6 #include "connections.h"
9 #include "configfile.h"
11 #include "network_backends.h"
13 #include "sys-socket.h"
15 #include <sys/types.h>
27 # include <openssl/ssl.h>
28 # include <openssl/err.h>
29 # include <openssl/rand.h>
30 # ifndef OPENSSL_NO_DH
31 # include <openssl/dh.h>
33 # include <openssl/bn.h>
35 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
36 # ifndef OPENSSL_NO_ECDH
37 # include <openssl/ecdh.h>
43 static void ssl_info_callback(const SSL
*ssl
, int where
, int ret
) {
46 if (0 != (where
& SSL_CB_HANDSHAKE_START
)) {
47 connection
*con
= SSL_get_app_data(ssl
);
48 ++con
->renegotiations
;
53 static handler_t
network_server_handle_fdevent(server
*srv
, void *context
, int revents
) {
54 server_socket
*srv_socket
= (server_socket
*)context
;
60 if (0 == (revents
& FDEVENT_IN
)) {
61 log_error_write(srv
, __FILE__
, __LINE__
, "sdd",
62 "strange event for server socket",
68 /* accept()s at most 100 connections directly
70 * we jump out after 100 to give the waiting connections a chance */
71 for (loops
= 0; loops
< 100 && NULL
!= (con
= connection_accept(srv
, srv_socket
)); loops
++) {
72 connection_state_machine(srv
, con
);
77 #if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
78 static int network_ssl_servername_callback(SSL
*ssl
, int *al
, server
*srv
) {
79 const char *servername
;
80 connection
*con
= (connection
*) SSL_get_app_data(ssl
);
83 buffer_copy_string(con
->uri
.scheme
, "https");
85 if (NULL
== (servername
= SSL_get_servername(ssl
, TLSEXT_NAMETYPE_host_name
))) {
87 /* this "error" just means the client didn't support it */
88 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
89 "failed to get TLS server name");
91 return SSL_TLSEXT_ERR_NOACK
;
93 buffer_copy_string(con
->tlsext_server_name
, servername
);
94 buffer_to_lower(con
->tlsext_server_name
);
96 /* Sometimes this is still set, confusing COMP_HTTP_HOST */
97 buffer_reset(con
->uri
.authority
);
99 config_cond_cache_reset(srv
, con
);
100 config_setup_connection(srv
, con
);
102 con
->conditional_is_valid
[COMP_SERVER_SOCKET
] = 1;
103 con
->conditional_is_valid
[COMP_HTTP_SCHEME
] = 1;
104 con
->conditional_is_valid
[COMP_HTTP_HOST
] = 1;
105 config_patch_connection(srv
, con
);
107 if (NULL
== con
->conf
.ssl_pemfile_x509
|| NULL
== con
->conf
.ssl_pemfile_pkey
) {
108 /* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */
109 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
110 "no certificate/private key for TLS server name", con
->tlsext_server_name
);
111 return SSL_TLSEXT_ERR_ALERT_FATAL
;
114 /* first set certificate! setting private key checks whether certificate matches it */
115 if (!SSL_use_certificate(ssl
, con
->conf
.ssl_pemfile_x509
)) {
116 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
117 "failed to set certificate for TLS server name", con
->tlsext_server_name
,
118 ERR_error_string(ERR_get_error(), NULL
));
119 return SSL_TLSEXT_ERR_ALERT_FATAL
;
122 if (!SSL_use_PrivateKey(ssl
, con
->conf
.ssl_pemfile_pkey
)) {
123 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
124 "failed to set private key for TLS server name", con
->tlsext_server_name
,
125 ERR_error_string(ERR_get_error(), NULL
));
126 return SSL_TLSEXT_ERR_ALERT_FATAL
;
129 if (con
->conf
.ssl_verifyclient
) {
130 if (NULL
== con
->conf
.ssl_ca_file_cert_names
) {
131 log_error_write(srv
, __FILE__
, __LINE__
, "ssb:s", "SSL:",
132 "can't verify client without ssl.ca-file for TLS server name", con
->tlsext_server_name
,
133 ERR_error_string(ERR_get_error(), NULL
));
134 return SSL_TLSEXT_ERR_ALERT_FATAL
;
137 SSL_set_client_CA_list(ssl
, SSL_dup_CA_list(con
->conf
.ssl_ca_file_cert_names
));
