server.c revision 1.87
1/* $OpenBSD: server.c,v 1.87 2016/08/15 14:14:55 jsing Exp $ */ 2 3/* 4 * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <sys/param.h> /* nitems */ 20#include <sys/types.h> 21#include <sys/queue.h> 22#include <sys/time.h> 23#include <sys/stat.h> 24#include <sys/socket.h> 25#include <sys/uio.h> 26#include <sys/tree.h> 27 28#include <netinet/in.h> 29#include <netinet/tcp.h> 30#include <arpa/inet.h> 31 32#include <stdio.h> 33#include <stdlib.h> 34#include <stdarg.h> 35#include <limits.h> 36#include <errno.h> 37#include <fcntl.h> 38#include <string.h> 39#include <syslog.h> 40#include <unistd.h> 41#include <event.h> 42#include <imsg.h> 43#include <tls.h> 44#include <vis.h> 45 46#include "httpd.h" 47 48#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 49 50int server_dispatch_parent(int, struct privsep_proc *, 51 struct imsg *); 52int server_dispatch_logger(int, struct privsep_proc *, 53 struct imsg *); 54void server_shutdown(void); 55 56void server_init(struct privsep *, struct privsep_proc *p, void *); 57void server_launch(void); 58int server_socket(struct sockaddr_storage *, in_port_t, 59 struct server_config *, int, int); 60int server_socket_listen(struct sockaddr_storage *, in_port_t, 61 struct server_config *); 62 63int server_tls_init(struct server *); 64void server_tls_readcb(int, short, void *); 65void server_tls_writecb(int, short, void *); 66 67void server_accept(int, short, void *); 68void server_handshake_tls(int, short, void *); 69void server_input(struct client *); 70void server_inflight_dec(struct client *, const char *); 71 72extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t, 73 size_t, void *); 74 75volatile int server_clients; 76volatile int server_inflight = 0; 77uint32_t server_cltid; 78 79static struct httpd *env = NULL; 80int proc_id; 81 82static struct privsep_proc procs[] = { 83 { "parent", PROC_PARENT, server_dispatch_parent }, 84 { "logger", PROC_LOGGER, server_dispatch_logger } 85}; 86 87pid_t 88server(struct privsep *ps, struct privsep_proc *p) 89{ 90 pid_t pid; 91 env = ps->ps_env; 92 pid = proc_run(ps, p, procs, nitems(procs), server_init, NULL); 93 server_http(env); 94 return (pid); 95} 96 97void 98server_shutdown(void) 99{ 100 config_purge(env, CONFIG_ALL); 101 usleep(200); /* XXX server needs to shutdown last */ 102} 103 104int 105server_privinit(struct server *srv) 106{ 107 struct server *s; 108 109 if (srv->srv_conf.flags & SRVFLAG_LOCATION) 110 return (0); 111 112 log_debug("%s: adding server %s", __func__, srv->srv_conf.name); 113 114 /* 115 * There's no need to open a new socket if a server with the 116 * same address already exists. 117 */ 118 TAILQ_FOREACH(s, env->sc_servers, srv_entry) { 119 if (s != srv && s->srv_s != -1 && 120 s->srv_conf.port == srv->srv_conf.port && 121 sockaddr_cmp((struct sockaddr *)&s->srv_conf.ss, 122 (struct sockaddr *)&srv->srv_conf.ss, 123 s->srv_conf.prefixlen) == 0) 124 return (0); 125 } 126 127 /* Open listening socket in the privileged process */ 128 if ((srv->srv_s = server_socket_listen(&srv->srv_conf.ss, 129 srv->srv_conf.port, &srv->srv_conf)) == -1) 130 return (-1); 131 132 return (0); 133} 134 135int 136server_tls_cmp(struct server *s1, struct server *s2) 137{ 138 struct server_config *sc1, *sc2; 139 140 sc1 = &s1->srv_conf; 141 sc2 = &s2->srv_conf; 142 143 if (sc1->tls_protocols != sc2->tls_protocols) 144 return (-1); 145 if (strcmp(sc1->tls_cert_file, sc2->tls_cert_file) != 0) 146 return (-1); 147 if (strcmp(sc1->tls_key_file, sc2->tls_key_file) != 0) 148 return (-1); 149 if (strcmp(sc1->tls_ciphers, sc2->tls_ciphers) != 0) 150 return (-1); 151 if (strcmp(sc1->tls_dhe_params, sc2->tls_dhe_params) != 0) 152 return (-1); 153 if (strcmp(sc1->tls_ecdhe_curve, sc2->tls_ecdhe_curve) != 0) 154 return (-1); 155 156 return (0); 157} 158 159int 160server_tls_load_keypair(struct server *srv) 161{ 162 if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) 163 return (0); 164 165 if ((srv->srv_conf.tls_cert = tls_load_file( 166 