server.c revision 1.101
1/* $OpenBSD: server.c,v 1.101 2017/01/09 14:49:22 reyk Exp $ */ 2 3/* 4 * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <sys/types.h> 20#include <sys/queue.h> 21#include <sys/time.h> 22#include <sys/stat.h> 23#include <sys/socket.h> 24#include <sys/uio.h> 25#include <sys/tree.h> 26 27#include <netinet/in.h> 28#include <netinet/tcp.h> 29#include <arpa/inet.h> 30 31#include <stdio.h> 32#include <stdlib.h> 33#include <stdarg.h> 34#include <limits.h> 35#include <errno.h> 36#include <fcntl.h> 37#include <string.h> 38#include <syslog.h> 39#include <unistd.h> 40#include <event.h> 41#include <imsg.h> 42#include <tls.h> 43#include <vis.h> 44 45#include "httpd.h" 46 47#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 48 49int server_dispatch_parent(int, struct privsep_proc *, 50 struct imsg *); 51int server_dispatch_logger(int, struct privsep_proc *, 52 struct imsg *); 53void server_shutdown(void); 54 55void server_init(struct privsep *, struct privsep_proc *p, void *); 56void server_launch(void); 57int server_socket(struct sockaddr_storage *, in_port_t, 58 struct server_config *, int, int); 59int server_socket_listen(struct sockaddr_storage *, in_port_t, 60 struct server_config *); 61 62int server_tls_init(struct server *); 63void server_tls_readcb(int, short, void *); 64void server_tls_writecb(int, short, void *); 65void server_tls_handshake(int, short, void *); 66 67void server_accept(int, short, void *); 68void server_input(struct client *); 69void server_inflight_dec(struct client *, const char *); 70 71extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t, 72 size_t, void *); 73 74volatile int server_clients; 75volatile int server_inflight = 0; 76uint32_t server_cltid; 77 78static struct privsep_proc procs[] = { 79 { "parent", PROC_PARENT, server_dispatch_parent }, 80 { "logger", PROC_LOGGER, server_dispatch_logger } 81}; 82 83void 84server(struct privsep *ps, struct privsep_proc *p) 85{ 86 proc_run(ps, p, procs, nitems(procs), server_init, NULL); 87 server_http(); 88} 89 90void 91server_shutdown(void) 92{ 93 config_purge(httpd_env, CONFIG_ALL); 94 usleep(200); /* XXX server needs to shutdown last */ 95} 96 97int 98server_privinit(struct server *srv) 99{ 100 struct server *s; 101 102 if (srv->srv_conf.flags & SRVFLAG_LOCATION) 103 return (0); 104 105 log_debug("%s: adding server %s", __func__, srv->srv_conf.name); 106 107 /* 108 * There's no need to open a new socket if a server with the 109 * same address already exists. 110 */ 111 TAILQ_FOREACH(s, httpd_env->sc_servers, srv_entry) { 112 if (s != srv && s->srv_s != -1 && 113 s->srv_conf.port == srv->srv_conf.port && 114 sockaddr_cmp((struct sockaddr *)&s->srv_conf.ss, 115 (struct sockaddr *)&srv->srv_conf.ss, 116 s->srv_conf.prefixlen) == 0) 117 return (0); 118 } 119 120 /* Open listening socket in the privileged process */ 121 if ((srv->srv_s = server_socket_listen(&srv->srv_conf.ss, 122 srv->srv_conf.port, &srv->srv_conf)) == -1) 123 return (-1); 124 125 return (0); 126} 127 128int 129server_tls_cmp(struct server *s1, struct server *s2, int match_keypair) 130{ 131 struct server_config *sc1, *sc2; 132 133 sc1 = &s1->srv_conf; 134 sc2 = &s2->srv_conf; 135 136 if (sc1->tls_protocols != sc2->tls_protocols) 137 return (-1); 138 if (strcmp(sc1->tls_ciphers, sc2->tls_ciphers) != 0) 139 return (-1); 140 if (strcmp(sc1->tls_dhe_params, sc2->tls_dhe_params) != 0) 141 return (-1); 142 if (strcmp(sc1->tls_ecdhe_curve, sc2->tls_ecdhe_curve) != 0) 143 return (-1); 144 145 if (match_keypair) { 146 if (strcmp(sc1->tls_cert_file, sc2->tls_cert_file) != 0) 147 return (-1); 148 if (strcmp(sc1->tls_key_file, sc2->tls_key_file) != 0) 149 return (-1); 150 } 151 152 return (0); 153} 154 155int 156server_tls_load_keypair(struct server *srv) 157{ 158 if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) 159 return (0); 160 161 if ((srv->srv_conf.tls_cert = tls_load_file(srv->srv_conf.tls_cert_file, 162 &srv->srv_conf.tls_cert_len, NULL)) == NULL) 163 return (-1); 164 log_debug("%s: using certificate %s", __func__, 165 srv->srv_conf.tls_cert_file); 166 167 /* XXX allow to specify password for encrypted key */ 168 if ((srv->srv_conf.tls_key = tls_load_file(srv->srv_conf.tls_key_file, 169 &srv->srv_conf.tls_key_len, NULL)) == NULL) 170 return (-1); 171 log_debug("%s: using private key %s", __func__, 172 srv->srv_conf.tls_key_file); 173 