server.c revision 1.106
1/* $OpenBSD: server.c,v 1.106 2017/02/02 22:19:59 reyk Exp $ */ 2 3/* 4 * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <sys/types.h> 20#include <sys/queue.h> 21#include <sys/time.h> 22#include <sys/stat.h> 23#include <sys/socket.h> 24#include <sys/uio.h> 25#include <sys/tree.h> 26 27#include <netinet/in.h> 28#include <netinet/tcp.h> 29#include <arpa/inet.h> 30 31#include <stdio.h> 32#include <stdlib.h> 33#include <stdarg.h> 34#include <limits.h> 35#include <errno.h> 36#include <fcntl.h> 37#include <string.h> 38#include <syslog.h> 39#include <unistd.h> 40#include <event.h> 41#include <imsg.h> 42#include <tls.h> 43#include <vis.h> 44 45#include "httpd.h" 46 47#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 48 49int server_dispatch_parent(int, struct privsep_proc *, 50 struct imsg *); 51int server_dispatch_logger(int, struct privsep_proc *, 52 struct imsg *); 53void server_shutdown(void); 54 55void server_init(struct privsep *, struct privsep_proc *p, void *); 56void server_launch(void); 57int server_socket(struct sockaddr_storage *, in_port_t, 58 struct server_config *, int, int); 59int server_socket_listen(struct sockaddr_storage *, in_port_t, 60 struct server_config *); 61 62int server_tls_init(struct server *); 63void server_tls_readcb(int, short, void *); 64void server_tls_writecb(int, short, void *); 65void server_tls_handshake(int, short, void *); 66 67void server_accept(int, short, void *); 68void server_input(struct client *); 69void server_inflight_dec(struct client *, const char *); 70 71extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t, 72 size_t, void *); 73 74volatile int server_clients; 75volatile int server_inflight = 0; 76uint32_t server_cltid; 77 78static struct privsep_proc procs[] = { 79 { "parent", PROC_PARENT, server_dispatch_parent }, 80 { "logger", PROC_LOGGER, server_dispatch_logger } 81}; 82 83void 84server(struct privsep *ps, struct privsep_proc *p) 85{ 86 proc_run(ps, p, procs, nitems(procs), server_init, NULL); 87 server_http(); 88} 89 90void 91server_shutdown(void) 92{ 93 config_purge(httpd_env, CONFIG_ALL); 94 usleep(200); /* XXX server needs to shutdown last */ 95} 96 97int 98server_privinit(struct server *srv) 99{ 100 struct server *s; 101 102 if (srv->srv_conf.flags & SRVFLAG_LOCATION) 103 return (0); 104 105 log_debug("%s: adding server %s", __func__, srv->srv_conf.name); 106 107 /* 108 * There's no need to open a new socket if a server with the 109 * same address already exists. 110 */ 111 TAILQ_FOREACH(s, httpd_env->sc_servers, srv_entry) { 112 if (s != srv && s->srv_s != -1 && 113 s->srv_conf.port == srv->srv_conf.port && 114 sockaddr_cmp((struct sockaddr *)&s->srv_conf.ss, 115 (struct sockaddr *)&srv->srv_conf.ss, 116 s->srv_conf.prefixlen) == 0) 117 return (0); 118 } 119 120 /* Open listening socket in the privileged process */ 121 if ((srv->srv_s = server_socket_listen(&srv->srv_conf.ss, 122 srv->srv_conf.port, &srv->srv_conf)) == -1) 123 return (-1); 124 125 return (0); 126} 127 128int 129server_tls_cmp(struct server *s1, struct server *s2, int match_keypair) 130{ 131 struct server_config *sc1, *sc2; 132 133 sc1 = &s1->srv_conf; 134 sc2 = &s2->srv_conf; 135 136 if (sc1->tls_protocols != sc2->tls_protocols) 137 return (-1); 138 if (strcmp(sc1->tls_ciphers, sc2->tls_ciphers) != 0) 139 return (-1); 140 if (strcmp(sc1->tls_dhe_params, sc2->tls_dhe_params) != 0) 141 return (-1); 142 if (strcmp(sc1->tls_ecdhe_curve, sc2->tls_ecdhe_curve) != 0) 143 return (-1); 144 145 if (match_keypair) { 146 if (strcmp(sc1->tls_cert_file, sc2->tls_cert_file) != 0) 147 return (-1); 148 if (strcmp(sc1->tls_key_file, sc2->tls_key_file) != 0) 149 return (-1); 150 } 151 152 return (0); 153} 154 155int 156server_tls_load_keypair(struct server *srv) 157{ 158 if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) 159 return (0); 160 161 if ((srv->srv_conf.tls_cert = tls_load_file(srv->srv_conf.tls_cert_file, 162 &srv->srv_conf.tls_cert_len, NULL)) == NULL) 163 return (-1); 164 log_debug("%s: using certificate %s", __func__, 165 srv->srv_conf.tls_cert_file); 166 167 /* XXX allow to specify password for encrypted key */ 168 if ((srv->srv_conf.tls_key = tls_load_file(srv->srv_conf.tls_key_file, 169 &srv->srv_conf.tls_key_len, NULL)) == NULL) 170 return (-1); 171 log_debug("%s: using