#include "first.h"
#include "network.h"
#include "fdevent.h"
#include "log.h"
#include "connections.h"
#include "plugin.h"
#include "joblist.h"
#include "configfile.h"
#include "network_backends.h"
#include "sys-mmap.h"
#include "sys-socket.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <assert.h>
#ifdef USE_OPENSSL
# include <openssl/ssl.h>
# include <openssl/err.h>
# include <openssl/rand.h>
# ifndef OPENSSL_NO_DH
# include <openssl/dh.h>
# endif
# include <openssl/bn.h>
# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
# ifndef OPENSSL_NO_ECDH
# include <openssl/ecdh.h>
# endif
# endif
#endif
#ifdef USE_OPENSSL
/* OpenSSL info callback: counts handshake (re)starts on the connection
 * attached to the SSL object via SSL_set_app_data().  Only the
 * SSL_CB_HANDSHAKE_START event is of interest; everything else is ignored. */
static void ssl_info_callback(const SSL *ssl, int where, int ret) {
	connection *con;
	UNUSED(ret);

	if (0 == (where & SSL_CB_HANDSHAKE_START)) {
		return;
	}

	con = SSL_get_app_data(ssl);
	++con->renegotiations;
}
#endif
/* Disable Nagle (set TCP_NODELAY) on a freshly accept()ed socket.
 *
 * On many systems TCP_NODELAY is inherited from the listening socket, in
 * which case a per-connection setsockopt() is redundant.  The first call
 * probes the accepted socket: if TCP_NODELAY is already set, the kernel
 * inherits it and every later call returns immediately; if it is not set,
 * later calls skip the probe and set the option directly.  A failed probe
 * leaves the cache undecided and the option is set anyway.
 *
 * fd: accepted connection socket.  setsockopt() failures are ignored. */
void
network_accept_tcp_nagle_disable (const int fd)
{
	/* -1: not probed yet; 0: inherited (nothing to do); 1: set per socket */
	static int noinherit_tcpnodelay = -1;
	int nodelay = 1;

	switch (noinherit_tcpnodelay) {
	case 0:
		return; /* TCP_NODELAY inherited from listen socket */
	case -1: {
		int cur;
		socklen_t curlen = sizeof(cur);
		if (0 == getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &cur, &curlen)) {
			noinherit_tcpnodelay = (0 == cur);
			if (cur) {
				return; /* TCP_NODELAY inherited from listen socket */
			}
		}
		break;
	}
	default:
		break;
	}

	(void)setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &nodelay, sizeof(nodelay));
}
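/* fdevent handler for a listening server socket.
 *
 * context is the server_socket the event was registered for.  Any event
 * other than "readable" is logged and reported as an error; otherwise
 * pending connections are accept()ed and pushed through the connection
 * state machine, at most NETWORK_ACCEPT_MAX_PER_EVENT per event.
 *
 * Returns HANDLER_ERROR for an unexpected event, else HANDLER_GO_ON. */
static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
	/* accept() at most this many connections per event, then return to
	 * the event loop so already-accepted connections get serviced too */
	enum { NETWORK_ACCEPT_MAX_PER_EVENT = 100 };
	server_socket *srv_socket = (server_socket *)context;
	connection *con;
	int loops;

	if (0 == (revents & FDEVENT_IN)) {
		log_error_write(srv, __FILE__, __LINE__, "sdd",
				"strange event for server socket",
				srv_socket->fd,
				revents);
		return HANDLER_ERROR;
	}

	for (loops = 0; loops < NETWORK_ACCEPT_MAX_PER_EVENT; loops++) {
		con = connection_accept(srv, srv_socket);
		if (NULL == con) break; /* backlog drained (or accept() failed) */
		connection_state_machine(srv, con);
	}

	return HANDLER_GO_ON;
}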
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
/* TLS SNI (server_name extension) callback.
 *
 * Runs during the handshake, before any HTTP data has been read.  The
 * server name sent by the client is stored (lowercased) in
 * con->tlsext_server_name, the per-connection config is re-patched so
 * $HTTP["host"] conditionals can select a certificate, and that
 * certificate/key pair is installed on this SSL object.  Client
 * certificate verification is configured from the patched config as well.
 *
 * servername is untrusted client input; it is only copied, lowercased,
 * handed to the config matcher and included in log messages here.
 *
 * Returns SSL_TLSEXT_ERR_NOACK when the client sent no SNI (the socket's
 * default certificate stays in effect), SSL_TLSEXT_ERR_ALERT_FATAL when no
 * certificate/key is configured for the name or installing it fails, and
 * SSL_TLSEXT_ERR_OK otherwise.  al (alert code) is not modified. */
static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
	const char *servername;
	connection *con = (connection *) SSL_get_app_data(ssl);
	UNUSED(al);

	buffer_copy_string(con->uri.scheme, "https");

	if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
#if 0
		/* this "error" just means the client didn't support it */
		log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
				"failed to get TLS server name");
#endif
		return SSL_TLSEXT_ERR_NOACK;
	}

	/* lowercased so host matching in the config is case-insensitive */
	buffer_copy_string(con->tlsext_server_name, servername);
	buffer_to_lower(con->tlsext_server_name);

	/* Sometimes this is still set, confusing COMP_HTTP_HOST */
	buffer_reset(con->uri.authority);

	/* re-evaluate the conditionals now that the server name is known;
	 * only socket, scheme and host can be decided this early in the
	 * connection, the other conditions stay invalid */
	config_cond_cache_reset(srv, con);
	config_setup_connection(srv, con);
	con->conditional_is_valid[COMP_SERVER_SOCKET] = 1;
	con->conditional_is_valid[COMP_HTTP_SCHEME] = 1;
	con->conditional_is_valid[COMP_HTTP_HOST] = 1;
	config_patch_connection(srv, con);

	if (NULL == con->conf.ssl_pemfile_x509 || NULL == con->conf.ssl_pemfile_pkey) {
		/* x509/pkey available <=> pemfile was set <=> pemfile got patched: so this should never happen, unless you nest $SERVER["socket"] */
		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
				"no certificate/private key for TLS server name", con->tlsext_server_name);
		return SSL_TLSEXT_ERR_ALERT_FATAL;
	}

	/* first set certificate! setting private key checks whether certificate matches it */
	if (!SSL_use_certificate(ssl, con->conf.ssl_pemfile_x509)) {
		log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
				"failed to set certificate for TLS server name", con->tlsext_server_name,
				ERR_error_string(ERR_get_error(), NULL));
		return SSL_TLSEXT_ERR_ALERT_FATAL;
	}

	if (!SSL_use_PrivateKey(ssl, con->conf.ssl_pemfile_pkey)) {
		log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
				"failed to set private key for TLS server name", con->tlsext_server_name,
				ERR_error_string(ERR_get_error(), NULL));
		return SSL_TLSEXT_ERR_ALERT_FATAL;
	}

	if (con->conf.ssl_verifyclient) {
		if (NULL == con->conf.ssl_ca_file_cert_names) {
			log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:",
					"can't verify client without ssl.ca-file for TLS server name", con->tlsext_server_name,
					ERR_error_string(ERR_get_error(), NULL));
			return SSL_TLSEXT_ERR_ALERT_FATAL;
		}

		/* the duplicated CA list is handed over to (and freed with) the SSL
		 * object; the config's own copy stays untouched */
		SSL_set_client_CA_list(ssl, SSL_dup_CA_list(con->conf.ssl_ca_file_cert_names));
		/* forcing verification here is really not that useful - a client could just connect without SNI */
		/* without ssl_verifyclient_enforce a client presenting no certificate
		 * still completes the handshake; presumably the verify result is
		 * checked later at the request level -- confirm against connections.c */
		SSL_set_verify(
			ssl,
			SSL_VERIFY_PEER | (con->conf.ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
			NULL
		);
		SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth);
	} else {
		SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
	}

	return SSL_TLSEXT_ERR_OK;
}
#endif
/* Create one listening server socket for a $SERVER["socket"] / server.bind
 * host token and append it to srv->srv_sockets.
 *
 * Token forms parsed below: "/path" for a unix domain socket, "ip:port",
 * "[ipv6]:port", or "ip" / "[ipv6]" with the port taken from
 * srv->srvconf.port.  s carries the per-socket options used here
 * (use_ipv6, set_v6only, listen_backlog, ssl_enabled/ssl_ctx, defer_accept,
 * bsd_accept_filter).
 *
 * Returns 0 on success, and also 0 when srv->srvconf.preflight_check is set
 * (token parsed and resolved, no socket created); -1 on error, after the
 * partially built server_socket has been released again.
 *
 * On success the new server_socket is owned by srv->srv_sockets. */
static int network_server_init(server *srv, buffer *host_token, specific_config *s) {
	int val;
	socklen_t addr_len;
	server_socket *srv_socket;
	unsigned int port = 0;
	const char *host;
	buffer *b;
	int err;

#ifdef __WIN32
	WORD wVersionRequested;
	WSADATA wsaData;

	wVersionRequested = MAKEWORD( 2, 2 );

	err = WSAStartup( wVersionRequested, &wsaData );
	if ( err != 0 ) {
		/* Tell the user that we could not find a usable */
		/* WinSock DLL. */
		return -1;
	}
#endif

	err = -1;

	srv_socket = calloc(1, sizeof(*srv_socket));
	force_assert(NULL != srv_socket);
	srv_socket->addr.plain.sa_family = AF_INET; /* default */
	srv_socket->fd = -1;
	srv_socket->fde_ndx = -1;

	srv_socket->srv_token = buffer_init();
	buffer_copy_buffer(srv_socket->srv_token, host_token);

	/* parse a private copy: the separator handling below writes '\0' into it */
	b = buffer_init();
	buffer_copy_buffer(b, host_token);

	host = b->ptr;

	if (host[0] == '/') {
		/* host is a unix-domain-socket */
#ifdef HAVE_SYS_UN_H
		srv_socket->addr.plain.sa_family = AF_UNIX;
#else
		log_error_write(srv, __FILE__, __LINE__, "s",
				"ERROR: Unix Domain sockets are not supported.");
		goto error_free_socket;
#endif
	} else {
		/* ipv4:port
		 * [ipv6]:port
		 */
		size_t len = buffer_string_length(b);
		char *sp = NULL;

		if (0 == len) {
			log_error_write(srv, __FILE__, __LINE__, "s", "value of $SERVER[\"socket\"] must not be empty");
			goto error_free_socket;
		}

		if ((b->ptr[0] == '[' && b->ptr[len-1] == ']') || NULL == (sp = strrchr(b->ptr, ':'))) {
			/* use server.port if set in config, or else default from config_set_defaults() */
			port = srv->srvconf.port;
			sp = b->ptr + len; /* point to '\0' at end of string so end of IPv6 address can be found below */
		} else {
			/* found ip:port separator at *sp; port doesn't end in ']', so *sp hopefully doesn't split an IPv6 address */
			*sp = '\0';
			/* NOTE(review): no endptr/errno check, so trailing non-digits after
			 * the port are silently ignored ("80x" -> 80).  An empty port
			 * string yields 0 and a negative value wraps in the unsigned
			 * assignment; both are rejected by the range check below. */
			port = strtol(sp+1, NULL, 10);
		}

		/* check for [ and ] */
		/* (len > 0, so sp-1 >= b->ptr when sp == b->ptr + len; when strrchr
		 * found ':' at b->ptr the '[' test fails first and sp-1 is not read) */
		if (b->ptr[0] == '[' && *(sp-1) == ']') {
			*(sp-1) = '\0';
			host++;
			s->use_ipv6 = 1;
		}

		if (port == 0 || port > 65535) {
			log_error_write(srv, __FILE__, __LINE__, "sd", "port not set or out of range:", port);
			goto error_free_socket;
		}
	}

	/* an empty host part (e.g. ":80" or "[]:80") means "any address" */
	if (*host == '\0') host = NULL;

#ifdef HAVE_IPV6
	if (s->use_ipv6) {
		srv_socket->addr.plain.sa_family = AF_INET6;
	}
#endif

	/* fill srv_socket->addr and addr_len for the chosen family */
	switch(srv_socket->addr.plain.sa_family) {
#ifdef HAVE_IPV6
	case AF_INET6:
		memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in6));
		srv_socket->addr.ipv6.sin6_family = AF_INET6;
		if (host == NULL) {
			srv_socket->addr.ipv6.sin6_addr = in6addr_any;
			log_error_write(srv, __FILE__, __LINE__, "s", "warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes");
		} else {
			struct addrinfo hints, *res;
			int r;

			memset(&hints, 0, sizeof(hints));

			hints.ai_family = AF_INET6;
			hints.ai_socktype = SOCK_STREAM;
			hints.ai_protocol = IPPROTO_TCP;

			if (0 != (r = getaddrinfo(host, NULL, &hints, &res))) {
				/* not resolvable as IPv6: retry as IPv4 and, if that works,
				 * leave the switch with an AF_INET address instead */
				hints.ai_family = AF_INET;
				if (
#ifdef EAI_ADDRFAMILY
				    EAI_ADDRFAMILY == r &&
#endif
				    0 == getaddrinfo(host, NULL, &hints, &res)) {
					memcpy(&srv_socket->addr.ipv4, res->ai_addr, res->ai_addrlen);
					srv_socket->addr.ipv4.sin_family = AF_INET;
					srv_socket->addr.ipv4.sin_port = htons(port);
					addr_len = sizeof(struct sockaddr_in);
					/*assert(addr_len == res->ai_addrlen);*/
					freeaddrinfo(res);
					break;
				}

				log_error_write(srv, __FILE__, __LINE__,
						"sssss", "getaddrinfo failed: ",
						gai_strerror(r), "'", host, "'");

				goto error_free_socket;
			}

			/* hints restrict the result to AF_INET6, so ai_addrlen fits sockaddr_in6 */
			memcpy(&(srv_socket->addr), res->ai_addr, res->ai_addrlen);

			freeaddrinfo(res);
		}
		srv_socket->addr.ipv6.sin6_port = htons(port);
		addr_len = sizeof(struct sockaddr_in6);
		break;
#endif
	case AF_INET:
		memset(&srv_socket->addr, 0, sizeof(struct sockaddr_in));
		srv_socket->addr.ipv4.sin_family = AF_INET;
		if (host == NULL) {
			srv_socket->addr.ipv4.sin_addr.s_addr = htonl(INADDR_ANY);
		} else {
			/* NOTE(review): gethostbyname() is obsolete and generally not
			 * thread-safe; presumably acceptable because this runs once at
			 * startup, but getaddrinfo() (as in the IPv6 branch) would be
			 * the consistent choice */
			struct hostent *he;
			if (NULL == (he = gethostbyname(host))) {
				log_error_write(srv, __FILE__, __LINE__,
						"sds", "gethostbyname failed: ",
						h_errno, host);
				goto error_free_socket;
			}

			/* both checks guard the memcpy() below */
			if (he->h_addrtype != AF_INET) {
				log_error_write(srv, __FILE__, __LINE__, "sd", "addr-type != AF_INET: ", he->h_addrtype);
				goto error_free_socket;
			}

			if (he->h_length != sizeof(struct in_addr)) {
				log_error_write(srv, __FILE__, __LINE__, "sd", "addr-length != sizeof(in_addr): ", he->h_length);
				goto error_free_socket;
			}

			memcpy(&(srv_socket->addr.ipv4.sin_addr.s_addr), he->h_addr_list[0], he->h_length);
		}
		srv_socket->addr.ipv4.sin_port = htons(port);
		addr_len = sizeof(struct sockaddr_in);
		break;
#ifdef HAVE_SYS_UN_H
	case AF_UNIX:
		memset(&srv_socket->addr, 0, sizeof(struct sockaddr_un));
		srv_socket->addr.un.sun_family = AF_UNIX;
		{
			/* hostlen includes the terminating '\0' so sun_path stays terminated */
			size_t hostlen = strlen(host) + 1;
			if (hostlen > sizeof(srv_socket->addr.un.sun_path)) {
				log_error_write(srv, __FILE__, __LINE__, "sS", "unix socket filename too long:", host);
				goto error_free_socket;
			}
			memcpy(srv_socket->addr.un.sun_path, host, hostlen);

#if defined(SUN_LEN)
			addr_len = SUN_LEN(&srv_socket->addr.un);
#else
			/* stevens says: */
			addr_len = hostlen + sizeof(srv_socket->addr.un.sun_family);
#endif
		}
		break;
#endif
	default:
		goto error_free_socket;
	}

	/* config test (preflight) stops here: nothing has been opened yet, and
	 * err = 0 makes the shared cleanup path report success */
	if (srv->srvconf.preflight_check) {
		err = 0;
		goto error_free_socket;
	}

	if (srv->sockets_disabled) { /* lighttpd -1 (one-shot mode) */
		/* no socket is created (fd stays -1); the entry is still recorded.
		 * NOTE(review): unlike the normal path below, a NULL s->ssl_ctx is
		 * not diagnosed here */
#ifdef USE_OPENSSL
		if (s->ssl_enabled) srv_socket->ssl_ctx = s->ssl_ctx;
#endif
		goto srv_sockets_append;
	}

#ifdef HAVE_SYS_UN_H
	if (AF_UNIX == srv_socket->addr.plain.sa_family) {
		/* check if the socket exists and try to connect to it. */
		force_assert(host); /*(static analysis hint)*/
		if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, 0))) {
			log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
			goto error_free_socket;
		}

		/* a successful connect() means another process is listening there */
		if (0 == connect(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len)) {
			log_error_write(srv, __FILE__, __LINE__, "ss",
				"server socket is still in use:",
				host);


			goto error_free_socket;
		}

		/* connect failed */
		switch(errno) {
		case ECONNREFUSED:
			/* socket file exists but nobody listens: treated as stale and
			 * removed so that bind() below can succeed (host comes from the
			 * operator's config, not from a client) */
			unlink(host);
			break;
		case ENOENT:
			break;
		default:
			log_error_write(srv, __FILE__, __LINE__, "sds",
				"testing socket failed:",
				host, strerror(errno));

			goto error_free_socket;
		}
	} else
#endif
	{
		if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
			log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
			goto error_free_socket;
		}

#ifdef HAVE_IPV6
		/* only for explicit IPv6 addresses; the "any" address case above
		 * already warned that it depends on the kernel's IPV6_V6ONLY default */
		if (AF_INET6 == srv_socket->addr.plain.sa_family
		    && host != NULL) {
			if (s->set_v6only) {
				val = 1;
				if (-1 == setsockopt(srv_socket->fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof(val))) {
					log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(IPV6_V6ONLY) failed:", strerror(errno));
					goto error_free_socket;
				}
			} else {
				log_error_write(srv, __FILE__, __LINE__, "s", "warning: server.set-v6only will be removed soon, update your config to have different sockets for ipv4 and ipv6");
			}
		}
#endif
	}

	/* set FD_CLOEXEC now, fdevent_fcntl_set is called later; needed for pipe-logger forks */
	fd_close_on_exec(srv_socket->fd);

	/* NOTE(review): assigns (does not increment) cur_fds -- presumably relies
	 * on listen fds being the lowest/most recent fds at startup; confirm the
	 * intended meaning of cur_fds against server.c */
	srv->cur_fds = srv_socket->fd;

	/* allow a quick restart while old connections are still in TIME_WAIT */
	val = 1;
	if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
		log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(SO_REUSEADDR) failed:", strerror(errno));
		goto error_free_socket;
	}

	/* TCP_NODELAY is set on the listen socket so accepted sockets can inherit
	 * it (see network_accept_tcp_nagle_disable); not meaningful for AF_UNIX */
	if (srv_socket->addr.plain.sa_family != AF_UNIX) {
		val = 1;
		if (setsockopt(srv_socket->fd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val)) < 0) {
			log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt(TCP_NODELAY) failed:", strerror(errno));
			goto error_free_socket;
		}
	}

	if (0 != bind(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len)) {
		switch(srv_socket->addr.plain.sa_family) {
			case AF_UNIX:
				log_error_write(srv, __FILE__, __LINE__, "sds",
						"can't bind to socket:",
						host, strerror(errno));
				break;
			default:
				log_error_write(srv, __FILE__, __LINE__, "ssds",
						"can't bind to port:",
						host, port, strerror(errno));
				break;
		}
		goto error_free_socket;
	}

	if (-1 == listen(srv_socket->fd, s->listen_backlog)) {
		log_error_write(srv, __FILE__, __LINE__, "ss", "listen failed: ", strerror(errno));
		goto error_free_socket;
	}

	if (s->ssl_enabled) {
#ifdef USE_OPENSSL
		/* the SSL_CTX is presumably built during config processing; a missing
		 * one means ssl.engine is on without a usable ssl.pemfile */
		if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
			log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
			goto error_free_socket;
		}
#else

		log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
				"ssl requested but openssl support is not compiled in");
		goto error_free_socket;
#endif
#ifdef TCP_DEFER_ACCEPT
	} else if (s->defer_accept) {
		/* best effort: a failure is logged but does not fail the socket */
		int v = s->defer_accept;
		if (-1 == setsockopt(srv_socket->fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &v, sizeof(v))) {
			log_error_write(srv, __FILE__, __LINE__, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno));
		}
#endif
#if defined(__FreeBSD__) || defined(__NetBSD__) \
 || defined(__OpenBSD__) || defined(__DragonflyBSD__)
	} else if (!buffer_is_empty(s->bsd_accept_filter)
		   && (buffer_is_equal_string(s->bsd_accept_filter, CONST_STR_LEN("httpready"))
		       || buffer_is_equal_string(s->bsd_accept_filter, CONST_STR_LEN("dataready")))) {
#ifdef SO_ACCEPTFILTER
		/* FreeBSD accf_http filter */
		/* af_name only ever receives "httpready" or "dataready" (checked just
		 * above), so the strncpy() fits and stays NUL-terminated as long as
		 * af_name holds at least 10 bytes; ENOENT (filter module not loaded)
		 * is deliberately not reported */
		struct accept_filter_arg afa;
		memset(&afa, 0, sizeof(afa));
		strncpy(afa.af_name, s->bsd_accept_filter->ptr, sizeof(afa.af_name));
		if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)) < 0) {
			if (errno != ENOENT) {
				log_error_write(srv, __FILE__, __LINE__, "SBss", "can't set accept-filter '", s->bsd_accept_filter, "':", strerror(errno));
			}
		}
#endif
#endif
	}

srv_sockets_append:
	srv_socket->is_ssl = s->ssl_enabled;

	/* grow the socket list in steps of 4; force_assert aborts on allocation
	 * failure, so the direct realloc() assignment cannot leak here */
	if (srv->srv_sockets.size == 0) {
		srv->srv_sockets.size = 4;
		srv->srv_sockets.used = 0;
		srv->srv_sockets.ptr = malloc(srv->srv_sockets.size * sizeof(server_socket*));
		force_assert(NULL != srv->srv_sockets.ptr);
	} else if (srv->srv_sockets.used == srv->srv_sockets.size) {
		srv->srv_sockets.size += 4;
		srv->srv_sockets.ptr = realloc(srv->srv_sockets.ptr, srv->srv_sockets.size * sizeof(server_socket*));
		force_assert(NULL != srv->srv_sockets.ptr);
	}

	srv->srv_sockets.ptr[srv->srv_sockets.used++] = srv_socket;

	buffer_free(b);

	return 0;

error_free_socket:
	if (srv_socket->fd != -1) {
		/* check if server fd are already registered */
		/* (fde_ndx is initialised to -1 above and not registered within this
		 * function, so this branch appears to be purely defensive) */
		if (srv_socket->fde_ndx != -1) {
			fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
			fdevent_unregister(srv->ev, srv_socket->fd);
		}

		close(srv_socket->fd);
	}
	buffer_free(srv_socket->srv_token);
	free(srv_socket);
	buffer_free(b);

	return err; /* -1 if error; 0 if srv->srvconf.preflight_check successful */
}
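/* Close and release every listening socket in srv->srv_sockets.
 *
 * For each server_socket with an open fd the fdevent registration (if any)
 * is dropped and the fd closed; the token buffer and the struct are freed.
 * The array itself is freed and the list reset to empty so that a second
 * call, or a later network_server_init(), never touches freed memory.
 *
 * Returns 0. */
int network_close(server *srv) {
	size_t i;

	for (i = 0; i < srv->srv_sockets.used; i++) {
		server_socket *srv_socket = srv->srv_sockets.ptr[i];

		if (srv_socket->fd != -1) {
			/* unregister from the event loop before closing the fd, so the
			 * fd number cannot be reused while still registered */
			if (srv_socket->fde_ndx != -1) {
				fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
				fdevent_unregister(srv->ev, srv_socket->fd);
			}

			close(srv_socket->fd);
		}

		buffer_free(srv_socket->srv_token);
		free(srv_socket);
	}

	free(srv->srv_sockets.ptr);
	/* leave a consistent empty list behind: no dangling pointer, and
	 * network_server_init() would allocate a fresh array if called again */
	srv->srv_sockets.ptr = NULL;
	srv->srv_sockets.used = 0;
	srv->srv_sockets.size = 0;

	return 0;
}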
/* Selector for the routine used to write response data to a socket.
 * Presumably chosen in network_init() (below) from the configured
 * server.network-backend and the backends compiled in -- confirm there. */
typedef enum {
	NETWORK_BACKEND_UNSET,     /* no backend selected yet */
	NETWORK_BACKEND_WRITE,     /* plain write()-based backend (by name) */
	NETWORK_BACKEND_WRITEV,    /* writev()-based backend (by name) */
	NETWORK_BACKEND_SENDFILE,  /* sendfile()-style backend (by name) */
} network_backend_t;
#ifdef USE_OPENSSL
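/* Load the first X509 certificate from a PEM file.
 *
 * file is the path from ssl.pemfile.  On failure the error is logged with
 * the pending OpenSSL reason (which also consumes it from the error queue,
 * so it is not later reported against an unrelated operation) and NULL is
 * returned.  On success the caller owns the returned X509 (X509_free()). */
static X509* x509_load_pem_file(server *srv, const char *file) {
	BIO *in = BIO_new(BIO_s_file());
	X509 *x = NULL;

	if (NULL == in) {
		log_error_write(srv, __FILE__, __LINE__, "S", "SSL: BIO_new(BIO_s_file()) failed");
		return NULL;
	}

	if (BIO_read_filename(in,file) <= 0) {
		/* typically a failed open(): the OpenSSL reason carries the errno text */
		log_error_write(srv, __FILE__, __LINE__, "SSS:s", "SSL: BIO_read_filename('", file,"') failed",
				ERR_error_string(ERR_get_error(), NULL));
	} else if (NULL == (x = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
		log_error_write(srv, __FILE__, __LINE__, "SSS:s", "SSL: couldn't read X509 certificate from '", file,"'",
				ERR_error_string(ERR_get_error(), NULL));
	}

	/* single release point; x is NULL on every error path */
	BIO_free(in);
	return x;
}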
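/* Load the first private key from a PEM file.
 *
 * file is the path from ssl.pemfile.  On failure the error is logged with
 * the pending OpenSSL reason (which also consumes it from the error queue,
 * so it is not later reported against an unrelated operation) and NULL is
 * returned.  On success the caller owns the returned key (EVP_PKEY_free()).
 *
 * NOTE(review): the passphrase callback is NULL, so for an encrypted key
 * OpenSSL's default callback applies (it normally prompts on the terminal);
 * confirm that this is the intended behaviour for a daemon. */
static EVP_PKEY* evp_pkey_load_pem_file(server *srv, const char *file) {
	BIO *in = BIO_new(BIO_s_file());
	EVP_PKEY *x = NULL;

	if (NULL == in) {
		/* "S" (no trailing space) for consistency with x509_load_pem_file */
		log_error_write(srv, __FILE__, __LINE__, "S", "SSL: BIO_new(BIO_s_file()) failed");
		return NULL;
	}

	if (BIO_read_filename(in,file) <= 0) {
		/* typically a failed open(): the OpenSSL reason carries the errno text */
		log_error_write(srv, __FILE__, __LINE__, "SSS:s", "SSL: BIO_read_filename('", file,"') failed",
				ERR_error_string(ERR_get_error(), NULL));
	} else if (NULL == (x = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL))) {
		log_error_write(srv, __FILE__, __LINE__, "SSS:s", "SSL: couldn't read private key from '", file,"'",
				ERR_error_string(ERR_get_error(), NULL));
	}

	/* single release point; x is NULL on every error path */
	BIO_free(in);
	return x;
}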
/* Load certificate and private key for config context ndx from its
 * ssl.pemfile into s->ssl_pemfile_x509 / s->ssl_pemfile_pkey and check
 * that the two belong together.
 *
 * Without TLS extension support (no SNI) a pemfile can only be honoured
 * in a $SERVER["socket"] == ... context with ssl enabled; anything else is
 * rejected up front.
 *
 * Returns 0 on success, -1 after logging on any failure.  Objects loaded
 * before a failure stay assigned to s (presumably released with the config). */
static int network_openssl_load_pemfile(server *srv, size_t ndx) {
	specific_config *s = srv->config_storage[ndx];
	const char *pemfile;

#ifdef OPENSSL_NO_TLSEXT
	{
		data_config *dc = (data_config *)srv->config_context->data[ndx];
		if ((ndx > 0 && !(COMP_SERVER_SOCKET == dc->comp && dc->cond == CONFIG_COND_EQ))
		    || !s->ssl_enabled) {
			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
					"ssl.pemfile only works in SSL socket binding context as openssl version does not support TLS extensions");
			return -1;
		}
	}
#endif

	pemfile = s->ssl_pemfile->ptr;

	s->ssl_pemfile_x509 = x509_load_pem_file(srv, pemfile);
	if (NULL == s->ssl_pemfile_x509) {
		return -1;
	}

	s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, pemfile);
	if (NULL == s->ssl_pemfile_pkey) {
		return -1;
	}

	if (X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
		return 0;
	}

	log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
			"Private key does not match the certificate public key, reason:",
			ERR_error_string(ERR_get_error(), NULL),
			s->ssl_pemfile);
	return -1;
}
#endif
int network_init(server *srv) {
buffer *b;
size_t i, j;
network_backend_t backend;
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh;
int nid;
#endif
#endif
#ifdef USE_OPENSSL
# ifndef OPENSSL_NO_DH
DH *dh;
# endif