1 #include "network.h"
2 #include "fdevent.h"
3 #include "log.h"
4 #include "connections.h"
5 #include "plugin.h"
6 #include "joblist.h"
7 #include "configfile.h"
8
9 #include "network_backends.h"
10 #include "sys-mmap.h"
11 #include "sys-socket.h"
12
13 #include <sys/types.h>
14 #include <sys/stat.h>
15 #include <sys/time.h>
16
17 #include <errno.h>
18 #include <fcntl.h>
19 #include <unistd.h>
20 #include <string.h>
21 #include <stdlib.h>
22 #include <assert.h>
23
24 #ifdef USE_OPENSSL
25 # include <openssl/ssl.h>
26 # include <openssl/err.h>
27 # include <openssl/rand.h>
28 # include <openssl/dh.h>
29 # include <openssl/bn.h>
30
31 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
32 # ifndef OPENSSL_NO_ECDH
33 # include <openssl/ecdh.h>
34 # endif
35 # endif
36 #endif
37 /*----------------------------------------------------------------------------*/
38 #ifdef USE_OPENSSL
39 static void
ssl_info_callback(const SSL * ssl,int where,int ret)40 ssl_info_callback(const SSL *ssl, int where, int ret) {
41 UNUSED(ret);
42
43 if (0 != (where & SSL_CB_HANDSHAKE_START)) {
44 connection *con = SSL_get_app_data(ssl);
45 ++con->renegotiations;
46 } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
47 ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
48 }
49 }
50 #endif
51 /*----------------------------------------------------------------------------*/
52 static handler_t
network_server_handle_fdevent(server * srv,void * context,int revents)53 network_server_handle_fdevent(server *srv, void *context, int revents) {
54 server_socket *srv_socket = (server_socket *)context;
55 connection *con;
56 int loops = 0;
57
58 UNUSED(context);
59
60 if (0 == (revents & FDEVENT_IN)) {
61 log_error_write(srv, __FILE__, __LINE__, "sdd",
62 "strange event for server socket",
63 srv_socket->fd,
64 revents);
65 return HANDLER_ERROR;
66 }
67
68 /* accept()s at most 100 connections directly
69 *
70 * we jump out after 100 to give the waiting connections a chance */
71 for (loops = 0; loops < 100 && NULL != (con = connection_accept(srv, srv_socket)); loops++) {
72 handler_t r;
73
74 connection_state_machine(srv, con);
75
76 switch(r = plugins_call_handle_joblist(srv, con)) {
77 case HANDLER_FINISHED:
78 case HANDLER_GO_ON:
79 break;
80 default:
81 log_error_write(srv, __FILE__, __LINE__, "d", r);
82 break;
83 }
84 }
85 return HANDLER_GO_ON;
86 }
87
88 #if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
network_ssl_servername_callback(SSL * ssl,int * al,server * srv)89 static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
90 const char *servername;
91 connection *con = (connection *) SSL_get_app_data(ssl);
92 UNUSED(al);
93
94 buffer_copy_string(con->uri.scheme, "https");
95
96 if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
97 #if 0
98 /* this "error" just means the client didn't support it */
99 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
100 "failed to get TLS server name");
101 #endif
102 return SSL_TLSEXT_ERR_NOACK;
103 }
104 buffer_copy_string(con->tlsext_server_name, servername);
105 buffer_to_lower(con->tlsext_server_name);
106
107 /* Sometimes this is still set, confusing COMP_HTTP_HOST */
108 buffer_reset(con->uri.authority);
109
110 config_cond_cache_reset(srv, con);
111 config_setup_connection(srv, con);
112
113 config_patch_connection(srv, con, COMP_SERVER_SOCKET);
114 config_patch_connection(srv, con, COMP_HTTP_SCHEME);
115 config_patch_connection(srv, con, COMP_HTTP_HOST);
116
117 if (NULL == con->conf.ssl_ctx) {
118 /* ssl_ctx <=> pemfile was set <=> ssl_ctx got patched: so this should never happen */
119 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
120 "null SSL_CTX for TLS server name", con->tlsext_server_name);
121 return SSL_TLSEXT_ERR_ALERT_FATAL;
122 }
123
124 /* switch to new SSL_CTX in reaction to a client's server_name extension */
125 if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
126 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
127 "failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
128 return SSL_TLSEXT_ERR_ALERT_FATAL;
129 }
130
131 return SSL_TLSEXT_ERR_OK;
132 }
133 #endif
134 /*----------------------------------------------------------------------------*/