174 return (0); 175} 176 177int 178server_tls_load_ocsp(struct server *srv) 179{ 180 if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) 181 return (0); 182 183 if (srv->srv_conf.tls_ocsp_staple_file == NULL) 184 return (0); 185 186 if ((srv->srv_conf.tls_ocsp_staple = tls_load_file( 187 srv->srv_conf.tls_ocsp_staple_file, 188 &srv->srv_conf.tls_ocsp_staple_len, NULL)) == NULL) 189 return (-1); 190 log_debug("%s: using ocsp staple from %s", __func__, 191 srv->srv_conf.tls_ocsp_staple_file); 192 193 return (0); 194} 195 196int 197server_tls_init(struct server *srv) 198{ 199 struct server_config *srv_conf; 200 201 if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) 202 return (0); 203 204 log_debug("%s: setting up tls for %s", __func__, srv->srv_conf.name); 205 206 if (tls_init() != 0) { 207 log_warnx("%s: failed to initialise tls", __func__); 208 return (-1); 209 } 210 if ((srv->srv_tls_config = tls_config_new()) == NULL) { 211 log_warnx("%s: failed to get tls config", __func__); 212 return (-1); 213 } 214 if ((srv->srv_tls_ctx = tls_server()) == NULL) { 215 log_warnx("%s: failed to get tls server", __func__); 216 return (-1); 217 } 218 219 if (tls_config_set_protocols(srv->srv_tls_config, 220 srv->srv_conf.tls_protocols) != 0) { 221 log_warnx("%s: failed to set tls protocols: %s", 222 __func__, tls_config_error(srv->srv_tls_config)); 223 return (-1); 224 } 225 if (tls_config_set_ciphers(srv->srv_tls_config, 226 srv->srv_conf.tls_ciphers) != 0) { 227 log_warnx("%s: failed to set tls ciphers: %s", 228 __func__, tls_config_error(srv->srv_tls_config)); 229 return (-1); 230 } 231 if (tls_config_set_dheparams(srv->srv_tls_config, 232 srv->srv_conf.tls_dhe_params) != 0) { 233 log_warnx("%s: failed to set tls dhe params: %s", 234 __func__, tls_config_error(srv->srv_tls_config)); 235 return (-1); 236 } 237 if (tls_config_set_ecdhecurve(srv->srv_tls_config, 238 srv->srv_conf.tls_ecdhe_curve) != 0) { 239 log_warnx("%s: failed to set tls ecdhe curve: %s", 240 __func__, tls_config_error(srv->srv_tls_config)); 241 return (-1); 242 } 243 244 if (tls_config_set_keypair_mem(srv->srv_tls_config, 245 srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len, 246 srv->srv_conf.tls_key, srv->srv_conf.tls_key_len) != 0) { 247 log_warnx("%s: failed to set tls certificate/key: %s", 248 __func__, tls_config_error(srv->srv_tls_config)); 249 return (-1); 250 } 251 252 if (srv->srv_conf.tls_ocsp_staple != NULL) { 253 if (tls_config_set_ocsp_staple_mem(srv->srv_tls_config, 254 srv->srv_conf.tls_ocsp_staple, 255 srv->srv_conf.tls_ocsp_staple_len) != 0 ) { 256 log_warnx("%s: failed to add ocsp staple", __func__); 257 return (-1); 258 } 259 } 260 261 TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) { 262 if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL) 263 continue; 264 log_debug("%s: adding keypair for server %s", __func__, 265 srv->srv_conf.name); 266 if (tls_config_add_keypair_mem(srv->srv_tls_config, 267 srv_conf->tls_cert, srv_conf->tls_cert_len, 268 srv_conf->tls_key, srv_conf->tls_key_len) != 0) { 269 log_warnx("%s: failed to add tls keypair", __func__); 270 return (-1); 271 } 272 if (srv_conf->tls_ocsp_staple == NULL) 273 continue; 274 log_debug("%s: adding ocsp staple for server %s", __func__, 275 srv->srv_conf.name); 276 if (tls_config_set_ocsp_staple_mem(srv->srv_tls_config, 277 srv_conf->tls_ocsp_staple, srv_conf->tls_ocsp_staple_len) 278 != 0 ) { 279 log_warnx("%s: failed to add ocsp staple", __func__); 280 return (-1); 281 } 282 } 283 284 if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) { 285 log_warnx("%s: failed to configure tls - %s", __func__, 286 tls_error(srv->srv_tls_ctx)); 287 return (-1); 288 } 289 290 /* We're now done with the public/private key... */ 291 tls_config_clear_keys(srv->srv_tls_config); 292 explicit_bzero(srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len); 293 explicit_bzero(srv->srv_conf.tls_key, srv->srv_conf.tls_key_len); 294 free(srv->srv_conf.tls_cert); 295 free(srv->srv_conf.tls_key); 296 srv->srv_conf.tls_cert = NULL; 297 srv->srv_conf.tls_key = NULL; 298 srv->srv_conf.tls_cert_len = 0; 299 srv->srv_conf.tls_key_len = 0; 300 301 return (0); 302} 303 304void 305server_init(struct privsep *ps, struct privsep_proc *p, void *arg) 306{ 307 server_http(); 308 309 if (config_init(ps->ps_env) == -1) 310 fatal("failed to initialize configuration"); 