src/network.c

   1 #include "first.h"
   2
   3 #include "network.h"
   4 #include "fdevent.h"
   5 #include "log.h"
   6 #include "connections.h"
   7 #include "plugin.h"
   8 #include "joblist.h"
   9 #include "configfile.h"
  10
  11 #include "network_backends.h"
  12 #include "sys-mmap.h"
  13 #include "sys-socket.h"
  14
  15 #include <sys/types.h>
  16 #include <sys/stat.h>
  17 #include <sys/time.h>
  18
  19 #include <errno.h>
  20 #include <fcntl.h>
  21 #include <unistd.h>
  22 #include <string.h>
  23 #include <stdlib.h>
  24 #include <assert.h>
  25
  26 #ifdef USE_OPENSSL
  27 # include <openssl/ssl.h>
  28 # include <openssl/err.h>
  29 # include <openssl/rand.h>
  30 # ifndef OPENSSL_NO_DH
  31 #  include <openssl/dh.h>
  32 # endif
  33 # include <openssl/bn.h>
  34
  35 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
  36 #  ifndef OPENSSL_NO_ECDH
  37 # include <openssl/ecdh.h>
  38 #  endif
  39 # endif
  40 #endif
  41
  42 #ifdef USE_OPENSSL
  43 static void ssl_info_callback(const SSL *ssl, int where, int ret) {
  44         UNUSED(ret);
  45
  46         if (0 != (where & SSL_CB_HANDSHAKE_START)) {
  47                 connection *con = SSL_get_app_data(ssl);
  48                 ++con->renegotiations;
  49         }
  50 }
  51 #endif
  52
  53 static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
  54         server_socket *srv_socket = (server_socket *)context;
  55         connection *con;
  56         int loops = 0;
  57
  58         UNUSED(context);
  59
  60         if (0 == (revents & FDEVENT_IN)) {
  61                 log_error_write(srv, __FILE__, __LINE__, "sdd",
  62                                 "strange event for server socket",
  63                                 srv_socket->fd,
  64                                 revents);
  65                 return HANDLER_ERROR;
  66         }
  67
  68         /* accept()s at most 100 connections directly
  69          *
  70          * we jump out after 100 to give the waiting connections a chance */
  71         for (loops = 0; loops < 100 && NULL != (con = connection_accept(srv, srv_socket)); loops++) {
  72                 connection_state_machine(srv, con);
  73         }
  74         return HANDLER_GO_ON;
  75 }
  76
  77 #if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
  78 static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
  79         const char *servername;
  80         connection *con = (connection *) SSL_get_app_data(ssl);
  81         UNUSED(al);
  82
  83         buffer_copy_string(con->uri.scheme, "https");
  84
  85         if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
  86 #if 0
  87                 /* this "error" just means the client didn't support it */
  88                 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
  89                                 "failed to get TLS server name");
  90 #endif
  91                 return SSL_TLSEXT_ERR_NOACK;
  92         }
  93         buffer_copy_string(con->tlsext_server_name, servername);
  94         buffer_to_lower(con->tlsext_server_name);
  95
  96         /* Sometimes this is still set, confusing COMP_HTTP_HOST */
  97         buffer_reset(con->uri.authority);
  98
  99         config_cond_cache_reset(srv, con);
 100         config_setup_connection(srv, con);
 101
 102         con->conditional_is_valid[COMP_SERVER_SOCKET] = 1;
 103         con->conditional_is_valid[COMP_HTTP_SCHEME] = 1;
 104         con->conditional_is_valid[COMP_HTTP_HOST] = 1;
 105         config_patch_connection(srv, con);
 106
 107         if (NULL == con->conf.ssl_pemfile_x509 || NULL == con->conf.ssl_pemfile_pkey) {
 108                 /* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */
 109                 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 110                         "no certificate/private key for TLS server name", con->tlsext_server_name);
 111                 return SSL_TLSEXT_ERR_ALERT_FATAL;
 112         }
 113
 114         /* first set certificate! setting private key checks whether certificate matches it */
 115         if (!SSL_use_certificate(ssl, con->conf.ssl_pemfile_x509)) {
 116                 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
 117                         "failed to set certificate for TLS server name", con->tlsext_server_name,
 118                         ERR_error_string(ERR_get_error(), NULL));
 119                 return SSL_TLSEXT_ERR_ALERT_FATAL;
 120         }
 121
 122         if (!SSL_use_PrivateKey(ssl, con->conf.ssl_pemfile_pkey)) {
 123                 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
 124                         "failed to set private key for TLS server name", con->tlsext_server_name,
 125                         ERR_error_string(ERR_get_error(), NULL));
 126                 return SSL_TLSEXT_ERR_ALERT_FATAL;
 127         }
 128
 129         if (con->conf.ssl_verifyclient) {
 130                 if (NULL == con->conf.ssl_ca_file_cert_names) {
 131                         log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
 132                                 "can't verify client without ssl.ca-file for TLS server name", con->tlsext_server_name,
 133                                 ERR_error_string(ERR_get_error(), NULL));
 134                         return SSL_TLSEXT_ERR_ALERT_FATAL;
 135                 }
 136
 137                 SSL_set_client_CA_list(ssl, SSL_dup_CA_list(con->conf.ssl_ca_file_cert_names));
 138                 /* forcing verification here is really not that useful - a client could just connect without SNI */
 139                 SSL_set_verify(
 140                         ssl,
 141                         SSL_VERIFY_PEER | (con->conf.ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
 142                         NULL
 143                 );
 144                 SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth);
 145         } else {
 146                 SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
 147         }
 148
 149         return SSL_TLSEXT_ERR_OK;
 150 }
 151 #endif
 152