135 static int
network_server_init(server * srv,buffer * host_token,specific_config * s)136 network_server_init(server *srv, buffer *host_token, specific_config *s) {
137 int val;
138 socklen_t addr_len;
139 server_socket *srv_socket;
140 char *sp;
141 unsigned int port = 0;
142 const char *host;
143 buffer *b;
144 int is_unix_domain_socket = 0;
145 int fd;
146
147 #ifdef __WIN32 /* mTCP won't work over here now */
148 WORD wVersionRequested;
149 WSADATA wsaData;
150 int err;
151
152 wVersionRequested = MAKEWORD( 2, 2 );
153
154 err = WSAStartup( wVersionRequested, &wsaData );
155 if ( err != 0 ) {
156 /* Tell the user that we could not find a usable */
157 /* WinSock DLL. */
158 return -1;
159 }
160 #endif
161
162 #ifdef MULTI_THREADED
163 //#ifndef USE_MTCP
164 #if !(defined USE_MTCP || defined REUSEPORT)
165 if (srv == srv->first_entry) {
166 #endif
167 #endif
168 srv_socket = calloc(1, sizeof(*srv_socket));
169 if (NULL == srv_socket) {
170 fprintf(stderr, "%s: %d(%s) - Can't allocate memory for srv_socket\n",
171 __FUNCTION__, __LINE__, __FILE__);
172 exit(EXIT_FAILURE);
173 }
174 srv_socket->fd = -1;
175 srv_socket->fde_ndx = -1;
176
177 srv_socket->srv_token = buffer_init();
178 buffer_copy_string_buffer(srv_socket->srv_token, host_token);
179
180 b = buffer_init();
181 buffer_copy_string_buffer(b, host_token);
182
183 /* ipv4:port
184 * [ipv6]:port
185 */
186 if (NULL == (sp = strrchr(b->ptr, ':'))) {
187 log_error_write(srv, __FILE__, __LINE__, "sb", "value of $SERVER[\"socket\"] has to be \"ip:port\".", b);
188
189 goto error_free_socket;
190 }
191
192 host = b->ptr;
193
194 /* check for [ and ] */
195 if (b->ptr[0] == '[' && *(sp-1) == ']') {
196 *(sp-1) = '\0';
197 host++;
198
199 s->use_ipv6 = 1;
200 }
201
202 *(sp++) = '\0';
203
204 port = strtol(sp, NULL, 10);
205
206 if (host[0] == '/') {
207 /* host is a unix-domain-socket */
208 is_unix_domain_socket = 1;
209 } else if (port == 0 || port > 65535) {
210 log_error_write(srv, __FILE__, __LINE__, "sd", "port out of range:", port);
211
212 goto error_free_socket;
213 }
214
215 if (*host == '\0') host = NULL;
216
217 if (is_unix_domain_socket) {
218 #ifdef HAVE_SYS_UN_H
219
220 srv_socket->addr.plain.sa_family = AF_UNIX;
221
222 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, 0))) {
223 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
224 goto error_free_socket;
225 }
226 #else
227 log_error_write(srv, __FILE__, __LINE__, "s",
228 "ERROR: Unix Domain sockets are not supported.");
229 goto error_free_socket;
230 #endif
231 }
232
233 #ifdef USE_MTCP
234 srv_socket->addr.plain.sa_family = AF_INET;
235 srv_socket->fd = mtcp_socket(srv->mctx, AF_INET, SOCK_STREAM, 0);
236 if (srv_socket->fd < 0) {
237 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
238 goto error_free_socket;
239 }
240 if (mtcp_setsock_nonblock(srv->mctx, srv_socket->fd) < 0) {
241 log_error_write(srv, __FILE__, __LINE__, "ss",
242 "socket non-blocking operation failed:", strerror(errno));
243 goto error_free_socket;
244 }
245 #endif
246
247 #ifdef HAVE_IPV6
248 if (srv_socket->fd == -1 && srv_socket->use_ipv6) {
249 srv_socket->addr.plain.sa_family = AF_INET6;
250
251 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
252 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
253 goto error_free_socket;
254 }
255 srv_socket->use_ipv6 = 1;
256 }
257 #endif
258
259 if (srv_socket->fd == -1) {
260 srv_socket->addr.plain.sa_family = AF_INET;
261 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
262 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
263 goto error_free_socket;
264 }
265 }
266
267 #ifndef USE_MTCP
268 #ifdef FD_CLOEXEC
269 /* set FD_CLOEXEC now, fdevent_fcntl_set is called later; needed for pipe-logger forks */
270 fcntl(srv_socket->fd, F_SETFD, FD_CLOEXEC);
271
272 val = 1;
273 if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
274 log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(SO_REUSEADDR) failed:", strerror(errno));
275 goto error_free_socket;
276 }
277 #endif
278 #endif
279 /* the first field of srv is updated here */
280 srv->cur_fds = srv_socket->fd;
281
282 switch(srv_socket->addr.plain.sa_family) {
