From 2482dd7f774bd6bce4e34a4ffbb1715dbfa46a52 Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Mon, 13 Jul 2015 11:28:15 -0700 Subject: [PATCH 01/44] Adding -r and -C options to h2load --- src/h2load.cc | 204 +++++++++++++++++++++++++++++++++++++++++--------- src/h2load.h | 13 ++++ 2 files changed, 183 insertions(+), 34 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index 3eba889c..699563fc 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -75,7 +75,8 @@ Config::Config() : data_length(-1), addrs(nullptr), nreqs(1), nclients(1), nthreads(1), max_concurrent_streams(-1), window_bits(30), connection_window_bits(30), no_tls_proto(PROTO_HTTP2), data_fd(-1), port(0), default_port(0), - verbose(false) {} + verbose(false), + nconns(0), rate(0), current_worker(0) {} Config::~Config() { freeaddrinfo(addrs); @@ -85,6 +86,10 @@ Config::~Config() { } } +bool Config::is_rate_mode() { + return (this->rate != 0); +} + Config config; namespace { @@ -261,7 +266,7 @@ void Client::process_abandoned_streams() { } void Client::report_progress() { - if (worker->id == 0 && + if (!worker->config->is_rate_mode() && worker->id == 0 && worker->stats.req_done % worker->progress_interval == 0) { std::cout << "progress: " << worker->stats.req_done * 100 / worker->stats.req_todo @@ -962,6 +967,33 @@ std::vector read_uri_from_file(std::istream &infile) { } } // namespace +namespace { +// Called every second when rate mode is being used +void second_timeout_cb(EV_P_ ev_timer *w, int revents) { + auto config = static_cast(w->data); + + auto nclients_per_worker = config->rate; + auto nreqs_per_worker = config->max_concurrent_streams * config->rate; + + if(config->current_worker >= std::max(0. , (config->seconds - 1.))) { + nclients_per_worker = config->rate + config->conns_remainder; + nreqs_per_worker = (int)config->max_concurrent_streams * + (config->rate + config->conns_remainder); + ev_timer_stop(config->rate_loop, w); + } + + config->workers.push_back(make_unique(config->current_worker, + config->ssl_ctx, + nreqs_per_worker, + nclients_per_worker, + config)); + + config->current_worker++; + + config->workers.back()->run(); +} +} // namespace + namespace { void print_version(std::ostream &out) { out << "h2load nghttp2/" NGHTTP2_VERSION << std::endl; @@ -1027,6 +1059,7 @@ Options: -p, --no-tls-proto= Specify ALPN identifier of the protocol to be used when accessing http URI without SSL/TLS.)"; + #ifdef HAVE_SPDYLAY out << R"( Available protocols: spdy/2, spdy/3, spdy/3.1 and )"; @@ -1039,6 +1072,24 @@ Options: -d, --data= Post FILE to server. The request method is changed to POST. + -r, --rate= + Specified the fixed rate at which connections are + created. The rate must be a positive integer, + representing the number of connections to be made per + second. When the rate is 0, the program will run as it + normally does, creating connections at whatever variable + rate it wants. The default value for this option is 0. + -C, --num-conns= + Specifies the total number of connections to create. The + total number of connections must be a positive integer. + On each connection, '-m' requests are made. The test + stops once as soon as the N connections have either + completed or failed. When the number of connections is + 0, the program will run as it normally does, creating as + many connections as it needs in order to make the '-n' + requests specified. The defauly value for this option is + 0. The '-n' option is not required if the '-C' option + is being used. -v, --verbose Output debug information. --version Display version information and exit. @@ -1073,10 +1124,12 @@ int main(int argc, char **argv) { {"help", no_argument, nullptr, 'h'}, {"version", no_argument, &flag, 1}, {"ciphers", required_argument, &flag, 2}, + {"rate", required_argument, nullptr, 'r'}, + {"num-conns", required_argument, nullptr, 'C'}, {nullptr, 0, nullptr, 0}}; int option_index = 0; - auto c = getopt_long(argc, argv, "hvW:c:d:m:n:p:t:w:H:i:", long_options, - &option_index); + auto c = getopt_long(argc, argv, "hvW:c:d:m:n:p:t:w:H:i:r:C:", + long_options, &option_index); if (c == -1) { break; } @@ -1170,6 +1223,24 @@ int main(int argc, char **argv) { exit(EXIT_FAILURE); } break; + case 'r': + config.rate = strtoul(optarg, nullptr, 10); + if (config.rate <= 0) { + std::cerr << "-r: the rate at which connections are made " + << "must be positive." + << std::endl; + exit(EXIT_FAILURE); + } + break; + case 'C': + config.nconns = strtoul(optarg, nullptr, 10); + if (config.nconns <= 0) { + std::cerr << "-C: the total number of connections made " + << "must be positive." + << std::endl; + exit(EXIT_FAILURE); + } + break; case 'v': config.verbose = true; break; @@ -1238,6 +1309,25 @@ int main(int argc, char **argv) { << "cores." << std::endl; } + if (config.nconns < 0) { + std::cerr << "-C: the total number of connections made " + << "cannot be negative." + << std::endl; + exit(EXIT_FAILURE); + } + + if (config.rate < 0) { + std::cerr << "-r: the rate at which connections are made " + << "cannot be negative." + << std::endl; + exit(EXIT_FAILURE); + } + + if (config.rate != 0 && config.nthreads != 1) { + std::cerr << "-r, -t: warning: the -t option will be ignored when the -r " + << "option is in use." << std::endl; + } + if (!datafile.empty()) { config.data_fd = open(datafile.c_str(), O_RDONLY | O_BINARY); if (config.data_fd == -1) { @@ -1405,46 +1495,92 @@ int main(int argc, char **argv) { auto start = std::chrono::steady_clock::now(); - std::vector> workers; - workers.reserve(config.nthreads); - + // if not in rate mode, continue making workers and clients normally + if (!config.is_rate_mode()) { + config.workers.reserve(config.nthreads); #ifndef NOTHREADS - std::vector> futures; - for (size_t i = 0; i < config.nthreads - 1; ++i) { - auto nreqs = nreqs_per_thread + (nreqs_rem-- > 0); - auto nclients = nclients_per_thread + (nclients_rem-- > 0); - std::cout << "spawning thread #" << i << ": " << nclients - << " concurrent clients, " << nreqs << " total requests" - << std::endl; - workers.push_back( - make_unique(i, ssl_ctx, nreqs, nclients, &config)); - auto &worker = workers.back(); - futures.push_back( - std::async(std::launch::async, [&worker]() { worker->run(); })); - } + std::vector> futures; + for (size_t i = 0; i < config.nthreads - 1; ++i) { + auto nreqs = nreqs_per_thread + (nreqs_rem-- > 0); + auto nclients = nclients_per_thread + (nclients_rem-- > 0); + std::cout << "spawning thread #" << i << ": " << nclients + << " concurrent clients, " << nreqs << " total requests" + << std::endl; + config.workers.push_back( + make_unique(i, ssl_ctx, nreqs, nclients, &config)); + auto &worker = config.workers.back(); + futures.push_back( + std::async(std::launch::async, [&worker]() { worker->run(); })); + } #endif // NOTHREADS - auto nreqs_last = nreqs_per_thread + (nreqs_rem-- > 0); - auto nclients_last = nclients_per_thread + (nclients_rem-- > 0); - std::cout << "spawning thread #" << (config.nthreads - 1) << ": " - << nclients_last << " concurrent clients, " << nreqs_last - << " total requests" << std::endl; - workers.push_back(make_unique(config.nthreads - 1, ssl_ctx, - nreqs_last, nclients_last, &config)); - workers.back()->run(); + auto nreqs_last = nreqs_per_thread + (nreqs_rem-- > 0); + auto nclients_last = nclients_per_thread + (nclients_rem-- > 0); + std::cout << "spawning thread #" << (config.nthreads - 1) << ": " + << nclients_last << " concurrent clients, " << nreqs_last + << " total requests" << std::endl; + config.workers.push_back(make_unique(config.nthreads - 1, ssl_ctx, + nreqs_last, nclients_last, &config)); + config.workers.back()->run(); #ifndef NOTHREADS - for (auto &fut : futures) { - fut.get(); - } + for (auto &fut : futures) { + fut.get(); + } #endif // NOTHREADS + } //!config.is_rate_mode() + // if in rate mode, create a new worker each second + else { + // set various config values + config.seconds = std::min(n_time, c_time); + + if ((int)config.nreqs < config.nconns) { + config.seconds = c_time; + config.workers.reserve(config.seconds); + } + else if (config.nconns == 0) { + config.seconds = n_time; + } + else { + config.workers.reserve(config.seconds); + } + + config.conns_remainder = config.nconns % config.rate; + + // config.seconds must be positive or else an exception is thrown + if (config.seconds <= 0) { + std::cerr << "Test cannot be run with current option values." + << " Please look at documentation for -r option for" + << " more information." << std::endl; + exit(EXIT_FAILURE); + } + config.current_worker = 0; + + config.ssl_ctx = ssl_ctx; + + // create timer that will go off every second + ev_timer timeout_watcher; + + // create loop for running the timer + struct ev_loop *rate_loop = EV_DEFAULT; + + config.rate_loop = rate_loop; + + // giving the second_timeout_cb access to config + timeout_watcher.data = &config; + + ev_init(&timeout_watcher, second_timeout_cb); + timeout_watcher.repeat = 1.; + ev_timer_again(rate_loop, &timeout_watcher); + ev_run(rate_loop, 0); + } // end rate mode section auto end = std::chrono::steady_clock::now(); auto duration = std::chrono::duration_cast(end - start); Stats stats(0); - for (const auto &w : workers) { + for (const auto &w : config.workers) { const auto &s = w->stats; stats.req_todo += s.req_todo; @@ -1463,7 +1599,7 @@ int main(int argc, char **argv) { } } - auto ts = process_time_stats(workers); + auto ts = process_time_stats(config.workers); // Requests which have not been issued due to connection errors, are // counted towards req_failed and req_error. @@ -1476,7 +1612,7 @@ int main(int argc, char **argv) { // // [1] https://github.com/lighttpd/weighttp // [2] https://github.com/wg/wrk - size_t rps = 0; + double rps = 0; int64_t bps = 0; if (duration.count() > 0) { auto secd = static_cast(duration.count()) / (1000 * 1000); diff --git a/src/h2load.h b/src/h2load.h index 4bca2afa..a68b8dc5 100644 --- a/src/h2load.h +++ b/src/h2load.h @@ -76,6 +76,10 @@ struct Config { ssize_t max_concurrent_streams; size_t window_bits; size_t connection_window_bits; + // rate at which connections should be made + ssize_t rate; + // number of connections made + ssize_t nconns; enum { PROTO_HTTP2, PROTO_SPDY2, PROTO_SPDY3, PROTO_SPDY3_1 } no_tls_proto; // file descriptor for upload data int data_fd; @@ -83,8 +87,17 @@ struct Config { uint16_t default_port; bool verbose; + ssize_t current_worker; + std::vector> workers; + SSL_CTX *ssl_ctx; + struct ev_loop *rate_loop; + ssize_t seconds; + ssize_t conns_remainder; + Config(); ~Config(); + + bool is_rate_mode(); }; struct RequestStat { From 6b53f7ee197f748843b594d4e5abeaab89a5ad86 Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Tue, 14 Jul 2015 11:16:37 -0700 Subject: [PATCH 02/44] [EDGE-879] run clang-format and make sure style is good --- src/h2load.cc | 51 +++++++++++++++++++++------------------------------ 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index 699563fc..0c4121fe 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -75,8 +75,7 @@ Config::Config() : data_length(-1), addrs(nullptr), nreqs(1), nclients(1), nthreads(1), max_concurrent_streams(-1), window_bits(30), connection_window_bits(30), no_tls_proto(PROTO_HTTP2), data_fd(-1), port(0), default_port(0), - verbose(false), - nconns(0), rate(0), current_worker(0) {} + verbose(false), nconns(0), rate(0), current_worker(0) {} Config::~Config() { freeaddrinfo(addrs); @@ -86,9 +85,7 @@ Config::~Config() { } } -bool Config::is_rate_mode() { - return (this->rate != 0); -} +bool Config::is_rate_mode() { return (this->rate != 0); } Config config; @@ -975,18 +972,16 @@ void second_timeout_cb(EV_P_ ev_timer *w, int revents) { auto nclients_per_worker = config->rate; auto nreqs_per_worker = config->max_concurrent_streams * config->rate; - if(config->current_worker >= std::max(0. , (config->seconds - 1.))) { + if (config->current_worker >= std::max(0., (config->seconds - 1.))) { nclients_per_worker = config->rate + config->conns_remainder; nreqs_per_worker = (int)config->max_concurrent_streams * (config->rate + config->conns_remainder); ev_timer_stop(config->rate_loop, w); } - config->workers.push_back(make_unique(config->current_worker, - config->ssl_ctx, - nreqs_per_worker, - nclients_per_worker, - config)); + config->workers.push_back( + make_unique(config->current_worker, config->ssl_ctx, + nreqs_per_worker, nclients_per_worker, config)); config->current_worker++; @@ -1068,7 +1063,8 @@ Options: Available protocol: )"; #endif // !HAVE_SPDYLAY out << NGHTTP2_CLEARTEXT_PROTO_VERSION_ID << R"( - Default: )" << NGHTTP2_CLEARTEXT_PROTO_VERSION_ID << R"( + Default: )" + << NGHTTP2_CLEARTEXT_PROTO_VERSION_ID << R"( -d, --data= Post FILE to server. The request method is changed to POST. @@ -1093,7 +1089,8 @@ Options: -v, --verbose Output debug information. --version Display version information and exit. - -h, --help Display this help and exit.)" << std::endl; + -h, --help Display this help and exit.)" + << std::endl; } } // namespace @@ -1128,8 +1125,8 @@ int main(int argc, char **argv) { {"num-conns", required_argument, nullptr, 'C'}, {nullptr, 0, nullptr, 0}}; int option_index = 0; - auto c = getopt_long(argc, argv, "hvW:c:d:m:n:p:t:w:H:i:r:C:", - long_options, &option_index); + auto c = getopt_long(argc, argv, "hvW:c:d:m:n:p:t:w:H:i:r:C:", long_options, + &option_index); if (c == -1) { break; } @@ -1227,8 +1224,7 @@ int main(int argc, char **argv) { config.rate = strtoul(optarg, nullptr, 10); if (config.rate <= 0) { std::cerr << "-r: the rate at which connections are made " - << "must be positive." - << std::endl; + << "must be positive." << std::endl; exit(EXIT_FAILURE); } break; @@ -1236,8 +1232,7 @@ int main(int argc, char **argv) { config.nconns = strtoul(optarg, nullptr, 10); if (config.nconns <= 0) { std::cerr << "-C: the total number of connections made " - << "must be positive." - << std::endl; + << "must be positive." << std::endl; exit(EXIT_FAILURE); } break; @@ -1311,15 +1306,13 @@ int main(int argc, char **argv) { if (config.nconns < 0) { std::cerr << "-C: the total number of connections made " - << "cannot be negative." - << std::endl; + << "cannot be negative." << std::endl; exit(EXIT_FAILURE); } if (config.rate < 0) { std::cerr << "-r: the rate at which connections are made " - << "cannot be negative." - << std::endl; + << "cannot be negative." << std::endl; exit(EXIT_FAILURE); } @@ -1519,8 +1512,8 @@ int main(int argc, char **argv) { std::cout << "spawning thread #" << (config.nthreads - 1) << ": " << nclients_last << " concurrent clients, " << nreqs_last << " total requests" << std::endl; - config.workers.push_back(make_unique(config.nthreads - 1, ssl_ctx, - nreqs_last, nclients_last, &config)); + config.workers.push_back(make_unique( + config.nthreads - 1, ssl_ctx, nreqs_last, nclients_last, &config)); config.workers.back()->run(); #ifndef NOTHREADS @@ -1528,7 +1521,7 @@ int main(int argc, char **argv) { fut.get(); } #endif // NOTHREADS - } //!config.is_rate_mode() + } //! config.is_rate_mode() // if in rate mode, create a new worker each second else { // set various config values @@ -1537,11 +1530,9 @@ int main(int argc, char **argv) { if ((int)config.nreqs < config.nconns) { config.seconds = c_time; config.workers.reserve(config.seconds); - } - else if (config.nconns == 0) { + } else if (config.nconns == 0) { config.seconds = n_time; - } - else { + } else { config.workers.reserve(config.seconds); } From d6551de8d44f788972a73bdca0a776d9b0f46f3c Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Tue, 14 Jul 2015 23:41:29 +0000 Subject: [PATCH 03/44] [EDGE-877] [h2load] apply changes to new version of h2load --- src/h2load.cc | 34 ++++++++++++++++++++++++++++++++++ src/h2load.h | 1 + 2 files changed, 35 insertions(+) diff --git a/src/h2load.cc b/src/h2load.cc index 0c4121fe..df5e2a4c 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -1408,7 +1408,41 @@ int main(int argc, char **argv) { if (config.max_concurrent_streams == -1) { config.max_concurrent_streams = reqlines.size(); } + + // if not in rate mode and -C is set, warn that we are ignoring it + if (!config.is_rate_mode() && config.nconns != 0) { + std::cerr << "-C: warning: This option can only be used with -r, and" + << " will be ignored otherwise." << std::endl; + } + ssize_t n_time = 0; + ssize_t c_time = 0; + // only care about n_time and c_time in rate mode + if (config.is_rate_mode() && config.max_concurrent_streams != 0) { + n_time = (int)config.nreqs / + ((int)config.rate * (int)config.max_concurrent_streams); + c_time = (int)config.nconns / (int)config.rate; + } + // check to see if the two ways of determining test time conflict + if (config.is_rate_mode() && (int)config.max_concurrent_streams != 0 && + (n_time != c_time) && config.nreqs != 1 && config.nconns != 0) { + if ((int)config.nreqs < config.nconns) { + std::cerr << "-C, -n: warning: two different test times are being set. " + << std::endl; + std::cerr << "The test will run for " + << c_time + << " seconds." << std::endl; + } + else { + std::cout << "-C, -n: warning: two different test times are being set. " + << std::endl; + std::cout << "The smaller of the two will be chosen and the test will " + << "run for " + << std::min(n_time, c_time) + << " seconds." << std::endl; + } + } + Headers shared_nva; shared_nva.emplace_back(":scheme", config.scheme); if (config.port != config.default_port) { diff --git a/src/h2load.h b/src/h2load.h index a68b8dc5..986bf78c 100644 --- a/src/h2load.h +++ b/src/h2load.h @@ -57,6 +57,7 @@ using namespace nghttp2; namespace h2load { class Session; +struct Worker; struct Config { std::vector> nva; From 5892385e5c222f24911e0e4e32f07de534f5ab22 Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Wed, 15 Jul 2015 09:51:33 -0700 Subject: [PATCH 04/44] [EDGE-879] run clang-format and make sure style is good --- src/h2load.cc | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index df5e2a4c..4e97349b 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -1408,7 +1408,7 @@ int main(int argc, char **argv) { if (config.max_concurrent_streams == -1) { config.max_concurrent_streams = reqlines.size(); } - + // if not in rate mode and -C is set, warn that we are ignoring it if (!config.is_rate_mode() && config.nconns != 0) { std::cerr << "-C: warning: This option can only be used with -r, and" @@ -1416,10 +1416,10 @@ int main(int argc, char **argv) { } ssize_t n_time = 0; - ssize_t c_time = 0; + ssize_t c_time = 0; // only care about n_time and c_time in rate mode if (config.is_rate_mode() && config.max_concurrent_streams != 0) { - n_time = (int)config.nreqs / + n_time = (int)config.nreqs / ((int)config.rate * (int)config.max_concurrent_streams); c_time = (int)config.nconns / (int)config.rate; } @@ -1429,20 +1429,17 @@ int main(int argc, char **argv) { if ((int)config.nreqs < config.nconns) { std::cerr << "-C, -n: warning: two different test times are being set. " << std::endl; - std::cerr << "The test will run for " - << c_time - << " seconds." << std::endl; - } - else { + std::cerr << "The test will run for " << c_time << " seconds." + << std::endl; + } else { std::cout << "-C, -n: warning: two different test times are being set. " << std::endl; std::cout << "The smaller of the two will be chosen and the test will " - << "run for " - << std::min(n_time, c_time) - << " seconds." << std::endl; + << "run for " << std::min(n_time, c_time) << " seconds." + << std::endl; } } - + Headers shared_nva; shared_nva.emplace_back(":scheme", config.scheme); if (config.port != config.default_port) { @@ -1555,7 +1552,7 @@ int main(int argc, char **argv) { fut.get(); } #endif // NOTHREADS - } //! config.is_rate_mode() + } //! config.is_rate_mode() // if in rate mode, create a new worker each second else { // set various config values From c470ac7b0021d3cae80ef1c5b6460a108f2e5bdb Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 16 Jul 2015 14:01:18 +0900 Subject: [PATCH 05/44] asio: Fix missing nghttp2_timegm --- src/Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Makefile.am b/src/Makefile.am index 8dc53570..ff800463 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -176,6 +176,7 @@ lib_LTLIBRARIES = libnghttp2_asio.la libnghttp2_asio_la_SOURCES = \ util.cc util.h http2.cc http2.h \ ssl.cc ssl.h \ + timegm.c timegm.h \ asio_common.cc asio_common.h \ asio_io_service_pool.cc asio_io_service_pool.h \ asio_server_http2.cc \ From ccfe7f8548e4201181e37b92773fa4886ef4bd15 Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Thu, 16 Jul 2015 10:33:44 -0700 Subject: [PATCH 06/44] Reordering Config field initializer list --- src/h2load.