| // Copyright 2014 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| // TODO: turn off the serve goroutine when idle, so |
| // an idle conn only has the readFrames goroutine active. (which could |
| // also be optimized probably to pin less memory in crypto/tls). This |
| // would involve tracking when the serve goroutine is active (atomic |
| // int32 read/CAS probably?) and starting it up when frames arrive, |
| // and shutting it down when all handlers exit. the occasional PING |
| // packets could use time.AfterFunc to call sc.wakeStartServeLoop() |
| // (which is a no-op if already running) and then queue the PING write |
| // as normal. The serve loop would then exit in most cases (if no |
| // Handlers running) and not be woken up again until the PING packet |
| // returns. |
| |
| // TODO (maybe): add a mechanism for Handlers to going into |
| // half-closed-local mode (rw.(io.Closer) test?) but not exit their |
| // handler, and continue to be able to read from the |
| // Request.Body. This would be a somewhat semantic change from HTTP/1 |
| // (or at least what we expose in net/http), so I'd probably want to |
| // add it there too. For now, this package says that returning from |
| // the Handler ServeHTTP function means you're both done reading and |
| // done writing, without a way to stop just one or the other. |
| |
| package http2 |
| |
| import ( |
| "bufio" |
| "bytes" |
| "context" |
| "crypto/tls" |
| "errors" |
| "fmt" |
| "io" |
| "log" |
| "math" |
| "net" |
| "net/http" |
| "net/textproto" |
| "net/url" |
| "os" |
| "reflect" |
| "runtime" |
| "strconv" |
| "strings" |
| "sync" |
| "time" |
| |
| "golang.org/x/net/http/httpguts" |
| "golang.org/x/net/http2/hpack" |
| ) |
| |
| const ( |
| prefaceTimeout = 10 * time.Second |
| firstSettingsTimeout = 2 * time.Second // should be in-flight with preface anyway |
| handlerChunkWriteSize = 4 << 10 |
| defaultMaxStreams = 250 // TODO: make this 100 as the GFE seems to? |
| maxQueuedControlFrames = 10000 |
| ) |
| |
| var ( |
| errClientDisconnected = errors.New("client disconnected") |
| errClosedBody = errors.New("body closed by handler") |
| errHandlerComplete = errors.New("http2: request body closed due to handler exiting") |
| errStreamClosed = errors.New("http2: stream closed") |
| ) |
| |
| var responseWriterStatePool = sync.Pool{ |
| New: func() interface{} { |
| rws := &responseWriterState{} |
| rws.bw = bufio.NewWriterSize(chunkWriter{rws}, handlerChunkWriteSize) |
| return rws |
| }, |
| } |
| |
| // Test hooks. |
| var ( |
| testHookOnConn func() |
| testHookGetServerConn func(*serverConn) |
| testHookOnPanicMu *sync.Mutex // nil except in tests |
| testHookOnPanic func(sc *serverConn, panicVal interface{}) (rePanic bool) |
| ) |
| |
| // Server is an HTTP/2 server. |
| type Server struct { |
| // MaxHandlers limits the number of http.Handler ServeHTTP goroutines |
| // which may run at a time over all connections. |
| // Negative or zero no limit. |
| // TODO: implement |
| MaxHandlers int |
| |
| // MaxConcurrentStreams optionally specifies the number of |
| // concurrent streams that each client may have open at a |
| // time. This is unrelated to the number of http.Handler goroutines |
| // which may be active globally, which is MaxHandlers. |
| // If zero, MaxConcurrentStreams defaults to at least 100, per |
| // the HTTP/2 spec's recommendations. |
| MaxConcurrentStreams uint32 |
| |
| // MaxDecoderHeaderTableSize optionally specifies the http2 |
| // SETTINGS_HEADER_TABLE_SIZE to send in the initial settings frame. It |
| // informs the remote endpoint of the maximum size of the header compression |
| // table used to decode header blocks, in octets. If zero, the default value |
| // of 4096 is used. |
| MaxDecoderHeaderTableSize uint32 |
| |
| // MaxEncoderHeaderTableSize optionally specifies an upper limit for the |
| // header compression table used for encoding request headers. Received |
| // SETTINGS_HEADER_TABLE_SIZE settings are capped at this limit. If zero, |
| // the default value of 4096 is used. |
| MaxEncoderHeaderTableSize uint32 |
| |
| // MaxReadFrameSize optionally specifies the largest frame |
| // this server is willing to read. A valid value is between |
| // 16k and 16M, inclusive. If zero or otherwise invalid, a |
| // default value is used. |
| MaxReadFrameSize uint32 |
| |
| // PermitProhibitedCipherSuites, if true, permits the use of |
| // cipher suites prohibited by the HTTP/2 spec. |
| PermitProhibitedCipherSuites bool |
| |
| // IdleTimeout specifies how long until idle clients should be |
| // closed with a GOAWAY frame. PING frames are not considered |
| // activity for the purposes of IdleTimeout. |
| IdleTimeout time.Duration |
| |
| // MaxUploadBufferPerConnection is the size of the initial flow |
| // control window for each connections. The HTTP/2 spec does not |
| // allow this to be smaller than 65535 or larger than 2^32-1. |
| // If the value is outside this range, a default value will be |
| // used instead. |
| MaxUploadBufferPerConnection int32 |
| |
| // MaxUploadBufferPerStream is the size of the initial flow control |
| // window for each stream. The HTTP/2 spec does not allow this to |
| // be larger than 2^32-1. If the value is zero or larger than the |
| // maximum, a default value will be used instead. |
| MaxUploadBufferPerStream int32 |
| |
| // NewWriteScheduler constructs a write scheduler for a connection. |
| // If nil, a default scheduler is chosen. |
| NewWriteScheduler func() WriteScheduler |
| |
| // CountError, if non-nil, is called on HTTP/2 server errors. |
| // It's intended to increment a metric for monitoring, such |
| // as an expvar or Prometheus metric. |
| // The errType consists of only ASCII word characters. |
| CountError func(errType string) |
| |
| // Internal state. This is a pointer (rather than embedded directly) |
| // so that we don't embed a Mutex in this struct, which will make the |
| // struct non-copyable, which might break some callers. |
| state *serverInternalState |
| } |
| |
| func (s *Server) initialConnRecvWindowSize() int32 { |
| if s.MaxUploadBufferPerConnection >= initialWindowSize { |
| return s.MaxUploadBufferPerConnection |
| } |
| return 1 << 20 |
| } |
| |
| func (s *Server) initialStreamRecvWindowSize() int32 { |
| if s.MaxUploadBufferPerStream > 0 { |
| return s.MaxUploadBufferPerStream |
| } |
| return 1 << 20 |
| } |
| |
| func (s *Server) maxReadFrameSize() uint32 { |
| if v := s.MaxReadFrameSize; v >= minMaxFrameSize && v <= maxFrameSize { |
| return v |
| } |
| return defaultMaxReadFrameSize |
| } |
| |
| func (s *Server) maxConcurrentStreams() uint32 { |
| if v := s.MaxConcurrentStreams; v > 0 { |
| return v |
| } |
| return defaultMaxStreams |
| } |
| |
| func (s *Server) maxDecoderHeaderTableSize() uint32 { |
| if v := s.MaxDecoderHeaderTableSize; v > 0 { |
| return v |
| } |
| return initialHeaderTableSize |
| } |
| |
| func (s *Server) maxEncoderHeaderTableSize() uint32 { |
| if v := s.MaxEncoderHeaderTableSize; v > 0 { |
| return v |
| } |
| return initialHeaderTableSize |
| } |
| |
| // maxQueuedControlFrames is the maximum number of control frames like |
| // SETTINGS, PING and RST_STREAM that will be queued for writing before |
| // the connection is closed to prevent memory exhaustion attacks. |
| func (s *Server) maxQueuedControlFrames() int { |
| // TODO: if anybody asks, add a Server field, and remember to define the |
| // behavior of negative values. |
| return maxQueuedControlFrames |
| } |
| |
| type serverInternalState struct { |
| mu sync.Mutex |
| activeConns map[*serverConn]struct{} |
| } |
| |
| func (s *serverInternalState) registerConn(sc *serverConn) { |
| if s == nil { |
| return // if the Server was used without calling ConfigureServer |
| } |
| s.mu.Lock() |
| s.activeConns[sc] = struct{}{} |
| s.mu.Unlock() |
| } |
| |
| func (s *serverInternalState) unregisterConn(sc *serverConn) { |
| if s == nil { |
| return // if the Server was used without calling ConfigureServer |
| } |
| s.mu.Lock() |
| delete(s.activeConns, sc) |
| s.mu.Unlock() |
| } |
| |
| func (s *serverInternalState) startGracefulShutdown() { |
| if s == nil { |
| return // if the Server was used without calling ConfigureServer |
| } |
| s.mu.Lock() |
| for sc := range s.activeConns { |
| sc.startGracefulShutdown() |
| } |
| s.mu.Unlock() |
| } |
| |
| // ConfigureServer adds HTTP/2 support to a net/http Server. |
| // |
| // The configuration conf may be nil. |
| // |
| // ConfigureServer must be called before s begins serving. |
| func ConfigureServer(s *http.Server, conf *Server) error { |
| if s == nil { |
| panic("nil *http.Server") |
| } |
| if conf == nil { |
| conf = new(Server) |
| } |
| conf.state = &serverInternalState{activeConns: make(map[*serverConn]struct{})} |
| if h1, h2 := s, conf; h2.IdleTimeout == 0 { |
| if h1.IdleTimeout != 0 { |
| h2.IdleTimeout = h1.IdleTimeout |
| } else { |
| h2.IdleTimeout = h1.ReadTimeout |
| } |
| } |
| s.RegisterOnShutdown(conf.state.startGracefulShutdown) |
| |
| if s.TLSConfig == nil { |
| s.TLSConfig = new(tls.Config) |
| } else if s.TLSConfig.CipherSuites != nil && s.TLSConfig.MinVersion < tls.VersionTLS13 { |
| // If they already provided a TLS 1.0–1.2 CipherSuite list, return an |
| // error if it is missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or |
| // ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. |
| haveRequired := false |
| for _, cs := range s.TLSConfig.CipherSuites { |
| switch cs { |
| case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
| // Alternative MTI cipher to not discourage ECDSA-only servers. |
| // See http://golang.org/cl/30721 for further information. |
| tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: |
| haveRequired = true |
| } |
| } |
| if !haveRequired { |
| return fmt.Errorf("http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)") |
| } |
| } |
| |
| // Note: not setting MinVersion to tls.VersionTLS12, |
| // as we don't want to interfere with HTTP/1.1 traffic |
| // on the user's server. We enforce TLS 1.2 later once |
| // we accept a connection. Ideally this should be done |
| // during next-proto selection, but using TLS <1.2 with |
| // HTTP/2 is still the client's bug. |
| |
| s.TLSConfig.PreferServerCipherSuites = true |
| |
| if !strSliceContains(s.TLSConfig.NextProtos, NextProtoTLS) { |
| s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, NextProtoTLS) |
| } |
| if !strSliceContains(s.TLSConfig.NextProtos, "http/1.1") { |
| s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, "http/1.1") |
| } |
| |
| if s.TLSNextProto == nil { |
| s.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){} |
| } |
| protoHandler := func(hs *http.Server, c *tls.Conn, h http.Handler) { |
| if testHookOnConn != nil { |
| testHookOnConn() |
| } |
| // The TLSNextProto interface predates contexts, so |
| // the net/http package passes down its per-connection |
| // base context via an exported but unadvertised |
| // method on the Handler. This is for internal |
| // net/http<=>http2 use only. |
| var ctx context.Context |
| type baseContexter interface { |
| BaseContext() context.Context |
| } |
| if bc, ok := h.(baseContexter); ok { |
| ctx = bc.BaseContext() |
| } |
| conf.ServeConn(c, &ServeConnOpts{ |
| Context: ctx, |
| Handler: h, |
| BaseConfig: hs, |
| }) |
| } |
| s.TLSNextProto[NextProtoTLS] = protoHandler |
| return nil |
| } |
| |
| // ServeConnOpts are options for the Server.ServeConn method. |
| type ServeConnOpts struct { |
| // Context is the base context to use. |
| // If nil, context.Background is used. |
| Context context.Context |
| |
| // BaseConfig optionally sets the base configuration |
| // for values. If nil, defaults are used. |
| BaseConfig *http.Server |
| |
| // Handler specifies which handler to use for processing |
| // requests. If nil, BaseConfig.Handler is used. If BaseConfig |
| // or BaseConfig.Handler is nil, http.DefaultServeMux is used. |
| Handler http.Handler |
| |
| // UpgradeRequest is an initial request received on a connection |
| // undergoing an h2c upgrade. The request body must have been |
| // completely read from the connection before calling ServeConn, |
| // and the 101 Switching Protocols response written. |
| UpgradeRequest *http.Request |
| |
| // Settings is the decoded contents of the HTTP2-Settings header |
| // in an h2c upgrade request. |
| Settings []byte |
| |
| // SawClientPreface is set if the HTTP/2 connection preface |
| // has already been read from the connection. |
| SawClientPreface bool |
| } |
| |
| func (o *ServeConnOpts) context() context.Context { |
| if o != nil && o.Context != nil { |
| return o.Context |
| } |
| return context.Background() |
| } |
| |
| func (o *ServeConnOpts) baseConfig() *http.Server { |
| if o != nil && o.BaseConfig != nil { |
| return o.BaseConfig |
| } |
| return new(http.Server) |
| } |
| |
| func (o *ServeConnOpts) handler() http.Handler { |
| if o != nil { |
| if o.Handler != nil { |
| return o.Handler |
| } |
| if o.BaseConfig != nil && o.BaseConfig.Handler != nil { |
| return o.BaseConfig.Handler |
| } |
| } |
| return http.DefaultServeMux |
| } |
| |
| // ServeConn serves HTTP/2 requests on the provided connection and |
| // blocks until the connection is no longer readable. |
| // |
| // ServeConn starts speaking HTTP/2 assuming that c has not had any |
| // reads or writes. It writes its initial settings frame and expects |
| // to be able to read the preface and settings frame from the |