283 #ifdef HAVE_IPV6
284 case AF_INET6:
285 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in6));
286 srv_socket->addr.ipv6.sin6_family = AF_INET6;
287 if (host == NULL) {
288 srv_socket->addr.ipv6.sin6_addr = in6addr_any;
289 log_error_write(srv, __FILE__, __LINE__, "s", "warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes");
290 } else {
291 struct addrinfo hints, *res;
292 int r;
293 /* mtcp is not IPv6-only for the time being */
294 if (s->set_v6only) {
295 val = 1;
296 if (-1 == setsockopt(srv_socket->fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof(val))) {
297 log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(IPV6_V6ONLY) failed:", strerror(errno));
298 goto error_free_socket;
299 }
300 } else {
301 log_error_write(srv, __FILE__, __LINE__, "s", "warning: server.set-v6only will be removed soon, update your config to have different sockets for ipv4 and ipv6");
302 }
303
304 memset(&hints, 0, sizeof(hints));
305
306 hints.ai_family = AF_INET6;
307 hints.ai_socktype = SOCK_STREAM;
308 hints.ai_protocol = IPPROTO_TCP;
309
310 if (0 != (r = getaddrinfo(host, NULL, &hints, &res))) {
311 log_error_write(srv, __FILE__, __LINE__,
312 "sssss", "getaddrinfo failed: ",
313 gai_strerror(r), "'", host, "'");
314
315 goto error_free_socket;
316 }
317
318 memcpy(&(srv_socket->addr), res->ai_addr, res->ai_addrlen);
319
320 freeaddrinfo(res);
321 }
322 srv_socket->addr.ipv6.sin6_port = htons(port);
323 addr_len = sizeof(struct sockaddr_in6);
324 break;
325 #endif
326 case AF_INET:
327 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in));
328 srv_socket->addr.ipv4.sin_family = AF_INET;
329 if (host == NULL) {
330 srv_socket->addr.ipv4.sin_addr.s_addr = htonl(INADDR_ANY);
331 } else {
332 struct hostent *he;
333 if (NULL == (he = gethostbyname(host))) {
334 log_error_write(srv, __FILE__, __LINE__,
335 "sds", "gethostbyname failed: ",
336 h_errno, host);
337 goto error_free_socket;
338 }
339
340 if (he->h_addrtype != AF_INET) {
341 log_error_write(srv, __FILE__, __LINE__, "sd", "addr-type != AF_INET: ", he->h_addrtype);
342 goto error_free_socket;
343 }
344
345 if (he->h_length != sizeof(struct in_addr)) {
346 log_error_write(srv, __FILE__, __LINE__, "sd", "addr-length != sizeof(in_addr): ", he->h_length);
347 goto error_free_socket;
348 }
349
350 memcpy(&(srv_socket->addr.ipv4.sin_addr.s_addr), he->h_addr_list[0], he->h_length);
351 }
352 srv_socket->addr.ipv4.sin_port = htons(port);
353
354 addr_len = sizeof(struct sockaddr_in);
355
356 break;
357 case AF_UNIX:
358 srv_socket->addr.un.sun_family = AF_UNIX;
359 strcpy(srv_socket->addr.un.sun_path, host);
360
361 #ifdef SUN_LEN
362 addr_len = SUN_LEN(&srv_socket->addr.un);
363 #else
364 /* stevens says: */
365 addr_len = strlen(host) + 1 + sizeof(srv_socket->addr.un.sun_family);
366 #endif
367
368 /* check if the socket exists and try to connect to it. */
369 if (-1 != (fd = connect(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len))) {
370 close(fd);
371
372 log_error_write(srv, __FILE__, __LINE__, "ss",
373 "server socket is still in use:",
374 host);
375
376
377 goto error_free_socket;
378 }
379
380 /* connect failed */
381 switch(errno) {
382 case ECONNREFUSED:
383 unlink(host);
384 break;
385 case ENOENT:
386 break;
387 default:
388 log_error_write(srv, __FILE__, __LINE__, "sds",
389 "testing socket failed:",
390 host, strerror(errno));
391
392 goto error_free_socket;
393 }
394
395 break;
396 default:
397 goto error_free_socket;
398 }
399
400 #ifdef USE_MTCP
401 if (0 != mtcp_bind(srv->mctx, srv_socket->fd,
402 (struct sockaddr *) &(srv_socket->addr), addr_len)) {
403 #else
404 #ifdef REUSEPORT
405 int port_reuse = 1;
406 if(setsockopt(srv_socket->fd, SOL_SOCKET, SO_REUSEPORT, &port_reuse, sizeof(port_reuse)) == -1) {
407 perror( "secksockopt() with SO_REUSEPORT failed");
408 return -1;
409 }
410 #endif
411 if (0 != bind(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len)) {
412 #endif
413 switch(srv_socket->addr.plain.sa_family) {
414 case AF_UNIX:
415 log_error_write(srv, __FILE__, __LINE__, "sds",
416 "can't bind to socket:",
417 host, strerror(errno));
418 break;
419 default:
420 log_error_write(srv, __FILE__, __LINE__, "ssds",
