1#include "network.h" 2#include "fdevent.h" 3#include "log.h" 4#include "connections.h" 5#include "plugin.h" 6#include "joblist.h" 7#include "configfile.h" 8 9#include "network_backends.h" 10#include "sys-mmap.h" 11#include "sys-socket.h" 12 13#include <sys/types.h> 14#include <sys/stat.h> 15#include <sys/time.h> 16 17#include <errno.h> 18#include <fcntl.h> 19#include <unistd.h> 20#include <string.h> 21#include <stdlib.h> 22#include <assert.h> 23 24#define DBE 0 25 26#ifdef USE_OPENSSL 27# include <openssl/ssl.h> 28# include <openssl/err.h> 29# include <openssl/rand.h> 30# ifndef OPENSSL_NO_DH 31# include <openssl/dh.h> 32# endif 33# include <openssl/bn.h> 34 35# if OPENSSL_VERSION_NUMBER >= 0x0090800fL 36# ifndef OPENSSL_NO_ECDH 37# include <openssl/ecdh.h> 38# endif 39# endif 40#endif 41 42#ifdef USE_OPENSSL 43static void ssl_info_callback(const SSL *ssl, int where, int ret) { 44 UNUSED(ret); 45 46 if (0 != (where & SSL_CB_HANDSHAKE_START)) { 47 connection *con = SSL_get_app_data(ssl); 48 ++con->renegotiations; 49 } 50} 51#endif 52 53static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) { 54 server_socket *srv_socket = (server_socket *)context; 55 connection *con; 56 int loops = 0; 57 58 UNUSED(context); 59 60 if (0 == (revents & FDEVENT_IN)) { 61 log_error_write(srv, __FILE__, __LINE__, "sdd", 62 "strange event for server socket", 63 srv_socket->fd, 64 revents); 65 return HANDLER_ERROR; 66 } 67 68 /* accept()s at most 100 connections directly 69 * 70 * we jump out after 100 to give the waiting connections a chance */ 71 for (loops = 0; loops < 100 && NULL != (con = connection_accept(srv, srv_socket)); loops++) { 72 handler_t r; 73 74 connection_state_machine(srv, con); 75 76 switch(r = plugins_call_handle_joblist(srv, con)) { 77 case HANDLER_FINISHED: 78 case HANDLER_GO_ON: 79 break; 80 default: 81 log_error_write(srv, __FILE__, __LINE__, "d", r); 82 break; 83 } 84 } 85 return HANDLER_GO_ON; 86} 87 88#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT 89static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) { 90 const char *servername; 91 connection *con = (connection *) SSL_get_app_data(ssl); 92 UNUSED(al); 93 94 buffer_copy_string(con->uri.scheme, "https"); 95 96 if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { 97#if 0 98 /* this "error" just means the client didn't support it */ 99 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 100 "failed to get TLS server name"); 101#endif 102 return SSL_TLSEXT_ERR_NOACK; 103 } 104 buffer_copy_string(con->tlsext_server_name, servername); 105 buffer_to_lower(con->tlsext_server_name); 106 107 /* Sometimes this is still set, confusing COMP_HTTP_HOST */ 108 buffer_reset(con->uri.authority); 109 110 config_cond_cache_reset(srv, con); 111 config_setup_connection(srv, con); 112 113 config_patch_connection(srv, con, COMP_SERVER_SOCKET); 114 config_patch_connection(srv, con, COMP_HTTP_SCHEME); 115 config_patch_connection(srv, con, COMP_HTTP_HOST); 116 117 if (NULL == con->conf.ssl_pemfile_x509 || NULL == con->conf.ssl_pemfile_pkey) { 118 /* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */ 119 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", 120 "no certificate/private key for TLS server name", con->tlsext_server_name); 121 return SSL_TLSEXT_ERR_ALERT_FATAL; 122 } 123 124 /* first set certificate! setting private key checks whether certificate matches it */ 125 if (!SSL_use_certificate(ssl, con->conf.ssl_pemfile_x509)) { 126 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:", 127 "failed to set certificate for TLS server name", con->tlsext_server_name, 128 ERR_error_string(ERR_get_error(), NULL)); 129 return SSL_TLSEXT_ERR_ALERT_FATAL; 130 } 131 132 if (!SSL_use_PrivateKey(ssl, con->conf.ssl_pemfile_pkey)) { 133 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:", 134 "failed to set private key for TLS server name", con->tlsext_server_name, 135 ERR_error_string(ERR_get_error(), NULL)); 136 return SSL_TLSEXT_ERR_ALERT_FATAL; 137 } 138 139 if (con->conf.ssl_verifyclient) { 140 if (NULL == con->conf.ssl_ca_file_cert_names) { 141 log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:", 142 "can't verify client without ssl.ca-file for TLS server name", con->tlsext_server_name, 143 ERR_error_string(ERR_get_error(), NULL)); 144 return SSL_TLSEXT_ERR_ALERT_FATAL; 145 } 146 147 SSL_set_client_CA_list(ssl, SSL_dup_CA_list(con->conf.ssl_ca_file_cert_names)); 148 /* forcing verification here is really not that useful - a client could just connect without SNI */ 149 SSL_set_verify( 150 ssl, 151 SSL_VERIFY_PEER | (con->conf.ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), 152 NULL 153 ); 154 SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth); 155 } 156 157 return SSL_TLSEXT_ERR_OK; 158} 159#endif 160 161static int network_server_init(server *srv, buffer *host_token, specific_config *s) { 162 int val; 163 socklen_t addr_len; 164 server_socket *srv_socket; 165 char *sp; 166 unsigned int port = 0; 167 const char *host; 168 buffer *b; 169 int is_unix_domain_socket = 0; 170 int fd; 171 172#ifdef __WIN32 173 WORD wVersionRequested; 174 WSADATA wsaData; 175 int err; 176 177 wVersionRequested = MAKEWORD( 2, 2 ); 178 179 err = WSAStartup( wVersionRequested, &wsaData ); 180 if ( err != 0 ) { 181 /* Tell the user that we could not find a usable */ 182 /* WinSock DLL. */ 183 return -1; 184 } 185#endif 186 187 srv_socket = calloc(1, sizeof(*srv_socket)); 188 srv_socket->fd = -1; 189 srv_socket->fde_ndx = -1; 190 191 srv_socket->srv_token = buffer_init(); 192 buffer_copy_buffer(srv_socket->srv_token, host_token); 193 194 b = buffer_init(); 195 buffer_copy_buffer(b, host_token); 196 197 /* ipv4:port 198 * [ipv6]:port 199 */ 200 if (NULL == (sp = strrchr(b->ptr, ':'))) { 201 log_error_write(srv, __FILE__, __LINE__, "sb", "value of $SERVER[\"socket\"] has to be \"ip:port\".", b); 202 203 goto error_free_socket; 204 } 205 206 host = b->ptr; 207 208 /* check for [ and ] */ 209 if (b->ptr[0] == '[' && *(sp-1) == ']') { 210 *(sp-1) = '\0'; 211 host++; 212 213 s->use_ipv6 = 1; 214 } 215 216 *(sp++) = '\0'; 217 218 port = strtol(sp, NULL, 10); 219 220 if (host[0] == '/') { 221 /* host is a unix-domain-socket */ 222 is_unix_domain_socket = 1; 223 } else if (port == 0 || port > 65535) { 224 log_error_write(srv, __FILE__, __LINE__, "sd", "port out of range:", port); 225 226 goto error_free_socket; 227 } 228 229 if (*host == '\0') host = NULL; 230 231 if (is_unix_domain_socket) { 232#ifdef HAVE_SYS_UN_H 233 234 srv_socket->addr.plain.sa_family = AF_UNIX; 235 236 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, 0))) { 237 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno)); 238 goto error_free_socket; 239 } 240#else 241 log_error_write(srv, __FILE__, __LINE__, "s", 242 "ERROR: Unix Domain sockets are not supported."); 243 goto error_free_socket; 244#endif 245 } 246 247#ifdef HAVE_IPV6 248 if (s->use_ipv6) { 249 srv_socket->addr.plain.sa_family = AF_INET6; 250 251 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) { 252 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno)); 253 goto error_free_socket; 254 } 255 } 256#endif 257 258 if (srv_socket->fd == -1) { 259 srv_socket->addr.plain.sa_family = AF_INET; 260 if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) { 261 log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno)); 262 goto error_free_socket; 263 } 264 } 265 266 /* set FD_CLOEXEC now, fdevent_fcntl_set is called later; needed for pipe-logger forks */ 267 fd_close_on_exec(srv_socket->fd); 268 269 /* */ 270 srv->cur_fds = srv_socket->fd; 271 272 val = 1; 273 if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) { 274 log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(SO_REUSEADDR) failed:", strerror(errno)); 275 goto error_free_socket; 276 } 277 278 switch(srv_socket->addr.plain.sa_family) { 279#ifdef HAVE_IPV6 280 case AF_INET6: 281 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in6)); 282 srv_socket->addr.ipv6.sin6_family = AF_INET6; 283 if (host == NULL) { 284 srv_socket->addr.ipv6.sin6_addr = in6addr_any; 285 log_error_write(srv, __FILE__, __LINE__, "s", "warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes"); 286 } else { 287 struct addrinfo hints, *res; 288 int r; 289 290 if (s->set_v6only) { 291 val = 1; 292 if (-1 == setsockopt(srv_socket->fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof(val))) { 