311 312 /* We use a custom shutdown callback */ 313 p->p_shutdown = server_shutdown; 314 315 /* Unlimited file descriptors (use system limits) */ 316 socket_rlimit(-1); 317 318 if (pledge("stdio rpath inet unix recvfd", NULL) == -1) 319 fatal("pledge"); 320 321#if 0 322 /* Schedule statistics timer */ 323 evtimer_set(&ps->ps_env->sc_statev, server_statistics, NULL); 324 memcpy(&tv, &ps->ps_env->sc_statinterval, sizeof(tv)); 325 evtimer_add(&ps->ps_env->sc_statev, &tv); 326#endif 327} 328 329void 330server_launch(void) 331{ 332 struct server *srv; 333 334 TAILQ_FOREACH(srv, httpd_env->sc_servers, srv_entry) { 335 log_debug("%s: configuring server %s", __func__, 336 srv->srv_conf.name); 337 338 server_tls_init(srv); 339 server_http_init(srv); 340 341 log_debug("%s: running server %s", __func__, 342 srv->srv_conf.name); 343 344 event_set(&srv->srv_ev, srv->srv_s, EV_READ, 345 server_accept, srv); 346 event_add(&srv->srv_ev, NULL); 347 evtimer_set(&srv->srv_evt, server_accept, srv); 348 } 349} 350 351void 352server_purge(struct server *srv) 353{ 354 struct client *clt; 355 struct server_config *srv_conf; 356 357 /* shutdown and remove server */ 358 if (event_initialized(&srv->srv_ev)) 359 event_del(&srv->srv_ev); 360 if (evtimer_initialized(&srv->srv_evt)) 361 evtimer_del(&srv->srv_evt); 362 363 if (srv->srv_s != -1) 364 close(srv->srv_s); 365 TAILQ_REMOVE(httpd_env->sc_servers, srv, srv_entry); 366 367 /* cleanup sessions */ 368 while ((clt = 369 SPLAY_ROOT(&srv->srv_clients)) != NULL) 370 server_close(clt, NULL); 371 372 /* cleanup hosts */ 373 while ((srv_conf = 374 TAILQ_FIRST(&srv->srv_hosts)) != NULL) { 375 TAILQ_REMOVE(&srv->srv_hosts, srv_conf, entry); 376 377 /* It might point to our own "default" entry */ 378 if (srv_conf != &srv->srv_conf) { 379 serverconfig_free(srv_conf); 380 free(srv_conf); 381 } 382 } 383 384 tls_config_free(srv->srv_tls_config); 385 tls_free(srv->srv_tls_ctx); 386 387 free(srv); 388} 389 390void 391serverconfig_free(struct server_config *srv_conf) 392{ 393 free(srv_conf->return_uri); 394 free(srv_conf->tls_cert_file); 395 free(srv_conf->tls_key_file); 396 free(srv_conf->tls_ocsp_staple_file); 397 free(srv_conf->tls_ocsp_staple); 398 399 if (srv_conf->tls_cert != NULL) { 400 explicit_bzero(srv_conf->tls_cert, srv_conf->tls_cert_len); 401 free(srv_conf->tls_cert); 402 } 403 404 if (srv_conf->tls_key != NULL) { 405 explicit_bzero(srv_conf->tls_key, srv_conf->tls_key_len); 406 free(srv_conf->tls_key); 407 } 408} 409 410void 411serverconfig_reset(struct server_config *srv_conf) 412{ 413 srv_conf->auth = NULL; 414 srv_conf->return_uri = NULL; 415 srv_conf->tls_cert = NULL; 416 srv_conf->tls_cert_file = NULL; 417 srv_conf->tls_key = NULL; 418 srv_conf->tls_key_file = NULL; 419 srv_conf->tls_ocsp_staple = NULL; 420 srv_conf->tls_ocsp_staple_file = NULL; 421} 422 423struct server * 424server_byaddr(struct sockaddr *addr, in_port_t port) 425{ 426 struct server *srv; 427 428 TAILQ_FOREACH(srv, httpd_env->sc_servers, srv_entry) { 429 if (port == srv->srv_conf.port && 430 sockaddr_cmp((struct sockaddr *)&srv->srv_conf.ss, 431 addr, srv->srv_conf.prefixlen) == 0) 432 return (srv); 433 } 434 435 return (NULL); 436} 437 438struct server_config * 439serverconfig_byid(uint32_t id) 440{ 441 struct server *srv; 442 struct server_config *srv_conf; 443 444 TAILQ_FOREACH(srv, httpd_env->sc_servers, srv_entry) { 445 if (srv->srv_conf.id == id) 446 return (&srv->srv_conf); 447 TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) { 448 if (srv_conf->id == id) 449 return (srv_conf); 450 } 451 } 452 453 return (NULL); 454} 455 456int 457server_foreach(int (*srv_cb)(struct server *, 458 struct server_config *, void *), void *arg) 459{ 460 struct server *srv; 461 struct server_config *srv_conf; 462 463 TAILQ_FOREACH(srv, httpd_env->sc_servers, srv_entry) { 464 if ((srv_cb)(srv, &srv->srv_conf, arg) == -1) 465 return (-1); 466 TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) { 467 if ((srv_cb)(srv, srv_conf, arg) == -1) 468 return (-1); 469 } 470 } 471 472 return (0); 473} 474 475struct server * 476server_match(struct server *s2, int match_name) 477{ 478 struct server *s1; 479 480 /* Attempt to find matching server. */ 481 TAILQ_FOREACH(s1, httpd_env->sc_servers, srv_entry) { 482 if ((s1->srv_conf.flags & SRVFLAG_LOCATION) != 0) 483 continue; 484 if (match_name) { 485 if (strcmp(s1->srv_conf.name, s2->srv_conf.name) != 0) 486 continue; 487 } 488 if (s1->srv_conf.port != s2->srv_conf.port) 489 continue; 490 if (sockaddr_cmp( 491 (struct sockaddr *)&s1->srv_conf.ss, 492 (struct sockaddr *)&s2->srv_conf.ss, 493 s1->srv_conf.prefixlen) != 0) 494 continue; 495 496 return (s1); 497 } 498 499 return (NULL); 500} 501 502int 503server_socket_af(struct sockaddr_storage *ss, in_port_t port) 504{ 505 switch (ss->ss_family) { 506 case AF_INET: 507 ((struct sockaddr_in *)ss)->sin_port = port; 508 ((struct sockaddr_in *)ss)->sin_len = 509 sizeof(struct sockaddr_in); 510 break; 511 case AF_INET6: 512 ((struct sockaddr_in6 *)ss)->sin6_port = port; 513 ((struct sockaddr_in6 *)ss)->sin6_len = 514 sizeof(struct sockaddr_in6); 515 break; 516 default: 517 return (-1); 518 } 519 520 return (0); 521} 522 523in_port_t 524server_socket_getport(struct sockaddr_storage *ss) 525{ 526 switch (ss->ss_family) { 527 case AF_INET: 528 return (((struct sockaddr_in *)ss)->sin_port); 529 case AF_INET6: 530 return (((struct sockaddr_in6 *)ss)->sin6_port); 531 default: 532 return (0); 533 } 534 535 /* NOTREACHED */ 536 return (0); 537} 538 539int 540server_socket(struct sockaddr_storage *ss, in_port_t port, 541 struct server_config *srv_conf, int fd, int reuseport) 542{ 543 struct linger lng; 544 int s = -1, val; 545 546 if (server_socket_af(ss, port) == -1) 547 goto bad; 548 549 s = fd == -1 ? socket(ss->ss_family, SOCK_STREAM | SOCK_NONBLOCK, 550 IPPROTO_TCP) : fd; 551 if (s == -1) 552 goto bad; 553 554 /* 555 * Socket options 556 */ 557 memset(&lng, 0, sizeof(lng)); 558 if (setsockopt(s, SOL_SOCKET, SO_LINGER, &lng, sizeof(lng)) == -1) 559 goto bad; 560 if (reuseport) { 561 val = 1; 562 if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &val, 563 sizeof(int)) == -1) 564 goto bad; 565 } 566 if (srv_conf->tcpflags & TCPFLAG_BUFSIZ) { 567 val = srv_conf->tcpbufsiz; 568 if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, 569 &val, sizeof(val)) == -1) 570 goto bad; 571 val = srv_conf->tcpbufsiz; 572 if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, 573 &val, sizeof(val)) == -1) 574 goto bad; 575 } 576 577 /* 578 * IP options 579 */ 580 if (srv_conf->tcpflags & TCPFLAG_IPTTL) { 581 val = (int)srv_conf->tcpipttl; 582 switch (ss->ss_family) { 583 case AF_INET: 584 if (setsockopt(s, IPPROTO_IP, IP_TTL, 585 &val, sizeof(val)) == -1) 586 goto bad; 587 break; 588 case AF_INET6: 589 if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS, 590 &val, sizeof(val)) == -1) 591 goto bad; 592 break; 593 } 594 } 595 if (srv_conf->tcpflags & TCPFLAG_IPMINTTL) { 596 val = (int)srv_conf->tcpipminttl; 597 switch (ss->ss_family) { 598 case AF_INET: 599 if (setsockopt(s, IPPROTO_IP, IP_MINTTL, 600 &val, sizeof(val)) == -1) 601 goto bad; 602 break; 603 case AF_INET6: 604 if (setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT, 605 &val, sizeof(val)) == -1) 606 goto bad; 607 break; 608 } 609 } 610 611 /* 612 * TCP options 613 */ 614 if (srv_conf->tcpflags & (TCPFLAG_NODELAY|TCPFLAG_NNODELAY)) { 615 if (srv_conf->tcpflags & TCPFLAG_NNODELAY) 616 val = 0; 617 else 618 val = 1; 619 if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, 620 &val, sizeof(val)) == -1) 621 goto bad; 622 } 623 if (srv_conf->tcpflags & (TCPFLAG_SACK|TCPFLAG_NSACK)) { 624 if (srv_conf->tcpflags & TCPFLAG_NSACK) 625 val = 0; 626 else 627 val = 1; 628 if (setsockopt(s, IPPROTO_TCP, TCP_SACK_ENABLE, 629 &val, sizeof(val)) == -1) 630 goto bad; 631 } 632 633 return (s); 634 635 bad: 636 if (s != -1) 637 close(s); 638 return (-1); 639} 640 641int 642server_socket_listen(struct sockaddr_storage *ss, in_port_t port, 643 struct server_config *srv_conf) 644{ 645 int s; 646 647 if ((s = server_socket(ss, port, srv_conf, -1, 1)) == -1) 648 return (-1); 649 650 if (bind(s, (struct sockaddr *)ss, ss->ss_len) == -1) 651 goto bad; 652 if (listen(s, srv_conf->tcpbacklog) == -1) 653 goto bad; 654 655 return (s); 656 657 bad: 658 close(s); 659 return (-1); 660} 661 662int 663server_socket_connect(struct sockaddr_storage *ss, in_port_t port, 664 struct server_config *srv_conf) 665{ 666 int s; 667 668 if ((s = server_socket(ss, port, srv_conf, -1, 0)) == -1) 669 return (-1); 670 671 if (connect(s, (struct sockaddr *)ss, ss->ss_len) == -1) { 672 if (errno != EINPROGRESS) 673 goto bad; 674 } 675 676 return (s); 677 678 bad: 679 close(s); 680 return (-1); 681} 682 683void 