421 "can't bind to port:",
422 host, port, strerror(errno));
423 break;
424 }
425 goto error_free_socket;
426 }
427
428 #ifdef USE_MTCP
429 if (-1 == mtcp_listen(srv->mctx, srv_socket->fd, srv->listen_backlog)) {
430 #else
431 if (-1 == listen(srv_socket->fd, 128 * 8)) {
432 #endif
433 log_error_write(srv, __FILE__, __LINE__, "ss", "listen failed: ", strerror(errno));
434 goto error_free_socket;
435 }
436
437 if (s->is_ssl) {
438 #ifdef USE_OPENSSL
439 if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
440 log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
441 goto error_free_socket;
442 }
443 #else
444
445 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
446 "ssl requested but openssl support is not compiled in");
447
448 goto error_free_socket;
449 #endif
450 #ifdef TCP_DEFER_ACCEPT
451 } else if (s->defer_accept) {
452 int v = s->defer_accept;
453 if (-1 == setsockopt(srv_socket->fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &v, sizeof(v))) {
454 log_error_write(srv, __FILE__, __LINE__, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno));
455 }
456 #endif
457 } else {
458 #ifdef SO_ACCEPTFILTER
459 control will not come here
460 /* FreeBSD accf_http filter */
461 struct accept_filter_arg afa;
462 memset(&afa, 0, sizeof(afa));
463 strcpy(afa.af_name, "httpready");
464 if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)) < 0) {
465 if (errno != ENOENT) {
466 log_error_write(srv, __FILE__, __LINE__, "ss", "can't set accept-filter 'httpready': ", strerror(errno));
467 }
468 }
469 #endif
470 }
471
472 srv_socket->is_ssl = s->is_ssl;
473
474 /* srv sockets are updated next */
475 if (srv->srv_sockets.size == 0) {
476 srv->srv_sockets.size = 4;
477 srv->srv_sockets.used = 0;
478 srv->srv_sockets.ptr = malloc(srv->srv_sockets.size * sizeof(server_socket));
479 } else if (srv->srv_sockets.used == srv->srv_sockets.size) {
480 srv->srv_sockets.size += 4;
481 srv->srv_sockets.ptr = realloc(srv->srv_sockets.ptr, srv->srv_sockets.size * sizeof(server_socket));
482 }
483
484 srv->srv_sockets.ptr[srv->srv_sockets.used++] = srv_socket;
485
486 buffer_free(b);
487
488 #ifdef MULTI_THREADED
489 //#ifndef USE_MTCP
490 #if !(defined USE_MTCP || defined REUSEPORT)
491 } /* this closes `if (srv == srv->first_entry)` condition */
492 else {
493 /* busy wait while the first thread has finished network initialization */
494 while (srv->first_entry->srv_sockets.used == 0) { fprintf(stdout, " "); }
495 /* now copy socket data to the remaining threads */
496 srv->cur_fds = srv->first_entry->srv_sockets.ptr[srv->first_entry->srv_sockets.used - 1]->fd;
497
498 if (srv->srv_sockets.size == 0) {
499 /* fprintf(stderr, "%u: 1 Do i come here", srv->cpu); */
500 srv->srv_sockets.size = 4;
501 srv->srv_sockets.used = 0;
502 srv->srv_sockets.ptr = malloc(srv->srv_sockets.size * sizeof(server_socket));
503 } else if (srv->srv_sockets.used == srv->srv_sockets.size) {
504 /* fprintf(stderr, "%u: 2 Do i come here", srv->cpu); */
505 srv->srv_sockets.size += 4;
506 srv->srv_sockets.ptr = realloc(srv->srv_sockets.ptr, srv->srv_sockets.size * sizeof(server_socket));
507 }
508
509 srv->srv_sockets.ptr[srv->srv_sockets.used] = calloc(1, sizeof(*srv_socket));
510 if (NULL == srv->srv_sockets.ptr[srv->srv_sockets.used]) {
511 fprintf(stderr, "%s: %d(%s) - Can't allocate memory for srv_socket\n",
512 __FUNCTION__, __LINE__, __FILE__);
513 exit(EXIT_FAILURE);
514 }
515 #if 0
516 memcpy((srv->srv_sockets.ptr[srv->srv_sockets.used]),
517 (srv->first_entry->srv_sockets.ptr[srv->first_entry->srv_sockets.used - 1]),
518 sizeof(server_socket));
519 #endif
520 srv->srv_sockets.ptr[srv->srv_sockets.used]->fd =
521 srv->first_entry->srv_sockets.ptr[srv->first_entry->srv_sockets.used - 1]->fd;
522 srv->srv_sockets.ptr[srv->srv_sockets.used]->fde_ndx = -1;
523 srv->srv_sockets.ptr[srv->srv_sockets.used]->addr =
524 srv->first_entry->srv_sockets.ptr[srv->first_entry->srv_sockets.used - 1]->addr;
525 srv->srv_sockets.ptr[srv->srv_sockets.used]->use_ipv6 =
526 srv->first_entry->srv_sockets.ptr[srv->first_entry->srv_sockets.used - 1]->use_ipv6;
527 srv->srv_sockets.ptr[srv->srv_sockets.used]->is_ssl =
