1 /*
2 * nghttp2 - HTTP/2 C Library
3 *
4 * Copyright (c) 2015 Tatsuhiro Tsujikawa
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24 */
25 #include "shrpx_connection.h"
26
27 #ifdef HAVE_UNISTD_H
28 # include <unistd.h>
29 #endif // HAVE_UNISTD_H
30 #include <netinet/tcp.h>
31
32 #include <limits>
33
34 #include <openssl/err.h>
35
36 #include "shrpx_tls.h"
37 #include "shrpx_memcached_request.h"
38 #include "shrpx_log.h"
39 #include "memchunk.h"
40 #include "util.h"
41 #include "ssl_compat.h"
42
43 using namespace nghttp2;
44 using namespace std::chrono_literals;
45
46 namespace shrpx {
47
48 #if !LIBRESSL_3_5_API && !LIBRESSL_2_7_API && !OPENSSL_1_1_API
49
BIO_get_data(BIO * bio)50 void *BIO_get_data(BIO *bio) { return bio->ptr; }
BIO_set_data(BIO * bio,void * ptr)51 void BIO_set_data(BIO *bio, void *ptr) { bio->ptr = ptr; }
BIO_set_init(BIO * bio,int init)52 void BIO_set_init(BIO *bio, int init) { bio->init = init; }
53
54 #endif // !LIBRESSL_3_5_API && !LIBRESSL_2_7_API && !OPENSSL_1_1_API
55
Connection(struct ev_loop * loop,int fd,SSL * ssl,MemchunkPool * mcpool,ev_tstamp write_timeout,ev_tstamp read_timeout,const RateLimitConfig & write_limit,const RateLimitConfig & read_limit,IOCb writecb,IOCb readcb,TimerCb timeoutcb,void * data,size_t tls_dyn_rec_warmup_threshold,ev_tstamp tls_dyn_rec_idle_timeout,Proto proto)56 Connection::Connection(struct ev_loop *loop, int fd, SSL *ssl,
57 MemchunkPool *mcpool, ev_tstamp write_timeout,
58 ev_tstamp read_timeout,
59 const RateLimitConfig &write_limit,
60 const RateLimitConfig &read_limit, IOCb writecb,
61 IOCb readcb, TimerCb timeoutcb, void *data,
62 size_t tls_dyn_rec_warmup_threshold,
63 ev_tstamp tls_dyn_rec_idle_timeout, Proto proto)
64 :
65 #ifdef ENABLE_HTTP3
66 conn_ref{nullptr, this},
67 #endif // ENABLE_HTTP3
68 tls{DefaultMemchunks(mcpool), DefaultPeekMemchunks(mcpool),
69 DefaultMemchunks(mcpool)},
70 wlimit(loop, &wev, write_limit.rate, write_limit.burst),
71 rlimit(loop, &rev, read_limit.rate, read_limit.burst, this),
72 loop(loop),
73 data(data),
74 fd(fd),
75 tls_dyn_rec_warmup_threshold(tls_dyn_rec_warmup_threshold),
76 tls_dyn_rec_idle_timeout(util::duration_from(tls_dyn_rec_idle_timeout)),
77 proto(proto),
78 read_timeout(read_timeout) {
79
80 ev_io_init(&wev, writecb, fd, EV_WRITE);
81 ev_io_init(&rev, readcb, proto == Proto::HTTP3 ? 0 : fd, EV_READ);
82
83 wev.data = this;
84 rev.data = this;
85
86 ev_timer_init(&wt, timeoutcb, 0., write_timeout);
87 ev_timer_init(&rt, timeoutcb, 0., read_timeout);
88
89 wt.data = this;
90 rt.data = this;
91
92 if (ssl) {
93 set_ssl(ssl);
94 }
95 }
96
~Connection()97 Connection::~Connection() { disconnect(); }
98
disconnect()99 void Connection::disconnect() {
100 if (tls.ssl) {
101 if (proto != Proto::HTTP3) {
102 SSL_set_shutdown(tls.ssl,
103 SSL_get_shutdown(tls.ssl) | SSL_RECEIVED_SHUTDOWN);
104 ERR_clear_error();
105
106 if (tls.cached_session) {
107 SSL_SESSION_free(tls.cached_session);
108 tls.cached_session = nullptr;
109 }
110
111 if (tls.cached_session_lookup_req) {
112 tls.cached_session_lookup_req->canceled = true;
113 tls.cached_session_lookup_req = nullptr;
114 }
115
116 SSL_shutdown(tls.ssl);
117 }
118
119 SSL_free(tls.ssl);
120 tls.ssl = nullptr;
121
122 tls.wbuf.reset();
123 tls.rbuf.reset();
124 tls.last_write_idle = {};
125 tls.warmup_writelen = 0;
126 tls.last_writelen = 0;
127 tls.last_readlen = 0;
128 tls.handshake_state = TLSHandshakeState::NORMAL;
129 tls.initial_handshake_done = false;
130 tls.reneg_started = false;
131 tls.sct_requested = false;
132 tls.early_data_finish = false;
133 }
134
135 if (proto != Proto::HTTP3 && fd != -1) {
136 shutdown(fd, SHUT_WR);
137 close(fd);
138 fd = -1;
139 }
140
141 // Stop watchers here because they could be activated in
142 // SSL_shutdown().
143 ev_timer_stop(loop, &rt);
144 ev_timer_stop(loop, &wt);
145
146 rlimit.stopw();
147 wlimit.stopw();
148 }
149
prepare_client_handshake()150 void Connection::prepare_client_handshake() {
151 SSL_set_connect_state(tls.ssl);
152 // This prevents SSL_read_early_data from being called.