138 /* forcing verification here is really not that useful - a client could just connect without SNI */
141 SSL_VERIFY_PEER
| (con
->conf
.ssl_verifyclient_enforce
? SSL_VERIFY_FAIL_IF_NO_PEER_CERT
: 0),
144 SSL_set_verify_depth(ssl
, con
->conf
.ssl_verifyclient_depth
);
146 SSL_set_verify(ssl
, SSL_VERIFY_NONE
, NULL
);
149 return SSL_TLSEXT_ERR_OK
;
153 static int network_server_init(server
*srv
, buffer
*host_token
, specific_config
*s
) {
156 server_socket
*srv_socket
;
157 unsigned int port
= 0;
160 int is_unix_domain_socket
= 0;
165 WORD wVersionRequested
;
168 wVersionRequested
= MAKEWORD( 2, 2 );
170 err
= WSAStartup( wVersionRequested
, &wsaData
);
172 /* Tell the user that we could not find a usable */
179 srv_socket
= calloc(1, sizeof(*srv_socket
));
180 force_assert(NULL
!= srv_socket
);
182 srv_socket
->fde_ndx
= -1;
184 srv_socket
->srv_token
= buffer_init();
185 buffer_copy_buffer(srv_socket
->srv_token
, host_token
);
188 buffer_copy_buffer(b
, host_token
);
192 if (host
[0] == '/') {
193 /* host is a unix-domain-socket */
194 is_unix_domain_socket
= 1;
199 size_t len
= buffer_string_length(b
);
202 log_error_write(srv
, __FILE__
, __LINE__
, "s", "value of $SERVER[\"socket\"] must not be empty");
203 goto error_free_socket
;
205 if ((b
->ptr
[0] == '[' && b
->ptr
[len
-1] == ']') || NULL
== (sp
= strrchr(b
->ptr
, ':'))) {
206 /* use server.port if set in config, or else default from config_set_defaults() */
207 port
= srv
->srvconf
.port
;
208 sp
= b
->ptr
+ len
; /* point to '\0' at end of string so end of IPv6 address can be found below */
210 /* found ip:port separator at *sp; port doesn't end in ']', so *sp hopefully doesn't split an IPv6 address */
212 port
= strtol(sp
, NULL
, 10);
215 /* check for [ and ] */
216 if (b
->ptr
[0] == '[' && *(sp
-1) == ']') {
223 if (port
== 0 || port
> 65535) {
224 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "port not set or out of range:", port
);
226 goto error_free_socket
;
230 if (*host
== '\0') host
= NULL
;
232 if (is_unix_domain_socket
) {
235 srv_socket
->addr
.plain
.sa_family
= AF_UNIX
;
237 if (-1 == (srv_socket
->fd
= socket(srv_socket
->addr
.plain
.sa_family
, SOCK_STREAM
, 0))) {
238 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socket failed:", strerror(errno
));
239 goto error_free_socket
;
242 log_error_write(srv
, __FILE__
, __LINE__
, "s",
243 "ERROR: Unix Domain sockets are not supported.");
244 goto error_free_socket
;
250 srv_socket
->addr
.plain
.sa_family
= AF_INET6
;
252 if (-1 == (srv_socket
->fd
= socket(srv_socket
->addr
.plain
.sa_family
, SOCK_STREAM
, IPPROTO_TCP
))) {
253 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socket failed:", strerror(errno
));
254 goto error_free_socket
;
259 if (srv_socket
->fd
== -1) {
260 srv_socket
->addr
.plain
.sa_family
= AF_INET
;
261 if (-1 == (srv_socket
->fd
= socket(srv_socket
->addr
.plain
.sa_family
, SOCK_STREAM
, IPPROTO_TCP
))) {
262 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socket failed:", strerror(errno
));
263 goto error_free_socket
;
267 /* set FD_CLOEXEC now, fdevent_fcntl_set is called later; needed for pipe-logger forks */
268 fd_close_on_exec(srv_socket
->fd
);
271 srv
->cur_fds
= srv_socket
->fd
;
274 if (setsockopt(srv_socket
->fd
, SOL_SOCKET
, SO_REUSEADDR
, &val
, sizeof(val
)) < 0) {
275 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socketsockopt(SO_REUSEADDR) failed:", strerror(errno
));
276 goto error_free_socket
;
279 switch(srv_socket
->addr
.plain
.sa_family
) {
282 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_in6
));
283 srv_socket
->addr
.ipv6
.sin6_family
= AF_INET6
;
285 srv_socket
->addr
.ipv6
.sin6_addr
= in6addr_any
;
286 log_error_write(srv
, __FILE__