 153 static int network_server_init(server *srv, buffer *host_token, specific_config *s) {
 154         int val;
 155         socklen_t addr_len;
 156         server_socket *srv_socket;
 157         unsigned int port = 0;
 158         const char *host;
 159         buffer *b;
 160         int is_unix_domain_socket = 0;
 161         int fd;
 162         int err;
 163
 164 #ifdef __WIN32
 165         WORD wVersionRequested;
 166         WSADATA wsaData;
 167
 168         wVersionRequested = MAKEWORD( 2, 2 );
 169
 170         err = WSAStartup( wVersionRequested, &wsaData );
 171         if ( err != 0 ) {
 172                     /* Tell the user that we could not find a usable */
 173                     /* WinSock DLL.                                  */
 174                     return -1;
 175         }
 176 #endif
 177         err = -1;
 178
 179         srv_socket = calloc(1, sizeof(*srv_socket));
 180         force_assert(NULL != srv_socket);
 181         srv_socket->fd = -1;
 182         srv_socket->fde_ndx = -1;
 183
 184         srv_socket->srv_token = buffer_init();
 185         buffer_copy_buffer(srv_socket->srv_token, host_token);
 186
 187         b = buffer_init();
 188         buffer_copy_buffer(b, host_token);
 189
 190         host = b->ptr;
 191
 192         if (host[0] == '/') {
 193                 /* host is a unix-domain-socket */
 194                 is_unix_domain_socket = 1;
 195         } else {
 196                 /* ipv4:port
 197                  * [ipv6]:port
 198                  */
 199                 size_t len = buffer_string_length(b);
 200                 char *sp = NULL;
 201                 if (0 == len) {
 202                         log_error_write(srv, __FILE__, __LINE__, "s", "value of $SERVER[\"socket\"] must not be empty");
 203                         goto error_free_socket;
 204                 }
 205                 if ((b->ptr[0] == '[' && b->ptr[len-1] == ']') || NULL == (sp = strrchr(b->ptr, ':'))) {
 206                         /* use server.port if set in config, or else default from config_set_defaults() */
 207                         port = srv->srvconf.port;
 208                         sp = b->ptr + len; /* point to '\0' at end of string so end of IPv6 address can be found below */
 209                 } else {
 210                         /* found ip:port separator at *sp; port doesn't end in ']', so *sp hopefully doesn't split an IPv6 address */
 211                         *(sp++) = '\0';
 212                         port = strtol(sp, NULL, 10);
 213                 }
 214
 215                 /* check for [ and ] */
 216                 if (b->ptr[0] == '[' && *(sp-1) == ']') {
 217                         *(sp-1) = '\0';
 218                         host++;
 219
 220                         s->use_ipv6 = 1;
 221                 }
 222
 223                 if (port == 0 || port > 65535) {
 224                         log_error_write(srv, __FILE__, __LINE__, "sd", "port not set or out of range:", port);
 225
 226                         goto error_free_socket;
 227                 }
 228         }
 229
 230         if (*host == '\0') host = NULL;
 231
 232         if (is_unix_domain_socket) {
 233 #ifdef HAVE_SYS_UN_H
 234
 235                 srv_socket->addr.plain.sa_family = AF_UNIX;
 236
 237                 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, 0))) {
 238                         log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
 239                         goto error_free_socket;
 240                 }
 241 #else
 242                 log_error_write(srv, __FILE__, __LINE__, "s",
 243                                 "ERROR: Unix Domain sockets are not supported.");
 244                 goto error_free_socket;
 245 #endif
 246         }
 247
 248 #ifdef HAVE_IPV6
 249         if (s->use_ipv6) {
 250                 srv_socket->addr.plain.sa_family = AF_INET6;
 251
 252                 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
 253                         log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
 254                         goto error_free_socket;
 255                 }
 256         }
 257 #endif
 258
 259         if (srv_socket->fd == -1) {
 260                 srv_socket->addr.plain.sa_family = AF_INET;
 261                 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
 262                         log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
 263                         goto error_free_socket;
 264                 }
 265         }
 266
 267         /* set FD_CLOEXEC now, fdevent_fcntl_set is called later; needed for pipe-logger forks */
 268         fd_close_on_exec(srv_socket->fd);
 269
 270         /* */
 271         srv->cur_fds = srv_socket->fd;
 272
 273         val = 1;
 274         if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
 275                 log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(SO_REUSEADDR) failed:", strerror(errno));
 276                 goto error_free_socket;
 277         }
 278
 279         switch(srv_socket->addr.plain.sa_family) {
 280 #ifdef HAVE_IPV6
 281         case AF_INET6:
 282                 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in6));
 283                 srv_socket->addr.ipv6.sin6_family = AF_INET6;
 284                 if (host == NULL) {
 285                         srv_socket->addr.ipv6.sin6_addr = in6addr_any;
 286                         log_error_write(srv, __FILE__, __LINE__, "s", "warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes");
 287                 } else {
 288                         struct addrinfo hints, *res;
 289                         int r;
 290
 291                         if (s->set_v6only) {
 292                                 val = 1;
 293                                 if (-1 == setsockopt(srv_socket->fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof(val))) {
 294                                         log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(IPV6_V6ONLY) failed:", strerror(errno));
 295                                         goto error_free_socket;
 296                                 }
