1 files changed, 43 insertions, 12 deletions

diff --git a/httpd/server.c b/httpd/server.c
index ca67a47..86d0dca 100644
--- a/httpd/server.c
+++ b/httpd/server.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: server.c,v 1.63 2015/04/23 16:59:28 florian Exp $	*/
+/*	$OpenBSD: server.c,v 1.70 2015/07/16 16:29:25 florian Exp $	*/
 
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -41,6 +41,7 @@
 #include <event.h>
 #include <imsg.h>
 #include <tls.h>
+#include <vis.h>
 
 #include "httpd.h"
 
@@ -312,20 +313,31 @@ server_purge(struct server *srv)
 void
 serverconfig_free(struct server_config *srv_conf)
 {
+	free(srv_conf->auth);
 	free(srv_conf->return_uri);
 	free(srv_conf->tls_cert_file);
-	free(srv_conf->tls_cert);
 	free(srv_conf->tls_key_file);
-	free(srv_conf->tls_key);
+
+	if (srv_conf->tls_cert != NULL) {
+		explicit_bzero(srv_conf->tls_cert, srv_conf->tls_cert_len);
+		free(srv_conf->tls_cert);
+	}
+
+	if (srv_conf->tls_key != NULL) {
+		explicit_bzero(srv_conf->tls_key, srv_conf->tls_key_len);
+		free(srv_conf->tls_key);
+	}
 }
 
 void
 serverconfig_reset(struct server_config *srv_conf)
 {
-	srv_conf->tls_cert_file = srv_conf->tls_key_file = NULL;
-	srv_conf->tls_cert = srv_conf->tls_key = NULL;
-	srv_conf->return_uri = NULL;
 	srv_conf->auth = NULL;
+	srv_conf->return_uri = NULL;
+	srv_conf->tls_cert = NULL;
+	srv_conf->tls_cert_file = NULL;
+	srv_conf->tls_key = NULL;
+	srv_conf->tls_key_file = NULL;
 }
 
 struct server *
@@ -571,6 +583,11 @@ server_tls_readcb(int fd, short event, void *arg)
 		goto err;
 	}
 
+	if (len == 0) {
+		what |= EVBUFFER_EOF;
+		goto err;
+	}
+
 	if (evbuffer_add(bufev->input, rbuf, len) == -1) {
 		what |= EVBUFFER_ERROR;
 		goto err;
@@ -704,7 +721,7 @@ server_input(struct client *clt)
 
 	/* Adjust write watermark to the socket buffer output size */
 	bufferevent_setwatermark(clt->clt_bev, EV_WRITE,
-	    clt->clt_sndbufsiz, 0);
+	    SERVER_MIN_PREFETCHED * clt->clt_sndbufsiz, 0);
 	/* Read at most amount of data that fits in one fcgi record. */
 	bufferevent_setwatermark(clt->clt_bev, EV_READ, 0, FCGI_CONTENT_SIZE);
 
@@ -729,6 +746,10 @@ server_write(struct bufferevent *bev, void *arg)
 		goto done;
 
 	bufferevent_enable(bev, EV_READ);
+
+	if (clt->clt_srvbev && !(clt->clt_srvbev->enabled & EV_READ))
+		bufferevent_enable(clt->clt_srvbev, EV_READ);
+
 	return;
  done:
 	(*bev->errorcb)(bev, EVBUFFER_WRITE|EVBUFFER_EOF, bev->cbarg);
@@ -769,6 +790,11 @@ server_read(struct bufferevent *bev, void *arg)
 		goto fail;
 	if (clt->clt_done)
 		goto done;
+
+	if (EVBUFFER_LENGTH(EVBUFFER_OUTPUT(clt->clt_bev)) > (size_t)
+	    SERVER_MAX_PREFETCH * clt->clt_sndbufsiz)
+		bufferevent_disable(bev, EV_READ);
+
 	return;
  done:
 	(*bev->errorcb)(bev, EVBUFFER_READ|EVBUFFER_EOF, bev->cbarg);
@@ -919,7 +945,7 @@ server_accept(int fd, short event, void *arg)
 		close(s);
 		free(clt);
 		/*
-		 * the client struct was not completly set up, but still
+		 * the client struct was not completely set up, but still
 		 * counted as an inflight client. account for this.
 		 */
 		server_inflight_dec(NULL, __func__);
@@ -954,6 +980,7 @@ server_accept_tls(int fd, short event, void *arg)
 	} else if (ret != 0) {
 		log_warnx("%s: TLS accept failed - %s", __func__,
 		    tls_error(srv->srv_tls_ctx));
+		server_close(clt, "TLS accept failed");
 		return;
 	}
 
@@ -1020,7 +1047,7 @@ server_log(struct client *clt, const char *msg)
 {
 	char			 ibuf[HOST_NAME_MAX+1], obuf[HOST_NAME_MAX+1];
 	struct server_config	*srv_conf = clt->clt_srv_conf;
-	char			*ptr = NULL;
+	char			*ptr = NULL, *vmsg = NULL;
 	int			 debug_cmd = -1;
 	extern int		 verbose;
 
@@ -1050,13 +1077,14 @@ server_log(struct client *clt, const char *msg)
 		if (EVBUFFER_LENGTH(clt->clt_log) &&
 		    evbuffer_add_printf(clt->clt_log, "\n") != -1)
 			ptr = evbuffer_readline(clt->clt_log);
+		(void)stravis(&vmsg, msg, HTTPD_LOGVIS);
 		server_sendlog(srv_conf, debug_cmd, "server %s, "
 		    "client %d (%d active), %s:%u -> %s, "
 		    "%s%s%s", srv_conf->name, clt->clt_id, server_clients,
-		    ibuf, ntohs(clt->clt_port), obuf, msg,
+		    ibuf, ntohs(clt->clt_port), obuf, vmsg == NULL ? "" : vmsg,
 		    ptr == NULL ? "" : ",", ptr == NULL ? "" : ptr);
-		if (ptr != NULL)
-			free(ptr);
+		free(vmsg);
+		free(ptr);
 	}
 }
 
@@ -1118,6 +1146,9 @@ server_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
 	case IMSG_CFG_SERVER:
 		config_getserver(env, imsg);
 		break;
+	case IMSG_CFG_TLS:
+		config_gettls(env, imsg);
+		break;
 	case IMSG_CFG_DONE:
 		config_getcfg(env, imsg);
 		break;