private key %s", __func__, 172 srv->srv_conf.tls_key_file); 173 174 return (0); 175} 176 177int 178server_tls_load_ocsp(struct server *srv) 179{ 180 if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) 181 return (0); 182 183 if (srv->srv_conf.tls_ocsp_staple_file == NULL) 184 return (0); 185 186 if ((srv->srv_conf.tls_ocsp_staple = tls_load_file( 187 srv->srv_conf.tls_ocsp_staple_file, 188 &srv->srv_conf.tls_ocsp_staple_len, NULL)) == NULL) 189 return (-1); 190 log_debug("%s: using ocsp staple from %s", __func__, 191 srv->srv_conf.tls_ocsp_staple_file); 192 193 return (0); 194} 195 196int 197server_tls_init(struct server *srv) 198{ 199 struct server_config *srv_conf; 200 201 if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) 202 return (0); 203 204 log_debug("%s: setting up tls for %s", __func__, srv->srv_conf.name); 205 206 if (tls_init() != 0) { 207 log_warnx("%s: failed to initialise tls", __func__); 208 return (-1); 209 } 210 if ((srv->srv_tls_config = tls_config_new()) == NULL) { 211 log_warnx("%s: failed to get tls config", __func__); 212 return (-1); 213 } 214 if ((srv->srv_tls_ctx = tls_server()) == NULL) { 215 log_warnx("%s: failed to get tls server", __func__); 216 return (-1); 217 } 218 219 if (tls_config_set_protocols(srv->srv_tls_config, 220 srv->srv_conf.tls_protocols) != 0) { 221 log_warnx("%s: failed to set tls protocols: %s", 222 __func__, tls_config_error(srv->srv_tls_config)); 223 return (-1); 224 } 225 if (tls_config_set_ciphers(srv->srv_tls_config, 226 srv->srv_conf.tls_ciphers) != 0) { 227 log_warnx("%s: failed to set tls ciphers: %s", 228 __func__, tls_config_error(srv->srv_tls_config)); 229 return (-1); 230 } 231 if (tls_config_set_dheparams(srv->srv_tls_config, 232 srv->srv_conf.tls_dhe_params) != 0) { 233 log_warnx("%s: failed to set tls dhe params: %s", 234 __func__, tls_config_error(srv->srv_tls_config)); 235 return (-1); 236 } 237 if (tls_config_set_ecdhecurve(srv->srv_tls_config, 238 srv->srv_conf.tls_ecdhe_curve) != 0) { 239 log_warnx("%s: failed to set tls ecdhe curve: %s", 240 __func__, tls_config_error(srv->srv_tls_config)); 241 return (-1); 242 } 243 244 if (tls_config_set_keypair_ocsp_mem(srv->srv_tls_config, 245 srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len, 246 srv->srv_conf.tls_key, srv->srv_conf.tls_key_len, 247 srv->srv_conf.tls_ocsp_staple, 248 srv->srv_conf.tls_ocsp_staple_len) != 0) { 249 log_warnx("%s: failed to set tls certificate/key: %s", 250 __func__, tls_config_error(srv->srv_tls_config)); 251 return (-1); 252 } 253 254 TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) { 255 if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL) 256 continue; 257 log_debug("%s: adding keypair for server %s", __func__, 258 srv->srv_conf.name); 259 if (tls_config_add_keypair_ocsp_mem(srv->srv_tls_config, 260 srv_conf->tls_cert, srv_conf->tls_cert_len, 261 srv_conf->tls_key, srv_conf->tls_key_len, 262 srv_conf->tls_ocsp_staple, 263 srv_conf->tls_ocsp_staple_len) != 0) { 264 log_warnx("%s: failed to add tls keypair", __func__); 265 return (-1); 266 } 267 } 268 269 if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) { 270 log_warnx("%s: failed to configure tls - %s", __func__, 271 tls_error(srv->srv_tls_ctx)); 272 return (-1); 273 } 274 275 /* We're now done with the public/private key... */ 276 tls_config_clear_keys(srv->srv_tls_config); 277 explicit_bzero(srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len); 278 explicit_bzero(srv->srv_conf.tls_key, srv->srv_conf.tls_key_len); 279 free(srv->srv_conf.tls_cert); 280 free(srv->srv_conf.tls_key); 281 srv->srv_conf.tls_cert = NULL; 282 srv->srv_conf.tls_key = NULL; 283 srv->srv_conf.tls_cert_len = 0; 284 srv->srv_conf.tls_key_len = 0; 285 286 return (0); 287} 288 289void 290server_init(struct privsep *ps, struct privsep_proc *p, void *arg) 291{ 292 server_http(); 293 294 if (config_init(ps->ps_env) == -1) 295 fatal("failed to initialize configuration"); 296 297 /* We use a custom shutdown callback */ 298 p->p_shutdown = server_shutdown; 299 300 /* Unlimited file descriptors (use system limits) */ 301 socket_rlimit(-1); 302 303 if (pledge("stdio rpath inet unix recvfd", NULL) == -1) 304 fatal("pledge"); 305 306#if 0 307 /* Schedule statistics timer */ 308 evtimer_set(&ps->ps_env->sc_statev, server_statistics, NULL); 