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index 4e97349b..bd7ed351 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -74,8 +74,8 @@ namespace h2load { Config::Config() : data_length(-1), addrs(nullptr), nreqs(1), nclients(1), nthreads(1), max_concurrent_streams(-1), window_bits(30), connection_window_bits(30), - no_tls_proto(PROTO_HTTP2), data_fd(-1), port(0), default_port(0), - verbose(false), nconns(0), rate(0), current_worker(0) {} + rate(0), nconns(0), no_tls_proto(PROTO_HTTP2), data_fd(-1), port(0), default_port(0), + verbose(false), current_worker(0) {} Config::~Config() { freeaddrinfo(addrs); From e0d7ce439de76c65847346ddb2c1f49ec65fc87e Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Thu, 16 Jul 2015 10:35:03 -0700 Subject: [PATCH 07/44] Fixing style for Config field initializer list --- src/h2load.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index bd7ed351..d8edb725 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -74,8 +74,8 @@ namespace h2load { Config::Config() : data_length(-1), addrs(nullptr), nreqs(1), nclients(1), nthreads(1), max_concurrent_streams(-1), window_bits(30), connection_window_bits(30), - rate(0), nconns(0), no_tls_proto(PROTO_HTTP2), data_fd(-1), port(0), default_port(0), - verbose(false), current_worker(0) {} + rate(0), nconns(0), no_tls_proto(PROTO_HTTP2), data_fd(-1), port(0), + default_port(0), verbose(false), current_worker(0) {} Config::~Config() { freeaddrinfo(addrs); From 7d2ea42c38ae6f2b3fe9ac99204dfe9960ad13c4 Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Thu, 16 Jul 2015 10:43:50 -0700 Subject: [PATCH 08/44] Fixing spelling mistake in num-conns description --- src/h2load.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/h2load.cc b/src/h2load.cc index d8edb725..8855c397 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -1083,7 +1083,7 @@ Options: completed or failed. When the number of connections is 0, the program will run as it normally does, creating as many connections as it needs in order to make the '-n' - requests specified. The defauly value for this option is + requests specified. The default value for this option is 0. The '-n' option is not required if the '-C' option is being used. -v, --verbose From ce00c50720166054bf21f81396a8c95a034e55f2 Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Thu, 16 Jul 2015 10:51:41 -0700 Subject: [PATCH 09/44] Changing comparison from double to ssize_t --- src/h2load.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/h2load.cc b/src/h2load.cc index 8855c397..ef368e60 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -972,7 +972,7 @@ void second_timeout_cb(EV_P_ ev_timer *w, int revents) { auto nclients_per_worker = config->rate; auto nreqs_per_worker = config->max_concurrent_streams * config->rate; - if (config->current_worker >= std::max(0., (config->seconds - 1.))) { + if (config->current_worker >= std::max((ssize_t)0, (config->seconds - 1))) { nclients_per_worker = config->rate + config->conns_remainder; nreqs_per_worker = (int)config->max_concurrent_streams * (config->rate + config->conns_remainder); From eeba12144cc7378d0de9647fa6dcd1f6c2ca5d66 Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Thu, 16 Jul 2015 11:02:01 -0700 Subject: [PATCH 10/44] Refactored seconds setting and worker space reservation --- src/h2load.cc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index ef368e60..983a35db 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -1556,16 +1556,14 @@ int main(int argc, char **argv) { // if in rate mode, create a new worker each second else { // set various config values - config.seconds = std::min(n_time, c_time); - if ((int)config.nreqs < config.nconns) { config.seconds = c_time; - config.workers.reserve(config.seconds); } else if (config.nconns == 0) { config.seconds = n_time; } else { - config.workers.reserve(config.seconds); + config.seconds = std::min(n_time, c_time); } + config.workers.reserve(config.seconds); config.conns_remainder = config.nconns % config.rate; From a23ab00686108eff07579bb3602bdb66452fe82c Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sat, 18 Jul 2015 00:19:47 +0900 Subject: [PATCH 11/44] Allow custom install location for python bindings --- python/Makefile.am | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/python/Makefile.am b/python/Makefile.am index 7a352396..46a7ef22 100644 --- a/python/Makefile.am +++ b/python/Makefile.am @@ -33,11 +33,12 @@ all-local: nghttp2.c $(PYTHON) setup.py build install-exec-local: - $(PYTHON) setup.py install --prefix=$(DESTDIR)$(prefix) + test -d $(pyexecdir) || mkdir -p $(pyexecdir) + PYTHONUSERBASE=$(DESTDIR)/$(prefix) $(PYTHON) setup.py install --user uninstall-local: rm -f $(DESTDIR)$(libdir)/python*/site-packages/nghttp2.so - rm -f $(DESTDIR)$(libdir)/python*/site-packages/python_nghttp2-*.egg-info + rm -f $(DESTDIR)$(libdir)/python*/site-packages/python_nghttp2-*.egg clean-local: $(PYTHON) setup.py clean --all From fa872a6b48a9846d9e0c599f7be5be2c95e978b4 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sat, 18 Jul 2015 00:21:29 +0900 Subject: [PATCH 12/44] Bump up version number to 1.1.2 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 930c0f7c..d606752f 100644 --- a/configure.ac +++ b/configure.ac @@ -25,7 +25,7 @@ dnl Do not change user variables! dnl http://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html AC_PREREQ(2.61) -AC_INIT([nghttp2], [1.1.2-DEV], [t-tujikawa@users.sourceforge.net]) +AC_INIT([nghttp2], [1.1.2], [t-tujikawa@users.sourceforge.net]) AC_USE_SYSTEM_EXTENSIONS LT_PREREQ([2.2.6]) From 03034c00812eb024f0654407ef138038b455bd3a Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sat, 18 Jul 2015 00:23:53 +0900 Subject: [PATCH 13/44] Update man pages --- doc/h2load.1 | 2 +- doc/nghttp.1 | 2 +- doc/nghttpd.1 | 2 +- doc/nghttpx.1 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/h2load.1 b/doc/h2load.1 index d3f6b7a1..9a118b75 100644 --- a/doc/h2load.1 +++ b/doc/h2load.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "H2LOAD" "1" "July 15, 2015" "1.1.1" "nghttp2" +.TH "H2LOAD" "1" "July 18, 2015" "1.1.2" "nghttp2" .SH NAME h2load \- HTTP/2 benchmarking tool . diff --git a/doc/nghttp.1 b/doc/nghttp.1 index b1ee0180..67d88a1f 100644 --- a/doc/nghttp.1 +++ b/doc/nghttp.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTP" "1" "July 15, 2015" "1.1.1" "nghttp2" +.TH "NGHTTP" "1" "July 18, 2015" "1.1.2" "nghttp2" .SH NAME nghttp \- HTTP/2 experimental client . diff --git a/doc/nghttpd.1 b/doc/nghttpd.1 index ac31ae6b..4152da97 100644 --- a/doc/nghttpd.1 +++ b/doc/nghttpd.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPD" "1" "July 15, 2015" "1.1.1" "nghttp2" +.TH "NGHTTPD" "1" "July 18, 2015" "1.1.2" "nghttp2" .SH NAME nghttpd \- HTTP/2 experimental server . diff --git a/doc/nghttpx.1 b/doc/nghttpx.1 index b7e2041d..8daf5d47 100644 --- a/doc/nghttpx.1 +++ b/doc/nghttpx.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPX" "1" "July 15, 2015" "1.1.1" "nghttp2" +.TH "NGHTTPX" "1" "July 18, 2015" "1.1.2" "nghttp2" .SH NAME nghttpx \- HTTP/2 experimental proxy . From ac301537ef3784d1f0246b6ddfaedb5f8ce59dca Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sat, 18 Jul 2015 00:31:43 +0900 Subject: [PATCH 14/44] Bump up version number to 1.1.3-DEV --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index d606752f..a9d04ad5 100644 --- a/configure.ac +++ b/configure.ac @@ -25,7 +25,7 @@ dnl Do not change user variables! dnl http://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html AC_PREREQ(2.61) -AC_INIT([nghttp2], [1.1.2], [t-tujikawa@users.sourceforge.net]) +AC_INIT([nghttp2], [1.1.3-DEV], [t-tujikawa@users.sourceforge.net]) AC_USE_SYSTEM_EXTENSIONS LT_PREREQ([2.2.6]) From e8167ceea71595a66a871e4091aeb505c415e0f8 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sat, 18 Jul 2015 01:49:20 +0900 Subject: [PATCH 15/44] nghttpx: Add AES-256-CBC encryption for TLS session ticket --- gennghttpxfun.py | 1 + src/shrpx-unittest.cc | 2 + src/shrpx.cc | 50 ++++++++++++++++++++---- src/shrpx_config.cc | 83 +++++++++++++++++++++++++++++++++------- src/shrpx_config.h | 24 +++++++++--- src/shrpx_config_test.cc | 54 ++++++++++++++++++++++---- src/shrpx_config_test.h | 1 + src/shrpx_ssl.cc | 16 ++++---- src/util.h | 4 ++ 9 files changed, 193 insertions(+), 42 deletions(-) diff --git a/gennghttpxfun.py b/gennghttpxfun.py index 6412ae2b..9bf1c012 100755 --- a/gennghttpxfun.py +++ b/gennghttpxfun.py @@ -91,6 +91,7 @@ OPTIONS = [ "header-field-buffer", "max-header-fields", "include", + "tls-ticket-cipher", "conf", ] diff --git a/src/shrpx-unittest.cc b/src/shrpx-unittest.cc index 83695204..aea0eb33 100644 --- a/src/shrpx-unittest.cc +++ b/src/shrpx-unittest.cc @@ -122,6 +122,8 @@ int main(int argc, char *argv[]) { shrpx::test_shrpx_config_parse_log_format) || !CU_add_test(pSuite, "config_read_tls_ticket_key_file", shrpx::test_shrpx_config_read_tls_ticket_key_file) || + !CU_add_test(pSuite, "config_read_tls_ticket_key_file_aes_256", + shrpx::test_shrpx_config_read_tls_ticket_key_file_aes_256) || !CU_add_test(pSuite, "config_match_downstream_addr_group", shrpx::test_shrpx_config_match_downstream_addr_group) || !CU_add_test(pSuite, "util_streq", shrpx::test_util_streq) || diff --git a/src/shrpx.cc b/src/shrpx.cc index a5fa929f..d3b1c9fb 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -627,8 +627,21 @@ void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) { ticket_keys->keys.resize(1); } - if (RAND_bytes(reinterpret_cast(&ticket_keys->keys[0]), - sizeof(ticket_keys->keys[0])) == 0) { + auto &new_key = ticket_keys->keys[0]; + new_key.cipher = get_config()->tls_ticket_cipher; + new_key.hmac = EVP_sha256(); + new_key.hmac_keylen = EVP_MD_size(new_key.hmac); + + assert(EVP_CIPHER_key_length(new_key.cipher) <= sizeof(new_key.data.enc_key)); + assert(new_key.hmac_keylen <= sizeof(new_key.data.hmac_key)); + + if (LOG_ENABLED(INFO)) { + LOG(INFO) << "enc_keylen=" << EVP_CIPHER_key_length(new_key.cipher) + << ", hmac_keylen=" << new_key.hmac_keylen; + } + + if (RAND_bytes(reinterpret_cast(&new_key.data), + sizeof(new_key.data)) == 0) { if (LOG_ENABLED(INFO)) { LOG(INFO) << "failed to renew ticket key"; } @@ -638,7 +651,7 @@ void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) { if (LOG_ENABLED(INFO)) { LOG(INFO) << "ticket keys generation done"; for (auto &key : ticket_keys->keys) { - LOG(INFO) << "name: " << util::format_hex(key.name, sizeof(key.name)); + LOG(INFO) << "name: " << util::format_hex(key.data.name); } } @@ -709,8 +722,17 @@ int event_loop() { if (!get_config()->upstream_no_tls) { bool auto_tls_ticket_key = true; if (!get_config()->tls_ticket_key_files.empty()) { - auto ticket_keys = - read_tls_ticket_key_file(get_config()->tls_ticket_key_files); + if (!get_config()->tls_ticket_cipher_given) { + LOG(WARN) << "It is strongly recommended to specify " + "--tls-ticket-cipher=aes-128-cbc (or " + "tls-ticket-cipher=aes-128-cbc in configuration file) " + "when --tls-ticket-key-file is used for the smooth " + "transition when the default value of --tls-ticket-cipher " + "becomes aes-256-cbc"; + } + auto ticket_keys = read_tls_ticket_key_file( + get_config()->tls_ticket_key_files, get_config()->tls_ticket_cipher, + EVP_sha256()); if (!ticket_keys) { LOG(WARN) << "Use internal session ticket key generator"; } else { @@ -967,6 +989,8 @@ void fill_default_config() { mod_config()->header_field_buffer = 64_k; mod_config()->max_header_fields = 100; mod_config()->downstream_addr_group_catch_all = 0; + mod_config()->tls_ticket_cipher = EVP_aes_128_cbc(); + mod_config()->tls_ticket_cipher_given = false; } } // namespace @@ -1278,8 +1302,11 @@ SSL/TLS: are treated as a part of protocol string. Default: )" << DEFAULT_TLS_PROTO_LIST << R"( --tls-ticket-key-file= - Path to file that contains 48 bytes random data to - construct TLS session ticket parameters. This options + Path to file that contains random data to construct TLS + session ticket parameters. If aes-128-cbc is given in + --tls-ticket-cipher, the file must contain exactly 48 + bytes. If aes-256-cbc is given in --tls-ticket-cipher, + the file must contain exactly 80 bytes. This options can be used repeatedly to specify multiple ticket parameters. If several files are given, only the first key is used to encrypt TLS session tickets. Other keys @@ -1294,6 +1321,10 @@ SSL/TLS: while opening or reading a file, key is generated automatically and renewed every 12hrs. At most 2 keys are stored in memory. + --tls-ticket-cipher= + Specify cipher to encrypt TLS session ticket. Specify + either aes-128-cbc or aes-256-cbc. By default, + aes-128-cbc is used. --fetch-ocsp-response-file= Path to fetch-ocsp-response script file. It should be absolute path. @@ -1660,6 +1691,7 @@ int main(int argc, char **argv) { {SHRPX_OPT_MAX_HEADER_FIELDS, required_argument, &flag, 81}, {SHRPX_OPT_ADD_REQUEST_HEADER, required_argument, &flag, 82}, {SHRPX_OPT_INCLUDE, required_argument, &flag, 83}, + {SHRPX_OPT_TLS_TICKET_CIPHER, required_argument, &flag, 84}, {nullptr, 0, nullptr, 0}}; int option_index = 0; @@ -2026,6 +2058,10 @@ int main(int argc, char **argv) { // --include cmdcfgs.emplace_back(SHRPX_OPT_INCLUDE, optarg); break; + case 84: + // --tls-ticket-cipher + cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_CIPHER, optarg); + break; default: break; } diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index 2b20fa93..5486fda8 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -144,36 +144,72 @@ bool is_secure(const char *filename) { } // namespace std::unique_ptr -read_tls_ticket_key_file(const std::vector &files) { +read_tls_ticket_key_file(const std::vector &files, + const EVP_CIPHER *cipher, const EVP_MD *hmac) { auto ticket_keys = make_unique(); auto &keys = ticket_keys->keys; keys.resize(files.size()); + auto enc_keylen = EVP_CIPHER_key_length(cipher); + auto hmac_keylen = EVP_MD_size(hmac); + if (cipher == EVP_aes_128_cbc()) { + // backward compatibility, as a legacy of using same file format + // with nginx and apache. + hmac_keylen = 16; + } + auto expectedlen = sizeof(keys[0].data.name) + enc_keylen + hmac_keylen; + char buf[256]; + assert(sizeof(buf) >= expectedlen); + size_t i = 0; for (auto &file : files) { + struct stat fst {}; + + if (stat(file.c_str(), &fst) == -1) { + auto error = errno; + LOG(ERROR) << "tls-ticket-key-file: could not stat file " << file + << ", errno=" << error; + return nullptr; + } + + if (fst.st_size != expectedlen) { + LOG(ERROR) << "tls-ticket-key-file: the expected file size is " + << expectedlen << ", the actual file size is " << fst.st_size; + return nullptr; + } + std::ifstream f(file.c_str()); if (!f) { LOG(ERROR) << "tls-ticket-key-file: could not open file " << file; return nullptr; } - char buf[48]; - f.read(buf, sizeof(buf)); - if (f.gcount() != sizeof(buf)) { - LOG(ERROR) << "tls-ticket-key-file: want to read 48 bytes but read " - << f.gcount() << " bytes from " << file; + + f.read(buf, expectedlen); + if (f.gcount() != expectedlen) { + LOG(ERROR) << "tls-ticket-key-file: want to read " << expectedlen + << " bytes but only read " << f.gcount() << " bytes from " + << file; return nullptr; } auto &key = keys[i++]; - auto p = buf; - memcpy(key.name, p, sizeof(key.name)); - p += sizeof(key.name); - memcpy(key.aes_key, p, sizeof(key.aes_key)); - p += sizeof(key.aes_key); - memcpy(key.hmac_key, p, sizeof(key.hmac_key)); + key.cipher = cipher; + key.hmac = hmac; + key.hmac_keylen = hmac_keylen; if (LOG_ENABLED(INFO)) { - LOG(INFO) << "session ticket key: " << util::format_hex(key.name, - sizeof(key.name)); + LOG(INFO) << "enc_keylen=" << enc_keylen + << ", hmac_keylen=" << key.hmac_keylen; + } + + auto p = buf; + memcpy(key.data.name, p, sizeof(key.data.name)); + p += sizeof(key.data.name); + memcpy(key.data.enc_key, p, enc_keylen); + p += enc_keylen; + memcpy(key.data.hmac_key, p, hmac_keylen); + + if (LOG_ENABLED(INFO)) { + LOG(INFO) << "session ticket key: " << util::format_hex(key.data.name); } } return ticket_keys; @@ -668,6 +704,7 @@ enum { SHRPX_OPTID_SUBCERT, SHRPX_OPTID_SYSLOG_FACILITY, SHRPX_OPTID_TLS_PROTO_LIST, + SHRPX_OPTID_TLS_TICKET_CIPHER, SHRPX_OPTID_TLS_TICKET_KEY_FILE, SHRPX_OPTID_USER, SHRPX_OPTID_VERIFY_CLIENT, @@ -959,6 +996,11 @@ int option_lookup_token(const char *name, size_t namelen) { return SHRPX_OPTID_WORKER_WRITE_RATE; } break; + case 'r': + if (util::strieq_l("tls-ticket-ciphe", name, 16)) { + return SHRPX_OPTID_TLS_TICKET_CIPHER; + } + break; case 's': if (util::strieq_l("max-header-field", name, 16)) { return SHRPX_OPTID_MAX_HEADER_FIELDS; @@ -1805,6 +1847,19 @@ int parse_config(const char *opt, const char *optarg, return 0; } + case SHRPX_OPTID_TLS_TICKET_CIPHER: + if (util::strieq(optarg, "aes-128-cbc")) { + mod_config()->tls_ticket_cipher = EVP_aes_128_cbc(); + } else if (util::strieq(optarg, "aes-256-cbc")) { + mod_config()->tls_ticket_cipher = EVP_aes_256_cbc(); + } else { + LOG(ERROR) << opt + << ": unsupported cipher for ticket encryption: " << optarg; + return -1; + } + mod_config()->tls_ticket_cipher_given = true; + + return 0; case SHRPX_OPTID_CONF: LOG(WARN) << "conf: ignored"; diff --git a/src/shrpx_config.h b/src/shrpx_config.h index 87af15ba..1fee15f4 100644 --- a/src/shrpx_config.h +++ b/src/shrpx_config.h @@ -171,6 +171,7 @@ constexpr char SHRPX_OPT_NO_OCSP[] = "no-ocsp"; constexpr char SHRPX_OPT_HEADER_FIELD_BUFFER[] = "header-field-buffer"; constexpr char SHRPX_OPT_MAX_HEADER_FIELDS[] = "max-header-fields"; constexpr