, __LINE__
, "s", "warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes");
288 struct addrinfo hints
, *res
;
293 if (-1 == setsockopt(srv_socket
->fd
, IPPROTO_IPV6
, IPV6_V6ONLY
, &val
, sizeof(val
))) {
294 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "socketsockopt(IPV6_V6ONLY) failed:", strerror(errno
));
295 goto error_free_socket
;
298 log_error_write(srv
, __FILE__
, __LINE__
, "s", "warning: server.set-v6only will be removed soon, update your config to have different sockets for ipv4 and ipv6");
301 memset(&hints
, 0, sizeof(hints
));
303 hints
.ai_family
= AF_INET6
;
304 hints
.ai_socktype
= SOCK_STREAM
;
305 hints
.ai_protocol
= IPPROTO_TCP
;
307 if (0 != (r
= getaddrinfo(host
, NULL
, &hints
, &res
))) {
308 log_error_write(srv
, __FILE__
, __LINE__
,
309 "sssss", "getaddrinfo failed: ",
310 gai_strerror(r
), "'", host
, "'");
312 goto error_free_socket
;
315 memcpy(&(srv_socket
->addr
), res
->ai_addr
, res
->ai_addrlen
);
319 srv_socket
->addr
.ipv6
.sin6_port
= htons(port
);
320 addr_len
= sizeof(struct sockaddr_in6
);
324 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_in
));
325 srv_socket
->addr
.ipv4
.sin_family
= AF_INET
;
327 srv_socket
->addr
.ipv4
.sin_addr
.s_addr
= htonl(INADDR_ANY
);
330 if (NULL
== (he
= gethostbyname(host
))) {
331 log_error_write(srv
, __FILE__
, __LINE__
,
332 "sds", "gethostbyname failed: ",
334 goto error_free_socket
;
337 if (he
->h_addrtype
!= AF_INET
) {
338 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "addr-type != AF_INET: ", he
->h_addrtype
);
339 goto error_free_socket
;
342 if (he
->h_length
!= sizeof(struct in_addr
)) {
343 log_error_write(srv
, __FILE__
, __LINE__
, "sd", "addr-length != sizeof(in_addr): ", he
->h_length
);
344 goto error_free_socket
;
347 memcpy(&(srv_socket
->addr
.ipv4
.sin_addr
.s_addr
), he
->h_addr_list
[0], he
->h_length
);
349 srv_socket
->addr
.ipv4
.sin_port
= htons(port
);
351 addr_len
= sizeof(struct sockaddr_in
);
355 memset(&srv_socket
->addr
, 0, sizeof(struct sockaddr_un
));
356 srv_socket
->addr
.un
.sun_family
= AF_UNIX
;
358 size_t hostlen
= strlen(host
) + 1;
359 if (hostlen
> sizeof(srv_socket
->addr
.un
.sun_path
)) {
360 log_error_write(srv
, __FILE__
, __LINE__
, "sS", "unix socket filename too long:", host
);
361 goto error_free_socket
;
363 memcpy(srv_socket
->addr
.un
.sun_path
, host
, hostlen
);
366 addr_len
= SUN_LEN(&srv_socket
->addr
.un
);
369 addr_len
= hostlen
+ sizeof(srv_socket
->addr
.un
.sun_family
);
373 if (srv
->srvconf
.preflight_check
) break;
375 /* check if the socket exists and try to connect to it. */
376 if (-1 != (fd
= connect(srv_socket
->fd
, (struct sockaddr
*) &(srv_socket
->addr
), addr_len
))) {
379 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
380 "server socket is still in use:",
384 goto error_free_socket
;
395 log_error_write(srv
, __FILE__
, __LINE__
, "sds",
396 "testing socket failed:",
397 host
, strerror(errno
));
399 goto error_free_socket
;
404 goto error_free_socket
;
407 if (srv
->srvconf
.preflight_check
) {
409 goto error_free_socket
;
412 if (0 != bind(srv_socket
->fd
, (struct sockaddr
*) &(srv_socket
->addr
), addr_len
)) {
413 switch(srv_socket
->addr
.plain
.sa_family
) {
415 log_error_write(srv
, __FILE__
, __LINE__
, "sds",
416 "can't bind to socket:",
417 host
, strerror(errno
));
420 log_error_write(srv
, __FILE__
, __LINE__
, "ssds",
421 "can't bind to port:",
422 host
, port
, strerror(errno
));
425 goto error_free_socket
;
428 if (-1 == listen(srv_socket
->fd
, s
->listen_backlog
)) {
429 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "listen failed: ", strerror(errno
));
430 goto error_free_socket
;
433 if (s
->ssl_enabled
) {
435 if (NULL