309 memcpy(&tv, &ps->ps_env->sc_statinterval, sizeof(tv)); 310 evtimer_add(&ps->ps_env->sc_statev, &tv); 311#endif 312} 313 314void 315server_launch(void) 316{ 317 struct server *srv; 318 319 TAILQ_FOREACH(srv, httpd_env->sc_servers, srv_entry) { 320 log_debug("%s: configuring server %s", __func__, 321 srv->srv_conf.name); 322 323 server_tls_init(srv); 324 server_http_init(srv); 325 326 log_debug("%s: running server %s", __func__, 327 srv->srv_conf.name); 328 329 event_set(&srv->srv_ev, srv->srv_s, EV_READ, 330 server_accept, srv); 331 event_add(&srv->srv_ev, NULL); 332 evtimer_set(&srv->srv_evt, server_accept, srv); 333 } 334} 335 336void 337server_purge(struct server *srv) 338{ 339 struct client *clt; 340 struct server_config *srv_conf; 341 342 /* shutdown and remove server */ 343 if (event_initialized(&srv->srv_ev)) 344 event_del(&srv->srv_ev); 345 if (evtimer_initialized(&srv->srv_evt)) 346 evtimer_del(&srv->srv_evt); 347 348 if (srv->srv_s != -1) 349 close(srv->srv_s); 350 TAILQ_REMOVE(httpd_env->sc_servers, srv, srv_entry); 351 352 /* cleanup sessions */ 353 while ((clt = 354 SPLAY_ROOT(&srv->srv_clients)) != NULL) 355 server_close(clt, NULL); 356 357 /* cleanup hosts */ 358 while ((srv_conf = 359 TAILQ_FIRST(&srv->srv_hosts)) != NULL) { 360 TAILQ_REMOVE(&srv->srv_hosts, srv_conf, entry); 361 362 /* It might point to our own "default" entry */ 363 if (srv_conf != &srv->srv_conf) { 364 serverconfig_free(srv_conf); 365 free(srv_conf); 366 } 367 } 368 369 tls_config_free(srv->srv_tls_config); 370 tls_free(srv->srv_tls_ctx); 371 372 free(srv); 373} 374 375void 376serverconfig_free(struct server_config *srv_conf) 377{ 378 free(srv_conf->return_uri); 379 free(srv_conf->tls_cert_file); 380 free(srv_conf->tls_key_file); 381 free(srv_conf->tls_ocsp_staple_file); 382 free(srv_conf->tls_ocsp_staple); 383 384 if (srv_conf->tls_cert != NULL) { 385 explicit_bzero(srv_conf->tls_cert, srv_conf->tls_cert_len); 386 free(srv_conf->tls_cert); 387 } 388 389 if (srv_conf->tls_key != NULL) { 390 explicit_bzero(srv_conf->tls_key, srv_conf->tls_key_len); 391 free(srv_conf->tls_key); 392 } 393} 394 395void 396serverconfig_reset(struct server_config *srv_conf) 397{ 398 srv_conf->auth = NULL; 399 srv_conf->return_uri = NULL; 400 srv_conf->tls_cert = NULL; 401 srv_conf->tls_cert_file = NULL; 402 srv_conf->tls_key = NULL; 403 srv_conf->tls_key_file = NULL; 404 srv_conf->tls_ocsp_staple = NULL; 405 srv_conf->tls_ocsp_staple_file = NULL; 406} 407 408struct server * 409server_byaddr(struct sockaddr *addr, in_port_t port) 410{ 411 struct server *srv; 412 413 TAILQ_FOREACH(srv, httpd_env->sc_servers, srv_entry) { 414 if (port == srv->srv_conf.port && 415 sockaddr_cmp((struct sockaddr *)&srv->srv_conf.ss, 416 addr, srv->srv_conf.prefixlen) == 0) 417 return (srv); 418 } 419 420 return (NULL); 421} 422 423struct server_config * 424serverconfig_byid(uint32_t id) 425{ 426 struct server *srv; 427 struct server_config *srv_conf; 428 429 TAILQ_FOREACH(srv, httpd_env->sc_servers, srv_entry) { 430 if (srv->srv_conf.id == id) 431 return (&srv->srv_conf); 432 TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) { 433 if (srv_conf->id == id) 434 return (srv_conf); 435 } 436 } 437 438 return (NULL); 439} 440 441int 442server_foreach(int (*srv_cb)(struct server *, 443 struct server_config *, void *), void *arg) 444{ 445 struct server *srv; 446 struct server_config *srv_conf; 447 448 TAILQ_FOREACH(srv, httpd_env->sc_servers, srv_entry) { 449 if ((srv_cb)(srv, &srv->srv_conf, arg) == -1) 450 return (-1); 451 TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) { 452 if ((srv_cb)(srv, srv_conf, arg) == -1) 453 return (-1); 454 } 455 } 456 457 return (0); 458} 459 460struct server * 461server_match(struct server *s2, int match_name) 462{ 463 struct server *s1; 464 465 /* Attempt to find matching server. */ 466 TAILQ_FOREACH(s1, httpd_env->sc_servers, srv_entry) { 467 if ((s1->srv_conf.flags & SRVFLAG_LOCATION) != 0) 468 continue; 469 if (match_name) { 470 if (strcmp(s1->srv_conf.name, s2->srv_conf.name) != 0) 471 continue; 472 } 473 if (s1->srv_conf.port != s2->srv_conf.port) 474 continue; 475 if (sockaddr_cmp( 476 (struct sockaddr *)&s1->srv_conf.ss, 477 (struct sockaddr *)&s2->srv_conf.ss, 478 s1->srv_conf.prefixlen) != 0) 479 continue; 480 481 return (s1); 482 } 483 484 return (NULL); 485} 486 487int 488server_socket_af(struct sockaddr_storage *ss, in_port_t port) 489{ 490 switch (ss->ss_family) { 491 case AF_INET: 492 ((struct sockaddr_in *)ss)->sin_port = port; 493 ((struct sockaddr_in *)ss)->sin_len = 494 sizeof(struct sockaddr_in); 495 break; 496 case AF_INET6: 497 ((struct sockaddr_in6 *)ss)->sin6_port = port; 498 ((struct sockaddr_in6 *)ss)->sin6_len = 499 sizeof(struct sockaddr_in6); 500 break; 501 default: 502 return (-1); 503 } 504 505 return (0); 506} 507 508in_port_t 509server_socket_getport(struct sockaddr_storage *ss) 510{ 511 switch (ss->ss_family) { 512 case AF_INET: 513 return (((struct sockaddr_in *)ss)->sin_port); 514 case AF_INET6: 515 return (((struct sockaddr_in6 *)ss)->sin6_port); 516 default: 517 return (0); 518 } 519 520 /* NOTREACHED */ 521 return (0); 522} 523 524int 525server_socket(struct sockaddr_storage *ss, in_port_t port, 526 struct server_config *srv_conf, int fd, int reuseport) 527{ 528 struct linger lng; 529 int s = -1, val; 530 531 if (server_socket_af(ss, port) == -1) 532 goto bad; 533 534 s = fd == -1 ? socket(ss->ss_family, SOCK_STREAM | SOCK_NONBLOCK, 535 IPPROTO_TCP) : fd; 536 if (s == -1) 537 goto bad; 538 539 /* 540 * Socket options 541 */ 542 memset(&lng, 0, sizeof(lng)); 543 if (setsockopt(s, SOL_SOCKET, SO_LINGER, &lng, sizeof(lng)) == -1) 544 goto bad; 545 if (reuseport) { 546 val = 1; 547 if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &val, 548 sizeof(int)) == -1) 549 goto bad; 550 } 551 if (srv_conf->tcpflags & TCPFLAG_BUFSIZ) { 552 val = srv_conf->tcpbufsiz; 553 if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, 554 &val, sizeof(val)) == -1) 555 goto bad; 556 val = srv_conf->tcpbufsiz; 557 if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, 558 &val, sizeof(val)) == -1) 559 goto bad; 560 } 561 562 /* 563 * IP options 564 */ 565 if (srv_conf->tcpflags & TCPFLAG_IPTTL) { 566 val = (int)srv_conf->tcpipttl; 567 switch (ss->ss_family) { 568 case AF_INET: 569 if (setsockopt(s, IPPROTO_IP, IP_TTL, 570 &val, sizeof(val)) == -1) 571 goto bad; 572 break; 573 case AF_INET6: 574 if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS, 575 &val, sizeof(val)) == -1) 576 goto bad; 577 break; 578 } 579 } 580 if (srv_conf->tcpflags & TCPFLAG_IPMINTTL) { 581 val = (int)srv_conf->tcpipminttl; 582 switch (ss->ss_family) { 583 case AF_INET: 584 if (setsockopt(s, IPPROTO_IP, IP_MINTTL, 585 &val, sizeof(val)) == -1) 586 goto bad; 587 break; 588 case AF_INET6: 589 if (setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT, 590 &val, sizeof(val)) == -1) 591 goto bad; 592 break; 593 } 594 } 595 596 /* 597 * TCP options 598 */ 599 if (srv_conf->tcpflags & (TCPFLAG_NODELAY|TCPFLAG_NNODELAY)) { 600 if (srv_conf->tcpflags & TCPFLAG_NNODELAY) 601 val = 0; 602 else 603 val = 1; 604 if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, 605 &val, sizeof(val)) == -1) 606 goto bad; 607 } 608 if (srv_conf->tcpflags & (TCPFLAG_SACK|TCPFLAG_NSACK)) { 609 if (srv_conf->tcpflags & TCPFLAG_NSACK) 610 val = 0; 611 else 612 val = 1; 613 if (setsockopt(s, IPPROTO_TCP, TCP_SACK_ENABLE, 614 &val, sizeof(val)) == -1) 615 goto bad; 616 } 617 618 return (s); 619 620 bad: 621 if (s != -1) 622 close(s); 623 return (-1); 624} 625 626int 627server_socket_listen(struct sockaddr_storage *ss, in_port_t port, 628 struct server_config *srv_conf) 629{ 630 int s; 631 632 if ((s = server_socket(ss, port, srv_conf, -1, 1)) == -1) 633 return (-1); 634 635 if (bind(s, (struct sockaddr *)ss, ss->ss_len) == -1) 636 goto bad; 637 if (listen(s, srv_conf->tcpbacklog) == -1) 638 goto bad; 639 640 return (s); 641 642 bad: 643 close(s); 644 return (-1); 645} 646 647int 648server_socket_connect(struct sockaddr_storage *ss, in_port_t port, 649 struct server_config *srv_conf) 650{ 651 int s; 652 653 if ((s = server_socket(ss, port, srv_conf, -1, 0)) == -1) 654 return (-1); 655 656 if (connect(s, (struct sockaddr *)ss, ss->ss_len) == -1) { 657 if (errno != EINPROGRESS) 658 goto bad; 659 } 660 661 return (s); 662 663 bad: 664 close(s); 665 return (-1); 666} 667 668void 669server_tls_readcb(int fd, short event, void *arg) 670{ 671 struct bufferevent *bufev = arg; 672 struct client *clt = bufev->cbarg; 673 char rbuf[IBUF_READ_SIZE]; 674 int what = EVBUFFER_READ; 675 int howmuch = IBUF_READ_SIZE; 676 ssize_t