srv->srv_conf.tls_cert_file, &srv->srv_conf.tls_cert_len, 167 NULL)) == NULL) 168 return (-1); 169 log_debug("%s: using certificate %s", __func__, 170 srv->srv_conf.tls_cert_file); 171 172 /* XXX allow to specify password for encrypted key */ 173 if ((srv->srv_conf.tls_key = tls_load_file( 174 srv->srv_conf.tls_key_file, &srv->srv_conf.tls_key_len, 175 NULL)) == NULL) 176 return (-1); 177 log_debug("%s: using private key %s", __func__, 178 srv->srv_conf.tls_key_file); 179 180 return (0); 181} 182 183int 184server_tls_init(struct server *srv) 185{ 186 if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) 187 return (0); 188 189 log_debug("%s: setting up tls for %s", __func__, srv->srv_conf.name); 190 191 if (tls_init() != 0) { 192 log_warnx("%s: failed to initialise tls", __func__); 193 return (-1); 194 } 195 if ((srv->srv_tls_config = tls_config_new()) == NULL) { 196 log_warnx("%s: failed to get tls config", __func__); 197 return (-1); 198 } 199 if ((srv->srv_tls_ctx = tls_server()) == NULL) { 200 log_warnx("%s: failed to get tls server", __func__); 201 return (-1); 202 } 203 204 tls_config_set_protocols(srv->srv_tls_config, 205 srv->srv_conf.tls_protocols); 206 207 if (tls_config_set_ciphers(srv->srv_tls_config, 208 srv->srv_conf.tls_ciphers) != 0) { 209 log_warnx("%s: failed to set tls ciphers: %s", 210 __func__, tls_config_error(srv->srv_tls_config)); 211 return (-1); 212 } 213 if (tls_config_set_dheparams(srv->srv_tls_config, 214 srv->srv_conf.tls_dhe_params) != 0) { 215 log_warnx("%s: failed to set tls dhe params: %s", 216 __func__, tls_config_error(srv->srv_tls_config)); 217 return (-1); 218 } 219 if (tls_config_set_ecdhecurve(srv->srv_tls_config, 220 srv->srv_conf.tls_ecdhe_curve) != 0) { 221 log_warnx("%s: failed to set tls ecdhe curve: %s", 222 __func__, tls_config_error(srv->srv_tls_config)); 223 return (-1); 224 } 225 226 if (tls_config_set_keypair_mem(srv->srv_tls_config, 227 srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len, 228 srv->srv_conf.tls_key, srv->srv_conf.tls_key_len) != 0) { 229 log_warnx("%s: failed to set tls certificate/key: %s", 230 __func__, tls_config_error(srv->srv_tls_config)); 231 return (-1); 232 } 233 234 if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) { 235 log_warnx("%s: failed to configure tls - %s", __func__, 236 tls_error(srv->srv_tls_ctx)); 237 return (-1); 238 } 239 240 /* We're now done with the public/private key... */ 241 tls_config_clear_keys(srv->srv_tls_config); 242 explicit_bzero(srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len); 243 explicit_bzero(srv->srv_conf.tls_key, srv->srv_conf.tls_key_len); 244 free(srv->srv_conf.tls_cert); 245 free(srv->srv_conf.tls_key); 246 srv->srv_conf.tls_cert = NULL; 247 srv->srv_conf.tls_key = NULL; 248 srv->srv_conf.tls_cert_len = 0; 249 srv->srv_conf.tls_key_len = 0; 250 251 return (0); 252} 253 254void 255server_init(struct privsep *ps, struct privsep_proc *p, void *arg) 256{ 257 server_http(ps->ps_env); 258 259 if (config_init(ps->ps_env) == -1) 260 fatal("failed to initialize configuration"); 261 262 /* Set to current prefork id */ 263 proc_id = p->p_instance; 264 265 /* We use a custom shutdown callback */ 266 p->p_shutdown = server_shutdown; 267 268 /* Unlimited file descriptors (use system limits) */ 269 socket_rlimit(-1); 270 271 if (pledge("stdio rpath inet unix recvfd", NULL) == -1) 272 fatal("pledge"); 273 274#if 0 275 /* Schedule statistics timer */ 276 evtimer_set(&env->sc_statev, server_statistics, NULL); 277 memcpy(&tv, &env->sc_statinterval, sizeof(tv)); 278 evtimer_add(&env->sc_statev, &tv); 279#endif 280} 281 282void 283server_launch(void) 284{ 285 struct server *srv; 286 287 TAILQ_FOREACH(srv, env->sc_servers, srv_entry) { 288 server_tls_init(srv); 289 server_http_init(srv); 290 291 log_debug("%s: running server %s", __func__, 292 srv->srv_conf.name); 293 294 event_set(&srv->srv_ev, srv->srv_s, EV_READ, 295 server_accept, srv); 296 event_add(&srv->srv_ev, NULL); 297 evtimer_set(&srv->srv_evt, server_accept, srv); 