 297                         } else {
 298                                 log_error_write(srv, __FILE__, __LINE__, "s", "warning: server.set-v6only will be removed soon, update your config to have different sockets for ipv4 and ipv6");
 299                         }
 300
 301                         memset(&hints, 0, sizeof(hints));
 302
 303                         hints.ai_family   = AF_INET6;
 304                         hints.ai_socktype = SOCK_STREAM;
 305                         hints.ai_protocol = IPPROTO_TCP;
 306
 307                         if (0 != (r = getaddrinfo(host, NULL, &hints, &res))) {
 308                                 log_error_write(srv, __FILE__, __LINE__,
 309                                                 "sssss", "getaddrinfo failed: ",
 310                                                 gai_strerror(r), "'", host, "'");
 311
 312                                 goto error_free_socket;
 313                         }
 314
 315                         memcpy(&(srv_socket->addr), res->ai_addr, res->ai_addrlen);
 316
 317                         freeaddrinfo(res);
 318                 }
 319                 srv_socket->addr.ipv6.sin6_port = htons(port);
 320                 addr_len = sizeof(struct sockaddr_in6);
 321                 break;
 322 #endif
 323         case AF_INET:
 324                 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in));
 325                 srv_socket->addr.ipv4.sin_family = AF_INET;
 326                 if (host == NULL) {
 327                         srv_socket->addr.ipv4.sin_addr.s_addr = htonl(INADDR_ANY);
 328                 } else {
 329                         struct hostent *he;
 330                         if (NULL == (he = gethostbyname(host))) {
 331                                 log_error_write(srv, __FILE__, __LINE__,
 332                                                 "sds", "gethostbyname failed: ",
 333                                                 h_errno, host);
 334                                 goto error_free_socket;
 335                         }
 336
 337                         if (he->h_addrtype != AF_INET) {
 338                                 log_error_write(srv, __FILE__, __LINE__, "sd", "addr-type != AF_INET: ", he->h_addrtype);
 339                                 goto error_free_socket;
 340                         }
 341
 342                         if (he->h_length != sizeof(struct in_addr)) {
 343                                 log_error_write(srv, __FILE__, __LINE__, "sd", "addr-length != sizeof(in_addr): ", he->h_length);
 344                                 goto error_free_socket;
 345                         }
 346
 347                         memcpy(&(srv_socket->addr.ipv4.sin_addr.s_addr), he->h_addr_list[0], he->h_length);
 348                 }
 349                 srv_socket->addr.ipv4.sin_port = htons(port);
 350
 351                 addr_len = sizeof(struct sockaddr_in);
 352
 353                 break;
 354         case AF_UNIX:
 355                 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_un));
 356                 srv_socket->addr.un.sun_family = AF_UNIX;
 357                 {
 358                         size_t hostlen = strlen(host) + 1;
 359                         if (hostlen > sizeof(srv_socket->addr.un.sun_path)) {
 360                                 log_error_write(srv, __FILE__, __LINE__, "sS", "unix socket filename too long:", host);
 361                                 goto error_free_socket;
 362                         }
 363                         memcpy(srv_socket->addr.un.sun_path, host, hostlen);
 364
 365 #if defined(SUN_LEN)
 366                         addr_len = SUN_LEN(&srv_socket->addr.un);
 367 #else
 368                         /* stevens says: */
 369                         addr_len = hostlen + sizeof(srv_socket->addr.un.sun_family);
 370 #endif
 371                 }
 372
 373                 if (srv->srvconf.preflight_check) break;
 374
 375                 /* check if the socket exists and try to connect to it. */
 376                 if (-1 != (fd = connect(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len))) {
 377                         close(fd);
 378
 379                         log_error_write(srv, __FILE__, __LINE__, "ss",
 380                                 "server socket is still in use:",
 381                                 host);
 382
 383
 384                         goto error_free_socket;
 385                 }
 386
 387                 /* connect failed */
 388                 switch(errno) {
 389                 case ECONNREFUSED:
 390                         unlink(host);
 391                         break;
 392                 case ENOENT:
 393                         break;
 394                 default:
 395                         log_error_write(srv, __FILE__, __LINE__, "sds",
 396                                 "testing socket failed:",
 397                                 host, strerror(errno));
 398
 399                         goto error_free_socket;
 400                 }
 401
 402                 break;
 403         default:
 404                 goto error_free_socket;
 405         }
 406
 407         if (srv->srvconf.preflight_check) {
 408                 err = 0;
 409                 goto error_free_socket;
 410         }
 411
 412         if (0 != bind(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len)) {
 413                 switch(srv_socket->addr.plain.sa_family) {
 414                 case AF_UNIX:
 415                         log_error_write(srv, __FILE__, __LINE__, "sds",
 416                                         "can't bind to socket:",
 417                                         host, strerror(errno));
 418                         break;
 419                 default:
 420                         log_error_write(srv, __FILE__, __LINE__, "ssds",
 421                                         "can't bind to port:",
 422                                         host, port, strerror(errno));
 423                         break;
 424                 }
 425                 goto error_free_socket;
 426         }
 427
