Diffstat (limited to 'src')
33 files changed, 338 insertions, 331 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index dbb6e81..367f5d9 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -241,7 +241,7 @@ mod_compress_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd) lib_LTLIBRARIES += mod_auth.la -mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c +mod_auth_la_SOURCES = mod_auth.c http_auth.c mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd) @@ -268,7 +268,7 @@ mod_accesslog_la_LIBADD = $(common_libadd) hdr = server.h buffer.h network.h log.h keyvalue.h \ response.h request.h fastcgi.h chunk.h \ - settings.h http_chunk.h http_auth_digest.h \ + settings.h http_chunk.h \ md5.h http_auth.h stream.h \ fdevent.h connections.h base.h stat_cache.h \ plugin.h mod_auth.h \ diff --git a/src/Makefile.in b/src/Makefile.in index b2d79d0..ddf128c 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -158,7 +158,7 @@ mod_alias_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(mod_alias_la_LDFLAGS) $(LDFLAGS) -o $@ mod_auth_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) -am_mod_auth_la_OBJECTS = mod_auth.lo http_auth_digest.lo http_auth.lo +am_mod_auth_la_OBJECTS = mod_auth.lo http_auth.lo mod_auth_la_OBJECTS = $(am_mod_auth_la_OBJECTS) mod_auth_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ 
@@ -769,7 +769,7 @@ mod_access_la_LIBADD = $(common_libadd) mod_compress_la_SOURCES = mod_compress.c mod_compress_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd) -mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c +mod_auth_la_SOURCES = mod_auth.c http_auth.c mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd) mod_rewrite_la_SOURCES = mod_rewrite.c @@ -786,7 +786,7 @@ mod_accesslog_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined mod_accesslog_la_LIBADD = $(common_libadd) hdr = server.h buffer.h network.h log.h keyvalue.h \ response.h request.h fastcgi.h chunk.h \ - settings.h http_chunk.h http_auth_digest.h \ + settings.h http_chunk.h \ md5.h http_auth.h stream.h \ fdevent.h connections.h base.h stat_cache.h \ plugin.h mod_auth.h \ @@ -1050,7 +1050,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fdevent_solaris_port.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http-header-glue.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http_auth.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http_auth_digest.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http_chunk.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inet_ntop_cache.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/joblist.Po@am__quote@ diff --git a/src/SConscript b/src/SConscript index 1d1592e..7565094 100644 --- a/src/SConscript +++ b/src/SConscript 
@@ -12,7 +12,8 @@ common_src = Split("buffer.c log.c \ data_integer.c md5.c data_fastcgi.c \ fdevent_select.c fdevent_libev.c \ fdevent_poll.c fdevent_linux_sysepoll.c \ - fdevent_solaris_devpoll.c fdevent_freebsd_kqueue.c \ + fdevent_solaris_devpoll.c fdevent_solaris_port.c \ + fdevent_freebsd_kqueue.c \ data_config.c bitset.c \ inet_ntop_cache.c crc32.c \ connections-glue.c \ @@ -62,7 +63,7 @@ modules = { 'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] }, 'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] }, 'mod_auth' : { - 'src' : [ 'mod_auth.c', 'http_auth_digest.c', 'http_auth.c' ], + 'src' : [ 'mod_auth.c', 'http_auth.c' ], 'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] }, 'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] }, 'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] }, @@ -277,6 +277,7 @@ typedef struct { buffer *ssl_cipher_list; buffer *ssl_dh_file; buffer *ssl_ec_curve; + unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */ unsigned short ssl_use_sslv2; unsigned short ssl_use_sslv3; unsigned short ssl_verifyclient; @@ -284,6 +285,7 @@ typedef struct { unsigned short ssl_verifyclient_depth; buffer *ssl_verifyclient_username; unsigned short ssl_verifyclient_export_cert; + unsigned short ssl_disable_client_renegotiation; unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */ unsigned short defer_accept; @@ -437,6 +439,7 @@ typedef struct { # ifndef OPENSSL_NO_TLSEXT buffer *tlsext_server_name; # endif + unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */ #endif /* etag handling */ etag_flags_t etag_flags; 
@@ -647,11 +650,9 @@ typedef struct server { fdevent_handler_t event_handler; - int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq); - int (* network_backend_read)(struct server *srv, connection *con, int fd, chunkqueue *cq); + int (* network_backend_write)(struct server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes); #ifdef USE_OPENSSL - int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); - int (* network_ssl_backend_read)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq); + int (* network_ssl_backend_write)(struct server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes); #endif uid_t uid; diff --git a/src/configfile.c b/src/configfile.c index 162fa00..a03c9bd 100644 --- a/src/configfile.c +++ b/src/configfile.c @@ -105,6 +105,8 @@ static int config_insert(server *srv) { { "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 62 */ { "ssl.dh-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 63 */ { "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */ + { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */ + { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */ { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, @@ -176,6 +178,7 @@ static int config_insert(server *srv) { s->max_write_idle = 360; s->use_xattr = 0; s->is_ssl = 0; + s->ssl_honor_cipher_order = 1; s->ssl_use_sslv2 = 0; s->ssl_use_sslv3 = 1; s->use_ipv6 = 0; @@ -199,6 +202,7 @@ static int config_insert(server *srv) { s->ssl_verifyclient_username = buffer_init(); s->ssl_verifyclient_depth = 9; s->ssl_verifyclient_export_cert = 0; + s->ssl_disable_client_renegotiation = 1; cv[2].destination = s->errorfile_prefix; 
@@ -245,6 +249,8 @@ static int config_insert(server *srv) { cv[62].destination = &(s->ssl_use_sslv3); cv[63].destination = s->ssl_dh_file; cv[64].destination = s->ssl_ec_curve; + cv[66].destination = &(s->ssl_honor_cipher_order); + cv[49].destination = &(s->etag_use_inode); cv[50].destination = &(s->etag_use_mtime); cv[51].destination = &(s->etag_use_size); @@ -255,6 +261,7 @@ static int config_insert(server *srv) { cv[58].destination = &(s->ssl_verifyclient_depth); cv[59].destination = s->ssl_verifyclient_username; cv[60].destination = &(s->ssl_verifyclient_export_cert); + cv[65].destination = &(s->ssl_disable_client_renegotiation); srv->config_storage[i] = s; @@ -335,6 +342,7 @@ int config_setup_connection(server *srv, connection *con) { PATCH(ssl_cipher_list); PATCH(ssl_dh_file); PATCH(ssl_ec_curve); + PATCH(ssl_honor_cipher_order); PATCH(ssl_use_sslv2); PATCH(ssl_use_sslv3); PATCH(etag_use_inode); @@ -346,6 +354,7 @@ int config_setup_connection(server *srv, connection *con) { PATCH(ssl_verifyclient_depth); PATCH(ssl_verifyclient_username); PATCH(ssl_verifyclient_export_cert); + PATCH(ssl_disable_client_renegotiation); return 0; } @@ -400,6 +409,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) { #endif } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) { PATCH(ssl_ca_file); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) { + PATCH(ssl_honor_cipher_order); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { PATCH(ssl_use_sslv2); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) { 
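Review bot: The config_insert hunk at @@ -245 wires `cv[66].destination` right after `cv[64]` and then adds a stray empty `+` line, while `cv[65].destination` is wired in a separate hunk further down next to the verifyclient entries; keep the two new entries adjacent and in index order and drop the blank line, i.e. `cv[65].destination = &(s->ssl_disable_client_renegotiation);` immediately followed by `cv[66].destination = &(s->ssl_honor_cipher_order);`. The defaults set earlier in the same function (`s->ssl_honor_cipher_order = 1;` and `s->ssl_disable_client_renegotiation = 1;`) are the security-relevant part of this change and deserve a one-line comment each stating that they are deliberately on unless the admin opts out. config_insert starts and ends outside these hunks.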
@@ -454,6 +465,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) { PATCH(ssl_verifyclient_username); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) { PATCH(ssl_verifyclient_export_cert); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) { + PATCH(ssl_disable_client_renegotiation); } } } diff --git a/src/connections.c b/src/connections.c index 75a8f61..cde78e1 100644 --- a/src/connections.c +++ b/src/connections.c @@ -223,6 +223,12 @@ static int connection_handle_read_ssl(server *srv, connection *con) { len = SSL_read(con->ssl, b->ptr + read_offset, toread); + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { + connection_set_state(srv, con, CON_STATE_ERROR); + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + return -1; + } + if (len > 0) { if (b->used > 0) b->used--; b->used += len; @@ -445,6 +451,7 @@ static int connection_handle_write_prepare(server *srv, connection *con) { default: switch(con->http_status) { case 400: /* bad request */ + case 401: /* authorization required */ case 414: /* overload request header */ case 505: /* unknown protocol */ case 207: /* this was webdav */ @@ -617,8 +624,9 @@ static int connection_handle_write_prepare(server *srv, connection *con) { } static int connection_handle_write(server *srv, connection *con) { - switch(network_write_chunkqueue(srv, con, con->write_queue)) { + switch(network_write_chunkqueue(srv, con, con->write_queue, MAX_WRITE_LIMIT)) { case 0: + con->write_request_ts = srv->cur_ts; if (con->file_finished) { connection_set_state(srv, con, CON_STATE_RESPONSE_END); joblist_append(srv, con); @@ -635,6 +643,7 @@ static int connection_handle_write(server *srv, connection *con) { joblist_append(srv, con); break; case 1: + con->write_request_ts = srv->cur_ts; con->is_writable = 0; /* not finished yet -> WRITE */ 
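Review bot: The renegotiation guard added after `SSL_read` in connection_handle_read_ssl only runs on the read path, so a handshake the client starts while the server is inside the SSL write backend bumps `con->renegotiations` but, as far as this hunk shows, is not acted on until the next read, which for a long response may be much later; if that is acceptable, say so in a comment, otherwise the same check belongs next to the SSL write call as well. The guard also silently discards whatever `SSL_read` just returned in `len`, which is the right thing to do for bytes received around a rejected renegotiation but is not obvious to a reader; add `/* discard anything read around a client-initiated renegotiation; the connection is torn down */` above the `if`. connection_handle_read_ssl starts and ends outside this hunk.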
@@ -1251,8 +1260,6 @@ static handler_t connection_handle_fdevent(server *srv, void *context, int reven log_error_write(srv, __FILE__, __LINE__, "ds", con->fd, "handle write failed."); - } else if (con->state == CON_STATE_WRITE) { - con->write_request_ts = srv->cur_ts; } } @@ -1352,6 +1359,7 @@ connection *connection_accept(server *srv, server_socket *srv_socket) { return NULL; } + con->renegotiations = 0; #ifndef OPENSSL_NO_TLSEXT SSL_set_app_data(con->ssl, con); #endif @@ -1667,8 +1675,6 @@ int connection_state_machine(server *srv, connection *con) { con->fd, "handle write failed."); connection_set_state(srv, con, CON_STATE_ERROR); - } else if (con->state == CON_STATE_WRITE) { - con->write_request_ts = srv->cur_ts; } } diff --git a/src/http_auth.c b/src/http_auth.c index e479683..33adf71 100644 --- a/src/http_auth.c +++ b/src/http_auth.c @@ -1,7 +1,6 @@ #include "server.h" #include "log.h" #include "http_auth.h" -#include "http_auth_digest.h" #include "inet_ntop_cache.h" #include "stream.h" @@ -28,17 +27,22 @@ #include <unistd.h> #include <ctype.h> -#ifdef USE_OPENSSL -# include <openssl/md5.h> -#else -# include "md5.h" +#include "md5.h" -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final +#define HASHLEN 16 +#define HASHHEXLEN 32 +typedef unsigned char HASH[HASHLEN]; +typedef char HASHHEX[HASHHEXLEN+1]; -#endif +static void CvtHex(const HASH Bin, char Hex[33]) { + unsigned short i; + + for (i = 0; i < 16; i++) { + Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); + Hex[i*2+1] = int2hex(Bin[i] & 0xf); + } + Hex[32] = '\0'; +} /** * the $apr1$ handling is taken from apache 1.3.x @@ -95,7 +99,7 @@ static unsigned char * base64_decode(buffer *out, const char *in) { ch = in[0]; /* run through the whole string, converting as we go */ for (i = 0; i < in_len; i++) { - ch = in[i]; + ch = (unsigned char) in[i]; if (ch == '\0') break; 
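Review bot: The new static `CvtHex` in http_auth.c hard-codes `16`, `32` and `char Hex[33]` even though `HASHLEN`, `HASHHEXLEN` and `HASHHEX` are defined a few lines above it, and it counts with an `unsigned short`; if the digest size or the typedef ever changes, the literals will not follow. Use the macros and the typedef so the bounds cannot drift: `static void CvtHex(const HASH Bin, HASHHEX Hex)`, `for (size_t i = 0; i < HASHLEN; i++)` and `Hex[HASHHEXLEN] = '\0';`. A one-line header such as `/* render a raw MD5 digest as a NUL-terminated hex string of HASHHEXLEN chars */` would state the contract the digest code below relies on.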
@@ -435,7 +439,7 @@ static int http_auth_match_rules(server *srv, mod_auth_plugin_data *p, const cha static void to64(char *s, unsigned long v, int n) { - static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ + static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; while (--n >= 0) { @@ -455,7 +459,7 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ const char *sp, *ep; unsigned char final[APR_MD5_DIGESTSIZE]; ssize_t sl, pl, i; - MD5_CTX ctx, ctx1; + li_MD5_CTX ctx, ctx1; unsigned long l; /* @@ -487,33 +491,33 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ /* * 'Time to make the doughnuts..' */ - MD5_Init(&ctx); + li_MD5_Init(&ctx); /* * The password first, since that is what is most unknown */ - MD5_Update(&ctx, pw, strlen(pw)); + li_MD5_Update(&ctx, pw, strlen(pw)); /* * Then our magic string */ - MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); + li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID)); /* * Then the raw salt */ - MD5_Update(&ctx, sp, sl); + li_MD5_Update(&ctx, sp, sl); /* * Then just as many characters of the MD5(pw, salt, pw) */ - MD5_Init(&ctx1); - MD5_Update(&ctx1, pw, strlen(pw)); - MD5_Update(&ctx1, sp, sl); - MD5_Update(&ctx1, pw, strlen(pw)); - MD5_Final(final, &ctx1); + li_MD5_Init(&ctx1); + li_MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, sp, sl); + li_MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Final(final, &ctx1); for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) { - MD5_Update(&ctx, final, + li_MD5_Update(&ctx, final, (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl); } @@ -527,10 +531,10 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ */ for (i = strlen(pw); i != 0; i >>= 1) { if (i & 1) { - MD5_Update(&ctx, final, 1); + li_MD5_Update(&ctx, final, 1); } else { - MD5_Update(&ctx, pw, 1); + li_MD5_Update(&ctx, pw, 1); } } 
@@ -542,7 +546,7 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ strncat(passwd, sp, sl); strcat(passwd, "$"); - MD5_Final(final, &ctx); + li_MD5_Final(final, &ctx); /* * And now, just to make sure things don't run too fast.. @@ -550,28 +554,28 @@ static void apr_md5_encode(const char *pw, const char *salt, char *result, size_ * need 30 seconds to build a 1000 entry dictionary... */ for (i = 0; i < 1000; i++) { - MD5_Init(&ctx1); + li_MD5_Init(&ctx1); if (i & 1) { - MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, pw, strlen(pw)); } else { - MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); + li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); } if (i % 3) { - MD5_Update(&ctx1, sp, sl); + li_MD5_Update(&ctx1, sp, sl); } if (i % 7) { - MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, pw, strlen(pw)); } if (i & 1) { - MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); + li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE); } else { - MD5_Update(&ctx1, pw, strlen(pw)); + li_MD5_Update(&ctx1, pw, strlen(pw)); } - MD5_Final(final,&ctx1); + li_MD5_Final(final,&ctx1); } p = passwd + strlen(passwd); 
@@ -614,17 +618,17 @@ static int http_auth_basic_password_compare(server *srv, mod_auth_plugin_data *p * user:realm:md5(user:realm:password) */ - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; char a1[256]; - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)username->ptr, username->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)realm->ptr, realm->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw)); + li_MD5_Final(HA1, &Md5Ctx); CvtHex(HA1, a1); @@ -930,7 +934,7 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p int i; buffer *password, *b, *username_buf, *realm_buf; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; HASH HA2; HASH RespHash; 
@@ -1067,13 +1071,13 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) { /* generate password from plain-text */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)username, strlen(username)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)password->ptr, password->used - 1); + li_MD5_Final(HA1, &Md5Ctx); } else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) { /* HA1 */ /* transform the 32-byte-hex-md5 to a 16-byte-md5 */ 
@@ -1090,45 +1094,45 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p if (algorithm && strcasecmp(algorithm, "md5-sess") == 0) { - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)HA1, 16); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); + li_MD5_Final(HA1, &Md5Ctx); } CvtHex(HA1, a1); /* calculate H(A2) */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri)); if (qop && strcasecmp(qop, "auth-int") == 0) { - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN); } - MD5_Final(HA2, &Md5Ctx); + li_MD5_Final(HA2, &Md5Ctx); CvtHex(HA2, HA2Hex); /* calculate response */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, 
(unsigned char *)nonce, strlen(nonce)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); if (qop && *qop) { - MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); - MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); - MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop)); + li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1); }; - MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); - MD5_Final(RespHash, &Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN); + li_MD5_Final(RespHash, &Md5Ctx); CvtHex(RespHash, a2); if (0 != strcmp(a2, respons)) { 
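Review bot: In the auth-int branch of http_auth_digest_check, `li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);` reads 32 bytes from a one-byte string literal, an out-of-bounds read that the rename carried over unchanged from the old `MD5_Update` line. RFC 2617 puts H(entity-body) in that position and this code never computes it, so a `qop=auth-int` response cannot be validated correctly anyway; the honest fix is to detect `qop` equal to `auth-int` before hashing and leave through the function's existing failure path with a comment like `/* auth-int is not supported: the entity-body hash is not computed */`, rather than mixing stack garbage into H(A2). While here, `strcmp(a2, respons)` compares the expected and supplied digests with early exit; a fixed-length comparison over `HASHHEXLEN` bytes costs nothing and removes the timing dependence. http_auth_digest_check starts and ends outside this hunk.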
@@ -1171,24 +1175,24 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p int http_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char out[33]) { HASH h; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; char hh[32]; UNUSED(p); /* generate shared-secret */ - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); - MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)fn->ptr, fn->used - 1); + li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1); /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */ LI_ltostr(hh, srv->cur_ts); - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy)); LI_ltostr(hh, rand()); - MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); + li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh)); - MD5_Final(h, &Md5Ctx); + li_MD5_Final(h, &Md5Ctx); CvtHex(h, out); diff --git a/src/http_auth_digest.c b/src/http_auth_digest.c deleted file mode 100644 index 83b3c60..0000000 --- a/src/http_auth_digest.c +++ /dev/null @@ -1,26 +0,0 @@ -#include "buffer.h" - -#include "http_auth_digest.h" - -#include <string.h> - -#ifndef USE_OPENSSL -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif - -void CvtHex(IN HASH Bin, OUT HASHHEX Hex) { - unsigned short i; - - for (i = 0; i < HASHLEN; i++) { - Hex[i*2] = int2hex((Bin[i] >> 4) & 0xf); - Hex[i*2+1] = int2hex(Bin[i] & 0xf); - } - Hex[HASHHEXLEN] = '\0'; -} - diff --git a/src/http_auth_digest.h b/src/http_auth_digest.h deleted file mode 100644 index 58e8cb5..0000000 --- a/src/http_auth_digest.h +++ /dev/null 
@@ -1,24 +0,0 @@ -#ifndef _DIGCALC_H_ -#define _DIGCALC_H_ - -#ifdef HAVE_CONFIG_H -# include "config.h" -#endif - -#define HASHLEN 16 -typedef unsigned char HASH[HASHLEN]; -#define HASHHEXLEN 32 -typedef char HASHHEX[HASHHEXLEN+1]; -#ifdef USE_OPENSSL -#define IN const -#else -#define IN -#endif -#define OUT - -void CvtHex( - IN HASH Bin, - OUT HASHHEX Hex - ); - -#endif diff --git a/src/mod_cgi.c b/src/mod_cgi.c index 25d2f65..083be91 100644 --- a/src/mod_cgi.c +++ b/src/mod_cgi.c @@ -1288,6 +1288,15 @@ TRIGGER_FUNC(cgi_trigger) { #endif break; case -1: + if (errno == ECHILD) { + /* someone else called waitpid... remove the pid to stop looping the error each time */ + log_error_write(srv, __FILE__, __LINE__, "s", "cgi child vanished, probably someone else called waitpid"); + + cgi_pid_del(srv, p, p->cgi_pid.ptr[ndx]); + ndx--; + continue; + } + log_error_write(srv, __FILE__, __LINE__, "ss", "waitpid failed: ", strerror(errno)); return HANDLER_ERROR; diff --git a/src/mod_cml_funcs.c b/src/mod_cml_funcs.c index b8958ab..9d859c7 100644 --- a/src/mod_cml_funcs.c +++ b/src/mod_cml_funcs.c @@ -17,17 +17,7 @@ #include <dirent.h> #include <stdio.h> -#ifdef USE_OPENSSL -# include <openssl/md5.h> -#else -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif +#include "md5.h" #define HASHLEN 16 typedef unsigned char HASH[HASHLEN]; @@ -43,7 +33,7 @@ typedef char HASHHEX[HASHHEXLEN+1]; #ifdef HAVE_LUA_H int f_crypto_md5(lua_State *L) { - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; buffer b; char hex[33]; @@ -63,9 +53,9 @@ int f_crypto_md5(lua_State *L) { lua_error(L); } - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)lua_tostring(L, 1), lua_strlen(L, 1)); + li_MD5_Final(HA1, &Md5Ctx); buffer_copy_string_hex(&b, (char *)HA1, 16); 
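Review bot: The new ECHILD branch in cgi_trigger does `ndx--; continue;` so that the entry `cgi_pid_del` moved into slot `ndx` is examined on the next pass; that only works if the enclosing loop is a `for` whose increment runs after `continue`, and if `ndx` is unsigned the decrement at slot 0 relies on the wrap being undone by that increment. Both assumptions are invisible at this line and easy to break in a later edit, so state them, e.g. `/* cgi_pid_del() moved the last pid into ndx; step back so the for-increment revisits it */`. The loop header and the start of cgi_trigger are outside this hunk, so whether `ndx` is signed cannot be confirmed from here.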
diff --git a/src/mod_cml_lua.c b/src/mod_cml_lua.c index 8be4538..9f4e27a 100644 --- a/src/mod_cml_lua.c +++ b/src/mod_cml_lua.c @@ -11,18 +11,6 @@ #include <time.h> #include <string.h> -#ifdef USE_OPENSSL -# include <openssl/md5.h> -#else -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif - #define HASHLEN 16 typedef unsigned char HASH[HASHLEN]; #define HASHHEXLEN 32 diff --git a/src/mod_dirlisting.c b/src/mod_dirlisting.c index bef8923..cd317ec 100644 --- a/src/mod_dirlisting.c +++ b/src/mod_dirlisting.c @@ -657,7 +657,8 @@ static int http_list_directory(server *srv, connection *con, plugin_data *p, buf i = dir->used - 1; #ifdef HAVE_PATHCONF - if (-1 == (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { + if (0 >= (name_max = pathconf(dir->ptr, _PC_NAME_MAX))) { + /* some broken fs (fuse) return 0 instead of -1 */ #ifdef NAME_MAX name_max = NAME_MAX; #else diff --git a/src/mod_fastcgi.c b/src/mod_fastcgi.c index 0fbcc17..18a433f 100644 --- a/src/mod_fastcgi.c +++ b/src/mod_fastcgi.c @@ -3075,7 +3075,7 @@ static handler_t fcgi_write_request(server *srv, handler_ctx *hctx) { fcgi_set_state(srv, hctx, FCGI_STATE_WRITE); /* fall through */ case FCGI_STATE_WRITE: - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); chunkqueue_remove_finished_chunks(hctx->wb); @@ -3132,7 +3132,6 @@ SUBREQUEST_FUNC(mod_fastcgi_handle_subrequest) { plugin_data *p = p_d; handler_ctx *hctx = con->plugin_ctx[p->id]; - fcgi_proc *proc; fcgi_extension_host *host; if (NULL == hctx) return HANDLER_GO_ON; @@ -3201,7 +3200,6 @@ SUBREQUEST_FUNC(mod_fastcgi_handle_subrequest) { /* ok, create the request */ switch(fcgi_write_request(srv, hctx)) { case HANDLER_ERROR: - proc = hctx->proc; host = hctx->host; if (hctx->state == FCGI_STATE_INIT || 
diff --git a/src/mod_proxy.c b/src/mod_proxy.c index bd82654..06fe3db 100644 --- a/src/mod_proxy.c +++ b/src/mod_proxy.c @@ -825,7 +825,7 @@ static handler_t proxy_write_request(server *srv, handler_ctx *hctx) { /* fall through */ case PROXY_STATE_WRITE:; - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); chunkqueue_remove_finished_chunks(hctx->wb); diff --git a/src/mod_scgi.c b/src/mod_scgi.c index 59e5ccb..c63de6a 100644 --- a/src/mod_scgi.c +++ b/src/mod_scgi.c @@ -2296,7 +2296,7 @@ static handler_t scgi_write_request(server *srv, handler_ctx *hctx) { /* fall through */ case FCGI_STATE_WRITE: - ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb); + ret = srv->network_backend_write(srv, con, hctx->fd, hctx->wb, MAX_WRITE_LIMIT); chunkqueue_remove_finished_chunks(hctx->wb); diff --git a/src/mod_secure_download.c b/src/mod_secure_download.c index bf33b43..a9c031f 100644 --- a/src/mod_secure_download.c +++ b/src/mod_secure_download.c @@ -8,17 +8,7 @@ #include <stdlib.h> #include <string.h> -#ifdef USE_OPENSSL -# include <openssl/md5.h> -#else -# include "md5.h" - -typedef li_MD5_CTX MD5_CTX; -#define MD5_Init li_MD5_Init -#define MD5_Update li_MD5_Update -#define MD5_Final li_MD5_Final - -#endif +#include "md5.h" #define HASHLEN 16 typedef unsigned char HASH[HASHLEN]; @@ -200,7 +190,7 @@ static int mod_secdownload_patch_connection(server *srv, connection *con, plugin URIHANDLER_FUNC(mod_secdownload_uri_handler) { plugin_data *p = p_d; - MD5_CTX Md5Ctx; + li_MD5_CTX Md5Ctx; HASH HA1; const char *rel_uri, *ts_str, *md5_str; time_t ts = 0; 
@@ -266,9 +256,9 @@ URIHANDLER_FUNC(mod_secdownload_uri_handler) { buffer_append_string(p->md5, rel_uri); buffer_append_string_len(p->md5, ts_str, 8); - MD5_Init(&Md5Ctx); - MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); - MD5_Final(HA1, &Md5Ctx); + li_MD5_Init(&Md5Ctx); + li_MD5_Update(&Md5Ctx, (unsigned char *)p->md5->ptr, p->md5->used - 1); + li_MD5_Final(HA1, &Md5Ctx); buffer_copy_string_hex(p->md5, (char *)HA1, 16); diff --git a/src/mod_staticfile.c b/src/mod_staticfile.c index 9b937ce..f5114dd 100644 --- a/src/mod_staticfile.c +++ b/src/mod_staticfile.c @@ -26,6 +26,7 @@ typedef struct { array *exclude_ext; unsigned short etags_used; + unsigned short disable_pathinfo; } plugin_config; typedef struct { @@ -84,6 +85,7 @@ SETDEFAULTS_FUNC(mod_staticfile_set_defaults) { config_values_t cv[] = { { "static-file.exclude-extensions", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ { "static-file.etags", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */ + { "static-file.disable-pathinfo", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 2 */ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } }; @@ -97,9 +99,11 @@ SETDEFAULTS_FUNC(mod_staticfile_set_defaults) { s = calloc(1, sizeof(plugin_config)); s->exclude_ext = array_init(); s->etags_used = 1; + s->disable_pathinfo = 0; cv[0].destination = s->exclude_ext; cv[1].destination = &(s->etags_used); + cv[2].destination = &(s->disable_pathinfo); p->config_storage[i] = s; @@ -119,6 +123,7 @@ static int mod_staticfile_patch_connection(server *srv, connection *con, plugin_ PATCH(exclude_ext); PATCH(etags_used); + PATCH(disable_pathinfo); /* skip the first, the global context */ for (i = 1; i < srv->config_context->used; i++) { 
@@ -136,7 +141,9 @@ static int mod_staticfile_patch_connection(server *srv, connection *con, plugin_ PATCH(exclude_ext); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.etags"))) { PATCH(etags_used); - } + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("static-file.disable-pathinfo"))) { + PATCH(disable_pathinfo); + } } } @@ -350,7 +357,6 @@ static int http_response_parse_range(server *srv, connection *con, plugin_data * URIHANDLER_FUNC(mod_staticfile_subrequest) { plugin_data *p = p_d; size_t k; - int s_len; stat_cache_entry *sce = NULL; buffer *mtime = NULL; data_string *ds; @@ -376,7 +382,12 @@ URIHANDLER_FUNC(mod_staticfile_subrequest) { mod_staticfile_patch_connection(srv, con, p); - s_len = con->uri.path->used - 1; + if (p->conf.disable_pathinfo && 0 != con->request.pathinfo->used) { + if (con->conf.log_request_handling) { + log_error_write(srv, __FILE__, __LINE__, "s", "-- NOT handling file as static file, pathinfo forbidden"); + } + return HANDLER_GO_ON; + } /* ignore certain extensions */ for (k = 0; k < p->conf.exclude_ext->used; k++) { diff --git a/src/mod_status.c b/src/mod_status.c index 69c5de5..76061f9 100644 --- a/src/mod_status.c +++ b/src/mod_status.c @@ -487,7 +487,7 @@ static handler_t mod_status_handle_server_status_html(server *srv, connection *c buffer_append_string_len(b, CONST_STR_LEN("</td><td class=\"int\">")); - if (con->request.content_length) { + if (c->request.content_length) { buffer_append_long(b, c->request_content_queue->bytes_in); buffer_append_string_len(b, CONST_STR_LEN("/")); buffer_append_long(b, c->request.content_length); diff --git a/src/mod_userdir.c b/src/mod_userdir.c index f0fc005..4a1967f 100644 --- a/src/mod_userdir.c +++ b/src/mod_userdir.c @@ -166,7 +166,6 @@ static int mod_userdir_patch_connection(server *srv, connection *con, plugin_dat URIHANDLER_FUNC(mod_userdir_docroot_handler) { plugin_data *p = p_d; - int uri_len; size_t k; char *rel_url; #ifdef HAVE_PWD_H 
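Review bot: The new pathinfo guard in mod_staticfile_subrequest tests `0 != con->request.pathinfo->used`, which means "non-empty" only if an empty pathinfo is always left with `used == 0`; the `used - 1` length arguments elsewhere in this diff show that `used` counts the terminating NUL, so an empty-but-terminated buffer (`used == 1`) would make the handler decline every request once `static-file.disable-pathinfo` is set. If the request-parsing code can leave the buffer in that state, compare the string length instead: `if (p->conf.disable_pathinfo && con->request.pathinfo->used > 1) {`. Whichever form is kept, a comment naming the invariant relied on (`/* pathinfo is reset to used == 0 when absent */` or the like) would keep this from regressing. mod_staticfile_subrequest starts and ends outside this hunk.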
@@ -182,8 +181,6 @@ URIHANDLER_FUNC(mod_userdir_docroot_handler) {
 */
 if (p->conf.path->used == 0) return HANDLER_GO_ON;
- uri_len = con->uri.path->used - 1;
-
 /* /~user/foo.html -> /home/user/public_html/foo.html */
 if (con->uri.path->ptr[0] != '/' ||
diff --git a/src/mod_usertrack.c b/src/mod_usertrack.c
index 06de298..9ecabdc 100644
--- a/src/mod_usertrack.c
+++ b/src/mod_usertrack.c
@@ -8,17 +8,7 @@
 #include <stdlib.h>
 #include <string.h>
-#ifdef USE_OPENSSL
-# include <openssl/md5.h>
-#else
-# include "md5.h"
-
-typedef li_MD5_CTX MD5_CTX;
-#define MD5_Init li_MD5_Init
-#define MD5_Update li_MD5_Update
-#define MD5_Final li_MD5_Final
-
-#endif
+#include "md5.h"
 /* plugin config for all request/connections */
@@ -182,7 +172,7 @@ URIHANDLER_FUNC(mod_usertrack_uri_handler) {
 plugin_data *p = p_d;
 data_string *ds;
 unsigned char h[16];
- MD5_CTX Md5Ctx;
+ li_MD5_CTX Md5Ctx;
 char hh[32];
 if (con->uri.path->used == 0) return HANDLER_GO_ON;
@@ -228,18 +218,18 @@ URIHANDLER_FUNC(mod_usertrack_uri_handler) {
 /* taken from mod_auth.c */
 /* generate shared-secret */
- MD5_Init(&Md5Ctx);
- MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1);
- MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
+ li_MD5_Init(&Md5Ctx);
+ li_MD5_Update(&Md5Ctx, (unsigned char *)con->uri.path->ptr, con->uri.path->used - 1);
+ li_MD5_Update(&Md5Ctx, (unsigned char *)"+", 1);
 /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */
 LI_ltostr(hh, srv->cur_ts);
- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
- MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
+ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+ li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
 LI_ltostr(hh, rand());
- MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
+ li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
- MD5_Final(h, &Md5Ctx);
+ li_MD5_Final(h, &Md5Ctx);
 buffer_append_string_encoded(ds->value, (char *)h, 16, ENCODING_HEX);
 buffer_append_string_len(ds->value, CONST_STR_LEN("; Path=/"));
diff --git a/src/network.c b/src/network.c
index 58b8e5c..ba36654 100644
--- a/src/network.c
+++ b/src/network.c
@@ -27,6 +27,19 @@
 # include <openssl/rand.h>
 #endif
+#ifdef USE_OPENSSL
+static void ssl_info_callback(const SSL *ssl, int where, int ret) {
+ UNUSED(ret);
+
+ if (0 != (where & SSL_CB_HANDSHAKE_START)) {
+ connection *con = SSL_get_app_data(ssl);
+ ++con->renegotiations;
+ } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
+ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+ }
+}
+#endif
+
 static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
 server_socket *srv_socket = (server_socket *)context;
 connection *con;
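Review bot: `ssl_info_callback` dereferences the result of `SSL_get_app_data(ssl)` without a NULL check, so it relies on every SSL object having the connection stored as app data before its first handshake; where that is set is outside this diff, so either a `if (NULL == con) return;` guard or a comment naming that precondition would make the dependency explicit. The counter also increments on the initial handshake, which is why the write path compares against `> 1`; record that next to the increment: `/* counts handshakes including the first one; > 1 means the client renegotiated */`. Writing `ssl->s3->flags` reaches into an OpenSSL-internal structure that later library versions make opaque, so that line is worth isolating behind a version check rather than leaving it unconditional.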
@@ -480,9 +493,11 @@ int network_init(server *srv) {
 network_backend_t backend;
 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
 EC_KEY *ecdh;
 int nid;
 #endif
+#endif
 #ifdef USE_OPENSSL
 DH *dh;
@@ -553,6 +568,11 @@ int network_init(server *srv) {
 /* load SSL certificates */
 for (i = 0; i < srv->config_context->used; i++) {
 specific_config *s = srv->config_storage[i];
+#ifndef SSL_OP_NO_COMPRESSION
+# define SSL_OP_NO_COMPRESSION 0
+#endif
+ long ssloptions =
+ SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
 if (buffer_is_empty(s->ssl_pemfile)) continue;
@@ -586,6 +606,9 @@ int network_init(server *srv) {
 return -1;
 }
+ SSL_CTX_set_options(s->ssl_ctx, ssloptions);
+ SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
+
 if (!s->ssl_use_sslv2) {
 /* disable SSLv2 */
 if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
@@ -611,6 +634,10 @@ int network_init(server *srv) {
 ERR_error_string(ERR_get_error(), NULL));
 return -1;
 }
+
+ if (s->ssl_honor_cipher_order) {
+ SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
 }
 /* Support for Diffie-Hellman key exchange */
@@ -847,7 +874,7 @@ int network_register_fdevents(server *srv) {
 return 0;
 }
-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) {
+int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq, off_t max_bytes) {
 int ret = -1;
 off_t written = 0;
 #ifdef TCP_CORK
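Review bot: Defining `SSL_OP_NO_COMPRESSION` as 0 when the OpenSSL headers lack it turns the option into a silent no-op on older library versions, so TLS compression stays enabled there without any log line or comment saying so. A short comment above the fallback, `/* older OpenSSL has no SSL_OP_NO_COMPRESSION; compression cannot be disabled there */`, records the limitation, and moving the `#ifndef` block next to the other OpenSSL includes at the top of the file keeps preprocessor definitions out of a loop body. The same `ssloptions` value is applied a few hunks later with `SSL_CTX_set_options`, so a comment at its declaration listing why each flag is set would help the next reader. network_init continues outside the hunk.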
@@ -855,14 +882,32 @@ int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) {
 #endif
 server_socket *srv_socket = con->srv_socket;
- if (con->conf.global_kbytes_per_second &&
- *(con->conf.global_bytes_per_second_cnt_ptr) > con->conf.global_kbytes_per_second * 1024) {
- /* we reached the global traffic limit */
+ if (con->conf.global_kbytes_per_second) {
+ off_t limit = con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr);
+ if (limit <= 0) {
+ /* we reached the global traffic limit */
- con->traffic_limit_reached = 1;
- joblist_append(srv, con);
+ con->traffic_limit_reached = 1;
+ joblist_append(srv, con);
- return 1;
+ return 1;
+ } else {
+ if (max_bytes > limit) max_bytes = limit;
+ }
+ }
+
+ if (con->conf.kbytes_per_second) {
+ off_t limit = con->conf.kbytes_per_second * 1024 - con->bytes_written_cur_second;
+ if (limit <= 0) {
+ /* we reached the traffic limit */
+
+ con->traffic_limit_reached = 1;
+ joblist_append(srv, con);
+
+ return 1;
+ } else {
+ if (max_bytes > limit) max_bytes = limit;
+ }
 }
 written = cq->bytes_out;
@@ -879,10 +924,10 @@ int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) {
 if (srv_socket->is_ssl) {
 #ifdef USE_OPENSSL
- ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq);
+ ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq, max_bytes);
 #endif
 } else {
- ret = srv->network_backend_write(srv, con, con->fd, cq);
+ ret = srv->network_backend_write(srv, con, con->fd, cq, max_bytes);
 }
 if (ret >= 0) {
@@ -903,12 +948,5 @@ int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) {
 *(con->conf.global_bytes_per_second_cnt_ptr) += written;
- if (con->conf.kbytes_per_second &&
- (con->bytes_written_cur_second > con->conf.kbytes_per_second * 1024)) {
- /* we reached the traffic limit */
-
- con->traffic_limit_reached = 1;
- joblist_append(srv, con);
- }
 return ret;
 }
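Review bot: The two new `limit` computations only work if the subtraction happens in a signed type: should `global_kbytes_per_second` and the counter it is compared against both be unsigned, `kbytes * 1024 - counter` wraps to a large positive value instead of going negative, `limit <= 0` never fires and the throttle is silently lost. The field types are outside the hunk, so a cast makes the code independent of them: `off_t limit = (off_t)con->conf.global_kbytes_per_second * 1024 - *(con->conf.global_bytes_per_second_cnt_ptr);` and the same for `kbytes_per_second`. The two blocks differ only in their operands and could share a small static helper that returns the clamped budget or flags the limit. network_write_chunkqueue continues outside the hunk.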
diff --git a/src/network.h b/src/network.h
index 99c7596..d9d4e7a 100644
--- a/src/network.h
+++ b/src/network.h
@@ -3,7 +3,7 @@
 #include "server.h"
-int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c);
+int network_write_chunkqueue(server *srv, connection *con, chunkqueue *c, off_t max_bytes);
 int network_init(server *srv);
 int network_close(server *srv);
diff --git a/src/network_backends.h b/src/network_backends.h
index 8d92006..54a07d7 100644
--- a/src/network_backends.h
+++ b/src/network_backends.h
@@ -47,18 +47,18 @@
 #include "base.h"
 /* return values:
- * >= 0 : chunks completed
+ * >= 0 : no error
 * -1 : error (on our side)
 * -2 : remote close
 */
-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq);
-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq);
-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq);
-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq);
-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq);
+int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
+int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes);
 #ifdef USE_OPENSSL
-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq);
+int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes);
 #endif
 #endif
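Review bot: The prototypes gain a `max_bytes` parameter but the comment block above them still only describes return values; since every backend in this diff writes nothing when the budget is not positive and stops once it is used up, the contract belongs here: ` * max_bytes: upper bound on bytes written by this call; nothing is written when it is <= 0`. The `>= 0 : no error` wording also hides that the backends now always return 0 on success, which callers testing `ret >= 0` depend on; saying `0 : no error (chunks may remain queued)` is more precise.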
diff --git a/src/network_freebsd_sendfile.c b/src/network_freebsd_sendfile.c
index ba92aaf..7b165fc 100644
--- a/src/network_freebsd_sendfile.c
+++ b/src/network_freebsd_sendfile.c
@@ -31,17 +31,16 @@
 # endif
 #endif
-int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq) {
+int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
 chunk *c;
- size_t chunks_written = 0;
- for(c = cq->first; c; c = c->next, chunks_written++) {
+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
 int chunk_finished = 0;
 switch(c->type) {
 case MEM_CHUNK: {
 char * offset;
- size_t toSend;
+ off_t toSend;
 ssize_t r;
 size_t num_chunks, i;
@@ -49,12 +48,10 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f
 chunk *tc;
 size_t num_bytes = 0;
- /* we can't send more then SSIZE_MAX bytes in one chunk */
-
 /* build writev list
 *
 * 1. limit: num_chunks < UIO_MAXIOV
- * 2. limit: num_bytes < SSIZE_MAX
+ * 2. limit: num_bytes < max_bytes
 */
 for(num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV; num_chunks++, tc = tc->next);
@@ -69,9 +66,9 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f
 chunks[i].iov_base = offset;
 /* protect the return value of writev() */
- if (toSend > SSIZE_MAX ||
- num_bytes + toSend > SSIZE_MAX) {
- chunks[i].iov_len = SSIZE_MAX - num_bytes;
+ if (toSend > max_bytes ||
+ (off_t) num_bytes + toSend > max_bytes) {
+ chunks[i].iov_len = max_bytes - num_bytes;
 num_chunks = i + 1;
 break;
@@ -105,6 +102,7 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f
 /* check which chunks have been written */
 cq->bytes_out += r;
+ max_bytes -= r;
 for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) {
 if (r >= (ssize_t)chunks[i].iov_len) {
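Review bot: When `num_bytes` has already reached `max_bytes` exactly, the new bound produces an iov entry with `iov_len = 0` for a chunk that still holds data, because the loop only breaks after the entry is added; the accounting loop below (`r >= (ssize_t)chunks[i].iov_len`) then sees a zero-length entry as completely written, and whether that advances past unsent data depends on code outside the hunk. Stopping before the entry is added sidesteps the question: `if ((off_t) num_bytes >= max_bytes) { num_chunks = i; break; }` at the top of the iteration, leaving the existing clamp for the partial case. The same list-building code is changed in network_linux_sendfile.c (`@@ -67,9 +64,9 @@`), network_solaris_sendfilev.c (`@@ -77,9 +76,9 @@`) and network_writev.c (`@@ -87,9 +84,9 @@`). The enclosing loop starts and ends outside the hunk.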
@@ -114,11 +112,10 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f
 if (chunk_finished) {
 /* skip the chunks from further touches */
- chunks_written++;
 c = c->next;
 } else {
 /* chunks_written + c = c->next is done in the for()*/
- chunk_finished++;
+ chunk_finished = 1;
 }
 } else {
 /* partially written */
@@ -134,7 +131,7 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f
 }
 case FILE_CHUNK: {
 off_t offset, r;
- size_t toSend;
+ off_t toSend;
 stat_cache_entry *sce = NULL;
 if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) {
@@ -144,9 +141,8 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f
 }
 offset = c->file.start + c->offset;
- /* limit the toSend to 2^31-1 bytes in a chunk */
- toSend = c->file.length - c->offset > ((1 << 30) - 1) ?
- ((1 << 30) - 1) : c->file.length - c->offset;
+ toSend = c->file.length - c->offset;
+ if (toSend > max_bytes) toSend = max_bytes;
 if (-1 == c->file.fd) {
 if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) {
@@ -197,6 +193,7 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f
 c->offset += r;
 cq->bytes_out += r;
+ max_bytes -= r;
 if (c->offset == c->file.length) {
 chunk_finished = 1;
@@ -218,7 +215,7 @@ int network_write_chunkqueue_freebsdsendfile(server *srv, connection *con, int f
 }
 }
- return chunks_written;
+ return 0;
 }
 #endif
diff --git a/src/network_linux_sendfile.c b/src/network_linux_sendfile.c
index 5a44b47..9105603 100644
--- a/src/network_linux_sendfile.c
+++ b/src/network_linux_sendfile.c
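Review bot: Dropping the `(1 << 30) - 1` cap in the FILE_CHUNK path (`@@ -144,9 +141,8 @@`) means the sendfile count is now bounded only by whatever `max_bytes` the caller passes; `toSend` is `off_t` while the sendfile length argument is a `size_t`, so a caller passing a large budget on a 32-bit build would reintroduce the truncation the old cap guarded against. A comment at the clamp pins the contract down: `/* caller bounds max_bytes (MAX_WRITE_LIMIT); it must fit in size_t */`. The same cap is removed in network_linux_sendfile.c (`@@ -130,13 +127,12 @@`). The enclosing switch continues outside the hunk.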
@@ -27,17 +27,16 @@
 /* on linux 2.4.29 + debian/ubuntu we have crashes if this is enabled */
 #undef HAVE_POSIX_FADVISE
-int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq) {
+int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
 chunk *c;
- size_t chunks_written = 0;
- for(c = cq->first; c; c = c->next, chunks_written++) {
+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
 int chunk_finished = 0;
 switch(c->type) {
 case MEM_CHUNK: {
 char * offset;
- size_t toSend;
+ off_t toSend;
 ssize_t r;
 size_t num_chunks, i;
@@ -45,12 +44,10 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd,
 chunk *tc;
 size_t num_bytes = 0;
- /* we can't send more then SSIZE_MAX bytes in one chunk */
-
 /* build writev list
 *
 * 1. limit: num_chunks < UIO_MAXIOV
- * 2. limit: num_bytes < SSIZE_MAX
+ * 2. limit: num_bytes < max_bytes
 */
 for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < UIO_MAXIOV;
@@ -67,9 +64,9 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd,
 chunks[i].iov_base = offset;
 /* protect the return value of writev() */
- if (toSend > SSIZE_MAX ||
- num_bytes + toSend > SSIZE_MAX) {
- chunks[i].iov_len = SSIZE_MAX - num_bytes;
+ if (toSend > max_bytes ||
+ (off_t) num_bytes + toSend > max_bytes) {
+ chunks[i].iov_len = max_bytes - num_bytes;
 num_chunks = i + 1;
 break;
@@ -100,6 +97,7 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd,
 /* check which chunks have been written */
 cq->bytes_out += r;
+ max_bytes -= r;
 for(i = 0, tc = c; i < num_chunks; i++, tc = tc->next) {
 if (r >= (ssize_t)chunks[i].iov_len) {
@@ -109,11 +107,10 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd,
 if (chunk_finished) {
 /* skip the chunks from further touches */
- chunks_written++;
 c = c->next;
 } else {
 /* chunks_written + c = c->next is done in the for()*/
- chunk_finished++;
+ chunk_finished = 1;
 }
 } else {
 /* partially written */
@@ -130,13 +127,12 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd,
 case FILE_CHUNK: {
 ssize_t r;
 off_t offset;
- size_t toSend;
+ off_t toSend;
 stat_cache_entry *sce = NULL;
 offset = c->file.start + c->offset;
- /* limit the toSend to 2^31-1 bytes in a chunk */
- toSend = c->file.length - c->offset > ((1 << 30) - 1) ?
- ((1 << 30) - 1) : c->file.length - c->offset;
+ toSend = c->file.length - c->offset;
+ if (toSend > max_bytes) toSend = max_bytes;
 /* open file if not already opened */
 if (-1 == c->file.fd) {
@@ -215,6 +211,7 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd,
 c->offset += r;
 cq->bytes_out += r;
+ max_bytes -= r;
 if (c->offset == c->file.length) {
 chunk_finished = 1;
@@ -243,7 +240,7 @@ int network_write_chunkqueue_linuxsendfile(server *srv, connection *con, int fd,
 }
 }
- return chunks_written;
+ return 0;
 }
 #endif
diff --git a/src/network_openssl.c b/src/network_openssl.c
index d2fb6d8..7bed710 100644
--- a/src/network_openssl.c
+++ b/src/network_openssl.c
@@ -27,10 +27,9 @@
 # include <openssl/ssl.h>
 # include <openssl/err.h>
-int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) {
+int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) {
 int ssl_r;
 chunk *c;
- size_t chunks_written = 0;
 /* this is a 64k sendbuffer
 *
@@ -59,13 +58,13 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
 }
- for(c = cq->first; c; c = c->next) {
+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
 int chunk_finished = 0;
 switch(c->type) {
 case MEM_CHUNK: {
 char * offset;
- size_t toSend;
+ off_t toSend;
 ssize_t r;
 if (c->mem->used == 0 || c->mem->used == 1) {
@@ -75,6 +74,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 offset = c->mem->ptr + c->offset;
 toSend = c->mem->used - 1 - c->offset;
+ if (toSend > max_bytes) toSend = max_bytes;
 /**
 * SSL_write man-page
@@ -87,7 +87,14 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 */
 ERR_clear_error();
- if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
+ r = SSL_write(ssl, offset, toSend);
+
+ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
+ return -1;
+ }
+
+ if (r <= 0) {
 unsigned long err;
 switch ((ssl_r = SSL_get_error(ssl, r))) {
@@ -139,6 +146,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 } else {
 c->offset += r;
 cq->bytes_out += r;
+ max_bytes -= r;
 }
 if (c->offset == (off_t)c->mem->used - 1) {
@@ -168,6 +176,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 do {
 off_t offset = c->file.start + c->offset;
 off_t toSend = c->file.length - c->offset;
+ if (toSend > max_bytes) toSend = max_bytes;
 if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE;
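Review bot: In `@@ -87,7 +87,14 @@` the renegotiation check runs after `SSL_write` and returns -1 regardless of `r`, so when the write succeeded the bytes already handed to OpenSSL are never reflected in `c->offset` or `cq->bytes_out`; that is only harmless if the caller tears the connection down on -1, which the header comment (`-1 : error (on our side)`) suggests but which is outside this hunk. A one-line comment, `/* -1 closes the connection; the bytes of this write are deliberately not accounted */`, records the assumption. The identical test-and-log block in the FILE_CHUNK path (`@@ -190,7 +199,14 @@`) could call a small static helper instead of repeating the condition and the message. network_write_chunkqueue_openssl continues outside the hunk.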
@@ -190,7 +199,14 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 close(ifd);
 ERR_clear_error();
- if ((r = SSL_write(ssl, s, toSend)) <= 0) {
+ r = SSL_write(ssl, s, toSend);
+
+ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
+ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
+ return -1;
+ }
+
+ if (r <= 0) {
 unsigned long err;
 switch ((ssl_r = SSL_get_error(ssl, r))) {
@@ -243,12 +259,13 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 } else {
 c->offset += r;
 cq->bytes_out += r;
+ max_bytes -= r;
 }
 if (c->offset == c->file.length) {
 chunk_finished = 1;
 }
- } while(!chunk_finished && !write_wait);
+ } while (!chunk_finished && !write_wait && max_bytes > 0);
 break;
 }
@@ -263,11 +280,9 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu
 break;
 }
-
- chunks_written++;
 }
- return chunks_written;
+ return 0;
 }
 #endif
diff --git a/src/network_solaris_sendfilev.c b/src/network_solaris_sendfilev.c
index fcfa178..2003200 100644
--- a/src/network_solaris_sendfilev.c
+++ b/src/network_solaris_sendfilev.c
@@ -38,17 +38,16 @@
 */
-int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq) {
+int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
 chunk *c;
- size_t chunks_written = 0;
- for(c = cq->first; c; c = c->next, chunks_written++) {
+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
 int chunk_finished = 0;
 switch(c->type) {
 case MEM_CHUNK: {
 char * offset;
- size_t toSend;
+ off_t toSend;
 ssize_t r;
 size_t num_chunks, i;
@@ -77,9 +76,9 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int
 chunks[i].iov_base = offset;
 /* protect the return value of writev() */
- if (toSend > SSIZE_MAX ||
- num_bytes + toSend > SSIZE_MAX) {
- chunks[i].iov_len = SSIZE_MAX - num_bytes;
+ if (toSend > max_bytes ||
+ (off_t) num_bytes + toSend > max_bytes) {
+ chunks[i].iov_len = max_bytes - num_bytes;
 num_chunks = i + 1;
 break;
@@ -119,11 +118,10 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int
 if (chunk_finished) {
 /* skip the chunks from further touches */
- chunks_written++;
 c = c->next;
 } else {
 /* chunks_written + c = c->next is done in the for()*/
- chunk_finished++;
+ chunk_finished = 1;
 }
 } else {
 /* partially written */
@@ -139,8 +137,8 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int
 }
 case FILE_CHUNK: {
 ssize_t r;
- off_t offset;
- size_t toSend, written;
+ off_t offset, toSend;
+ size_t written;
 sendfilevec_t fvec;
 stat_cache_entry *sce = NULL;
 int ifd;
@@ -153,6 +151,7 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int
 offset = c->file.start + c->offset;
 toSend = c->file.length - c->offset;
+ if (toSend > max_bytes) toSend = max_bytes;
 if (offset > sce->st.st_size) {
 log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name);
@@ -186,6 +185,7 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int
 close(ifd);
 c->offset += written;
 cq->bytes_out += written;
+ max_bytes -= written;
 if (c->offset == c->file.length) {
 chunk_finished = 1;
@@ -207,7 +207,7 @@ int network_write_chunkqueue_solarissendfilev(server *srv, connection *con, int
 }
 }
- return chunks_written;
+ return 0;
 }
 #endif
diff --git a/src/network_write.c b/src/network_write.c
index b5c89f5..6aa6cfa 100644
--- a/src/network_write.c
+++ b/src/network_write.c
@@ -24,17 +24,16 @@
 # include <sys/resource.h>
 #endif
-int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq) {
+int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
 chunk *c;
- size_t chunks_written = 0;
- for(c = cq->first; c; c = c->next) {
+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
 int chunk_finished = 0;
 switch(c->type) {
 case MEM_CHUNK: {
 char * offset;
- size_t toSend;
+ off_t toSend;
 ssize_t r;
 if (c->mem->used == 0) {
@@ -44,6 +43,8 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu
 offset = c->mem->ptr + c->offset;
 toSend = c->mem->used - 1 - c->offset;
+ if (toSend > max_bytes) toSend = max_bytes;
+
 #ifdef __WIN32
 if ((r = send(fd, offset, toSend, 0)) < 0) {
 /* no error handling for windows... */
@@ -72,6 +73,7 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu
 c->offset += r;
 cq->bytes_out += r;
+ max_bytes -= r;
 if (c->offset == (off_t)c->mem->used - 1) {
 chunk_finished = 1;
@@ -85,7 +87,7 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu
 #endif
 ssize_t r;
 off_t offset;
- size_t toSend;
+ off_t toSend;
 stat_cache_entry *sce = NULL;
 int ifd;
@@ -98,6 +100,8 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu
 offset = c->file.start + c->offset;
 toSend = c->file.length - c->offset;
+ if (toSend > max_bytes) toSend = max_bytes;
+
 if (offset > sce->st.st_size) {
 log_error_write(srv, __FILE__, __LINE__, "sb", "file was shrinked:", c->file.name);
@@ -181,6 +185,7 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu
 c->offset += r;
 cq->bytes_out += r;
+ max_bytes -= r;
 if (c->offset == c->file.length) {
 chunk_finished = 1;
@@ -200,11 +205,9 @@ int network_write_chunkqueue_write(server *srv, connection *con, int fd, chunkqu
 break;
 }
-
- chunks_written++;
 }
- return chunks_written;
+ return 0;
 }
 #if 0
diff --git a/src/network_writev.c b/src/network_writev.c
index 6a19348..65bb19d 100644
--- a/src/network_writev.c
+++ b/src/network_writev.c
@@ -30,17 +30,16 @@
 #define LOCAL_BUFFERING 1
 #endif
-int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq) {
+int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkqueue *cq, off_t max_bytes) {
 chunk *c;
- size_t chunks_written = 0;
- for(c = cq->first; c; c = c->next) {
+ for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
 int chunk_finished = 0;
 switch(c->type) {
 case MEM_CHUNK: {
 char * offset;
- size_t toSend;
+ off_t toSend;
 ssize_t r;
 size_t num_chunks, i;
@@ -65,12 +64,10 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq
 #error "sysconf() doesnt return _SC_IOV_MAX ..., check the output of 'man writev' for the EINVAL error and send the output to jan@kneschke.de"
 #endif
- /* we can't send more then SSIZE_MAX bytes in one chunk */
-
 /* build writev list
 *
 * 1. limit: num_chunks < max_chunks
- * 2. limit: num_bytes < SSIZE_MAX
+ * 2. limit: num_bytes < max_bytes
 */
 for (num_chunks = 0, tc = c; tc && tc->type == MEM_CHUNK && num_chunks < max_chunks; num_chunks++, tc = tc->next);
@@ -87,9 +84,9 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq
 chunks[i].iov_base = offset;
 /* protect the return value of writev() */
- if (toSend > SSIZE_MAX ||
- num_bytes + toSend > SSIZE_MAX) {
- chunks[i].iov_len = SSIZE_MAX - num_bytes;
+ if (toSend > max_bytes ||
+ (off_t) num_bytes + toSend > max_bytes) {
+ chunks[i].iov_len = max_bytes - num_bytes;
 num_chunks = i + 1;
 break;
@@ -121,6 +118,7 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq
 }
 cq->bytes_out += r;
+ max_bytes -= r;
 /* check which chunks have been written */
@@ -132,11 +130,10 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq
 if (chunk_finished) {
 /* skip the chunks from further touches */
- chunks_written++;
 c = c->next;
 } else {
 /* chunks_written + c = c->next is done in the for()*/
- chunk_finished++;
+ chunk_finished = 1;
 }
 } else {
 /* partially written */
@@ -284,6 +281,8 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq
 assert(toSend < 0);
 }
+ if (toSend > max_bytes) toSend = max_bytes;
+
 #ifdef LOCAL_BUFFERING
 start = c->mem->ptr;
 #else
@@ -309,6 +308,7 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq
 c->offset += r;
 cq->bytes_out += r;
+ max_bytes -= r;
 if (c->offset == c->file.length) {
 chunk_finished = 1;
@@ -334,11 +334,9 @@ int network_write_chunkqueue_writev(server *srv, connection *con, int fd, chunkq
 break;
 }
-
- chunks_written++;
 }
- return chunks_written;
+ return 0;
 }
 #endif
diff --git a/src/request.c b/src/request.c
index 5879efe..a48bf48 100644
--- a/src/request.c
+++ b/src/request.c
@@ -49,7 +49,7 @@ static int request_check_hostname(server *srv, connection *con, buffer *host) {
 if (++colon_cnt > 7) {
 return -1;
 }
- } else if (!light_isxdigit(*c)) {
+ } else if (!light_isxdigit(*c) && '.' != *c) {
 return -1;
 }
 }
diff --git a/src/server.c b/src/server.c
index 5fcbfe4..bad6c07 100644
--- a/src/server.c
+++ b/src/server.c
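Review bot: In the request.c hunk (`@@ -49,7 +49,7 @@`) accepting '.' anywhere in this character loop lets any mix of dots, colons and hex digits through, so a bracketed literal made only of dots and colons now passes request_check_hostname; if the aim is IPv4-mapped addresses such as `[::ffff:192.0.2.1]`, dots belong only in the final group after at least one colon. A minimal tightening is `} else if ('.' == *c) { if (0 == colon_cnt) return -1; }` placed before the hex-digit test, with a comment `/* dotted quad only after a colon (IPv4-mapped IPv6 literal) */`; a full check would also verify that the dotted part is a valid quad. The surrounding loop and the colon_cnt bookkeeping start outside the hunk, so confirm this branch is the IPv6-literal path before changing it.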
@@ -1120,6 +1120,14 @@ int main (int argc, char **argv) {
 "s", "fdevent_init failed");
 return -1;
 }
+
+ /* libev backend overwrites our SIGCHLD handler and calls waitpid on SIGCHLD; we want our own SIGCHLD handling. */
+#ifdef HAVE_SIGACTION
+ sigaction(SIGCHLD, &act, NULL);
+#elif defined(HAVE_SIGNAL)
+ signal(SIGCHLD, signal_handler);
+#endif
+
 /*
 * kqueue() is called here, select resets its internals,
 * all server sockets get their handlers
diff --git a/src/settings.h b/src/settings.h
index 6ee44b6..137a0a8 100644
--- a/src/settings.h
+++ b/src/settings.h
@@ -21,7 +21,10 @@
 * 64kB (no real reason, just a guess)
 */
 #define BUFFER_MAX_REUSE_SIZE (4 * 1024)
-#define MAX_READ_LIMIT (4*1024*1024)
+
+/* both should be way smaller than SSIZE_MAX :) */
+#define MAX_READ_LIMIT (256*1024)
+#define MAX_WRITE_LIMIT (256*1024)
 /**
 * max size of the HTTP request header |
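Review bot: The re-installed SIGCHLD handler ignores the `sigaction` return value and assumes `act` still holds the SIGCHLD setup from the earlier signal installation, which is outside the hunk; if that struct was reused for another signal in between, this re-arms SIGCHLD with whatever it last contained. Checking the result the same way the surrounding code treats fdevent_init failure and stating the assumption, `/* act is the struct prepared for SIGCHLD above; re-arm it after fdevent_init replaced the handler */`, keeps the dependency visible. main continues outside the hunk.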
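Review bot: The new settings.h comment says the limits should be well below SSIZE_MAX but not why 256k was chosen or what the write limit now governs; since the network backends in this diff no longer cap a single sendfile/writev call themselves, the header should say so: `/* MAX_WRITE_LIMIT bounds bytes sent per network_write_chunkqueue() call; the backends rely on it (no internal cap), so keep it well below SSIZE_MAX and small enough to give other connections a turn */`. Lowering MAX_READ_LIMIT from 4 MiB to 256k also changes read-side behaviour and deserves its own line in the changelog.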