293 log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(IPV6_V6ONLY) failed:", strerror(errno)); 294 goto error_free_socket; 295 } 296 } else { 297 log_error_write(srv, __FILE__, __LINE__, "s", "warning: server.set-v6only will be removed soon, update your config to have different sockets for ipv4 and ipv6"); 298 } 299 300 memset(&hints, 0, sizeof(hints)); 301 302 hints.ai_family = AF_INET6; 303 hints.ai_socktype = SOCK_STREAM; 304 hints.ai_protocol = IPPROTO_TCP; 305 306 if (0 != (r = getaddrinfo(host, NULL, &hints, &res))) { 307 log_error_write(srv, __FILE__, __LINE__, 308 "sssss", "getaddrinfo failed: ", 309 gai_strerror(r), "'", host, "'"); 310 311 goto error_free_socket; 312 } 313 314 memcpy(&(srv_socket->addr), res->ai_addr, res->ai_addrlen); 315 316 freeaddrinfo(res); 317 } 318 srv_socket->addr.ipv6.sin6_port = htons(port); 319 addr_len = sizeof(struct sockaddr_in6); 320 break; 321#endif 322 case AF_INET: 323 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in)); 324 srv_socket->addr.ipv4.sin_family = AF_INET; 325 if (host == NULL) { 326 srv_socket->addr.ipv4.sin_addr.s_addr = htonl(INADDR_ANY); 327 } else { 328 struct hostent *he; 329 if (NULL == (he = gethostbyname(host))) { 330 log_error_write(srv, __FILE__, __LINE__, 331 "sds", "gethostbyname failed: ", 332 h_errno, host); 333 goto error_free_socket; 334 } 335 336 if (he->h_addrtype != AF_INET) { 337 log_error_write(srv, __FILE__, __LINE__, "sd", "addr-type != AF_INET: ", he->h_addrtype); 338 goto error_free_socket; 339 } 340 341 if (he->h_length != sizeof(struct in_addr)) { 342 log_error_write(srv, __FILE__, __LINE__, "sd", "addr-length != sizeof(in_addr): ", he->h_length); 343 goto error_free_socket; 344 } 345 346 memcpy(&(srv_socket->addr.ipv4.sin_addr.s_addr), he->h_addr_list[0], he->h_length); 347 } 348 srv_socket->addr.ipv4.sin_port = htons(port); 349 350 addr_len = sizeof(struct sockaddr_in); 351 352 break; 353 case AF_UNIX: 354 memset(&srv_socket->addr, 0, sizeof(struct sockaddr_un)); 355 srv_socket->addr.un.sun_family = AF_UNIX; 356 { 357 size_t hostlen = strlen(host) + 1; 358 if (hostlen > sizeof(srv_socket->addr.un.sun_path)) { 359 log_error_write(srv, __FILE__, __LINE__, "sS", "unix socket filename too long:", host); 360 goto error_free_socket; 361 } 362 memcpy(srv_socket->addr.un.sun_path, host, hostlen); 363 364#if defined(SUN_LEN) 365 addr_len = SUN_LEN(&srv_socket->addr.un); 366#else 367 /* stevens says: */ 368 addr_len = hostlen + sizeof(srv_socket->addr.un.sun_family); 369#endif 370 } 371 372 /* check if the socket exists and try to connect to it. */ 373 if (-1 != (fd = connect(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len))) { 374 close(fd); 375 376 log_error_write(srv, __FILE__, __LINE__, "ss", 377 "server socket is still in use:", 378 host); 379 380 381 goto error_free_socket; 382 } 383 384 /* connect failed */ 385 switch(errno) { 386 case ECONNREFUSED: 387 unlink(host); 388 break; 389 case ENOENT: 390 break; 391 default: 392 log_error_write(srv, __FILE__, __LINE__, "sds", 393 "testing socket failed:", 394 host, strerror(errno)); 395 396 goto error_free_socket; 397 } 398 399 break; 400 default: 401 goto error_free_socket; 402 } 403 404 if (0 != bind(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len)) { 405 switch(srv_socket->addr.plain.sa_family) { 406 case AF_UNIX: 407 log_error_write(srv, __FILE__, __LINE__, "sds", 408 "can't bind to socket:", 409 host, strerror(errno)); 410 break; 411 default: 412 log_error_write(srv, __FILE__, __LINE__, "ssds", 413 "can't bind to port:", 414 host, port, strerror(errno)); 415 break; 416 } 417 goto error_free_socket; 418 } 419 420 if (-1 == listen(srv_socket->fd, 128 * 8)) { 421 log_error_write(srv, __FILE__, __LINE__, "ss", "listen failed: ", strerror(errno)); 422 goto error_free_socket; 423 } 424 425 if (s->ssl_enabled) { 426#ifdef USE_OPENSSL 427 if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) { 428 log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set"); 429 goto error_free_socket; 430 } 431#else 432 433 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 434 "ssl requested but openssl support is not compiled in"); 435 436 goto error_free_socket; 