153 tls.early_data_finish = true;
154 }
155
prepare_server_handshake()156 void Connection::prepare_server_handshake() {
157 auto &tlsconf = get_config()->tls;
158 if (proto != Proto::HTTP3 && !tlsconf.session_cache.memcached.host.empty()) {
159 auto bio = BIO_new(tlsconf.bio_method);
160 BIO_set_data(bio, this);
161 SSL_set_bio(tls.ssl, bio, bio);
162 }
163
164 SSL_set_accept_state(tls.ssl);
165 tls.server_handshake = true;
166 }
167
168 // BIO implementation is inspired by openldap implementation:
169 // http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls_o.c
170 namespace {
shrpx_bio_write(BIO * b,const char * buf,int len)171 int shrpx_bio_write(BIO *b, const char *buf, int len) {
172 if (buf == nullptr || len <= 0) {
173 return 0;
174 }
175
176 auto conn = static_cast<Connection *>(BIO_get_data(b));
177 auto &wbuf = conn->tls.wbuf;
178
179 BIO_clear_retry_flags(b);
180
181 if (conn->tls.initial_handshake_done) {
182 // After handshake finished, send |buf| of length |len| to the
183 // socket directly.
184
185 // Only when TLS session was prematurely ended before server sent
186 // all handshake message, this condition is true. This could be
187 // alert from SSL_shutdown(). Since connection is already down,
188 // just return error.
189 if (wbuf.rleft()) {
190 return -1;
191 }
192 auto nwrite = conn->write_clear(buf, len);
193 if (nwrite < 0) {
194 return -1;
195 }
196
197 if (nwrite == 0) {
198 BIO_set_retry_write(b);
199 return -1;
200 }
201
202 return nwrite;
203 }
204
205 wbuf.append(buf, len);
206
207 return len;
208 }
209 } // namespace
210
211 namespace {
shrpx_bio_read(BIO * b,char * buf,int len)212 int shrpx_bio_read(BIO *b, char *buf, int len) {
213 if (buf == nullptr || len <= 0) {
214 return 0;
215 }
216
217 auto conn = static_cast<Connection *>(BIO_get_data(b));
218 auto &rbuf = conn->tls.rbuf;
219
220 BIO_clear_retry_flags(b);
221
222 if (conn->tls.initial_handshake_done && rbuf.rleft() == 0) {
223 auto nread = conn->read_clear(buf, len);
224 if (nread < 0) {
225 return -1;
226 }
227 if (nread == 0) {
228 BIO_set_retry_read(b);
229 return -1;
230 }
231 return nread;
232 }
233
234 if (rbuf.rleft() == 0) {
235 BIO_set_retry_read(b);
236 return -1;
237 }
238
239 return rbuf.remove(buf, len);
240 }
241 } // namespace
242
243 namespace {
shrpx_bio_puts(BIO * b,const char * str)244 int shrpx_bio_puts(BIO *b, const char *str) {
245 return shrpx_bio_write(b, str, strlen(str));
246 }
247 } // namespace
248
249 namespace {
shrpx_bio_gets(BIO * b,char * buf,int len)250 int shrpx_bio_gets(BIO *b, char *buf, int len) { return -1; }
251 } // namespace
252
253 namespace {
shrpx_bio_ctrl(BIO * b,int cmd,long num,void * ptr)254 long shrpx_bio_ctrl(BIO *b, int cmd, long num, void *ptr) {
255 switch (cmd) {
256 case BIO_CTRL_FLUSH:
257 return 1;
258 }
259
260 return 0;
261 }
262 } // namespace
263
264 namespace {
shrpx_bio_create(BIO * b)265 int shrpx_bio_create(BIO *b) {
266 #if OPENSSL_1_1_API || LIBRESSL_3_5_API
267 BIO_set_init(b, 1);
268 #else // !OPENSSL_1_1_API && !LIBRESSL_3_5_API
269 b->init = 1;
270 b->num = 0;
271 b->ptr = nullptr;
272 b->flags = 0;
273 #endif // !OPENSSL_1_1_API && !LIBRESSL_3_5_API
274 return 1;
275 }
276 } // namespace
277
278 namespace {
shrpx_bio_destroy(BIO * b)279 int shrpx_bio_destroy(BIO *b) {
280 if (b == nullptr) {
281 return 0;
282 }
283
284 #if !OPENSSL_1_1_API && !LIBRESSL_3_5_API
285 b->ptr = nullptr;
286 b->init = 0;
287 b->flags = 0;
288 #endif // !OPENSSL_1_1_API && !LIBRESSL_3_5_API
289
290 return 1;
291 }
292 } // namespace
293
294 #if OPENSSL_1_1_API || LIBRESSL_3_5_API
295
create_bio_method()296 BIO_METHOD *create_bio_method() {
297 auto meth = BIO_meth_new(BIO_TYPE_FD, "nghttpx-bio");
298 BIO_meth_set_write(meth, shrpx_bio_write);
299 BIO_meth_set_read(meth, shrpx_bio_read);
300 BIO_meth_set_puts(meth, shrpx_bio_puts);
301 BIO_meth_set_gets(meth, shrpx_bio_gets);
302 BIO_meth_set_ctrl(meth, shrpx_bio_ctrl);
303 BIO_meth_set_create(meth, shrpx_bio_create);
304 BIO_meth_set_destroy(meth, shrpx_bio_destroy);
305
306 return meth;
307 }
308
309 #else // !OPENSSL_1_1_API && !LIBRESSL_3_5_API
310
create_bio_method()311 BIO_METHOD *create_bio_method() {
312 static auto meth = new BIO_METHOD{
313 BIO_TYPE_FD, "nghttpx-bio", shrpx_bio_write,
314 shrpx_bio_read, shrpx_bio_puts, shrpx_bio_gets,
315 shrpx_bio_ctrl, shrpx_bio_create, shrpx_bio_destroy,
316 };
317
318 return meth;
319 }
320
321 #endif // !OPENSSL_1_1_API && !LIBRESSL_3_5_API
322
set_ssl(SSL * ssl)323 void Connection::set_ssl(SSL *ssl) {
324 tls.ssl = ssl;
325
326 SSL_set_app_data(tls.ssl, this);
327 }
328
329 namespace {
330 // We should buffer at least full encrypted TLS record here.