684server_tls_readcb(int fd, short event, void *arg) 685{ 686 struct bufferevent *bufev = arg; 687 struct client *clt = bufev->cbarg; 688 char rbuf[IBUF_READ_SIZE]; 689 int what = EVBUFFER_READ; 690 int howmuch = IBUF_READ_SIZE; 691 ssize_t ret; 692 size_t len; 693 694 if (event == EV_TIMEOUT) { 695 what |= EVBUFFER_TIMEOUT; 696 goto err; 697 } 698 699 if (bufev->wm_read.high != 0) 700 howmuch = MINIMUM(sizeof(rbuf), bufev->wm_read.high); 701 702 ret = tls_read(clt->clt_tls_ctx, rbuf, howmuch); 703 if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) { 704 goto retry; 705 } else if (ret < 0) { 706 what |= EVBUFFER_ERROR; 707 goto err; 708 } 709 len = ret; 710 711 if (len == 0) { 712 what |= EVBUFFER_EOF; 713 goto err; 714 } 715 716 if (evbuffer_add(bufev->input, rbuf, len) == -1) { 717 what |= EVBUFFER_ERROR; 718 goto err; 719 } 720 721 server_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 722 723 len = EVBUFFER_LENGTH(bufev->input); 724 if (bufev->wm_read.low != 0 && len < bufev->wm_read.low) 725 return; 726 if (bufev->wm_read.high != 0 && len > bufev->wm_read.high) { 727 struct evbuffer *buf = bufev->input; 728 event_del(&bufev->ev_read); 729 evbuffer_setcb(buf, bufferevent_read_pressure_cb, bufev); 730 return; 731 } 732 733 if (bufev->readcb != NULL) 734 (*bufev->readcb)(bufev, bufev->cbarg); 735 return; 736 737 retry: 738 server_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 739 return; 740 741 err: 742 (*bufev->errorcb)(bufev, what, bufev->cbarg); 743} 744 745void 746server_tls_writecb(int fd, short event, void *arg) 747{ 748 struct bufferevent *bufev = arg; 749 struct client *clt = bufev->cbarg; 750 ssize_t ret; 751 short what = EVBUFFER_WRITE; 752 size_t len; 753 754 if (event == EV_TIMEOUT) { 755 what |= EVBUFFER_TIMEOUT; 756 goto err; 757 } 758 759 if (EVBUFFER_LENGTH(bufev->output)) { 760 ret = tls_write(clt->clt_tls_ctx, 761 EVBUFFER_DATA(bufev->output), 762 EVBUFFER_LENGTH(bufev->output)); 763 if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) { 764 goto retry; 765 } else if (ret < 0) { 766 what |= EVBUFFER_ERROR; 767 goto err; 768 } 769 len = ret; 770 evbuffer_drain(bufev->output, len); 771 } 772 773 if (EVBUFFER_LENGTH(bufev->output) != 0) 774 server_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 775 776 if (bufev->writecb != NULL && 777 EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low) 778 (*bufev->writecb)(bufev, bufev->cbarg); 779 return; 780 781 retry: 782 server_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 783 return; 784 785 err: 786 (*bufev->errorcb)(bufev, what, bufev->cbarg); 787} 788 789void 790server_input(struct client *clt) 791{ 792 struct server_config *srv_conf = clt->clt_srv_conf; 793 evbuffercb inrd = server_read; 794 evbuffercb inwr = server_write; 795 socklen_t slen; 796 797 if (server_httpdesc_init(clt) == -1) { 798 server_close(clt, "failed to allocate http descriptor"); 799 return; 800 } 801 802 clt->clt_toread = TOREAD_HTTP_HEADER; 803 inrd = server_read_http; 804 805 slen = sizeof(clt->clt_sndbufsiz); 806 if (getsockopt(clt->clt_s, SOL_SOCKET, SO_SNDBUF, 807 &clt->clt_sndbufsiz, &slen) == -1) { 808 server_close(clt, "failed to get send buffer size"); 809 return; 810 } 811 812 /* 813 * Client <-> Server 814 */ 815 clt->clt_bev = bufferevent_new(clt->clt_s, inrd, inwr, 816 server_error, clt); 817 if (clt->clt_bev == NULL) { 818 server_close(clt, "failed to allocate input buffer event"); 819 return; 820 } 821 822 if (srv_conf->flags & SRVFLAG_TLS) { 823 event_set(&clt->clt_bev->ev_read, clt->clt_s, EV_READ, 824 server_tls_readcb, clt->clt_bev); 825 event_set(&clt->clt_bev->ev_write, clt->clt_s, EV_WRITE, 826 server_tls_writecb, clt->clt_bev); 827 } 828 829 /* Adjust write watermark to the socket buffer output size */ 830 bufferevent_setwatermark(clt->clt_bev, EV_WRITE, 831 SERVER_MIN_PREFETCHED * clt->clt_sndbufsiz, 0); 832 /* Read at most amount of data that fits in one fcgi record. */ 833 bufferevent_setwatermark(clt->clt_bev, EV_READ, 0, FCGI_CONTENT_SIZE); 834 835 bufferevent_settimeout(clt->clt_bev, 836 srv_conf->timeout.tv_sec, srv_conf->timeout.tv_sec); 837 bufferevent_enable(clt->clt_bev, EV_READ|EV_WRITE); 838} 839 840void 841server_write(struct bufferevent *bev, void *arg) 842{ 843 struct client *clt = arg; 844 struct evbuffer *dst = EVBUFFER_OUTPUT(bev); 845 846 if (EVBUFFER_LENGTH(dst) == 0 && 847 