char SHRPX_OPT_INCLUDE[] = "include"; +constexpr char SHRPX_OPT_TLS_TICKET_CIPHER[] = "tls-ticket-cipher"; union sockaddr_union { sockaddr_storage storage; @@ -224,9 +225,17 @@ struct DownstreamAddrGroup { }; struct TicketKey { - uint8_t name[16]; - uint8_t aes_key[16]; - uint8_t hmac_key[16]; + const EVP_CIPHER *cipher; + const EVP_MD *hmac; + size_t hmac_keylen; + struct { + // name of this ticket configuration + uint8_t name[16]; + // encryption key for |cipher| + uint8_t enc_key[32]; + // hmac key for |hmac| + uint8_t hmac_key[32]; + } data; }; struct TicketKeys { @@ -300,6 +309,7 @@ struct Config { nghttp2_session_callbacks *http2_downstream_callbacks; nghttp2_option *http2_option; nghttp2_option *http2_client_option; + const EVP_CIPHER *tls_ticket_cipher; char **argv; char *cwd; size_t num_worker; @@ -376,6 +386,8 @@ struct Config { // true if host contains UNIX domain socket path bool host_unix; bool no_ocsp; + // true if --tls-ticket-cipher is used + bool tls_ticket_cipher_given; }; const Config *get_config(); @@ -447,10 +459,12 @@ int int_syslog_facility(const char *strfacility); FILE *open_file_for_write(const char *filename); // Reads TLS ticket key file in |files| and returns TicketKey which -// stores read key data. This function returns TicketKey if it +// stores read key data. The given |cipher| and |hmac| determine the +// expected file size. This function returns TicketKey if it // succeeds, or nullptr. std::unique_ptr -read_tls_ticket_key_file(const std::vector &files); +read_tls_ticket_key_file(const std::vector &files, + const EVP_CIPHER *cipher, const EVP_MD *hmac); // Selects group based on request's |hostport| and |path|. |hostport| // is the value taken from :authority or host header field, and may diff --git a/src/shrpx_config_test.cc b/src/shrpx_config_test.cc index c5116294..d91a706b 100644 --- a/src/shrpx_config_test.cc +++ b/src/shrpx_config_test.cc @@ -190,24 +190,62 @@ void test_shrpx_config_read_tls_ticket_key_file(void) { close(fd1); close(fd2); - auto ticket_keys = read_tls_ticket_key_file({file1, file2}); + auto ticket_keys = + read_tls_ticket_key_file({file1, file2}, EVP_aes_128_cbc(), EVP_sha256()); unlink(file1); unlink(file2); CU_ASSERT(ticket_keys.get() != nullptr); CU_ASSERT(2 == ticket_keys->keys.size()); auto key = &ticket_keys->keys[0]; - CU_ASSERT(0 == memcmp("0..............1", key->name, sizeof(key->name))); CU_ASSERT(0 == - memcmp("2..............3", key->aes_key, sizeof(key->aes_key))); - CU_ASSERT(0 == - memcmp("4..............5", key->hmac_key, sizeof(key->hmac_key))); + memcmp("0..............1", key->data.name, sizeof(key->data.name))); + CU_ASSERT(0 == memcmp("2..............3", key->data.enc_key, 16)); + CU_ASSERT(0 == memcmp("4..............5", key->data.hmac_key, 16)); key = &ticket_keys->keys[1]; - CU_ASSERT(0 == memcmp("6..............7", key->name, sizeof(key->name))); CU_ASSERT(0 == - memcmp("8..............9", key->aes_key, sizeof(key->aes_key))); + memcmp("6..............7", key->data.name, sizeof(key->data.name))); + CU_ASSERT(0 == memcmp("8..............9", key->data.enc_key, 16)); + CU_ASSERT(0 == memcmp("a..............b", key->data.hmac_key, 16)); +} + +void test_shrpx_config_read_tls_ticket_key_file_aes_256(void) { + char file1[] = "/tmp/nghttpx-unittest.XXXXXX"; + auto fd1 = mkstemp(file1); + assert(fd1 != -1); + assert(80 == write(fd1, "0..............12..............................34..." + "...........................5", + 80)); + char file2[] = "/tmp/nghttpx-unittest.XXXXXX"; + auto fd2 = mkstemp(file2); + assert(fd2 != -1); + assert(80 == write(fd2, "6..............78..............................9a..." + "...........................b", + 80)); + + close(fd1); + close(fd2); + auto ticket_keys = + read_tls_ticket_key_file({file1, file2}, EVP_aes_256_cbc(), EVP_sha256()); + unlink(file1); + unlink(file2); + CU_ASSERT(ticket_keys.get() != nullptr); + CU_ASSERT(2 == ticket_keys->keys.size()); + auto key = &ticket_keys->keys[0]; CU_ASSERT(0 == - memcmp("a..............b", key->hmac_key, sizeof(key->hmac_key))); + memcmp("0..............1", key->data.name, sizeof(key->data.name))); + CU_ASSERT(0 == + memcmp("2..............................3", key->data.enc_key, 32)); + CU_ASSERT(0 == + memcmp("4..............................5", key->data.hmac_key, 32)); + + key = &ticket_keys->keys[1]; + CU_ASSERT(0 == + memcmp("6..............7", key->data.name, sizeof(key->data.name))); + CU_ASSERT(0 == + memcmp("8..............................9", key->data.enc_key, 32)); + CU_ASSERT(0 == + memcmp("a..............................b", key->data.hmac_key, 32)); } void test_shrpx_config_match_downstream_addr_group(void) { diff --git a/src/shrpx_config_test.h b/src/shrpx_config_test.h index 5f9c170a..5db97392 100644 --- a/src/shrpx_config_test.h +++ b/src/shrpx_config_test.h @@ -35,6 +35,7 @@ void test_shrpx_config_parse_config_str_list(void); void test_shrpx_config_parse_header(void); void test_shrpx_config_parse_log_format(void); void test_shrpx_config_read_tls_ticket_key_file(void); +void test_shrpx_config_read_tls_ticket_key_file_aes_256(void); void test_shrpx_config_match_downstream_addr_group(void); } // namespace shrpx diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc index 9f95fa2f..121f4ce3 100644 --- a/src/shrpx_ssl.cc +++ b/src/shrpx_ssl.cc @@ -213,21 +213,21 @@ int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv, if (LOG_ENABLED(INFO)) { CLOG(INFO, handler) << "encrypt session ticket key: " - << util::format_hex(key.name, 16); + << util::format_hex(key.data.name); } - memcpy(key_name, key.name, sizeof(key.name)); + memcpy(key_name, key.data.name, sizeof(key.data.name)); - EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), nullptr, key.aes_key, iv); - HMAC_Init_ex(hctx, key.hmac_key, sizeof(key.hmac_key), EVP_sha256(), - nullptr); + EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_cipher, nullptr, + key.data.enc_key, iv); + HMAC_Init_ex(hctx, key.data.hmac_key, key.hmac_keylen, key.hmac, nullptr); return 1; } size_t i; for (i = 0; i < keys.size(); ++i) { auto &key = keys[0]; - if (memcmp(key.name, key_name, sizeof(key.name)) == 0) { + if (memcmp(key_name, key.data.name, sizeof(key.data.name)) == 0) { break; } } @@ -246,8 +246,8 @@ int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv, } auto &key = keys[i]; - HMAC_Init_ex(hctx, key.hmac_key, sizeof(key.hmac_key), EVP_sha256(), nullptr); - EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), nullptr, key.aes_key, iv); + HMAC_Init_ex(hctx, key.data.hmac_key, key.hmac_keylen, key.hmac, nullptr); + EVP_DecryptInit_ex(ctx, key.cipher, nullptr, key.data.enc_key, iv); return i == 0 ? 1 : 2; } diff --git a/src/util.h b/src/util.h index d43d3c76..6c04fef0 100644 --- a/src/util.h +++ b/src/util.h @@ -212,6 +212,10 @@ std::string quote_string(const std::string &target); std::string format_hex(const unsigned char *s, size_t len); +template std::string format_hex(const unsigned char (&s)[N]) { + return format_hex(s, N); +} + std::string http_date(time_t t); // Returns given time |t| from epoch in Common Log format (e.g., From c1c177addc2226e74744c5dfafae3094bc6e5a40 Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Fri, 17 Jul 2015 14:10:21 -0700 Subject: [PATCH 16/44] Changing warning to mention #reqs rather than test time --- src/h2load.cc | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index 983a35db..5ec34e82 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -1427,19 +1427,24 @@ int main(int argc, char **argv) { if (config.is_rate_mode() && (int)config.max_concurrent_streams != 0 && (n_time != c_time) && config.nreqs != 1 && config.nconns != 0) { if ((int)config.nreqs < config.nconns) { - std::cerr << "-C, -n: warning: two different test times are being set. " + std::cerr << "-C, -n: warning: number of requests conflict. " << std::endl; - std::cerr << "The test will run for " << c_time << " seconds." - << std::endl; - } else { - std::cout << "-C, -n: warning: two different test times are being set. " + std::cerr << "The test will create " + << (config.max_concurrent_streams * config.nconns) + << " total requests." << std::endl; + } + else { + std::cout << "-C, -n: warning: number of requests conflict. " << std::endl; std::cout << "The smaller of the two will be chosen and the test will " - << "run for " << std::min(n_time, c_time) << " seconds." - << std::endl; + << "create " + << std::min(config.nreqs, + (size_t)(config.max_concurrent_streams * config.nconns)) + << " total requests." << std::endl; } } + Headers shared_nva; shared_nva.emplace_back(":scheme", config.scheme); if (config.port != config.default_port) { From d326e28c9233eed625d903d2e295e0898b179ab1 Mon Sep 17 00:00:00 2001 From: Nora Shoemaker Date: Fri, 17 Jul 2015 14:10:40 -0700 Subject: [PATCH 17/44] running clang-format --- src/h2load.cc | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index 5ec34e82..b1f5a672 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -1432,19 +1432,18 @@ int main(int argc, char **argv) { std::cerr << "The test will create " << (config.max_concurrent_streams * config.nconns) << " total requests." << std::endl; - } - else { + } else { std::cout << "-C, -n: warning: number of requests conflict. " << std::endl; std::cout << "The smaller of the two will be chosen and the test will " << "create " - << std::min(config.nreqs, - (size_t)(config.max_concurrent_streams * config.nconns)) + << std::min( + config.nreqs, + (size_t)(config.max_concurrent_streams * config.nconns)) << " total requests." << std::endl; } } - Headers shared_nva; shared_nva.emplace_back(":scheme", config.scheme); if (config.port != config.default_port) { From f2a1c8ee60ffd1e67e4287ea0d12a72cc7cd92f2 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 19 Jul 2015 16:11:42 +0900 Subject: [PATCH 18/44] Partially revert a23ab00686108eff07579bb3602bdb66452fe82c The workaround introduced in a23ab00686108eff07579bb3602bdb66452fe82c may cause a problem in certain platform (e.g., MacPorts, see GH-303) --- python/Makefile.am | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/python/Makefile.am b/python/Makefile.am index 46a7ef22..43aa5491 100644 --- a/python/Makefile.am +++ b/python/Makefile.am @@ -33,8 +33,7 @@ all-local: nghttp2.c $(PYTHON) setup.py build install-exec-local: - test -d $(pyexecdir) || mkdir -p $(pyexecdir) - PYTHONUSERBASE=$(DESTDIR)/$(prefix) $(PYTHON) setup.py install --user + $(PYTHON) setup.py install --prefix=$(DESTDIR)$(prefix) uninstall-local: rm -f $(DESTDIR)$(libdir)/python*/site-packages/nghttp2.so From 5465cdf4a40099f6abfba6ae2b2f379f6f9730cc Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 19 Jul 2015 17:14:25 +0900 Subject: [PATCH 19/44] src: Don't use struct tm.tm_yday from strptime --- src/timegm.c | 33 +++++++++++++++++++++++++++++++++ src/timegm.h | 5 +++++ src/util.cc | 2 +- 3 files changed, 39 insertions(+), 1 deletion(-) diff --git a/src/timegm.c b/src/timegm.c index 62b14430..e52fe74a 100644 --- a/src/timegm.c +++ b/src/timegm.c @@ -53,3 +53,36 @@ time_t nghttp2_timegm(struct tm *tm) { return (time_t)t; } + +/* Returns nonzero if the |y| is the leap year. The |y| is the year, + including century (e.g., 2012) */ +static int is_leap_year(int y) { + return y % 4 == 0 && (y % 100 != 0 || y % 400 == 0); +} + +/* The number of days before ith month begins */ +static int daysum[] = {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334}; + +time_t nghttp2_timegm_without_yday(struct tm *tm) { + int days; + int num_leap_year; + int64_t t; + if (tm->tm_mon > 11) { + return -1; + } + num_leap_year = count_leap_year(tm->tm_year + 1900) - count_leap_year(1970); + days = (tm->tm_year - 70) * 365 + num_leap_year + daysum[tm->tm_mon] + + tm->tm_mday - 1; + if (tm->tm_mon >= 2 && is_leap_year(tm->tm_year + 1900)) { + ++days; + } + t = ((int64_t)days * 24 + tm->tm_hour) * 3600 + tm->tm_min * 60 + tm->tm_sec; + +#if SIZEOF_TIME_T == 4 + if (t < INT32_MIN || t > INT32_MAX) { + return -1; + } +#endif /* SIZEOF_TIME_T == 4 */ + + return t; +} diff --git a/src/timegm.h b/src/timegm.h index 4168fdd1..4383fda1 100644 --- a/src/timegm.h +++ b/src/timegm.h @@ -39,6 +39,11 @@ extern "C" { time_t nghttp2_timegm(struct tm *tm); +/* Just like nghttp2_timegm, but without using tm->tm_yday. This is + useful if we use tm from strptime, since some platforms do not + calculate tm_yday with that call. */ +time_t nghttp2_timegm_without_yday(struct tm *tm); + #ifdef __cplusplus } #endif /* __cplusplus */ diff --git a/src/util.cc b/src/util.cc index 191bd13f..9586ab77 100644 --- a/src/util.cc +++ b/src/util.cc @@ -354,7 +354,7 @@ time_t parse_http_date(const std::string &s) { if (r == 0) { return 0; } - return nghttp2_timegm(&tm); + return nghttp2_timegm_without_yday(&tm); } namespace { From 006ac7b1b0415016d6634a207a6c5b2ea731f67b Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 19 Jul 2015 17:27:38 +0900 Subject: [PATCH 20/44] h2load: Fix HTML formatting --- src/h2load.cc | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index b1f5a672..f9519d34 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -1063,34 +1063,32 @@ Options: Available protocol: )"; #endif // !HAVE_SPDYLAY out << NGHTTP2_CLEARTEXT_PROTO_VERSION_ID << R"( - Default: )" - << NGHTTP2_CLEARTEXT_PROTO_VERSION_ID << R"( + Default: )" << NGHTTP2_CLEARTEXT_PROTO_VERSION_ID << R"( -d, --data= Post FILE to server. The request method is changed to POST. -r, --rate= - Specified the fixed rate at which connections are - created. The rate must be a positive integer, - representing the number of connections to be made per - second. When the rate is 0, the program will run as it + Specified the fixed rate at which connections are + created. The rate must be a positive integer, + representing the number of connections to be made per + second. When the rate is 0, the program will run as it normally does, creating connections at whatever variable - rate it wants. The default value for this option is 0. + rate it wants. The default value for this option is 0. -C, --num-conns= - Specifies the total number of connections to create. The - total number of connections must be a positive integer. - On each connection, '-m' requests are made. The test - stops once as soon as the N connections have either - completed or failed. When the number of connections is + Specifies the total number of connections to create. + The total number of connections must be a positive + integer. On each connection, -m requests are made. The + test stops once as soon as the N connections have either + completed or failed. When the number of connections is 0, the program will run as it normally does, creating as - many connections as it needs in order to make the '-n' - requests specified. The default value for this option is - 0. The '-n' option is not required if the '-C' option - is being used. + many connections as it needs in order to make the -n + requests specified. The default value for this option + is 0. The -n option is not required if the -C option is + being used. -v, --verbose Output debug information. --version Display version information and exit. - -h, --help Display this help and exit.)" - << std::endl; + -h, --help Display this help and exit.)" << std::endl; } } // namespace From cce64e67288ee46a12ef45b31063d4dd141130c3 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 19 Jul 2015 17:31:35 +0900 Subject: [PATCH 21/44] h2load: Call second_timeout_cb manually so that we don't waste first 1 second --- src/h2load.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/h2load.cc b/src/h2load.cc index f9519d34..918e0f42 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -1594,6 +1594,10 @@ int main(int argc, char **argv) { ev_init(&timeout_watcher, second_timeout_cb); timeout_watcher.repeat = 1.; ev_timer_again(rate_loop, &timeout_watcher); + + // call callback so that we don't waste first 1 second. + second_timeout_cb(rate_loop, &timeout_watcher, 0); + ev_run(rate_loop, 0); } // end rate mode section From 5dc060c1a2f04cc9c6f183b5822c5da2411909e4 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 19 Jul 2015 17:55:37 +0900 Subject: [PATCH 22/44] src: Use C++11 value-initialization, instead of memset-ing 0 --- src/HttpServer.cc | 3 +-- src/h2load.cc | 12 ++++-------- src/http2_test.cc | 3 +-- src/nghttp.cc | 21 +++++++-------------- src/nghttpd.cc | 3 +-- src/shrpx.cc | 11 ++++------- src/shrpx_config.cc | 3 +-- src/shrpx_connection_handler.cc | 12 ++++-------- src/shrpx_downstream.cc | 3 +-- src/shrpx_http2_upstream.cc | 6 ++---- src/shrpx_spdy_upstream.cc | 3 +-- src/util.cc | 6 ++---- 12 files changed, 29 insertions(+), 57 deletions(-) diff --git a/src/HttpServer.cc b/src/HttpServer.cc index 02279ad1..6936bc85 100644 --- a/src/HttpServer.cc +++ b/src/HttpServer.cc @@ -1666,7 +1666,6 @@ int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { namespace { int start_listen(HttpServer *sv, struct ev_loop *loop, Sessions *sessions, const Config *config) { - addrinfo hints; int r; bool ok = false; const char *addr = nullptr; @@ -1674,7 +1673,7 @@ int start_listen(HttpServer *sv, struct ev_loop *loop, Sessions *sessions, auto acceptor = std::make_shared(sv, sessions, config); auto service = util::utos(config->port); - memset(&hints, 0, sizeof(addrinfo)); + addrinfo hints{}; hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE; diff --git a/src/h2load.cc b/src/h2load.cc index 918e0f42..32763a0a 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -841,9 +841,8 @@ process_time_stats(const std::vector> &workers) { namespace { void resolve_host() { int rv; - addrinfo hints, *res; + addrinfo hints{}, *res; - memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = 0; @@ -906,8 +905,7 @@ std::vector parse_uris(Iterator first, Iterator last) { // First URI is treated specially. We use scheme, host and port of // this URI and ignore those in the remaining URIs if present. - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; if (first == last) { std::cerr << "no URI available" << std::endl; @@ -935,8 +933,7 @@ std::vector parse_uris(Iterator first, Iterator last) { reqlines.push_back(get_reqline(uri, u)); for (; first != last; ++first) { - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; auto uri = (*first).c_str(); @@ -1333,8 +1330,7 @@ int main(int argc, char **argv) { config.data_length = data_stat.st_size; } - struct sigaction act; - memset(&act, 0, sizeof(struct sigaction)); + struct sigaction act {}; act.sa_handler = SIG_IGN; sigaction(SIGPIPE, &act, nullptr); diff --git a/src/http2_test.cc b/src/http2_test.cc index 88339045..9a99a3a9 100644 --- a/src/http2_test.cc +++ b/src/http2_test.cc @@ -191,8 +191,7 @@ void check_rewrite_location_uri(const std::string &want, const std::string &uri, const std::string &match_host, const std::string &req_authority, const std::string &upstream_scheme) { - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; CU_ASSERT(0 == http_parser_parse_url(uri.c_str(), uri.size(), 0, &u)); auto got = http2::rewrite_location_uri(uri, u, match_host, req_authority, upstream_scheme); diff --git a/src/nghttp.cc b/src/nghttp.cc index eb423c6d..8f85aaca 100644 --- a/src/nghttp.cc +++ b/src/nghttp.cc @@ -501,9 +501,8 @@ bool HttpClient::need_upgrade() const { int HttpClient::resolve_host(const std::string &host, uint16_t port) { int rv; - addrinfo hints; this->host = host; - memset(&hints, 0, sizeof(hints)); + addrinfo hints{}; hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = 0; @@ -1260,8 +1259,7 @@ bool HttpClient::add_request(const std::string &uri, const nghttp2_data_provider *data_prd, int64_t data_length, const nghttp2_priority_spec &pri_spec, int level) { - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; if (http_parser_parse_url(uri.c_str(), uri.size(), 0, &u) != 0) { return false; } @@ -1485,8 +1483,7 @@ void update_html_parser(HttpClient *client, Request *req, const uint8_t *data, auto uri = strip_fragment(p.first.c_str()); auto res_type = p.second; - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; if (http_parser_parse_url(uri.c_str(), uri.size(), 0, &u) == 0 && util::fieldeq(uri.c_str(), u, req->uri.c_str(), req->u, UF_SCHEMA) && util::fieldeq(uri.c_str(), u, req->uri.c_str(), req->u, UF_HOST) && @@ -1650,8 +1647,7 @@ int on_begin_headers_callback(nghttp2_session *session, } case NGHTTP2_PUSH_PROMISE: { auto stream_id = frame->push_promise.promised_stream_id; - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; // TODO Set pri and level nghttp2_priority_spec pri_spec; @@ -1820,8 +1816,7 @@ int on_frame_recv_callback2(nghttp2_session *session, uri += "://"; uri += authority->value; uri += path->value; - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; if (http_parser_parse_url(uri.c_str(), uri.size(), 0, &u) != 0) { nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE, frame->push_promise.promised_stream_id, @@ -2299,8 +2294,7 @@ int run(char **uris, int n) { std::vector> requests; for (int i = 0; i < n; ++i) { - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; auto uri = strip_fragment(uris[i]); if (http_parser_parse_url(uri.c_str(), uri.size(), 0, &u) != 0) { std::cerr << "[ERROR] Could not parse URI " << uri << std::endl; @@ -2701,8 +2695,7 @@ int main(int argc, char **argv) { nghttp2_option_set_peer_max_concurrent_streams( config.http2_option, config.peer_max_concurrent_streams); - struct sigaction act; - memset(&act, 0, sizeof(struct sigaction)); + struct sigaction act {}; act.sa_handler = SIG_IGN; sigaction(SIGPIPE, &act, nullptr); reset_timer(); diff --git a/src/nghttpd.cc b/src/nghttpd.cc index e5d7c2e0..7f11efd5 100644 --- a/src/nghttpd.cc +++ b/src/nghttpd.cc @@ -371,8 +371,7 @@ int main(int argc, char **argv) { set_color_output(color || isatty(fileno(stdout))); - struct sigaction act; - memset(&act, 0, sizeof(struct sigaction)); + struct sigaction act {}; act.sa_handler = SIG_IGN; sigaction(SIGPIPE, &act, nullptr); diff --git a/src/shrpx.cc b/src/shrpx.cc index d3b1c9fb..b346aa99 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -119,12 +119,11 @@ const int GRACEFUL_SHUTDOWN_SIGNAL = SIGQUIT; namespace { int resolve_hostname(sockaddr_union *addr, size_t *addrlen, const char *hostname, uint16_t port, int family) { - addrinfo hints; int rv; auto service = util::utos(port); - memset(&hints, 0, sizeof(addrinfo)); + addrinfo hints{}; hints.ai_family = family; hints.ai_socktype = SOCK_STREAM; #ifdef AI_ADDRCONFIG @@ -279,12 +278,11 @@ std::unique_ptr create_acceptor(ConnectionHandler *handler, } } - addrinfo hints; int fd = -1; int rv; auto service = util::utos(get_config()->port); - memset(&hints, 0, sizeof(addrinfo)); + addrinfo hints{}; hints.ai_family = family; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE; @@ -849,7 +847,7 @@ int16_t DEFAULT_DOWNSTREAM_PORT = 80; namespace { void fill_default_config() { - memset(mod_config(), 0, sizeof(*mod_config())); + *mod_config() = {}; mod_config()->verbose = false; mod_config()->daemon = false; @@ -2359,8 +2357,7 @@ int main(int argc, char **argv) { reset_timer(); } - struct sigaction act; - memset(&act, 0, sizeof(struct sigaction)); + struct sigaction act {}; act.sa_handler = SIG_IGN; sigaction(SIGPIPE, &act, nullptr); diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index 5486fda8..b51d44e2 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -1575,8 +1575,7 @@ int parse_config(const char *opt, const char *optarg, return 0; case SHRPX_OPTID_BACKEND_HTTP_PROXY_URI: { // parse URI and get hostname, port and optionally userinfo. - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; int rv = http_parser_parse_url(optarg, strlen(optarg), 0, &u); if (rv == 0) { std::string val; diff --git a/src/shrpx_connection_handler.cc b/src/shrpx_connection_handler.cc index cbe828b8..91b477d2 100644 --- a/src/shrpx_connection_handler.cc +++ b/src/shrpx_connection_handler.cc @@ -129,9 +129,8 @@ ConnectionHandler::~ConnectionHandler() { } void ConnectionHandler::worker_reopen_log_files() { - WorkerEvent wev; + WorkerEvent wev{}; - memset(&wev, 0, sizeof(wev)); wev.type = REOPEN_LOG; for (auto &worker : workers_) { @@ -141,9 +140,8 @@ void ConnectionHandler::worker_reopen_log_files() { void ConnectionHandler::worker_renew_ticket_keys( const std::shared_ptr &ticket_keys) { - WorkerEvent wev; + WorkerEvent wev{}; - memset(&wev, 0, sizeof(wev)); wev.type = RENEW_TICKET_KEYS; wev.ticket_keys = ticket_keys; @@ -216,8 +214,7 @@ void ConnectionHandler::graceful_shutdown_worker() { return; } - WorkerEvent wev; - memset(&wev, 0, sizeof(wev)); + WorkerEvent wev{}; wev.type = GRACEFUL_SHUTDOWN; if (LOG_ENABLED(INFO)) { @@ -266,8 +263,7 @@ int ConnectionHandler::handle_connection(int fd, sockaddr *addr, int addrlen) { LOG(INFO) << "Dispatch connection to worker #" << idx; } ++worker_round_robin_cnt_; - WorkerEvent wev; - memset(&wev, 0, sizeof(wev)); + WorkerEvent wev{}; wev.type = NEW_CONNECTION; wev.client_fd = fd; memcpy(&wev.client_addr, addr, addrlen); diff --git a/src/shrpx_downstream.cc b/src/shrpx_downstream.cc index 87a2d082..bfd7aa4b 100644 --- a/src/shrpx_downstream.cc +++ b/src/shrpx_downstream.cc @@ -621,8 +621,7 @@ void Downstream::rewrite_location_response_header( if (!hd) { return; } - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; int rv = http_parser_parse_url((*hd).value.c_str(), (*hd).value.size(), 0, &u); if (rv != 0) { diff --git a/src/shrpx_http2_upstream.cc b/src/shrpx_http2_upstream.cc index 87c77d14..51146e8c 100644 --- a/src/shrpx_http2_upstream.cc +++ b/src/shrpx_http2_upstream.cc @@ -1482,8 +1482,7 @@ int Http2Upstream::on_downstream_reset(bool no_retry) { int Http2Upstream::prepare_push_promise(Downstream *downstream) { int rv; - http_parser_url u; - memset(&u, 0, sizeof(u)); + http_parser_url u{}; rv = http_parser_parse_url(downstream->get_request_path().c_str(), downstream->get_request_path().size(), 0, &u); if (rv != 0) { @@ -1513,8 +1512,7 @@ int Http2Upstream::prepare_push_promise(Downstream *downstream) { const char *relq = nullptr; size_t relqlen = 0; - http_parser_url v; - memset(&v, 0, sizeof(v)); + http_parser_url v{}; rv = http_parser_parse_url(link_url, link_urllen, 0, &v); if (rv != 0) { assert(link_urllen); diff --git a/src/shrpx_spdy_upstream.cc b/src/shrpx_spdy_upstream.cc index 5f124296..745cc0b5 100644 --- a/src/shrpx_spdy_upstream.cc +++ b/src/shrpx_spdy_upstream.cc @@ -452,8 +452,7 @@ SpdyUpstream::SpdyUpstream(uint16_t version, ClientHandler *handler) : 0, !get_config()->http2_proxy), handler_(handler), session_(nullptr) { - spdylay_session_callbacks callbacks; - memset(&callbacks, 0, sizeof(callbacks)); + spdylay_session_callbacks callbacks{}; callbacks.send_callback = send_callback; callbacks.recv_callback = recv_callback; callbacks.on_stream_close_callback = on_stream_close_callback; diff --git a/src/util.cc b/src/util.cc index 9586ab77..0f70f0da 100644 --- a/src/util.cc +++ b/src/util.cc @@ -348,8 +348,7 @@ std::string iso8601_date(int64_t ms) { } time_t parse_http_date(const std::string &s) { - tm tm; - memset(&tm, 0, sizeof(tm)); + tm tm{}; char *r = strptime(s.c_str(), "%a, %d %b %Y %H:%M:%S GMT", &tm); if (r == 0) { return 0; @@ -637,9 +636,8 @@ void write_uri_field(std::ostream &o, const char *uri, const http_parser_url &u, } bool numeric_host(const char *hostname) { - struct addrinfo hints; struct addrinfo *res; - memset(&hints, 0, sizeof(hints)); + struct addrinfo hints {}; hints.ai_family = AF_UNSPEC; hints.ai_flags = AI_NUMERICHOST; if (getaddrinfo(hostname, nullptr, &hints, &res)) { From b37716ab6af4dc69d483ebd4c81860ac8259481d Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 19 Jul 2015 18:35:14 +0900 Subject: [PATCH 23/44] h2load: Workaround with clang-3.4 --- src/h2load.cc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index 32763a0a..ba57e251 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -899,14 +899,12 @@ int client_select_next_proto_cb(SSL *ssl, unsigned char **out, } // namespace namespace { -template -std::vector parse_uris(Iterator first, Iterator last) { +// Use std::vector::iterator explicitly, without that, +// http_parser_url u{} fails with clang-3.4. +std::vector parse_uris(std::vector::iterator first, + std::vector::iterator last) { std::vector reqlines; - // First URI is treated specially. We use scheme, host and port of - // this URI and ignore those in the remaining URIs if present. - http_parser_url u{}; - if (first == last) { std::cerr << "no URI available" << std::endl; exit(EXIT_FAILURE); @@ -915,6 +913,9 @@ std::vector parse_uris(Iterator first, Iterator last) { auto uri = (*first).c_str(); ++first; + // First URI is treated specially. We use scheme, host and port of + // this URI and ignore those in the remaining URIs if present. + http_parser_url u{}; if (http_parser_parse_url(uri, strlen(uri), 0, &u) != 0 || !util::has_uri_field(u, UF_SCHEMA) || !util::has_uri_field(u, UF_HOST)) { std::cerr << "invalid URI: " << uri << std::endl; From fa7a74cfa8c616425244d3aba4d061be9956715f Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 19 Jul 2015 18:37:41 +0900 Subject: [PATCH 24/44] h2load: Use std::string::size instead of strlen --- src/h2load.cc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index ba57e251..efb49c27 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -911,17 +911,18 @@ std::vector parse_uris(std::vector::iterator first, } auto uri = (*first).c_str(); - ++first; // First URI is treated specially. We use scheme, host and port of // this URI and ignore those in the remaining URIs if present. http_parser_url u{}; - if (http_parser_parse_url(uri, strlen(uri), 0, &u) != 0 || + if (http_parser_parse_url(uri, (*first).size(), 0, &u) != 0 || !util::has_uri_field(u, UF_SCHEMA) || !util::has_uri_field(u, UF_HOST)) { std::cerr << "invalid URI: " << uri << std::endl; exit(EXIT_FAILURE); } + ++first; + config.scheme = util::get_uri_field(uri, u, UF_SCHEMA); config.host = util::get_uri_field(uri, u, UF_HOST); config.default_port = util::get_default_port(uri, u); @@ -938,7 +939,7 @@ std::vector parse_uris(std::vector::iterator first, auto uri = (*first).c_str(); - if (http_parser_parse_url(uri, strlen(uri), 0, &u) != 0) { + if (http_parser_parse_url(uri, (*first).size(), 0, &u) != 0) { std::cerr << "invalid URI: " << uri << std::endl; exit(EXIT_FAILURE); } From 5c96ecd77d18ae302d62a2d59841c76381b2a536 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 19 Jul 2015 19:16:09 +0900 Subject: [PATCH 25/44] Dump APIDOC removal failure errors to /dev/null --- doc/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/Makefile.am b/doc/Makefile.am index 0eefa442..55042f65 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -223,7 +223,7 @@ $(APIDOC): apidoc.stamp fi clean-local: - -rm $(APIDOCS) + -rm $(APIDOCS) > /dev/null 2>&1 -rm -rf $(BUILDDIR)/* html-local: apiref.rst From ca3444c34cfce8ec16ddc50754058336ada6c503 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 19 Jul 2015 20:50:14 +0900 Subject: [PATCH 26/44] Fix compile error/warnings with gcc-4.7 --- src/shrpx.cc | 3 ++- src/shrpx_config.cc | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/shrpx.cc b/src/shrpx.cc index b346aa99..b6f442d7 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -630,7 +630,8 @@ void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) { new_key.hmac = EVP_sha256(); new_key.hmac_keylen = EVP_MD_size(new_key.hmac); - assert(EVP_CIPHER_key_length(new_key.cipher) <= sizeof(new_key.data.enc_key)); + assert(static_cast(EVP_CIPHER_key_length(new_key.cipher)) <= + sizeof(new_key.data.enc_key)); assert(new_key.hmac_keylen <= sizeof(new_key.data.hmac_key)); if (LOG_ENABLED(INFO)) { diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index b51d44e2..4db9c060 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -171,7 +171,7 @@ read_tls_ticket_key_file(const std::vector &files, return nullptr; } - if (fst.st_size != expectedlen) { + if (static_cast(fst.st_size) != expectedlen) { LOG(ERROR) << "tls-ticket-key-file: the expected file size is " << expectedlen << ", the actual file size is " << fst.st_size; return nullptr; @@ -184,7 +184,7 @@ read_tls_ticket_key_file(const std::vector &files, } f.read(buf, expectedlen); - if (f.gcount() != expectedlen) { + if (static_cast(f.gcount()) != expectedlen) { LOG(ERROR) << "tls-ticket-key-file: want to read " << expectedlen << " bytes but only read " << f.gcount() << " bytes from " << file; @@ -1836,7 +1836,7 @@ int parse_config(const char *opt, const char *optarg, return -1; } - included_set.emplace(optarg); + included_set.insert(optarg); auto rv = load_config(optarg, included_set); included_set.erase(optarg); From dd8ce1e9d2522aa17593666ca4e2dad064cfc71a Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Mon, 20 Jul 2015 21:37:23 +0900 Subject: [PATCH 27/44] nghttpx: Use std::unique_ptr instead of raw char pointer --- src/shrpx_config.cc | 74 ++++++++++++++++++------------------- src/shrpx_config.h | 39 ++++++++++--------- src/shrpx_config_test.cc | 27 ++++++-------- src/shrpx_https_upstream.cc | 5 ++- src/shrpx_ssl.cc | 31 ++++++++-------- src/shrpx_ssl.h | 8 ++-- 6 files changed, 90 insertions(+), 94 deletions(-) diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index 4db9c060..99f1983d 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -261,35 +261,37 @@ std::string read_passwd_from_file(const char *filename) { return line; } -std::vector parse_config_str_list(const char *s, char delim) { +std::vector> split_config_str_list(const char *s, + char delim) { size_t len = 1; - for (const char *first = s, *p = nullptr; (p = strchr(first, delim)); - ++len, first = p + 1) + auto last = s + strlen(s); + for (const char *first = s, *d = nullptr; + (d = std::find(first, last, delim)) != last; ++len, first = d + 1) ; - auto list = std::vector(len); - auto first = strdup(s); + + auto list = std::vector>(len); + len = 0; - for (;;) { - auto p = strchr(first, delim); - if (p == nullptr) { + for (auto first = s;; ++len) { + auto stop = std::find(first, last, delim); + list[len] = {first, stop}; + if (stop == last) { break; } - list[len++] = first; - *p = '\0'; - first = p + 1; + first = stop + 1; } - list[len++] = first; - return list; } -void clear_config_str_list(std::vector &list) { - if (list.empty()) { - return; +std::vector> parse_config_str_list(const char *s, + char delim) { + auto ranges = split_config_str_list(s, delim); + auto res = std::vector>(); + res.reserve(ranges.size()); + for (const auto &range : ranges) { + res.push_back(strcopy(range.first, range.second)); } - - free(list[0]); - list.clear(); + return res; } std::pair parse_header(const char *optarg) { @@ -590,22 +592,21 @@ namespace { void parse_mapping(const DownstreamAddr &addr, const char *src) { // This returns at least 1 element (it could be empty string). We // will append '/' to all patterns, so it becomes catch-all pattern. - auto mapping = parse_config_str_list(src, ':'); + auto mapping = split_config_str_list(src, ':'); assert(!mapping.empty()); - for (auto raw_pattern : mapping) { + for (const auto &raw_pattern : mapping) { auto done = false; std::string pattern; - auto slash = strchr(raw_pattern, '/'); - if (slash == nullptr) { + auto slash = std::find(raw_pattern.first, raw_pattern.second, '/'); + if (slash == raw_pattern.second) { // This effectively makes empty pattern to "/". - pattern = raw_pattern; + pattern.assign(raw_pattern.first, raw_pattern.second); util::inp_strlower(pattern); pattern += "/"; } else { - pattern.assign(raw_pattern, slash); + pattern.assign(raw_pattern.first, slash); util::inp_strlower(pattern); - pattern += - http2::normalize_path(slash, raw_pattern + strlen(raw_pattern)); + pattern += http2::normalize_path(slash, raw_pattern.second); } for (auto &g : mod_config()->downstream_addr_groups) { if (g.pattern == pattern) { @@ -621,7 +622,6 @@ void parse_mapping(const DownstreamAddr &addr, const char *src) { g.addrs.push_back(addr); mod_config()->downstream_addr_groups.push_back(std::move(g)); } - clear_config_str_list(mapping); } } // namespace @@ -1629,12 +1629,10 @@ int parse_config(const char *opt, const char *optarg, LOG(WARN) << opt << ": not implemented yet"; return parse_uint_with_unit(&mod_config()->worker_write_burst, opt, optarg); case SHRPX_OPTID_NPN_LIST: - clear_config_str_list(mod_config()->npn_list); mod_config()->npn_list = parse_config_str_list(optarg); return 0; case SHRPX_OPTID_TLS_PROTO_LIST: - clear_config_str_list(mod_config()->tls_proto_list); mod_config()->tls_proto_list = parse_config_str_list(optarg); return 0; @@ -1689,13 +1687,13 @@ int parse_config(const char *opt, const char *optarg, int port; - if (parse_uint(&port, opt, tokens[1]) != 0) { + if (parse_uint(&port, opt, tokens[1].get()) != 0) { return -1; } if (port < 1 || port > static_cast(std::numeric_limits::max())) { - LOG(ERROR) << opt << ": port is invalid: " << tokens[1]; + LOG(ERROR) << opt << ": port is invalid: " << tokens[1].get(); return -1; } @@ -1703,16 +1701,16 @@ int parse_config(const char *opt, const char *optarg, altsvc.port = port; - altsvc.protocol_id = tokens[0]; - altsvc.protocol_id_len = strlen(altsvc.protocol_id); + altsvc.protocol_id = std::move(tokens[0]); + altsvc.protocol_id_len = strlen(altsvc.protocol_id.get()); if (tokens.size() > 2) { - altsvc.host = tokens[2]; - altsvc.host_len = strlen(altsvc.host); + altsvc.host = std::move(tokens[2]); + altsvc.host_len = strlen(altsvc.host.get()); if (tokens.size() > 3) { - altsvc.origin = tokens[3]; - altsvc.origin_len = strlen(altsvc.origin); + altsvc.origin = std::move(tokens[3]); + altsvc.origin_len = strlen(altsvc.origin.get()); } } diff --git a/src/shrpx_config.h b/src/shrpx_config.h index 1fee15f4..68840c1d 100644 --- a/src/shrpx_config.h +++ b/src/shrpx_config.h @@ -184,13 +184,11 @@ union sockaddr_union { enum shrpx_proto { PROTO_HTTP2, PROTO_HTTP }; struct AltSvc { - AltSvc() - : protocol_id(nullptr), host(nullptr), origin(nullptr), - protocol_id_len(0), host_len(0), origin_len(0), port(0) {} + AltSvc() : protocol_id_len(0), host_len(0), origin_len(0), port(0) {} - char *protocol_id; - char *host; - char *origin; + std::unique_ptr protocol_id; + std::unique_ptr host; + std::unique_ptr origin; size_t protocol_id_len; size_t host_len; @@ -291,10 +289,10 @@ struct Config { // list of supported NPN/ALPN protocol strings in the order of // preference. The each element of this list is a NULL-terminated // string. - std::vector npn_list; + std::vector> npn_list; // list of supported SSL/TLS protocol strings. The each element of // this list is a NULL-terminated string. - std::vector tls_proto_list; + std::vector> tls_proto_list; // Path to file containing CA certificate solely used for client // certificate validation std::unique_ptr verify_client_cacert; @@ -410,19 +408,20 @@ int load_config(const char *filename, std::set &include_set); // Read passwd from |filename| std::string read_passwd_from_file(const char *filename); -// Parses delimited strings in |s| and returns the array of pointers, -// each element points to the each substring in |s|. The delimiter is -// given by |delim. The |s| must be comma delimited list of strings. -// The strings must be delimited by a single comma and any white -// spaces around it are treated as a part of protocol strings. This -// function copies |s| and first element in the return value points to -// it. It is caller's responsibility to deallocate its memory. -std::vector parse_config_str_list(const char *s, char delim = ','); +template using Range = std::pair; -// Clears all elements of |list|, which is returned by -// parse_config_str_list(). If list is not empty, list[0] is freed by -// free(2). After this call, list.empty() must be true. -void clear_config_str_list(std::vector &list); +// Parses delimited strings in |s| and returns the array of substring, +// delimited by |delim|. The any white spaces around substring are +// treated as a part of substring. +std::vector> parse_config_str_list(const char *s, + char delim = ','); + +// Parses delimited strings in |s| and returns the array of pointers, +// each element points to the beginning and one beyond last of +// substring in |s|. The delimiter is given by |delim|. The any +// white spaces around substring are treated as a part of substring. +std::vector> split_config_str_list(const char *s, + char delim); // Parses header field in |optarg|. We expect header field is formed // like "NAME: VALUE". We require that NAME is non empty string. ":" diff --git a/src/shrpx_config_test.cc b/src/shrpx_config_test.cc index d91a706b..decbb50c 100644 --- a/src/shrpx_config_test.cc +++ b/src/shrpx_config_test.cc @@ -39,34 +39,29 @@ namespace shrpx { void test_shrpx_config_parse_config_str_list(void) { auto res = parse_config_str_list("a"); CU_ASSERT(1 == res.size()); - CU_ASSERT(0 == strcmp("a", res[0])); - clear_config_str_list(res); + CU_ASSERT(0 == strcmp("a", res[0].get())); res = parse_config_str_list("a,"); CU_ASSERT(2 == res.size()); - CU_ASSERT(0 == strcmp("a", res[0])); - CU_ASSERT(0 == strcmp("", res[1])); - clear_config_str_list(res); + CU_ASSERT(0 == strcmp("a", res[0].get())); + CU_ASSERT(0 == strcmp("", res[1].get())); res = parse_config_str_list(":a::", ':'); CU_ASSERT(4 == res.size()); - CU_ASSERT(0 == strcmp("", res[0])); - CU_ASSERT(0 == strcmp("a", res[1])); - CU_ASSERT(0 == strcmp("", res[2])); - CU_ASSERT(0 == strcmp("", res[3])); - clear_config_str_list(res); + CU_ASSERT(0 == strcmp("", res[0].get())); + CU_ASSERT(0 == strcmp("a", res[1].get())); + CU_ASSERT(0 == strcmp("", res[2].get())); + CU_ASSERT(0 == strcmp("", res[3].get())); res = parse_config_str_list(""); CU_ASSERT(1 == res.size()); - CU_ASSERT(0 == strcmp("", res[0])); - clear_config_str_list(res); + CU_ASSERT(0 == strcmp("", res[0].get())); res = parse_config_str_list("alpha,bravo,charlie"); CU_ASSERT(3 == res.size()); - CU_ASSERT(0 == strcmp("alpha", res[0])); - CU_ASSERT(0 == strcmp("bravo", res[1])); - CU_ASSERT(0 == strcmp("charlie", res[2])); - clear_config_str_list(res); + CU_ASSERT(0 == strcmp("alpha", res[0].get())); + CU_ASSERT(0 == strcmp("bravo", res[1].get())); + CU_ASSERT(0 == strcmp("charlie", res[2].get())); } void test_shrpx_config_parse_header(void) { diff --git a/src/shrpx_https_upstream.cc b/src/shrpx_https_upstream.cc index 22c048a3..ef2659f8 100644 --- a/src/shrpx_https_upstream.cc +++ b/src/shrpx_https_upstream.cc @@ -845,9 +845,10 @@ int HttpsUpstream::on_downstream_header_complete(Downstream *downstream) { hdrs += "Alt-Svc: "; for (auto &altsvc : get_config()->altsvcs) { - hdrs += util::percent_encode_token(altsvc.protocol_id); + hdrs += util::percent_encode_token(altsvc.protocol_id.get()); hdrs += "=\""; - hdrs += util::quote_string(std::string(altsvc.host, altsvc.host_len)); + hdrs += + util::quote_string(std::string(altsvc.host.get(), altsvc.host_len)); hdrs += ":"; hdrs += util::utos(altsvc.port); hdrs += "\", "; diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc index 121f4ce3..10981803 100644 --- a/src/shrpx_ssl.cc +++ b/src/shrpx_ssl.cc @@ -86,11 +86,12 @@ int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { } } // namespace -std::vector set_alpn_prefs(const std::vector &protos) { +std::vector +set_alpn_prefs(const std::vector> &protos) { size_t len = 0; - for (auto proto : protos) { - auto n = strlen(proto); + for (auto &proto : protos) { + auto n = strlen(proto.get()); if (n > 255) { LOG(FATAL) << "Too long ALPN identifier: " << n; @@ -108,11 +109,11 @@ std::vector set_alpn_prefs(const std::vector &protos) { auto out = std::vector(len); auto ptr = out.data(); - for (auto proto : protos) { - auto proto_len = strlen(proto); + for (auto &proto : protos) { + auto proto_len = strlen(proto.get()); *ptr++ = proto_len; - memcpy(ptr, proto, proto_len); + memcpy(ptr, proto.get(), proto_len); ptr += proto_len; } @@ -281,16 +282,15 @@ int alpn_select_proto_cb(SSL *ssl, const unsigned char **out, // We assume that get_config()->npn_list contains ALPN protocol // identifier sorted by preference order. So we just break when we // found the first overlap. - for (auto target_proto_id : get_config()->npn_list) { - auto target_proto_len = - strlen(reinterpret_cast(target_proto_id)); + for (auto &target_proto_id : get_config()->npn_list) { + auto target_proto_len = strlen(target_proto_id.get()); for (auto p = in, end = in + inlen; p < end;) { auto proto_id = p + 1; auto proto_len = *p; if (proto_id + proto_len <= end && target_proto_len == proto_len && - memcmp(target_proto_id, proto_id, proto_len) == 0) { + memcmp(target_proto_id.get(), proto_id, proto_len) == 0) { *out = reinterpret_cast(proto_id); *outlen = proto_len; @@ -314,13 +314,14 @@ constexpr long int tls_masks[] = {SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1}; } // namespace -long int create_tls_proto_mask(const std::vector &tls_proto_list) { +long int create_tls_proto_mask( + const std::vector> &tls_proto_list) { long int res = 0; for (size_t i = 0; i < tls_namelen; ++i) { size_t j; for (j = 0; j < tls_proto_list.size(); ++j) { - if (util::strieq(tls_names[i], tls_proto_list[j])) { + if (util::strieq(tls_names[i], tls_proto_list[j].get())) { break; } } @@ -949,10 +950,10 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx, return 0; } -bool in_proto_list(const std::vector &protos, +bool in_proto_list(const std::vector> &protos, const unsigned char *needle, size_t len) { - for (auto proto : protos) { - if (strlen(proto) == len && memcmp(proto, needle, len) == 0) { + for (auto &proto : protos) { + if (strlen(proto.get()) == len && memcmp(proto.get(), needle, len) == 0) { return true; } } diff --git a/src/shrpx_ssl.h b/src/shrpx_ssl.h index 168b5f95..85b3460d 100644 --- a/src/shrpx_ssl.h +++ b/src/shrpx_ssl.h @@ -140,7 +140,7 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx, // Returns true if |needle| which has |len| bytes is included in the // protocol list |protos|. -bool in_proto_list(const std::vector &protos, +bool in_proto_list(const std::vector> &protos, const unsigned char *needle, size_t len); // Returns true if security requirement for HTTP/2 is fulfilled. @@ -149,9 +149,11 @@ bool check_http2_requirement(SSL *ssl); // Returns SSL/TLS option mask to disable SSL/TLS protocol version not // included in |tls_proto_list|. The returned mask can be directly // passed to SSL_CTX_set_options(). -long int create_tls_proto_mask(const std::vector &tls_proto_list); +long int create_tls_proto_mask( + const std::vector> &tls_proto_list); -std::vector set_alpn_prefs(const std::vector &protos); +std::vector +set_alpn_prefs(const std::vector> &protos); // Setups server side SSL_CTX. This function inspects get_config() // and if upstream_no_tls is true, returns nullptr. Otherwise From a8574fdef232df1ee654688593a6013d734af7b0 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Mon, 20 Jul 2015 22:37:26 +0900 Subject: [PATCH 28/44] nghttpx: Use Use std::string instead of std::unique_ptr for tls config --- src/shrpx_config.cc | 19 ++++++++---------- src/shrpx_config.h | 25 ++++++++--------------- src/shrpx_config_test.cc | 22 ++++++++++---------- src/shrpx_https_upstream.cc | 9 ++++----- src/shrpx_ssl.cc | 40 ++++++++++++++++--------------------- src/shrpx_ssl.h | 7 +++---- src/util.h | 4 ++++ 7 files changed, 55 insertions(+), 71 deletions(-) diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index 99f1983d..3fae2d29 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -283,13 +283,12 @@ std::vector> split_config_str_list(const char *s, return list; } -std::vector> parse_config_str_list(const char *s, - char delim) { +std::vector parse_config_str_list(const char *s, char delim) { auto ranges = split_config_str_list(s, delim); - auto res = std::vector>(); + auto res = std::vector(); res.reserve(ranges.size()); for (const auto &range : ranges) { - res.push_back(strcopy(range.first, range.second)); + res.emplace_back(range.first, range.second); } return res; } @@ -1687,30 +1686,28 @@ int parse_config(const char *opt, const char *optarg, int port; - if (parse_uint(&port, opt, tokens[1].get()) != 0) { + if (parse_uint(&port, opt, tokens[1].c_str()) != 0) { return -1; } if (port < 1 || port > static_cast(std::numeric_limits::max())) { - LOG(ERROR) << opt << ": port is invalid: " << tokens[1].get(); + LOG(ERROR) << opt << ": port is invalid: " << tokens[1]; return -1; } AltSvc altsvc; - altsvc.port = port; - altsvc.protocol_id = std::move(tokens[0]); - altsvc.protocol_id_len = strlen(altsvc.protocol_id.get()); + + altsvc.port = port; + altsvc.service = std::move(tokens[1]); if (tokens.size() > 2) { altsvc.host = std::move(tokens[2]); - altsvc.host_len = strlen(altsvc.host.get()); if (tokens.size() > 3) { altsvc.origin = std::move(tokens[3]); - altsvc.origin_len = strlen(altsvc.origin.get()); } } diff --git a/src/shrpx_config.h b/src/shrpx_config.h index 68840c1d..2ad0297e 100644 --- a/src/shrpx_config.h +++ b/src/shrpx_config.h @@ -184,15 +184,9 @@ union sockaddr_union { enum shrpx_proto { PROTO_HTTP2, PROTO_HTTP }; struct AltSvc { - AltSvc() : protocol_id_len(0), host_len(0), origin_len(0), port(0) {} + AltSvc() : port(0) {} - std::unique_ptr protocol_id; - std::unique_ptr host; - std::unique_ptr origin; - - size_t protocol_id_len; - size_t host_len; - size_t origin_len; + std::string protocol_id, host, origin, service; uint16_t port; }; @@ -251,6 +245,11 @@ struct Config { std::vector accesslog_format; std::vector downstream_addr_groups; std::vector tls_ticket_key_files; + // list of supported NPN/ALPN protocol strings in the order of + // preference. + std::vector npn_list; + // list of supported SSL/TLS protocol strings. + std::vector tls_proto_list; // binary form of http proxy host and port sockaddr_union downstream_http_proxy_addr; ev_tstamp http2_upstream_read_timeout; @@ -286,13 +285,6 @@ struct Config { // ev_token_bucket_cfg *rate_limit_cfg; // // Rate limit configuration per worker (thread) // ev_token_bucket_cfg *worker_rate_limit_cfg; - // list of supported NPN/ALPN protocol strings in the order of - // preference. The each element of this list is a NULL-terminated - // string. - std::vector> npn_list; - // list of supported SSL/TLS protocol strings. The each element of - // this list is a NULL-terminated string. - std::vector> tls_proto_list; // Path to file containing CA certificate solely used for client // certificate validation std::unique_ptr verify_client_cacert; @@ -413,8 +405,7 @@ template using Range = std::pair; // Parses delimited strings in |s| and returns the array of substring, // delimited by |delim|. The any white spaces around substring are // treated as a part of substring. -std::vector> parse_config_str_list(const char *s, - char delim = ','); +std::vector parse_config_str_list(const char *s, char delim = ','); // Parses delimited strings in |s| and returns the array of pointers, // each element points to the beginning and one beyond last of diff --git a/src/shrpx_config_test.cc b/src/shrpx_config_test.cc index decbb50c..8ccd458c 100644 --- a/src/shrpx_config_test.cc +++ b/src/shrpx_config_test.cc @@ -39,29 +39,29 @@ namespace shrpx { void test_shrpx_config_parse_config_str_list(void) { auto res = parse_config_str_list("a"); CU_ASSERT(1 == res.size()); - CU_ASSERT(0 == strcmp("a", res[0].get())); + CU_ASSERT("a" == res[0]); res = parse_config_str_list("a,"); CU_ASSERT(2 == res.size()); - CU_ASSERT(0 == strcmp("a", res[0].get())); - CU_ASSERT(0 == strcmp("", res[1].get())); + CU_ASSERT("a" == res[0]); + CU_ASSERT("" == res[1]); res = parse_config_str_list(":a::", ':'); CU_ASSERT(4 == res.size()); - CU_ASSERT(0 == strcmp("", res[0].get())); - CU_ASSERT(0 == strcmp("a", res[1].get())); - CU_ASSERT(0 == strcmp("", res[2].get())); - CU_ASSERT(0 == strcmp("", res[3].get())); + CU_ASSERT("" == res[0]); + CU_ASSERT("a" == res[1]); + CU_ASSERT("" == res[2]); + CU_ASSERT("" == res[3]); res = parse_config_str_list(""); CU_ASSERT(1 == res.size()); - CU_ASSERT(0 == strcmp("", res[0].get())); + CU_ASSERT("" == res[0]); res = parse_config_str_list("alpha,bravo,charlie"); CU_ASSERT(3 == res.size()); - CU_ASSERT(0 == strcmp("alpha", res[0].get())); - CU_ASSERT(0 == strcmp("bravo", res[1].get())); - CU_ASSERT(0 == strcmp("charlie", res[2].get())); + CU_ASSERT("alpha" == res[0]); + CU_ASSERT("bravo" == res[1]); + CU_ASSERT("charlie" == res[2]); } void test_shrpx_config_parse_header(void) { diff --git a/src/shrpx_https_upstream.cc b/src/shrpx_https_upstream.cc index ef2659f8..4893c9fd 100644 --- a/src/shrpx_https_upstream.cc +++ b/src/shrpx_https_upstream.cc @@ -844,13 +844,12 @@ int HttpsUpstream::on_downstream_header_complete(Downstream *downstream) { if (!get_config()->altsvcs.empty()) { hdrs += "Alt-Svc: "; - for (auto &altsvc : get_config()->altsvcs) { - hdrs += util::percent_encode_token(altsvc.protocol_id.get()); + for (const auto &altsvc : get_config()->altsvcs) { + hdrs += util::percent_encode_token(altsvc.protocol_id); hdrs += "=\""; - hdrs += - util::quote_string(std::string(altsvc.host.get(), altsvc.host_len)); + hdrs += util::quote_string(altsvc.host); hdrs += ":"; - hdrs += util::utos(altsvc.port); + hdrs += altsvc.service; hdrs += "\", "; } diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc index 10981803..ea5a1cc1 100644 --- a/src/shrpx_ssl.cc +++ b/src/shrpx_ssl.cc @@ -87,18 +87,16 @@ int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { } // namespace std::vector -set_alpn_prefs(const std::vector> &protos) { +set_alpn_prefs(const std::vector &protos) { size_t len = 0; - for (auto &proto : protos) { - auto n = strlen(proto.get()); - - if (n > 255) { - LOG(FATAL) << "Too long ALPN identifier: " << n; + for (const auto &proto : protos) { + if (proto.size() > 255) { + LOG(FATAL) << "Too long ALPN identifier: " << proto.size(); DIE(); } - len += 1 + n; + len += 1 + proto.size(); } if (len > (1 << 16) - 1) { @@ -109,12 +107,10 @@ set_alpn_prefs(const std::vector> &protos) { auto out = std::vector(len); auto ptr = out.data(); - for (auto &proto : protos) { - auto proto_len = strlen(proto.get()); - - *ptr++ = proto_len; - memcpy(ptr, proto.get(), proto_len); - ptr += proto_len; + for (const auto &proto : protos) { + *ptr++ = proto.size(); + memcpy(ptr, proto.c_str(), proto.size()); + ptr += proto.size(); } return out; @@ -282,15 +278,14 @@ int alpn_select_proto_cb(SSL *ssl, const unsigned char **out, // We assume that get_config()->npn_list contains ALPN protocol // identifier sorted by preference order. So we just break when we // found the first overlap. - for (auto &target_proto_id : get_config()->npn_list) { - auto target_proto_len = strlen(target_proto_id.get()); - + for (const auto &target_proto_id : get_config()->npn_list) { for (auto p = in, end = in + inlen; p < end;) { auto proto_id = p + 1; auto proto_len = *p; - if (proto_id + proto_len <= end && target_proto_len == proto_len && - memcmp(target_proto_id.get(), proto_id, proto_len) == 0) { + if (proto_id + proto_len <= end && + util::streq(target_proto_id.c_str(), target_proto_id.size(), proto_id, + proto_len)) { *out = reinterpret_cast(proto_id); *outlen = proto_len; @@ -314,14 +309,13 @@ constexpr long int tls_masks[] = {SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1}; } // namespace -long int create_tls_proto_mask( - const std::vector> &tls_proto_list) { +long int create_tls_proto_mask(const std::vector &tls_proto_list) { long int res = 0; for (size_t i = 0; i < tls_namelen; ++i) { size_t j; for (j = 0; j < tls_proto_list.size(); ++j) { - if (util::strieq(tls_names[i], tls_proto_list[j].get())) { + if (util::strieq(tls_names[i], tls_proto_list[j])) { break; } } @@ -950,10 +944,10 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx, return 0; } -bool in_proto_list(const std::vector> &protos, +bool in_proto_list(const std::vector &protos, const unsigned char *needle, size_t len) { for (auto &proto : protos) { - if (strlen(proto.get()) == len && memcmp(proto.get(), needle, len) == 0) { + if (util::streq(proto.c_str(), proto.size(), needle, len)) { return true; } } diff --git a/src/shrpx_ssl.h b/src/shrpx_ssl.h index 85b3460d..de2509a8 100644 --- a/src/shrpx_ssl.h +++ b/src/shrpx_ssl.h @@ -140,7 +140,7 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx, // Returns true if |needle| which has |len| bytes is included in the // protocol list |protos|. -bool in_proto_list(const std::vector> &protos, +bool in_proto_list(const std::vector &protos, const unsigned char *needle, size_t len); // Returns true if security requirement for HTTP/2 is fulfilled. @@ -149,11 +149,10 @@ bool check_http2_requirement(SSL *ssl); // Returns SSL/TLS option mask to disable SSL/TLS protocol version not // included in |tls_proto_list|. The returned mask can be directly // passed to SSL_CTX_set_options(). -long int create_tls_proto_mask( - const std::vector> &tls_proto_list); +long int create_tls_proto_mask(const std::vector &tls_proto_list); std::vector -set_alpn_prefs(const std::vector> &protos); +set_alpn_prefs(const std::vector &protos); // Setups server side SSL_CTX. This function inspects get_config() // and if upstream_no_tls is true, returns nullptr. Otherwise diff --git a/src/util.h b/src/util.h index 6c04fef0..1f84c37a 100644 --- a/src/util.h +++ b/src/util.h @@ -349,6 +349,10 @@ inline bool strieq(const std::string &a, const std::string &b) { bool strieq(const char *a, const char *b); +inline bool strieq(const char *a, const std::string &b) { + return strieq(a, b.c_str(), b.size()); +} + template bool strieq_l(const char (&a)[N], InputIt b, size_t blen) { return strieq(a, N - 1, b, blen); From 0ec1b98f27ccf777182180a3131ab139145fbc90 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Mon, 20 Jul 2015 22:42:48 +0900 Subject: [PATCH 29/44] nghttpx: Reorder config fields --- src/shrpx_config.