| // client. If c has a ConnectionState method like a *tls.Conn, the |
| // ConnectionState is used to verify the TLS ciphersuite and to set |
| // the Request.TLS field in Handlers. |
| // |
| // ServeConn does not support h2c by itself. Any h2c support must be |
| // implemented in terms of providing a suitably-behaving net.Conn. |
| // |
| // The opts parameter is optional. If nil, default values are used. |
| func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) { |
| baseCtx, cancel := serverConnBaseContext(c, opts) |
| defer cancel() |
| |
| sc := &serverConn{ |
| srv: s, |
| hs: opts.baseConfig(), |
| conn: c, |
| baseCtx: baseCtx, |
| remoteAddrStr: c.RemoteAddr().String(), |
| bw: newBufferedWriter(c), |
| handler: opts.handler(), |
| streams: make(map[uint32]*stream), |
| readFrameCh: make(chan readFrameResult), |
| wantWriteFrameCh: make(chan FrameWriteRequest, 8), |
| serveMsgCh: make(chan interface{}, 8), |
| wroteFrameCh: make(chan frameWriteResult, 1), // buffered; one send in writeFrameAsync |
| bodyReadCh: make(chan bodyReadMsg), // buffering doesn't matter either way |
| doneServing: make(chan struct{}), |
| clientMaxStreams: math.MaxUint32, // Section 6.5.2: "Initially, there is no limit to this value" |
| advMaxStreams: s.maxConcurrentStreams(), |
| initialStreamSendWindowSize: initialWindowSize, |
| maxFrameSize: initialMaxFrameSize, |
| serveG: newGoroutineLock(), |
| pushEnabled: true, |
| sawClientPreface: opts.SawClientPreface, |
| } |
| |
| s.state.registerConn(sc) |
| defer s.state.unregisterConn(sc) |
| |
| // The net/http package sets the write deadline from the |
| // http.Server.WriteTimeout during the TLS handshake, but then |
| // passes the connection off to us with the deadline already set. |
| // Write deadlines are set per stream in serverConn.newStream. |
| // Disarm the net.Conn write deadline here. |
| if sc.hs.WriteTimeout != 0 { |
| sc.conn.SetWriteDeadline(time.Time{}) |
| } |
| |
| if s.NewWriteScheduler != nil { |
| sc.writeSched = s.NewWriteScheduler() |
| } else { |
| sc.writeSched = NewPriorityWriteScheduler(nil) |
| } |
| |
| // These start at the RFC-specified defaults. If there is a higher |
| // configured value for inflow, that will be updated when we send a |
| // WINDOW_UPDATE shortly after sending SETTINGS. |
| sc.flow.add(initialWindowSize) |
| sc.inflow.init(initialWindowSize) |
| sc.hpackEncoder = hpack.NewEncoder(&sc.headerWriteBuf) |
| sc.hpackEncoder.SetMaxDynamicTableSizeLimit(s.maxEncoderHeaderTableSize()) |
| |
| fr := NewFramer(sc.bw, c) |
| if s.CountError != nil { |
| fr.countError = s.CountError |
| } |
| fr.ReadMetaHeaders = hpack.NewDecoder(s.maxDecoderHeaderTableSize(), nil) |
| fr.MaxHeaderListSize = sc.maxHeaderListSize() |
| fr.SetMaxReadFrameSize(s.maxReadFrameSize()) |
| sc.framer = fr |
| |
| if tc, ok := c.(connectionStater); ok { |
| sc.tlsState = new(tls.ConnectionState) |
| *sc.tlsState = tc.ConnectionState() |
| // 9.2 Use of TLS Features |
| // An implementation of HTTP/2 over TLS MUST use TLS |
| // 1.2 or higher with the restrictions on feature set |
| // and cipher suite described in this section. Due to |
| // implementation limitations, it might not be |
| // possible to fail TLS negotiation. An endpoint MUST |
| // immediately terminate an HTTP/2 connection that |
| // does not meet the TLS requirements described in |
| // this section with a connection error (Section |
| // 5.4.1) of type INADEQUATE_SECURITY. |
| if sc.tlsState.Version < tls.VersionTLS12 { |
| sc.rejectConn(ErrCodeInadequateSecurity, "TLS version too low") |
| return |
| } |
| |
| if sc.tlsState.ServerName == "" { |
| // Client must use SNI, but we don't enforce that anymore, |
| // since it was causing problems when connecting to bare IP |
| // addresses during development. |
| // |
| // TODO: optionally enforce? Or enforce at the time we receive |
| // a new request, and verify the ServerName matches the :authority? |
| // But that precludes proxy situations, perhaps. |
| // |
| // So for now, do nothing here again. |
| } |
| |
| if !s.PermitProhibitedCipherSuites && isBadCipher(sc.tlsState.CipherSuite) { |
| // "Endpoints MAY choose to generate a connection error |
| // (Section 5.4.1) of type INADEQUATE_SECURITY if one of |
| // the prohibited cipher suites are negotiated." |
| // |
| // We choose that. In my opinion, the spec is weak |
| // here. It also says both parties must support at least |
| // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 so there's no |
| // excuses here. If we really must, we could allow an |
| // "AllowInsecureWeakCiphers" option on the server later. |
| // Let's see how it plays out first. |
| sc.rejectConn(ErrCodeInadequateSecurity, fmt.Sprintf("Prohibited TLS 1.2 Cipher Suite: %x", sc.tlsState.CipherSuite)) |
| return |
| } |
| } |
| |
| if opts.Settings != nil { |
| fr := &SettingsFrame{ |
| FrameHeader: FrameHeader{valid: true}, |
| p: opts.Settings, |
| } |
| if err := fr.ForeachSetting(sc.processSetting); err != nil { |
| sc.rejectConn(ErrCodeProtocol, "invalid settings") |
| return |
| } |
| opts.Settings = nil |
| } |
| |
| if hook := testHookGetServerConn; hook != nil { |
| hook(sc) |
| } |
| |
| if opts.UpgradeRequest != nil { |
| sc.upgradeRequest(opts.UpgradeRequest) |
| opts.UpgradeRequest = nil |
| } |
| |
| sc.serve() |
| } |
| |
| func serverConnBaseContext(c net.Conn, opts *ServeConnOpts) (ctx context.Context, cancel func()) { |
| ctx, cancel = context.WithCancel(opts.context()) |
| ctx = context.WithValue(ctx, http.LocalAddrContextKey, c.LocalAddr()) |
| if hs := opts.baseConfig(); hs != nil { |
| ctx = context.WithValue(ctx, http.ServerContextKey, hs) |
| } |
| return |
| } |
| |
| func (sc *serverConn) rejectConn(err ErrCode, debug string) { |
| sc.vlogf("http2: server rejecting conn: %v, %s", err, debug) |
| // ignoring errors. hanging up anyway. |
| sc.framer.WriteGoAway(0, err, []byte(debug)) |
| sc.bw.Flush() |
| sc.conn.Close() |
| } |
| |
| type serverConn struct { |
| // Immutable: |
| srv *Server |
| hs *http.Server |
| conn net.Conn |
| bw *bufferedWriter // writing to conn |
| handler http.Handler |
| baseCtx context.Context |
| framer *Framer |
| doneServing chan struct{} // closed when serverConn.serve ends |
| readFrameCh chan readFrameResult // written by serverConn.readFrames |
| wantWriteFrameCh chan FrameWriteRequest // from handlers -> serve |
| wroteFrameCh chan frameWriteResult // from writeFrameAsync -> serve, tickles more frame writes |
| bodyReadCh chan bodyReadMsg // from handlers -> serve |
| serveMsgCh chan interface{} // misc messages & code to send to / run on the serve loop |
| flow outflow // conn-wide (not stream-specific) outbound flow control |
| inflow inflow // conn-wide inbound flow control |
| tlsState *tls.ConnectionState // shared by all handlers, like net/http |
| remoteAddrStr string |
| writeSched WriteScheduler |
| |
| // Everything following is owned by the serve loop; use serveG.check(): |
| serveG goroutineLock // used to verify funcs are on serve() |
| pushEnabled bool |
| sawClientPreface bool // preface has already been read, used in h2c upgrade |
| sawFirstSettings bool // got the initial SETTINGS frame after the preface |
| needToSendSettingsAck bool |
| unackedSettings int // how many SETTINGS have we sent without ACKs? |
| queuedControlFrames int // control frames in the writeSched queue |
| clientMaxStreams uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit) |
| advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client |
| curClientStreams uint32 // number of open streams initiated by the client |
| curPushedStreams uint32 // number of open streams initiated by server push |
| maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests |
| maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes |
| streams map[uint32]*stream |
| initialStreamSendWindowSize int32 |
| maxFrameSize int32 |
| peerMaxHeaderListSize uint32 // zero means unknown (default) |
| canonHeader map[string]string // http2-lower-case -> Go-Canonical-Case |
| canonHeaderKeysSize int // canonHeader keys size in bytes |
| writingFrame bool // started writing a frame (on serve goroutine or separate) |
| writingFrameAsync bool // started a frame on its own goroutine but haven't heard back on wroteFrameCh |
| needsFrameFlush bool // last frame write wasn't a flush |
| inGoAway bool // we've started to or sent GOAWAY |
| inFrameScheduleLoop bool // whether we're in the scheduleFrameWrite loop |
| needToSendGoAway bool // we need to schedule a GOAWAY frame write |
| goAwayCode ErrCode |
| shutdownTimer *time.Timer // nil until used |
| idleTimer *time.Timer // nil if unused |
| |
| // Owned by the writeFrameAsync goroutine: |
| headerWriteBuf bytes.Buffer |
| hpackEncoder *hpack.Encoder |
| |
| // Used by startGracefulShutdown. |
| shutdownOnce sync.Once |
| } |
| |
| func (sc *serverConn) maxHeaderListSize() uint32 { |
| n := sc.hs.MaxHeaderBytes |
| if n <= 0 { |
| n = http.DefaultMaxHeaderBytes |
| } |
| // http2's count is in a slightly different unit and includes 32 bytes per pair. |
| // So, take the net/http.Server value and pad it up a bit, assuming 10 headers. |
| const perFieldOverhead = 32 // per http2 spec |
| const typicalHeaders = 10 // conservative |
| return uint32(n + typicalHeaders*perFieldOverhead) |
| } |
| |
| func (sc *serverConn) curOpenStreams() uint32 { |
| sc.serveG.check() |
| return sc.curClientStreams + sc.curPushedStreams |
| } |
| |
| // stream represents a stream. This is the minimal metadata needed by |
| // the serve goroutine. Most of the actual stream state is owned by |
| // the http.Handler's goroutine in the responseWriter. Because the |
| // responseWriter's responseWriterState is recycled at the end of a |
| // handler, this struct intentionally has no pointer to the |
| // *responseWriter{,State} itself, as the Handler ending nils out the |
| // responseWriter's state field. |
| type stream struct { |
| // immutable: |
| sc *serverConn |
| id uint32 |
| body *pipe // non-nil if expecting DATA frames |
| cw closeWaiter // closed wait stream transitions to closed state |
| ctx context.Context |
| cancelCtx func() |
| |
| // owned by serverConn's serve loop: |
| bodyBytes int64 // body bytes seen so far |
| declBodyBytes int64 // or -1 if undeclared |
| flow outflow // limits writing from Handler to client |
| inflow inflow // what the client is allowed to POST/etc to us |
| state streamState |
| resetQueued bool // RST_STREAM queued for write; set by sc.resetStream |
| gotTrailerHeader bool // HEADER frame for trailers was seen |
| wroteHeaders bool // whether we wrote headers (not status 100) |
| readDeadline *time.Timer // nil if unused |
| writeDeadline *time.Timer // nil if unused |
| closeErr error // set before cw is closed |
| |
| trailer http.Header // accumulated trailers |
| reqTrailer http.Header // handler's Request.Trailer |
| } |
| |
| func (sc *serverConn) Framer() *Framer { return sc.framer } |
| func (sc *serverConn) CloseConn() error { return sc.conn.Close() } |
| func (sc *serverConn) Flush() error { return sc.bw.Flush() } |
| func (sc *serverConn) HeaderEncoder() (*hpack.Encoder, *bytes.Buffer) { |
| return sc.hpackEncoder, &sc.headerWriteBuf |
| } |
| |
| func (sc *serverConn) state(streamID uint32) (streamState, *stream) { |
| sc.serveG.check() |
| // http://tools.ietf.org/html/rfc7540#section-5.1 |
| if st, ok := sc.streams[streamID]; ok { |
| return st.state, st |
| } |
| // "The first use of a new stream identifier implicitly closes all |
| // streams in the "idle" state that might have been initiated by |
| // that peer with a lower-valued stream identifier. For example, if |
| // a client sends a HEADERS frame on stream 7 without ever sending a |
| // frame on stream 5, then stream 5 transitions to the "closed" |
| // state when the first frame for stream 7 is sent or received." |
| if streamID%2 == 1 { |
| if streamID <= sc.maxClientStreamID { |
| return stateClosed, nil |
| } |
| } else { |
| if streamID <= sc.maxPushPromiseID { |
| return stateClosed, nil |
| } |
| } |
| return stateIdle, nil |
| } |
| |
| // setConnState calls the net/http ConnState hook for this connection, if configured. |
| // Note that the net/http package does StateNew and StateClosed for us. |
| // There is currently no plan for StateHijacked or hijacking HTTP/2 connections. |
| func (sc *serverConn) setConnState(state http.ConnState) { |
| if sc.hs.ConnState != nil { |
| sc.hs.ConnState(sc.conn, state) |
| } |
| } |
| |
| func (sc *serverConn) vlogf(format string, args ...interface{}) { |
| if VerboseLogs { |
| sc.logf(format, args...) |
| } |
| } |
| |
| func (sc *serverConn) logf(format string, args ...interface{}) { |
| if lg := sc.hs.ErrorLog; lg != nil { |
| lg.Printf(format, args...) |
| } else { |
| log.Printf(format, args...) |
| } |
| } |
| |
| // errno returns v's underlying uintptr, else 0. |
| // |
| // TODO: remove this helper function once http2 can use build |
| // tags. See comment in isClosedConnError. |
| func errno(v error) uintptr { |
| if rv := reflect.ValueOf(v); rv.Kind() == reflect.Uintptr { |
| return uintptr(rv.Uint()) |
| } |
| return 0 |
| } |
| |
| // isClosedConnError reports whether err is an error from use of a closed |
| // network connection. |
| func isClosedConnError(err error) bool { |
| if err == nil { |
| return false |
| } |
| |
| // TODO: remove this string search and be more like the Windows |
| // case below. That might involve modifying the standard library |
| // to return better error types. |
| str := err.Error() |