528 srv->first_entry->srv_sockets.ptr[srv->first_entry->srv_sockets.used - 1]->is_ssl;
529 srv->srv_sockets.used++;
530 }
531 #endif /* !USE_MTCP */
532 #endif /* !MULTI_THREADED */
533 return 0;
534
535 error_free_socket:
536 if (srv_socket->fd != -1) {
537 /* check if server fd are already registered */
538 if (srv_socket->fde_ndx != -1) {
539 fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
540 fdevent_unregister(srv->ev, srv_socket->fd);
541 }
542 #ifdef USE_MTCP
543 mtcp_close(srv->mctx, srv_socket->fd);
544 #else
545 close(srv_socket->fd);
546 #endif
547 }
548 buffer_free(srv_socket->srv_token);
549 free(srv_socket);
550
551 buffer_free(b);
552
553 return -1;
554 }
555 /*----------------------------------------------------------------------------*/
556 int
557 network_close(server *srv) {
558 size_t i;
559 for (i = 0; i < srv->srv_sockets.used; i++) {
560 server_socket *srv_socket = srv->srv_sockets.ptr[i];
561
562 if (srv_socket->fd != -1) {
563 /* check if server fd are already registered */
564 if (srv_socket->fde_ndx != -1) {
565 fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
566 fdevent_unregister(srv->ev, srv_socket->fd);
567 }
568 #ifdef HAVE_LIBMTCP
569 mtcp_close(srv->mctx, srv_socket->fd);
570 #else
571 close(srv_socket->fd);
572 #endif
573 }
574
575 buffer_free(srv_socket->srv_token);
576
577 free(srv_socket);
578 }
579
580 free(srv->srv_sockets.ptr);
581
582 return 0;
583 }
584 /*----------------------------------------------------------------------------*/
585 typedef enum {
586 NETWORK_BACKEND_UNSET,
587 NETWORK_BACKEND_WRITE,
588 NETWORK_BACKEND_WRITEV,
589 NETWORK_BACKEND_LINUX_SENDFILE,
590 NETWORK_BACKEND_FREEBSD_SENDFILE,
591 NETWORK_BACKEND_SOLARIS_SENDFILEV,
592 #if defined USE_MTCP
593 NETWORK_BACKEND_MTCP
594 #endif
595 } network_backend_t;
596
597 int
598 network_init(server *srv) {
599 buffer *b;
600 size_t i;
601 network_backend_t backend;
602
603 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
604 #ifndef OPENSSL_NO_ECDH
605 EC_KEY *ecdh;
606 int nid;
607 #endif
608 #endif
609
610 #ifdef USE_OPENSSL
611 DH *dh;
612 BIO *bio;
613
614 /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
615 * -----BEGIN DH PARAMETERS-----
616 * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
617 * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
618 * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
619 * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
620 * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
621 * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=
622 * -----END DH PARAMETERS-----
623 */
624
625 static const unsigned char dh1024_p[]={
626 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
627 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
628 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
629 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
630 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
631 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
632 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
633 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
634 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
635 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
636 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
637 };
638
639 static const unsigned char dh1024_g[]={
640 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
641 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
642 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
643 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
644 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
645 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
646 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
647 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
648 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
649 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
650 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
651 };
652 #endif
653
654 struct nb_map {
655 network_backend_t nb;
656 const char *name;
657 } network_backends[] = {
658 /* lowest id wins */
659 #if defined USE_LINUX_SENDFILE
660 { NETWORK_BACKEND_LINUX_SENDFILE, "linux-sendfile" },