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/shrpx_config.h b/src/shrpx_config.h index 2ad0297e..267decf9 100644 --- a/src/shrpx_config.h +++ b/src/shrpx_config.h @@ -269,7 +269,6 @@ struct Config { std::unique_ptr private_key_passwd; std::unique_ptr cert_file; std::unique_ptr dh_param_file; - const char *server_name; std::unique_ptr backend_tls_sni_name; std::unique_ptr pid_file; std::unique_ptr conf_path; @@ -293,6 +292,7 @@ struct Config { std::unique_ptr accesslog_file; std::unique_ptr errorlog_file; std::unique_ptr fetch_ocsp_response_file; + std::unique_ptr user; FILE *http2_upstream_dump_request_header; FILE *http2_upstream_dump_response_header; nghttp2_session_callbacks *http2_upstream_callbacks; @@ -300,6 +300,7 @@ struct Config { nghttp2_option *http2_option; nghttp2_option *http2_client_option; const EVP_CIPHER *tls_ticket_cipher; + const char *server_name; char **argv; char *cwd; size_t num_worker; @@ -338,7 +339,6 @@ struct Config { int syslog_facility; int backlog; int argc; - std::unique_ptr user; uid_t uid; gid_t gid; pid_t pid; From 921e393dcd2f171a69fbd7e19005021bef078aba Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Mon, 20 Jul 2015 23:50:05 +0900 Subject: [PATCH 30/44] src: Use instead of in usage text --- src/h2load.cc | 6 +++--- src/nghttp.cc | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/h2load.cc b/src/h2load.cc index efb49c27..638a5ee2 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -1022,10 +1022,10 @@ Options: -t, --threads= Number of native threads. Default: )" << config.nthreads << R"( - -i, --input-file= + -i, --input-file= Path of a file with multiple URIs are separated by EOLs. This option will disable URIs getting from command-line. - If '-' is given as , URIs will be read from stdin. + If '-' is given as , URIs will be read from stdin. URIs are used in this order for each client. All URIs are used, then first URI is used and then 2nd URI, and so on. The scheme, host and port in the subsequent @@ -1063,7 +1063,7 @@ Options: #endif // !HAVE_SPDYLAY out << NGHTTP2_CLEARTEXT_PROTO_VERSION_ID << R"( Default: )" << NGHTTP2_CLEARTEXT_PROTO_VERSION_ID << R"( - -d, --data= + -d, --data= Post FILE to server. The request method is changed to POST. -r, --rate= diff --git a/src/nghttp.cc b/src/nghttp.cc index 8f85aaca..5bd9c503 100644 --- a/src/nghttp.cc +++ b/src/nghttp.cc @@ -2394,7 +2394,7 @@ Options: must be in PEM format. --key= Use the client private key file. The file must be in PEM format. - -d, --data= + -d, --data= Post FILE to server. If '-' is given, data will be read from stdin. -m, --multiply= @@ -2418,8 +2418,8 @@ Options: -b, --padding= Add at most bytes to a frame payload as padding. Specify 0 to disable padding. - -r, --har= - Output HTTP transactions in HAR format. If '-' + -r, --har= + Output HTTP transactions in HAR format. If '-' is given, data is written to stdout. --color Force colored log output. --continuation From 26b7bee16fbf50b2466431b20fe282c8a3f30243 Mon Sep 17 00:00:00 2001 From: Alexis La Goutte Date: Mon, 20 Jul 2015 17:33:23 +0200 Subject: [PATCH 31/44] =?UTF-8?q?Fix=20rm:=20cannot=20remove=20=E2=80=98*.?= =?UTF-8?q?rst=E2=80=99:=20No=20such=20file=20or=20directory=20when=20"mak?= =?UTF-8?q?e=20clean"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When you don't generated documentation via make html --- doc/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/Makefile.am b/doc/Makefile.am index 55042f65..5b6272c1 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -223,7 +223,7 @@ $(APIDOC): apidoc.stamp fi clean-local: - -rm $(APIDOCS) > /dev/null 2>&1 + -rm -f $(APIDOCS) -rm -rf $(BUILDDIR)/* html-local: apiref.rst From f3288092e8d74204f98c05a672b5dbbcfd4f52d7 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Wed, 22 Jul 2015 00:11:23 +0900 Subject: [PATCH 32/44] Strictly check occurrence of dynamic table size update RFC 7541 requires that dynamic table size update must occur at the beginning of the first header block, and is signaled as SETTINGS acknowledgement. This commit checks these conditions. If dynamic table size update appears other than the beginning of the first header block, it is treated as error. If SETTINGS ACK is received, and next HEADERS header block does not have dynamic table size update, it is treated as error. --- lib/includes/nghttp2/nghttp2.h | 11 ++++++++ lib/nghttp2_hd.c | 30 +++++++++++++++++++-- lib/nghttp2_hd.h | 2 ++ tests/main.c | 4 +++ tests/nghttp2_hd_test.c | 48 ++++++++++++++++++++++++++++++++++ tests/nghttp2_hd_test.h | 2 ++ 6 files changed, 95 insertions(+), 2 deletions(-) diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h index d8b1cc4e..856bfb1f 100644 --- a/lib/includes/nghttp2/nghttp2.h +++ b/lib/includes/nghttp2/nghttp2.h @@ -3777,11 +3777,22 @@ NGHTTP2_EXTERN void nghttp2_hd_inflate_del(nghttp2_hd_inflater *inflater); * The |settings_hd_table_bufsize_max| should be the value transmitted * in SETTINGS_HEADER_TABLE_SIZE. * + * This function must not be called while header block is being + * inflated. In other words, this function must be called after + * initialization of |inflater|, but before calling + * `nghttp2_hd_inflate_hd()`, or after + * `nghttp2_hd_inflate_end_headers()`. Otherwise, + * `NGHTTP2_ERR_INVALID_STATE` was returned. + * * This function returns 0 if it succeeds, or one of the following * negative error codes: * * :enum:`NGHTTP2_ERR_NOMEM` * Out of memory. + * :enum:`NGHTTP2_ERR_INVALID_STATE` + * The function is called while header block is being inflated. + * Probably, application missed to call + * `nghttp2_hd_inflate_end_headers()`. */ NGHTTP2_EXTERN int nghttp2_hd_inflate_change_table_size(nghttp2_hd_inflater *inflater, diff --git a/lib/nghttp2_hd.c b/lib/nghttp2_hd.c index 83191211..07ce37e0 100644 --- a/lib/nghttp2_hd.c +++ b/lib/nghttp2_hd.c @@ -704,7 +704,7 @@ int nghttp2_hd_inflate_init(nghttp2_hd_inflater *inflater, nghttp2_mem *mem) { inflater->nv_keep = NULL; inflater->opcode = NGHTTP2_HD_OPCODE_NONE; - inflater->state = NGHTTP2_HD_STATE_OPCODE; + inflater->state = NGHTTP2_HD_STATE_INFLATE_START; rv = nghttp2_bufs_init3(&inflater->nvbufs, NGHTTP2_HD_MAX_NV / 8, 8, 1, 0, mem); @@ -1261,6 +1261,15 @@ int nghttp2_hd_deflate_change_table_size(nghttp2_hd_deflater *deflater, int nghttp2_hd_inflate_change_table_size(nghttp2_hd_inflater *inflater, size_t settings_hd_table_bufsize_max) { + switch (inflater->state) { + case NGHTTP2_HD_STATE_EXPECT_TABLE_SIZE: + case NGHTTP2_HD_STATE_INFLATE_START: + break; + default: + return NGHTTP2_ERR_INVALID_STATE; + } + + inflater->state = NGHTTP2_HD_STATE_EXPECT_TABLE_SIZE; inflater->settings_hd_table_bufsize_max = settings_hd_table_bufsize_max; inflater->ctx.hd_table_bufsize_max = settings_hd_table_bufsize_max; hd_context_shrink_table_size(&inflater->ctx); @@ -1951,9 +1960,25 @@ ssize_t nghttp2_hd_inflate_hd2(nghttp2_hd_inflater *inflater, for (; in != last || busy;) { busy = 0; switch (inflater->state) { + case NGHTTP2_HD_STATE_EXPECT_TABLE_SIZE: + if ((*in & 0xe0u) != 0x20u) { + DEBUGF(fprintf(stderr, "inflatehd: header table size change was " + "expected, but saw 0x%02x as first byte", + *in)); + rv = NGHTTP2_ERR_HEADER_COMP; + goto fail; + } + /* fall through */ + case NGHTTP2_HD_STATE_INFLATE_START: case NGHTTP2_HD_STATE_OPCODE: if ((*in & 0xe0u) == 0x20u) { DEBUGF(fprintf(stderr, "inflatehd: header table size change\n")); + if (inflater->state == NGHTTP2_HD_STATE_OPCODE) { + DEBUGF(fprintf(stderr, "inflatehd: header table size change must " + "appear at the head of header block\n")); + rv = NGHTTP2_ERR_HEADER_COMP; + goto fail; + } inflater->opcode = NGHTTP2_HD_OPCODE_INDEXED; inflater->state = NGHTTP2_HD_STATE_READ_TABLE_SIZE; } else if (*in & 0x80u) { @@ -1997,7 +2022,7 @@ ssize_t nghttp2_hd_inflate_hd2(nghttp2_hd_inflater *inflater, DEBUGF(fprintf(stderr, "inflatehd: table_size=%zu\n", inflater->left)); inflater->ctx.hd_table_bufsize_max = inflater->left; hd_context_shrink_table_size(&inflater->ctx); - inflater->state = NGHTTP2_HD_STATE_OPCODE; + inflater->state = NGHTTP2_HD_STATE_INFLATE_START; break; case NGHTTP2_HD_STATE_READ_INDEX: { size_t prefixlen; @@ -2282,6 +2307,7 @@ fail: int nghttp2_hd_inflate_end_headers(nghttp2_hd_inflater *inflater) { hd_inflate_keep_free(inflater); + inflater->state = NGHTTP2_HD_STATE_INFLATE_START; return 0; } diff --git a/lib/nghttp2_hd.h b/lib/nghttp2_hd.h index bf40ab05..12177e8d 100644 --- a/lib/nghttp2_hd.h +++ b/lib/nghttp2_hd.h @@ -151,6 +151,8 @@ typedef enum { } nghttp2_hd_opcode; typedef enum { + NGHTTP2_HD_STATE_EXPECT_TABLE_SIZE, + NGHTTP2_HD_STATE_INFLATE_START, NGHTTP2_HD_STATE_OPCODE, NGHTTP2_HD_STATE_READ_TABLE_SIZE, NGHTTP2_HD_STATE_READ_INDEX, diff --git a/tests/main.c b/tests/main.c index 7353ad74..39cb1327 100644 --- a/tests/main.c +++ b/tests/main.c @@ -326,6 +326,10 @@ int main(int argc _U_, char *argv[] _U_) { test_nghttp2_hd_inflate_clearall_inc) || !CU_add_test(pSuite, "hd_inflate_zero_length_huffman", test_nghttp2_hd_inflate_zero_length_huffman) || + !CU_add_test(pSuite, "hd_inflate_expect_table_size_update", + test_nghttp2_hd_inflate_expect_table_size_update) || + !CU_add_test(pSuite, "hd_inflate_unexpected_table_size_update", + test_nghttp2_hd_inflate_unexpected_table_size_update) || !CU_add_test(pSuite, "hd_ringbuf_reserve", test_nghttp2_hd_ringbuf_reserve) || !CU_add_test(pSuite, "hd_change_table_size", diff --git a/tests/nghttp2_hd_test.c b/tests/nghttp2_hd_test.c index ecd7bc11..db72e3fe 100644 --- a/tests/nghttp2_hd_test.c +++ b/tests/nghttp2_hd_test.c @@ -540,6 +540,54 @@ void test_nghttp2_hd_inflate_zero_length_huffman(void) { nghttp2_hd_inflate_free(&inflater); } +void test_nghttp2_hd_inflate_expect_table_size_update(void) { + nghttp2_hd_inflater inflater; + nghttp2_bufs bufs; + nghttp2_mem *mem; + /* Indexed Header: :method: GET */ + uint8_t data[] = {0x82}; + nva_out out; + + mem = nghttp2_mem_default(); + frame_pack_bufs_init(&bufs); + nva_out_init(&out); + + nghttp2_bufs_add(&bufs, data, sizeof(data)); + nghttp2_hd_inflate_init(&inflater, mem); + /* This will make inflater require table size update in the next + inflation. */ + nghttp2_hd_inflate_change_table_size(&inflater, 4096); + CU_ASSERT(NGHTTP2_ERR_HEADER_COMP == + inflate_hd(&inflater, &out, &bufs, 0, mem)); + + nva_out_reset(&out, mem); + nghttp2_bufs_free(&bufs); + nghttp2_hd_inflate_free(&inflater); +} + +void test_nghttp2_hd_inflate_unexpected_table_size_update(void) { + nghttp2_hd_inflater inflater; + nghttp2_bufs bufs; + nghttp2_mem *mem; + /* Indexed Header: :method: GET, followed by table size update. + This violates RFC 7541. */ + uint8_t data[] = {0x82, 0x20}; + nva_out out; + + mem = nghttp2_mem_default(); + frame_pack_bufs_init(&bufs); + nva_out_init(&out); + + nghttp2_bufs_add(&bufs, data, sizeof(data)); + nghttp2_hd_inflate_init(&inflater, mem); + CU_ASSERT(NGHTTP2_ERR_HEADER_COMP == + inflate_hd(&inflater, &out, &bufs, 0, mem)); + + nva_out_reset(&out, mem); + nghttp2_bufs_free(&bufs); + nghttp2_hd_inflate_free(&inflater); +} + void test_nghttp2_hd_ringbuf_reserve(void) { nghttp2_hd_deflater deflater; nghttp2_hd_inflater inflater; diff --git a/tests/nghttp2_hd_test.h b/tests/nghttp2_hd_test.h index e41fad73..158a98c5 100644 --- a/tests/nghttp2_hd_test.h +++ b/tests/nghttp2_hd_test.h @@ -35,6 +35,8 @@ void test_nghttp2_hd_inflate_newname_noinc(void); void test_nghttp2_hd_inflate_newname_inc(void); void test_nghttp2_hd_inflate_clearall_inc(void); void test_nghttp2_hd_inflate_zero_length_huffman(void); +void test_nghttp2_hd_inflate_expect_table_size_update(void); +void test_nghttp2_hd_inflate_unexpected_table_size_update(void); void test_nghttp2_hd_ringbuf_reserve(void); void test_nghttp2_hd_change_table_size(void); void test_nghttp2_hd_deflate_inflate(void); From 44cbc785fcd116c924dd086c7e78dceb6ad86513 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Wed, 22 Jul 2015 21:41:16 +0900 Subject: [PATCH 33/44] nghttpx: Don't reuse backend connection if it is not clean --- src/shrpx_downstream.cc | 6 ++++++ src/shrpx_downstream.h | 3 +++ src/shrpx_http2_upstream.cc | 25 +++++++------------------ src/shrpx_https_upstream.cc | 8 +++----- src/shrpx_spdy_upstream.cc | 22 ++++++---------------- 5 files changed, 25 insertions(+), 39 deletions(-) diff --git a/src/shrpx_downstream.cc b/src/shrpx_downstream.cc index bfd7aa4b..a37c7f2f 100644 --- a/src/shrpx_downstream.cc +++ b/src/shrpx_downstream.cc @@ -1207,4 +1207,10 @@ void Downstream::add_request_headers_sum(size_t amount) { request_headers_sum_ += amount; } +bool Downstream::can_detach_downstream_connection() const { + return dconn_ && response_state_ == Downstream::MSG_COMPLETE && + request_state_ == Downstream::MSG_COMPLETE && !upgraded_ && + !response_connection_close_; +} + } // namespace shrpx diff --git a/src/shrpx_downstream.h b/src/shrpx_downstream.h index 3486621a..c64aba4f 100644 --- a/src/shrpx_downstream.h +++ b/src/shrpx_downstream.h @@ -332,6 +332,9 @@ public: void attach_blocked_link(BlockedLink *l); BlockedLink *detach_blocked_link(); + // Returns true if downstream_connection can be detached and reused. + bool can_detach_downstream_connection() const; + enum { EVENT_ERROR = 0x1, EVENT_TIMEOUT = 0x2, diff --git a/src/shrpx_http2_upstream.cc b/src/shrpx_http2_upstream.cc index 51146e8c..db57b9db 100644 --- a/src/shrpx_http2_upstream.cc +++ b/src/shrpx_http2_upstream.cc @@ -74,22 +74,13 @@ int on_stream_close_callback(nghttp2_session *session, int32_t stream_id, return 0; } - downstream->set_request_state(Downstream::STREAM_CLOSED); - - if (downstream->get_response_state() == Downstream::MSG_COMPLETE) { - // At this point, downstream response was read - if (!downstream->get_upgraded() && - !downstream->get_response_connection_close()) { - // Keep-alive - downstream->detach_downstream_connection(); - } - - upstream->remove_downstream(downstream); - // downstream was deleted - - return 0; + if (downstream->can_detach_downstream_connection()) { + // Keep-alive + downstream->detach_downstream_connection(); } + downstream->set_request_state(Downstream::STREAM_CLOSED); + // At this point, downstream read may be paused. // If shrpx_downstream::push_request_headers() failed, the @@ -915,10 +906,8 @@ int Http2Upstream::downstream_read(DownstreamConnection *dconn) { } return downstream_error(dconn, Downstream::EVENT_ERROR); } - // Detach downstream connection early so that it could be reused - // without hitting server's request timeout. - if (downstream->get_response_state() == Downstream::MSG_COMPLETE && - !downstream->get_response_connection_close()) { + + if (downstream->can_detach_downstream_connection()) { // Keep-alive downstream->detach_downstream_connection(); } diff --git a/src/shrpx_https_upstream.cc b/src/shrpx_https_upstream.cc index 4893c9fd..40a29593 100644 --- a/src/shrpx_https_upstream.cc +++ b/src/shrpx_https_upstream.cc @@ -540,7 +540,8 @@ int HttpsUpstream::on_write() { // We need to postpone detachment until all data are sent so that // we can notify nghttp2 library all data consumed. if (downstream->get_response_state() == Downstream::MSG_COMPLETE) { - if (downstream->get_response_connection_close()) { + if (downstream->get_response_connection_close() || + downstream->get_request_state() != Downstream::MSG_COMPLETE) { // Connection close downstream->pop_downstream_connection(); // dconn was deleted @@ -607,10 +608,7 @@ int HttpsUpstream::downstream_read(DownstreamConnection *dconn) { goto end; } - // Detach downstream connection early so that it could be reused - // without hitting server's request timeout. - if (downstream->get_response_state() == Downstream::MSG_COMPLETE && - !downstream->get_response_connection_close()) { + if (downstream->can_detach_downstream_connection()) { // Keep-alive downstream->detach_downstream_connection(); } diff --git a/src/shrpx_spdy_upstream.cc b/src/shrpx_spdy_upstream.cc index 745cc0b5..89fcb678 100644 --- a/src/shrpx_spdy_upstream.cc +++ b/src/shrpx_spdy_upstream.cc @@ -109,20 +109,13 @@ void on_stream_close_callback(spdylay_session *session, int32_t stream_id, return; } - downstream->set_request_state(Downstream::STREAM_CLOSED); - if (downstream->get_response_state() == Downstream::MSG_COMPLETE) { - // At this point, downstream response was read - if (!downstream->get_upgraded() && - !downstream->get_response_connection_close()) { - // Keep-alive - downstream->detach_downstream_connection(); - } - upstream->remove_downstream(downstream); - // downstrea was deleted - - return; + if (downstream->can_detach_downstream_connection()) { + // Keep-alive + downstream->detach_downstream_connection(); } + downstream->set_request_state(Downstream::STREAM_CLOSED); + // At this point, downstream read may be paused. // If shrpx_downstream::push_request_headers() failed, the @@ -589,10 +582,7 @@ int SpdyUpstream::downstream_read(DownstreamConnection *dconn) { } return downstream_error(dconn, Downstream::EVENT_ERROR); } - // Detach downstream connection early so that it could be reused - // without hitting server's request timeout. - if (downstream->get_response_state() == Downstream::MSG_COMPLETE && - !downstream->get_response_connection_close()) { + if (downstream->can_detach_downstream_connection()) { // Keep-alive downstream->detach_downstream_connection(); } From 7f71fed963e73c88770e29f4aa6419eb91d9148d Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 23 Jul 2015 00:36:00 +0900 Subject: [PATCH 34/44] Allow multiple in-flight SETTINGS --- lib/includes/nghttp2/nghttp2.h | 4 -- lib/nghttp2_session.c | 116 +++++++++++++++++++++++---------- lib/nghttp2_session.h | 20 ++++-- tests/main.c | 2 + tests/nghttp2_session_test.c | 91 +++++++++++++++++++++++--- tests/nghttp2_session_test.h | 1 + 6 files changed, 179 insertions(+), 55 deletions(-) diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h index 856bfb1f..6c3c2c43 100644 --- a/lib/includes/nghttp2/nghttp2.h +++ b/lib/includes/nghttp2/nghttp2.h @@ -3278,10 +3278,6 @@ NGHTTP2_EXTERN int nghttp2_submit_rst_stream(nghttp2_session *session, * :enum:`NGHTTP2_ERR_INVALID_ARGUMENT` * The |iv| contains invalid value (e.g., initial window size * strictly greater than (1 << 31) - 1. - * :enum:`NGHTTP2_ERR_TOO_MANY_INFLIGHT_SETTINGS` - * There is already another in-flight SETTINGS. Note that the - * current implementation only allows 1 in-flight SETTINGS frame - * without ACK flag set. * :enum:`NGHTTP2_ERR_NOMEM` * Out of memory. */ diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c index 6285443c..2f74ca4b 100644 --- a/lib/nghttp2_session.c +++ b/lib/nghttp2_session.c @@ -362,8 +362,6 @@ static int session_new(nghttp2_session **session_ptr, (*session_ptr)->local_last_stream_id = (1u << 31) - 1; (*session_ptr)->remote_last_stream_id = (1u << 31) - 1; - (*session_ptr)->inflight_niv = -1; - (*session_ptr)->pending_local_max_concurrent_stream = NGHTTP2_INITIAL_MAX_CONCURRENT_STREAMS; (*session_ptr)->pending_enable_push = 1; @@ -561,8 +559,42 @@ static void ob_q_free(nghttp2_outbound_queue *q, nghttp2_mem *mem) { } } +static int inflight_settings_new(nghttp2_inflight_settings **settings_ptr, + const nghttp2_settings_entry *iv, size_t niv, + nghttp2_mem *mem) { + *settings_ptr = nghttp2_mem_malloc(mem, sizeof(nghttp2_inflight_settings)); + if (!