 if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
625 log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
626 "Private key does not match the certificate public key, reason:",
627 ERR_error_string(ERR_get_error(), NULL),
628 s->ssl_pemfile);
629 return -1;
630 }
631
632 return 0;
633 }
634 #endif
635
636 int network_init(server *srv) {
637 buffer *b;
638 size_t i, j;
639 network_backend_t backend;
640
641 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
642 #ifndef OPENSSL_NO_ECDH
643 EC_KEY *ecdh;
644 int nid;
645 #endif
646 #endif
647
648 #ifdef USE_OPENSSL
649 # ifndef OPENSSL_NO_DH
650 DH *dh;
651 # endif
652 BIO *bio;
653
654 /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
655 * -----BEGIN DH PARAMETERS-----
656 * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
657 * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
658 * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
659 * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
660 * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
661 * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
662 * -----END DH PARAMETERS-----
663 */
664
665 static const unsigned char dh1024_p[]={
666 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
667 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
668 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
669 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
670 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
671 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
672 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
673 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
674 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
675 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
676 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
677 };
678
679 static const unsigned char dh1024_g[]={
680 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
681 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
682 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
683 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
684 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
685 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
686 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
687 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
688 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
689 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
690 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
691 };
692 #endif
693
694 struct nb_map {
695 network_backend_t nb;
696 const char *name;
697 } network_backends[] = {
698 /* lowest id wins */
699 #if defined USE_SENDFILE
700 { NETWORK_BACKEND_SENDFILE, "sendfile" },
701 #endif
702 #if defined USE_LINUX_SENDFILE
703 { NETWORK_BACKEND_SENDFILE, "linux-sendfile" },
704 #endif
705 #if defined USE_FREEBSD_SENDFILE
706 { NETWORK_BACKEND_SENDFILE, "freebsd-sendfile" },
707 #endif
708 #if defined USE_SOLARIS_SENDFILEV
709 { NETWORK_BACKEND_SENDFILE, "solaris-sendfilev" },
710 #endif
711 #if defined USE_WRITEV
712 { NETWORK_BACKEND_WRITEV, "writev" },
713 #endif
714 { NETWORK_BACKEND_WRITE, "write" },
715 { NETWORK_BACKEND_UNSET, NULL }
716 };
717
718 #ifdef USE_OPENSSL
719 /* load SSL certificates */
720 for (i = 0; i < srv->config_context->used; i++) {
721 specific_config *s = srv->config_storage[i];
722 #ifndef SSL_OP_NO_COMPRESSION
723 # define SSL_OP_NO_COMPRESSION 0
724 #endif
725 long ssloptions =
726 SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
727
728 if (buffer_string_is_empty(s->ssl_pemfile) && buffer_string_is_empty(s->ssl_ca_file)) continue;
729
730 if (srv->ssl_is_init == 0) {
731 SSL_load_error_strings();
732 SSL_library_init();
733 OpenSSL_add_all_algorithms();
734 srv->ssl_is_init = 1;
735
736 if (0 == RAND_status()) {
737 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
738 "not enough entropy in the pool");
739 return -1;
740 }
741 }
742
743 if (!buffer_string_is_empty(s->ssl_pemfile)) {
744 #ifdef OPENSSL_NO_TLSEXT
745 data_config *dc = (data_config *)srv->config_context->data[i];
746 if (COMP_HTTP_HOST == dc->comp) {
747 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
748 "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
749 return -1;
750 }
751 #endif
752 if (network_openssl_load_pemfile(srv, i)) return -1;
753 }
754
755
756 if (!buffer_string_is_empty(s->ssl_ca_file)) {
757 s->ssl_ca_file_cert_names = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
758 if (NULL == s->ssl_ca_file_cert_names) {
759 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
760 ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
761 }
762 }
763
764 if (buffer_string_is_empty(s->ssl_pemfile) || !s->ssl_enabled) continue;
765
766 if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
767 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
768 ERR_error_string(ERR_get_error(), NULL));
769 return -1;
770 }
771
772 /* completely useless identifier; required for client cert verification to work with sessions */
773 if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
774 log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:",
775 "failed to set session context",
776 ERR_error_string(ERR_get_error(), NULL));
777 return -1;
778 }
779
780 if (s->ssl_empty_fragments) {