661 #endif
662 #if defined USE_FREEBSD_SENDFILE
663 { NETWORK_BACKEND_FREEBSD_SENDFILE, "freebsd-sendfile" },
664 #endif
665 #if defined USE_SOLARIS_SENDFILEV
666 { NETWORK_BACKEND_SOLARIS_SENDFILEV, "solaris-sendfilev" },
667 #endif
668 #if defined USE_WRITEV
669 { NETWORK_BACKEND_WRITEV, "writev" },
670 #endif
671 { NETWORK_BACKEND_WRITE, "write" },
672 #if defined USE_MTCP
673 { NETWORK_BACKEND_MTCP, "mtcp_writev" },
674 #endif
675 { NETWORK_BACKEND_UNSET, NULL }
676 };
677
678 #ifdef USE_OPENSSL
679 /* load SSL certificates */
680 for (i = 0; i < srv->config_context->used; i++) {
681 specific_config *s = srv->config_storage[i];
682 #ifndef SSL_OP_NO_COMPRESSION
683 # define SSL_OP_NO_COMPRESSION 0
684 #endif
685 long ssloptions =
686 SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
687
688 if (buffer_is_empty(s->ssl_pemfile)) continue;
689
690 #ifdef OPENSSL_NO_TLSEXT
691 {
692 data_config *dc = (data_config *)srv->config_context->data[i];
693 if (COMP_HTTP_HOST == dc->comp) {
694 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
695 "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
696 return -1;
697 }
698 }
699 #endif
700
701 if (srv->ssl_is_init == 0) {
702 SSL_load_error_strings();
703 SSL_library_init();
704 OpenSSL_add_all_algorithms();
705 srv->ssl_is_init = 1;
706
707 if (0 == RAND_status()) {
708 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
709 "not enough entropy in the pool");
710 return -1;
711 }
712 }
713
714 if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
715 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
716 ERR_error_string(ERR_get_error(), NULL));
717 return -1;
718 }
719
720 SSL_CTX_set_options(s->ssl_ctx, ssloptions);
721 SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
722
723 if (!s->ssl_use_sslv2) {
724 /* disable SSLv2 */
725 if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
726 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
727 ERR_error_string(ERR_get_error(), NULL));
728 return -1;
729 }
730 }
731
732 if (!s->ssl_use_sslv3) {
733 /* disable SSLv3 */
734 if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) {
735 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
736 ERR_error_string(ERR_get_error(), NULL));
737 return -1;
738 }
739 }
740
741 if (!buffer_is_empty(s->ssl_cipher_list)) {
742 /* Disable support for low encryption ciphers */
743 if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
744 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
745 ERR_error_string(ERR_get_error(), NULL));
746 return -1;
747 }
748
749 if (s->ssl_honor_cipher_order) {
750 SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
751 }
752 }
753
754 /* Support for Diffie-Hellman key exchange */
755 if (!buffer_is_empty(s->ssl_dh_file)) {
756 /* DH parameters from file */
757 bio = BIO_new_file((char *) s->ssl_dh_file->ptr, "r");
758 if (bio == NULL) {
759 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to open file", s->ssl_dh_file->ptr);
760 return -1;
761 }
762 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
763 BIO_free(bio);
764 if (dh == NULL) {
765 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: PEM_read_bio_DHparams failed", s->ssl_dh_file->ptr);
766 return -1;
767 }
768 } else {
769 /* Default DH parameters from RFC5114 */
770 dh = DH_new();
771 if (dh == NULL) {
772 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed");
773 return -1;
774 }
775 dh->p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
776 dh->g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
777 dh->length = 160;
778 if ((dh->p == NULL) || (dh->g == NULL)) {
779 DH_free(dh);
780 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
781 return -1;
782 }
783 }
784 SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
785 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
786 DH_free(dh);
787
788 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
789 #ifndef OPENSSL_NO_ECDH
790 /* Support for Elliptic-Curve Diffie-Hellman key exchange */
791 if (!buffer_is_empty(s->ssl_ec_curve)) {
792 /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */
793 nid = OBJ_sn2nid((char *) s->ssl_ec_curve->ptr);
794 if (nid == 0) {