| if strings.Contains(str, "use of closed network connection") { |
| return true |
| } |
| |
| // TODO(bradfitz): x/tools/cmd/bundle doesn't really support |
| // build tags, so I can't make an http2_windows.go file with |
| // Windows-specific stuff. Fix that and move this, once we |
| // have a way to bundle this into std's net/http somehow. |
| if runtime.GOOS == "windows" { |
| if oe, ok := err.(*net.OpError); ok && oe.Op == "read" { |
| if se, ok := oe.Err.(*os.SyscallError); ok && se.Syscall == "wsarecv" { |
| const WSAECONNABORTED = 10053 |
| const WSAECONNRESET = 10054 |
| if n := errno(se.Err); n == WSAECONNRESET || n == WSAECONNABORTED { |
| return true |
| } |
| } |
| } |
| } |
| return false |
| } |
| |
| func (sc *serverConn) condlogf(err error, format string, args ...interface{}) { |
| if err == nil { |
| return |
| } |
| if err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err) || err == errPrefaceTimeout { |
| // Boring, expected errors. |
| sc.vlogf(format, args...) |
| } else { |
| sc.logf(format, args...) |
| } |
| } |
| |
| // maxCachedCanonicalHeadersKeysSize is an arbitrarily-chosen limit on the size |
| // of the entries in the canonHeader cache. |
| // This should be larger than the size of unique, uncommon header keys likely to |
| // be sent by the peer, while not so high as to permit unreasonable memory usage |
| // if the peer sends an unbounded number of unique header keys. |
| const maxCachedCanonicalHeadersKeysSize = 2048 |
| |
| func (sc *serverConn) canonicalHeader(v string) string { |
| sc.serveG.check() |
| buildCommonHeaderMapsOnce() |
| cv, ok := commonCanonHeader[v] |
| if ok { |
| return cv |
| } |
| cv, ok = sc.canonHeader[v] |
| if ok { |
| return cv |
| } |
| if sc.canonHeader == nil { |
| sc.canonHeader = make(map[string]string) |
| } |
| cv = http.CanonicalHeaderKey(v) |
| size := 100 + len(v)*2 // 100 bytes of map overhead + key + value |
| if sc.canonHeaderKeysSize+size <= maxCachedCanonicalHeadersKeysSize { |
| sc.canonHeader[v] = cv |
| sc.canonHeaderKeysSize += size |
| } |
| return cv |
| } |
| |
| type readFrameResult struct { |
| f Frame // valid until readMore is called |
| err error |
| |
| // readMore should be called once the consumer no longer needs or |
| // retains f. After readMore, f is invalid and more frames can be |
| // read. |
| readMore func() |
| } |
| |
| // readFrames is the loop that reads incoming frames. |
| // It takes care to only read one frame at a time, blocking until the |
| // consumer is done with the frame. |
| // It's run on its own goroutine. |
| func (sc *serverConn) readFrames() { |
| gate := make(gate) |
| gateDone := gate.Done |
| for { |
| f, err := sc.framer.ReadFrame() |
| select { |
| case sc.readFrameCh <- readFrameResult{f, err, gateDone}: |
| case <-sc.doneServing: |
| return |
| } |
| select { |
| case <-gate: |
| case <-sc.doneServing: |
| return |
| } |
| if terminalReadFrameError(err) { |
| return |
| } |
| } |
| } |
| |
| // frameWriteResult is the message passed from writeFrameAsync to the serve goroutine. |
| type frameWriteResult struct { |
| _ incomparable |
| wr FrameWriteRequest // what was written (or attempted) |
| err error // result of the writeFrame call |
| } |
| |
| // writeFrameAsync runs in its own goroutine and writes a single frame |
| // and then reports when it's done. |
| // At most one goroutine can be running writeFrameAsync at a time per |
| // serverConn. |
| func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest, wd *writeData) { |
| var err error |
| if wd == nil { |
| err = wr.write.writeFrame(sc) |
| } else { |
| err = sc.framer.endWrite() |
| } |
| sc.wroteFrameCh <- frameWriteResult{wr: wr, err: err} |
| } |
| |
| func (sc *serverConn) closeAllStreamsOnConnClose() { |
| sc.serveG.check() |
| for _, st := range sc.streams { |
| sc.closeStream(st, errClientDisconnected) |
| } |
| } |
| |
| func (sc *serverConn) stopShutdownTimer() { |
| sc.serveG.check() |
| if t := sc.shutdownTimer; t != nil { |
| t.Stop() |
| } |
| } |
| |
| func (sc *serverConn) notePanic() { |
| // Note: this is for serverConn.serve panicking, not http.Handler code. |
| if testHookOnPanicMu != nil { |
| testHookOnPanicMu.Lock() |
| defer testHookOnPanicMu.Unlock() |
| } |
| if testHookOnPanic != nil { |
| if e := recover(); e != nil { |
| if testHookOnPanic(sc, e) { |
| panic(e) |
| } |
| } |
| } |
| } |
| |
| func (sc *serverConn) serve() { |
| sc.serveG.check() |
| defer sc.notePanic() |
| defer sc.conn.Close() |
| defer sc.closeAllStreamsOnConnClose() |
| defer sc.stopShutdownTimer() |
| defer close(sc.doneServing) // unblocks handlers trying to send |
| |
| if VerboseLogs { |
| sc.vlogf("http2: server connection from %v on %p", sc.conn.RemoteAddr(), sc.hs) |
| } |
| |
| sc.writeFrame(FrameWriteRequest{ |
| write: writeSettings{ |
| {SettingMaxFrameSize, sc.srv.maxReadFrameSize()}, |
| {SettingMaxConcurrentStreams, sc.advMaxStreams}, |
| {SettingMaxHeaderListSize, sc.maxHeaderListSize()}, |
| {SettingHeaderTableSize, sc.srv.maxDecoderHeaderTableSize()}, |
| {SettingInitialWindowSize, uint32(sc.srv.initialStreamRecvWindowSize())}, |
| }, |
| }) |
| sc.unackedSettings++ |
| |
| // Each connection starts with initialWindowSize inflow tokens. |
| // If a higher value is configured, we add more tokens. |
| if diff := sc.srv.initialConnRecvWindowSize() - initialWindowSize; diff > 0 { |
| sc.sendWindowUpdate(nil, int(diff)) |
| } |
| |
| if err := sc.readPreface(); err != nil { |
| sc.condlogf(err, "http2: server: error reading preface from client %v: %v", sc.conn.RemoteAddr(), err) |
| return |
| } |
| // Now that we've got the preface, get us out of the |
| // "StateNew" state. We can't go directly to idle, though. |
| // Active means we read some data and anticipate a request. We'll |
| // do another Active when we get a HEADERS frame. |
| sc.setConnState(http.StateActive) |
| sc.setConnState(http.StateIdle) |
| |
| if sc.srv.IdleTimeout != 0 { |
| sc.idleTimer = time.AfterFunc(sc.srv.IdleTimeout, sc.onIdleTimer) |
| defer sc.idleTimer.Stop() |
| } |
| |
| go sc.readFrames() // closed by defer sc.conn.Close above |
| |
| settingsTimer := time.AfterFunc(firstSettingsTimeout, sc.onSettingsTimer) |
| defer settingsTimer.Stop() |
| |
| loopNum := 0 |
| for { |
| loopNum++ |
| select { |
| case wr := <-sc.wantWriteFrameCh: |
| if se, ok := wr.write.(StreamError); ok { |
| sc.resetStream(se) |
| break |
| } |
| sc.writeFrame(wr) |
| case res := <-sc.wroteFrameCh: |
| sc.wroteFrame(res) |
| case res := <-sc.readFrameCh: |
| // Process any written frames before reading new frames from the client since a |
| // written frame could have triggered a new stream to be started. |
| if sc.writingFrameAsync { |
| select { |
| case wroteRes := <-sc.wroteFrameCh: |
| sc.wroteFrame(wroteRes) |
| default: |
| } |
| } |
| if !sc.processFrameFromReader(res) { |
| return |
| } |
| res.readMore() |
| if settingsTimer != nil { |
| settingsTimer.Stop() |
| settingsTimer = nil |
| } |
| case m := <-sc.bodyReadCh: |
| sc.noteBodyRead(m.st, m.n) |
| case msg := <-sc.serveMsgCh: |
| switch v := msg.(type) { |
| case func(int): |
| v(loopNum) // for testing |
| case *serverMessage: |
| switch v { |
| case settingsTimerMsg: |
| sc.logf("timeout waiting for SETTINGS frames from %v", sc.conn.RemoteAddr()) |
| return |
| case idleTimerMsg: |
| sc.vlogf("connection is idle") |
| sc.goAway(ErrCodeNo) |
| case shutdownTimerMsg: |
| sc.vlogf("GOAWAY close timer fired; closing conn from %v", sc.conn.RemoteAddr()) |
| return |
| case gracefulShutdownMsg: |
| sc.startGracefulShutdownInternal() |
| default: |
| panic("unknown timer") |
| } |
| case *startPushRequest: |
| sc.startPush(v) |
| case func(*serverConn): |
| v(sc) |
| default: |
| panic(fmt.Sprintf("unexpected type %T", v)) |
| } |
| } |
| |
| // If the peer is causing us to generate a lot of control frames, |
| // but not reading them from us, assume they are trying to make us |
| // run out of memory. |
| if sc.queuedControlFrames > sc.srv.maxQueuedControlFrames() { |
| sc.vlogf("http2: too many control frames in send queue, closing connection") |
| return |
| } |
| |
| // Start the shutdown timer after sending a GOAWAY. When sending GOAWAY |
| // with no error code (graceful shutdown), don't start the timer until |
| // all open streams have been completed. |
| sentGoAway := sc.inGoAway && !sc.needToSendGoAway && !sc.writingFrame |
| gracefulShutdownComplete := sc.goAwayCode == ErrCodeNo && sc.curOpenStreams() == 0 |
| if sentGoAway && sc.shutdownTimer == nil && (sc.goAwayCode != ErrCodeNo || gracefulShutdownComplete) { |
| sc.shutDownIn(goAwayTimeout) |
| } |
| } |
| } |
| |
| func (sc *serverConn) awaitGracefulShutdown(sharedCh <-chan struct{}, privateCh chan struct{}) { |
| select { |
| case <-sc.doneServing: |
| case <-sharedCh: |
| close(privateCh) |
| } |
| } |
| |
| type serverMessage int |
| |
| // Message values sent to serveMsgCh. |
| var ( |
| settingsTimerMsg = new(serverMessage) |
| idleTimerMsg = new(serverMessage) |
| shutdownTimerMsg = new(serverMessage) |
| gracefulShutdownMsg = new(serverMessage) |
| ) |
| |
| func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } |
| func (sc *serverConn) onIdleTimer() { sc.sendServeMsg(idleTimerMsg) } |
| func (sc *serverConn) onShutdownTimer() { sc.sendServeMsg(shutdownTimerMsg) } |
| |
| func (sc *serverConn) sendServeMsg(msg interface{}) { |
| sc.serveG.checkNotOn() // NOT |
| select { |
| case sc.serveMsgCh <- msg: |
| case <-sc.doneServing: |
| } |
| } |
| |
| var errPrefaceTimeout = errors.New("timeout waiting for client preface") |
| |
| // readPreface reads the ClientPreface greeting from the peer or |
| // returns errPrefaceTimeout on timeout, or an error if the greeting |
| // is invalid. |
| func (sc *serverConn) readPreface() error { |
| if sc.sawClientPreface { |
| return nil |
| } |
| errc := make(chan error, 1) |
| go func() { |
| // Read the client preface |
| buf := make([]byte, len(ClientPreface)) |
| if _, err := io.ReadFull(sc.conn, buf); err != nil { |
| errc <- err |
| } else if !bytes.Equal(buf, clientPreface) { |
| errc <- fmt.Errorf("bogus greeting %q", buf) |
| } else { |
| errc <- nil |
| } |
| }() |
| timer := time.NewTimer(prefaceTimeout) // TODO: configurable on *Server? |
| defer timer.Stop() |
| select { |
| case <-timer.C: |
| return errPrefaceTimeout |
| case err := <-errc: |
| if err == nil { |
| if VerboseLogs { |
| sc.vlogf("http2: server: client %v said hello", sc.conn.RemoteAddr()) |
| } |
| } |
| return err |
| } |
| } |
| |
| var errChanPool = sync.Pool{ |
| New: func() interface{} { return make(chan error, 1) }, |
| } |
| |
| var writeDataPool = sync.Pool{ |
| New: func() interface{} { return new(writeData) }, |
| } |
| |
| // writeDataFromHandler writes DATA response frames from a handler on |
| // the given stream. |
| func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStream bool) error { |
| ch := errChanPool.Get().(chan error) |
| writeArg := writeDataPool.Get().(*writeData) |
| *writeArg = writeData{stream.id, data, endStream} |
| err := sc.writeFrameFromHandler(FrameWriteRequest{ |
| write: writeArg, |
| stream: stream, |
| done: ch, |
| }) |
| if err != nil { |
| return err |
| } |
| var frameWriteDone bool // the frame write is done (successfully or not) |
| select { |
| case err = <-ch: |
| frameWriteDone = true |
| case <-sc.doneServing: |
| return errClientDisconnected |
| case <-stream.cw: |
| // If both ch and stream.cw were ready (as might |
| // happen on the final Write after an http.Handler |
| // ends), prefer the write result. Otherwise this |
| // might just be us successfully closing the stream. |
| // The writeFrameAsync and serve goroutines guarantee |
| // that the ch send will happen before the stream.cw |
| // close. |
| select { |
| case err = <-ch: |
| frameWriteDone = true |
| default: |
| return errStreamClosed |
| } |
| } |
| errChanPool.Put(ch) |
| if frameWriteDone { |
| writeDataPool.Put(writeArg) |
| } |
| return err |
| } |
| |
| // writeFrameFromHandler sends wr to sc.wantWriteFrameCh, but aborts |
| // if the connection has gone away. |
| // |
| // This must not be run from the serve goroutine itself, else it might |
| // deadlock writing to sc.wantWriteFrameCh (which is only mildly |
| // buffered and is read by serve itself). If you're on the serve |
| // goroutine, call writeFrame instead. |
| func (sc *serverConn) writeFrameFromHandler(wr FrameWriteRequest) error { |
| sc.serveG.checkNotOn() // NOT |
| select { |
| case sc.wantWriteFrameCh <- wr: |
| return nil |
| case <-sc.doneServing: |
| // Serve loop is gone. |
| // Client has closed their connection to the server. |
| return errClientDisconnected |
| } |
| } |
| |
| // writeFrame schedules a frame to write and sends it if there's nothing |
| // already being written. |
| // |
| // There is no pushback here (the serve goroutine never blocks). It's |
| // the http.Handlers that block, waiting for their previous frames to |
| // make it onto the wire |
| // |
| // If you're not on the serve goroutine, use writeFrameFromHandler instead. |
| func (sc *serverConn) writeFrame(wr FrameWriteRequest) { |
| sc.serveG.check() |
| |
| // If true, wr will not be written and wr.done will not be signaled. |
| var ignoreWrite bool |
| |
| // We are not allowed to write frames on closed streams. RFC 7540 Section |
| // 5.1.1 says: "An endpoint MUST NOT send frames other than PRIORITY on |
| // a closed stream." Our server never sends PRIORITY, so that exception |
| // does not apply. |
| // |