781 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
782 ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
783 #else
784 ssloptions &= ~0x00000800L; /* hardcode constant */
785 log_error_write(srv, __FILE__, __LINE__, "ss", "WARNING: SSL:",
786 "'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
787 #endif
788 }
789
790 SSL_CTX_set_options(s->ssl_ctx, ssloptions);
791 SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
792
793 if (!s->ssl_use_sslv2) {
794 /* disable SSLv2 */
795 if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
796 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
797 ERR_error_string(ERR_get_error(), NULL));
798 return -1;
799 }
800 }
801
802 if (!s->ssl_use_sslv3) {
803 /* disable SSLv3 */
804 if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) {
805 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
806 ERR_error_string(ERR_get_error(), NULL));
807 return -1;
808 }
809 }
810
811 if (!buffer_string_is_empty(s->ssl_cipher_list)) {
812 /* Disable support for low encryption ciphers */
813 if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
814 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
815 ERR_error_string(ERR_get_error(), NULL));
816 return -1;
817 }
818
819 if (s->ssl_honor_cipher_order) {
820 SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
821 }
822 }
823
824 #ifndef OPENSSL_NO_DH
825 /* Support for Diffie-Hellman key exchange */
826 if (!buffer_string_is_empty(s->ssl_dh_file)) {
827 /* DH parameters from file */
828 bio = BIO_new_file((char *) s->ssl_dh_file->ptr, "r");
829 if (bio == NULL) {
830 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to open file", s->ssl_dh_file->ptr);
831 return -1;
832 }
833 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
834 BIO_free(bio);
835 if (dh == NULL) {
836 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: PEM_read_bio_DHparams failed", s->ssl_dh_file->ptr);
837 return -1;
838 }
839 } else {
840 /* Default DH parameters from RFC5114 */
841 dh = DH_new();
842 if (dh == NULL) {
843 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed");
844 return -1;
845 }
846 dh->p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
847 dh->g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
848 dh->length = 160;
849 if ((dh->p == NULL) || (dh->g == NULL)) {
850 DH_free(dh);
851 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
852 return -1;
853 }
854 }
855 SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
856 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
857 DH_free(dh);
858 #else
859 if (!buffer_string_is_empty(s->ssl_dh_file)) {
860 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: openssl compiled without DH support, can't load parameters from", s->ssl_dh_file->ptr);
861 }
862 #endif
863
864 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
865 #ifndef OPENSSL_NO_ECDH
866 /* Support for Elliptic-Curve Diffie-Hellman key exchange */
867 if (!buffer_string_is_empty(s->ssl_ec_curve)) {
868 /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
869 nid = OBJ_sn2nid((char *) s->ssl_ec_curve->ptr);
870 if (nid == 0) {
871 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unknown curve name", s->ssl_ec_curve->ptr);
872 return -1;
873 }
874 } else {
875 /* Default curve */
876 nid = OBJ_sn2nid("prime256v1");
877 }
878 ecdh = EC_KEY_new_by_curve_name(nid);
879 if (ecdh == NULL) {
880 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to create curve", s->ssl_ec_curve->ptr);
881 return -1;
882 }
883 SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
884 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
885 EC_KEY_free(ecdh);
886 #endif
887 #endif
888
889 /* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */
890 for (j = 0; j < srv->config_context->used; j++) {
891 specific_config *s1 = srv->config_storage[j];
892
893 if (!buffer_string_is_empty(s1->ssl_ca_file)) {
894 if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s1->ssl_ca_file->ptr, NULL)) {
895 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
896 ERR_error_string(ERR_get_error(), NULL), s1->ssl_ca_file);
897 return -1;
898 }
899 }
900 }
901
902 if (s->ssl_verifyclient) {
903 if (NULL == s->ssl_ca_file_cert_names) {
904 log_error_write(srv, __FILE__, __LINE__, "s",
905 "SSL: You specified ssl.verifyclient.activate but no ca_file"
906 );
907 return -1;
908 }
909 SSL_CTX_set_client_CA_list(s->ssl_ctx, SSL_dup_CA_list(s->ssl_ca_file_cert_names));
910 SSL_CTX_set_verify(
911 s->ssl_ctx,
912 SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
913 NULL
914 );
915 SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
916 }
917
918 if (SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509) < 0) {
919 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
920 ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
921 return -1;
922 }
923
924 if (SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey) < 0) {
925 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
926 ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
927 return -1;
928 }
929
930 if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
931 log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
932 "Private key does not match the certificate public key, reason:",
933 ERR_error_string(ERR_get_error(), NULL),
934 s->ssl_pemfile);