 428         if (-1 == listen(srv_socket->fd, s->listen_backlog)) {
 429                 log_error_write(srv, __FILE__, __LINE__, "ss", "listen failed: ", strerror(errno));
 430                 goto error_free_socket;
 431         }
 432
 433         if (s->ssl_enabled) {
 434 #ifdef USE_OPENSSL
 435                 if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
 436                         log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
 437                         goto error_free_socket;
 438                 }
 439 #else
 440
 441                 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 442                                 "ssl requested but openssl support is not compiled in");
 443
 444                 goto error_free_socket;
 445 #endif
 446 #ifdef TCP_DEFER_ACCEPT
 447         } else if (s->defer_accept) {
 448                 int v = s->defer_accept;
 449                 if (-1 == setsockopt(srv_socket->fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &v, sizeof(v))) {
 450                         log_error_write(srv, __FILE__, __LINE__, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno));
 451                 }
 452 #endif
 453         } else {
 454 #ifdef SO_ACCEPTFILTER
 455                 /* FreeBSD accf_http filter */
 456                 struct accept_filter_arg afa;
 457                 memset(&afa, 0, sizeof(afa));
 458                 strcpy(afa.af_name, "httpready");
 459                 if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)) < 0) {
 460                         if (errno != ENOENT) {
 461                                 log_error_write(srv, __FILE__, __LINE__, "ss", "can't set accept-filter 'httpready': ", strerror(errno));
 462                         }
 463                 }
 464 #endif
 465         }
 466
 467         srv_socket->is_ssl = s->ssl_enabled;
 468
 469         if (srv->srv_sockets.size == 0) {
 470                 srv->srv_sockets.size = 4;
 471                 srv->srv_sockets.used = 0;
 472                 srv->srv_sockets.ptr = malloc(srv->srv_sockets.size * sizeof(server_socket*));
 473                 force_assert(NULL != srv->srv_sockets.ptr);
 474         } else if (srv->srv_sockets.used == srv->srv_sockets.size) {
 475                 srv->srv_sockets.size += 4;
 476                 srv->srv_sockets.ptr = realloc(srv->srv_sockets.ptr, srv->srv_sockets.size * sizeof(server_socket*));
 477                 force_assert(NULL != srv->srv_sockets.ptr);
 478         }
 479
 480         srv->srv_sockets.ptr[srv->srv_sockets.used++] = srv_socket;
 481
 482         buffer_free(b);
 483
 484         return 0;
 485
 486 error_free_socket:
 487         if (srv_socket->fd != -1) {
 488                 /* check if server fd are already registered */
 489                 if (srv_socket->fde_ndx != -1) {
 490                         fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
 491                         fdevent_unregister(srv->ev, srv_socket->fd);
 492                 }
 493
 494                 close(srv_socket->fd);
 495         }
 496         buffer_free(srv_socket->srv_token);
 497         free(srv_socket);
 498
 499         buffer_free(b);
 500
 501         return err; /* -1 if error; 0 if srv->srvconf.preflight_check successful */
 502 }
 503
 504 int network_close(server *srv) {
 505         size_t i;
 506         for (i = 0; i < srv->srv_sockets.used; i++) {
 507                 server_socket *srv_socket = srv->srv_sockets.ptr[i];
 508
 509                 if (srv_socket->fd != -1) {
 510                         /* check if server fd are already registered */
 511                         if (srv_socket->fde_ndx != -1) {
 512                                 fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
 513                                 fdevent_unregister(srv->ev, srv_socket->fd);
 514                         }
 515
 516                         close(srv_socket->fd);
 517                 }
 518
 519                 buffer_free(srv_socket->srv_token);
 520
 521                 free(srv_socket);
 522         }
 523
 524         free(srv->srv_sockets.ptr);
 525
 526         return 0;
 527 }
 528
 529 typedef enum {
 530         NETWORK_BACKEND_UNSET,
 531         NETWORK_BACKEND_WRITE,
 532         NETWORK_BACKEND_WRITEV,
 533         NETWORK_BACKEND_SENDFILE,
 534 } network_backend_t;
 535
 536 #ifdef USE_OPENSSL
 537 static X509* x509_load_pem_file(server *srv, const char *file) {
 538         BIO *in;
 539         X509 *x = NULL;
 540
 541         in = BIO_new(BIO_s_file());
 542         if (NULL == in) {
 543                 log_error_write(srv, __FILE__, __LINE__, "S", "SSL: BIO_new(BIO_s_file()) failed");
 544                 goto error;
 545         }
 546
 547         if (BIO_read_filename(in,file) <= 0) {
 548                 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed");
 549                 goto error;
 550         }
 551         x = PEM_read_bio_X509(in, NULL, NULL, NULL);
 552
 553         if (NULL == x) {
 554                 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read X509 certificate from '", file,"'");
 555                 goto error;
 556         }
 557
 558         BIO_free(in);
 559         return x;
 560
 561 error:
 562         if (NULL != in) BIO_free(in);
 563         return NULL;
 564 }
 565
 566 static EVP_PKEY* evp_pkey_load_pem_file(server *srv, const char *file) {
 567         BIO *in;
 568         EVP_PKEY *x = NULL;
 569
 570         in=BIO_new(BIO_s_file());
 571         if (NULL == in) {
 572                 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BIO_new(BIO_s_file()) failed");
 573                 goto error;
 574         }
 575
 576         if (BIO_read_filename(in,file) <= 0) {
 577                 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed");
 578                 goto error;
 579         }
 580         x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
 581
 582         if (NULL == x) {
 583                 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read private key from '", file,"'");
 584                 goto error;
 585         }
 586