| // The serverConn might close an open stream while the stream's handler |
| // is still running. For example, the server might close a stream when it |
| // receives bad data from the client. If this happens, the handler might |
| // attempt to write a frame after the stream has been closed (since the |
| // handler hasn't yet been notified of the close). In this case, we simply |
| // ignore the frame. The handler will notice that the stream is closed when |
| // it waits for the frame to be written. |
| // |
| // As an exception to this rule, we allow sending RST_STREAM after close. |
| // This allows us to immediately reject new streams without tracking any |
| // state for those streams (except for the queued RST_STREAM frame). This |
| // may result in duplicate RST_STREAMs in some cases, but the client should |
| // ignore those. |
| if wr.StreamID() != 0 { |
| _, isReset := wr.write.(StreamError) |
| if state, _ := sc.state(wr.StreamID()); state == stateClosed && !isReset { |
| ignoreWrite = true |
| } |
| } |
| |
| // Don't send a 100-continue response if we've already sent headers. |
| // See golang.org/issue/14030. |
| switch wr.write.(type) { |
| case *writeResHeaders: |
| wr.stream.wroteHeaders = true |
| case write100ContinueHeadersFrame: |
| if wr.stream.wroteHeaders { |
| // We do not need to notify wr.done because this frame is |
| // never written with wr.done != nil. |
| if wr.done != nil { |
| panic("wr.done != nil for write100ContinueHeadersFrame") |
| } |
| ignoreWrite = true |
| } |
| } |
| |
| if !ignoreWrite { |
| if wr.isControl() { |
| sc.queuedControlFrames++ |
| // For extra safety, detect wraparounds, which should not happen, |
| // and pull the plug. |
| if sc.queuedControlFrames < 0 { |
| sc.conn.Close() |
| } |
| } |
| sc.writeSched.Push(wr) |
| } |
| sc.scheduleFrameWrite() |
| } |
| |
| // startFrameWrite starts a goroutine to write wr (in a separate |
| // goroutine since that might block on the network), and updates the |
| // serve goroutine's state about the world, updated from info in wr. |
| func (sc *serverConn) startFrameWrite(wr FrameWriteRequest) { |
| sc.serveG.check() |
| if sc.writingFrame { |
| panic("internal error: can only be writing one frame at a time") |
| } |
| |
| st := wr.stream |
| if st != nil { |
| switch st.state { |
| case stateHalfClosedLocal: |
| switch wr.write.(type) { |
| case StreamError, handlerPanicRST, writeWindowUpdate: |
| // RFC 7540 Section 5.1 allows sending RST_STREAM, PRIORITY, and WINDOW_UPDATE |
| // in this state. (We never send PRIORITY from the server, so that is not checked.) |
| default: |
| panic(fmt.Sprintf("internal error: attempt to send frame on a half-closed-local stream: %v", wr)) |
| } |
| case stateClosed: |
| panic(fmt.Sprintf("internal error: attempt to send frame on a closed stream: %v", wr)) |
| } |
| } |
| if wpp, ok := wr.write.(*writePushPromise); ok { |
| var err error |
| wpp.promisedID, err = wpp.allocatePromisedID() |
| if err != nil { |
| sc.writingFrameAsync = false |
| wr.replyToWriter(err) |
| return |
| } |
| } |
| |
| sc.writingFrame = true |
| sc.needsFrameFlush = true |
| if wr.write.staysWithinBuffer(sc.bw.Available()) { |
| sc.writingFrameAsync = false |
| err := wr.write.writeFrame(sc) |
| sc.wroteFrame(frameWriteResult{wr: wr, err: err}) |
| } else if wd, ok := wr.write.(*writeData); ok { |
| // Encode the frame in the serve goroutine, to ensure we don't have |
| // any lingering asynchronous references to data passed to Write. |
| // See https://go.dev/issue/58446. |
| sc.framer.startWriteDataPadded(wd.streamID, wd.endStream, wd.p, nil) |
| sc.writingFrameAsync = true |
| go sc.writeFrameAsync(wr, wd) |
| } else { |
| sc.writingFrameAsync = true |
| go sc.writeFrameAsync(wr, nil) |
| } |
| } |
| |
| // errHandlerPanicked is the error given to any callers blocked in a read from |
| // Request.Body when the main goroutine panics. Since most handlers read in the |
| // main ServeHTTP goroutine, this will show up rarely. |
| var errHandlerPanicked = errors.New("http2: handler panicked") |
| |
| // wroteFrame is called on the serve goroutine with the result of |
| // whatever happened on writeFrameAsync. |
| func (sc *serverConn) wroteFrame(res frameWriteResult) { |
| sc.serveG.check() |
| if !sc.writingFrame { |
| panic("internal error: expected to be already writing a frame") |
| } |
| sc.writingFrame = false |
| sc.writingFrameAsync = false |
| |
| wr := res.wr |
| |
| if writeEndsStream(wr.write) { |
| st := wr.stream |
| if st == nil { |
| panic("internal error: expecting non-nil stream") |
| } |
| switch st.state { |
| case stateOpen: |
| // Here we would go to stateHalfClosedLocal in |
| // theory, but since our handler is done and |
| // the net/http package provides no mechanism |
| // for closing a ResponseWriter while still |
| // reading data (see possible TODO at top of |
| // this file), we go into closed state here |
| // anyway, after telling the peer we're |
| // hanging up on them. We'll transition to |
| // stateClosed after the RST_STREAM frame is |
| // written. |
| st.state = stateHalfClosedLocal |
| // Section 8.1: a server MAY request that the client abort |
| // transmission of a request without error by sending a |
| // RST_STREAM with an error code of NO_ERROR after sending |
| // a complete response. |
| sc.resetStream(streamError(st.id, ErrCodeNo)) |
| case stateHalfClosedRemote: |
| sc.closeStream(st, errHandlerComplete) |
| } |
| } else { |
| switch v := wr.write.(type) { |
| case StreamError: |
| // st may be unknown if the RST_STREAM was generated to reject bad input. |
| if st, ok := sc.streams[v.StreamID]; ok { |
| sc.closeStream(st, v) |
| } |
| case handlerPanicRST: |
| sc.closeStream(wr.stream, errHandlerPanicked) |
| } |
| } |
| |
| // Reply (if requested) to unblock the ServeHTTP goroutine. |
| wr.replyToWriter(res.err) |
| |
| sc.scheduleFrameWrite() |
| } |
| |
| // scheduleFrameWrite tickles the frame writing scheduler. |
| // |
| // If a frame is already being written, nothing happens. This will be called again |
| // when the frame is done being written. |
| // |
| // If a frame isn't being written and we need to send one, the best frame |
| // to send is selected by writeSched. |
| // |
| // If a frame isn't being written and there's nothing else to send, we |
| // flush the write buffer. |
| func (sc *serverConn) scheduleFrameWrite() { |
| sc.serveG.check() |
| if sc.writingFrame || sc.inFrameScheduleLoop { |
| return |
| } |
| sc.inFrameScheduleLoop = true |
| for !sc.writingFrameAsync { |
| if sc.needToSendGoAway { |
| sc.needToSendGoAway = false |
| sc.startFrameWrite(FrameWriteRequest{ |
| write: &writeGoAway{ |
| maxStreamID: sc.maxClientStreamID, |
| code: sc.goAwayCode, |
| }, |
| }) |
| continue |
| } |
| if sc.needToSendSettingsAck { |
| sc.needToSendSettingsAck = false |
| sc.startFrameWrite(FrameWriteRequest{write: writeSettingsAck{}}) |
| continue |
| } |
| if !sc.inGoAway || sc.goAwayCode == ErrCodeNo { |
| if wr, ok := sc.writeSched.Pop(); ok { |
| if wr.isControl() { |
| sc.queuedControlFrames-- |
| } |
| sc.startFrameWrite(wr) |
| continue |
| } |
| } |
| if sc.needsFrameFlush { |
| sc.startFrameWrite(FrameWriteRequest{write: flushFrameWriter{}}) |
| sc.needsFrameFlush = false // after startFrameWrite, since it sets this true |
| continue |
| } |
| break |
| } |
| sc.inFrameScheduleLoop = false |
| } |
| |
| // startGracefulShutdown gracefully shuts down a connection. This |
| // sends GOAWAY with ErrCodeNo to tell the client we're gracefully |
| // shutting down. The connection isn't closed until all current |
| // streams are done. |
| // |
| // startGracefulShutdown returns immediately; it does not wait until |
| // the connection has shut down. |
| func (sc *serverConn) startGracefulShutdown() { |
| sc.serveG.checkNotOn() // NOT |
| sc.shutdownOnce.Do(func() { sc.sendServeMsg(gracefulShutdownMsg) }) |
| } |
| |
| // After sending GOAWAY with an error code (non-graceful shutdown), the |
| // connection will close after goAwayTimeout. |
| // |
| // If we close the connection immediately after sending GOAWAY, there may |
| // be unsent data in our kernel receive buffer, which will cause the kernel |
| // to send a TCP RST on close() instead of a FIN. This RST will abort the |
| // connection immediately, whether or not the client had received the GOAWAY. |
| // |
| // Ideally we should delay for at least 1 RTT + epsilon so the client has |
| // a chance to read the GOAWAY and stop sending messages. Measuring RTT |
| // is hard, so we approximate with 1 second. See golang.org/issue/18701. |
| // |
| // This is a var so it can be shorter in tests, where all requests uses the |
| // loopback interface making the expected RTT very small. |
| // |
| // TODO: configurable? |
| var goAwayTimeout = 1 * time.Second |
| |
| func (sc *serverConn) startGracefulShutdownInternal() { |
| sc.goAway(ErrCodeNo) |
| } |
| |
| func (sc *serverConn) goAway(code ErrCode) { |
| sc.serveG.check() |
| if sc.inGoAway { |
| if sc.goAwayCode == ErrCodeNo { |
| sc.goAwayCode = code |
| } |
| return |
| } |
| sc.inGoAway = true |
| sc.needToSendGoAway = true |
| sc.goAwayCode = code |
| sc.scheduleFrameWrite() |
| } |
| |
| func (sc *serverConn) shutDownIn(d time.Duration) { |
| sc.serveG.check() |
| sc.shutdownTimer = time.AfterFunc(d, sc.onShutdownTimer) |
| } |
| |
| func (sc *serverConn) resetStream(se StreamError) { |
| sc.serveG.check() |
| sc.writeFrame(FrameWriteRequest{write: se}) |
| if st, ok := sc.streams[se.StreamID]; ok { |
| st.resetQueued = true |
| } |
| } |
| |
| // processFrameFromReader processes the serve loop's read from readFrameCh from the |
| // frame-reading goroutine. |
| // processFrameFromReader returns whether the connection should be kept open. |
| func (sc *serverConn) processFrameFromReader(res readFrameResult) bool { |
| sc.serveG.check() |
| err := res.err |
| if err != nil { |
| if err == ErrFrameTooLarge { |
| sc.goAway(ErrCodeFrameSize) |
| return true // goAway will close the loop |
| } |
| clientGone := err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err) |
| if clientGone { |
| // TODO: could we also get into this state if |
| // the peer does a half close |
| // (e.g. CloseWrite) because they're done |
| // sending frames but they're still wanting |
| // our open replies? Investigate. |
| // TODO: add CloseWrite to crypto/tls.Conn first |
| // so we have a way to test this? I suppose |
| // just for testing we could have a non-TLS mode. |
| return false |
| } |
| } else { |
| f := res.f |
| if VerboseLogs { |
| sc.vlogf("http2: server read frame %v", summarizeFrame(f)) |
| } |
| err = sc.processFrame(f) |
| if err == nil { |
| return true |
| } |
| } |
| |
| switch ev := err.(type) { |
| case StreamError: |
| sc.resetStream(ev) |
| return true |
| case goAwayFlowError: |
| sc.goAway(ErrCodeFlowControl) |
| return true |
| case ConnectionError: |
| sc.logf("http2: server connection error from %v: %v", sc.conn.RemoteAddr(), ev) |
| sc.goAway(ErrCode(ev)) |
| return true // goAway will handle shutdown |
| default: |
| if res.err != nil { |
| sc.vlogf("http2: server closing client connection; error reading frame from client %s: %v", sc.conn.RemoteAddr(), err) |
| } else { |
| sc.logf("http2: server closing client connection: %v", err) |
| } |
| return false |
| } |
| } |
| |
| func (sc *serverConn) processFrame(f Frame) error { |
| sc.serveG.check() |
| |
| // First frame received must be SETTINGS. |
| if !sc.sawFirstSettings { |
| if _, ok := f.(*SettingsFrame); !ok { |
| return sc.countError("first_settings", ConnectionError(ErrCodeProtocol)) |
| } |
| sc.sawFirstSettings = true |
| } |
| |
| // Discard frames for streams initiated after the identified last |
| // stream sent in a GOAWAY, or all frames after sending an error. |
| // We still need to return connection-level flow control for DATA frames. |
| // RFC 9113 Section 6.8. |
| if sc.inGoAway && (sc.goAwayCode != ErrCodeNo || f.Header().StreamID > sc.maxClientStreamID) { |
| |
| if f, ok := f.(*DataFrame); ok { |
| if !sc.inflow.take(f.Length) { |
| return sc.countError("data_flow", streamError(f.Header().StreamID, ErrCodeFlowControl)) |
| } |
| sc.sendWindowUpdate(nil, int(f.Length)) // conn-level |
| } |
| return nil |
| } |
| |
| switch f := f.(type) { |
| case *SettingsFrame: |
| return sc.processSettings(f) |
| case *MetaHeadersFrame: |
| return sc.processHeaders(f) |
| case *WindowUpdateFrame: |
| return sc.processWindowUpdate(f) |
| case *PingFrame: |
| return sc.processPing(f) |
| case *DataFrame: |
| return sc.processData(f) |
| case *RSTStreamFrame: |
| return sc.processResetStream(f) |
| case *PriorityFrame: |
| return sc.processPriority(f) |
| case *GoAwayFrame: |
| return sc.processGoAway(f) |
| case *PushPromiseFrame: |
| // A client cannot push. Thus, servers MUST treat the receipt of a PUSH_PROMISE |
| // frame as a connection error (Section 5.4.1) of type PROTOCOL_ERROR. |
| return sc.countError("push_promise", ConnectionError(ErrCodeProtocol)) |
| default: |
| sc.vlogf("http2: server ignoring frame: %v", f.Header()) |
| return nil |
| } |
| } |
| |
| func (sc *serverConn) processPing(f *PingFrame) error { |
| sc.serveG.check() |
| if f.IsAck() { |
| // 6.7 PING: " An endpoint MUST NOT respond to PING frames |
| // containing this flag." |
| return nil |
| } |
| if f.StreamID != 0 { |
| // "PING frames are not associated with any individual |
| // stream. If a PING frame is received with a stream |
| // identifier field value other than 0x0, the recipient MUST |