== (srv_socket
->ssl_ctx
= s
->ssl_ctx
)) {
436 log_error_write(srv
, __FILE__
, __LINE__
, "s", "ssl.pemfile has to be set");
437 goto error_free_socket
;
441 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
442 "ssl requested but openssl support is not compiled in");
444 goto error_free_socket
;
446 #ifdef TCP_DEFER_ACCEPT
447 } else if (s
->defer_accept
) {
448 int v
= s
->defer_accept
;
449 if (-1 == setsockopt(srv_socket
->fd
, IPPROTO_TCP
, TCP_DEFER_ACCEPT
, &v
, sizeof(v
))) {
450 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno
));
454 #ifdef SO_ACCEPTFILTER
455 /* FreeBSD accf_http filter */
456 struct accept_filter_arg afa
;
457 memset(&afa
, 0, sizeof(afa
));
458 strcpy(afa
.af_name
, "httpready");
459 if (setsockopt(srv_socket
->fd
, SOL_SOCKET
, SO_ACCEPTFILTER
, &afa
, sizeof(afa
)) < 0) {
460 if (errno
!= ENOENT
) {
461 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "can't set accept-filter 'httpready': ", strerror(errno
));
467 srv_socket
->is_ssl
= s
->ssl_enabled
;
469 if (srv
->srv_sockets
.size
== 0) {
470 srv
->srv_sockets
.size
= 4;
471 srv
->srv_sockets
.used
= 0;
472 srv
->srv_sockets
.ptr
= malloc(srv
->srv_sockets
.size
* sizeof(server_socket
*));
473 force_assert(NULL
!= srv
->srv_sockets
.ptr
);
474 } else if (srv
->srv_sockets
.used
== srv
->srv_sockets
.size
) {
475 srv
->srv_sockets
.size
+= 4;
476 srv
->srv_sockets
.ptr
= realloc(srv
->srv_sockets
.ptr
, srv
->srv_sockets
.size
* sizeof(server_socket
*));
477 force_assert(NULL
!= srv
->srv_sockets
.ptr
);
480 srv
->srv_sockets
.ptr
[srv
->srv_sockets
.used
++] = srv_socket
;
487 if (srv_socket
->fd
!= -1) {
488 /* check if server fd are already registered */
489 if (srv_socket
->fde_ndx
!= -1) {
490 fdevent_event_del(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
);
491 fdevent_unregister(srv
->ev
, srv_socket
->fd
);
494 close(srv_socket
->fd
);
496 buffer_free(srv_socket
->srv_token
);
501 return err
; /* -1 if error; 0 if srv->srvconf.preflight_check successful */
504 int network_close(server
*srv
) {
506 for (i
= 0; i
< srv
->srv_sockets
.used
; i
++) {
507 server_socket
*srv_socket
= srv
->srv_sockets
.ptr
[i
];
509 if (srv_socket
->fd
!= -1) {
510 /* check if server fd are already registered */
511 if (srv_socket
->fde_ndx
!= -1) {
512 fdevent_event_del(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
);
513 fdevent_unregister(srv
->ev
, srv_socket
->fd
);
516 close(srv_socket
->fd
);
519 buffer_free(srv_socket
->srv_token
);
524 free(srv
->srv_sockets
.ptr
);
530 NETWORK_BACKEND_UNSET
,
531 NETWORK_BACKEND_WRITE
,
532 NETWORK_BACKEND_WRITEV
,
533 NETWORK_BACKEND_SENDFILE
,
537 static X509
* x509_load_pem_file(server
*srv
, const char *file
) {
541 in
= BIO_new(BIO_s_file());
543 log_error_write(srv
, __FILE__
, __LINE__
, "S", "SSL: BIO_new(BIO_s_file()) failed");
547 if (BIO_read_filename(in
,file
) <= 0) {
548 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: BIO_read_filename('", file
,"') failed");
551 x
= PEM_read_bio_X509(in
, NULL
, NULL
, NULL
);
554 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: couldn't read X509 certificate from '", file
,"'");
562 if (NULL
!= in
) BIO_free(in
);
566 static EVP_PKEY
* evp_pkey_load_pem_file(server
*srv
, const char *file
) {
570 in
=BIO_new(BIO_s_file());
572 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: BIO_new(BIO_s_file()) failed");
576 if (BIO_read_filename(in
,file
) <= 0) {
577 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: BIO_read_filename('", file
,"') failed");
580 x
= PEM_read_bio_PrivateKey(in
, NULL
, NULL
, NULL
);
583 log_error_write(srv
, __FILE__
, __LINE__
, "SSS", "SSL: couldn't read private key from '", file
,"'");