331 // Theoretically, peer can send client hello in several TLS records,
332 // which could exceed this limit, but it is not portable, and we don't
333 // have to handle such exotic behaviour.
read_buffer_full(DefaultPeekMemchunks & rbuf)334 bool read_buffer_full(DefaultPeekMemchunks &rbuf) {
335 return rbuf.rleft_buffered() >= 20_k;
336 }
337 } // namespace
338
tls_handshake()339 int Connection::tls_handshake() {
340 wlimit.stopw();
341 ev_timer_stop(loop, &wt);
342
343 auto &tlsconf = get_config()->tls;
344
345 if (!tls.server_handshake || tlsconf.session_cache.memcached.host.empty()) {
346 return tls_handshake_simple();
347 }
348
349 std::array<uint8_t, 16_k> buf;
350
351 if (ev_is_active(&rev)) {
352 auto nread = read_clear(buf.data(), buf.size());
353 if (nread < 0) {
354 if (LOG_ENABLED(INFO)) {
355 LOG(INFO) << "tls: handshake read error";
356 }
357 return -1;
358 }
359 tls.rbuf.append(buf.data(), nread);
360 if (read_buffer_full(tls.rbuf)) {
361 rlimit.stopw();
362 }
363 }
364
365 if (tls.initial_handshake_done) {
366 return write_tls_pending_handshake();
367 }
368
369 switch (tls.handshake_state) {
370 case TLSHandshakeState::WAIT_FOR_SESSION_CACHE:
371 return SHRPX_ERR_INPROGRESS;
372 case TLSHandshakeState::GOT_SESSION_CACHE: {
373 // Use the same trick invented by @kazuho in h2o project.
374
375 // Discard all outgoing data.
376 tls.wbuf.reset();
377 // Rewind buffered incoming data to replay client hello.
378 tls.rbuf.disable_peek(false);
379
380 auto ssl_ctx = SSL_get_SSL_CTX(tls.ssl);
381 auto ssl_opts = SSL_get_options(tls.ssl);
382 SSL_free(tls.ssl);
383
384 auto ssl = tls::create_ssl(ssl_ctx);
385 if (!ssl) {
386 return -1;
387 }
388 if (ssl_opts & SSL_OP_NO_TICKET) {
389 SSL_set_options(ssl, SSL_OP_NO_TICKET);
390 }
391
392 set_ssl(ssl);
393
394 prepare_server_handshake();
395
396 tls.handshake_state = TLSHandshakeState::NORMAL;
397 break;
398 }
399 case TLSHandshakeState::CANCEL_SESSION_CACHE:
400 tls.handshake_state = TLSHandshakeState::NORMAL;
401 break;
402 default:
403 break;
404 }
405
406 int rv;
407
408 ERR_clear_error();
409
410 #if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
411 if (!tls.server_handshake || tls.early_data_finish) {
412 rv = SSL_do_handshake(tls.ssl);
413 } else {
414 for (;;) {
415 size_t nread;
416
417 rv = SSL_read_early_data(tls.ssl, buf.data(), buf.size(), &nread);
418 if (rv == SSL_READ_EARLY_DATA_ERROR) {
419 // If we have early data, and server sends ServerHello, assume
420 // that handshake is completed in server side, and start
421 // processing request. If we don't exit handshake code here,
422 // server waits for EndOfEarlyData and Finished message from
423 // client, which voids the purpose of 0-RTT data. The left
424 // over of handshake is done through write_tls or read_tls.
425 if (tlsconf.no_postpone_early_data &&
426 (tls.handshake_state == TLSHandshakeState::WRITE_STARTED ||
427 tls.wbuf.rleft()) &&
428 tls.earlybuf.rleft()) {
429 rv = 1;
430 }
431
432 break;
433 }
434
435 if (LOG_ENABLED(INFO)) {
436 LOG(INFO) << "tls: read early data " << nread << " bytes";
437 }
438
439 tls.earlybuf.append(buf.data(), nread);
440
441 if (rv == SSL_READ_EARLY_DATA_FINISH) {
442 if (LOG_ENABLED(INFO)) {
443 LOG(INFO) << "tls: read all early data; total "
444 << tls.earlybuf.rleft() << " bytes";
445 }
446 tls.early_data_finish = true;
447 // The same reason stated above.
448 if (tlsconf.no_postpone_early_data &&
449 (tls.handshake_state == TLSHandshakeState::WRITE_STARTED ||
450 tls.wbuf.rleft()) &&
451 tls.earlybuf.rleft()) {
452 rv = 1;
453 } else {
454 ERR_clear_error();
455 rv = SSL_do_handshake(tls.ssl);
456 }
457 break;
458 }
459 }
460 }
461 #else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
462 rv = SSL_do_handshake(tls.ssl);
463 #endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
464
465 if (rv <= 0) {
466 auto err = SSL_get_error(tls.ssl, rv);
467 switch (err) {
468 case SSL_ERROR_WANT_READ:
469 if (read_buffer_full(tls.rbuf)) {
470 if (LOG_ENABLED(INFO)) {
471 LOG(INFO) << "tls: handshake message is too large";
472 }
473 return -1;
474 }
475 break;
476 case SSL_ERROR_WANT_WRITE:
477 break;
478 case SSL_ERROR_SSL: {
479 if (LOG_ENABLED(INFO)) {
480 LOG(INFO) << "tls: handshake libssl error: "
481 << ERR_error_string(ERR_get_error(), nullptr);
482 }
483
484 struct iovec iov[1];
485 auto iovcnt = tls.wbuf.riovec(iov, 1);
486 auto nwrite = writev_clear(iov, iovcnt);
487 if (nwrite > 0) {
488 tls.wbuf.drain(nwrite);
489 }
490
491 return SHRPX_ERR_NETWORK;
492 }
493 default:
494 if (LOG_ENABLED(INFO)) {
495 LOG(INFO) << "tls: handshake libssl error " << err;
496 }
497 return SHRPX_ERR_NETWORK;
498 }
499 }
500
501 if (tls.handshake_state == TLSHandshakeState::WAIT_FOR_SESSION_CACHE) {
502 if (LOG_ENABLED(INFO)) {
503 LOG(INFO) << "tls: handshake is still in progress";
504 }
505 return SHRPX_ERR_INPROGRESS;
506 }
507
508 // Don't send handshake data if handshake was completed in OpenSSL
509 // routine. We have to check HTTP/2 requirement if HTTP/2 was
510 // negotiated before sending finished message to the peer.