| // respond with a connection error (Section 5.4.1) of type |
| // PROTOCOL_ERROR." |
| return sc.countError("ping_on_stream", ConnectionError(ErrCodeProtocol)) |
| } |
| sc.writeFrame(FrameWriteRequest{write: writePingAck{f}}) |
| return nil |
| } |
| |
| func (sc *serverConn) processWindowUpdate(f *WindowUpdateFrame) error { |
| sc.serveG.check() |
| switch { |
| case f.StreamID != 0: // stream-level flow control |
| state, st := sc.state(f.StreamID) |
| if state == stateIdle { |
| // Section 5.1: "Receiving any frame other than HEADERS |
| // or PRIORITY on a stream in this state MUST be |
| // treated as a connection error (Section 5.4.1) of |
| // type PROTOCOL_ERROR." |
| return sc.countError("stream_idle", ConnectionError(ErrCodeProtocol)) |
| } |
| if st == nil { |
| // "WINDOW_UPDATE can be sent by a peer that has sent a |
| // frame bearing the END_STREAM flag. This means that a |
| // receiver could receive a WINDOW_UPDATE frame on a "half |
| // closed (remote)" or "closed" stream. A receiver MUST |
| // NOT treat this as an error, see Section 5.1." |
| return nil |
| } |
| if !st.flow.add(int32(f.Increment)) { |
| return sc.countError("bad_flow", streamError(f.StreamID, ErrCodeFlowControl)) |
| } |
| default: // connection-level flow control |
| if !sc.flow.add(int32(f.Increment)) { |
| return goAwayFlowError{} |
| } |
| } |
| sc.scheduleFrameWrite() |
| return nil |
| } |
| |
| func (sc *serverConn) processResetStream(f *RSTStreamFrame) error { |
| sc.serveG.check() |
| |
| state, st := sc.state(f.StreamID) |
| if state == stateIdle { |
| // 6.4 "RST_STREAM frames MUST NOT be sent for a |
| // stream in the "idle" state. If a RST_STREAM frame |
| // identifying an idle stream is received, the |
| // recipient MUST treat this as a connection error |
| // (Section 5.4.1) of type PROTOCOL_ERROR. |
| return sc.countError("reset_idle_stream", ConnectionError(ErrCodeProtocol)) |
| } |
| if st != nil { |
| st.cancelCtx() |
| sc.closeStream(st, streamError(f.StreamID, f.ErrCode)) |
| } |
| return nil |
| } |
| |
| func (sc *serverConn) closeStream(st *stream, err error) { |
| sc.serveG.check() |
| if st.state == stateIdle || st.state == stateClosed { |
| panic(fmt.Sprintf("invariant; can't close stream in state %v", st.state)) |
| } |
| st.state = stateClosed |
| if st.readDeadline != nil { |
| st.readDeadline.Stop() |
| } |
| if st.writeDeadline != nil { |
| st.writeDeadline.Stop() |
| } |
| if st.isPushed() { |
| sc.curPushedStreams-- |
| } else { |
| sc.curClientStreams-- |
| } |
| delete(sc.streams, st.id) |
| if len(sc.streams) == 0 { |
| sc.setConnState(http.StateIdle) |
| if sc.srv.IdleTimeout != 0 { |
| sc.idleTimer.Reset(sc.srv.IdleTimeout) |
| } |
| if h1ServerKeepAlivesDisabled(sc.hs) { |
| sc.startGracefulShutdownInternal() |
| } |
| } |
| if p := st.body; p != nil { |
| // Return any buffered unread bytes worth of conn-level flow control. |
| // See golang.org/issue/16481 |
| sc.sendWindowUpdate(nil, p.Len()) |
| |
| p.CloseWithError(err) |
| } |
| if e, ok := err.(StreamError); ok { |
| if e.Cause != nil { |
| err = e.Cause |
| } else { |
| err = errStreamClosed |
| } |
| } |
| st.closeErr = err |
| st.cw.Close() // signals Handler's CloseNotifier, unblocks writes, etc |
| sc.writeSched.CloseStream(st.id) |
| } |
| |
| func (sc *serverConn) processSettings(f *SettingsFrame) error { |
| sc.serveG.check() |
| if f.IsAck() { |
| sc.unackedSettings-- |
| if sc.unackedSettings < 0 { |
| // Why is the peer ACKing settings we never sent? |
| // The spec doesn't mention this case, but |
| // hang up on them anyway. |
| return sc.countError("ack_mystery", ConnectionError(ErrCodeProtocol)) |
| } |
| return nil |
| } |
| if f.NumSettings() > 100 || f.HasDuplicates() { |
| // This isn't actually in the spec, but hang up on |
| // suspiciously large settings frames or those with |
| // duplicate entries. |
| return sc.countError("settings_big_or_dups", ConnectionError(ErrCodeProtocol)) |
| } |
| if err := f.ForeachSetting(sc.processSetting); err != nil { |
| return err |
| } |
| // TODO: judging by RFC 7540, Section 6.5.3 each SETTINGS frame should be |
| // acknowledged individually, even if multiple are received before the ACK. |
| sc.needToSendSettingsAck = true |
| sc.scheduleFrameWrite() |
| return nil |
| } |
| |
| func (sc *serverConn) processSetting(s Setting) error { |
| sc.serveG.check() |
| if err := s.Valid(); err != nil { |
| return err |
| } |
| if VerboseLogs { |
| sc.vlogf("http2: server processing setting %v", s) |
| } |
| switch s.ID { |
| case SettingHeaderTableSize: |
| sc.hpackEncoder.SetMaxDynamicTableSize(s.Val) |
| case SettingEnablePush: |
| sc.pushEnabled = s.Val != 0 |
| case SettingMaxConcurrentStreams: |
| sc.clientMaxStreams = s.Val |
| case SettingInitialWindowSize: |
| return sc.processSettingInitialWindowSize(s.Val) |
| case SettingMaxFrameSize: |
| sc.maxFrameSize = int32(s.Val) // the maximum valid s.Val is < 2^31 |
| case SettingMaxHeaderListSize: |
| sc.peerMaxHeaderListSize = s.Val |
| default: |
| // Unknown setting: "An endpoint that receives a SETTINGS |
| // frame with any unknown or unsupported identifier MUST |
| // ignore that setting." |
| if VerboseLogs { |
| sc.vlogf("http2: server ignoring unknown setting %v", s) |
| } |
| } |
| return nil |
| } |
| |
| func (sc *serverConn) processSettingInitialWindowSize(val uint32) error { |
| sc.serveG.check() |
| // Note: val already validated to be within range by |
| // processSetting's Valid call. |
| |
| // "A SETTINGS frame can alter the initial flow control window |
| // size for all current streams. When the value of |
| // SETTINGS_INITIAL_WINDOW_SIZE changes, a receiver MUST |
| // adjust the size of all stream flow control windows that it |
| // maintains by the difference between the new value and the |
| // old value." |
| old := sc.initialStreamSendWindowSize |
| sc.initialStreamSendWindowSize = int32(val) |
| growth := int32(val) - old // may be negative |
| for _, st := range sc.streams { |
| if !st.flow.add(growth) { |
| // 6.9.2 Initial Flow Control Window Size |
| // "An endpoint MUST treat a change to |
| // SETTINGS_INITIAL_WINDOW_SIZE that causes any flow |
| // control window to exceed the maximum size as a |
| // connection error (Section 5.4.1) of type |
| // FLOW_CONTROL_ERROR." |
| return sc.countError("setting_win_size", ConnectionError(ErrCodeFlowControl)) |
| } |
| } |
| return nil |
| } |
| |
| func (sc *serverConn) processData(f *DataFrame) error { |
| sc.serveG.check() |
| id := f.Header().StreamID |
| |
| data := f.Data() |
| state, st := sc.state(id) |
| if id == 0 || state == stateIdle { |
| // Section 6.1: "DATA frames MUST be associated with a |
| // stream. If a DATA frame is received whose stream |
| // identifier field is 0x0, the recipient MUST respond |
| // with a connection error (Section 5.4.1) of type |
| // PROTOCOL_ERROR." |
| // |
| // Section 5.1: "Receiving any frame other than HEADERS |
| // or PRIORITY on a stream in this state MUST be |
| // treated as a connection error (Section 5.4.1) of |
| // type PROTOCOL_ERROR." |
| return sc.countError("data_on_idle", ConnectionError(ErrCodeProtocol)) |
| } |
| |
| // "If a DATA frame is received whose stream is not in "open" |
| // or "half closed (local)" state, the recipient MUST respond |
| // with a stream error (Section 5.4.2) of type STREAM_CLOSED." |
| if st == nil || state != stateOpen || st.gotTrailerHeader || st.resetQueued { |
| // This includes sending a RST_STREAM if the stream is |
| // in stateHalfClosedLocal (which currently means that |
| // the http.Handler returned, so it's done reading & |
| // done writing). Try to stop the client from sending |
| // more DATA. |
| |
| // But still enforce their connection-level flow control, |
| // and return any flow control bytes since we're not going |
| // to consume them. |
| if !sc.inflow.take(f.Length) { |
| return sc.countError("data_flow", streamError(id, ErrCodeFlowControl)) |
| } |
| sc.sendWindowUpdate(nil, int(f.Length)) // conn-level |
| |
| if st != nil && st.resetQueued { |
| // Already have a stream error in flight. Don't send another. |
| return nil |
| } |
| return sc.countError("closed", streamError(id, ErrCodeStreamClosed)) |
| } |
| if st.body == nil { |
| panic("internal error: should have a body in this state") |
| } |
| |
| // Sender sending more than they'd declared? |
| if st.declBodyBytes != -1 && st.bodyBytes+int64(len(data)) > st.declBodyBytes { |
| if !sc.inflow.take(f.Length) { |
| return sc.countError("data_flow", streamError(id, ErrCodeFlowControl)) |
| } |
| sc.sendWindowUpdate(nil, int(f.Length)) // conn-level |
| |
| st.body.CloseWithError(fmt.Errorf("sender tried to send more than declared Content-Length of %d bytes", st.declBodyBytes)) |
| // RFC 7540, sec 8.1.2.6: A request or response is also malformed if the |
| // value of a content-length header field does not equal the sum of the |
| // DATA frame payload lengths that form the body. |
| return sc.countError("send_too_much", streamError(id, ErrCodeProtocol)) |
| } |
| if f.Length > 0 { |
| // Check whether the client has flow control quota. |
| if !takeInflows(&sc.inflow, &st.inflow, f.Length) { |
| return sc.countError("flow_on_data_length", streamError(id, ErrCodeFlowControl)) |
| } |
| |
| if len(data) > 0 { |
| st.bodyBytes += int64(len(data)) |
| wrote, err := st.body.Write(data) |
| if err != nil { |
| // The handler has closed the request body. |
| // Return the connection-level flow control for the discarded data, |
| // but not the stream-level flow control. |
| sc.sendWindowUpdate(nil, int(f.Length)-wrote) |
| return nil |
| } |
| if wrote != len(data) { |
| panic("internal error: bad Writer") |
| } |
| } |
| |
| // Return any padded flow control now, since we won't |
| // refund it later on body reads. |
| // Call sendWindowUpdate even if there is no padding, |
| // to return buffered flow control credit if the sent |
| // window has shrunk. |
| pad := int32(f.Length) - int32(len(data)) |
| sc.sendWindowUpdate32(nil, pad) |
| sc.sendWindowUpdate32(st, pad) |
| } |
| if f.StreamEnded() { |
| st.endStream() |
| } |
| return nil |
| } |
| |
| func (sc *serverConn) processGoAway(f *GoAwayFrame) error { |
| sc.serveG.check() |
| if f.ErrCode != ErrCodeNo { |
| sc.logf("http2: received GOAWAY %+v, starting graceful shutdown", f) |
| } else { |
| sc.vlogf("http2: received GOAWAY %+v, starting graceful shutdown", f) |
| } |
| sc.startGracefulShutdownInternal() |
| // http://tools.ietf.org/html/rfc7540#section-6.8 |
| // We should not create any new streams, which means we should disable push. |
| sc.pushEnabled = false |
| return nil |
| } |
| |
| // isPushed reports whether the stream is server-initiated. |
| func (st *stream) isPushed() bool { |
| return st.id%2 == 0 |
| } |
| |
| // endStream closes a Request.Body's pipe. It is called when a DATA |
| // frame says a request body is over (or after trailers). |
| func (st *stream) endStream() { |
| sc := st.sc |
| sc.serveG.check() |
| |
| if st.declBodyBytes != -1 && st.declBodyBytes != st.bodyBytes { |
| st.body.CloseWithError(fmt.Errorf("request declared a Content-Length of %d but only wrote %d bytes", |
| st.declBodyBytes, st.bodyBytes)) |
| } else { |
| st.body.closeWithErrorAndCode(io.EOF, st.copyTrailersToHandlerRequest) |
| st.body.CloseWithError(io.EOF) |
| } |
| st.state = stateHalfClosedRemote |
| } |
| |
| // copyTrailersToHandlerRequest is run in the Handler's goroutine in |
| // its Request.Body.Read just before it gets io.EOF. |
| func (st *stream) copyTrailersToHandlerRequest() { |
| for k, vv := range st.trailer { |
| if _, ok := st.reqTrailer[k]; ok { |
| // Only copy it over it was pre-declared. |
| st.reqTrailer[k] = vv |
| } |
| } |
| } |
| |
| // onReadTimeout is run on its own goroutine (from time.AfterFunc) |
| // when the stream's ReadTimeout has fired. |
| func (st *stream) onReadTimeout() { |
| // Wrap the ErrDeadlineExceeded to avoid callers depending on us |
| // returning the bare error. |
| st.body.CloseWithError(fmt.Errorf("%w", os.ErrDeadlineExceeded)) |
| } |
| |
| // onWriteTimeout is run on its own goroutine (from time.AfterFunc) |
| // when the stream's WriteTimeout has fired. |
| func (st *stream) onWriteTimeout() { |
| st.sc.writeFrameFromHandler(FrameWriteRequest{write: StreamError{ |
| StreamID: st.id, |
| Code: ErrCodeInternal, |
| Cause: os.ErrDeadlineExceeded, |
| }}) |
| } |
| |
| func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { |
| sc.serveG.check() |
| id := f.StreamID |
| // http://tools.ietf.org/html/rfc7540#section-5.1.1 |
| // Streams initiated by a client MUST use odd-numbered stream |
| // identifiers. [...] An endpoint that receives an unexpected |
| // stream identifier MUST respond with a connection error |
| // (Section 5.4.1) of type PROTOCOL_ERROR. |
| if id%2 != 1 { |
| return sc.countError("headers_even", ConnectionError(ErrCodeProtocol)) |
| } |
| // A HEADERS frame can be used to create a new stream or |
| // send a trailer for an open one. If we already have a stream |
| // open, let it process its own HEADERS frame (trailers at this |
| // point, if it's valid). |
| if st := sc.streams[f.StreamID]; st != nil { |
| if st.resetQueued { |
| // We're sending RST_STREAM to close the stream, so don't bother |
| // processing this frame. |
| return nil |
| } |
| // RFC 7540, sec 5.1: If an endpoint receives additional frames, other than |
| // WINDOW_UPDATE, PRIORITY, or RST_STREAM, for a stream that is in |
| // this state, it MUST respond with a stream error (Section 5.4.2) of |