ret; 677 size_t len; 678 679 if (event == EV_TIMEOUT) { 680 what |= EVBUFFER_TIMEOUT; 681 goto err; 682 } 683 684 if (bufev->wm_read.high != 0) 685 howmuch = MINIMUM(sizeof(rbuf), bufev->wm_read.high); 686 687 ret = tls_read(clt->clt_tls_ctx, rbuf, howmuch); 688 if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) { 689 goto retry; 690 } else if (ret < 0) { 691 what |= EVBUFFER_ERROR; 692 goto err; 693 } 694 len = ret; 695 696 if (len == 0) { 697 what |= EVBUFFER_EOF; 698 goto err; 699 } 700 701 if (evbuffer_add(bufev->input, rbuf, len) == -1) { 702 what |= EVBUFFER_ERROR; 703 goto err; 704 } 705 706 server_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 707 708 len = EVBUFFER_LENGTH(bufev->input); 709 if (bufev->wm_read.low != 0 && len < bufev->wm_read.low) 710 return; 711 if (bufev->wm_read.high != 0 && len > bufev->wm_read.high) { 712 struct evbuffer *buf = bufev->input; 713 event_del(&bufev->ev_read); 714 evbuffer_setcb(buf, bufferevent_read_pressure_cb, bufev); 715 return; 716 } 717 718 if (bufev->readcb != NULL) 719 (*bufev->readcb)(bufev, bufev->cbarg); 720 return; 721 722 retry: 723 server_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 724 return; 725 726 err: 727 (*bufev->errorcb)(bufev, what, bufev->cbarg); 728} 729 730void 731server_tls_writecb(int fd, short event, void *arg) 732{ 733 struct bufferevent *bufev = arg; 734 struct client *clt = bufev->cbarg; 735 ssize_t ret; 736 short what = EVBUFFER_WRITE; 737 size_t len; 738 739 if (event == EV_TIMEOUT) { 740 what |= EVBUFFER_TIMEOUT; 741 goto err; 742 } 743 744 if (EVBUFFER_LENGTH(bufev->output)) { 745 ret = tls_write(clt->clt_tls_ctx, 746 EVBUFFER_DATA(bufev->output), 747 EVBUFFER_LENGTH(bufev->output)); 748 if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) { 749 goto retry; 750 } else if (ret < 0) { 751 what |= EVBUFFER_ERROR; 752 goto err; 753 } 754 len = ret; 755 evbuffer_drain(bufev->output, len); 756 } 757 758 if (EVBUFFER_LENGTH(bufev->output) != 0) 759 server_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 760 761 if (bufev->writecb != NULL && 762 EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low) 763 (*bufev->writecb)(bufev, bufev->cbarg); 764 return; 765 766 retry: 767 server_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 768 return; 769 770 err: 771 (*bufev->errorcb)(bufev, what, bufev->cbarg); 772} 773 774void 775server_input(struct client *clt) 776{ 777 struct server_config *srv_conf = clt->clt_srv_conf; 778 evbuffercb inrd = server_read; 779 evbuffercb inwr = server_write; 780 socklen_t slen; 781 782 if (server_httpdesc_init(clt) == -1) { 783 server_close(clt, "failed to allocate http descriptor"); 784 return; 785 } 786 787 clt->clt_toread = TOREAD_HTTP_HEADER; 788 inrd = server_read_http; 789 790 slen = sizeof(clt->clt_sndbufsiz); 791 if (getsockopt(clt->clt_s, SOL_SOCKET, SO_SNDBUF, 792 &clt->clt_sndbufsiz, &slen) == -1) { 793 server_close(clt, "failed to get send buffer size"); 794 return; 795 } 796 797 /* 798 * Client <-> Server 799 */ 800 clt->clt_bev = bufferevent_new(clt->clt_s, inrd, inwr, 801 server_error, clt); 802 if (clt->clt_bev == NULL) { 803 server_close(clt, "failed to allocate input buffer event"); 804 return; 805 } 806 807 if (srv_conf->flags & SRVFLAG_TLS) { 808 event_set(&clt->clt_bev->ev_read, clt->clt_s, EV_READ, 809 server_tls_readcb, clt->clt_bev); 810 event_set(&clt->clt_bev->ev_write, clt->clt_s, EV_WRITE, 811 server_tls_writecb, clt->clt_bev); 812 } 813 814 /* Adjust write watermark to the socket buffer output size */ 815 bufferevent_setwatermark(clt->clt_bev, EV_WRITE, 816 SERVER_MIN_PREFETCHED * clt->clt_sndbufsiz, 0); 817 /* Read at most amount of data that fits in one fcgi record. */ 818 bufferevent_setwatermark(clt->clt_bev, EV_READ, 0, FCGI_CONTENT_SIZE); 819 820 bufferevent_settimeout(clt->clt_bev, 821 srv_conf->timeout.tv_sec, srv_conf->timeout.tv_sec); 822 bufferevent_enable(clt->clt_bev, EV_READ|EV_WRITE); 823} 824 825void 826server_write(struct bufferevent *bev, void *arg) 827{ 828 struct client *clt = arg; 829 struct evbuffer *dst = EVBUFFER_OUTPUT(bev); 830 831 if (EVBUFFER_LENGTH(dst) == 0 && 832 clt->clt_toread == TOREAD_HTTP_NONE) 833 goto done; 834 835 getmonotime(&clt->clt_tv_last); 836 837 if (clt->clt_done) 838 goto done; 839 840 if (clt->clt_srvbev && clt->clt_srvbev_throttled) { 841 bufferevent_enable(clt->clt_srvbev, EV_READ); 842 clt->clt_srvbev_throttled = 0; 843 } 844 845 return; 846 done: 847 (*bev->errorcb)(bev, EVBUFFER_WRITE, bev->cbarg); 848 return; 849} 850 851void 852server_dump(struct client *clt, const void *buf, size_t len) 853{ 854 if (!len) 855 return; 856 857 /* 858 * This function will dump the specified message directly 859 * to the underlying client, without waiting for success 860 * of non-blocking events etc. This is useful to print an 861 * error message before gracefully closing the client. 