298 } 299} 300 301void 302server_purge(struct server *srv) 303{ 304 struct client *clt; 305 struct server_config *srv_conf; 306 307 /* shutdown and remove server */ 308 if (event_initialized(&srv->srv_ev)) 309 event_del(&srv->srv_ev); 310 if (evtimer_initialized(&srv->srv_evt)) 311 evtimer_del(&srv->srv_evt); 312 313 if (srv->srv_s != -1) 314 close(srv->srv_s); 315 TAILQ_REMOVE(env->sc_servers, srv, srv_entry); 316 317 /* cleanup sessions */ 318 while ((clt = 319 SPLAY_ROOT(&srv->srv_clients)) != NULL) 320 server_close(clt, NULL); 321 322 /* cleanup hosts */ 323 while ((srv_conf = 324 TAILQ_FIRST(&srv->srv_hosts)) != NULL) { 325 TAILQ_REMOVE(&srv->srv_hosts, srv_conf, entry); 326 327 /* It might point to our own "default" entry */ 328 if (srv_conf != &srv->srv_conf) { 329 serverconfig_free(srv_conf); 330 free(srv_conf); 331 } 332 } 333 334 tls_config_free(srv->srv_tls_config); 335 tls_free(srv->srv_tls_ctx); 336 337 free(srv); 338} 339 340void 341serverconfig_free(struct server_config *srv_conf) 342{ 343 free(srv_conf->return_uri); 344 free(srv_conf->tls_cert_file); 345 free(srv_conf->tls_key_file); 346 347 if (srv_conf->tls_cert != NULL) { 348 explicit_bzero(srv_conf->tls_cert, srv_conf->tls_cert_len); 349 free(srv_conf->tls_cert); 350 } 351 352 if (srv_conf->tls_key != NULL) { 353 explicit_bzero(srv_conf->tls_key, srv_conf->tls_key_len); 354 free(srv_conf->tls_key); 355 } 356} 357 358void 359serverconfig_reset(struct server_config *srv_conf) 360{ 361 srv_conf->auth = NULL; 362 srv_conf->return_uri = NULL; 363 srv_conf->tls_cert = NULL; 364 srv_conf->tls_cert_file = NULL; 365 srv_conf->tls_key = NULL; 366 srv_conf->tls_key_file = NULL; 367} 368 369struct server * 370server_byaddr(struct sockaddr *addr, in_port_t port) 371{ 372 struct server *srv; 373 374 TAILQ_FOREACH(srv, env->sc_servers, srv_entry) { 375 if (port == srv->srv_conf.port && 376 sockaddr_cmp((struct sockaddr *)&srv->srv_conf.ss, 377 addr, srv->srv_conf.prefixlen) == 0) 378 return (srv); 379 } 380 381 return (NULL); 382} 383 384struct server_config * 385serverconfig_byid(uint32_t id) 386{ 387 struct server *srv; 388 struct server_config *srv_conf; 389 390 TAILQ_FOREACH(srv, env->sc_servers, srv_entry) { 391 if (srv->srv_conf.id == id) 392 return (&srv->srv_conf); 393 TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) { 394 if (srv_conf->id == id) 395 return (srv_conf); 396 } 397 } 398 399 return (NULL); 400} 401 402int 403server_foreach(int (*srv_cb)(struct server *, 404 struct server_config *, void *), void *arg) 405{ 406 struct server *srv; 407 struct server_config *srv_conf; 408 409 TAILQ_FOREACH(srv, env->sc_servers, srv_entry) { 410 if ((srv_cb)(srv, &srv->srv_conf, arg) == -1) 411 return (-1); 412 TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) { 413 if ((srv_cb)(srv, srv_conf, arg) == -1) 414 return (-1); 415 } 416 } 417 418 return (0); 419} 420 421int 422server_socket_af(struct sockaddr_storage *ss, in_port_t port) 423{ 424 switch (ss->ss_family) { 425 case AF_INET: 426 ((struct sockaddr_in *)ss)->sin_port = port; 427 ((struct sockaddr_in *)ss)->sin_len = 428 sizeof(struct sockaddr_in); 429 break; 430 case AF_INET6: 431 ((struct sockaddr_in6 *)ss)->sin6_port = port; 432 ((struct sockaddr_in6 *)ss)->sin6_len = 433 sizeof(struct sockaddr_in6); 434 break; 435 default: 436 return (-1); 437 } 438 439 return (0); 440} 441 442in_port_t 443server_socket_getport(struct sockaddr_storage *ss) 444{ 445 switch (ss->ss_family) { 446 case AF_INET: 447 return (((struct sockaddr_in *)ss)->sin_port); 448 case AF_INET6: 449 return (((struct sockaddr_in6 *)ss)->sin6_port); 450 default: 451 return (0); 452 } 453 454 /* NOTREACHED */ 455 return (0); 456} 457 458int 459server_socket(struct sockaddr_storage *ss, in_port_t port, 460 struct server_config *srv_conf, int fd, int reuseport) 461{ 462 struct linger lng; 463 int s = -1, val; 464 465 if (server_socket_af(ss, port) == -1) 466 goto bad; 467 468 s = fd == -1 ? socket(ss->ss_family, SOCK_STREAM | SOCK_NONBLOCK, 469 IPPROTO_TCP) : fd; 470 if (s == -1) 471 goto bad; 472 473 /* 474 * Socket options 475 */ 476 memset(&lng, 0, sizeof(lng)); 477 if (setsockopt(s, SOL_SOCKET, SO_LINGER, &lng, sizeof(lng)) == -1) 478 goto bad; 479 if (reuseport) { 480 val = 1; 481 if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &val, 482 sizeof(int)) == -1) 483 goto bad; 484 } 485 if (srv_conf->tcpflags & TCPFLAG_BUFSIZ) { 486 val = srv_conf->tcpbufsiz; 487 if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, 488 &val, sizeof(val)) == -1) 489 goto bad; 490 val = srv_conf->tcpbufsiz; 491 if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, 492 &val, sizeof(val)) == -1) 493 goto bad; 494 } 495 496 /* 497 * IP options 498 */ 499 if (srv_conf->tcpflags & TCPFLAG_IPTTL) { 500 val = (int)srv_conf->tcpipttl; 501 if (setsockopt(s, IPPROTO_IP, IP_TTL, 502 &val, sizeof(val)) == -1) 503 goto bad; 504 } 505 if (srv_conf->tcpflags & TCPFLAG_IPMINTTL) { 506 val = (int)srv_conf->tcpipminttl; 507 if (setsockopt(s, IPPROTO_IP, IP_MINTTL, 508 &val, sizeof(val)) == -1) 509 goto bad; 510 } 511 512 /* 513 * TCP options 514 */ 515 if (srv_conf->tcpflags & (TCPFLAG_NODELAY|TCPFLAG_NNODELAY)) { 516 if (srv_conf->tcpflags & TCPFLAG_NNODELAY) 517 val = 0; 518 else 519 val = 1; 520 if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, 521 &val, sizeof(val)) == -1) 522 goto bad; 523 } 524 if (srv_conf->tcpflags & (TCPFLAG_SACK|TCPFLAG_NSACK)) { 525 if (srv_conf->tcpflags & TCPFLAG_NSACK) 526 val = 0; 527 else 528 val = 1; 529 if (setsockopt(s, IPPROTO_TCP, TCP_SACK_ENABLE, 530 &val, sizeof(val)) == -1) 531 goto bad; 532 } 533 534 return (s); 535 536 bad: 537 if (s != -1) 538 close(s); 539 return (-1); 540} 541 542int 543server_socket_listen(struct sockaddr_storage *ss, in_port_t port, 544 struct server_config *srv_conf) 545{ 546 int s; 547 548 if ((s = server_socket(ss, port, srv_conf, -1, 1)) == -1) 549 return (-1); 550 551 if (bind(s, (struct sockaddr *)ss, ss->ss_len) == -1) 552 goto bad; 553 if (listen(s, srv_conf->tcpbacklog) == -1) 554 goto bad; 555 556 return (s); 557 558 bad: 559 close(s); 560 return (-1); 561} 562 563int 564server_socket_connect(struct sockaddr_storage *ss, in_port_t port, 565 struct server_config *srv_conf) 566{ 567 int s; 568 569 if ((s = server_socket(ss, port, srv_conf, -1, 0)) == -1) 570 return (-1); 571 572 if (connect(s, (struct sockaddr *)ss, ss->ss_len) == -1) { 573 if (errno != EINPROGRESS) 574 goto bad; 575 } 576 577 return (s); 578 579 bad: 580 close(s); 581 return (-1); 582} 583 584void 585server_tls_readcb(int fd, short event, void *arg) 586{ 587 struct bufferevent *bufev = arg; 588 struct client *clt = bufev->cbarg; 589 char rbuf[IBUF_READ_SIZE]; 590 int what = EVBUFFER_READ; 591 int howmuch = IBUF_READ_SIZE; 592 ssize_t ret; 593 size_t len; 594 595 if (event == EV_TIMEOUT) { 596 what |= EVBUFFER_TIMEOUT; 597 goto err; 598 } 599 600 if (bufev->wm_read.high != 0) 601 howmuch = MINIMUM(sizeof(rbuf), bufev->wm_read.high); 602 603 ret = tls_read(clt->clt_tls_ctx, rbuf, howmuch); 604 if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) { 605 goto retry; 606 } else if (ret < 0) { 607 what |= EVBUFFER_ERROR; 608 goto err; 609 } 610 len = ret; 611 612 if (len == 0) { 613 what |= EVBUFFER_EOF; 614 goto err; 615 } 616 617 if (evbuffer_add(bufev->input, rbuf, len) == -1) { 618 what |= EVBUFFER_ERROR; 619 goto err; 620 } 621 622 server_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 623 624 len = EVBUFFER_LENGTH(bufev->input); 625 if (bufev->wm_read.low != 0 && len < bufev->wm_read.low) 626 return; 627 if (bufev->wm_read.high != 0 && len > bufev->wm_read.high) { 628 struct evbuffer *buf = bufev->input; 629 event_del(&bufev->ev_read); 630 evbuffer_setcb(buf, bufferevent_read_pressure_cb, bufev); 631 return; 632 } 633 634 if (bufev->readcb != NULL) 635 (*bufev->readcb)(bufev, bufev->cbarg); 636 return; 637 638 retry: 639 server_bufferevent_add(&bufev->ev_read, bufev->timeout_read); 640 return; 641 642 err: 643 (*bufev->errorcb)(bufev, what, bufev->cbarg); 644} 645 646void 647server_tls_writecb(int fd, short event, void *arg) 648{ 649 struct bufferevent *bufev = arg; 650 struct client *clt = bufev->cbarg; 651 ssize_t ret; 652 short what = EVBUFFER_WRITE; 653 size_t len; 654 655 if (event == EV_TIMEOUT) { 656 what |= EVBUFFER_TIMEOUT; 657 goto err; 658 } 659 660 if (EVBUFFER_LENGTH(bufev->output)) { 661 ret = tls_write(clt->clt_tls_ctx, 662 EVBUFFER_DATA(bufev->output), 663 EVBUFFER_LENGTH(bufev->output)); 664 if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) { 665 goto retry; 666 } else if (ret < 0) { 667 what |= EVBUFFER_ERROR; 668 goto err; 669 } 670 len = ret; 671 evbuffer_drain(bufev->output, len); 672 } 673 674 if (EVBUFFER_LENGTH(bufev->output) != 0) 675 server_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 676 677 if (bufev->writecb != NULL && 678 EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low) 679 (*bufev->writecb)(bufev, bufev->cbarg); 680 return; 681 682 retry: 683 server_bufferevent_add(&bufev->ev_write, bufev->timeout_write); 684 return; 685 686 err: 687 (*bufev->errorcb)(bufev, what, bufev->cbarg); 688} 689 690void 691server_input(struct client *clt) 692{ 693 struct server_config *srv_conf = clt->clt_srv_conf; 694 evbuffercb inrd = server_read; 695 evbuffercb inwr = server_write; 696 socklen_t slen; 697 698 if (server_httpdesc_init(clt) == -1) { 699 server_close(clt, "failed to allocate http descriptor"); 700 return; 701 } 702 703 clt->clt_toread = TOREAD_HTTP_HEADER; 704 inrd = server_read_http; 705 706 slen = sizeof(clt->clt_sndbufsiz); 707 if (getsockopt(clt->clt_s, SOL_SOCKET, SO_SNDBUF, 708 &clt->clt_sndbufsiz, &slen) == -1) { 709 server_close(clt, "failed to get send buffer size"); 710 return; 711 } 712 713 /* 714 * Client <-> Server 715 */ 716 clt->clt_bev = bufferevent_new(clt->clt_s, inrd, inwr, 717 server_error, clt); 718 if (clt->clt_bev == NULL) { 719 server_close(clt, "failed to allocate input buffer event"); 720 return; 721 } 722 723 if (srv_conf->flags & SRVFLAG_TLS) { 724 event_set(&clt->clt_bev->ev_read, clt->clt_s, EV_READ, 725 server_tls_readcb, clt->clt_bev); 726 event_set(&clt->clt_bev->ev_write, clt->clt_s, EV_WRITE, 727 server_tls_writecb, clt->clt_bev); 728 } 729 730 /* Adjust write watermark to the socket buffer output size */ 731 bufferevent_setwatermark(clt->clt_bev, EV_WRITE, 732 SERVER_MIN_PREFETCHED * clt->clt_sndbufsiz, 0); 733 /* Read at most amount of data that fits in one fcgi record. */ 734 bufferevent_setwatermark(clt->clt_bev, EV_READ, 0, FCGI_CONTENT_SIZE); 735 736 bufferevent_settimeout(clt->clt_bev, 737 srv_conf->timeout.tv_sec, srv_conf->timeout.tv_sec); 738 bufferevent_enable(clt->clt_bev, EV_READ|EV_WRITE); 739} 740 741void 742server_write(struct bufferevent *bev, void *arg) 743{ 744 struct client *clt = arg; 745 struct evbuffer *dst = EVBUFFER_OUTPUT(bev); 746 747 if (EVBUFFER_LENGTH(dst) == 0 && 748 clt->clt_toread == TOREAD_HTTP_NONE) 749 goto done; 750 751 getmonotime(&clt->clt_tv_last); 752 753 if (clt->clt_done) 754 goto done; 755 756 bufferevent_enable(bev, EV_READ); 757 758 if (clt->clt_srvbev && clt->clt_srvbev_throttled) { 759 bufferevent_enable(clt->clt_srvbev, EV_READ); 760 clt->clt_srvbev_throttled = 0; 761 } 762 763 return; 764 done: 765 (*bev->errorcb)(bev, EVBUFFER_WRITE|EVBUFFER_EOF, bev->cbarg); 766 return; 767} 768 769void 770server_dump(struct client *clt, const void *buf, size_t len) 771{ 772 if (!len) 773 return; 774 775 /* 776 * This function will dump the specified message directly 777 * to the underlying client, without waiting for success 778 * of non-blocking events etc. This is useful to print an 779 * error message before gracefully closing the client. 