795 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unknown curve name", s->ssl_ec_curve->ptr);
796 return -1;
797 }
798 } else {
799 /* Default curve */
800 nid = OBJ_sn2nid("prime256v1");
801 }
802 ecdh = EC_KEY_new_by_curve_name(nid);
803 if (ecdh == NULL) {
804 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to create curve", s->ssl_ec_curve->ptr);
805 return -1;
806 }
807 SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
808 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
809 EC_KEY_free(ecdh);
810 #endif
811 #endif
812
813 if (!buffer_is_empty(s->ssl_ca_file)) {
814 if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
815 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
816 ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
817 return -1;
818 }
819 if (s->ssl_verifyclient) {
820 STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
821 if (!certs) {
822 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
823 ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
824 }
825 if (SSL_CTX_set_session_id_context(s->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
826 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
827 ERR_error_string(ERR_get_error(), NULL));
828 return -1;
829 }
830 SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
831 SSL_CTX_set_verify(
832 s->ssl_ctx,
833 SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
834 NULL
835 );
836 SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
837 }
838 } else if (s->ssl_verifyclient) {
839 log_error_write(
840 srv, __FILE__, __LINE__, "s",
841 "SSL: You specified ssl.verifyclient.activate but no ca_file"
842 );
843 }
844
845 if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
846 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
847 ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
848 return -1;
849 }
850
851 if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
852 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
853 ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
854 return -1;
855 }
856
857 if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
858 log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
859 "Private key does not match the certificate public key, reason:",
860 ERR_error_string(ERR_get_error(), NULL),
861 s->ssl_pemfile);
862 return -1;
863 }
864 SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
865 SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
866
867 # ifndef OPENSSL_NO_TLSEXT
868 if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
869 !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
870 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
871 "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
872 return -1;
873 }
874 # endif /* !OPENSSL_NO_TLSEXT */
875 }
876 #endif /* !OPENSSL_VERSION_NUMBER */
877
878 /* non-SSL version starts here... */
879 b = buffer_init();
880
881 buffer_copy_string_buffer(b, srv->srvconf.bindhost);
882 buffer_append_string_len(b, CONST_STR_LEN(":"));
883 buffer_append_long(b, srv->srvconf.port);
884
885 if (0 != network_server_init(srv, b, srv->config_storage[0])) {
886 return -1;
887 }
888 buffer_free(b);
889
890 #ifdef USE_OPENSSL
891 srv->network_ssl_backend_write = network_write_chunkqueue_openssl;
892 #endif
893
894 /* get a usefull default */
895 backend = network_backends[0].nb;
896
897 /* match name against known types */
898 if (!buffer_is_empty(srv->srvconf.network_backend)) {
899 for (i = 0; network_backends[i].name; i++) {
900 /**/
901 if (buffer_is_equal_string(srv->srvconf.network_backend, network_backends[i].name, strlen(network_backends[i].name))) {
902 backend = network_backends[i].nb;
903 break;
904 }
905 }
906 if (NULL == network_backends[i].name) {
907 /* we don't know it */
908
909 log_error_write(srv, __FILE__, __LINE__, "sb",
910 "server.network-backend has a unknown value:",
911 srv->srvconf.network_backend);
912
913 return -1;
914 }
915 }
916
917 switch(backend) {
918 case NETWORK_BACKEND_WRITE:
919 srv->network_backend_write = network_write_chunkqueue_write;
920 break;
921 #ifdef USE_WRITEV
922 case NETWORK_BACKEND_WRITEV:
923 srv->network_backend_write = network_write_chunkqueue_writev;