511 if ((rv != 1
512 #ifdef OPENSSL_IS_BORINGSSL
513 || SSL_in_init(tls.ssl)
514 #endif // OPENSSL_IS_BORINGSSL
515 ) &&
516 tls.wbuf.rleft()) {
517 // First write indicates that resumption stuff has done.
518 if (tls.handshake_state != TLSHandshakeState::WRITE_STARTED) {
519 tls.handshake_state = TLSHandshakeState::WRITE_STARTED;
520 // If peek has already disabled, this is noop.
521 tls.rbuf.disable_peek(true);
522 }
523 std::array<struct iovec, 4> iov;
524 auto iovcnt = tls.wbuf.riovec(iov.data(), iov.size());
525 auto nwrite = writev_clear(iov.data(), iovcnt);
526 if (nwrite < 0) {
527 if (LOG_ENABLED(INFO)) {
528 LOG(INFO) << "tls: handshake write error";
529 }
530 return -1;
531 }
532 tls.wbuf.drain(nwrite);
533
534 if (tls.wbuf.rleft()) {
535 wlimit.startw();
536 ev_timer_again(loop, &wt);
537 }
538 }
539
540 if (!read_buffer_full(tls.rbuf)) {
541 // We may have stopped reading
542 rlimit.startw();
543 }
544
545 if (rv != 1) {
546 if (LOG_ENABLED(INFO)) {
547 LOG(INFO) << "tls: handshake is still in progress";
548 }
549 return SHRPX_ERR_INPROGRESS;
550 }
551
552 #ifdef OPENSSL_IS_BORINGSSL
553 if (!tlsconf.no_postpone_early_data && SSL_in_early_data(tls.ssl) &&
554 SSL_in_init(tls.ssl)) {
555 auto nread = SSL_read(tls.ssl, buf.data(), buf.size());
556 if (nread <= 0) {
557 auto err = SSL_get_error(tls.ssl, nread);
558 switch (err) {
559 case SSL_ERROR_WANT_READ:
560 case SSL_ERROR_WANT_WRITE:
561 break;
562 case SSL_ERROR_ZERO_RETURN:
563 return SHRPX_ERR_EOF;
564 case SSL_ERROR_SSL:
565 if (LOG_ENABLED(INFO)) {
566 LOG(INFO) << "SSL_read: "
567 << ERR_error_string(ERR_get_error(), nullptr);
568 }
569 return SHRPX_ERR_NETWORK;
570 default:
571 if (LOG_ENABLED(INFO)) {
572 LOG(INFO) << "SSL_read: SSL_get_error returned " << err;
573 }
574 return SHRPX_ERR_NETWORK;
575 }
576 } else {
577 tls.earlybuf.append(buf.data(), nread);
578 }
579
580 if (SSL_in_init(tls.ssl)) {
581 return SHRPX_ERR_INPROGRESS;
582 }
583 }
584 #endif // OPENSSL_IS_BORINGSSL
585
586 // Handshake was done
587
588 rv = check_http2_requirement();
589 if (rv != 0) {
590 return -1;
591 }
592
593 // Just in case
594 tls.rbuf.disable_peek(true);
595
596 tls.initial_handshake_done = true;
597
598 return write_tls_pending_handshake();
599 }
600
tls_handshake_simple()601 int Connection::tls_handshake_simple() {
602 wlimit.stopw();
603 ev_timer_stop(loop, &wt);
604
605 if (tls.initial_handshake_done) {
606 return write_tls_pending_handshake();
607 }
608
609 if (SSL_get_fd(tls.ssl) == -1) {
610 SSL_set_fd(tls.ssl, fd);
611 }
612
613 int rv;
614 #if OPENSSL_1_1_1_API || defined(OPENSSL_IS_BORINGSSL)
615 auto &tlsconf = get_config()->tls;
616 std::array<uint8_t, 16_k> buf;
617 #endif // OPENSSL_1_1_1_API || defined(OPENSSL_IS_BORINGSSL)
618
619 ERR_clear_error();
620
621 #if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
622 if (!tls.server_handshake || tls.early_data_finish) {
623 rv = SSL_do_handshake(tls.ssl);
624 } else {
625 for (;;) {
626 size_t nread;
627
628 rv = SSL_read_early_data(tls.ssl, buf.data(), buf.size(), &nread);
629 if (rv == SSL_READ_EARLY_DATA_ERROR) {
630 // If we have early data, and server sends ServerHello, assume
631 // that handshake is completed in server side, and start
632 // processing request. If we don't exit handshake code here,
633 // server waits for EndOfEarlyData and Finished message from
634 // client, which voids the purpose of 0-RTT data. The left
635 // over of handshake is done through write_tls or read_tls.
636 if (tlsconf.no_postpone_early_data && tls.earlybuf.rleft()) {
637 rv = 1;
638 }
639
640 break;
641 }
642
643 if (LOG_ENABLED(INFO)) {
644 LOG(INFO) << "tls: read early data " << nread << " bytes";
645 }
646
647 tls.earlybuf.append(buf.data(), nread);
648
649 if (rv == SSL_READ_EARLY_DATA_FINISH) {
650 if (LOG_ENABLED(INFO)) {
651 LOG(INFO) << "tls: read all early data; total "
652 << tls.earlybuf.rleft() << " bytes";
653 }
654 tls.early_data_finish = true;
655 // The same reason stated above.