780 */ 781 if (clt->clt_tls_ctx != NULL) 782 (void)tls_write(clt->clt_tls_ctx, buf, len); 783 else 784 (void)write(clt->clt_s, buf, len); 785} 786 787void 788server_read(struct bufferevent *bev, void *arg) 789{ 790 struct client *clt = arg; 791 struct evbuffer *src = EVBUFFER_INPUT(bev); 792 793 getmonotime(&clt->clt_tv_last); 794 795 if (!EVBUFFER_LENGTH(src)) 796 return; 797 if (server_bufferevent_write_buffer(clt, src) == -1) 798 goto fail; 799 if (clt->clt_done) 800 goto done; 801 802 if (EVBUFFER_LENGTH(EVBUFFER_OUTPUT(clt->clt_bev)) > (size_t) 803 SERVER_MAX_PREFETCH * clt->clt_sndbufsiz) { 804 bufferevent_disable(clt->clt_srvbev, EV_READ); 805 clt->clt_srvbev_throttled = 1; 806 } 807 808 return; 809 done: 810 (*bev->errorcb)(bev, EVBUFFER_READ|EVBUFFER_EOF, bev->cbarg); 811 return; 812 fail: 813 server_close(clt, strerror(errno)); 814} 815 816void 817server_error(struct bufferevent *bev, short error, void *arg) 818{ 819 struct client *clt = arg; 820 struct evbuffer *dst; 821 822 if (error & EVBUFFER_TIMEOUT) { 823 server_close(clt, "buffer event timeout"); 824 return; 825 } 826 if (error & EVBUFFER_ERROR) { 827 if (errno == EFBIG) { 828 bufferevent_enable(bev, EV_READ); 829 return; 830 } 831 server_close(clt, "buffer event error"); 832 return; 833 } 834 if (error & (EVBUFFER_READ|EVBUFFER_WRITE|EVBUFFER_EOF)) { 835 bufferevent_disable(bev, EV_READ|EV_WRITE); 836 837 clt->clt_done = 1; 838 839 dst = EVBUFFER_OUTPUT(clt->clt_bev); 840 if (EVBUFFER_LENGTH(dst)) { 841 /* Finish writing all data first */ 842 bufferevent_enable(clt->clt_bev, EV_WRITE); 843 return; 844 } 845 846 server_close(clt, "done"); 847 return; 848 } 849 server_close(clt, "unknown event error"); 850 return; 851} 852 853void 854server_accept(int fd, short event, void *arg) 855{ 856 struct server *srv = arg; 857 struct client *clt = NULL; 858 socklen_t slen; 859 struct sockaddr_storage ss; 860 int s = -1; 861 862 event_add(&srv->srv_ev, NULL); 863 if ((event & EV_TIMEOUT)) 864 return; 865 866 slen = sizeof(ss); 867 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, 868 &slen, FD_RESERVE, &server_inflight)) == -1) { 869 /* 870 * Pause accept if we are out of file descriptors, or 871 * libevent will haunt us here too. 872 */ 873 if (errno == ENFILE || errno == EMFILE) { 874 struct timeval evtpause = { 1, 0 }; 875 876 event_del(&srv->srv_ev); 877 evtimer_add(&srv->srv_evt, &evtpause); 878 log_debug("%s: deferring connections", __func__); 879 } 880 return; 881 } 882 if (server_clients >= SERVER_MAX_CLIENTS) 883 goto err; 884 885 if ((clt = calloc(1, sizeof(*clt))) == NULL) 886 goto err; 887 888 /* Pre-allocate log buffer */ 889 clt->clt_log = evbuffer_new(); 890 if (clt->clt_log == NULL) 891 goto err; 892 893 clt->clt_s = s; 894 clt->clt_fd = -1; 895 clt->clt_toread = TOREAD_UNLIMITED; 896 clt->clt_srv = srv; 897 clt->clt_srv_conf = &srv->srv_conf; 898 clt->clt_id = ++server_cltid; 899 clt->clt_srv_id = srv->srv_conf.id; 900 clt->clt_pid = getpid(); 901 clt->clt_inflight = 1; 902 903 /* get local address */ 904 slen = sizeof(clt->clt_srv_ss); 905 if (getsockname(s, (struct sockaddr *)&clt->clt_srv_ss, 906 &slen) == -1) { 907 server_close(clt, "listen address lookup failed"); 908 return; 909 } 910 911 /* get client address */ 912 memcpy(&clt->clt_ss, &ss, sizeof(clt->clt_ss)); 913 914 /* get ports */ 915 switch (ss.ss_family) { 916 case AF_INET: 917 clt->clt_port = ((struct sockaddr_in *)&ss)->sin_port; 918 break; 919 case AF_INET6: 920 clt->clt_port = ((struct sockaddr_in6 *)&ss)->sin6_port; 921 break; 922 } 923 924 getmonotime(&clt->clt_tv_start); 925 memcpy(&clt->clt_tv_last, &clt->clt_tv_start, sizeof(clt->clt_tv_last)); 926 927 server_clients++; 928 SPLAY_INSERT(client_tree, &srv->srv_clients, clt); 929 930 /* Increment the per-relay client counter */ 931 //srv->srv_stats[proc_id].last++; 932 933 /* Pre-allocate output buffer */ 934 clt->clt_output = evbuffer_new(); 935 if (clt->clt_output == NULL) { 936 server_close(clt, "failed to allocate output buffer"); 937 return; 938 } 939 940 if (srv->srv_conf.flags & SRVFLAG_TLS) { 941 if (tls_accept_socket(srv->srv_tls_ctx, &clt->clt_tls_ctx, 942 clt->clt_s) != 0) { 943 server_close(clt, "failed to setup tls context"); 944 return; 945 } 946 event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_READ, 947 