clt->clt_toread == TOREAD_HTTP_NONE) 848 goto done; 849 850 getmonotime(&clt->clt_tv_last); 851 852 if (clt->clt_done) 853 goto done; 854 855 bufferevent_enable(bev, EV_READ); 856 857 if (clt->clt_srvbev && clt->clt_srvbev_throttled) { 858 bufferevent_enable(clt->clt_srvbev, EV_READ); 859 clt->clt_srvbev_throttled = 0; 860 } 861 862 return; 863 done: 864 (*bev->errorcb)(bev, EVBUFFER_WRITE|EVBUFFER_EOF, bev->cbarg); 865 return; 866} 867 868void 869server_dump(struct client *clt, const void *buf, size_t len) 870{ 871 if (!len) 872 return; 873 874 /* 875 * This function will dump the specified message directly 876 * to the underlying client, without waiting for success 877 * of non-blocking events etc. This is useful to print an 878 * error message before gracefully closing the client. 879 */ 880 if (clt->clt_tls_ctx != NULL) 881 (void)tls_write(clt->clt_tls_ctx, buf, len); 882 else 883 (void)write(clt->clt_s, buf, len); 884} 885 886void 887server_read(struct bufferevent *bev, void *arg) 888{ 889 struct client *clt = arg; 890 struct evbuffer *src = EVBUFFER_INPUT(bev); 891 892 getmonotime(&clt->clt_tv_last); 893 894 if (!EVBUFFER_LENGTH(src)) 895 return; 896 if (server_bufferevent_write_buffer(clt, src) == -1) 897 goto fail; 898 if (clt->clt_done) 899 goto done; 900 901 if (EVBUFFER_LENGTH(EVBUFFER_OUTPUT(clt->clt_bev)) > (size_t) 902 SERVER_MAX_PREFETCH * clt->clt_sndbufsiz) { 903 bufferevent_disable(clt->clt_srvbev, EV_READ); 904 clt->clt_srvbev_throttled = 1; 905 } 906 907 return; 908 done: 909 (*bev->errorcb)(bev, EVBUFFER_READ|EVBUFFER_EOF, bev->cbarg); 910 return; 911 fail: 912 server_close(clt, strerror(errno)); 913} 914 915void 916server_error(struct bufferevent *bev, short error, void *arg) 917{ 918 struct client *clt = arg; 919 struct evbuffer *dst; 920 921 if (error & EVBUFFER_TIMEOUT) { 922 server_close(clt, "buffer event timeout"); 923 return; 924 } 925 if (error & EVBUFFER_ERROR) { 926 if (errno == EFBIG) { 927 bufferevent_enable(bev, EV_READ); 928 return; 929 } 930 server_close(clt, "buffer event error"); 931 return; 932 } 933 if (error & (EVBUFFER_READ|EVBUFFER_WRITE|EVBUFFER_EOF)) { 934 bufferevent_disable(bev, EV_READ|EV_WRITE); 935 936 clt->clt_done = 1; 937 938 dst = EVBUFFER_OUTPUT(clt->clt_bev); 939 if (EVBUFFER_LENGTH(dst)) { 940 /* Finish writing all data first */ 941 bufferevent_enable(clt->clt_bev, EV_WRITE); 942 return; 943 } 944 945 server_close(clt, "done"); 946 return; 947 } 948 server_close(clt, "unknown event error"); 949 return; 950} 951 952void 953server_accept(int fd, short event, void *arg) 954{ 955 struct server *srv = arg; 956 struct client *clt = NULL; 957 socklen_t slen; 958 struct sockaddr_storage ss; 959 int s = -1; 960 961 event_add(&srv->srv_ev, NULL); 962 if ((event & EV_TIMEOUT)) 963 return; 964 965 slen = sizeof(ss); 966 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, 967 &slen, FD_RESERVE, &server_inflight)) == -1) { 968 /* 969 * Pause accept if we are out of file descriptors, or 970 * libevent will haunt us here too. 971 */ 972 if (errno == ENFILE || errno == EMFILE) { 973 struct timeval evtpause = { 1, 0 }; 974 975 event_del(&srv->srv_ev); 976 evtimer_add(&srv->srv_evt, &evtpause); 977 log_debug("%s: deferring connections", __func__); 978 } 979 return; 980 } 981 if (server_clients >= SERVER_MAX_CLIENTS) 982 goto err; 983 984 if ((clt = calloc(1, sizeof(*clt))) == NULL) 985 goto err; 986 987 /* Pre-allocate log buffer */ 988 clt->clt_log = evbuffer_new(); 989 if (clt->clt_log == NULL) 990 goto err; 991 992 clt->clt_s = s; 993 clt->clt_fd = -1; 994 clt->clt_toread = TOREAD_UNLIMITED; 995 clt->clt_srv = srv; 996 clt->clt_srv_conf = &srv->srv_conf; 997 clt->clt_id = ++server_cltid; 998 clt->clt_srv_id = srv->srv_conf.id; 999 clt->clt_pid = getpid(); 1000 clt->clt_inflight = 1; 1001 1002 /* get local address */ 1003 slen = sizeof(clt->clt_srv_ss); 1004 if (getsockname(s, (struct sockaddr *)&clt->clt_srv_ss, 1005 &slen) == -1) { 1006 server_close(clt, "listen address lookup failed"); 1007 return; 1008 } 1009 1010 /* get client address */ 1011 memcpy(&clt->clt_ss, &ss, sizeof(clt->clt_ss)); 1012 1013 /* get ports */ 1014 switch (ss.ss_family) { 1015 case AF_INET: 1016 clt->clt_port = ((struct sockaddr_in *)&ss)->sin_port; 1017 break; 1018 case AF_INET6: 1019 clt->clt_port = ((struct sockaddr_in6 *)&ss)->sin6_port; 1020 break; 1021 } 1022 1023 