 587         BIO_free(in);
 588         return x;
 589
 590 error:
 591         if (NULL != in) BIO_free(in);
 592         return NULL;
 593 }
 594
 595 static int network_openssl_load_pemfile(server *srv, size_t ndx) {
 596         specific_config *s = srv->config_storage[ndx];
 597
 598 #ifdef OPENSSL_NO_TLSEXT
 599         {
 600                 data_config *dc = (data_config *)srv->config_context->data[ndx];
 601                 if ((ndx > 0 && (COMP_SERVER_SOCKET != dc->comp || dc->cond != CONFIG_COND_EQ))
 602                         || !s->ssl_enabled) {
 603                         log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 604                                         "ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions");
 605                         return -1;
 606                 }
 607         }
 608 #endif
 609
 610         if (NULL == (s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
 611         if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1;
 612
 613         if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
 614                 log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
 615                                 "Private key does not match the certificate public key, reason:",
 616                                 ERR_error_string(ERR_get_error(), NULL),
 617                                 s->ssl_pemfile);
 618                 return -1;
 619         }
 620
 621         return 0;
 622 }
 623 #endif
 624
 625 int network_init(server *srv) {
 626         buffer *b;
 627         size_t i, j;
 628         network_backend_t backend;
 629
 630 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
 631 #ifndef OPENSSL_NO_ECDH
 632         EC_KEY *ecdh;
 633         int nid;
 634 #endif
 635 #endif
 636
 637 #ifdef USE_OPENSSL
 638 # ifndef OPENSSL_NO_DH
 639         DH *dh;
 640 # endif
 641         BIO *bio;
 642
 643        /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
 644         * -----BEGIN DH PARAMETERS-----
 645         * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
 646         * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
 647         * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
 648         * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
 649         * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
 650         * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
 651         * -----END DH PARAMETERS-----
 652         */
 653
 654         static const unsigned char dh1024_p[]={
 655                 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
 656                 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
 657                 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
 658                 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
 659                 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
 660                 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
 661                 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
 662                 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
 663                 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
 664                 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
 665                 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
 666         };
 667
 668         static const unsigned char dh1024_g[]={
 669                 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
 670                 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
 671                 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
 672                 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
 673                 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
 674                 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
 675                 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
 676                 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
 677                 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
 678                 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
 679                 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
 680         };
 681 #endif
 682
 683         struct nb_map {
 684                 network_backend_t nb;
 685                 const char *name;
 686         } network_backends[] = {
 687                 /* lowest id wins */
 688 #if defined USE_SENDFILE
 689                 { NETWORK_BACKEND_SENDFILE,   "sendfile" },
 690 #endif
 691 #if defined USE_LINUX_SENDFILE
 692                 { NETWORK_BACKEND_SENDFILE,   "linux-sendfile" },
 693 #endif
 694 #if defined USE_FREEBSD_SENDFILE
 695                 { NETWORK_BACKEND_SENDFILE,   "freebsd-sendfile" },
 696 #endif
 697 #if defined USE_SOLARIS_SENDFILEV
 698                 { NETWORK_BACKEND_SENDFILE,   "solaris-sendfilev" },
 699 #endif
 700 #if defined USE_WRITEV
 701                 { NETWORK_BACKEND_WRITEV,     "writev" },
 702 #endif
 703                 { NETWORK_BACKEND_WRITE,      "write" },
 704                 { NETWORK_BACKEND_UNSET,       NULL }
 705         };
 706
 707 #ifdef USE_OPENSSL
 708         /* load SSL certificates */
 709         for (i = 0; i < srv->config_context->used; i++) {
 710                 specific_config *s = srv->config_storage[i];
 711 #ifndef SSL_OP_NO_COMPRESSION
 712 # define SSL_OP_NO_COMPRESSION 0
 713 #endif
 714                 long ssloptions =
 715                         SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
 716
 717                 if (buffer_string_is_empty(s->ssl_pemfile) && buffer_string_is_empty(s->ssl_ca_file)) continue;
 718
 719                 if (srv->ssl_is_init == 0) {
 720                         SSL_load_error_strings();
 721                         SSL_library_init();
 722                         OpenSSL_add_all_algorithms();
 723                         srv->ssl_is_init = 1;
 724
 725                         if (0 == RAND_status()) {