| // type STREAM_CLOSED. |
| if st.state == stateHalfClosedRemote { |
| return sc.countError("headers_half_closed", streamError(id, ErrCodeStreamClosed)) |
| } |
| return st.processTrailerHeaders(f) |
| } |
| |
| // [...] The identifier of a newly established stream MUST be |
| // numerically greater than all streams that the initiating |
| // endpoint has opened or reserved. [...] An endpoint that |
| // receives an unexpected stream identifier MUST respond with |
| // a connection error (Section 5.4.1) of type PROTOCOL_ERROR. |
| if id <= sc.maxClientStreamID { |
| return sc.countError("stream_went_down", ConnectionError(ErrCodeProtocol)) |
| } |
| sc.maxClientStreamID = id |
| |
| if sc.idleTimer != nil { |
| sc.idleTimer.Stop() |
| } |
| |
| // http://tools.ietf.org/html/rfc7540#section-5.1.2 |
| // [...] Endpoints MUST NOT exceed the limit set by their peer. An |
| // endpoint that receives a HEADERS frame that causes their |
| // advertised concurrent stream limit to be exceeded MUST treat |
| // this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR |
| // or REFUSED_STREAM. |
| if sc.curClientStreams+1 > sc.advMaxStreams { |
| if sc.unackedSettings == 0 { |
| // They should know better. |
| return sc.countError("over_max_streams", streamError(id, ErrCodeProtocol)) |
| } |
| // Assume it's a network race, where they just haven't |
| // received our last SETTINGS update. But actually |
| // this can't happen yet, because we don't yet provide |
| // a way for users to adjust server parameters at |
| // runtime. |
| return sc.countError("over_max_streams_race", streamError(id, ErrCodeRefusedStream)) |
| } |
| |
| initialState := stateOpen |
| if f.StreamEnded() { |
| initialState = stateHalfClosedRemote |
| } |
| st := sc.newStream(id, 0, initialState) |
| |
| if f.HasPriority() { |
| if err := sc.checkPriority(f.StreamID, f.Priority); err != nil { |
| return err |
| } |
| sc.writeSched.AdjustStream(st.id, f.Priority) |
| } |
| |
| rw, req, err := sc.newWriterAndRequest(st, f) |
| if err != nil { |
| return err |
| } |
| st.reqTrailer = req.Trailer |
| if st.reqTrailer != nil { |
| st.trailer = make(http.Header) |
| } |
| st.body = req.Body.(*requestBody).pipe // may be nil |
| st.declBodyBytes = req.ContentLength |
| |
| handler := sc.handler.ServeHTTP |
| if f.Truncated { |
| // Their header list was too long. Send a 431 error. |
| handler = handleHeaderListTooLong |
| } else if err := checkValidHTTP2RequestHeaders(req.Header); err != nil { |
| handler = new400Handler(err) |
| } |
| |
| // The net/http package sets the read deadline from the |
| // http.Server.ReadTimeout during the TLS handshake, but then |
| // passes the connection off to us with the deadline already |
| // set. Disarm it here after the request headers are read, |
| // similar to how the http1 server works. Here it's |
| // technically more like the http1 Server's ReadHeaderTimeout |
| // (in Go 1.8), though. That's a more sane option anyway. |
| if sc.hs.ReadTimeout != 0 { |
| sc.conn.SetReadDeadline(time.Time{}) |
| if st.body != nil { |
| st.readDeadline = time.AfterFunc(sc.hs.ReadTimeout, st.onReadTimeout) |
| } |
| } |
| |
| go sc.runHandler(rw, req, handler) |
| return nil |
| } |
| |
| func (sc *serverConn) upgradeRequest(req *http.Request) { |
| sc.serveG.check() |
| id := uint32(1) |
| sc.maxClientStreamID = id |
| st := sc.newStream(id, 0, stateHalfClosedRemote) |
| st.reqTrailer = req.Trailer |
| if st.reqTrailer != nil { |
| st.trailer = make(http.Header) |
| } |
| rw := sc.newResponseWriter(st, req) |
| |
| // Disable any read deadline set by the net/http package |
| // prior to the upgrade. |
| if sc.hs.ReadTimeout != 0 { |
| sc.conn.SetReadDeadline(time.Time{}) |
| } |
| |
| go sc.runHandler(rw, req, sc.handler.ServeHTTP) |
| } |
| |
| func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { |
| sc := st.sc |
| sc.serveG.check() |
| if st.gotTrailerHeader { |
| return sc.countError("dup_trailers", ConnectionError(ErrCodeProtocol)) |
| } |
| st.gotTrailerHeader = true |
| if !f.StreamEnded() { |
| return sc.countError("trailers_not_ended", streamError(st.id, ErrCodeProtocol)) |
| } |
| |
| if len(f.PseudoFields()) > 0 { |
| return sc.countError("trailers_pseudo", streamError(st.id, ErrCodeProtocol)) |
| } |
| if st.trailer != nil { |
| for _, hf := range f.RegularFields() { |
| key := sc.canonicalHeader(hf.Name) |
| if !httpguts.ValidTrailerHeader(key) { |
| // TODO: send more details to the peer somehow. But http2 has |
| // no way to send debug data at a stream level. Discuss with |
| // HTTP folk. |
| return sc.countError("trailers_bogus", streamError(st.id, ErrCodeProtocol)) |
| } |
| st.trailer[key] = append(st.trailer[key], hf.Value) |
| } |
| } |
| st.endStream() |
| return nil |
| } |
| |
| func (sc *serverConn) checkPriority(streamID uint32, p PriorityParam) error { |
| if streamID == p.StreamDep { |
| // Section 5.3.1: "A stream cannot depend on itself. An endpoint MUST treat |
| // this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR." |
| // Section 5.3.3 says that a stream can depend on one of its dependencies, |
| // so it's only self-dependencies that are forbidden. |
| return sc.countError("priority", streamError(streamID, ErrCodeProtocol)) |
| } |
| return nil |
| } |
| |
| func (sc *serverConn) processPriority(f *PriorityFrame) error { |
| if err := sc.checkPriority(f.StreamID, f.PriorityParam); err != nil { |
| return err |
| } |
| sc.writeSched.AdjustStream(f.StreamID, f.PriorityParam) |
| return nil |
| } |
| |
| func (sc *serverConn) newStream(id, pusherID uint32, state streamState) *stream { |
| sc.serveG.check() |
| if id == 0 { |
| panic("internal error: cannot create stream with id 0") |
| } |
| |
| ctx, cancelCtx := context.WithCancel(sc.baseCtx) |
| st := &stream{ |
| sc: sc, |
| id: id, |
| state: state, |
| ctx: ctx, |
| cancelCtx: cancelCtx, |
| } |
| st.cw.Init() |
| st.flow.conn = &sc.flow // link to conn-level counter |
| st.flow.add(sc.initialStreamSendWindowSize) |
| st.inflow.init(sc.srv.initialStreamRecvWindowSize()) |
| if sc.hs.WriteTimeout != 0 { |
| st.writeDeadline = time.AfterFunc(sc.hs.WriteTimeout, st.onWriteTimeout) |
| } |
| |
| sc.streams[id] = st |
| sc.writeSched.OpenStream(st.id, OpenStreamOptions{PusherID: pusherID}) |
| if st.isPushed() { |
| sc.curPushedStreams++ |
| } else { |
| sc.curClientStreams++ |
| } |
| if sc.curOpenStreams() == 1 { |
| sc.setConnState(http.StateActive) |
| } |
| |
| return st |
| } |
| |
| func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*responseWriter, *http.Request, error) { |
| sc.serveG.check() |
| |
| rp := requestParam{ |
| method: f.PseudoValue("method"), |
| scheme: f.PseudoValue("scheme"), |
| authority: f.PseudoValue("authority"), |
| path: f.PseudoValue("path"), |
| } |
| |
| isConnect := rp.method == "CONNECT" |
| if isConnect { |
| if rp.path != "" || rp.scheme != "" || rp.authority == "" { |
| return nil, nil, sc.countError("bad_connect", streamError(f.StreamID, ErrCodeProtocol)) |
| } |
| } else if rp.method == "" || rp.path == "" || (rp.scheme != "https" && rp.scheme != "http") { |
| // See 8.1.2.6 Malformed Requests and Responses: |
| // |
| // Malformed requests or responses that are detected |
| // MUST be treated as a stream error (Section 5.4.2) |
| // of type PROTOCOL_ERROR." |
| // |
| // 8.1.2.3 Request Pseudo-Header Fields |
| // "All HTTP/2 requests MUST include exactly one valid |
| // value for the :method, :scheme, and :path |
| // pseudo-header fields" |
| return nil, nil, sc.countError("bad_path_method", streamError(f.StreamID, ErrCodeProtocol)) |
| } |
| |
| rp.header = make(http.Header) |
| for _, hf := range f.RegularFields() { |
| rp.header.Add(sc.canonicalHeader(hf.Name), hf.Value) |
| } |
| if rp.authority == "" { |
| rp.authority = rp.header.Get("Host") |
| } |
| |
| rw, req, err := sc.newWriterAndRequestNoBody(st, rp) |
| if err != nil { |
| return nil, nil, err |
| } |
| bodyOpen := !f.StreamEnded() |
| if bodyOpen { |
| if vv, ok := rp.header["Content-Length"]; ok { |
| if cl, err := strconv.ParseUint(vv[0], 10, 63); err == nil { |
| req.ContentLength = int64(cl) |
| } else { |
| req.ContentLength = 0 |
| } |
| } else { |
| req.ContentLength = -1 |
| } |
| req.Body.(*requestBody).pipe = &pipe{ |
| b: &dataBuffer{expected: req.ContentLength}, |
| } |
| } |
| return rw, req, nil |
| } |
| |
| type requestParam struct { |
| method string |
| scheme, authority, path string |
| header http.Header |
| } |
| |
| func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*responseWriter, *http.Request, error) { |
| sc.serveG.check() |
| |
| var tlsState *tls.ConnectionState // nil if not scheme https |
| if rp.scheme == "https" { |
| tlsState = sc.tlsState |
| } |
| |
| needsContinue := httpguts.HeaderValuesContainsToken(rp.header["Expect"], "100-continue") |
| if needsContinue { |
| rp.header.Del("Expect") |
| } |
| // Merge Cookie headers into one "; "-delimited value. |
| if cookies := rp.header["Cookie"]; len(cookies) > 1 { |
| rp.header.Set("Cookie", strings.Join(cookies, "; ")) |
| } |
| |
| // Setup Trailers |
| var trailer http.Header |
| for _, v := range rp.header["Trailer"] { |
| for _, key := range strings.Split(v, ",") { |
| key = http.CanonicalHeaderKey(textproto.TrimString(key)) |
| switch key { |
| case "Transfer-Encoding", "Trailer", "Content-Length": |
| // Bogus. (copy of http1 rules) |
| // Ignore. |
| default: |
| if trailer == nil { |
| trailer = make(http.Header) |
| } |
| trailer[key] = nil |
| } |
| } |
| } |
| delete(rp.header, "Trailer") |
| |
| var url_ *url.URL |
| var requestURI string |
| if rp.method == "CONNECT" { |
| url_ = &url.URL{Host: rp.authority} |
| requestURI = rp.authority // mimic HTTP/1 server behavior |
| } else { |
| var err error |
| url_, err = url.ParseRequestURI(rp.path) |
| if err != nil { |
| return nil, nil, sc.countError("bad_path", streamError(st.id, ErrCodeProtocol)) |
| } |
| requestURI = rp.path |
| } |
| |
| body := &requestBody{ |
| conn: sc, |
| stream: st, |
| needsContinue: needsContinue, |
| } |
| req := &http.Request{ |
| Method: rp.method, |
| URL: url_, |
| RemoteAddr: sc.remoteAddrStr, |
| Header: rp.header, |
| RequestURI: requestURI, |
| Proto: "HTTP/2.0", |
| ProtoMajor: 2, |
| ProtoMinor: 0, |
| TLS: tlsState, |
| Host: rp.authority, |
| Body: body, |
| Trailer: trailer, |
| } |
| req = req.WithContext(st.ctx) |
| |
| rw := sc.newResponseWriter(st, req) |
| return rw, req, nil |
| } |
| |
| func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *responseWriter { |
| rws := responseWriterStatePool.Get().(*responseWriterState) |
| bwSave := rws.bw |
| *rws = responseWriterState{} // zero all the fields |
| rws.conn = sc |
| rws.bw = bwSave |
| rws.bw.Reset(chunkWriter{rws}) |
| rws.stream = st |
| rws.req = req |
| return &responseWriter{rws: rws} |
| } |
| |
| // Run on its own goroutine. |
| func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { |
| didPanic := true |
| defer func() { |
| rw.rws.stream.cancelCtx() |
| if req.MultipartForm != nil { |
| req.MultipartForm.RemoveAll() |
| } |
| if didPanic { |
| e := recover() |
| sc.writeFrameFromHandler(FrameWriteRequest{ |
| write: handlerPanicRST{rw.rws.stream.id}, |
| stream: rw.rws.stream, |
| }) |
| // Same as net/http: |
| if e != nil && e != http.ErrAbortHandler { |
| const size = 64 << 10 |
| buf := make([]byte, size) |
| buf = buf[:runtime.Stack(buf, false)] |
| sc.logf("http2: panic serving %v: %v\n%s", sc.conn.RemoteAddr(), e, buf) |
| } |
| return |
| } |
| rw.handlerDone() |
| }() |
| handler(rw, req) |
| didPanic = false |
| } |
| |
| func handleHeaderListTooLong(w http.ResponseWriter, r *http.Request) { |
| // 10.5.1 Limits on Header Block Size: |
| // .. "A server that receives a larger header block than it is |
| // willing to handle can send an HTTP 431 (Request Header Fields Too |
| // Large) status code" |
| const statusRequestHeaderFieldsTooLarge = 431 // only in Go 1.6+ |
| w.WriteHeader(statusRequestHeaderFieldsTooLarge) |
| io.WriteString(w, "<h1>HTTP Error 431</h1><p>Request Header Field(s) Too Large</p>") |
| } |
| |
| // called from handler goroutines. |
| // h may be nil. |
| func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) error { |
| sc.serveG.checkNotOn() // NOT on |
| var errc chan error |
| if headerData.h != nil { |
| // If there's a header map (which we don't own), so we have to block on |
| // waiting for this frame to be written, so an http.Flush mid-handler |
| // writes out the correct value of keys, before a handler later potentially |
| // mutates it. |
| errc = errChanPool.Get().(chan error) |
| } |
| if err := sc.writeFrameFromHandler(FrameWriteRequest{ |
| write: headerData, |
| stream: st, |
| done: errc, |
| }); err != nil { |
| return err |
| } |
| if errc != nil { |
| select { |
| case err := <-errc: |
| errChanPool.Put(errc) |
| return err |
| case <-sc.doneServing: |
| return errClientDisconnected |
| case <-st.cw: |
| return errStreamClosed |
| } |
| } |
| return nil |
| } |
| |
| // called from handler goroutines. |
| func (sc *serverConn) write100ContinueHeaders(st *stream) { |
| sc.writeFrameFromHandler(FrameWriteRequest{ |
| write: write100ContinueHeadersFrame{st.id}, |
| stream: st, |
| }) |
| } |
| |
| // A bodyReadMsg tells the server loop that the http.Handler read n |
| // bytes of the DATA from the client on the given stream. |
| type bodyReadMsg struct { |
| st *stream |
| n int |
| } |
| |
| // called from handler goroutines. |
| // Notes that the handler for the given stream ID read n bytes of its body |