591 if (NULL
!= in
) BIO_free(in
);
595 static int network_openssl_load_pemfile(server
*srv
, size_t ndx
) {
596 specific_config
*s
= srv
->config_storage
[ndx
];
598 #ifdef OPENSSL_NO_TLSEXT
600 data_config
*dc
= (data_config
*)srv
->config_context
->data
[ndx
];
601 if ((ndx
> 0 && (COMP_SERVER_SOCKET
!= dc
->comp
|| dc
->cond
!= CONFIG_COND_EQ
))
602 || !s
->ssl_enabled
) {
603 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
604 "ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions");
610 if (NULL
== (s
->ssl_pemfile_x509
= x509_load_pem_file(srv
, s
->ssl_pemfile
->ptr
))) return -1;
611 if (NULL
== (s
->ssl_pemfile_pkey
= evp_pkey_load_pem_file(srv
, s
->ssl_pemfile
->ptr
))) return -1;
613 if (!X509_check_private_key(s
->ssl_pemfile_x509
, s
->ssl_pemfile_pkey
)) {
614 log_error_write(srv
, __FILE__
, __LINE__
, "sssb", "SSL:",
615 "Private key does not match the certificate public key, reason:",
616 ERR_error_string(ERR_get_error(), NULL
),
625 int network_init(server
*srv
) {
628 network_backend_t backend
;
630 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
631 #ifndef OPENSSL_NO_ECDH
638 # ifndef OPENSSL_NO_DH
643 /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
644 * -----BEGIN DH PARAMETERS-----
645 * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
646 * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
647 * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
648 * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
649 * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
650 * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
651 * -----END DH PARAMETERS-----
654 static const unsigned char dh1024_p
[]={
655 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
656 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
657 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
658 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
659 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
660 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
661 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
662 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
663 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
664 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
665 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
668 static const unsigned char dh1024_g
[]={
669 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
670 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
671 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
672 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
673 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
674 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
675 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
676 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
677 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
678 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
679 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
684 network_backend_t nb
;
686 } network_backends
[] = {
688 #if defined USE_SENDFILE
689 { NETWORK_BACKEND_SENDFILE
, "sendfile" },
691 #if defined USE_LINUX_SENDFILE
692 { NETWORK_BACKEND_SENDFILE
, "linux-sendfile" },
694 #if defined USE_FREEBSD_SENDFILE
695 { NETWORK_BACKEND_SENDFILE
, "freebsd-sendfile" },
697 #if defined USE_SOLARIS_SENDFILEV
698 { NETWORK_BACKEND_SENDFILE
, "solaris-sendfilev" },
700 #if defined USE_WRITEV
701 { NETWORK_BACKEND_WRITEV
, "writev" },
703 { NETWORK_BACKEND_WRITE
, "write" },
704 { NETWORK_BACKEND_UNSET
, NULL
}
708 /* load SSL certificates */
709 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
710 specific_config
*s
= srv
->config_storage
[i
];