 726                                 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 727                                                 "not enough entropy in the pool");
 728                                 return -1;
 729                         }
 730                 }
 731
 732                 if (!buffer_string_is_empty(s->ssl_pemfile)) {
 733 #ifdef OPENSSL_NO_TLSEXT
 734                         data_config *dc = (data_config *)srv->config_context->data[i];
 735                         if (COMP_HTTP_HOST == dc->comp) {
 736                                 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 737                                                 "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
 738                                 return -1;
 739                         }
 740 #endif
 741                         if (network_openssl_load_pemfile(srv, i)) return -1;
 742                 }
 743
 744
 745                 if (!buffer_string_is_empty(s->ssl_ca_file)) {
 746                         s->ssl_ca_file_cert_names = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
 747                         if (NULL == s->ssl_ca_file_cert_names) {
 748                                 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 749                                                 ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
 750                         }
 751                 }
 752
 753                 if (buffer_string_is_empty(s->ssl_pemfile) || !s->ssl_enabled) continue;
 754
 755                 if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
 756                         log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 757                                         ERR_error_string(ERR_get_error(), NULL));
 758                         return -1;
 759                 }
 760
 761                 /* completely useless identifier; required for client cert verification to work with sessions */
 762                 if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
 763                         log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:",
 764                                 "failed to set session context",
 765                                 ERR_error_string(ERR_get_error(), NULL));
 766                         return -1;
 767                 }
 768
 769                 if (s->ssl_empty_fragments) {
 770 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 771                         ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 772 #else
 773                         ssloptions &= ~0x00000800L; /* hardcode constant */
 774                         log_error_write(srv, __FILE__, __LINE__, "ss", "WARNING: SSL:",
 775                                         "'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
 776 #endif
 777                 }
 778
 779                 SSL_CTX_set_options(s->ssl_ctx, ssloptions);
 780                 SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
 781
 782                 if (!s->ssl_use_sslv2) {
 783                         /* disable SSLv2 */
 784                         if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
 785                                 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 786                                                 ERR_error_string(ERR_get_error(), NULL));
 787                                 return -1;
 788                         }
 789                 }
 790
 791                 if (!s->ssl_use_sslv3) {
 792                         /* disable SSLv3 */
 793                         if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) {
 794                                 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 795                                                 ERR_error_string(ERR_get_error(), NULL));
 796                                 return -1;
 797                         }
 798                 }
 799
 800                 if (!buffer_string_is_empty(s->ssl_cipher_list)) {
 801                         /* Disable support for low encryption ciphers */
 802                         if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
 803                                 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 804                                                 ERR_error_string(ERR_get_error(), NULL));
 805                                 return -1;
 806                         }
 807
 808                         if (s->ssl_honor_cipher_order) {
 809                                 SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 810                         }
 811                 }
 812
 813 #ifndef OPENSSL_NO_DH
 814                 /* Support for Diffie-Hellman key exchange */
 815                 if (!buffer_string_is_empty(s->ssl_dh_file)) {
 816                         /* DH parameters from file */
 817                         bio = BIO_new_file((char *) s->ssl_dh_file->ptr, "r");
 818                         if (bio == NULL) {
 819                                 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to open file", s->ssl_dh_file->ptr);
 820                                 return -1;
 821                         }
 822                         dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
 823                         BIO_free(bio);
 824                         if (dh == NULL) {
 825                                 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: PEM_read_bio_DHparams failed", s->ssl_dh_file->ptr);
 826                                 return -1;
 827                         }
 828                 } else {
 829                         /* Default DH parameters from RFC5114 */
 830                         dh = DH_new();
 831                         if (dh == NULL) {
 832                                 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed");
 833                                 return -1;
 834                         }
 835                         dh->p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
 836                         dh->g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
 837                         dh->length = 160;