| // and schedules flow control tokens to be sent. |
| func (sc *serverConn) noteBodyReadFromHandler(st *stream, n int, err error) { |
| sc.serveG.checkNotOn() // NOT on |
| if n > 0 { |
| select { |
| case sc.bodyReadCh <- bodyReadMsg{st, n}: |
| case <-sc.doneServing: |
| } |
| } |
| } |
| |
| func (sc *serverConn) noteBodyRead(st *stream, n int) { |
| sc.serveG.check() |
| sc.sendWindowUpdate(nil, n) // conn-level |
| if st.state != stateHalfClosedRemote && st.state != stateClosed { |
| // Don't send this WINDOW_UPDATE if the stream is closed |
| // remotely. |
| sc.sendWindowUpdate(st, n) |
| } |
| } |
| |
| // st may be nil for conn-level |
| func (sc *serverConn) sendWindowUpdate32(st *stream, n int32) { |
| sc.sendWindowUpdate(st, int(n)) |
| } |
| |
| // st may be nil for conn-level |
| func (sc *serverConn) sendWindowUpdate(st *stream, n int) { |
| sc.serveG.check() |
| var streamID uint32 |
| var send int32 |
| if st == nil { |
| send = sc.inflow.add(n) |
| } else { |
| streamID = st.id |
| send = st.inflow.add(n) |
| } |
| if send == 0 { |
| return |
| } |
| sc.writeFrame(FrameWriteRequest{ |
| write: writeWindowUpdate{streamID: streamID, n: uint32(send)}, |
| stream: st, |
| }) |
| } |
| |
| // requestBody is the Handler's Request.Body type. |
| // Read and Close may be called concurrently. |
| type requestBody struct { |
| _ incomparable |
| stream *stream |
| conn *serverConn |
| closeOnce sync.Once // for use by Close only |
| sawEOF bool // for use by Read only |
| pipe *pipe // non-nil if we have a HTTP entity message body |
| needsContinue bool // need to send a 100-continue |
| } |
| |
| func (b *requestBody) Close() error { |
| b.closeOnce.Do(func() { |
| if b.pipe != nil { |
| b.pipe.BreakWithError(errClosedBody) |
| } |
| }) |
| return nil |
| } |
| |
| func (b *requestBody) Read(p []byte) (n int, err error) { |
| if b.needsContinue { |
| b.needsContinue = false |
| b.conn.write100ContinueHeaders(b.stream) |
| } |
| if b.pipe == nil || b.sawEOF { |
| return 0, io.EOF |
| } |
| n, err = b.pipe.Read(p) |
| if err == io.EOF { |
| b.sawEOF = true |
| } |
| if b.conn == nil && inTests { |
| return |
| } |
| b.conn.noteBodyReadFromHandler(b.stream, n, err) |
| return |
| } |
| |
| // responseWriter is the http.ResponseWriter implementation. It's |
| // intentionally small (1 pointer wide) to minimize garbage. The |
| // responseWriterState pointer inside is zeroed at the end of a |
| // request (in handlerDone) and calls on the responseWriter thereafter |
| // simply crash (caller's mistake), but the much larger responseWriterState |
| // and buffers are reused between multiple requests. |
| type responseWriter struct { |
| rws *responseWriterState |
| } |
| |
| // Optional http.ResponseWriter interfaces implemented. |
| var ( |
| _ http.CloseNotifier = (*responseWriter)(nil) |
| _ http.Flusher = (*responseWriter)(nil) |
| _ stringWriter = (*responseWriter)(nil) |
| ) |
| |
| type responseWriterState struct { |
| // immutable within a request: |
| stream *stream |
| req *http.Request |
| conn *serverConn |
| |
| // TODO: adjust buffer writing sizes based on server config, frame size updates from peer, etc |
| bw *bufio.Writer // writing to a chunkWriter{this *responseWriterState} |
| |
| // mutated by http.Handler goroutine: |
| handlerHeader http.Header // nil until called |
| snapHeader http.Header // snapshot of handlerHeader at WriteHeader time |
| trailers []string // set in writeChunk |
| status int // status code passed to WriteHeader |
| wroteHeader bool // WriteHeader called (explicitly or implicitly). Not necessarily sent to user yet. |
| sentHeader bool // have we sent the header frame? |
| handlerDone bool // handler has finished |
| dirty bool // a Write failed; don't reuse this responseWriterState |
| |
| sentContentLen int64 // non-zero if handler set a Content-Length header |
| wroteBytes int64 |
| |
| closeNotifierMu sync.Mutex // guards closeNotifierCh |
| closeNotifierCh chan bool // nil until first used |
| } |
| |
| type chunkWriter struct{ rws *responseWriterState } |
| |
| func (cw chunkWriter) Write(p []byte) (n int, err error) { |
| n, err = cw.rws.writeChunk(p) |
| if err == errStreamClosed { |
| // If writing failed because the stream has been closed, |
| // return the reason it was closed. |
| err = cw.rws.stream.closeErr |
| } |
| return n, err |
| } |
| |
| func (rws *responseWriterState) hasTrailers() bool { return len(rws.trailers) > 0 } |
| |
| func (rws *responseWriterState) hasNonemptyTrailers() bool { |
| for _, trailer := range rws.trailers { |
| if _, ok := rws.handlerHeader[trailer]; ok { |
| return true |
| } |
| } |
| return false |
| } |
| |
| // declareTrailer is called for each Trailer header when the |
| // response header is written. It notes that a header will need to be |
| // written in the trailers at the end of the response. |
| func (rws *responseWriterState) declareTrailer(k string) { |
| k = http.CanonicalHeaderKey(k) |
| if !httpguts.ValidTrailerHeader(k) { |
| // Forbidden by RFC 7230, section 4.1.2. |
| rws.conn.logf("ignoring invalid trailer %q", k) |
| return |
| } |
| if !strSliceContains(rws.trailers, k) { |
| rws.trailers = append(rws.trailers, k) |
| } |
| } |
| |
| // writeChunk writes chunks from the bufio.Writer. But because |
| // bufio.Writer may bypass its chunking, sometimes p may be |
| // arbitrarily large. |
| // |
| // writeChunk is also responsible (on the first chunk) for sending the |
| // HEADER response. |
| func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) { |
| if !rws.wroteHeader { |
| rws.writeHeader(200) |
| } |
| |
| if rws.handlerDone { |
| rws.promoteUndeclaredTrailers() |
| } |
| |
| isHeadResp := rws.req.Method == "HEAD" |
| if !rws.sentHeader { |
| rws.sentHeader = true |
| var ctype, clen string |
| if clen = rws.snapHeader.Get("Content-Length"); clen != "" { |
| rws.snapHeader.Del("Content-Length") |
| if cl, err := strconv.ParseUint(clen, 10, 63); err == nil { |
| rws.sentContentLen = int64(cl) |
| } else { |
| clen = "" |
| } |
| } |
| if clen == "" && rws.handlerDone && bodyAllowedForStatus(rws.status) && (len(p) > 0 || !isHeadResp) { |
| clen = strconv.Itoa(len(p)) |
| } |
| _, hasContentType := rws.snapHeader["Content-Type"] |
| // If the Content-Encoding is non-blank, we shouldn't |
| // sniff the body. See Issue golang.org/issue/31753. |
| ce := rws.snapHeader.Get("Content-Encoding") |
| hasCE := len(ce) > 0 |
| if !hasCE && !hasContentType && bodyAllowedForStatus(rws.status) && len(p) > 0 { |
| ctype = http.DetectContentType(p) |
| } |
| var date string |
| if _, ok := rws.snapHeader["Date"]; !ok { |
| // TODO(bradfitz): be faster here, like net/http? measure. |
| date = time.Now().UTC().Format(http.TimeFormat) |
| } |
| |
| for _, v := range rws.snapHeader["Trailer"] { |
| foreachHeaderElement(v, rws.declareTrailer) |
| } |
| |
| // "Connection" headers aren't allowed in HTTP/2 (RFC 7540, 8.1.2.2), |
| // but respect "Connection" == "close" to mean sending a GOAWAY and tearing |
| // down the TCP connection when idle, like we do for HTTP/1. |
| // TODO: remove more Connection-specific header fields here, in addition |
| // to "Connection". |
| if _, ok := rws.snapHeader["Connection"]; ok { |
| v := rws.snapHeader.Get("Connection") |
| delete(rws.snapHeader, "Connection") |
| if v == "close" { |
| rws.conn.startGracefulShutdown() |
| } |
| } |
| |
| endStream := (rws.handlerDone && !rws.hasTrailers() && len(p) == 0) || isHeadResp |
| err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{ |
| streamID: rws.stream.id, |
| httpResCode: rws.status, |
| h: rws.snapHeader, |
| endStream: endStream, |
| contentType: ctype, |
| contentLength: clen, |
| date: date, |
| }) |
| if err != nil { |
| rws.dirty = true |
| return 0, err |
| } |
| if endStream { |
| return 0, nil |
| } |
| } |
| if isHeadResp { |
| return len(p), nil |
| } |
| if len(p) == 0 && !rws.handlerDone { |
| return 0, nil |
| } |
| |
| // only send trailers if they have actually been defined by the |
| // server handler. |
| hasNonemptyTrailers := rws.hasNonemptyTrailers() |
| endStream := rws.handlerDone && !hasNonemptyTrailers |
| if len(p) > 0 || endStream { |
| // only send a 0 byte DATA frame if we're ending the stream. |
| if err := rws.conn.writeDataFromHandler(rws.stream, p, endStream); err != nil { |
| rws.dirty = true |
| return 0, err |
| } |
| } |
| |
| if rws.handlerDone && hasNonemptyTrailers { |
| err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{ |
| streamID: rws.stream.id, |
| h: rws.handlerHeader, |
| trailers: rws.trailers, |
| endStream: true, |
| }) |
| if err != nil { |
| rws.dirty = true |
| } |
| return len(p), err |
| } |
| return len(p), nil |
| } |
| |
| // TrailerPrefix is a magic prefix for ResponseWriter.Header map keys |
| // that, if present, signals that the map entry is actually for |
| // the response trailers, and not the response headers. The prefix |
| // is stripped after the ServeHTTP call finishes and the values are |
| // sent in the trailers. |
| // |
| // This mechanism is intended only for trailers that are not known |
| // prior to the headers being written. If the set of trailers is fixed |
| // or known before the header is written, the normal Go trailers mechanism |
| // is preferred: |
| // |
| // https://golang.org/pkg/net/http/#ResponseWriter |
| // https://golang.org/pkg/net/http/#example_ResponseWriter_trailers |
| const TrailerPrefix = "Trailer:" |
| |
| // promoteUndeclaredTrailers permits http.Handlers to set trailers |
| // after the header has already been flushed. Because the Go |
| // ResponseWriter interface has no way to set Trailers (only the |
| // Header), and because we didn't want to expand the ResponseWriter |
| // interface, and because nobody used trailers, and because RFC 7230 |
| // says you SHOULD (but not must) predeclare any trailers in the |
| // header, the official ResponseWriter rules said trailers in Go must |
| // be predeclared, and then we reuse the same ResponseWriter.Header() |
| // map to mean both Headers and Trailers. When it's time to write the |
| // Trailers, we pick out the fields of Headers that were declared as |
| // trailers. That worked for a while, until we found the first major |
| // user of Trailers in the wild: gRPC (using them only over http2), |
| // and gRPC libraries permit setting trailers mid-stream without |
| // predeclaring them. So: change of plans. We still permit the old |
| // way, but we also permit this hack: if a Header() key begins with |
| // "Trailer:", the suffix of that key is a Trailer. Because ':' is an |
| // invalid token byte anyway, there is no ambiguity. (And it's already |
| // filtered out) It's mildly hacky, but not terrible. |
| // |
| // This method runs after the Handler is done and promotes any Header |
| // fields to be trailers. |
| func (rws *responseWriterState) promoteUndeclaredTrailers() { |
| for k, vv := range rws.handlerHeader { |
| if !strings.HasPrefix(k, TrailerPrefix) { |
| continue |
| } |
| trailerKey := strings.TrimPrefix(k, TrailerPrefix) |
| rws.declareTrailer(trailerKey) |
| rws.handlerHeader[http.CanonicalHeaderKey(trailerKey)] = vv |
| } |
| |
| if len(rws.trailers) > 1 { |
| sorter := sorterPool.Get().(*sorter) |
| sorter.SortStrings(rws.trailers) |
| sorterPool.Put(sorter) |
| } |
| } |
| |
| func (w *responseWriter) SetReadDeadline(deadline time.Time) error { |
| st := w.rws.stream |
| if !deadline.IsZero() && deadline.Before(time.Now()) { |
| // If we're setting a deadline in the past, reset the stream immediately |
| // so writes after SetWriteDeadline returns will fail. |
| st.onReadTimeout() |
| return nil |
| } |
| w.rws.conn.sendServeMsg(func(sc *serverConn) { |
| if st.readDeadline != nil { |
| if !st.readDeadline.Stop() { |
| // Deadline already exceeded, or stream has been closed. |
| return |
| } |
| } |
| if deadline.IsZero() { |
| st.readDeadline = nil |
| } else if st.readDeadline == nil { |
| st.readDeadline = time.AfterFunc(deadline.Sub(time.Now()), st.onReadTimeout) |
| } else { |
| st.readDeadline.Reset(deadline.Sub(time.Now())) |
| } |
| }) |
| return nil |
| } |
| |
| func (w *responseWriter) SetWriteDeadline(deadline time.Time) error { |
| st := w.rws.stream |
| if !deadline.IsZero() && deadline.Before(time.Now()) { |
| // If we're setting a deadline in the past, reset the stream immediately |
| // so writes after SetWriteDeadline returns will fail. |
| st.onWriteTimeout() |
| return nil |
| } |
| w.rws.conn.sendServeMsg(func(sc *serverConn) { |
| if st.writeDeadline != nil { |
| if !st.writeDeadline.Stop() { |
| // Deadline already exceeded, or stream has been closed. |
| return |
| } |
| } |
| if deadline.IsZero() { |
| st.writeDeadline = nil |
| } else if st.writeDeadline == nil { |
| st.writeDeadline = time.AfterFunc(deadline.Sub(time.Now()), st.onWriteTimeout) |
| } else { |
| st.writeDeadline.Reset(deadline.Sub(time.Now())) |
| } |
| }) |
| return nil |
| } |
| |
| func (w *responseWriter) Flush() { |
| w.FlushError() |
| } |
| |
| func (w *responseWriter) FlushError() error { |
| rws := w.rws |
| if rws == nil { |
| panic("Header called after Handler finished") |
| } |
| var err error |
| if rws.bw.Buffered() > 0 { |
| err = rws.bw.Flush() |
| } else { |
| // The bufio.Writer won't call chunkWriter.Write |
| // (writeChunk with zero bytes, so we have to do it |
| // ourselves to force the HTTP response header and/or |
| // final DATA frame (with END_STREAM) to be sent. |
| _, err = chunkWriter{rws}.Write(nil) |
| if err == nil { |
| select { |