924 break;
925 #endif
926 #ifdef USE_LINUX_SENDFILE
927 case NETWORK_BACKEND_LINUX_SENDFILE:
928 srv->network_backend_write = network_write_chunkqueue_linuxsendfile;
929 break;
930 #endif
931 #ifdef USE_FREEBSD_SENDFILE
932 case NETWORK_BACKEND_FREEBSD_SENDFILE:
933 srv->network_backend_write = network_write_chunkqueue_freebsdsendfile;
934 break;
935 #endif
936 #ifdef USE_SOLARIS_SENDFILEV
937 case NETWORK_BACKEND_SOLARIS_SENDFILEV:
938 srv->network_backend_write = network_write_chunkqueue_solarissendfilev;
939 break;
940 #endif
941 #ifdef USE_MTCP
942 case NETWORK_BACKEND_MTCP:
943 srv->network_backend_write = network_write_chunkqueue_mtcp_writev;
944 break;
945 #endif
946 default:
947 return -1;
948 }
949
950 /* check for $SERVER["socket"] */
951 for (i = 1; i < srv->config_context->used; i++) {
952 data_config *dc = (data_config *)srv->config_context->data[i];
953 specific_config *s = srv->config_storage[i];
954 size_t j;
955
956 /* not our stage */
957 if (COMP_SERVER_SOCKET != dc->comp) continue;
958
959 if (dc->cond != CONFIG_COND_EQ) continue;
960
961 /* check if we already know this socket,
962 * if yes, don't init it */
963 for (j = 0; j < srv->srv_sockets.used; j++) {
964 if (buffer_is_equal(srv->srv_sockets.ptr[j]->srv_token, dc->string)) {
965 break;
966 }
967 }
968
969 if (j == srv->srv_sockets.used) {
970 if (0 != network_server_init(srv, dc->string, s)) return -1;
971 }
972 }
973
974 return 0;
975 }
976 /*----------------------------------------------------------------------------*/
977 int
978 network_register_fdevents(server *srv) {
979 size_t i;
980
981 if (-1 == fdevent_reset(srv->ev)) {
982 return -1;
983 }
984
985 /* register fdevents after reset */
986 for (i = 0; i < srv->srv_sockets.used; i++) {
987 server_socket *srv_socket = srv->srv_sockets.ptr[i];
988
989 fdevent_register(srv->ev, srv_socket->fd, network_server_handle_fdevent, srv_socket);
990 fdevent_event_set(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd, FDEVENT_IN);
991 }
992 return 0;
993 }
994 /*----------------------------------------------------------------------------*/
995 int
996 network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) {
997 int ret = -1;
998 off_t written = 0;
999 #ifdef TCP_CORK
1000 int corked = 0;
1001 #endif
1002 server_socket *srv_socket = con->srv_socket;
1003
1004 if (con->conf.global_kbytes_per_second) {
1005 off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr);
1006 if (limit <= 0) {
1007 /* we reached the global traffic limit */
1008
1009 con->traffic_limit_reached = 1;
1010 joblist_append(srv, con);
1011
1012 return 1;
1013 } else {
1014 if (max_bytes > limit) max_bytes = limit;
1015 }
1016 }
1017
1018 if (con->conf.kbytes_per_second) {
1019 off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second;
1020 if (limit <= 0) {
1021 /* we reached the traffic limit */
1022
1023 con->traffic_limit_reached = 1;
1024 joblist_append(srv, con);
1025
1026 return 1;
1027 } else {
1028 if (max_bytes > limit) max_bytes = limit;
1029 }
1030 }
1031
1032 written = cq->bytes_out;
1033
1034 #ifdef TCP_CORK
1035 /* Linux: put a cork into the socket as we want to combine the write() calls
1036 * but only if we really have multiple chunks
1037 */
1038 if (cq->first && cq->first->next) {
1039 corked = 1;
1040 setsockopt(con->fd, IPPROTO_TCP, TCP_CORK, &corked, sizeof(corked));
1041 }
1042 #endif
1043
1044 if (srv_socket->is_ssl) {
1045 #ifdef USE_OPENSSL
1046 ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes);
1047 #endif
1048 } else {
1049 ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes);
1050 }
1051
1052 if (ret >= 0) {
1053 chunkqueue_remove_finished_chunks(cq);
1054 ret = chunkqueue_is_empty(cq) ? 0 : 1;
1055 }
1056
1057 #ifdef TCP_CORK
1058 if (corked) {
1059 corked = 0;
1060 setsockopt(con->fd, IPPROTO_TCP, TCP_CORK, &corked, sizeof(corked));
1061 }
1062 #endif
1063
1064 written = cq->bytes_out - written;
1065 con->bytes_written += written;
1066 con->bytes_written_cur_second += written;
1067
1068 *(con->conf.global_bytes_per_second_cnt_ptr) += written;
1069
1070 return ret;
1071 }
1072 /*----------------------------------------------------------------------------*/
1073