 838                         if ((dh->p == NULL) || (dh->g == NULL)) {
 839                                 DH_free(dh);
 840                                 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
 841                                 return -1;
 842                         }
 843                 }
 844                 SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
 845                 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
 846                 DH_free(dh);
 847 #else
 848                 if (!buffer_string_is_empty(s->ssl_dh_file)) {
 849                         log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: openssl compiled without DH support, can't load parameters from", s->ssl_dh_file->ptr);
 850                 }
 851 #endif
 852
 853 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
 854 #ifndef OPENSSL_NO_ECDH
 855                 /* Support for Elliptic-Curve Diffie-Hellman key exchange */
 856                 if (!buffer_string_is_empty(s->ssl_ec_curve)) {
 857                         /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
 858                         nid = OBJ_sn2nid((char *) s->ssl_ec_curve->ptr);
 859                         if (nid == 0) {
 860                                 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unknown curve name", s->ssl_ec_curve->ptr);
 861                                 return -1;
 862                         }
 863                 } else {
 864                         /* Default curve */
 865                         nid = OBJ_sn2nid("prime256v1");
 866                 }
 867                 ecdh = EC_KEY_new_by_curve_name(nid);
 868                 if (ecdh == NULL) {
 869                         log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to create curve", s->ssl_ec_curve->ptr);
 870                         return -1;
 871                 }
 872                 SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
 873                 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
 874                 EC_KEY_free(ecdh);
 875 #endif
 876 #endif
 877
 878                 /* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */
 879                 for (j = 0; j < srv->config_context->used; j++) {
 880                         specific_config *s1 = srv->config_storage[j];
 881
 882                         if (!buffer_string_is_empty(s1->ssl_ca_file)) {
 883                                 if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s1->ssl_ca_file->ptr, NULL)) {
 884                                         log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 885                                                         ERR_error_string(ERR_get_error(), NULL), s1->ssl_ca_file);
 886                                         return -1;
 887                                 }
 888                         }
 889                 }
 890
 891                 if (s->ssl_verifyclient) {
 892                         if (NULL == s->ssl_ca_file_cert_names) {
 893                                 log_error_write(srv, __FILE__, __LINE__, "s",
 894                                         "SSL: You specified ssl.verifyclient.activate but no ca_file"
 895                                 );
 896                                 return -1;
 897                         }
 898                         SSL_CTX_set_client_CA_list(s->ssl_ctx, SSL_dup_CA_list(s->ssl_ca_file_cert_names));
 899                         SSL_CTX_set_verify(
 900                                 s->ssl_ctx,
 901                                 SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
 902                                 NULL
 903                         );
 904                         SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
 905                 }
 906
 907                 if (SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509) < 0) {
 908                         log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 909                                         ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
 910                         return -1;
 911                 }
 912
 913                 if (SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey) < 0) {
 914                         log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 915                                         ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
 916                         return -1;
 917                 }
 918
 919                 if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
 920                         log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
 921                                         "Private key does not match the certificate public key, reason:",
 922                                         ERR_error_string(ERR_get_error(), NULL),
 923                                         s->ssl_pemfile);
 924                         return -1;
 925                 }
 926                 SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
 927                 SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 928
 929 # ifndef OPENSSL_NO_TLSEXT
 930                 if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
 931                     !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
 932                         log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 933                                         "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
 934                         return -1;
 935                 }
 936 # endif
 937         }
 938 #endif
 939
 940         b = buffer_init();
 941
 942         buffer_copy_buffer(b, srv->srvconf.bindhost);
 943         buffer_append_string_len(b, CONST_STR_LEN(":"));
 944         buffer_append_int(b, srv->srvconf.port);
 945
 946         if (0 != network_server_init(srv, b, srv->config_storage[0])) {
 947                 buffer_free(b);
 948                 return -1;
 949         }
 950         buffer_free(b);
 951
 952 #ifdef USE_OPENSSL
 953         srv->network_ssl_backend_write = network_write_chunkqueue_openssl;