*settings_ptr) { + return NGHTTP2_ERR_NOMEM; + } + + if (niv > 0) { + (*settings_ptr)->iv = nghttp2_frame_iv_copy(iv, niv, mem); + if (!(*settings_ptr)->iv) { + return NGHTTP2_ERR_NOMEM; + } + } else { + (*settings_ptr)->iv = NULL; + } + + (*settings_ptr)->niv = niv; + (*settings_ptr)->next = NULL; + + return 0; +} + +static void inflight_settings_del(nghttp2_inflight_settings *settings, + nghttp2_mem *mem) { + if (!settings) { + return; + } + + nghttp2_mem_free(mem, settings->iv); + nghttp2_mem_free(mem, settings); +} + void nghttp2_session_del(nghttp2_session *session) { nghttp2_mem *mem; + nghttp2_inflight_settings *settings; if (session == NULL) { return; @@ -570,7 +602,11 @@ void nghttp2_session_del(nghttp2_session *session) { mem = &session->mem; - nghttp2_mem_free(mem, session->inflight_iv); + for (settings = session->inflight_settings_head; settings;) { + nghttp2_inflight_settings *next = settings->next; + inflight_settings_del(settings, mem); + settings = next; + } nghttp2_stream_roots_free(&session->roots); @@ -3939,10 +3975,6 @@ int nghttp2_session_update_local_settings(nghttp2_session *session, } } - session->pending_local_max_concurrent_stream = - NGHTTP2_INITIAL_MAX_CONCURRENT_STREAMS; - session->pending_enable_push = 1; - return 0; } @@ -3951,6 +3983,7 @@ int nghttp2_session_on_settings_received(nghttp2_session *session, int rv; size_t i; nghttp2_mem *mem; + nghttp2_inflight_settings *settings; mem = &session->mem; @@ -3964,15 +3997,21 @@ int nghttp2_session_on_settings_received(nghttp2_session *session, session, frame, NGHTTP2_ERR_FRAME_SIZE_ERROR, "SETTINGS: ACK and payload != 0"); } - if (session->inflight_niv == -1) { + + settings = session->inflight_settings_head; + + if (!settings) { return session_handle_invalid_connection( session, frame, NGHTTP2_ERR_PROTO, "SETTINGS: unexpected ACK"); } - rv = nghttp2_session_update_local_settings(session, session->inflight_iv, - session->inflight_niv); - nghttp2_mem_free(mem, session->inflight_iv); - session->inflight_iv = NULL; - session->inflight_niv = -1; + + rv = nghttp2_session_update_local_settings(session, settings->iv, + settings->niv); + + session->inflight_settings_head = settings->next; + + inflight_settings_del(settings, mem); + if (rv != 0) { if (nghttp2_is_fatal(rv)) { return rv; @@ -6091,6 +6130,22 @@ int nghttp2_session_add_window_update(nghttp2_session *session, uint8_t flags, return 0; } +static void +session_append_inflight_settings(nghttp2_session *session, + nghttp2_inflight_settings *settings) { + nghttp2_inflight_settings *i; + + if (!session->inflight_settings_head) { + session->inflight_settings_head = settings; + return; + } + + for (i = session->inflight_settings_head; i->next; i = i->next) + ; + + i->next = settings; +} + int nghttp2_session_add_settings(nghttp2_session *session, uint8_t flags, const nghttp2_settings_entry *iv, size_t niv) { nghttp2_outbound_item *item; @@ -6099,15 +6154,12 @@ int nghttp2_session_add_settings(nghttp2_session *session, uint8_t flags, size_t i; int rv; nghttp2_mem *mem; + nghttp2_inflight_settings *inflight_settings = NULL; mem = &session->mem; - if (flags & NGHTTP2_FLAG_ACK) { - if (niv != 0) { - return NGHTTP2_ERR_INVALID_ARGUMENT; - } - } else if (session->inflight_niv != -1) { - return NGHTTP2_ERR_TOO_MANY_INFLIGHT_SETTINGS; + if ((flags & NGHTTP2_FLAG_ACK) && niv != 0) { + return NGHTTP2_ERR_INVALID_ARGUMENT; } if (!nghttp2_iv_check(iv, niv)) { @@ -6130,19 +6182,13 @@ int nghttp2_session_add_settings(nghttp2_session *session, uint8_t flags, } if ((flags & NGHTTP2_FLAG_ACK) == 0) { - if (niv > 0) { - session->inflight_iv = nghttp2_frame_iv_copy(iv, niv, mem); - - if (session->inflight_iv == NULL) { - nghttp2_mem_free(mem, iv_copy); - nghttp2_mem_free(mem, item); - return NGHTTP2_ERR_NOMEM; - } - } else { - session->inflight_iv = NULL; + rv = inflight_settings_new(&inflight_settings, iv, niv, mem); + if (rv != 0) { + assert(nghttp2_is_fatal(rv)); + nghttp2_mem_free(mem, iv_copy); + nghttp2_mem_free(mem, item); + return rv; } - - session->inflight_niv = niv; } nghttp2_outbound_item_init(item); @@ -6155,11 +6201,7 @@ int nghttp2_session_add_settings(nghttp2_session *session, uint8_t flags, /* The only expected error is fatal one */ assert(nghttp2_is_fatal(rv)); - if ((flags & NGHTTP2_FLAG_ACK) == 0) { - nghttp2_mem_free(mem, session->inflight_iv); - session->inflight_iv = NULL; - session->inflight_niv = -1; - } + inflight_settings_del(inflight_settings, mem); nghttp2_frame_settings_free(&frame->settings, mem); nghttp2_mem_free(mem, item); @@ -6167,6 +6209,8 @@ int nghttp2_session_add_settings(nghttp2_session *session, uint8_t flags, return rv; } + session_append_inflight_settings(session, inflight_settings); + /* Extract NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS and ENABLE_PUSH here. We use it to refuse the incoming stream and PUSH_PROMISE with RST_STREAM. */ diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h index 62c27965..87430bdb 100644 --- a/lib/nghttp2_session.h +++ b/lib/nghttp2_session.h @@ -140,6 +140,17 @@ typedef enum { NGHTTP2_GOAWAY_RECV = 0x8 } nghttp2_goaway_flag; +/* nghttp2_inflight_settings stores the SETTINGS entries which local + endpoint has sent to the remote endpoint, and has not received ACK + yet. */ +struct nghttp2_inflight_settings { + struct nghttp2_inflight_settings *next; + nghttp2_settings_entry *iv; + size_t niv; +}; + +typedef struct nghttp2_inflight_settings nghttp2_inflight_settings; + struct nghttp2_session { nghttp2_map /* */ streams; nghttp2_stream_roots roots; @@ -176,12 +187,9 @@ struct nghttp2_session { /* Points to the oldest idle stream. NULL if there is no idle stream. Only used when session is initialized as erver. */ nghttp2_stream *idle_stream_tail; - /* In-flight SETTINGS values. NULL does not necessarily mean there - is no in-flight SETTINGS. */ - nghttp2_settings_entry *inflight_iv; - /* The number of entries in |inflight_iv|. -1 if there is no - in-flight SETTINGS. */ - ssize_t inflight_niv; + /* Queue of In-flight SETTINGS values. SETTINGS bearing ACK is not + considered as in-flight. */ + nghttp2_inflight_settings *inflight_settings_head; /* The number of outgoing streams. This will be capped by remote_settings.max_concurrent_streams. */ size_t num_outgoing_streams; diff --git a/tests/main.c b/tests/main.c index 39cb1327..3bd70f7c 100644 --- a/tests/main.c +++ b/tests/main.c @@ -171,6 +171,8 @@ int main(int argc _U_, char *argv[] _U_) { test_nghttp2_submit_settings) || !CU_add_test(pSuite, "session_submit_settings_update_local_window_size", test_nghttp2_submit_settings_update_local_window_size) || + !CU_add_test(pSuite, "session_submit_settings_multiple_times", + test_nghttp2_submit_settings_multiple_times) || !CU_add_test(pSuite, "session_submit_push_promise", test_nghttp2_submit_push_promise) || !CU_add_test(pSuite, "submit_window_update", diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c index 33f8ef54..457a4128 100644 --- a/tests/nghttp2_session_test.c +++ b/tests/nghttp2_session_test.c @@ -2300,18 +2300,11 @@ void test_nghttp2_session_on_settings_received(void) { nghttp2_session_server_new(&session, &callbacks, NULL); nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_ACK, dup_iv(iv, 1), 1); - /* Specify inflight_iv deliberately */ - session->inflight_iv = frame.settings.iv; - session->inflight_niv = frame.settings.niv; - CU_ASSERT(0 == nghttp2_session_on_settings_received(session, &frame, 0)); item = nghttp2_session_get_next_ob_item(session); CU_ASSERT(item != NULL); CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type); - session->inflight_iv = NULL; - session->inflight_niv = -1; - nghttp2_frame_settings_free(&frame.settings, mem); nghttp2_session_del(session); @@ -4041,8 +4034,8 @@ void test_nghttp2_submit_settings(void) { CU_ASSERT(16 * 1024 == session->local_settings.initial_window_size); CU_ASSERT(0 == session->hd_inflater.ctx.hd_table_bufsize_max); CU_ASSERT(50 == session->local_settings.max_concurrent_streams); - CU_ASSERT(NGHTTP2_INITIAL_MAX_CONCURRENT_STREAMS == - session->pending_local_max_concurrent_stream); + /* We just keep the last seen value */ + CU_ASSERT(50 == session->pending_local_max_concurrent_stream); nghttp2_session_del(session); } @@ -4113,6 +4106,86 @@ void test_nghttp2_submit_settings_update_local_window_size(void) { nghttp2_frame_settings_free(&ack_frame.settings, mem); } +void test_nghttp2_submit_settings_multiple_times(void) { + nghttp2_session *session; + nghttp2_session_callbacks callbacks; + nghttp2_settings_entry iv[4]; + nghttp2_frame frame; + nghttp2_mem *mem; + nghttp2_inflight_settings *inflight_settings; + + mem = nghttp2_mem_default(); + + memset(&callbacks, 0, sizeof(callbacks)); + callbacks.send_callback = null_send_callback; + + nghttp2_session_client_new(&session, &callbacks, NULL); + + /* first SETTINGS */ + iv[0].settings_id = NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS; + iv[0].value = 100; + + iv[1].settings_id = NGHTTP2_SETTINGS_ENABLE_PUSH; + iv[1].value = 0; + + CU_ASSERT(0 == nghttp2_submit_settings(session, NGHTTP2_FLAG_NONE, iv, 2)); + + inflight_settings = session->inflight_settings_head; + + CU_ASSERT(NULL != inflight_settings); + CU_ASSERT(NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS == + inflight_settings->iv[0].settings_id); + CU_ASSERT(100 == inflight_settings->iv[0].value); + CU_ASSERT(2 == inflight_settings->niv); + CU_ASSERT(NULL == inflight_settings->next); + + CU_ASSERT(100 == session->pending_local_max_concurrent_stream); + CU_ASSERT(0 == session->pending_enable_push); + + /* second SETTINGS */ + iv[0].settings_id = NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS; + iv[0].value = 99; + + CU_ASSERT(0 == nghttp2_submit_settings(session, NGHTTP2_FLAG_NONE, iv, 1)); + + inflight_settings = session->inflight_settings_head->next; + + CU_ASSERT(NULL != inflight_settings); + CU_ASSERT(NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS == + inflight_settings->iv[0].settings_id); + CU_ASSERT(99 == inflight_settings->iv[0].value); + CU_ASSERT(1 == inflight_settings->niv); + CU_ASSERT(NULL == inflight_settings->next); + + CU_ASSERT(99 == session->pending_local_max_concurrent_stream); + CU_ASSERT(0 == session->pending_enable_push); + + nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_ACK, NULL, 0); + + /* receive SETTINGS ACK */ + CU_ASSERT(0 == nghttp2_session_on_settings_received(session, &frame, 0)); + + inflight_settings = session->inflight_settings_head; + + /* first inflight SETTINGS was removed */ + CU_ASSERT(NULL != inflight_settings); + CU_ASSERT(NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS == + inflight_settings->iv[0].settings_id); + CU_ASSERT(99 == inflight_settings->iv[0].value); + CU_ASSERT(1 == inflight_settings->niv); + CU_ASSERT(NULL == inflight_settings->next); + + CU_ASSERT(100 == session->local_settings.max_concurrent_streams); + + /* receive SETTINGS ACK again */ + CU_ASSERT(0 == nghttp2_session_on_settings_received(session, &frame, 0)); + + CU_ASSERT(NULL == session->inflight_settings_head); + CU_ASSERT(99 == session->local_settings.max_concurrent_streams); + + nghttp2_session_del(session); +} + void test_nghttp2_submit_push_promise(void) { nghttp2_session *session; nghttp2_session_callbacks callbacks; diff --git a/tests/nghttp2_session_test.h b/tests/nghttp2_session_test.h index b93d848e..fc626ce0 100644 --- a/tests/nghttp2_session_test.h +++ b/tests/nghttp2_session_test.h @@ -79,6 +79,7 @@ void test_nghttp2_submit_headers_continuation(void); void test_nghttp2_submit_priority(void); void test_nghttp2_submit_settings(void); void test_nghttp2_submit_settings_update_local_window_size(void); +void test_nghttp2_submit_settings_multiple_times(void); void test_nghttp2_submit_push_promise(void); void test_nghttp2_submit_window_update(void); void test_nghttp2_submit_window_update_local_window_size(void); From f6a8c8d0786b112bab8a4200eb54f2923ac6a80c Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 23 Jul 2015 00:44:54 +0900 Subject: [PATCH 35/44] Remove unused variable --- tests/nghttp2_session_test.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c index 457a4128..5b05b88e 100644 --- a/tests/nghttp2_session_test.c +++ b/tests/nghttp2_session_test.c @@ -4111,11 +4111,8 @@ void test_nghttp2_submit_settings_multiple_times(void) { nghttp2_session_callbacks callbacks; nghttp2_settings_entry iv[4]; nghttp2_frame frame; - nghttp2_mem *mem; nghttp2_inflight_settings *inflight_settings; - mem = nghttp2_mem_default(); - memset(&callbacks, 0, sizeof(callbacks)); callbacks.send_callback = null_send_callback; From aa012f7a58ae535c38ad6de8e359513df3501e93 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 23 Jul 2015 02:02:27 +0900 Subject: [PATCH 36/44] Use PROTOCOL_ERROR against DATA sent to idle stream --- lib/nghttp2_session.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c index 2f74ca4b..d9a74264 100644 --- a/lib/nghttp2_session.c +++ b/lib/nghttp2_session.c @@ -4672,7 +4672,7 @@ static int session_on_data_received_fail_fast(nghttp2_session *session) { if (!stream) { if (session_detect_idle_stream(session, stream_id)) { failure_reason = "DATA: stream in idle"; - error_code = NGHTTP2_STREAM_CLOSED; + error_code = NGHTTP2_PROTOCOL_ERROR; goto fail; } return NGHTTP2_ERR_IGN_PAYLOAD; From cd2c751f827bc0a3f76a6cfbb8b65e14bcdbabf1 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 23 Jul 2015 21:09:16 +0900 Subject: [PATCH 37/44] nghttpx: Generate new ticket key every 1hr and its life time is now 12hrs --- src/shrpx.cc | 104 +++++++++++++++++++++++++++++++++++---------------- 1 file changed, 71 insertions(+), 33 deletions(-) diff --git a/src/shrpx.cc b/src/shrpx.cc index b6f442d7..8b171ae1 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -604,54 +604,91 @@ void graceful_shutdown_signal_cb(struct ev_loop *loop, ev_signal *w, } } // namespace +namespace { +int generate_ticket_key(TicketKey &ticket_key) { + ticket_key.cipher = get_config()->tls_ticket_cipher; + ticket_key.hmac = EVP_sha256(); + ticket_key.hmac_keylen = EVP_MD_size(ticket_key.hmac); + + assert(static_cast(EVP_CIPHER_key_length(ticket_key.cipher)) <= + sizeof(ticket_key.data.enc_key)); + assert(ticket_key.hmac_keylen <= sizeof(ticket_key.data.hmac_key)); + + if (LOG_ENABLED(INFO)) { + LOG(INFO) << "enc_keylen=" << EVP_CIPHER_key_length(ticket_key.cipher) + << ", hmac_keylen=" << ticket_key.hmac_keylen; + } + + if (RAND_bytes(reinterpret_cast(&ticket_key.data), + sizeof(ticket_key.data)) == 0) { + return -1; + } + + return 0; +} +} // namespace + namespace { void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) { auto conn_handler = static_cast(w->data); const auto &old_ticket_keys = conn_handler->get_ticket_keys(); auto ticket_keys = std::make_shared(); - LOG(NOTICE) << "Renew ticket keys: main"; + LOG(NOTICE) << "Renew new ticket keys"; - // We store at most 2 ticket keys + // If old_ticket_keys is not empty, it should contain at least 2 + // keys: one for encryption, and last one for the next encryption + // key but decryption only. The keys in between are old keys and + // decryption only. The next key is provided to ensure to mitigate + // possible problem when one worker encrypt new key, but one worker, + // which did not take the that key yet, and cannot decrypt it. + // + // We keep keys for 12 hours. Thus the maximum ticket vector size + // is 12 + 1. if (old_ticket_keys) { auto &old_keys = old_ticket_keys->keys; auto &new_keys = ticket_keys->keys; - assert(!old_keys.empty()); + assert(old_keys.size() >= 2); - new_keys.resize(2); - new_keys[1] = old_keys[0]; + new_keys.resize(std::min(13ul, old_keys.size() + 1)); + std::copy_n(std::begin(old_keys), new_keys.size() - 2, + std::begin(new_keys) + 1); + new_keys[0] = old_keys.back(); } else { - ticket_keys->keys.resize(1); - } - - auto &new_key = ticket_keys->keys[0]; - new_key.cipher = get_config()->tls_ticket_cipher; - new_key.hmac = EVP_sha256(); - new_key.hmac_keylen = EVP_MD_size(new_key.hmac); - - assert(static_cast(EVP_CIPHER_key_length(new_key.cipher)) <= - sizeof(new_key.data.enc_key)); - assert(new_key.hmac_keylen <= sizeof(new_key.data.hmac_key)); - - if (LOG_ENABLED(INFO)) { - LOG(INFO) << "enc_keylen=" << EVP_CIPHER_key_length(new_key.cipher) - << ", hmac_keylen=" << new_key.hmac_keylen; - } - - if (RAND_bytes(reinterpret_cast(&new_key.data), - sizeof(new_key.data)) == 0) { - if (LOG_ENABLED(INFO)) { - LOG(INFO) << "failed to renew ticket key"; + ticket_keys->keys.resize(2); + if (generate_ticket_key(ticket_keys->keys[0]) != 0) { + if (LOG_ENABLED(INFO)) { + LOG(INFO) << "failed to generate ticket key"; + } + conn_handler->set_ticket_keys(nullptr); + conn_handler->worker_renew_ticket_keys(nullptr); + return; } + } + + auto &new_key = ticket_keys->keys.back(); + + if (generate_ticket_key(new_key) != 0) { + if (LOG_ENABLED(INFO)) { + LOG(INFO) << "failed to generate ticket key"; + } + conn_handler->set_ticket_keys(nullptr); + conn_handler->worker_renew_ticket_keys(nullptr); return; } if (LOG_ENABLED(INFO)) { LOG(INFO) << "ticket keys generation done"; - for (auto &key : ticket_keys->keys) { - LOG(INFO) << "name: " << util::format_hex(key.data.name); + assert(ticket_keys->keys.size() >= 2); + LOG(INFO) << "enc+dec: " + << util::format_hex(ticket_keys->keys[0].data.name); + for (size_t i = 1; i < ticket_keys->keys.size() - 1; ++i) { + auto &key = ticket_keys->keys[i]; + LOG(INFO) << "dec: " << util::format_hex(key.data.name); } + LOG(INFO) << "dec, next enc: " + << util::format_hex(ticket_keys->keys.back().data.name); } conn_handler->set_ticket_keys(ticket_keys); @@ -740,8 +777,8 @@ int event_loop() { } } if (auto_tls_ticket_key) { - // Renew ticket key every 12hrs - ev_timer_init(&renew_ticket_key_timer, renew_ticket_key_cb, 0., 12_h); + // Generate new ticket key every 1hr. + ev_timer_init(&renew_ticket_key_timer, renew_ticket_key_cb, 0., 1_h); renew_ticket_key_timer.data = conn_handler.get(); ev_timer_again(loop, &renew_ticket_key_timer); @@ -1317,9 +1354,10 @@ SSL/TLS: opening or reading given file fails, all loaded keys are discarded and it is treated as if none of this option is given. If this option is not given or an error occurred - while opening or reading a file, key