935 return -1;
936 }
937 SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
938 SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
939
940 # ifndef OPENSSL_NO_TLSEXT
941 if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
942 !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
943 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
944 "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
945 return -1;
946 }
947 # endif
948 }
949 #endif
950
951 b = buffer_init();
952
953 buffer_copy_buffer(b, srv->srvconf.bindhost);
954 buffer_append_string_len(b, CONST_STR_LEN(":"));
955 buffer_append_int(b, srv->srvconf.port);
956
957 if (0 != network_server_init(srv, b, srv->config_storage[0])) {
958 buffer_free(b);
959 return -1;
960 }
961 buffer_free(b);
962
963 #ifdef USE_OPENSSL
964 srv->network_ssl_backend_write = network_write_chunkqueue_openssl;
965 #endif
966
967 /* get a usefull default */
968 backend = network_backends[0].nb;
969
970 /* match name against known types */
971 if (!buffer_string_is_empty(srv->srvconf.network_backend)) {
972 for (i = 0; network_backends[i].name; i++) {
973 /**/
974 if (buffer_is_equal_string(srv->srvconf.network_backend, network_backends[i].name, strlen(network_backends[i].name))) {
975 backend = network_backends[i].nb;
976 break;
977 }
978 }
979 if (NULL == network_backends[i].name) {
980 /* we don't know it */
981
982 log_error_write(srv, __FILE__, __LINE__, "sb",
983 "server.network-backend has a unknown value:",
984 srv->srvconf.network_backend);
985
986 return -1;
987 }
988 }
989
990 switch(backend) {
991 case NETWORK_BACKEND_WRITE:
992 srv->network_backend_write = network_write_chunkqueue_write;
993 break;
994 #if defined(USE_WRITEV)
995 case NETWORK_BACKEND_WRITEV:
996 srv->network_backend_write = network_write_chunkqueue_writev;
997 break;
998 #endif
999 #if defined(USE_SENDFILE)
1000 case NETWORK_BACKEND_SENDFILE:
1001 srv->network_backend_write = network_write_chunkqueue_sendfile;
1002 break;
1003 #endif
1004 default:
1005 return -1;
1006 }
1007
1008 /* check for $SERVER["socket"] */
1009 for (i = 1; i < srv->config_context->used; i++) {
1010 data_config *dc = (data_config *)srv->config_context->data[i];
1011 specific_config *s = srv->config_storage[i];
1012
1013 /* not our stage */
1014 if (COMP_SERVER_SOCKET != dc->comp) continue;
1015
1016 if (dc->cond != CONFIG_COND_EQ) continue;
1017
1018 /* check if we already know this socket,
1019 * if yes, don't init it */
1020 for (j = 0; j < srv->srv_sockets.used; j++) {
1021 if (buffer_is_equal(srv->srv_sockets.ptr[j]->srv_token, dc->string)) {
1022 break;
1023 }
1024 }
1025
1026 if (j == srv->srv_sockets.used) {
1027 if (0 != network_server_init(srv, dc->string, s)) return -1;
1028 }
1029 }
1030
1031 return 0;
1032 }
1033
1034 int network_register_fdevents(server *srv) {
1035 size_t i;
1036
1037 if (-1 == fdevent_reset(srv->ev)) {
1038 return -1;
1039 }
1040
1041 /* register fdevents after reset */
1042 for (i = 0; i < srv->srv_sockets.used; i++) {
1043 server_socket *srv_socket = srv->srv_sockets.ptr[i];
1044
1045 fdevent_register(srv->ev, srv_socket->fd, network_server_handle_fdevent, srv_socket);
1046 fdevent_event_set(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd, FDEVENT_IN);
1047 }
1048 return 0;
1049 }
1050
1051 int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) {
1052 int ret = -1;
1053 off_t written = 0;
1054 #ifdef TCP_CORK
1055 int corked = 0;
1056 #endif
1057 server_socket *srv_socket = con->srv_socket;
1058
1059 if (con->conf.global_kbytes_per_second) {
1060 off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr);
1061 if (limit <= 0) {
1062 /* we reached the global traffic limit */
1063
1064 con->traffic_limit_reached = 1;
1065 joblist_append(srv, con);
1066
1067 return 1;
1068 } else {
1069 if (max_bytes > limit) max_bytes = limit;
1070 }
1071 }
1072
1073 if (con->conf.kbytes_per_second) {
1074 off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second;
1075 if (limit <= 0) {
1076 /* we reached the traffic limit */
1077
1078 con->traffic_limit_reached = 1;
1079 joblist_append(srv, con);
1080
1081 return 1;
1082 } else {
1083 if (max_bytes > limit) max_bytes = limit;
1084 }
1085 }
1086
1087 written = cq->bytes_out;
1088
1089 #ifdef TCP_CORK
1090 /* Linux: put a cork into the socket as we want to combine the write() calls
1091 * but only if we really have multiple chunks
1092 */
1093 if (cq->first && cq->first->next) {
1094 corked = 1;
1095 setsockopt(con->fd, IPPROTO_TCP, TCP_CORK, &corked, sizeof(corked));
1096 }
1097 #endif
1098
1099 if (srv_socket->is_ssl) {
1100 #ifdef USE_OPENSSL
1101 ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes);
1102 #endif
1103 } else {
1104 ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes);
1105 }
1106
1107 if (ret >= 0) {
1108 chunkqueue_remove_finished_chunks(cq);
1109 ret = chunkqueue_is_empty(cq) ? 0 : 1;
1110 }
1111
1112 #ifdef TCP_CORK
1113 if (corked) {
1114 corked = 0;
1115 setsockopt(con->fd, IPPROTO_TCP, TCP_CORK, &corked, sizeof(corked));
1116 }
1117 #endif
1118
1119 written = cq->bytes_out - written;
1120 con->bytes_written += written;
1121 con->bytes_written_cur_second += written;
1122
1123 *(con->conf.global_bytes_per_second_cnt_ptr) += written;
1124
1125 return ret;
1126 }
A fast webserver with minimal memory-footprint (lighttpd)