 954 #endif
 955
 956         /* get a usefull default */
 957         backend = network_backends[0].nb;
 958
 959         /* match name against known types */
 960         if (!buffer_string_is_empty(srv->srvconf.network_backend)) {
 961                 for (i = 0; network_backends[i].name; i++) {
 962                         /**/
 963                         if (buffer_is_equal_string(srv->srvconf.network_backend, network_backends[i].name, strlen(network_backends[i].name))) {
 964                                 backend = network_backends[i].nb;
 965                                 break;
 966                         }
 967                 }
 968                 if (NULL == network_backends[i].name) {
 969                         /* we don't know it */
 970
 971                         log_error_write(srv, __FILE__, __LINE__, "sb",
 972                                         "server.network-backend has a unknown value:",
 973                                         srv->srvconf.network_backend);
 974
 975                         return -1;
 976                 }
 977         }
 978
 979         switch(backend) {
 980         case NETWORK_BACKEND_WRITE:
 981                 srv->network_backend_write = network_write_chunkqueue_write;
 982                 break;
 983 #if defined(USE_WRITEV)
 984         case NETWORK_BACKEND_WRITEV:
 985                 srv->network_backend_write = network_write_chunkqueue_writev;
 986                 break;
 987 #endif
 988 #if defined(USE_SENDFILE)
 989         case NETWORK_BACKEND_SENDFILE:
 990                 srv->network_backend_write = network_write_chunkqueue_sendfile;
 991                 break;
 992 #endif
 993         default:
 994                 return -1;
 995         }
 996
 997         /* check for $SERVER["socket"] */
 998         for (i = 1; i < srv->config_context->used; i++) {
 999                 data_config *dc = (data_config *)srv->config_context->data[i];
1000                 specific_config *s = srv->config_storage[i];
1001
1002                 /* not our stage */
1003                 if (COMP_SERVER_SOCKET != dc->comp) continue;
1004
1005                 if (dc->cond != CONFIG_COND_EQ) continue;
1006
1007                 /* check if we already know this socket,
1008                  * if yes, don't init it */
1009                 for (j = 0; j < srv->srv_sockets.used; j++) {
1010                         if (buffer_is_equal(srv->srv_sockets.ptr[j]->srv_token, dc->string)) {
1011                                 break;
1012                         }
1013                 }
1014
1015                 if (j == srv->srv_sockets.used) {
1016                         if (0 != network_server_init(srv, dc->string, s)) return -1;
1017                 }
1018         }
1019
1020         return 0;
1021 }
1022
1023 int network_register_fdevents(server *srv) {
1024         size_t i;
1025
1026         if (-1 == fdevent_reset(srv->ev)) {
1027                 return -1;
1028         }
1029
1030         /* register fdevents after reset */
1031         for (i = 0; i < srv->srv_sockets.used; i++) {
1032                 server_socket *srv_socket = srv->srv_sockets.ptr[i];
1033
1034                 fdevent_register(srv->ev, srv_socket->fd, network_server_handle_fdevent, srv_socket);
1035                 fdevent_event_set(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd, FDEVENT_IN);
1036         }
1037         return 0;
1038 }
1039
1040 int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) {
1041         int ret = -1;
1042         off_t written = 0;
1043 #ifdef TCP_CORK
1044         int corked = 0;
1045 #endif
1046         server_socket *srv_socket = con->srv_socket;
1047
1048         if (con->conf.global_kbytes_per_second) {
1049                 off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr);
1050                 if (limit <= 0) {
1051                         /* we reached the global traffic limit */
1052
1053                         con->traffic_limit_reached = 1;
1054                         joblist_append(srv, con);
1055
1056                         return 1;
1057                 } else {
1058                         if (max_bytes > limit) max_bytes = limit;
1059                 }
1060         }
1061
1062         if (con->conf.kbytes_per_second) {
1063                 off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second;
1064                 if (limit <= 0) {
1065                         /* we reached the traffic limit */
1066
1067                         con->traffic_limit_reached = 1;
1068                         joblist_append(srv, con);
1069
1070                         return 1;
1071                 } else {
1072                         if (max_bytes > limit) max_bytes = limit;
1073                 }
1074         }
1075
1076         written = cq->bytes_out;
1077
1078 #ifdef TCP_CORK
1079         /* Linux: put a cork into the socket as we want to combine the write() calls
1080          * but only if we really have multiple chunks
1081          */
1082         if (cq->first && cq->first->next) {
1083                 corked = 1;
1084                 setsockopt(con->fd, IPPROTO_TCP, TCP_CORK, &corked, sizeof(corked));
1085         }
1086 #endif
1087
1088         if (srv_socket->is_ssl) {
1089 #ifdef USE_OPENSSL
1090                 ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes);
1091 #endif
1092         } else {
1093                 ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes);
1094         }
1095
1096         if (ret >= 0) {
1097                 chunkqueue_remove_finished_chunks(cq);
1098                 ret = chunkqueue_is_empty(cq) ? 0 : 1;
1099         }
1100
1101 #ifdef TCP_CORK
1102         if (corked) {
1103                 corked = 0;
1104                 setsockopt(con->fd, IPPROTO_TCP, TCP_CORK, &corked, sizeof(corked));
1105         }
1106 #endif
1107
1108         written = cq->bytes_out - written;
1109         con->bytes_written += written;
1110         con->bytes_written_cur_second += written;
1111
1112         *(con->conf.global_bytes_per_second_cnt_ptr) += written;
1113
1114         return ret;
1115 }