656 if (tlsconf.no_postpone_early_data && tls.earlybuf.rleft()) {
657 rv = 1;
658 } else {
659 ERR_clear_error();
660 rv = SSL_do_handshake(tls.ssl);
661 }
662 break;
663 }
664 }
665 }
666 #else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
667 rv = SSL_do_handshake(tls.ssl);
668 #endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
669
670 if (rv <= 0) {
671 auto err = SSL_get_error(tls.ssl, rv);
672 switch (err) {
673 case SSL_ERROR_WANT_READ:
674 if (read_buffer_full(tls.rbuf)) {
675 if (LOG_ENABLED(INFO)) {
676 LOG(INFO) << "tls: handshake message is too large";
677 }
678 return -1;
679 }
680 break;
681 case SSL_ERROR_WANT_WRITE:
682 wlimit.startw();
683 ev_timer_again(loop, &wt);
684 break;
685 case SSL_ERROR_SSL: {
686 if (LOG_ENABLED(INFO)) {
687 LOG(INFO) << "tls: handshake libssl error: "
688 << ERR_error_string(ERR_get_error(), nullptr);
689 }
690 return SHRPX_ERR_NETWORK;
691 }
692 default:
693 if (LOG_ENABLED(INFO)) {
694 LOG(INFO) << "tls: handshake libssl error " << err;
695 }
696 return SHRPX_ERR_NETWORK;
697 }
698 }
699
700 if (rv != 1) {
701 if (LOG_ENABLED(INFO)) {
702 LOG(INFO) << "tls: handshake is still in progress";
703 }
704 return SHRPX_ERR_INPROGRESS;
705 }
706
707 #ifdef OPENSSL_IS_BORINGSSL
708 if (!tlsconf.no_postpone_early_data && SSL_in_early_data(tls.ssl) &&
709 SSL_in_init(tls.ssl)) {
710 auto nread = SSL_read(tls.ssl, buf.data(), buf.size());
711 if (nread <= 0) {
712 auto err = SSL_get_error(tls.ssl, nread);
713 switch (err) {
714 case SSL_ERROR_WANT_READ:
715 case SSL_ERROR_WANT_WRITE:
716 break;
717 case SSL_ERROR_ZERO_RETURN:
718 return SHRPX_ERR_EOF;
719 case SSL_ERROR_SSL:
720 if (LOG_ENABLED(INFO)) {
721 LOG(INFO) << "SSL_read: "
722 << ERR_error_string(ERR_get_error(), nullptr);
723 }
724 return SHRPX_ERR_NETWORK;
725 default:
726 if (LOG_ENABLED(INFO)) {
727 LOG(INFO) << "SSL_read: SSL_get_error returned " << err;
728 }
729 return SHRPX_ERR_NETWORK;
730 }
731 } else {
732 tls.earlybuf.append(buf.data(), nread);
733 }
734
735 if (SSL_in_init(tls.ssl)) {
736 return SHRPX_ERR_INPROGRESS;
737 }
738 }
739 #endif // OPENSSL_IS_BORINGSSL
740
741 // Handshake was done
742
743 rv = check_http2_requirement();
744 if (rv != 0) {
745 return -1;
746 }
747
748 tls.initial_handshake_done = true;
749
750 return write_tls_pending_handshake();
751 }
752
write_tls_pending_handshake()753 int Connection::write_tls_pending_handshake() {
754 // Send handshake data left in the buffer
755 while (tls.wbuf.rleft()) {
756 std::array<struct iovec, 4> iov;
757 auto iovcnt = tls.wbuf.riovec(iov.data(), iov.size());
758 auto nwrite = writev_clear(iov.data(), iovcnt);
759 if (nwrite < 0) {
760 if (LOG_ENABLED(INFO)) {
761 LOG(INFO) << "tls: handshake write error";
762 }
763 return -1;
764 }
765 if (nwrite == 0) {
766 wlimit.startw();
767 ev_timer_again(loop, &wt);
768
769 return SHRPX_ERR_INPROGRESS;
770 }
771 tls.wbuf.drain(nwrite);
772 }
773
774 #ifdef OPENSSL_IS_BORINGSSL
775 if (!SSL_in_init(tls.ssl)) {
776 // This will send a session ticket.
777 auto nwrite = SSL_write(tls.ssl, "", 0);
778 if (nwrite < 0) {
779 auto err = SSL_get_error(tls.ssl, nwrite);
780 switch (err) {
781 case SSL_ERROR_WANT_READ:
782 if (LOG_ENABLED(INFO)) {
783 LOG(INFO) << "Close connection due to TLS renegotiation";
784 }
785 return SHRPX_ERR_NETWORK;
786 case SSL_ERROR_WANT_WRITE:
787 break;
788 case SSL_ERROR_SSL:
789 if (LOG_ENABLED(INFO)) {
790 LOG(INFO) << "SSL_write: "
791 << ERR_error_string(ERR_get_error(), nullptr);
792 }
793 return SHRPX_ERR_NETWORK;
794 default:
795 if (LOG_ENABLED(INFO)) {
796 LOG(INFO) << "SSL_write: SSL_get_error returned " << err;
797 }
798 return SHRPX_ERR_NETWORK;
799 }
800 }
801 }
802 #endif // OPENSSL_IS_BORINGSSL
803
804 // We have to start read watcher, since later stage of code expects
805 // this.
806 rlimit.startw();
807
808 // We may have whole request in tls.rbuf. This means that we don't
809 // get notified further read event. This is especially true for
810 // HTTP/1.1.