getmonotime(&clt->clt_tv_start); 1024 memcpy(&clt->clt_tv_last, &clt->clt_tv_start, sizeof(clt->clt_tv_last)); 1025 1026 server_clients++; 1027 SPLAY_INSERT(client_tree, &srv->srv_clients, clt); 1028 1029 /* Pre-allocate output buffer */ 1030 clt->clt_output = evbuffer_new(); 1031 if (clt->clt_output == NULL) { 1032 server_close(clt, "failed to allocate output buffer"); 1033 return; 1034 } 1035 1036 if (srv->srv_conf.flags & SRVFLAG_TLS) { 1037 if (tls_accept_socket(srv->srv_tls_ctx, &clt->clt_tls_ctx, 1038 clt->clt_s) != 0) { 1039 server_close(clt, "failed to setup tls context"); 1040 return; 1041 } 1042 event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_READ, 1043 server_tls_handshake, &clt->clt_tv_start, 1044 &srv->srv_conf.timeout, clt); 1045 return; 1046 } 1047 1048 server_input(clt); 1049 return; 1050 1051 err: 1052 if (s != -1) { 1053 close(s); 1054 free(clt); 1055 /* 1056 * the client struct was not completely set up, but still 1057 * counted as an inflight client. account for this. 1058 */ 1059 server_inflight_dec(NULL, __func__); 1060 } 1061} 1062 1063void 1064server_tls_handshake(int fd, short event, void *arg) 1065{ 1066 struct client *clt = (struct client *)arg; 1067 struct server *srv = (struct server *)clt->clt_srv; 1068 int ret; 1069 1070 if (event == EV_TIMEOUT) { 1071 server_close(clt, "tls handshake timeout"); 1072 return; 1073 } 1074 1075 if (srv->srv_tls_ctx == NULL || clt->clt_tls_ctx == NULL) 1076 fatalx("NULL tls context"); 1077 1078 ret = tls_handshake(clt->clt_tls_ctx); 1079 if (ret == 0) { 1080 server_input(clt); 1081 } else if (ret == TLS_WANT_POLLIN) { 1082 event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_READ, 1083 server_tls_handshake, &clt->clt_tv_start, 1084 &srv->srv_conf.timeout, clt); 1085 } else if (ret == TLS_WANT_POLLOUT) { 1086 event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_WRITE, 1087 server_tls_handshake, &clt->clt_tv_start, 1088 &srv->srv_conf.timeout, clt); 1089 } else { 1090 log_debug("%s: tls handshake failed - %s", __func__, 1091 tls_error(clt->clt_tls_ctx)); 1092 server_close(clt, "tls handshake failed"); 1093 } 1094} 1095 1096void 1097server_inflight_dec(struct client *clt, const char *why) 1098{ 1099 if (clt != NULL) { 1100 /* the flight already left inflight mode. */ 1101 if (clt->clt_inflight == 0) 1102 return; 1103 clt->clt_inflight = 0; 1104 } 1105 1106 /* the file was never opened, thus this was an inflight client. */ 1107 server_inflight--; 1108 DPRINTF("%s: inflight decremented, now %d, %s", 1109 __func__, server_inflight, why); 1110} 1111 1112void 1113server_sendlog(struct server_config *srv_conf, int cmd, const char *emsg, ...) 1114{ 1115 va_list ap; 1116 char *msg; 1117 int ret; 1118 struct iovec iov[2]; 1119 1120 if (srv_conf->flags & SRVFLAG_SYSLOG) { 1121 va_start(ap, emsg); 1122 if (cmd == IMSG_LOG_ACCESS) 1123 vlog(LOG_INFO, emsg, ap); 1124 else 1125 vlog(LOG_DEBUG, emsg, ap); 1126 va_end(ap); 1127 return; 1128 } 1129 1130 va_start(ap, emsg); 1131 ret = vasprintf(&msg, emsg, ap); 1132 va_end(ap); 1133 if (ret == -1) { 1134 log_warn("%s: vasprintf", __func__); 1135 return; 1136 } 1137 1138 iov[0].iov_base = &srv_conf->id; 1139 iov[0].iov_len = sizeof(srv_conf->id); 1140 iov[1].iov_base = msg; 1141 iov[1].iov_len = strlen(msg) + 1; 1142 1143 if (proc_composev(httpd_env->sc_ps, PROC_LOGGER, cmd, iov, 2) != 0) { 1144 log_warn("%s: failed to compose imsg", __func__); 1145 return; 1146 } 1147} 1148 1149void 1150server_log(struct client *clt, const char *msg) 1151{ 1152 char ibuf[HOST_NAME_MAX+1], obuf[HOST_NAME_MAX+1]; 1153 struct server_config *srv_conf = clt->clt_srv_conf; 1154 char *ptr = NULL, *vmsg = NULL; 1155 int debug_cmd = -1; 1156 1157 switch (srv_conf->logformat) { 1158 case LOG_FORMAT_CONNECTION: 1159 debug_cmd = IMSG_LOG_ACCESS; 1160 break; 1161 default: 1162 if (log_getverbose() > 1) 1163 debug_cmd = IMSG_LOG_ERROR; 1164 if (EVBUFFER_LENGTH(clt->clt_log)) { 1165 while ((ptr = 1166 evbuffer_readline(clt->clt_log)) != NULL) { 1167 server_sendlog(srv_conf, 1168 IMSG_LOG_ACCESS, "%s", ptr); 1169 free(ptr); 1170 } 1171 } 1172 break; 1173 } 1174 1175 if (debug_cmd != -1 && msg != NULL) { 1176 memset(ibuf, 0, sizeof(ibuf)); 1177 memset(obuf, 0, sizeof(obuf)); 1178 (void)print_host(&clt->clt_ss, ibuf, sizeof(ibuf)); 1179 (void)server_http_host(&clt->clt_srv_ss, obuf, sizeof(obuf)); 1180 if (EVBUFFER_LENGTH(clt->clt_log) && 