437#endif 438#ifdef TCP_DEFER_ACCEPT 439 } else if (s->defer_accept) { 440 int v = s->defer_accept; 441 if (-1 == setsockopt(srv_socket->fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &v, sizeof(v))) { 442 log_error_write(srv, __FILE__, __LINE__, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno)); 443 } 444#endif 445 } else { 446#ifdef SO_ACCEPTFILTER 447 /* FreeBSD accf_http filter */ 448 struct accept_filter_arg afa; 449 memset(&afa, 0, sizeof(afa)); 450 strcpy(afa.af_name, "httpready"); 451 if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)) < 0) { 452 if (errno != ENOENT) { 453 log_error_write(srv, __FILE__, __LINE__, "ss", "can't set accept-filter 'httpready': ", strerror(errno)); 454 } 455 } 456#endif 457 } 458 459 srv_socket->is_ssl = s->ssl_enabled; 460 461 if (srv->srv_sockets.size == 0) { 462 srv->srv_sockets.size = 4; 463 srv->srv_sockets.used = 0; 464 srv->srv_sockets.ptr = malloc(srv->srv_sockets.size * sizeof(server_socket*)); 465 } else if (srv->srv_sockets.used == srv->srv_sockets.size) { 466 srv->srv_sockets.size += 4; 467 srv->srv_sockets.ptr = realloc(srv->srv_sockets.ptr, srv->srv_sockets.size * sizeof(server_socket*)); 468 } 469 470 srv->srv_sockets.ptr[srv->srv_sockets.used++] = srv_socket; 471 472 buffer_free(b); 473 474 return 0; 475 476error_free_socket: 477 if (srv_socket->fd != -1) { 478 /* check if server fd are already registered */ 479 if (srv_socket->fde_ndx != -1) { 480 fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd); 481 fdevent_unregister(srv->ev, srv_socket->fd); 482 } 483 484 close(srv_socket->fd); 485 } 486 buffer_free(srv_socket->srv_token); 487 free(srv_socket); 488 489 buffer_free(b); 490 491 return -1; 492} 493 494int network_close(server *srv) { 495 size_t i; 496 for (i = 0; i < srv->srv_sockets.used; i++) { 497 server_socket *srv_socket = srv->srv_sockets.ptr[i]; 498 499 if (srv_socket->fd != -1) { 500 /* check if server fd are already registered */ 501 if (srv_socket->fde_ndx != -1) { 502 fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd); 503 fdevent_unregister(srv->ev, srv_socket->fd); 504 } 505 506 close(srv_socket->fd); 507 } 508 509 buffer_free(srv_socket->srv_token); 510 511 free(srv_socket); 512 } 513 514 free(srv->srv_sockets.ptr); 515 516 return 0; 517} 518 519typedef enum { 520 NETWORK_BACKEND_UNSET, 521 NETWORK_BACKEND_WRITE, 522 NETWORK_BACKEND_WRITEV, 523 NETWORK_BACKEND_SENDFILE, 524} network_backend_t; 525 526#ifdef USE_OPENSSL 527static X509* x509_load_pem_file(server *srv, const char *file) { 528 BIO *in; 529 X509 *x = NULL; 530 531 in = BIO_new(BIO_s_file()); 532 if (NULL == in) { 533 log_error_write(srv, __FILE__, __LINE__, "S", "SSL: BIO_new(BIO_s_file()) failed"); 534 goto error; 535 } 536 537 if (BIO_read_filename(in,file) <= 0) { 538 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed"); 539 goto error; 540 } 541 x = PEM_read_bio_X509(in, NULL, NULL, NULL); 542 543 if (NULL == x) { 544 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read X509 certificate from '", file,"'"); 545 goto error; 546 } 547 548 BIO_free(in); 549 return x; 550 551error: 552 if (NULL != in) BIO_free(in); 553 return NULL; 554} 555 556static EVP_PKEY* evp_pkey_load_pem_file(server *srv, const char *file) { 557 BIO *in; 558 EVP_PKEY *x = NULL; 559 560 in=BIO_new(BIO_s_file()); 561 if (NULL == in) { 562 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BIO_new(BIO_s_file()) failed"); 563 goto error; 564 } 565 566 if (BIO_read_filename(in,file) <= 0) { 567 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: BIO_read_filename('", file,"') failed"); 568 goto error; 569 } 570 x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL); 571 572 if (NULL == x) { 573 log_error_write(srv, __FILE__, __LINE__, "SSS", "SSL: couldn't read private key from '", file,"'"); 574 goto error; 575 } 576 577 BIO_free(in); 578 return x; 579 580error: 581 if (NULL != in) BIO_free(in); 582 return NULL; 583} 584 585static int network_openssl_load_pemfile(server *srv, size_t ndx) { 586 specific_config *s = srv->config_storage[ndx]; 587 588#ifdef OPENSSL_NO_TLSEXT 589 { 590 data_config *dc = (data_config *)srv->config_context->data[ndx]; 591 if ((ndx > 0 && (COMP_SERVER_SOCKET != dc->comp || dc->cond != CONFIG_COND_EQ)) 592 || !s->ssl_enabled) { 593 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 594 "ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions"); 595 return -1; 596 } 597 } 598#endif 599 600 if (NULL == (s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1; 601 if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1; 602 603 if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) { 604 log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", 605 "Private key does not match the certificate public key, reason:", 606 ERR_error_string(ERR_get_error(), NULL), 607 s->ssl_pemfile); 608 return -1; 609 } 610 611 return 0; 612} 613#endif 614 615int network_init(server *srv) { 616 buffer *b; 617 size_t i, j; 618 network_backend_t backend; 619 620#if OPENSSL_VERSION_NUMBER >= 0x0090800fL 621#ifndef OPENSSL_NO_ECDH 622 EC_KEY *ecdh; 623 int nid; 624#endif 625#endif 626 627#ifdef USE_OPENSSL 628# ifndef OPENSSL_NO_DH 629 DH *dh; 630# endif 631 BIO *bio; 632 633 /* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114) 634 * -----BEGIN DH PARAMETERS----- 635 * MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y 636 * mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4 637 * +qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV 638 * w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0 639 * sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR 640 * jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA= 641 * -----END DH PARAMETERS----- 642 */ 643 644 static const unsigned char dh1024_p[]={ 645 0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E, 646 0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6, 647 0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86, 648 0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0, 649 0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C, 650 0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70, 651 0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA, 652 0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0, 653 0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF, 654 0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08, 655 0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71, 656 }; 657 658 static const unsigned char dh1024_g[]={ 659 0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42, 660 0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F, 661 0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E, 662 0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13, 663 0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F, 664 0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1, 665 0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08, 666 0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A, 667 0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59, 668 0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24, 669 0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5, 670 }; 671#endif 672 673 struct nb_map { 674 network_backend_t nb; 675 const char *name; 676 } network_backends[] = { 677 /* lowest id wins */ 678#if defined USE_SENDFILE 679 { NETWORK_BACKEND_SENDFILE, "sendfile" }, 680#endif 681#if defined USE_LINUX_SENDFILE 682 { NETWORK_BACKEND_SENDFILE, "linux-sendfile" }, 683#endif 684#if defined USE_FREEBSD_SENDFILE 685 { NETWORK_BACKEND_SENDFILE, "freebsd-sendfile" }, 686#endif 687#if defined USE_SOLARIS_SENDFILEV 688 { NETWORK_BACKEND_SENDFILE, "solaris-sendfilev" }, 689#endif 690#if defined USE_WRITEV 691 { NETWORK_BACKEND_WRITEV, "writev" }, 692#endif 693 { NETWORK_BACKEND_WRITE, "write" }, 694 { NETWORK_BACKEND_UNSET, NULL } 695 }; 696 697#ifdef USE_OPENSSL 698 /* load SSL certificates */ 699 for (i = 0; i < srv->config_context->used; i++) { 700 specific_config *s = srv->config_storage[i]; 701#ifndef SSL_OP_NO_COMPRESSION 702# define SSL_OP_NO_COMPRESSION 0 703#endif 704 long ssloptions = 705 SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION; 706 707 //- 20160204 Sungmin add 708 ssloptions &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; 709 //ssloptions |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; 