811 handle_tls_pending_read();
812
813 if (LOG_ENABLED(INFO)) {
814 LOG(INFO) << "SSL/TLS handshake completed";
815 nghttp2::tls::TLSSessionInfo tls_info{};
816 if (nghttp2::tls::get_tls_session_info(&tls_info, tls.ssl)) {
817 LOG(INFO) << "cipher=" << tls_info.cipher
818 << " protocol=" << tls_info.protocol
819 << " resumption=" << (tls_info.session_reused ? "yes" : "no")
820 << " session_id="
821 << util::format_hex(tls_info.session_id,
822 tls_info.session_id_length);
823 }
824 }
825
826 return 0;
827 }
828
check_http2_requirement()829 int Connection::check_http2_requirement() {
830 const unsigned char *next_proto = nullptr;
831 unsigned int next_proto_len;
832
833 #ifndef OPENSSL_NO_NEXTPROTONEG
834 SSL_get0_next_proto_negotiated(tls.ssl, &next_proto, &next_proto_len);
835 #endif // !OPENSSL_NO_NEXTPROTONEG
836 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
837 if (next_proto == nullptr) {
838 SSL_get0_alpn_selected(tls.ssl, &next_proto, &next_proto_len);
839 }
840 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
841 if (next_proto == nullptr ||
842 !util::check_h2_is_selected(StringRef{next_proto, next_proto_len})) {
843 return 0;
844 }
845 if (!nghttp2::tls::check_http2_tls_version(tls.ssl)) {
846 if (LOG_ENABLED(INFO)) {
847 LOG(INFO) << "TLSv1.2 was not negotiated. HTTP/2 must not be used.";
848 }
849 return -1;
850 }
851
852 auto check_block_list = false;
853 if (tls.server_handshake) {
854 check_block_list = !get_config()->tls.no_http2_cipher_block_list;
855 } else {
856 check_block_list = !get_config()->tls.client.no_http2_cipher_block_list;
857 }
858
859 if (check_block_list &&
860 nghttp2::tls::check_http2_cipher_block_list(tls.ssl)) {
861 if (LOG_ENABLED(INFO)) {
862 LOG(INFO) << "The negotiated cipher suite is in HTTP/2 cipher suite "
863 "block list. HTTP/2 must not be used.";
864 }
865 return -1;
866 }
867
868 return 0;
869 }
870
871 namespace {
872 constexpr size_t SHRPX_SMALL_WRITE_LIMIT = 1300;
873 } // namespace
874
get_tls_write_limit()875 size_t Connection::get_tls_write_limit() {
876
877 if (tls_dyn_rec_warmup_threshold == 0) {
878 return std::numeric_limits<ssize_t>::max();
879 }
880
881 auto t = std::chrono::steady_clock::now();
882
883 if (tls.last_write_idle.time_since_epoch().count() >= 0 &&
884 t - tls.last_write_idle > tls_dyn_rec_idle_timeout) {
885 // Time out, use small record size
886 tls.warmup_writelen = 0;
887 return SHRPX_SMALL_WRITE_LIMIT;
888 }
889
890 if (tls.warmup_writelen >= tls_dyn_rec_warmup_threshold) {
891 return std::numeric_limits<ssize_t>::max();
892 }
893
894 return SHRPX_SMALL_WRITE_LIMIT;
895 }
896
update_tls_warmup_writelen(size_t n)897 void Connection::update_tls_warmup_writelen(size_t n) {
898 if (tls.warmup_writelen < tls_dyn_rec_warmup_threshold) {
899 tls.warmup_writelen += n;
900 }
901 }
902
start_tls_write_idle()903 void Connection::start_tls_write_idle() {
904 if (tls.last_write_idle.time_since_epoch().count() < 0) {
905 tls.last_write_idle = std::chrono::steady_clock::now();
906 }
907 }
908
write_tls(const void * data,size_t len)909 ssize_t Connection::write_tls(const void *data, size_t len) {
910 // SSL_write requires the same arguments (buf pointer and its
911 // length) on SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.
912 // get_write_limit() may return smaller length than previously
913 // passed to SSL_write, which violates OpenSSL assumption. To avoid
914 // this, we keep last length passed to SSL_write to
915 // tls.last_writelen if SSL_write indicated I/O blocking.
916 if (tls.last_writelen == 0) {
917 len = std::min(len, wlimit.avail());
918 len = std::min(len, get_tls_write_limit());
919 if (len == 0) {
920 return 0;
921 }
922 } else {
923 len = tls.last_writelen;
924 tls.last_writelen = 0;
925 }
926
927 tls.last_write_idle = std::chrono::steady_clock::time_point(-1s);
928
929 auto &tlsconf = get_config()->tls;
930 auto via_bio =
931 tls.server_handshake && !tlsconf.session_cache.memcached.host.empty();
932
933 ERR_clear_error();
934
935 #if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
936 int rv;
937 if (SSL_is_init_finished(tls.ssl)) {
938 rv = SSL_write(tls.ssl, data, len);
939 } else {
940 size_t nwrite;
941 rv = SSL_write_early_data(tls.ssl, data, len, &nwrite);
942 // Use the same semantics with SSL_write.
943 if (rv == 1) {
944 rv = nwrite;
945 }
946 }
947 #else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
948 auto rv = SSL_write(tls.ssl, data, len);
949 #endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
950
951 if (rv <= 0) {
952 auto err = SSL_get_error(tls.ssl, rv);
953 switch (err) {
954 case SSL_ERROR_WANT_READ:
955 if (LOG_ENABLED(INFO)) {
956 LOG(INFO) << "Close connection due to TLS renegotiation";
957 }
958 return SHRPX_ERR_NETWORK;
959 case SSL_ERROR_WANT_WRITE:
960 tls.last_writelen = len;
961 // starting write watcher and timer is done in write_clear via
962 // bio otherwise.
963 if (!via_bio) {
964 wlimit.startw();
965 ev_timer_again(loop, &wt);
966 }
967
968 return 0;
969 case SSL_ERROR_SSL:
970 if (LOG_ENABLED(INFO)) {
971 LOG(INFO) << "SSL_write: "
972 << ERR_error_string(ERR_get_error(), nullptr);
973 }
974 return SHRPX_ERR_NETWORK;
975 default:
976 if (LOG_ENABLED(INFO)) {
977 LOG(INFO) << "SSL_write: SSL_get_error returned " << err;
978 }
979 return SHRPX_ERR_NETWORK;
980 }
981 }
982
983 if (!via_bio) {
984 wlimit.drain(rv);
985
986 if (ev_is_active(&wt)) {
987 ev_timer_again(loop, &wt);
988 }
989 }
990
991 update_tls_warmup_writelen(rv);
992
993 return rv;
994 }
995
read_tls(void * data,size_t len)996 ssize_t Connection::read_tls(void *data, size_t len) {
997 ERR_clear_error();
998
999 #if OPENSSL_1_1_1_API
1000 if (tls.earlybuf.rleft()) {
1001 return tls.earlybuf.remove(data, len);
1002 }
1003 #endif // OPENSSL_1_1_1_API
1004
1005 // SSL_read requires the same arguments (buf pointer and its
1006 // length) on SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.