| case <-rws.stream.cw: |
| err = rws.stream.closeErr |
| default: |
| } |
| } |
| } |
| return err |
| } |
| |
| func (w *responseWriter) CloseNotify() <-chan bool { |
| rws := w.rws |
| if rws == nil { |
| panic("CloseNotify called after Handler finished") |
| } |
| rws.closeNotifierMu.Lock() |
| ch := rws.closeNotifierCh |
| if ch == nil { |
| ch = make(chan bool, 1) |
| rws.closeNotifierCh = ch |
| cw := rws.stream.cw |
| go func() { |
| cw.Wait() // wait for close |
| ch <- true |
| }() |
| } |
| rws.closeNotifierMu.Unlock() |
| return ch |
| } |
| |
| func (w *responseWriter) Header() http.Header { |
| rws := w.rws |
| if rws == nil { |
| panic("Header called after Handler finished") |
| } |
| if rws.handlerHeader == nil { |
| rws.handlerHeader = make(http.Header) |
| } |
| return rws.handlerHeader |
| } |
| |
| // checkWriteHeaderCode is a copy of net/http's checkWriteHeaderCode. |
| func checkWriteHeaderCode(code int) { |
| // Issue 22880: require valid WriteHeader status codes. |
| // For now we only enforce that it's three digits. |
| // In the future we might block things over 599 (600 and above aren't defined |
| // at http://httpwg.org/specs/rfc7231.html#status.codes). |
| // But for now any three digits. |
| // |
| // We used to send "HTTP/1.1 000 0" on the wire in responses but there's |
| // no equivalent bogus thing we can realistically send in HTTP/2, |
| // so we'll consistently panic instead and help people find their bugs |
| // early. (We can't return an error from WriteHeader even if we wanted to.) |
| if code < 100 || code > 999 { |
| panic(fmt.Sprintf("invalid WriteHeader code %v", code)) |
| } |
| } |
| |
| func (w *responseWriter) WriteHeader(code int) { |
| rws := w.rws |
| if rws == nil { |
| panic("WriteHeader called after Handler finished") |
| } |
| rws.writeHeader(code) |
| } |
| |
| func (rws *responseWriterState) writeHeader(code int) { |
| if rws.wroteHeader { |
| return |
| } |
| |
| checkWriteHeaderCode(code) |
| |
| // Handle informational headers |
| if code >= 100 && code <= 199 { |
| // Per RFC 8297 we must not clear the current header map |
| h := rws.handlerHeader |
| |
| _, cl := h["Content-Length"] |
| _, te := h["Transfer-Encoding"] |
| if cl || te { |
| h = h.Clone() |
| h.Del("Content-Length") |
| h.Del("Transfer-Encoding") |
| } |
| |
| if rws.conn.writeHeaders(rws.stream, &writeResHeaders{ |
| streamID: rws.stream.id, |
| httpResCode: code, |
| h: h, |
| endStream: rws.handlerDone && !rws.hasTrailers(), |
| }) != nil { |
| rws.dirty = true |
| } |
| |
| return |
| } |
| |
| rws.wroteHeader = true |
| rws.status = code |
| if len(rws.handlerHeader) > 0 { |
| rws.snapHeader = cloneHeader(rws.handlerHeader) |
| } |
| } |
| |
| func cloneHeader(h http.Header) http.Header { |
| h2 := make(http.Header, len(h)) |
| for k, vv := range h { |
| vv2 := make([]string, len(vv)) |
| copy(vv2, vv) |
| h2[k] = vv2 |
| } |
| return h2 |
| } |
| |
| // The Life Of A Write is like this: |
| // |
| // * Handler calls w.Write or w.WriteString -> |
| // * -> rws.bw (*bufio.Writer) -> |
| // * (Handler might call Flush) |
| // * -> chunkWriter{rws} |
| // * -> responseWriterState.writeChunk(p []byte) |
| // * -> responseWriterState.writeChunk (most of the magic; see comment there) |
| func (w *responseWriter) Write(p []byte) (n int, err error) { |
| return w.write(len(p), p, "") |
| } |
| |
| func (w *responseWriter) WriteString(s string) (n int, err error) { |
| return w.write(len(s), nil, s) |
| } |
| |
| // either dataB or dataS is non-zero. |
| func (w *responseWriter) write(lenData int, dataB []byte, dataS string) (n int, err error) { |
| rws := w.rws |
| if rws == nil { |
| panic("Write called after Handler finished") |
| } |
| if !rws.wroteHeader { |
| w.WriteHeader(200) |
| } |
| if !bodyAllowedForStatus(rws.status) { |
| return 0, http.ErrBodyNotAllowed |
| } |
| rws.wroteBytes += int64(len(dataB)) + int64(len(dataS)) // only one can be set |
| if rws.sentContentLen != 0 && rws.wroteBytes > rws.sentContentLen { |
| // TODO: send a RST_STREAM |
| return 0, errors.New("http2: handler wrote more than declared Content-Length") |
| } |
| |
| if dataB != nil { |
| return rws.bw.Write(dataB) |
| } else { |
| return rws.bw.WriteString(dataS) |
| } |
| } |
| |
| func (w *responseWriter) handlerDone() { |
| rws := w.rws |
| dirty := rws.dirty |
| rws.handlerDone = true |
| w.Flush() |
| w.rws = nil |
| if !dirty { |
| // Only recycle the pool if all prior Write calls to |
| // the serverConn goroutine completed successfully. If |
| // they returned earlier due to resets from the peer |
| // there might still be write goroutines outstanding |
| // from the serverConn referencing the rws memory. See |
| // issue 20704. |
| responseWriterStatePool.Put(rws) |
| } |
| } |
| |
| // Push errors. |
| var ( |
| ErrRecursivePush = errors.New("http2: recursive push not allowed") |
| ErrPushLimitReached = errors.New("http2: push would exceed peer's SETTINGS_MAX_CONCURRENT_STREAMS") |
| ) |
| |
| var _ http.Pusher = (*responseWriter)(nil) |
| |
| func (w *responseWriter) Push(target string, opts *http.PushOptions) error { |
| st := w.rws.stream |
| sc := st.sc |
| sc.serveG.checkNotOn() |
| |
| // No recursive pushes: "PUSH_PROMISE frames MUST only be sent on a peer-initiated stream." |
| // http://tools.ietf.org/html/rfc7540#section-6.6 |
| if st.isPushed() { |
| return ErrRecursivePush |
| } |
| |
| if opts == nil { |
| opts = new(http.PushOptions) |
| } |
| |
| // Default options. |
| if opts.Method == "" { |
| opts.Method = "GET" |
| } |
| if opts.Header == nil { |
| opts.Header = http.Header{} |
| } |
| wantScheme := "http" |
| if w.rws.req.TLS != nil { |
| wantScheme = "https" |
| } |
| |
| // Validate the request. |
| u, err := url.Parse(target) |
| if err != nil { |
| return err |
| } |
| if u.Scheme == "" { |
| if !strings.HasPrefix(target, "/") { |
| return fmt.Errorf("target must be an absolute URL or an absolute path: %q", target) |
| } |
| u.Scheme = wantScheme |
| u.Host = w.rws.req.Host |
| } else { |
| if u.Scheme != wantScheme { |
| return fmt.Errorf("cannot push URL with scheme %q from request with scheme %q", u.Scheme, wantScheme) |
| } |
| if u.Host == "" { |
| return errors.New("URL must have a host") |
| } |
| } |
| for k := range opts.Header { |
| if strings.HasPrefix(k, ":") { |
| return fmt.Errorf("promised request headers cannot include pseudo header %q", k) |
| } |
| // These headers are meaningful only if the request has a body, |
| // but PUSH_PROMISE requests cannot have a body. |
| // http://tools.ietf.org/html/rfc7540#section-8.2 |
| // Also disallow Host, since the promised URL must be absolute. |
| if asciiEqualFold(k, "content-length") || |
| asciiEqualFold(k, "content-encoding") || |
| asciiEqualFold(k, "trailer") || |
| asciiEqualFold(k, "te") || |
| asciiEqualFold(k, "expect") || |
| asciiEqualFold(k, "host") { |
| return fmt.Errorf("promised request headers cannot include %q", k) |
| } |
| } |
| if err := checkValidHTTP2RequestHeaders(opts.Header); err != nil { |
| return err |
| } |
| |
| // The RFC effectively limits promised requests to GET and HEAD: |
| // "Promised requests MUST be cacheable [GET, HEAD, or POST], and MUST be safe [GET or HEAD]" |
| // http://tools.ietf.org/html/rfc7540#section-8.2 |
| if opts.Method != "GET" && opts.Method != "HEAD" { |
| return fmt.Errorf("method %q must be GET or HEAD", opts.Method) |
| } |
| |
| msg := &startPushRequest{ |
| parent: st, |
| method: opts.Method, |
| url: u, |
| header: cloneHeader(opts.Header), |
| done: errChanPool.Get().(chan error), |
| } |
| |
| select { |
| case <-sc.doneServing: |
| return errClientDisconnected |
| case <-st.cw: |
| return errStreamClosed |
| case sc.serveMsgCh <- msg: |
| } |
| |
| select { |
| case <-sc.doneServing: |
| return errClientDisconnected |
| case <-st.cw: |
| return errStreamClosed |
| case err := <-msg.done: |
| errChanPool.Put(msg.done) |
| return err |
| } |
| } |
| |
| type startPushRequest struct { |
| parent *stream |
| method string |
| url *url.URL |
| header http.Header |
| done chan error |
| } |
| |
| func (sc *serverConn) startPush(msg *startPushRequest) { |
| sc.serveG.check() |
| |
| // http://tools.ietf.org/html/rfc7540#section-6.6. |
| // PUSH_PROMISE frames MUST only be sent on a peer-initiated stream that |
| // is in either the "open" or "half-closed (remote)" state. |
| if msg.parent.state != stateOpen && msg.parent.state != stateHalfClosedRemote { |
| // responseWriter.Push checks that the stream is peer-initiated. |
| msg.done <- errStreamClosed |
| return |
| } |
| |
| // http://tools.ietf.org/html/rfc7540#section-6.6. |
| if !sc.pushEnabled { |
| msg.done <- http.ErrNotSupported |
| return |
| } |
| |
| // PUSH_PROMISE frames must be sent in increasing order by stream ID, so |
| // we allocate an ID for the promised stream lazily, when the PUSH_PROMISE |
| // is written. Once the ID is allocated, we start the request handler. |
| allocatePromisedID := func() (uint32, error) { |
| sc.serveG.check() |
| |
| // Check this again, just in case. Technically, we might have received |
| // an updated SETTINGS by the time we got around to writing this frame. |
| if !sc.pushEnabled { |
| return 0, http.ErrNotSupported |
| } |
| // http://tools.ietf.org/html/rfc7540#section-6.5.2. |
| if sc.curPushedStreams+1 > sc.clientMaxStreams { |
| return 0, ErrPushLimitReached |
| } |
| |
| // http://tools.ietf.org/html/rfc7540#section-5.1.1. |
| // Streams initiated by the server MUST use even-numbered identifiers. |
| // A server that is unable to establish a new stream identifier can send a GOAWAY |
| // frame so that the client is forced to open a new connection for new streams. |
| if sc.maxPushPromiseID+2 >= 1<<31 { |
| sc.startGracefulShutdownInternal() |
| return 0, ErrPushLimitReached |
| } |
| sc.maxPushPromiseID += 2 |
| promisedID := sc.maxPushPromiseID |
| |
| // http://tools.ietf.org/html/rfc7540#section-8.2. |
| // Strictly speaking, the new stream should start in "reserved (local)", then |
| // transition to "half closed (remote)" after sending the initial HEADERS, but |
| // we start in "half closed (remote)" for simplicity. |
| // See further comments at the definition of stateHalfClosedRemote. |
| promised := sc.newStream(promisedID, msg.parent.id, stateHalfClosedRemote) |
| rw, req, err := sc.newWriterAndRequestNoBody(promised, requestParam{ |
| method: msg.method, |
| scheme: msg.url.Scheme, |
| authority: msg.url.Host, |
| path: msg.url.RequestURI(), |
| header: cloneHeader(msg.header), // clone since handler runs concurrently with writing the PUSH_PROMISE |
| }) |
| if err != nil { |
| // Should not happen, since we've already validated msg.url. |
| panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err)) |
| } |
| |
| go sc.runHandler(rw, req, sc.handler.ServeHTTP) |
| return promisedID, nil |
| } |
| |
| sc.writeFrame(FrameWriteRequest{ |
| write: &writePushPromise{ |
| streamID: msg.parent.id, |
| method: msg.method, |
| url: msg.url, |
| h: msg.header, |
| allocatePromisedID: allocatePromisedID, |
| }, |
| stream: msg.parent, |
| done: msg.done, |
| }) |
| } |
| |
| // foreachHeaderElement splits v according to the "#rule" construction |
| // in RFC 7230 section 7 and calls fn for each non-empty element. |
| func foreachHeaderElement(v string, fn func(string)) { |
| v = textproto.TrimString(v) |
| if v == "" { |
| return |
| } |
| if !strings.Contains(v, ",") { |
| fn(v) |
| return |
| } |
| for _, f := range strings.Split(v, ",") { |
| if f = textproto.TrimString(f); f != "" { |
| fn(f) |
| } |
| } |
| } |
| |
| // From http://httpwg.org/specs/rfc7540.html#rfc.section.8.1.2.2 |
| var connHeaders = []string{ |
| "Connection", |
| "Keep-Alive", |
| "Proxy-Connection", |
| "Transfer-Encoding", |
| "Upgrade", |
| } |
| |
| // checkValidHTTP2RequestHeaders checks whether h is a valid HTTP/2 request, |
| // per RFC 7540 Section 8.1.2.2. |
| // The returned error is reported to users. |
| func checkValidHTTP2RequestHeaders(h http.Header) error { |
| for _, k := range connHeaders { |
| if _, ok := h[k]; ok { |
| return fmt.Errorf("request header %q is not valid in HTTP/2", k) |
| } |
| } |
| te := h["Te"] |
| if len(te) > 0 && (len(te) > 1 || (te[0] != "trailers" && te[0] != "")) { |
| return errors.New(`request header "TE" may only be "trailers" in HTTP/2`) |
| } |
| return nil |
| } |
| |
| func new400Handler(err error) http.HandlerFunc { |
| return func(w http.ResponseWriter, r *http.Request) { |
| http.Error(w, err.Error(), http.StatusBadRequest) |
| } |
| } |
| |
| // h1ServerKeepAlivesDisabled reports whether hs has its keep-alives |
| // disabled. See comments on h1ServerShutdownChan above for why |
| // the code is written this way. |
| func h1ServerKeepAlivesDisabled(hs *http.Server) bool { |
| var x interface{} = hs |
| type I interface { |
| doKeepAlives() bool |
| } |
| if hs, ok := x.(I); ok { |
| return !hs.doKeepAlives() |
| } |
| return false |
| } |
| |
| func (sc *serverConn) countError(name string, err error) error { |
| if sc == nil || sc.srv == nil { |
| return err |
| } |
| f := sc.srv.CountError |
| if f == nil { |
| return err |
| } |
| var typ string |
| var code ErrCode |
| switch e := err.(type) { |
| case ConnectionError: |
| typ = "conn" |
| code = ErrCode(e) |
| case StreamError: |
| typ = "stream" |
| code = ErrCode(e.Code) |
| default: |
| return err |
| } |
| codeStr := errCodeName[code] |
| if codeStr == "" { |
| codeStr = strconv.Itoa(int(code)) |
| } |
| f(fmt.Sprintf("%s_%s_%s", typ, codeStr, name)) |
| return err |
| } |