711 #ifndef SSL_OP_NO_COMPRESSION
712 # define SSL_OP_NO_COMPRESSION 0
715 SSL_OP_ALL
| SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
| SSL_OP_NO_COMPRESSION
;
717 if (buffer_string_is_empty(s
->ssl_pemfile
) && buffer_string_is_empty(s
->ssl_ca_file
)) continue;
719 if (srv
->ssl_is_init
== 0) {
720 SSL_load_error_strings();
722 OpenSSL_add_all_algorithms();
723 srv
->ssl_is_init
= 1;
725 if (0 == RAND_status()) {
726 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
727 "not enough entropy in the pool");
732 if (!buffer_string_is_empty(s
->ssl_pemfile
)) {
733 #ifdef OPENSSL_NO_TLSEXT
734 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
735 if (COMP_HTTP_HOST
== dc
->comp
) {
736 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
737 "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
741 if (network_openssl_load_pemfile(srv
, i
)) return -1;
745 if (!buffer_string_is_empty(s
->ssl_ca_file
)) {
746 s
->ssl_ca_file_cert_names
= SSL_load_client_CA_file(s
->ssl_ca_file
->ptr
);
747 if (NULL
== s
->ssl_ca_file_cert_names
) {
748 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
749 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_ca_file
);
753 if (buffer_string_is_empty(s
->ssl_pemfile
) || !s
->ssl_enabled
) continue;
755 if (NULL
== (s
->ssl_ctx
= SSL_CTX_new(SSLv23_server_method()))) {
756 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
757 ERR_error_string(ERR_get_error(), NULL
));
761 /* completely useless identifier; required for client cert verification to work with sessions */
762 if (0 == SSL_CTX_set_session_id_context(s
->ssl_ctx
, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
763 log_error_write(srv
, __FILE__
, __LINE__
, "ss:s", "SSL:",
764 "failed to set session context",
765 ERR_error_string(ERR_get_error(), NULL
));
769 if (s
->ssl_empty_fragments
) {
770 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
771 ssloptions
&= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
;
773 ssloptions
&= ~0x00000800L
; /* hardcode constant */
774 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "WARNING: SSL:",
775 "'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
779 SSL_CTX_set_options(s
->ssl_ctx
, ssloptions
);
780 SSL_CTX_set_info_callback(s
->ssl_ctx
, ssl_info_callback
);
782 if (!s
->ssl_use_sslv2
) {
784 if (!(SSL_OP_NO_SSLv2
& SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_NO_SSLv2
))) {
785 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
786 ERR_error_string(ERR_get_error(), NULL
));
791 if (!s
->ssl_use_sslv3
) {
793 if (!(SSL_OP_NO_SSLv3
& SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_NO_SSLv3
))) {
794 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
795 ERR_error_string(ERR_get_error(), NULL
));
800 if (!buffer_string_is_empty(s
->ssl_cipher_list
)) {
801 /* Disable support for low encryption ciphers */
802 if (SSL_CTX_set_cipher_list(s
->ssl_ctx
, s
->ssl_cipher_list
->ptr
) != 1) {
803 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
804 ERR_error_string(ERR_get_error(), NULL
));
808 if (s
->ssl_honor_cipher_order
) {
809 SSL_CTX_set_options(s
->ssl_ctx
, SSL_OP_CIPHER_SERVER_PREFERENCE
);
813 #ifndef OPENSSL_NO_DH
814 /* Support for Diffie-Hellman key exchange */
815 if (!buffer_string_is_empty(s
->ssl_dh_file
)) {
816 /* DH parameters from file */
817 bio
= BIO_new_file((char *) s
->ssl_dh_file
->ptr
, "r");
819 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unable to open file", s
->ssl_dh_file
->ptr
);
822 dh
= PEM_read_bio_DHparams(bio
, NULL
, NULL
, NULL
);
825 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: PEM_read_bio_DHparams failed", s
->ssl_dh_file
->ptr
);
829 /* Default DH parameters from RFC5114 */