862 */ 863 if (clt->clt_tls_ctx != NULL) 864 (void)tls_write(clt->clt_tls_ctx, buf, len); 865 else 866 (void)write(clt->clt_s, buf, len); 867} 868 869void 870server_read(struct bufferevent *bev, void *arg) 871{ 872 struct client *clt = arg; 873 struct evbuffer *src = EVBUFFER_INPUT(bev); 874 875 getmonotime(&clt->clt_tv_last); 876 877 if (!EVBUFFER_LENGTH(src)) 878 return; 879 if (server_bufferevent_write_buffer(clt, src) == -1) 880 goto fail; 881 if (clt->clt_done) 882 goto done; 883 884 if (EVBUFFER_LENGTH(EVBUFFER_OUTPUT(clt->clt_bev)) > (size_t) 885 SERVER_MAX_PREFETCH * clt->clt_sndbufsiz) { 886 bufferevent_disable(clt->clt_srvbev, EV_READ); 887 clt->clt_srvbev_throttled = 1; 888 } 889 890 return; 891 done: 892 (*bev->errorcb)(bev, EVBUFFER_READ, bev->cbarg); 893 return; 894 fail: 895 server_close(clt, strerror(errno)); 896} 897 898void 899server_error(struct bufferevent *bev, short error, void *arg) 900{ 901 struct client *clt = arg; 902 struct evbuffer *dst; 903 904 if (error & EVBUFFER_TIMEOUT) { 905 server_close(clt, "buffer event timeout"); 906 return; 907 } 908 if (error & EVBUFFER_ERROR) { 909 if (errno == EFBIG) { 910 bufferevent_enable(bev, EV_READ); 911 return; 912 } 913 server_close(clt, "buffer event error"); 914 return; 915 } 916 if (error & EVBUFFER_EOF) { 917 server_close(clt, "closed"); 918 return; 919 } 920 if (error & (EVBUFFER_READ|EVBUFFER_WRITE)) { 921 bufferevent_disable(bev, EV_READ|EV_WRITE); 922 923 clt->clt_done = 1; 924 925 dst = EVBUFFER_OUTPUT(clt->clt_bev); 926 if (EVBUFFER_LENGTH(dst)) { 927 /* Finish writing all data first */ 928 bufferevent_enable(clt->clt_bev, EV_WRITE); 929 return; 930 } 931 932 server_close(clt, "done"); 933 return; 934 } 935 server_close(clt, "unknown event error"); 936 return; 937} 938 939void 940server_accept(int fd, short event, void *arg) 941{ 942 struct server *srv = arg; 943 struct client *clt = NULL; 944 socklen_t slen; 945 struct sockaddr_storage ss; 946 int s = -1; 947 948 event_add(&srv->srv_ev, NULL); 949 if ((event & EV_TIMEOUT)) 950 return; 951 952 slen = sizeof(ss); 953 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, 954 &slen, FD_RESERVE, &server_inflight)) == -1) { 955 /* 956 * Pause accept if we are out of file descriptors, or 957 * libevent will haunt us here too. 958 */ 959 if (errno == ENFILE || errno == EMFILE) { 960 struct timeval evtpause = { 1, 0 }; 961 962 event_del(&srv->srv_ev); 963 evtimer_add(&srv->srv_evt, &evtpause); 964 log_debug("%s: deferring connections", __func__); 965 } 966 return; 967 } 968 if (server_clients >= SERVER_MAX_CLIENTS) 969 goto err; 970 971 if ((clt = calloc(1, sizeof(*clt))) == NULL) 972 goto err; 973 974 /* Pre-allocate log buffer */ 975 clt->clt_log = evbuffer_new(); 976 if (clt->clt_log == NULL) 977 goto err; 978 979 clt->clt_s = s; 980 clt->clt_fd = -1; 981 clt->clt_toread = TOREAD_UNLIMITED; 982 clt->clt_srv = srv; 983 clt->clt_srv_conf = &srv->srv_conf; 984 clt->clt_id = ++server_cltid; 985 clt->clt_srv_id = srv->srv_conf.id; 986 clt->clt_pid = getpid(); 987 clt->clt_inflight = 1; 988 989 /* get local address */ 990 slen = sizeof(clt->clt_srv_ss); 991 if (getsockname(s, (struct sockaddr *)&clt->clt_srv_ss, 992 &slen) == -1) { 993 server_close(clt, "listen address lookup failed"); 994 return; 995 } 996 997 /* get client address */ 998 memcpy(&clt->clt_ss, &ss, sizeof(clt->clt_ss)); 999 1000 /* get ports */ 1001 switch (ss.ss_family) { 1002 case AF_INET: 1003 clt->clt_port = ((struct sockaddr_in *)&ss)->sin_port; 1004 break; 1005 case AF_INET6: 1006 clt->clt_port = ((struct sockaddr_in6 *)&ss)->sin6_port; 1007 break; 1008 } 1009 1010 getmonotime(&clt->clt_tv_start); 1011 memcpy(&clt->clt_tv_last, &clt->clt_tv_start, sizeof(clt->clt_tv_last)); 1012 1013 server_clients++; 1014 