710 711 Cdbg(DBE, "ssloptions = %d", ssloptions); 712 713 if (buffer_string_is_empty(s->ssl_pemfile) && buffer_string_is_empty(s->ssl_ca_file)) continue; 714 715 if (srv->ssl_is_init == 0) { 716 SSL_load_error_strings(); 717 SSL_library_init(); 718 OpenSSL_add_all_algorithms(); 719 srv->ssl_is_init = 1; 720 721 if (0 == RAND_status()) { 722 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 723 "not enough entropy in the pool"); 724 return -1; 725 } 726 } 727 728 if (!buffer_string_is_empty(s->ssl_pemfile)) { 729#ifdef OPENSSL_NO_TLSEXT 730 data_config *dc = (data_config *)srv->config_context->data[i]; 731 if (COMP_HTTP_HOST == dc->comp) { 732 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 733 "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions"); 734 return -1; 735 } 736#endif 737 if (network_openssl_load_pemfile(srv, i)) return -1; 738 } 739 740 741 if (!buffer_string_is_empty(s->ssl_ca_file)) { 742 s->ssl_ca_file_cert_names = SSL_load_client_CA_file(s->ssl_ca_file->ptr); 743 if (NULL == s->ssl_ca_file_cert_names) { 744 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", 745 ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); 746 } 747 } 748 749 if (buffer_string_is_empty(s->ssl_pemfile) || !s->ssl_enabled) continue; 750 751 if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) { 752 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 753 ERR_error_string(ERR_get_error(), NULL)); 754 return -1; 755 } 756 757 /* completely useless identifier; required for client cert verification to work with sessions */ 758 if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) { 759 log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:", 760 "failed to set session context", 761 ERR_error_string(ERR_get_error(), NULL)); 762 return -1; 763 } 764 765 if (s->ssl_empty_fragments) { 766#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 767 ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; 768#else 769 ssloptions &= ~0x00000800L; /* hardcode constant */ 770 log_error_write(srv, __FILE__, __LINE__, "ss", "WARNING: SSL:", 771 "'insert empty fragments' not supported by the openssl version used to compile lighttpd with"); 772#endif 773 } 774 775 SSL_CTX_set_options(s->ssl_ctx, ssloptions); 776 SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback); 777 778 if (!s->ssl_use_sslv2) { 779 /* disable SSLv2 */ 780 if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { 781 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 782 ERR_error_string(ERR_get_error(), NULL)); 783 return -1; 784 } 785 } 786 787 if (!s->ssl_use_sslv3) { 788 /* disable SSLv3 */ 789 if (!(SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3))) { 790 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 791 ERR_error_string(ERR_get_error(), NULL)); 792 return -1; 793 } 794 } 795 796 if (!buffer_string_is_empty(s->ssl_cipher_list)) { 797 /* Disable support for low encryption ciphers */ 798 if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { 799 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 800 ERR_error_string(ERR_get_error(), NULL)); 801 return -1; 802 } 803 804 if (s->ssl_honor_cipher_order) { 805 SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 806 } 807 } 808 809#ifndef OPENSSL_NO_DH 810 /* Support for Diffie-Hellman key exchange */ 811 if (!buffer_string_is_empty(s->ssl_dh_file)) { 812 /* DH parameters from file */ 813 bio = BIO_new_file((char *) s->ssl_dh_file->ptr, "r"); 814 if (bio == NULL) { 815 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to open file", s->ssl_dh_file->ptr); 816 return -1; 817 } 818 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); 819 BIO_free(bio); 820 if (dh == NULL) { 821 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: PEM_read_bio_DHparams failed", s->ssl_dh_file->ptr); 822 return -1; 823 } 824 } else { 825 /* Default DH parameters from RFC5114 */ 826 dh = DH_new(); 827 if (dh == NULL) { 828 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed"); 829 return -1; 830 } 831 dh->p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL); 832 dh->g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL); 833 dh->length = 160; 834 if ((dh->p == NULL) || (dh->g == NULL)) { 835 DH_free(dh); 836 log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed"); 837 return -1; 838 } 839 } 840 SSL_CTX_set_tmp_dh(s->ssl_ctx,dh); 841 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE); 842 DH_free(dh); 843#else 844 if (!buffer_string_is_empty(s->ssl_dh_file)) { 845 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: openssl compiled without DH support, can't load parameters from", s->ssl_dh_file->ptr); 846 } 847#endif 848 849#if OPENSSL_VERSION_NUMBER >= 0x0090800fL 850#ifndef OPENSSL_NO_ECDH 851 /* Support for Elliptic-Curve Diffie-Hellman key exchange */ 852 if (!buffer_string_is_empty(s->ssl_ec_curve)) { 853 /* OpenSSL only supports the "named curves" from RFC 4492, section 5.1.1. */ 854 nid = OBJ_sn2nid((char *) s->ssl_ec_curve->ptr); 855 if (nid == 0) { 856 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unknown curve name", s->ssl_ec_curve->ptr); 857 return -1; 858 } 859 } else { 860 /* Default curve */ 861 nid = OBJ_sn2nid("prime256v1"); 862 } 863 ecdh = EC_KEY_new_by_curve_name(nid); 864 if (ecdh == NULL) { 865 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to create curve", s->ssl_ec_curve->ptr); 866 return -1; 867 } 868 SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh); 869 SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE); 870 EC_KEY_free(ecdh); 871#endif 872#endif 873 874 /* load all ssl.ca-files specified in the config into each SSL_CTX to be prepared for SNI */ 875 for (j = 0; j < srv->config_context->used; j++) { 876 specific_config *s1 = srv->config_storage[j]; 877 878 if (!buffer_string_is_empty(s1->ssl_ca_file)) { 879 if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s1->ssl_ca_file->ptr, NULL)) { 880 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", 881 ERR_error_string(ERR_get_error(), NULL), s1->ssl_ca_file); 882 return -1; 883 } 884 } 885 } 886 887 if (s->ssl_verifyclient) { 888 if (NULL == s->ssl_ca_file_cert_names) { 889 log_error_write(srv, __FILE__, __LINE__, "s", 890 "SSL: You specified ssl.verifyclient.activate but no ca_file" 891 ); 892 return -1; 893 } 894 SSL_CTX_set_client_CA_list(s->ssl_ctx, SSL_dup_CA_list(s->ssl_ca_file_cert_names)); 895 SSL_CTX_set_verify( 896 s->ssl_ctx, 897 SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), 898 NULL 899 ); 900 SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth); 901 } 902 903 if (SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509) < 0) { 904 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", 905 ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); 906 return -1; 907 } 908 909 if (SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey) < 0) { 910 log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", 911 ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); 912 return -1; 913 } 914 915 if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { 916 log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", 917 "Private key does not match the certificate public key, reason:", 918 ERR_error_string(ERR_get_error(), NULL), 919 s->ssl_pemfile); 920 return -1; 921 } 922 SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1); 923 SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); 924 925# ifndef OPENSSL_NO_TLSEXT 926 if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) || 927 !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) { 928 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 929 "failed to initialize TLS servername callback, openssl library does not support TLS servername extension"); 930 return -1; 931 } 932# endif 933 } 934#endif 935 936 b = buffer_init(); 937 938 buffer_copy_buffer(b, srv->srvconf.bindhost); 939 buffer_append_string_len(b, CONST_STR_LEN(":")); 940 buffer_append_int(b, srv->srvconf.port); 941 942 if (0 != network_server_init(srv, b, srv->config_storage[0])) { 943 buffer_free(b); 944 return -1; 945 } 946 buffer_free(b); 947 948#ifdef USE_OPENSSL 949 srv->network_ssl_backend_write = network_write_chunkqueue_openssl; 950#endif 951 952 /* get a usefull default */ 953 backend = network_backends[0].nb; 954 955 /* match name against known types */ 956 if (!buffer_string_is_empty(srv->srvconf.network_backend)) { 