is generated - automatically and renewed every 12hrs. At most 2 keys - are stored in memory. + while opening or reading a file, key is generated every + 1 hour internally and they are valid for 12 hours. This + is recommended if ticket key sharing between nghttpx + instances is not required. --tls-ticket-cipher= Specify cipher to encrypt TLS session ticket. Specify either aes-128-cbc or aes-256-cbc. By default, From 04bd25d468aee33c03555146cf456505a0cfa9d2 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 23 Jul 2015 23:13:29 +0900 Subject: [PATCH 38/44] nghttpx: Simplify ticket handling between workers just using mutex --- src/shrpx.cc | 33 +++++++++++---------------------- src/shrpx_connection_handler.cc | 19 +++++++------------ src/shrpx_connection_handler.h | 3 ++- src/shrpx_ssl.cc | 2 +- src/shrpx_worker.cc | 10 +++------- src/shrpx_worker.h | 7 +++++-- 6 files changed, 29 insertions(+), 45 deletions(-) diff --git a/src/shrpx.cc b/src/shrpx.cc index 8b171ae1..aa97762e 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -649,50 +649,39 @@ void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) { auto &old_keys = old_ticket_keys->keys; auto &new_keys = ticket_keys->keys; - assert(old_keys.size() >= 2); + assert(!old_keys.empty()); - new_keys.resize(std::min(13ul, old_keys.size() + 1)); - std::copy_n(std::begin(old_keys), new_keys.size() - 2, + new_keys.resize(std::min(12ul, old_keys.size() + 1)); + std::copy_n(std::begin(old_keys), new_keys.size() - 1, std::begin(new_keys) + 1); - new_keys[0] = old_keys.back(); } else { - ticket_keys->keys.resize(2); - if (generate_ticket_key(ticket_keys->keys[0]) != 0) { - if (LOG_ENABLED(INFO)) { - LOG(INFO) << "failed to generate ticket key"; - } - conn_handler->set_ticket_keys(nullptr); - conn_handler->worker_renew_ticket_keys(nullptr); - return; - } + ticket_keys->keys.resize(1); } - auto &new_key = ticket_keys->keys.back(); + auto &new_key = ticket_keys->keys[0]; if (generate_ticket_key(new_key) != 0) { if (LOG_ENABLED(INFO)) { LOG(INFO) << "failed to generate ticket key"; } conn_handler->set_ticket_keys(nullptr); - conn_handler->worker_renew_ticket_keys(nullptr); + conn_handler->set_ticket_keys_to_worker(nullptr); return; } if (LOG_ENABLED(INFO)) { LOG(INFO) << "ticket keys generation done"; - assert(ticket_keys->keys.size() >= 2); - LOG(INFO) << "enc+dec: " + assert(ticket_keys->keys.size() >= 1); + LOG(INFO) << 0 << " enc+dec: " << util::format_hex(ticket_keys->keys[0].data.name); - for (size_t i = 1; i < ticket_keys->keys.size() - 1; ++i) { + for (size_t i = 1; i < ticket_keys->keys.size(); ++i) { auto &key = ticket_keys->keys[i]; - LOG(INFO) << "dec: " << util::format_hex(key.data.name); + LOG(INFO) << i << " dec: " << util::format_hex(key.data.name); } - LOG(INFO) << "dec, next enc: " - << util::format_hex(ticket_keys->keys.back().data.name); } conn_handler->set_ticket_keys(ticket_keys); - conn_handler->worker_renew_ticket_keys(ticket_keys); + conn_handler->set_ticket_keys_to_worker(ticket_keys); } } // namespace diff --git a/src/shrpx_connection_handler.cc b/src/shrpx_connection_handler.cc index 91b477d2..64260e9d 100644 --- a/src/shrpx_connection_handler.cc +++ b/src/shrpx_connection_handler.cc @@ -128,6 +128,13 @@ ConnectionHandler::~ConnectionHandler() { } } +void ConnectionHandler::set_ticket_keys_to_worker( + const std::shared_ptr &ticket_keys) { + for (auto &worker : workers_) { + worker->set_ticket_keys(ticket_keys); + } +} + void ConnectionHandler::worker_reopen_log_files() { WorkerEvent wev{}; @@ -138,18 +145,6 @@ void ConnectionHandler::worker_reopen_log_files() { } } -void ConnectionHandler::worker_renew_ticket_keys( - const std::shared_ptr &ticket_keys) { - WorkerEvent wev{}; - - wev.type = RENEW_TICKET_KEYS; - wev.ticket_keys = ticket_keys; - - for (auto &worker : workers_) { - worker->send(wev); - } -} - void ConnectionHandler::create_single_worker() { auto cert_tree = ssl::create_cert_lookup_tree(); auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree); diff --git a/src/shrpx_connection_handler.h b/src/shrpx_connection_handler.h index 5b17fef2..c6488854 100644 --- a/src/shrpx_connection_handler.h +++ b/src/shrpx_connection_handler.h @@ -76,8 +76,9 @@ public: // Creates |num| Worker objects for multi threaded configuration. // The |num| must be strictly more than 1. void create_worker_thread(size_t num); + void + set_ticket_keys_to_worker(const std::shared_ptr &ticket_keys); void worker_reopen_log_files(); - void worker_renew_ticket_keys(const std::shared_ptr &ticket_keys); void set_ticket_keys(std::shared_ptr ticket_keys); const std::shared_ptr &get_ticket_keys() const; struct ev_loop *get_loop() const; diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc index ea5a1cc1..2d4635cd 100644 --- a/src/shrpx_ssl.cc +++ b/src/shrpx_ssl.cc @@ -188,7 +188,7 @@ int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) { auto handler = static_cast(SSL_get_app_data(ssl)); auto worker = handler->get_worker(); - const auto &ticket_keys = worker->get_ticket_keys(); + auto ticket_keys = worker->get_ticket_keys(); if (!ticket_keys) { // No ticket keys available. diff --git a/src/shrpx_worker.cc b/src/shrpx_worker.cc index ecf55b51..449d4c48 100644 --- a/src/shrpx_worker.cc +++ b/src/shrpx_worker.cc @@ -172,12 +172,6 @@ void Worker::process_events() { break; } - case RENEW_TICKET_KEYS: - WLOG(NOTICE, this) << "Renew ticket keys: worker(" << this << ")"; - - ticket_keys_ = wev.ticket_keys; - - break; case REOPEN_LOG: WLOG(NOTICE, this) << "Reopening log files: worker(" << this << ")"; @@ -206,11 +200,13 @@ void Worker::process_events() { ssl::CertLookupTree *Worker::get_cert_lookup_tree() const { return cert_tree_; } -const std::shared_ptr &Worker::get_ticket_keys() const { +std::shared_ptr Worker::get_ticket_keys() { + std::lock_guard g(m_); return ticket_keys_; } void Worker::set_ticket_keys(std::shared_ptr ticket_keys) { + std::lock_guard g(m_); ticket_keys_ = std::move(ticket_keys); } diff --git a/src/shrpx_worker.h b/src/shrpx_worker.h index b5f820b4..1ad7e3b1 100644 --- a/src/shrpx_worker.h +++ b/src/shrpx_worker.h @@ -75,7 +75,6 @@ enum WorkerEventType { NEW_CONNECTION = 0x01, REOPEN_LOG = 0x02, GRACEFUL_SHUTDOWN = 0x03, - RENEW_TICKET_KEYS = 0x04, }; struct WorkerEvent { @@ -100,8 +99,12 @@ public: void send(const WorkerEvent &event); ssl::CertLookupTree *get_cert_lookup_tree() const; - const std::shared_ptr &get_ticket_keys() const; + + // These 2 functions make a lock m_ to get/set ticket keys + // atomically. + std::shared_ptr get_ticket_keys(); void set_ticket_keys(std::shared_ptr ticket_keys); + WorkerStat *get_worker_stat(); DownstreamConnectionPool *get_dconn_pool(); Http2Session *next_http2_session(size_t group); From cab6c7871cbc73be7f31710e3537e812eab1a902 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 23 Jul 2015 23:54:56 +0900 Subject: [PATCH 39/44] nghttpx: Don't rewrite host header field by default In reverse proxy usage, backend server most likely wants to see the original header field. So this commit turns off host header rewrite by default. --no-host-rewrite option is deprecated, and if it is used, warning message is displayed. --host-rewrite option is added to enable host rewrite. --- gennghttpxfun.py | 1 + src/shrpx.cc | 11 ++++++++--- src/shrpx_config.cc | 13 ++++++++++++- src/shrpx_config.h | 1 + 4 files changed, 22 insertions(+), 4 deletions(-) diff --git a/gennghttpxfun.py b/gennghttpxfun.py index 9bf1c012..2c04e7d5 100755 --- a/gennghttpxfun.py +++ b/gennghttpxfun.py @@ -92,6 +92,7 @@ OPTIONS = [ "max-header-fields", "include", "tls-ticket-cipher", + "host-rewrite", "conf", ] diff --git a/src/shrpx.cc b/src/shrpx.cc index aa97762e..4c59167f 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -995,7 +995,7 @@ void fill_default_config() { mod_config()->tls_proto_mask = 0; mod_config()->no_location_rewrite = false; - mod_config()->no_host_rewrite = false; + mod_config()->no_host_rewrite = true; mod_config()->argc = 0; mod_config()->argv = nullptr; mod_config()->downstream_connections_per_host = 8; @@ -1498,8 +1498,8 @@ HTTP: --client and default mode. For --http2-proxy and --client-proxy mode, location header field will not be altered regardless of this option. - --no-host-rewrite - Don't rewrite host and :authority header fields on + --host-rewrite + Rewrite host and :authority header fields on --http2-bridge, --client and default mode. For --http2-proxy and --client-proxy mode, these headers will not be altered regardless of this option. @@ -1718,6 +1718,7 @@ int main(int argc, char **argv) { {SHRPX_OPT_ADD_REQUEST_HEADER, required_argument, &flag, 82}, {SHRPX_OPT_INCLUDE, required_argument, &flag, 83}, {SHRPX_OPT_TLS_TICKET_CIPHER, required_argument, &flag, 84}, + {SHRPX_OPT_HOST_REWRITE, no_argument, &flag, 85}, {nullptr, 0, nullptr, 0}}; int option_index = 0; @@ -2088,6 +2089,10 @@ int main(int argc, char **argv) { // --tls-ticket-cipher cmdcfgs.emplace_back(SHRPX_OPT_TLS_TICKET_CIPHER, optarg); break; + case 85: + // --host-rewrite + cmdcfgs.emplace_back(SHRPX_OPT_HOST_REWRITE, "yes"); + break; default: break; } diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index 3fae2d29..8029d0bb 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -674,6 +674,7 @@ enum { SHRPX_OPTID_FRONTEND_READ_TIMEOUT, SHRPX_OPTID_FRONTEND_WRITE_TIMEOUT, SHRPX_OPTID_HEADER_FIELD_BUFFER, + SHRPX_OPTID_HOST_REWRITE, SHRPX_OPTID_HTTP2_BRIDGE, SHRPX_OPTID_HTTP2_MAX_CONCURRENT_STREAMS, SHRPX_OPTID_HTTP2_NO_COOKIE_CRUMBLING, @@ -881,6 +882,9 @@ int option_lookup_token(const char *name, size_t namelen) { } break; case 'e': + if (util::strieq_l("host-rewrit", name, 11)) { + return SHRPX_OPTID_HOST_REWRITE; + } if (util::strieq_l("http2-bridg", name, 11)) { return SHRPX_OPTID_HTTP2_BRIDGE; } @@ -1736,7 +1740,10 @@ int parse_config(const char *opt, const char *optarg, return 0; case SHRPX_OPTID_NO_HOST_REWRITE: - mod_config()->no_host_rewrite = util::strieq(optarg, "yes"); + LOG(WARN) << SHRPX_OPT_NO_HOST_REWRITE + << ": deprecated. :authority and host header fields are NOT " + "altered by default. To rewrite these headers, use " + "--host-rewrite option."; return 0; case SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_HOST: { @@ -1853,6 +1860,10 @@ int parse_config(const char *opt, const char *optarg, } mod_config()->tls_ticket_cipher_given = true; + return 0; + case SHRPX_OPTID_HOST_REWRITE: + mod_config()->no_host_rewrite = !util::strieq(optarg, "yes"); + return 0; case SHRPX_OPTID_CONF: LOG(WARN) << "conf: ignored"; diff --git a/src/shrpx_config.h b/src/shrpx_config.h index 267decf9..749c7399 100644 --- a/src/shrpx_config.h +++ b/src/shrpx_config.h @@ -172,6 +172,7 @@ constexpr char SHRPX_OPT_HEADER_FIELD_BUFFER[] = "header-field-buffer"; constexpr char SHRPX_OPT_MAX_HEADER_FIELDS[] = "max-header-fields"; constexpr char SHRPX_OPT_INCLUDE[] = "include"; constexpr char SHRPX_OPT_TLS_TICKET_CIPHER[] = "tls-ticket-cipher"; +constexpr char SHRPX_OPT_HOST_REWRITE[] = "host-rewrite"; union sockaddr_union { sockaddr_storage storage; From 9b63fc011ea648ab85d832b6cc49c43b02d297e1 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Fri, 24 Jul 2015 00:32:19 +0900 Subject: [PATCH 40/44] nghttpx: Open log files by default configuration --- src/shrpx.cc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/shrpx.cc b/src/shrpx.cc index 4c59167f..c17f604e 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -1601,6 +1601,10 @@ int main(int argc, char **argv) { create_config(); fill_default_config(); + // First open log files with default configuration, so that we can + // log errors/warnings while reading configuration files. + reopen_log_files(); + // We have to copy argv, since getopt_long may change its content. mod_config()->argc = argc; mod_config()->argv = new char *[argc]; @@ -2117,8 +2121,7 @@ int main(int argc, char **argv) { cmdcfgs.emplace_back(SHRPX_OPT_CERTIFICATE_FILE, argv[optind++]); } - // First open default log files to deal with errors occurred while - // parsing option values. + // Reopen log files using configurations in file reopen_log_files(); { From abce7c7210306dae8cfebab17c572b2e8882e6c4 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Fri, 24 Jul 2015 23:25:10 +0900 Subject: [PATCH 41/44] nghttpd: Fix the bug that 304 response has non-empty body --- src/HttpServer.cc | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/HttpServer.cc b/src/HttpServer.cc index 6936bc85..5241aec6 100644 --- a/src/HttpServer.cc +++ b/src/HttpServer.cc @@ -1102,7 +1102,7 @@ void prepare_response(Stream *stream, Http2Handler *hd, if (last_mod_found && static_cast(buf.st_mtime) <= last_mod) { close(file); - prepare_status_response(stream, hd, 304); + hd->submit_response("304", stream->stream_id, nullptr); return; } @@ -1111,7 +1111,7 @@ void prepare_response(Stream *stream, Http2Handler *hd, path, FileEntry(path, buf.st_size, buf.st_mtime, file)); } else if (last_mod_found && file_ent->mtime <= last_mod) { sessions->release_fd(file_ent->path); - prepare_status_response(stream, hd, 304); + hd->submit_response("304", stream->stream_id, nullptr); return; } @@ -1630,7 +1630,6 @@ FileEntry make_status_body(int status, uint16_t port) { enum { IDX_200, IDX_301, - IDX_304, IDX_400, IDX_404, }; @@ -1639,7 +1638,6 @@ HttpServer::HttpServer(const Config *config) : config_(config) { status_pages_ = std::vector{ {"200", make_status_body(200, config_->port)}, {"301", make_status_body(301, config_->port)}, - {"304", make_status_body(304, config_->port)}, {"400", make_status_body(400, config_->port)}, {"404", make_status_body(404, config_->port)}, }; @@ -1884,8 +1882,6 @@ const StatusPage *HttpServer::get_status_page(int status) const { return &status_pages_[IDX_200]; case 301: return &status_pages_[IDX_301]; - case 304: - return &status_pages_[IDX_304]; case 400: return &status_pages_[IDX_400]; case 404: From afbb99ecf7804413a0ec0347714a04d23de40c0f Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Fri, 24 Jul 2015 23:40:27 +0900 Subject: [PATCH 42/44] nghttpx: Enable session resumption on HTTP/2 backend --- src/shrpx_connection.cc | 17 +++++++++++++---- src/shrpx_http2_session.cc | 13 ++++++++----- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/src/shrpx_connection.cc b/src/shrpx_connection.cc index 30c2ec98..1ba8dfdb 100644 --- a/src/shrpx_connection.cc +++ b/src/shrpx_connection.cc @@ -62,7 +62,13 @@ Connection::Connection(struct ev_loop *loop, int fd, SSL *ssl, tls.last_write_time = 0.; } -Connection::~Connection() { disconnect(); } +Connection::~Connection() { + disconnect(); + + if (tls.ssl) { + SSL_free(tls.ssl); + } +} void Connection::disconnect() { ev_timer_stop(loop, &rt); @@ -75,9 +81,12 @@ void Connection::disconnect() { SSL_set_app_data(tls.ssl, nullptr); SSL_set_shutdown(tls.ssl, SSL_RECEIVED_SHUTDOWN); ERR_clear_error(); - SSL_shutdown(tls.ssl); - SSL_free(tls.ssl); - tls.ssl = nullptr; + // To reuse SSL/TLS session, we have to shutdown, and don't free + // tls.ssl. + if (SSL_shutdown(tls.ssl) != 1) { + SSL_free(tls.ssl); + tls.ssl = nullptr; + } } if (fd != -1) { diff --git a/src/shrpx_http2_session.cc b/src/shrpx_http2_session.cc index e2b4e2ee..164a57da 100644 --- a/src/shrpx_http2_session.cc +++ b/src/shrpx_http2_session.cc @@ -320,12 +320,15 @@ int Http2Session::initiate_connection() { SSLOG(INFO, this) << "Connecting to downstream server"; } if (ssl_ctx_) { - // We are establishing TLS connection. - conn_.tls.ssl = SSL_new(ssl_ctx_); + // We are establishing TLS connection. If conn_.tls.ssl, we may + // reuse the previous session. if (!conn_.tls.ssl) { - SSLOG(ERROR, this) << "SSL_new() failed: " - << ERR_error_string(ERR_get_error(), NULL); - return -1; + conn_.tls.ssl = SSL_new(ssl_ctx_); + if (!conn_.tls.ssl) { + SSLOG(ERROR, this) << "SSL_new() failed: " + << ERR_error_string(ERR_get_error(), NULL); + return -1; + } } const char *sni_name = nullptr; From 6c8243f6d2e1766a80df6fe72c378dd8a461aa9d Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Fri, 24 Jul 2015 23:40:44 +0900 Subject: [PATCH 43/44] nghttpd: Add verbose output when SSL/TLS session is reused --- src/HttpServer.cc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/HttpServer.cc b/src/HttpServer.cc index 5241aec6..01624d33 100644 --- a/src/HttpServer.cc +++ b/src/HttpServer.cc @@ -571,6 +571,12 @@ int Http2Handler::tls_handshake() { return -1; } + if (sessions_->get_config()->verbose) { + if (SSL_session_reused(ssl_)) { + std::cerr << "SSL/TLS session reused" << std::endl; + } + } + return 0; } From adec2c06bf72f44da109219102374bf25a6919e0 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Fri, 24 Jul 2015 23:59:19 +0900 Subject: [PATCH 44/44] nghttpx: Set SSL/TLS session timeout to 12 hours --- src/shrpx.cc | 11 ++++++++--- src/shrpx_config.h | 1 + src/shrpx_ssl.cc | 1 + 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/src/shrpx.cc b/src/shrpx.cc index c17f604e..01d15205 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -643,15 +643,19 @@ void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) { // possible problem when one worker encrypt new key, but one worker, // which did not take the that key yet, and cannot decrypt it. // - // We keep keys for 12 hours. Thus the maximum ticket vector size - // is 12 + 1. + // We keep keys for get_config()->tls_session_timeout seconds. The + // default is 12 hours. Thus the maximum ticket vector size is 12. if (old_ticket_keys) { auto &old_keys = old_ticket_keys->keys; auto &new_keys = ticket_keys->keys; assert(!old_keys.empty()); - new_keys.resize(std::min(12ul, old_keys.size() + 1)); + auto max_tickets = + static_cast(std::chrono::duration_cast( + get_config()->tls_session_timeout).count()); + + new_keys.resize(std::min(max_tickets, old_keys.size() + 1)); std::copy_n(std::begin(old_keys), new_keys.size() - 1, std::begin(new_keys) + 1); } else { @@ -1016,6 +1020,7 @@ void fill_default_config() { mod_config()->downstream_addr_group_catch_all = 0; mod_config()->tls_ticket_cipher = EVP_aes_128_cbc(); mod_config()->tls_ticket_cipher_given = false; + mod_config()->tls_session_timeout = std::chrono::hours(12); } } // namespace diff --git a/src/shrpx_config.h b/src/shrpx_config.h index 749c7399..9f0e52f8 100644 --- a/src/shrpx_config.h +++ b/src/shrpx_config.h @@ -253,6 +253,7 @@ struct Config { std::vector tls_proto_list; // binary form of http proxy host and port sockaddr_union downstream_http_proxy_addr; + std::chrono::seconds tls_session_timeout; ev_tstamp http2_upstream_read_timeout; ev_tstamp upstream_read_timeout; ev_tstamp upstream_write_timeout; diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc index 2d4635cd..0681888e 100644 --- a/src/shrpx_ssl.cc +++ b/src/shrpx_ssl.cc @@ -346,6 +346,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const unsigned char sid_ctx[] = "shrpx"; SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1); SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER); + SSL_CTX_set_timeout(ssl_ctx, get_config()->tls_session_timeout.count()); const char *ciphers; if (get_config()->ciphers) {