From 443c85a053b7a4f3b0ab8bb4e17fb4ef7a3f43c3 Mon Sep 17 00:00:00 2001 From: Reyk Floeter Date: Fri, 2 Jan 2015 13:49:20 +0100 Subject: Sync with -current: change TLS to SSL, support HEAD, other changes. --- config.c | 44 +++++++++++++-------------- control.c | 3 +- httpd.8 | 6 ++-- httpd.c | 21 +++++++------ httpd.conf.5 | 89 +++++++++++++++++++++++++++++++----------------------- httpd.h | 28 ++++++++--------- log.c | 3 +- logger.c | 3 +- parse.y | 94 +++++++++++++++++++++------------------------------------ proc.c | 5 ++-- server.c | 96 +++++++++++++++++++++++++++++------------------------------ server_fcgi.c | 73 ++------------------------------------------- server_file.c | 9 ++---- server_http.c | 63 ++++++++++++++++----------------------- 14 files changed, 220 insertions(+), 317 deletions(-) diff --git a/config.c b/config.c index e545571..d651a02 100644 --- a/config.c +++ b/config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: config.c,v 1.22 2014/09/05 10:04:20 reyk Exp $ */ +/* $OpenBSD: config.c,v 1.26 2014/12/21 00:54:49 guenther Exp $ */ /* * Copyright (c) 2011 - 2014 Reyk Floeter @@ -25,8 +25,6 @@ #include #include #include -#include -#include #include #include @@ -185,13 +183,13 @@ config_setserver(struct httpd *env, struct server *srv) c = 0; iov[c].iov_base = &s; iov[c++].iov_len = sizeof(s); - if (srv->srv_conf.ssl_cert_len != 0) { - iov[c].iov_base = srv->srv_conf.ssl_cert; - iov[c++].iov_len = srv->srv_conf.ssl_cert_len; + if (srv->srv_conf.tls_cert_len != 0) { + iov[c].iov_base = srv->srv_conf.tls_cert; + iov[c++].iov_len = srv->srv_conf.tls_cert_len; } - if (srv->srv_conf.ssl_key_len != 0) { - iov[c].iov_base = srv->srv_conf.ssl_key; - iov[c++].iov_len = srv->srv_conf.ssl_key_len; + if (srv->srv_conf.tls_key_len != 0) { + iov[c].iov_base = srv->srv_conf.tls_key; + iov[c++].iov_len = srv->srv_conf.tls_key_len; } if (id == PROC_SERVER && 
@@ -285,7 +283,7 @@ config_getserver_config(struct httpd *env, struct server *srv, if ((srv_conf->flags & f) == 0) srv_conf->flags |= parent->flags & f; - f = SRVFLAG_SSL; + f = SRVFLAG_TLS; srv_conf->flags |= parent->flags & f; f = SRVFLAG_ACCESS_LOG; @@ -346,8 +344,8 @@ config_getserver(struct httpd *env, struct imsg *imsg) /* Reset these variables to avoid free'ing invalid pointers */ serverconfig_reset(&srv_conf); - if ((u_int)(IMSG_DATA_SIZE(imsg) - s) < - (srv_conf.ssl_cert_len + srv_conf.ssl_key_len)) { + if ((off_t)(IMSG_DATA_SIZE(imsg) - s) < + (srv_conf.tls_cert_len + srv_conf.tls_key_len)) { log_debug("%s: invalid message length", __func__); goto fail; } @@ -384,24 +382,26 @@ config_getserver(struct httpd *env, struct imsg *imsg) srv->srv_conf.name, srv->srv_conf.id, printb_flags(srv->srv_conf.flags, SRVFLAG_BITS)); - if (srv->srv_conf.ssl_cert_len != 0) { - if ((srv->srv_conf.ssl_cert = get_data(p + s, - srv->srv_conf.ssl_cert_len)) == NULL) + if (srv->srv_conf.tls_cert_len != 0) { + if ((srv->srv_conf.tls_cert = get_data(p + s, + srv->srv_conf.tls_cert_len)) == NULL) goto fail; - s += srv->srv_conf.ssl_cert_len; + s += srv->srv_conf.tls_cert_len; } - if (srv->srv_conf.ssl_key_len != 0) { - if ((srv->srv_conf.ssl_key = get_data(p + s, - srv->srv_conf.ssl_key_len)) == NULL) + if (srv->srv_conf.tls_key_len != 0) { + if ((srv->srv_conf.tls_key = get_data(p + s, + srv->srv_conf.tls_key_len)) == NULL) goto fail; - s += srv->srv_conf.ssl_key_len; + s += srv->srv_conf.tls_key_len; } return (0); fail: - free(srv->srv_conf.ssl_cert); - free(srv->srv_conf.ssl_key); + if (srv != NULL) { + free(srv->srv_conf.tls_cert); + free(srv->srv_conf.tls_key); + } free(srv); return (-1); diff --git a/control.c b/control.c index 1988ba7..a6422bc 100644 --- a/control.c +++ b/control.c @@ -1,4 +1,4 @@ -/* $OpenBSD: control.c,v 1.4 2014/08/04 15:49:28 reyk Exp $ */ +/* $OpenBSD: control.c,v 1.5 2014/12/21 00:54:49 guenther Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer 
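Review bot: The new `(off_t)` cast in config_getserver's length check assumes both `tls_cert_len` and `tls_key_len` arrived non-negative: the two `off_t` fields are taken straight from the imsg payload, and a negative value would make the sum smaller than the remaining payload, pass the comparison, and then reach `get_data()` with a length that was never range-checked. The message comes from the privileged parent over the privsep channel, so this is a robustness rather than an exposure concern, but an explicit `if (srv_conf.tls_cert_len < 0 || srv_conf.tls_key_len < 0) goto fail;` ahead of the comparison costs nothing and makes the intent of the cast obvious. The start of config_getserver, where `s` is set, lies outside the hunk, so I cannot see whether `IMSG_DATA_SIZE(imsg) - s` is already known not to underflow.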
@@ -23,6 +23,7 @@ #include #include +#include #include #include diff --git a/httpd.8 b/httpd.8 index ab301e1..e17f7de 100644 --- a/httpd.8 +++ b/httpd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: httpd.8,v 1.48 2014/08/09 08:49:48 jmc Exp $ +.\" $OpenBSD: httpd.8,v 1.49 2014/12/12 14:45:59 reyk Exp $ .\" .\" Copyright (c) 2014 Reyk Floeter .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 9 2014 $ +.Dd $Mdocdate: December 12 2014 $ .Dt HTTPD 8 .Os .Sh NAME @@ -28,7 +28,7 @@ .Sh DESCRIPTION The .Nm -daemon is an HTTP server with FastCGI and SSL support. +daemon is an HTTP server with FastCGI and TLS support. .Pp The FastCGI implementation has optional socket support. .Nm diff --git a/httpd.c b/httpd.c index 6579e6b..491c2d4 100644 --- a/httpd.c +++ b/httpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: httpd.c,v 1.24 2014/11/11 15:54:45 beck Exp $ */ +/* $OpenBSD: httpd.c,v 1.28 2014/12/11 17:06:55 schwarze Exp $ */ /* * Copyright (c) 2014 Reyk Floeter @@ -22,7 +22,6 @@ #include #include #include -#include #include #include @@ -40,8 +39,6 @@ #include #include #include -#include -#include #include "httpd.h" @@ -493,7 +490,7 @@ canonicalize_host(const char *host, char *name, size_t len) { struct sockaddr_in sin4; struct sockaddr_in6 sin6; - u_int i, j; + size_t i, j; size_t plen; char c; @@ -565,7 +562,7 @@ url_decode(char *url) * We don't have to validate "hex" because it is * guaranteed to include two hex chars followed by nul. */ - x = strtoul(hex, NULL, 16); + x = strtoul(hex, NULL, 16); *q = (char)x; p += 2; break; @@ -692,7 +689,7 @@ evbuffer_getline(struct evbuffer *evb) u_int8_t *ptr = EVBUFFER_DATA(evb); size_t len = EVBUFFER_LENGTH(evb); char *str; - u_int i; + size_t i; /* Safe version of evbuffer_readline() */ if ((str = get_string(ptr, len)) == NULL) 
@@ -1119,11 +1116,13 @@ media_find(struct mediatypes *types, char *file) struct media_type *match, media; char *p; - if ((p = strrchr(file, '.')) == NULL) { - p = file; - } else if (*p++ == '\0') { + /* Last component of the file name */ + p = strchr(file, '\0'); + while (p > file && p[-1] != '.' && p[-1] != '/') + p--; + if (*p == '\0') return (NULL); - } + if (strlcpy(media.media_name, p, sizeof(media.media_name)) >= sizeof(media.media_name)) { diff --git a/httpd.conf.5 b/httpd.conf.5 index b6177d3..222b3dc 100644 --- a/httpd.conf.5 +++ b/httpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: httpd.conf.5,v 1.36 2014/11/12 16:52:44 jmc Exp $ +.\" $OpenBSD: httpd.conf.5,v 1.40 2014/12/28 13:53:23 reyk Exp $ .\" .\" Copyright (c) 2014 Reyk Floeter .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 12 2014 $ +.Dd $Mdocdate: December 28 2014 $ .Dt HTTPD.CONF 5 .Os .Sh NAME @@ -49,6 +49,15 @@ If the address is an interface name, .Xr httpd 8 will look up the first IPv4 address and any other IPv4 and IPv6 addresses of the specified network interface. +If +.Sq * +is given as an address, +it will be used as an alias for +.Ar 0.0.0.0 +to listen on all IPv4 addresses. +Likewise, +.Sq :: +can be used to listen on all IPv6 addresses. A .Ar port can be specified by number or name. @@ -169,7 +178,7 @@ root directory of .Xr httpd 8 and defaults to .Pa /run/slowcgi.sock . -.It Ic listen on Ar address Oo Ic ssl Oc Ic port Ar number +.It Ic listen on Ar address Oo Ic tls Oc Ic port Ar number Set the listen address and port. .It Ic location Ar path Brq ... Specify server configuration rules for a specific location. 
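Review bot: The new comment `/* Last component of the file name */` in media_find describes the loop inaccurately: the backwards scan stops at the last `'.'` as well as at the last `'/'`, so `p` ends up at the extension when there is one, at the bare basename when the name has no dot, and at the terminating NUL (rejected on the following line) when the name ends in `.` or `/`. Suggest `/* Suffix after the last '.', without reaching back into a directory name */` so the `'/'` test is explained. A dot-less basename is still looked up as if it were an extension, much as the old code did; if that is intentional, a one-word remark in the same comment would help the next reader.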
@@ -246,33 +255,6 @@ root directory of .Nm httpd . If not specified, it defaults to .Pa /htdocs . -.It Ic ssl Ar option -Set the SSL configuration for the server. -These options are only used if SSL has been enabled via the listen directive. -Valid options are: -.Bl -tag -width Ds -.It Ic certificate Ar file -Specify the certificate to use for this server. -The -.Ar file -should contain a PEM encoded certificate. -.It Ic ciphers Ar string -Specify the SSL cipher string. -If not specified, the default value -.Qq HIGH:!aNULL -will be used (strong crypto cipher suites without anonymous DH). -See the CIPHERS section of -.Xr openssl 1 -for information about SSL cipher suites and preference lists. -.It Ic key Ar file -Specify the private key to use for this server. -The -.Ar file -should contain a PEM encoded private key and reside outside of the -.Xr chroot 2 -root directory of -.Nm httpd . -.El .It Ic tcp Ar option Enable or disable the specified TCP/IP options; see .Xr tcp 4 @@ -297,8 +279,7 @@ according to RFC 5082. Change the default time-to-live value in the IP headers. .It Oo Ic no Oc Ic nodelay Enable the TCP NODELAY option for this connection. -This is recommended to avoid delays in the relayed data stream, -e.g. for SSH connections. +This is recommended to avoid delays in the data stream. .It Oo Ic no Oc Ic sack Use selective acknowledgements for this connection. .It Ic socket buffer Ar number 
@@ -306,6 +287,33 @@ Set the socket-level buffer size for input and output for this connection. This will affect the TCP window size. .El +.It Ic tls Ar option +Set the TLS configuration for the server. +These options are only used if TLS has been enabled via the listen directive. +Valid options are: +.Bl -tag -width Ds +.It Ic certificate Ar file +Specify the certificate to use for this server. +The +.Ar file +should contain a PEM encoded certificate. +.It Ic ciphers Ar string +Specify the TLS cipher string. +If not specified, the default value +.Qq HIGH:!aNULL +will be used (strong crypto cipher suites without anonymous DH). +See the CIPHERS section of +.Xr openssl 1 +for information about SSL/TLS cipher suites and preference lists. +.It Ic key Ar file +Specify the private key to use for this server. +The +.Ar file +should contain a PEM encoded private key and reside outside of the +.Xr chroot 2 +root directory of +.Nm httpd . +.El .El .Sh TYPES Configure the supported media types. @@ -346,16 +354,13 @@ Include types definitions from an external file, for example .El .Sh EXAMPLES The following example will start one server that is pre-forked two -times and listening on the primary IP address of the network interface -that is a member of the -.Qq egress -group. +times and is listening on all local IP addresses. It additionally defines some media types overriding the defaults. .Bd -literal -offset indent prefork 2 server "default" { - listen on egress port 80 + listen on * port 80 } types { @@ -370,6 +375,16 @@ types { } .Ed .Pp +The server can also be configured to only listen on the primary IP +address of the network interface that is a member of the +.Qq egress +group. +.Bd -literal -offset indent +server "default" { + listen on egress port 80 +} +.Ed +.Pp Multiple servers can be configured to support hosting of different domains. If the same address is repeated multiple times in the .Ic listen on diff --git a/httpd.h b/httpd.h index 5e39fe1..8c14f97 100644 
--- a/httpd.h +++ b/httpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: httpd.h,v 1.63 2014/11/11 15:54:45 beck Exp $ */ +/* $OpenBSD: httpd.h,v 1.64 2014/12/12 14:45:59 reyk Exp $ */ /* * Copyright (c) 2006 - 2014 Reyk Floeter @@ -38,9 +38,9 @@ #define HTTPD_LOGROOT "/logs" #define HTTPD_ACCESS_LOG "access.log" #define HTTPD_ERROR_LOG "error.log" -#define HTTPD_SSL_CERT "/etc/ssl/server.crt" -#define HTTPD_SSL_KEY "/etc/ssl/private/server.key" -#define HTTPD_SSL_CIPHERS "HIGH:!aNULL" +#define HTTPD_TLS_CERT "/etc/ssl/server.crt" +#define HTTPD_TLS_KEY "/etc/ssl/private/server.key" +#define HTTPD_TLS_CIPHERS "HIGH:!aNULL" #define FD_RESERVE 5 #define SERVER_MAX_CLIENTS 1024 @@ -322,14 +322,14 @@ SPLAY_HEAD(client_tree, client); #define SRVFLAG_SOCKET 0x0400 #define SRVFLAG_SYSLOG 0x0800 #define SRVFLAG_NO_SYSLOG 0x1000 -#define SRVFLAG_SSL 0x2000 +#define SRVFLAG_TLS 0x2000 #define SRVFLAG_ACCESS_LOG 0x4000 #define SRVFLAG_ERROR_LOG 0x8000 #define SRVFLAG_BITS \ "\10\01INDEX\02NO_INDEX\03AUTO_INDEX\04NO_AUTO_INDEX" \ "\05ROOT\06LOCATION\07FCGI\10NO_FCGI\11LOG\12NO_LOG\13SOCKET" \ - "\14SYSLOG\15NO_SYSLOG\16SSL\17ACCESS_LOG\20ERROR_LOG" + "\14SYSLOG\15NO_SYSLOG\16TLS\17ACCESS_LOG\20ERROR_LOG" #define TCPFLAG_NODELAY 0x01 #define TCPFLAG_NNODELAY 0x02 @@ -376,13 +376,13 @@ struct server_config { u_int32_t maxrequests; size_t maxrequestbody; - char *ssl_cert; - off_t ssl_cert_len; - char *ssl_cert_file; - char ssl_ciphers[NAME_MAX]; - char *ssl_key; - off_t ssl_key_len; - char *ssl_key_file; + char *tls_cert; + off_t tls_cert_len; + char *tls_cert_file; + char tls_ciphers[NAME_MAX]; + char *tls_key; + off_t tls_key_len; + char *tls_key_file; u_int16_t flags; u_int8_t tcpflags; 
@@ -464,7 +464,7 @@ int cmdline_symset(char *); /* server.c */ pid_t server(struct privsep *, struct privsep_proc *); -int server_ssl_load_keypair(struct server *); +int server_tls_load_keypair(struct server *); int server_privinit(struct server *); void server_purge(struct server *); void serverconfig_free(struct server_config *); diff --git a/log.c b/log.c index dc06b16..f086d00 100644 --- a/log.c +++ b/log.c @@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.3 2014/10/25 03:23:49 lteo Exp $ */ +/* $OpenBSD: log.c,v 1.4 2014/12/21 00:54:49 guenther Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -24,7 +24,6 @@ #include #include #include -#include #include #include diff --git a/logger.c b/logger.c index 9402695..672f3b8 100644 --- a/logger.c +++ b/logger.c @@ -1,4 +1,4 @@ -/* $OpenBSD: logger.c,v 1.7 2014/11/11 15:54:45 beck Exp $ */ +/* $OpenBSD: logger.c,v 1.8 2014/12/21 00:54:49 guenther Exp $ */ /* * Copyright (c) 2014 Reyk Floeter @@ -22,6 +22,7 @@ #include #include +#include #include #include diff --git a/parse.y b/parse.y index 2124eb1..943e00a 100644 --- a/parse.y +++ b/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.42 2014/11/20 05:51:20 jsg Exp $ */ +/* $OpenBSD: parse.y,v 1.46 2014/12/21 00:54:49 guenther Exp $ */ /* * Copyright (c) 2007 - 2014 Reyk Floeter @@ -30,13 +30,11 @@ #include #include #include -#include #include #include #include #include -#include #include #include @@ -130,12 +128,12 @@ typedef struct { %token ACCESS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON %token COMBINED CONNECTION DIRECTORY ERR FCGI INDEX IP KEY LISTEN LOCATION %token LOG LOGDIR MAXIMUM NO NODELAY ON PORT PREFORK REQUEST REQUESTS ROOT -%token SACK SERVER SOCKET SSL STYLE SYSLOG TCP TIMEOUT TYPES +%token SACK SERVER SOCKET STYLE SYSLOG TCP TIMEOUT TLS TYPES %token ERROR INCLUDE %token STRING %token NUMBER %type port -%type optssl +%type opttls %type timeout %type numberstring 
@@ -174,8 +172,8 @@ varset : STRING '=' STRING { } ; -optssl : /*empty*/ { $$ = 0; } - | SSL { $$ = 1; } +opttls : /*empty*/ { $$ = 0; } + | TLS { $$ = 1; } ; main : PREFORK NUMBER { @@ -231,14 +229,14 @@ server : SERVER STRING { s->srv_conf.maxrequestbody = SERVER_MAXREQUESTBODY; s->srv_conf.flags |= SRVFLAG_LOG; s->srv_conf.logformat = LOG_FORMAT_COMMON; - if ((s->srv_conf.ssl_cert_file = - strdup(HTTPD_SSL_CERT)) == NULL) + if ((s->srv_conf.tls_cert_file = + strdup(HTTPD_TLS_CERT)) == NULL) fatal("out of memory"); - if ((s->srv_conf.ssl_key_file = - strdup(HTTPD_SSL_KEY)) == NULL) + if ((s->srv_conf.tls_key_file = + strdup(HTTPD_TLS_KEY)) == NULL) fatal("out of memory"); - strlcpy(s->srv_conf.ssl_ciphers, HTTPD_SSL_CIPHERS, - sizeof(s->srv_conf.ssl_ciphers)); + strlcpy(s->srv_conf.tls_ciphers, HTTPD_TLS_CIPHERS, + sizeof(s->srv_conf.tls_ciphers)); if (last_server_id == INT_MAX) { yyerror("too many servers defined"); @@ -279,25 +277,19 @@ server : SERVER STRING { YYERROR; } - if (server_ssl_load_keypair(srv) == -1) { + if (server_tls_load_keypair(srv) == -1) { yyerror("failed to load public/private keys " "for server %s", srv->srv_conf.name); serverconfig_free(srv_conf); free(srv); YYERROR; } -<<<<<<< parse.y - - TAILQ_INSERT_TAIL(conf->sc_servers, srv, srv_entry); - -======= DPRINTF("adding server \"%s[%u]\"", srv->srv_conf.name, srv->srv_conf.id); TAILQ_INSERT_TAIL(conf->sc_servers, srv, srv_entry); ->>>>>>> 1.42 srv = NULL; srv_conf = NULL; } @@ -307,7 +299,7 @@ serveropts_l : serveropts_l serveroptsl nl | serveroptsl optnl ; -serveroptsl : LISTEN ON STRING optssl port { +serveroptsl : LISTEN ON STRING opttls port { struct addresslist al; struct address *h; struct server *s; @@ -345,7 +337,7 @@ serveroptsl : LISTEN ON STRING optssl port { host_free(&al); if ($4) { - s->srv_conf.flags |= SRVFLAG_SSL; + s->srv_conf.flags |= SRVFLAG_TLS; } } | TCP { 
@@ -360,12 +352,12 @@ serveroptsl : LISTEN ON STRING optssl port { YYERROR; } } connection - | SSL { + | TLS { if (parentsrv != NULL) { - yyerror("ssl configuration inside location"); + yyerror("tls configuration inside location"); YYERROR; } - } ssl + } tls | ROOT STRING { if (strlcpy(srv->srv_conf.root, $2, sizeof(srv->srv_conf.root)) >= @@ -439,26 +431,6 @@ serveroptsl : LISTEN ON STRING optssl port { srv = s; srv_conf = &srv->srv_conf; SPLAY_INIT(&srv->srv_clients); -<<<<<<< parse.y - } '{' optnl serveropts_l '}' { - struct server *s = NULL; - - TAILQ_FOREACH(s, conf->sc_servers, srv_entry) { - if ((s->srv_conf.flags & SRVFLAG_LOCATION) && - s->srv_conf.id == srv_conf->id && - strcmp(s->srv_conf.location, - srv_conf->location) == 0) - break; - } - if (s != NULL) { - yyerror("location \"%s\" defined twice", - srv->srv_conf.location); - serverconfig_free(srv_conf); - free(srv); - YYABORT; - } - -======= } '{' optnl serveropts_l '}' { struct server *s = NULL; @@ -481,7 +453,6 @@ serveroptsl : LISTEN ON STRING optssl port { srv->srv_conf.location, srv->srv_conf.name, srv->srv_conf.id); ->>>>>>> 1.42 TAILQ_INSERT_TAIL(conf->sc_servers, srv, srv_entry); srv = parentsrv; 
@@ -546,30 +517,30 @@ conflags : TIMEOUT timeout { } ; -ssl : '{' sslopts_l '}' - | sslopts +tls : '{' tlsopts_l '}' + | tlsopts ; -sslopts_l : sslopts comma sslopts_l - | sslopts +tlsopts_l : tlsopts comma tlsopts_l + | tlsopts ; -sslopts : CERTIFICATE STRING { - free(srv_conf->ssl_cert_file); - if ((srv_conf->ssl_cert_file = strdup($2)) == NULL) +tlsopts : CERTIFICATE STRING { + free(srv_conf->tls_cert_file); + if ((srv_conf->tls_cert_file = strdup($2)) == NULL) fatal("out of memory"); free($2); } | KEY STRING { - free(srv_conf->ssl_key_file); - if ((srv_conf->ssl_key_file = strdup($2)) == NULL) + free(srv_conf->tls_key_file); + if ((srv_conf->tls_key_file = strdup($2)) == NULL) fatal("out of memory"); free($2); } | CIPHERS STRING { - if (strlcpy(srv_conf->ssl_ciphers, $2, - sizeof(srv_conf->ssl_ciphers)) >= - sizeof(srv_conf->ssl_ciphers)) { + if (strlcpy(srv_conf->tls_ciphers, $2, + sizeof(srv_conf->tls_ciphers)) >= + sizeof(srv_conf->tls_ciphers)) { yyerror("ciphers too long"); free($2); YYERROR; @@ -914,11 +885,11 @@ lookup(char *s) { "sack", SACK }, { "server", SERVER }, { "socket", SOCKET }, - { "ssl", SSL }, { "style", STYLE }, { "syslog", SYSLOG }, { "tcp", TCP }, { "timeout", TIMEOUT }, + { "tls", TLS }, { "types", TYPES } }; const struct keywords *p; @@ -1151,7 +1122,7 @@ nodigits: x != '!' && x != '=' && x != '#' && \ x != ',' && x != ';' && x != '/')) - if (isalnum(c) || c == ':' || c == '_') { + if (isalnum(c) || c == ':' || c == '_' || c == '*') { do { *p++ = c; if ((unsigned)(p-buf) >= sizeof(buf)) { @@ -1633,6 +1604,9 @@ host(const char *s, struct addresslist *al, int max, { struct address *h; + if (strcmp("*", s) == 0) + s = "0.0.0.0"; + h = host_v4(s); /* IPv6 address? */ diff --git a/proc.c b/proc.c index d0994f8..95c3e98 100644 --- a/proc.c +++ b/proc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: proc.c,v 1.5 2014/10/25 03:23:49 lteo Exp $ */ +/* $OpenBSD: proc.c,v 1.7 2014/12/21 00:54:49 guenther Exp $ */ /* * Copyright (c) 2010 - 2014 Reyk Floeter 
@@ -26,7 +26,6 @@ #include #include #include -#include #include #include @@ -351,7 +350,7 @@ proc_run(struct privsep *ps, struct privsep_proc *p, fatal("proc_run: cannot fork"); case 0: /* Set the process group of the current process */ - setpgrp(0, getpid()); + setpgid(0, 0); break; default: return (pid); diff --git a/server.c b/server.c index 4aa8307..1d30f35 100644 --- a/server.c +++ b/server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server.c,v 1.46 2014/10/31 13:49:52 jsing Exp $ */ +/* $OpenBSD: server.c,v 1.49 2014/12/21 00:54:49 guenther Exp $ */ /* * Copyright (c) 2006 - 2014 Reyk Floeter @@ -24,13 +24,11 @@ #include #include #include -#include #include #include #include #include -#include #include #include @@ -60,12 +58,12 @@ int server_socket(struct sockaddr_storage *, in_port_t, int server_socket_listen(struct sockaddr_storage *, in_port_t, struct server_config *); -int server_ssl_init(struct server *); -void server_ssl_readcb(int, short, void *); -void server_ssl_writecb(int, short, void *); +int server_tls_init(struct server *); +void server_tls_readcb(int, short, void *); +void server_tls_writecb(int, short, void *); void server_accept(int, short, void *); -void server_accept_ssl(int, short, void *); +void server_accept_tls(int, short, void *); void server_input(struct client *); extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t, 
@@ -146,33 +144,33 @@ server_load_file(const char *filename, off_t *len) } int -server_ssl_load_keypair(struct server *srv) +server_tls_load_keypair(struct server *srv) { - if ((srv->srv_conf.flags & SRVFLAG_SSL) == 0) + if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) return (0); - if ((srv->srv_conf.ssl_cert = server_load_file( - srv->srv_conf.ssl_cert_file, &srv->srv_conf.ssl_cert_len)) == NULL) + if ((srv->srv_conf.tls_cert = server_load_file( + srv->srv_conf.tls_cert_file, &srv->srv_conf.tls_cert_len)) == NULL) return (-1); log_debug("%s: using certificate %s", __func__, - srv->srv_conf.ssl_cert_file); + srv->srv_conf.tls_cert_file); - if ((srv->srv_conf.ssl_key = server_load_file( - srv->srv_conf.ssl_key_file, &srv->srv_conf.ssl_key_len)) == NULL) + if ((srv->srv_conf.tls_key = server_load_file( + srv->srv_conf.tls_key_file, &srv->srv_conf.tls_key_len)) == NULL) return (-1); log_debug("%s: using private key %s", __func__, - srv->srv_conf.ssl_key_file); + srv->srv_conf.tls_key_file); return (0); } int -server_ssl_init(struct server *srv) +server_tls_init(struct server *srv) { - if ((srv->srv_conf.flags & SRVFLAG_SSL) == 0) + if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) return (0); - log_debug("%s: setting up SSL for %s", __func__, srv->srv_conf.name); + log_debug("%s: setting up TLS for %s", __func__, srv->srv_conf.name); if (tls_init() != 0) { log_warn("%s: failed to initialise tls", __func__); 
@@ -188,37 +186,37 @@ server_ssl_init(struct server *srv) } if (tls_config_set_ciphers(srv->srv_tls_config, - srv->srv_conf.ssl_ciphers) != 0) { + srv->srv_conf.tls_ciphers) != 0) { log_warn("%s: failed to set tls ciphers", __func__); return (-1); } if (tls_config_set_cert_mem(srv->srv_tls_config, - srv->srv_conf.ssl_cert, srv->srv_conf.ssl_cert_len) != 0) { + srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len) != 0) { log_warn("%s: failed to set tls cert", __func__); return (-1); } if (tls_config_set_key_mem(srv->srv_tls_config, - srv->srv_conf.ssl_key, srv->srv_conf.ssl_key_len) != 0) { + srv->srv_conf.tls_key, srv->srv_conf.tls_key_len) != 0) { log_warn("%s: failed to set tls key", __func__); return (-1); } if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) { - log_warn("%s: failed to configure SSL - %s", __func__, + log_warn("%s: failed to configure TLS - %s", __func__, tls_error(srv->srv_tls_ctx)); return (-1); } /* We're now done with the public/private key... */ tls_config_clear_keys(srv->srv_tls_config); - explicit_bzero(srv->srv_conf.ssl_cert, srv->srv_conf.ssl_cert_len); - explicit_bzero(srv->srv_conf.ssl_key, srv->srv_conf.ssl_key_len); - free(srv->srv_conf.ssl_cert); - free(srv->srv_conf.ssl_key); - srv->srv_conf.ssl_cert = NULL; - srv->srv_conf.ssl_key = NULL; - srv->srv_conf.ssl_cert_len = 0; - srv->srv_conf.ssl_key_len = 0; + explicit_bzero(srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len); + explicit_bzero(srv->srv_conf.tls_key, srv->srv_conf.tls_key_len); + free(srv->srv_conf.tls_cert); + free(srv->srv_conf.tls_key); + srv->srv_conf.tls_cert = NULL; + srv->srv_conf.tls_key = NULL; + srv->srv_conf.tls_cert_len = 0; + srv->srv_conf.tls_key_len = 0; return (0); } @@ -254,7 +252,7 @@ server_launch(void) struct server *srv; TAILQ_FOREACH(srv, env->sc_servers, srv_entry) { - server_ssl_init(srv); + server_tls_init(srv); server_http_init(srv); log_debug("%s: running server %s", __func__, 
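Review bot: The `explicit_bzero`/`free` of `tls_cert` and `tls_key` at the bottom of server_tls_init runs only on the success path; each of the `return (-1)` branches above it (cipher, cert, key and `tls_configure` failures) leaves the PEM private key in heap memory with the pointers still set in `srv_conf`. Unless the caller tears the process down on failure — and server_launch, in the next hunk, ignores the return value — the key stays resident for the lifetime of the server process. Route the error branches through one cleanup label so the scrub happens on every exit, as sketched below; server_tls_init begins above the hunk, so the `int ret = -1;` declaration goes in the part not shown.
```c
	if (tls_config_set_ciphers(srv->srv_tls_config,
	    srv->srv_conf.tls_ciphers) != 0) {
		log_warn("%s: failed to set tls ciphers", __func__);
		goto done;
	}
	/* … unchanged: set_cert_mem, set_key_mem and tls_configure, each with "goto done" in place of "return (-1)" … */
	ret = 0;

 done:
	/* We're now done with the public/private key on every path, not only on success */
	tls_config_clear_keys(srv->srv_tls_config);
	explicit_bzero(srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len);
	explicit_bzero(srv->srv_conf.tls_key, srv->srv_conf.tls_key_len);
	free(srv->srv_conf.tls_cert);
	free(srv->srv_conf.tls_key);
	srv->srv_conf.tls_cert = NULL;
	srv->srv_conf.tls_key = NULL;
	srv->srv_conf.tls_cert_len = 0;
	srv->srv_conf.tls_key_len = 0;

	return (ret);
```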
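Review bot: `server_tls_init(srv)` in server_launch still has its return value discarded, so a server whose certificate, key or cipher list fails to configure is started anyway and its clients are later handed to `tls_accept_socket` with a context that was never fully set up; the only trace is a `log_warn` line. The renamed call is the natural place to stop: `if (server_tls_init(srv) == -1) fatal("server_launch: failed to initialise tls");` (or the errno-free variant, since these failures are reported by libtls rather than through errno). server_launch continues beyond the hunk.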
@@ -308,17 +306,17 @@ server_purge(struct server *srv) void serverconfig_free(struct server_config *srv_conf) { - free(srv_conf->ssl_cert_file); - free(srv_conf->ssl_cert); - free(srv_conf->ssl_key_file); - free(srv_conf->ssl_key); + free(srv_conf->tls_cert_file); + free(srv_conf->tls_cert); + free(srv_conf->tls_key_file); + free(srv_conf->tls_key); } void serverconfig_reset(struct server_config *srv_conf) { - srv_conf->ssl_cert_file = srv_conf->ssl_cert = - srv_conf->ssl_key_file = srv_conf->ssl_key = NULL; + srv_conf->tls_cert_file = srv_conf->tls_cert = + srv_conf->tls_key_file = srv_conf->tls_key = NULL; } struct server * @@ -538,7 +536,7 @@ server_socket_connect(struct sockaddr_storage *ss, in_port_t port, } void -server_ssl_readcb(int fd, short event, void *arg) +server_tls_readcb(int fd, short event, void *arg) { struct bufferevent *bufev = arg; struct client *clt = bufev->cbarg; @@ -594,7 +592,7 @@ server_ssl_readcb(int fd, short event, void *arg) } void -server_ssl_writecb(int fd, short event, void *arg) +server_tls_writecb(int fd, short event, void *arg) { struct bufferevent *bufev = arg; struct client *clt = bufev->cbarg; @@ -688,11 +686,11 @@ server_input(struct client *clt) return; } - if (srv_conf->flags & SRVFLAG_SSL) { + if (srv_conf->flags & SRVFLAG_TLS) { event_set(&clt->clt_bev->ev_read, clt->clt_s, EV_READ, - server_ssl_readcb, clt->clt_bev); + server_tls_readcb, clt->clt_bev); event_set(&clt->clt_bev->ev_write, clt->clt_s, EV_WRITE, - server_ssl_writecb, clt->clt_bev); + server_tls_writecb, clt->clt_bev); } /* Adjust write watermark to the socket buffer output size */ @@ -899,9 +897,9 @@ server_accept(int fd, short event, void *arg) return; } - if (srv->srv_conf.flags & SRVFLAG_SSL) { + if (srv->srv_conf.flags & SRVFLAG_TLS) { event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_READ, - server_accept_ssl, &clt->clt_tv_start, + server_accept_tls, &clt->clt_tv_start, &srv->srv_conf.timeout, clt); return; } 
@@ -923,14 +921,14 @@ server_accept(int fd, short event, void *arg) } void -server_accept_ssl(int fd, short event, void *arg) +server_accept_tls(int fd, short event, void *arg) { struct client *clt = (struct client *)arg; struct server *srv = (struct server *)clt->clt_srv; int ret; if (event == EV_TIMEOUT) { - server_close(clt, "SSL accept timeout"); + server_close(clt, "TLS accept timeout"); return; } @@ -941,14 +939,14 @@ server_accept_ssl(int fd, short event, void *arg) clt->clt_s); if (ret == TLS_READ_AGAIN) { event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_READ, - server_accept_ssl, &clt->clt_tv_start, + server_accept_tls, &clt->clt_tv_start, &srv->srv_conf.timeout, clt); } else if (ret == TLS_WRITE_AGAIN) { event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_WRITE, - server_accept_ssl, &clt->clt_tv_start, + server_accept_tls, &clt->clt_tv_start, &srv->srv_conf.timeout, clt); } else if (ret != 0) { - log_warnx("%s: SSL accept failed - %s", __func__, + log_warnx("%s: TLS accept failed - %s", __func__, tls_error(srv->srv_tls_ctx)); return; } diff --git a/server_fcgi.c b/server_fcgi.c index 17fdca9..842214e 100644 --- a/server_fcgi.c +++ b/server_fcgi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server_fcgi.c,v 1.40 2014/10/25 03:23:49 lteo Exp $ */ +/* $OpenBSD: server_fcgi.c,v 1.43 2014/12/21 00:54:49 guenther Exp $ */ /* * Copyright (c) 2014 Florian Obser @@ -23,13 +23,11 @@ #include #include #include -#include #include #include #include #include -#include #include #include 
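Review bot: In the `ret != 0` branch of server_accept_tls the connection is logged and then abandoned: neither `server_close(clt, ...)` nor a further `event_again()` is called, so the client, its socket and (presumably) its entry in the per-server client tree outlive the failed handshake unless something not visible here reaps them. Since every failed handshake then costs one client slot until the process exits, a run of them — which any peer can produce — would eventually exhaust `SERVER_MAX_CLIENTS`. The timeout branch at the top of the function already shows the intended shape: `server_close(clt, "TLS accept failed"); return;` in place of the bare `return;`.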
@@ -96,24 +94,12 @@ server_fcgi(struct httpd *env, struct client *clt) { struct server_fcgi_param param; struct server_config *srv_conf = clt->clt_srv_conf; -<<<<<<< server_fcgi.c struct http_descriptor *desc = clt->clt_descreq; - struct sockaddr_un sun; -======= - struct http_descriptor *desc = clt->clt_descreq; ->>>>>>> 1.40 struct fcgi_record_header *h; struct fcgi_begin_request_body *begin; -<<<<<<< server_fcgi.c - size_t len; - char hbuf[MAXHOSTNAMELEN]; - size_t scriptlen; - int pathlen; -======= char hbuf[MAXHOSTNAMELEN]; size_t scriptlen; int pathlen; ->>>>>>> 1.40 int fd = -1, ret; const char *errstr = NULL; char *str, *p, *script = NULL; @@ -266,7 +252,7 @@ server_fcgi(struct httpd *env, struct client *clt) goto fail; } - if (srv_conf->flags & SRVFLAG_SSL) + if (srv_conf->flags & SRVFLAG_TLS) if (fcgi_add_param(¶m, "HTTPS", "on", clt) == -1) { errstr = "failed to encode param"; goto fail; 
@@ -667,60 +653,6 @@ server_fcgi_writeheader(struct client *clt, struct kv *hdr, void *arg) int server_fcgi_writechunk(struct client *clt) { -<<<<<<< server_fcgi.c - struct evbuffer *evb = clt->clt_srvevb; - size_t len; - - if (clt->clt_fcgi_type == FCGI_END_REQUEST) { - len = 0; - } else - len = EVBUFFER_LENGTH(evb); - - /* If len is 0, make sure to write the end marker only once */ - if (len == 0 && clt->clt_fcgi_end++) - return (0); - - if (clt->clt_fcgi_chunked) { - if (server_bufferevent_printf(clt, "%zx\r\n", len) == -1 || - server_bufferevent_write_chunk(clt, evb, len) == -1 || - server_bufferevent_print(clt, "\r\n") == -1) - return (-1); - } else - return (server_bufferevent_write_buffer(clt, evb)); - - return (0); -} - -int -server_fcgi_getheaders(struct client *clt) -{ - struct http_descriptor *resp = clt->clt_descresp; - struct evbuffer *evb = clt->clt_srvevb; - int code = 200; - char *line, *key, *value; - const char *errstr; - - while ((line = evbuffer_getline(evb)) != NULL && *line != '\0') { - key = line; - - if ((value = strchr(key, ':')) == NULL) - break; - if (*value == ':') { - *value++ = '\0'; - value += strspn(value, " \t"); - } else { - *value++ = '\0'; - } - - if (strcasecmp("Status", key) == 0) { - value[strcspn(value, " \t")] = '\0'; - code = (int)strtonum(value, 100, 600, &errstr); - if (errstr != NULL || server_httperror_byid( - code) == NULL) - code = 200; - } else { - (void)kv_add(&resp->http_headers, key, value); -======= struct evbuffer *evb = clt->clt_srvevb; size_t len; @@ -775,7 +707,6 @@ server_fcgi_getheaders(struct client *clt) code = 200; } else { (void)kv_add(&resp->http_headers, key, value); ->>>>>>> 1.40 } free(line); } diff --git a/server_file.c b/server_file.c index 3a71959..c2eca71 100644 --- a/server_file.c +++ b/server_file.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server_file.c,v 1.39 2014/10/25 03:23:49 lteo Exp $ */ +/* $OpenBSD: server_file.c,v 1.43 2015/01/01 14:15:02 reyk Exp $ */ /* * Copyright (c) 2006 - 2014 Reyk Floeter 
@@ -23,13 +23,11 @@ #include #include #include -#include #include #include #include #include -#include #include #include @@ -83,7 +81,7 @@ server_file_access(struct httpd *env, struct client *clt, /* Redirect to path with trailing "/" */ if (path[strlen(path) - 1] != '/') { if (asprintf(&newpath, "http%s://%s%s/", - srv_conf->flags & SRVFLAG_SSL ? "s" : "", + srv_conf->flags & SRVFLAG_TLS ? "s" : "", desc->http_host, desc->http_path) == -1) return (500); /* Path alias will be used for the redirection */ @@ -313,8 +311,7 @@ server_file_index(struct httpd *env, struct client *clt, struct stat *st) "sans-serif; }\nhr { border: 0; border-bottom: 1px dashed; }\n"; /* Generate simple HTML index document */ if (evbuffer_add_printf(evb, - "\n" + "\n" "\n" "\n" "Index of %s\n" diff --git a/server_http.c b/server_http.c index 1953036..3a5d84e 100644 --- a/server_http.c +++ b/server_http.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server_http.c,v 1.54 2014/10/25 03:23:49 lteo Exp $ */ +/* $OpenBSD: server_http.c,v 1.58 2015/01/01 14:15:02 reyk Exp $ */ /* * Copyright (c) 2006 - 2014 Reyk Floeter @@ -23,13 +23,11 @@ #include #include #include -#include #include #include #include #include -#include #include #include @@ -665,10 +663,11 @@ server_abort_http(struct client *clt, u_int code, const char *msg) struct server *srv = clt->clt_srv; struct server_config *srv_conf = &srv->srv_conf; struct bufferevent *bev = clt->clt_bev; - const char *httperr = NULL, *text = ""; - char *httpmsg, *extraheader = NULL; + struct http_descriptor *desc = clt->clt_descreq; + const char *httperr = NULL, *style; + char *httpmsg, *body = NULL, *extraheader = NULL; char tmbuf[32], hbuf[128]; - const char *style; + int bodylen; if ((httperr = server_httperror_byid(code)) == NULL) httperr = "Unknown Error"; 
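Review bot: The trailing-slash redirect in server_file_access builds its `Location` from `desc->http_host`, which is the client-supplied Host header; the hunk only switches the scheme test to `SRVFLAG_TLS`, but it is worth confirming that http_host has been matched against the configured server name (or otherwise validated) before this point, since an unvalidated value would let a client steer the redirect to a host of its choosing. If that check lives elsewhere, a short comment here naming where http_host is validated would save the next reader the search. The surrounding function continues outside the hunk.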
@@ -696,8 +695,6 @@ server_abort_http(struct client *clt, u_int code, const char *msg) } break; default: -<<<<<<< server_http.c -======= /* * Do not send details of the error. Traditionally, * web servers responsed with the request path on 40x @@ -705,7 +702,6 @@ server_abort_http(struct client *clt, u_int code, const char *msg) * Instead of sanitizing the path here, we just don't * reprint it. */ ->>>>>>> 1.54 break; } @@ -713,17 +709,10 @@ server_abort_http(struct client *clt, u_int code, const char *msg) style = "body { background-color: white; color: black; font-family: " "'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }\n" "hr { border: 0; border-bottom: 1px dashed; }\n"; - /* Generate simple HTTP+HTML error document */ - if (asprintf(&httpmsg, - "HTTP/1.0 %03d %s\r\n" - "Date: %s\r\n" - "Server: %s\r\n" - "Connection: close\r\n" - "Content-Type: text/html\r\n" - "%s" - "\r\n" - "\n" + + /* Generate simple HTML error document */ + if ((bodylen = asprintf(&body, + "\n" "\n" "\n" "%03d %s\n" @@ -731,14 +720,26 @@ server_abort_http(struct client *clt, u_int code, const char *msg) "\n" "\n" "

%03d %s

\n" - "
%s
\n" "
\n
%s
\n" "\n" "\n", - code, httperr, tmbuf, HTTPD_SERVERNAME, + code, httperr, style, code, httperr, HTTPD_SERVERNAME)) == -1) + goto done; + + /* Add basic HTTP headers */ + if (asprintf(&httpmsg, + "HTTP/1.0 %03d %s\r\n" + "Date: %s\r\n" + "Server: %s\r\n" + "Connection: close\r\n" + "Content-Type: text/html\r\n" + "Content-Length: %d\r\n" + "%s" + "\r\n" + "%s", + code, httperr, tmbuf, HTTPD_SERVERNAME, bodylen, extraheader == NULL ? "" : extraheader, - code, httperr, style, code, httperr, text, - HTTPD_SERVERNAME) == -1) + desc->http_method == HTTP_METHOD_HEAD ? "" : body) == -1) goto done; /* Dump the message without checking for success */ @@ -746,6 +747,7 @@ server_abort_http(struct client *clt, u_int code, const char *msg) free(httpmsg); done: + free(body); free(extraheader); if (asprintf(&httpmsg, "%s (%03d %s)", msg, code, httperr) == -1) { server_close(clt, msg); @@ -758,27 +760,14 @@ server_abort_http(struct client *clt, u_int code, const char *msg) void server_close_http(struct client *clt) { -<<<<<<< server_http.c struct http_descriptor *desc; desc = clt->clt_descreq; server_httpdesc_free(desc); free(desc); clt->clt_descreq = NULL; -======= - struct http_descriptor *desc; ->>>>>>> 1.54 - -<<<<<<< server_http.c - desc = clt->clt_descresp; -======= - desc = clt->clt_descreq; - server_httpdesc_free(desc); - free(desc); - clt->clt_descreq = NULL; desc = clt->clt_descresp; ->>>>>>> 1.54 server_httpdesc_free(desc); free(desc); clt->clt_descresp = NULL; -- cgit v1.2.3-54-g00ecf