server_handshake_tls, &clt->clt_tv_start, 948 &srv->srv_conf.timeout, clt); 949 return; 950 } 951 952 server_input(clt); 953 return; 954 955 err: 956 if (s != -1) { 957 close(s); 958 free(clt); 959 /* 960 * the client struct was not completely set up, but still 961 * counted as an inflight client. account for this. 962 */ 963 server_inflight_dec(NULL, __func__); 964 } 965} 966 967void 968server_handshake_tls(int fd, short event, void *arg) 969{ 970 struct client *clt = (struct client *)arg; 971 struct server *srv = (struct server *)clt->clt_srv; 972 int ret; 973 974 if (event == EV_TIMEOUT) { 975 server_close(clt, "tls handshake timeout"); 976 return; 977 } 978 979 if (srv->srv_tls_ctx == NULL || clt->clt_tls_ctx == NULL) 980 fatalx("NULL tls context"); 981 982 ret = tls_handshake(clt->clt_tls_ctx); 983 if (ret == 0) { 984 server_input(clt); 985 } else if (ret == TLS_WANT_POLLIN) { 986 event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_READ, 987 server_handshake_tls, &clt->clt_tv_start, 988 &srv->srv_conf.timeout, clt); 989 } else if (ret == TLS_WANT_POLLOUT) { 990 event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_WRITE, 991 server_handshake_tls, &clt->clt_tv_start, 992 &srv->srv_conf.timeout, clt); 993 } else { 994 log_warnx("%s: tls handshake failed - %s", __func__, 995 tls_error(clt->clt_tls_ctx)); 996 server_close(clt, "tls handshake failed"); 997 } 998} 999 1000void 1001server_inflight_dec(struct client *clt, const char *why) 1002{ 1003 if (clt != NULL) { 1004 /* the flight already left inflight mode. */ 1005 if (clt->clt_inflight == 0) 1006 return; 1007 clt->clt_inflight = 0; 1008 } 1009 1010 /* the file was never opened, thus this was an inflight client. */ 1011 server_inflight--; 1012 DPRINTF("%s: inflight decremented, now %d, %s", 1013 __func__, server_inflight, why); 1014} 1015 1016void 1017server_sendlog(struct server_config *srv_conf, int cmd, const char *emsg, ...) 1018{ 1019 va_list ap; 1020 char *msg; 1021 int ret; 1022 struct iovec iov[2]; 1023 1024 if (srv_conf->flags & SRVFLAG_SYSLOG) { 1025 va_start(ap, emsg); 1026 if (cmd == IMSG_LOG_ACCESS) 1027 vlog(LOG_INFO, emsg, ap); 1028 else 1029 vlog(LOG_DEBUG, emsg, ap); 1030 va_end(ap); 1031 return; 1032 } 1033 1034 va_start(ap, emsg); 1035 ret = vasprintf(&msg, emsg, ap); 1036 va_end(ap); 1037 if (ret == -1) { 1038 log_warn("%s: vasprintf", __func__); 1039 return; 1040 } 1041 1042 iov[0].iov_base = &srv_conf->id; 1043 iov[0].iov_len = sizeof(srv_conf->id); 1044 iov[1].iov_base = msg; 1045 iov[1].iov_len = strlen(msg) + 1; 1046 1047 if (proc_composev(env->sc_ps, PROC_LOGGER, cmd, iov, 2) != 0) { 1048 log_warn("%s: failed to compose imsg", __func__); 1049 return; 1050 } 1051} 1052 1053void 1054server_log(struct client *clt, const char *msg) 1055{ 1056 char ibuf[HOST_NAME_MAX+1], obuf[HOST_NAME_MAX+1]; 1057 struct server_config *srv_conf = clt->clt_srv_conf; 1058 char *ptr = NULL, *vmsg = NULL; 1059 int debug_cmd = -1; 1060 extern int verbose; 1061 1062 switch (srv_conf->logformat) { 1063 case LOG_FORMAT_CONNECTION: 1064 debug_cmd = IMSG_LOG_ACCESS; 1065 break; 1066 default: 1067 if (verbose > 1) 1068 debug_cmd = IMSG_LOG_ERROR; 1069 if (EVBUFFER_LENGTH(clt->clt_log)) { 1070 while ((ptr = 1071 evbuffer_readline(clt->clt_log)) != NULL) { 1072 server_sendlog(srv_conf, 1073 IMSG_LOG_ACCESS, "%s", ptr); 1074 free(ptr); 1075 } 1076 } 1077 break; 1078 } 1079 1080 if (debug_cmd != -1 && msg != NULL) { 1081 memset(ibuf, 0, sizeof(ibuf)); 1082 memset(obuf, 0, sizeof(obuf)); 1083 (void)print_host(&clt->clt_ss, ibuf, sizeof(ibuf)); 1084 (void)server_http_host(&clt->clt_srv_ss, obuf, sizeof(obuf)); 1085 if (EVBUFFER_LENGTH(clt->clt_log) && 1086 evbuffer_add_printf(clt->clt_log, "\n") != -1) 1087 ptr = evbuffer_readline(clt->clt_log); 1088 (void)stravis(&vmsg, msg, HTTPD_LOGVIS); 1089 server_sendlog(srv_conf, debug_cmd, "server %s, " 1090 "client %d (%d active), %s:%u -> %s, " 1091 "%s%s%s", srv_conf->name, clt->clt_id, server_clients, 1092 ibuf, ntohs(clt->clt_port), obuf, vmsg == NULL ? "" : vmsg, 1093 ptr == NULL ? "" : ",", ptr == NULL ? "" : ptr); 1094 free(vmsg); 1095 free(ptr); 1096 } 1097} 1098 1099void 1100server_close(struct client *clt, const char *msg) 1101{ 1102 struct server *srv = clt->clt_srv; 1103 1104 SPLAY_REMOVE(client_tree, &srv->srv_clients, clt); 1105 1106 /* free the HTTP descriptors incl. headers */ 1107 server_close_http(clt); 1108 1109 event_del(&clt->clt_ev); 1110 if (clt->clt_bev != NULL) 1111 bufferevent_disable(clt->clt_bev, EV_READ|EV_WRITE); 1112 if (clt->clt_srvbev != NULL) 1113 bufferevent_disable(clt->clt_srvbev, EV_READ|EV_WRITE); 1114 1115 server_log(clt, msg); 1116 1117 if (clt->clt_bev != NULL) 1118 bufferevent_free(clt->clt_bev); 1119 if (clt->clt_output != NULL) 1120 evbuffer_free(clt->clt_output); 1121 if (clt->clt_srvevb != NULL) 1122 evbuffer_free(clt->clt_srvevb); 1123 1124 if (clt->clt_srvbev != NULL) 1125 bufferevent_free(clt->clt_srvbev); 1126 if (clt->clt_fd != -1) 1127 close(clt->clt_fd); 1128 if (clt->clt_s != -1) 1129 close(clt->clt_s); 1130 1131 if (clt->clt_tls_ctx != NULL) 1132 tls_close(clt->clt_tls_ctx); 1133 tls_free(clt->clt_tls_ctx); 1134 1135 server_inflight_dec(clt, __func__); 1136 1137 if (clt->clt_log != NULL) 1138 evbuffer_free(clt->clt_log); 1139 1140 free(clt); 1141 server_clients--; 1142} 1143 1144int 1145server_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) 1146{ 1147 switch (imsg->hdr.type) { 1148 case IMSG_CFG_MEDIA: 1149 config_getmedia(env, imsg); 1150 break; 1151 case IMSG_CFG_AUTH: 1152 config_getauth(env, imsg); 1153 break; 1154 case IMSG_CFG_SERVER: 1155 config_getserver(env, imsg); 1156 break; 1157 case IMSG_CFG_TLS: 1158 config_gettls(env, imsg); 1159 break; 1160 case IMSG_CFG_DONE: 1161 config_getcfg(env, imsg); 1162 break; 1163 case IMSG_CTL_START: 1164 server_launch(); 1165 break; 1166 case IMSG_CTL_RESET: 1167 config_getreset(env, imsg); 1168 break; 1169 default: 1170 return (-1); 1171 } 1172 1173 return (0); 1174} 1175 1176int 1177server_dispatch_logger(int fd, struct privsep_proc *p, struct imsg *imsg) 1178{ 1179 switch (imsg->hdr.type) { 1180 default: 1181 return (-1); 1182 } 1183 1184 return (0); 1185} 1186 1187int 1188server_bufferevent_add(struct event *ev, int timeout) 1189{ 1190 struct timeval tv, *ptv = NULL; 1191 1192 if (timeout) { 1193 timerclear(&tv); 1194 tv.tv_sec = timeout; 1195 ptv = &tv; 1196 } 1197 1198 return (event_add(ev, ptv)); 1199} 1200 1201int 1202server_bufferevent_printf(struct client *clt, const char *fmt, ...) 1203{ 1204 int ret; 1205 va_list ap; 1206 char *str; 1207 1208 va_start(ap, fmt); 1209 ret = vasprintf(&str, fmt, ap); 1210 va_end(ap); 1211 1212 if (ret == -1) 1213 return (ret); 1214 1215 ret = server_bufferevent_print(clt, str); 1216 free(str); 1217 1218 return (ret); 1219} 1220 1221int 1222server_bufferevent_print(struct client *clt, const char *str) 1223{ 1224 if (clt->clt_bev == NULL) 1225 return (evbuffer_add(clt->clt_output, str, strlen(str))); 1226 return (bufferevent_write(clt->clt_bev, str, strlen(str))); 1227} 1228 1229int 1230server_bufferevent_write_buffer(struct client *clt, struct evbuffer *buf) 1231{ 1232 if (clt->clt_bev == NULL) 1233 return (evbuffer_add_buffer(clt->clt_output, buf)); 1234 return (bufferevent_write_buffer(clt->clt_bev, buf)); 1235} 1236 1237int 1238server_bufferevent_write_chunk(struct client *clt, 1239 struct evbuffer *buf, size_t size) 1240{ 1241 int ret; 1242 ret = server_bufferevent_write(clt, buf->buffer, size); 1243 if (ret != -1) 1244 evbuffer_drain(buf, size); 1245 return (ret); 1246} 1247 1248int 1249server_bufferevent_write(struct client *clt, void *data, size_t size) 1250{ 1251 if (clt->clt_bev == NULL) 1252 return (evbuffer_add(clt->clt_output, data, size)); 1253 return (bufferevent_write(clt->clt_bev, data, size)); 1254} 1255 1256int 1257server_client_cmp(struct client *a, struct client *b) 1258{ 1259 return ((int)a->clt_id - b->clt_id); 1260} 1261 1262SPLAY_GENERATE(client_tree, client, clt_nodes, server_client_cmp); 1263