832 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: DH_new () failed");
835 dh
->p
= BN_bin2bn(dh1024_p
,sizeof(dh1024_p
), NULL
);
836 dh
->g
= BN_bin2bn(dh1024_g
,sizeof(dh1024_g
), NULL
);
838 if ((dh
->p
== NULL
) || (dh
->g
== NULL
)) {
840 log_error_write(srv
, __FILE__
, __LINE__
, "s", "SSL: BN_bin2bn () failed");
844 SSL_CTX_set_tmp_dh(s
->ssl_ctx
,dh
);
845 SSL_CTX_set_options(s
->ssl_ctx
,SSL_OP_SINGLE_DH_USE
);
848 if (!buffer_string_is_empty(s
->ssl_dh_file
)) {
849 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: openssl compiled without DH support, can't load parameters from", s
->ssl_dh_file
->ptr
);
853 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
854 #ifndef OPENSSL_NO_ECDH
855 /* Support for Elliptic-Curve Diffie-Hellman key exchange */
856 if (!buffer_string_is_empty(s
->ssl_ec_curve
)) {
857 /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
858 nid
= OBJ_sn2nid((char *) s
->ssl_ec_curve
->ptr
);
860 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unknown curve name", s
->ssl_ec_curve
->ptr
);
865 nid
= OBJ_sn2nid("prime256v1");
867 ecdh
= EC_KEY_new_by_curve_name(nid
);
869 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL: Unable to create curve", s
->ssl_ec_curve
->ptr
);
872 SSL_CTX_set_tmp_ecdh(s
->ssl_ctx
,ecdh
);
873 SSL_CTX_set_options(s
->ssl_ctx
,SSL_OP_SINGLE_ECDH_USE
);
878 /* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */
879 for (j
= 0; j
< srv
->config_context
->used
; j
++) {
880 specific_config
*s1
= srv
->config_storage
[j
];
882 if (!buffer_string_is_empty(s1
->ssl_ca_file
)) {
883 if (1 != SSL_CTX_load_verify_locations(s
->ssl_ctx
, s1
->ssl_ca_file
->ptr
, NULL
)) {
884 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
885 ERR_error_string(ERR_get_error(), NULL
), s1
->ssl_ca_file
);
891 if (s
->ssl_verifyclient
) {
892 if (NULL
== s
->ssl_ca_file_cert_names
) {
893 log_error_write(srv
, __FILE__
, __LINE__
, "s",
894 "SSL: You specified ssl.verifyclient.activate but no ca_file"
898 SSL_CTX_set_client_CA_list(s
->ssl_ctx
, SSL_dup_CA_list(s
->ssl_ca_file_cert_names
));
901 SSL_VERIFY_PEER
| (s
->ssl_verifyclient_enforce
? SSL_VERIFY_FAIL_IF_NO_PEER_CERT
: 0),
904 SSL_CTX_set_verify_depth(s
->ssl_ctx
, s
->ssl_verifyclient_depth
);
907 if (SSL_CTX_use_certificate(s
->ssl_ctx
, s
->ssl_pemfile_x509
) < 0) {
908 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
909 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_pemfile
);
913 if (SSL_CTX_use_PrivateKey(s
->ssl_ctx
, s
->ssl_pemfile_pkey
) < 0) {
914 log_error_write(srv
, __FILE__
, __LINE__
, "ssb", "SSL:",
915 ERR_error_string(ERR_get_error(), NULL
), s
->ssl_pemfile
);
919 if (SSL_CTX_check_private_key(s
->ssl_ctx
) != 1) {
920 log_error_write(srv
, __FILE__
, __LINE__
, "sssb", "SSL:",
921 "Private key does not match the certificate public key, reason:",
922 ERR_error_string(ERR_get_error(), NULL
),
926 SSL_CTX_set_default_read_ahead(s
->ssl_ctx
, 1);
927 SSL_CTX_set_mode(s
->ssl_ctx
, SSL_CTX_get_mode(s
->ssl_ctx
) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
);
929 # ifndef OPENSSL_NO_TLSEXT
930 if (!SSL_CTX_set_tlsext_servername_callback(s
->ssl_ctx
, network_ssl_servername_callback
) ||
931 !SSL_CTX_set_tlsext_servername_arg(s
->ssl_ctx
, srv
)) {
932 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "SSL:",
933 "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
942 buffer_copy_buffer(b
, srv
->srvconf
.bindhost
);
943 buffer_append_string_len(b
, CONST_STR_LEN(":"));
944 buffer_append_int(b
, srv
->srvconf
.port
);
946 if (0 != network_server_init(srv
, b
, srv
->config_storage
[0])) {
953 srv
->network_ssl_backend_write
= network_write_chunkqueue_openssl
;