1181 evbuffer_add_printf(clt->clt_log, "\n") != -1) 1182 ptr = evbuffer_readline(clt->clt_log); 1183 (void)stravis(&vmsg, msg, HTTPD_LOGVIS); 1184 server_sendlog(srv_conf, debug_cmd, "server %s, " 1185 "client %d (%d active), %s:%u -> %s, " 1186 "%s%s%s", srv_conf->name, clt->clt_id, server_clients, 1187 ibuf, ntohs(clt->clt_port), obuf, vmsg == NULL ? "" : vmsg, 1188 ptr == NULL ? "" : ",", ptr == NULL ? "" : ptr); 1189 free(vmsg); 1190 free(ptr); 1191 } 1192} 1193 1194void 1195server_close(struct client *clt, const char *msg) 1196{ 1197 struct server *srv = clt->clt_srv; 1198 1199 SPLAY_REMOVE(client_tree, &srv->srv_clients, clt); 1200 1201 /* free the HTTP descriptors incl. headers */ 1202 server_close_http(clt); 1203 1204 event_del(&clt->clt_ev); 1205 if (clt->clt_bev != NULL) 1206 bufferevent_disable(clt->clt_bev, EV_READ|EV_WRITE); 1207 if (clt->clt_srvbev != NULL) 1208 bufferevent_disable(clt->clt_srvbev, EV_READ|EV_WRITE); 1209 1210 server_log(clt, msg); 1211 1212 if (clt->clt_bev != NULL) 1213 bufferevent_free(clt->clt_bev); 1214 if (clt->clt_output != NULL) 1215 evbuffer_free(clt->clt_output); 1216 if (clt->clt_srvevb != NULL) 1217 evbuffer_free(clt->clt_srvevb); 1218 1219 if (clt->clt_srvbev != NULL) 1220 bufferevent_free(clt->clt_srvbev); 1221 if (clt->clt_fd != -1) 1222 close(clt->clt_fd); 1223 if (clt->clt_s != -1) 1224 close(clt->clt_s); 1225 1226 if (clt->clt_tls_ctx != NULL) 1227 tls_close(clt->clt_tls_ctx); 1228 tls_free(clt->clt_tls_ctx); 1229 1230 server_inflight_dec(clt, __func__); 1231 1232 if (clt->clt_log != NULL) 1233 evbuffer_free(clt->clt_log); 1234 1235 free(clt); 1236 server_clients--; 1237} 1238 1239int 1240server_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) 1241{ 1242 switch (imsg->hdr.type) { 1243 case IMSG_CFG_MEDIA: 1244 config_getmedia(httpd_env, imsg); 1245 break; 1246 case IMSG_CFG_AUTH: 1247 config_getauth(httpd_env, imsg); 1248 break; 1249 case IMSG_CFG_SERVER: 1250 config_getserver(httpd_env, imsg); 1251 break; 1252 case IMSG_CFG_TLS: 1253 config_gettls(httpd_env, imsg); 1254 break; 1255 case IMSG_CFG_DONE: 1256 config_getcfg(httpd_env, imsg); 1257 break; 1258 case IMSG_CTL_START: 1259 server_launch(); 1260 break; 1261 case IMSG_CTL_RESET: 1262 config_getreset(httpd_env, imsg); 1263 break; 1264 default: 1265 return (-1); 1266 } 1267 1268 return (0); 1269} 1270 1271int 1272server_dispatch_logger(int fd, struct privsep_proc *p, struct imsg *imsg) 1273{ 1274 switch (imsg->hdr.type) { 1275 default: 1276 return (-1); 1277 } 1278 1279 return (0); 1280} 1281 1282int 1283server_bufferevent_add(struct event *ev, int timeout) 1284{ 1285 struct timeval tv, *ptv = NULL; 1286 1287 if (timeout) { 1288 timerclear(&tv); 1289 tv.tv_sec = timeout; 1290 ptv = &tv; 1291 } 1292 1293 return (event_add(ev, ptv)); 1294} 1295 1296int 1297server_bufferevent_printf(struct client *clt, const char *fmt, ...) 1298{ 1299 int ret; 1300 va_list ap; 1301 char *str; 1302 1303 va_start(ap, fmt); 1304 ret = vasprintf(&str, fmt, ap); 1305 va_end(ap); 1306 1307 if (ret == -1) 1308 return (ret); 1309 1310 ret = server_bufferevent_print(clt, str); 1311 free(str); 1312 1313 return (ret); 1314} 1315 1316int 1317server_bufferevent_print(struct client *clt, const char *str) 1318{ 1319 if (clt->clt_bev == NULL) 1320 return (evbuffer_add(clt->clt_output, str, strlen(str))); 1321 return (bufferevent_write(clt->clt_bev, str, strlen(str))); 1322} 1323 1324int 1325server_bufferevent_write_buffer(struct client *clt, struct evbuffer *buf) 1326{ 1327 if (clt->clt_bev == NULL) 1328 return (evbuffer_add_buffer(clt->clt_output, buf)); 1329 return (bufferevent_write_buffer(clt->clt_bev, buf)); 1330} 1331 1332int 1333server_bufferevent_write_chunk(struct client *clt, 1334 struct evbuffer *buf, size_t size) 1335{ 1336 int ret; 1337 ret = server_bufferevent_write(clt, buf->buffer, size); 1338 if (ret != -1) 1339 evbuffer_drain(buf, size); 1340 return (ret); 1341} 1342 1343int 1344server_bufferevent_write(struct client *clt, void *data, size_t size) 1345{ 1346 if (clt->clt_bev == NULL) 1347 return (evbuffer_add(clt->clt_output, data, size)); 1348 return (bufferevent_write(clt->clt_bev, data, size)); 1349} 1350 1351int 1352server_client_cmp(struct client *a, struct client *b) 1353{ 1354 return ((int)a->clt_id - b->clt_id); 1355} 1356 1357SPLAY_GENERATE(client_tree, client, clt_nodes, server_client_cmp); 1358