957 for (i = 0; network_backends[i].name; i++) { 958 /**/ 959 if (buffer_is_equal_string(srv->srvconf.network_backend, network_backends[i].name, strlen(network_backends[i].name))) { 960 backend = network_backends[i].nb; 961 break; 962 } 963 } 964 if (NULL == network_backends[i].name) { 965 /* we don't know it */ 966 967 log_error_write(srv, __FILE__, __LINE__, "sb", 968 "server.network-backend has a unknown value:", 969 srv->srvconf.network_backend); 970 971 return -1; 972 } 973 } 974 975 switch(backend) { 976 case NETWORK_BACKEND_WRITE: 977 srv->network_backend_write = network_write_chunkqueue_write; 978 break; 979#if defined(USE_WRITEV) 980 case NETWORK_BACKEND_WRITEV: 981 srv->network_backend_write = network_write_chunkqueue_writev; 982 break; 983#endif 984#if defined(USE_SENDFILE) 985 case NETWORK_BACKEND_SENDFILE: 986 srv->network_backend_write = network_write_chunkqueue_sendfile; 987 break; 988#endif 989 default: 990 return -1; 991 } 992 993 /* check for $SERVER["socket"] */ 994 for (i = 1; i < srv->config_context->used; i++) { 995 data_config *dc = (data_config *)srv->config_context->data[i]; 996 specific_config *s = srv->config_storage[i]; 997 998 /* not our stage */ 999 if (COMP_SERVER_SOCKET != dc->comp) continue; 1000 1001 if (dc->cond != CONFIG_COND_EQ) continue; 1002 1003 /* check if we already know this socket, 1004 * if yes, don't init it */ 1005 for (j = 0; j < srv->srv_sockets.used; j++) { 1006 if (buffer_is_equal(srv->srv_sockets.ptr[j]->srv_token, dc->string)) { 1007 break; 1008 } 1009 } 1010 1011 if (j == srv->srv_sockets.used) { 1012 if (0 != network_server_init(srv, dc->string, s)) return -1; 1013 } 1014 } 1015 1016 return 0; 1017} 1018 1019int network_register_fdevents(server *srv) { 1020 size_t i; 1021 1022 if (-1 == fdevent_reset(srv->ev)) { 1023 return -1; 1024 } 1025 1026 /* register fdevents after reset */ 1027 for (i = 0; i < srv->srv_sockets.used; i++) { 1028 server_socket *srv_socket = srv->srv_sockets.ptr[i]; 1029 1030 fdevent_register(srv->ev, srv_socket->fd, network_server_handle_fdevent, srv_socket); 1031 fdevent_event_set(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd, FDEVENT_IN); 1032 } 1033 return 0; 1034} 1035 1036int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) { 1037 int ret = -1; 1038 off_t written = 0; 1039#ifdef TCP_CORK 1040 int corked = 0; 1041#endif 1042 server_socket *srv_socket = con->srv_socket; 1043 1044 if (con->conf.global_kbytes_per_second) { 1045 off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr); 1046 if (limit <= 0) { 1047 /* we reached the global traffic limit */ 1048 1049 con->traffic_limit_reached = 1; 1050 joblist_append(srv, con); 1051 1052 return 1; 1053 } else { 1054 if (max_bytes > limit) max_bytes = limit; 1055 } 1056 } 1057 1058 if (con->conf.kbytes_per_second) { 1059 off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second; 1060 if (limit <= 0) { 1061 /* we reached the traffic limit */ 1062 1063 con->traffic_limit_reached = 1; 1064 joblist_append(srv, con); 1065 1066 return 1; 1067 } else { 1068 if (max_bytes > limit) max_bytes = limit; 1069 } 1070 } 1071 1072 written = cq->bytes_out; 1073 1074#ifdef TCP_CORK 1075 /* Linux: put a cork into the socket as we want to combine the write() calls 1076 * but only if we really have multiple chunks 1077 */ 1078 if (cq->first && cq->first->next) { 1079 corked = 1; 1080 setsockopt(con->fd, IPPROTO_TCP, TCP_CORK, &corked, sizeof(corked)); 1081 } 1082#endif 1083 1084 if (srv_socket->is_ssl) { 1085#ifdef USE_OPENSSL 1086 ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes); 1087#endif 1088 } else { 1089 ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes); 1090 } 1091 1092 if (ret >= 0) { 1093 chunkqueue_remove_finished_chunks(cq); 1094 ret = chunkqueue_is_empty(cq) ? 0 : 1; 1095 } 1096 1097#ifdef TCP_CORK 1098 if (corked) { 1099 corked = 0; 1100 setsockopt(con->fd, IPPROTO_TCP, TCP_CORK, &corked, sizeof(corked)); 1101 } 1102#endif 1103 1104 written = cq->bytes_out - written; 1105 con->bytes_written += written; 1106 con->bytes_written_cur_second += written; 1107 1108 *(con->conf.global_bytes_per_second_cnt_ptr) += written; 1109 1110 return ret; 1111} 1112