1007 // rlimit_.avail() or rlimit_.avail() may return different length
1008 // than the length previously passed to SSL_read, which violates
1009 // OpenSSL assumption. To avoid this, we keep last length passed
1010 // to SSL_read to tls_last_readlen_ if SSL_read indicated I/O
1011 // blocking.
1012 if (tls.last_readlen == 0) {
1013 len = std::min(len, rlimit.avail());
1014 if (len == 0) {
1015 return 0;
1016 }
1017 } else {
1018 len = tls.last_readlen;
1019 tls.last_readlen = 0;
1020 }
1021
1022 auto &tlsconf = get_config()->tls;
1023 auto via_bio =
1024 tls.server_handshake && !tlsconf.session_cache.memcached.host.empty();
1025
1026 #if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
1027 if (!tls.early_data_finish) {
1028 // TLSv1.3 handshake is still going on.
1029 size_t nread;
1030 auto rv = SSL_read_early_data(tls.ssl, data, len, &nread);
1031 if (rv == SSL_READ_EARLY_DATA_ERROR) {
1032 auto err = SSL_get_error(tls.ssl, rv);
1033 switch (err) {
1034 case SSL_ERROR_WANT_READ:
1035 tls.last_readlen = len;
1036 return 0;
1037 case SSL_ERROR_SSL:
1038 if (LOG_ENABLED(INFO)) {
1039 LOG(INFO) << "SSL_read: "
1040 << ERR_error_string(ERR_get_error(), nullptr);
1041 }
1042 return SHRPX_ERR_NETWORK;
1043 default:
1044 if (LOG_ENABLED(INFO)) {
1045 LOG(INFO) << "SSL_read: SSL_get_error returned " << err;
1046 }
1047 return SHRPX_ERR_NETWORK;
1048 }
1049 }
1050
1051 if (LOG_ENABLED(INFO)) {
1052 LOG(INFO) << "tls: read early data " << nread << " bytes";
1053 }
1054
1055 if (rv == SSL_READ_EARLY_DATA_FINISH) {
1056 if (LOG_ENABLED(INFO)) {
1057 LOG(INFO) << "tls: read all early data";
1058 }
1059 tls.early_data_finish = true;
1060 // We may have stopped write watcher in write_tls.
1061 wlimit.startw();
1062 }
1063
1064 if (!via_bio) {
1065 rlimit.drain(nread);
1066 }
1067
1068 return nread;
1069 }
1070 #endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
1071
1072 auto rv = SSL_read(tls.ssl, data, len);
1073
1074 if (rv <= 0) {
1075 auto err = SSL_get_error(tls.ssl, rv);
1076 switch (err) {
1077 case SSL_ERROR_WANT_READ:
1078 tls.last_readlen = len;
1079 return 0;
1080 case SSL_ERROR_WANT_WRITE:
1081 if (LOG_ENABLED(INFO)) {
1082 LOG(INFO) << "Close connection due to TLS renegotiation";
1083 }
1084 return SHRPX_ERR_NETWORK;
1085 case SSL_ERROR_ZERO_RETURN:
1086 return SHRPX_ERR_EOF;
1087 case SSL_ERROR_SSL:
1088 if (LOG_ENABLED(INFO)) {
1089 LOG(INFO) << "SSL_read: " << ERR_error_string(ERR_get_error(), nullptr);
1090 }
1091 return SHRPX_ERR_NETWORK;
1092 default:
1093 if (LOG_ENABLED(INFO)) {
1094 LOG(INFO) << "SSL_read: SSL_get_error returned " << err;
1095 }
1096 return SHRPX_ERR_NETWORK;
1097 }
1098 }
1099
1100 if (!via_bio) {
1101 rlimit.drain(rv);
1102 }
1103
1104 return rv;
1105 }
1106
write_clear(const void * data,size_t len)1107 ssize_t Connection::write_clear(const void *data, size_t len) {
1108 len = std::min(len, wlimit.avail());
1109 if (len == 0) {
1110 return 0;
1111 }
1112
1113 ssize_t nwrite;
1114 while ((nwrite = write(fd, data, len)) == -1 && errno == EINTR)
1115 ;
1116 if (nwrite == -1) {
1117 if (errno == EAGAIN || errno == EWOULDBLOCK) {
1118 wlimit.startw();
1119 ev_timer_again(loop, &wt);
1120 return 0;
1121 }
1122 return SHRPX_ERR_NETWORK;
1123 }
1124
1125 wlimit.drain(nwrite);
1126
1127 if (ev_is_active(&wt)) {
1128 ev_timer_again(loop, &wt);
1129 }
1130
1131 return nwrite;
1132 }
1133
writev_clear(struct iovec * iov,int iovcnt)1134 ssize_t Connection::writev_clear(struct iovec *iov, int iovcnt) {
1135 iovcnt = limit_iovec(iov, iovcnt, wlimit.avail());
1136 if (iovcnt == 0) {
1137 return 0;
1138 }
1139
1140 ssize_t nwrite;
1141 while ((nwrite = writev(fd, iov, iovcnt)) == -1 && errno == EINTR)
1142 ;
1143 if (nwrite == -1) {
1144 if (errno == EAGAIN || errno == EWOULDBLOCK) {
1145 wlimit.startw();
1146 ev_timer_again(loop, &wt);
1147 return 0;
1148 }
1149 return SHRPX_ERR_NETWORK;
1150 }
1151
1152 wlimit.drain(nwrite);
1153
1154 if (ev_is_active(&wt)) {
1155 ev_timer_again(loop, &wt);
1156 }
1157
1158 return nwrite;
1159 }
1160
read_clear(void * data,size_t len)1161 ssize_t Connection::read_clear(void *data, size_t len) {
1162 len = std::min(len, rlimit.avail());
1163 if (len == 0) {
1164 return 0;
1165 }
1166
1167 ssize_t nread;
1168 while ((nread = read(fd, data, len)) == -1 && errno == EINTR)