SPLAY_INSERT(client_tree, &srv->srv_clients, clt); 1015 1016 /* Pre-allocate output buffer */ 1017 clt->clt_output = evbuffer_new(); 1018 if (clt->clt_output == NULL) { 1019 server_close(clt, "failed to allocate output buffer"); 1020 return; 1021 } 1022 1023 if (srv->srv_conf.flags & SRVFLAG_TLS) { 1024 if (tls_accept_socket(srv->srv_tls_ctx, &clt->clt_tls_ctx, 1025 clt->clt_s) != 0) { 1026 server_close(clt, "failed to setup tls context"); 1027 return; 1028 } 1029 event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_READ, 1030 server_tls_handshake, &clt->clt_tv_start, 1031 &srv->srv_conf.timeout, clt); 1032 return; 1033 } 1034 1035 server_input(clt); 1036 return; 1037 1038 err: 1039 if (s != -1) { 1040 close(s); 1041 free(clt); 1042 /* 1043 * the client struct was not completely set up, but still 1044 * counted as an inflight client. account for this. 1045 */ 1046 server_inflight_dec(NULL, __func__); 1047 } 1048} 1049 1050void 1051server_tls_handshake(int fd, short event, void *arg) 1052{ 1053 struct client *clt = (struct client *)arg; 1054 struct server *srv = (struct server *)clt->clt_srv; 1055 int ret; 1056 1057 if (event == EV_TIMEOUT) { 1058 server_close(clt, "tls handshake timeout"); 1059 return; 1060 } 1061 1062 if (srv->srv_tls_ctx == NULL || clt->clt_tls_ctx == NULL) 1063 fatalx("NULL tls context"); 1064 1065 ret = tls_handshake(clt->clt_tls_ctx); 1066 if (ret == 0) { 1067 server_input(clt); 1068 } else if (ret == TLS_WANT_POLLIN) { 1069 event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_READ, 1070 server_tls_handshake, &clt->clt_tv_start, 1071 &srv->srv_conf.timeout, clt); 1072 } else if (ret == TLS_WANT_POLLOUT) { 1073 event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_WRITE, 1074 server_tls_handshake, &clt->clt_tv_start, 1075 &srv->srv_conf.timeout, clt); 1076 } else { 1077 log_debug("%s: tls handshake failed - %s", __func__, 1078 tls_error(clt->clt_tls_ctx)); 1079 server_close(clt, "tls handshake failed"); 1080 } 1081} 1082 1083void 1084server_inflight_dec(struct client *clt, const char *why) 1085{ 1086 if (clt != NULL) { 1087 /* the flight already left inflight mode. */ 1088 if (clt->clt_inflight == 0) 1089 return; 1090 clt->clt_inflight = 0; 1091 } 1092 1093 /* the file was never opened, thus this was an inflight client. */ 1094 server_inflight--; 1095 DPRINTF("%s: inflight decremented, now %d, %s", 1096 __func__, server_inflight, why); 1097} 1098 1099void 1100server_sendlog(struct server_config *srv_conf, int cmd, const char *emsg, ...) 1101{ 1102 va_list ap; 1103 char *msg; 1104 int ret; 1105 struct iovec iov[2]; 1106 1107 if (srv_conf->flags & SRVFLAG_SYSLOG) { 1108 va_start(ap, emsg); 1109 if (cmd == IMSG_LOG_ACCESS) 1110 vlog(LOG_INFO, emsg, ap); 1111 else 1112 vlog(LOG_DEBUG, emsg, ap); 1113 va_end(ap); 1114 return; 1115 } 1116 1117 va_start(ap, emsg); 1118 ret = vasprintf(&msg, emsg, ap); 1119 va_end(ap); 1120 if (ret == -1) { 1121 log_warn("%s: vasprintf", __func__); 1122 return; 1123 } 1124 1125 iov[0].iov_base = &srv_conf->id; 1126 iov[0].iov_len = sizeof(srv_conf->id); 1127 iov[1].iov_base = msg; 1128 iov[1].iov_len = strlen(msg) + 1; 1129 1130 if (proc_composev(httpd_env->sc_ps, PROC_LOGGER, cmd, iov, 2) != 0) { 1131 log_warn("%s: failed to compose imsg", __func__); 1132 return; 1133 } 1134} 1135 1136void 1137server_log(struct client *clt, const char *msg) 1138{ 1139 char ibuf[HOST_NAME_MAX+1], obuf[HOST_NAME_MAX+1]; 1140 struct server_config *srv_conf = clt->clt_srv_conf; 1141 char *ptr = NULL, *vmsg = NULL; 1142 int debug_cmd = -1; 1143 1144 switch (srv_conf->logformat) { 1145 case LOG_FORMAT_CONNECTION: 1146 debug_cmd = IMSG_LOG_ACCESS; 1147 break; 1148 default: 1149 if (log_getverbose() > 1) 1150 debug_cmd = IMSG_LOG_ERROR; 1151 if (EVBUFFER_LENGTH(clt->clt_log)) { 1152 while ((ptr = 1153 evbuffer_readline(clt->clt_log)) != NULL) { 1154 server_sendlog(srv_conf, 1155 IMSG_LOG_ACCESS, "%s", ptr); 1156 free(ptr); 1157 } 1158 } 1159 break; 1160 } 1161 1162 if (debug_cmd != -1 && msg != NULL) { 1163 memset(ibuf, 0, sizeof(ibuf)); 1164 memset(obuf, 0, sizeof(obuf)); 1165 (void)print_host(&clt->clt_ss, ibuf, sizeof(ibuf)); 1166 (void)server_http_host(&clt->clt_srv_ss, obuf, sizeof(obuf)); 1167 if (EVBUFFER_LENGTH(clt->clt_log) && 1168 evbuffer_add_printf(clt->clt_log, "\n") != -1) 1169 ptr = evbuffer_readline(clt->clt_log); 1170 (void)stravis(&vmsg, msg, HTTPD_LOGVIS); 1171 server_sendlog(srv_conf, debug_cmd, "server %s, " 1172 "client %d (%d active), %s:%u -> %s, " 1173 "%s%s%s", srv_conf->name, clt->clt_id, server_clients, 1174 ibuf, ntohs(clt->clt_port), obuf, vmsg == NULL ? "" : vmsg, 1175 ptr == NULL ? "" : ",", ptr == NULL ? "" : ptr); 1176 free(vmsg); 1177 free(ptr); 1178 } 1179} 1180 1181void 1182server_close(struct client *clt, const char *msg) 1183{ 1184 struct server *srv = clt->clt_srv; 1185 1186 SPLAY_REMOVE(client_tree, &srv->srv_clients, clt); 1187 1188 /* free the HTTP descriptors incl. headers */ 1189 server_close_http(clt); 1190 1191 event_del(&clt->clt_ev); 1192 if (clt->clt_bev != NULL) 1193 bufferevent_disable(clt->clt_bev, EV_READ|EV_WRITE); 1194 if (clt->clt_srvbev != NULL) 1195 bufferevent_disable(clt->clt_srvbev, EV_READ|EV_WRITE); 1196 1197 server_log(clt, msg); 1198 1199 if (clt->clt_bev != NULL) 1200 bufferevent_free(clt->clt_bev); 1201 if (clt->clt_output != NULL) 1202 evbuffer_free(clt->clt_output); 1203 if (clt->clt_srvevb != NULL) 1204 evbuffer_free(clt->clt_srvevb); 1205 1206 if (clt->clt_srvbev != NULL) 1207 bufferevent_free(clt->clt_srvbev); 1208 if (clt->clt_fd != -1) 1209 close(clt->clt_fd); 1210 if (clt->clt_s != -1) 1211 close(clt->clt_s); 1212 1213 if (clt->clt_tls_ctx != NULL) 1214 tls_close(clt->clt_tls_ctx); 1215 tls_free(clt->clt_tls_ctx); 1216 1217 server_inflight_dec(clt, __func__); 1218 1219 if (clt->clt_log != NULL) 1220 evbuffer_free(clt->clt_log); 1221 1222 free(clt); 1223 server_clients--; 1224} 1225 1226int 1227server_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) 1228{ 1229 switch (imsg->hdr.type) { 1230 case IMSG_CFG_MEDIA: 1231 config_getmedia(httpd_env, imsg); 1232 break; 1233 case IMSG_CFG_AUTH: 1234 config_getauth(httpd_env, imsg); 1235 break; 1236 case IMSG_CFG_SERVER: 1237 config_getserver(httpd_env, imsg); 1238 break; 1239 case IMSG_CFG_TLS: 1240 config_gettls(httpd_env, imsg); 1241 break; 1242 case IMSG_CFG_DONE: 1243 config_getcfg(httpd_env, imsg); 1244 break; 1245 case IMSG_CTL_START: 1246 server_launch(); 1247 break; 1248 case IMSG_CTL_RESET: 1249 config_getreset(httpd_env, imsg); 1250 break; 1251 default: 1252 return (-1); 1253 } 1254 1255 return (0); 1256} 1257 1258int 1259server_dispatch_logger(int fd, struct privsep_proc *p, struct imsg *imsg) 1260{ 1261 switch (imsg->hdr.type) { 1262 default: 1263 return (-1); 1264 } 1265 1266 return (0); 1267} 1268 1269int 1270server_bufferevent_add(struct event *ev, int timeout) 1271{ 1272 struct timeval tv, *ptv = NULL; 1273 1274 if (timeout) { 1275 timerclear(&tv); 1276 tv.tv_sec = timeout; 1277 ptv = &tv; 1278 } 1279 1280 return (event_add(ev, ptv)); 1281} 1282 1283int 1284server_bufferevent_printf(struct client *clt, const char *fmt, ...) 1285{ 1286 int ret; 1287 va_list ap; 1288 char *str; 1289 1290 va_start(ap, fmt); 1291 ret = vasprintf(&str, fmt, ap); 1292 va_end(ap); 1293 1294 if (ret == -1) 1295 return (ret); 1296 1297 ret = server_bufferevent_print(clt, str); 1298 free(str); 1299 1300 return (ret); 1301} 1302 1303int 1304server_bufferevent_print(struct client *clt, const char *str) 1305{ 1306 if (clt->clt_bev == NULL) 1307 return (evbuffer_add(clt->clt_output, str, strlen(str))); 1308 return (bufferevent_write(clt->clt_bev, str, strlen(str))); 1309} 1310 1311int 1312server_bufferevent_write_buffer(struct client *clt, struct evbuffer *buf) 1313{ 1314 if (clt->clt_bev == NULL) 1315 return (evbuffer_add_buffer(clt->clt_output, buf)); 1316 return (bufferevent_write_buffer(clt->clt_bev, buf)); 1317} 1318 1319int 1320server_bufferevent_write_chunk(struct client *clt, 1321 struct evbuffer *buf, size_t size) 1322{ 1323 int ret; 1324 ret = server_bufferevent_write(clt, buf->buffer, size); 1325 if (ret != -1) 1326 evbuffer_drain(buf, size); 1327 return (ret); 1328} 1329 1330int 1331server_bufferevent_write(struct client *clt, void *data, size_t size) 1332{ 1333 if (clt->clt_bev == NULL) 1334 return (evbuffer_add(clt->clt_output, data, size)); 1335 return (bufferevent_write(clt->clt_bev, data, size)); 1336} 1337 1338int 1339server_client_cmp(struct client *a, struct client *b) 1340{ 1341 return ((int)a->clt_id - b->clt_id); 1342} 1343 1344SPLAY_GENERATE(client_tree, client, clt_nodes, server_client_cmp); 1345