956 /* get a usefull default */
957 backend
= network_backends
[0].nb
;
959 /* match name against known types */
960 if (!buffer_string_is_empty(srv
->srvconf
.network_backend
)) {
961 for (i
= 0; network_backends
[i
].name
; i
++) {
963 if (buffer_is_equal_string(srv
->srvconf
.network_backend
, network_backends
[i
].name
, strlen(network_backends
[i
].name
))) {
964 backend
= network_backends
[i
].nb
;
968 if (NULL
== network_backends
[i
].name
) {
969 /* we don't know it */
971 log_error_write(srv
, __FILE__
, __LINE__
, "sb",
972 "server.network-backend has a unknown value:",
973 srv
->srvconf
.network_backend
);
980 case NETWORK_BACKEND_WRITE
:
981 srv
->network_backend_write
= network_write_chunkqueue_write
;
983 #if defined(USE_WRITEV)
984 case NETWORK_BACKEND_WRITEV
:
985 srv
->network_backend_write
= network_write_chunkqueue_writev
;
988 #if defined(USE_SENDFILE)
989 case NETWORK_BACKEND_SENDFILE
:
990 srv
->network_backend_write
= network_write_chunkqueue_sendfile
;
997 /* check for $SERVER["socket"] */
998 for (i
= 1; i
< srv
->config_context
->used
; i
++) {
999 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
1000 specific_config
*s
= srv
->config_storage
[i
];
1003 if (COMP_SERVER_SOCKET
!= dc
->comp
) continue;
1005 if (dc
->cond
!= CONFIG_COND_EQ
) continue;
1007 /* check if we already know this socket,
1008 * if yes, don't init it */
1009 for (j
= 0; j
< srv
->srv_sockets
.used
; j
++) {
1010 if (buffer_is_equal(srv
->srv_sockets
.ptr
[j
]->srv_token
, dc
->string
)) {
1015 if (j
== srv
->srv_sockets
.used
) {
1016 if (0 != network_server_init(srv
, dc
->string
, s
)) return -1;
1023 int network_register_fdevents(server
*srv
) {
1026 if (-1 == fdevent_reset(srv
->ev
)) {
1030 /* register fdevents after reset */
1031 for (i
= 0; i
< srv
->srv_sockets
.used
; i
++) {
1032 server_socket
*srv_socket
= srv
->srv_sockets
.ptr
[i
];
1034 fdevent_register(srv
->ev
, srv_socket
->fd
, network_server_handle_fdevent
, srv_socket
);
1035 fdevent_event_set(srv
->ev
, &(srv_socket
->fde_ndx
), srv_socket
->fd
, FDEVENT_IN
);
1040 int network_write_chunkqueue(server
*srv
, connection
*con
, chunkqueue
*cq
, off_t max_bytes
) {
1046 server_socket
*srv_socket
= con
->srv_socket
;
1048 if (con
->conf
.global_kbytes_per_second
) {
1049 off_t limit
= con
->conf
.global_kbytes_per_second
* 1024 - *(con
->conf
.global_bytes_per_second_cnt_ptr
);
1051 /* we reached the global traffic limit */
1053 con
->traffic_limit_reached
= 1;
1054 joblist_append(srv
, con
);
1058 if (max_bytes
> limit
) max_bytes
= limit
;
1062 if (con
->conf
.kbytes_per_second
) {
1063 off_t limit
= con
->conf
.kbytes_per_second
* 1024 - con
->bytes_written_cur_second
;
1065 /* we reached the traffic limit */
1067 con
->traffic_limit_reached
= 1;
1068 joblist_append(srv
, con
);
1072 if (max_bytes
> limit
) max_bytes
= limit
;
1076 written
= cq
->bytes_out
;
1079 /* Linux: put a cork into the socket as we want to combine the write() calls
1080 * but only if we really have multiple chunks
1082 if (cq
->first
&& cq
->first
->next
) {
1084 setsockopt(con
->fd
, IPPROTO_TCP
, TCP_CORK
, &corked
, sizeof(corked
));
1088 if (srv_socket
->is_ssl
) {
1090 ret
= srv
->network_ssl_backend_write(srv
, con
, con
->ssl
, cq
, max_bytes
);
1093 ret
= srv
->network_backend_write(srv
, con
, con
->fd
, cq
, max_bytes
);
1097 chunkqueue_remove_finished_chunks(cq
);
1098 ret
= chunkqueue_is_empty(cq
) ? 0 : 1;
1104 setsockopt(con
->fd
, IPPROTO_TCP
, TCP_CORK
, &corked
, sizeof(corked
));
1108 written
= cq
->bytes_out
- written
;
1109 con
->bytes_written
+= written
;
1110 con
->bytes_written_cur_second
+= written
;
1112 *(con
->conf
.global_bytes_per_second_cnt_ptr
) += written
;