1169 ;
1170 if (nread == -1) {
1171 if (errno == EAGAIN || errno == EWOULDBLOCK) {
1172 return 0;
1173 }
1174 return SHRPX_ERR_NETWORK;
1175 }
1176
1177 if (nread == 0) {
1178 return SHRPX_ERR_EOF;
1179 }
1180
1181 rlimit.drain(nread);
1182
1183 return nread;
1184 }
1185
read_nolim_clear(void * data,size_t len)1186 ssize_t Connection::read_nolim_clear(void *data, size_t len) {
1187 ssize_t nread;
1188 while ((nread = read(fd, data, len)) == -1 && errno == EINTR)
1189 ;
1190 if (nread == -1) {
1191 if (errno == EAGAIN || errno == EWOULDBLOCK) {
1192 return 0;
1193 }
1194 return SHRPX_ERR_NETWORK;
1195 }
1196
1197 if (nread == 0) {
1198 return SHRPX_ERR_EOF;
1199 }
1200
1201 return nread;
1202 }
1203
peek_clear(void * data,size_t len)1204 ssize_t Connection::peek_clear(void *data, size_t len) {
1205 ssize_t nread;
1206 while ((nread = recv(fd, data, len, MSG_PEEK)) == -1 && errno == EINTR)
1207 ;
1208 if (nread == -1) {
1209 if (errno == EAGAIN || errno == EWOULDBLOCK) {
1210 return 0;
1211 }
1212 return SHRPX_ERR_NETWORK;
1213 }
1214
1215 if (nread == 0) {
1216 return SHRPX_ERR_EOF;
1217 }
1218
1219 return nread;
1220 }
1221
handle_tls_pending_read()1222 void Connection::handle_tls_pending_read() {
1223 if (!ev_is_active(&rev)) {
1224 return;
1225 }
1226 rlimit.handle_tls_pending_read();
1227 }
1228
get_tcp_hint(TCPHint * hint) const1229 int Connection::get_tcp_hint(TCPHint *hint) const {
1230 #if defined(TCP_INFO) && defined(TCP_NOTSENT_LOWAT)
1231 struct tcp_info tcp_info;
1232 socklen_t tcp_info_len = sizeof(tcp_info);
1233 int rv;
1234
1235 rv = getsockopt(fd, IPPROTO_TCP, TCP_INFO, &tcp_info, &tcp_info_len);
1236
1237 if (rv != 0) {
1238 return -1;
1239 }
1240
1241 auto avail_packets = tcp_info.tcpi_snd_cwnd > tcp_info.tcpi_unacked
1242 ? tcp_info.tcpi_snd_cwnd - tcp_info.tcpi_unacked
1243 : 0;
1244
1245 // http://www.slideshare.net/kazuho/programming-tcp-for-responsiveness
1246
1247 // TODO 29 (5 (header) + 8 (explicit nonce) + 16 (tag)) is TLS
1248 // overhead for AES-GCM. For CHACHA20_POLY1305, it is 21 since it
1249 // does not need 8 bytes explicit nonce.
1250 //
1251 // For TLSv1.3, AES-GCM and CHACHA20_POLY1305 overhead are now 22
1252 // bytes (5 (header) + 1 (ContentType) + 16 (tag)).
1253 size_t tls_overhead;
1254 # ifdef TLS1_3_VERSION
1255 if (SSL_version(tls.ssl) == TLS1_3_VERSION) {
1256 tls_overhead = 22;
1257 } else
1258 # endif // TLS1_3_VERSION
1259 {
1260 tls_overhead = 29;
1261 }
1262
1263 auto writable_size =
1264 (avail_packets + 2) * (tcp_info.tcpi_snd_mss - tls_overhead);
1265 if (writable_size > 16_k) {
1266 writable_size = writable_size & ~(16_k - 1);
1267 } else {
1268 if (writable_size < 536) {
1269 LOG(INFO) << "writable_size is too small: " << writable_size;
1270 }
1271 // TODO is this required?
1272 writable_size = std::max(writable_size, static_cast<size_t>(536 * 2));
1273 }
1274
1275 // if (LOG_ENABLED(INFO)) {
1276 // LOG(INFO) << "snd_cwnd=" << tcp_info.tcpi_snd_cwnd
1277 // << ", unacked=" << tcp_info.tcpi_unacked
1278 // << ", snd_mss=" << tcp_info.tcpi_snd_mss
1279 // << ", rtt=" << tcp_info.tcpi_rtt << "us"
1280 // << ", rcv_space=" << tcp_info.tcpi_rcv_space
1281 // << ", writable=" << writable_size;
1282 // }
1283
1284 hint->write_buffer_size = writable_size;
1285 // TODO tcpi_rcv_space is considered as rwin, is that correct?
1286 hint->rwin = tcp_info.tcpi_rcv_space;
1287
1288 return 0;
1289 #else // !defined(TCP_INFO) || !defined(TCP_NOTSENT_LOWAT)
1290 return -1;
1291 #endif // !defined(TCP_INFO) || !defined(TCP_NOTSENT_LOWAT)
1292 }
1293
again_rt(ev_tstamp t)1294 void Connection::again_rt(ev_tstamp t) {
1295 read_timeout = t;
1296 rt.repeat = t;
1297 ev_timer_again(loop, &rt);
1298 last_read = std::chrono::steady_clock::now();
1299 }
1300
again_rt()1301 void Connection::again_rt() {
1302 rt.repeat = read_timeout;
1303 ev_timer_again(loop, &rt);
1304 last_read = std::chrono::steady_clock::now();
1305 }
1306
expired_rt()1307 bool Connection::expired_rt() {
1308 auto delta = read_timeout - util::ev_tstamp_from(
1309 std::chrono::steady_clock::now() - last_read);
1310 if (delta < 1e-9) {
1311 return true;
1312 }
1313 rt.repeat = delta;
1314 ev_timer_again(loop, &rt);
1315 return false;
1316 }
1317
1318 } // namespace shrpx
1319