blob: 0ccbe9b4c2bfb31079ad520343b9a1915ad58a39 [file] [log] [blame]
Don Newton98fd8812019-09-23 15:15:02 -04001// Copyright 2014 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// TODO: turn off the serve goroutine when idle, so
6// an idle conn only has the readFrames goroutine active. (which could
7// also be optimized probably to pin less memory in crypto/tls). This
8// would involve tracking when the serve goroutine is active (atomic
9// int32 read/CAS probably?) and starting it up when frames arrive,
10// and shutting it down when all handlers exit. the occasional PING
11// packets could use time.AfterFunc to call sc.wakeStartServeLoop()
12// (which is a no-op if already running) and then queue the PING write
13// as normal. The serve loop would then exit in most cases (if no
14// Handlers running) and not be woken up again until the PING packet
15// returns.
16
17// TODO (maybe): add a mechanism for Handlers to going into
18// half-closed-local mode (rw.(io.Closer) test?) but not exit their
19// handler, and continue to be able to read from the
20// Request.Body. This would be a somewhat semantic change from HTTP/1
21// (or at least what we expose in net/http), so I'd probably want to
22// add it there too. For now, this package says that returning from
23// the Handler ServeHTTP function means you're both done reading and
24// done writing, without a way to stop just one or the other.
25
26package http2
27
28import (
29 "bufio"
30 "bytes"
31 "context"
32 "crypto/tls"
33 "errors"
34 "fmt"
35 "io"
36 "log"
37 "math"
38 "net"
39 "net/http"
40 "net/textproto"
41 "net/url"
42 "os"
43 "reflect"
44 "runtime"
45 "strconv"
46 "strings"
47 "sync"
48 "time"
49
50 "golang.org/x/net/http/httpguts"
51 "golang.org/x/net/http2/hpack"
52)
53
54const (
55 prefaceTimeout = 10 * time.Second
56 firstSettingsTimeout = 2 * time.Second // should be in-flight with preface anyway
57 handlerChunkWriteSize = 4 << 10
58 defaultMaxStreams = 250 // TODO: make this 100 as the GFE seems to?
59 maxQueuedControlFrames = 10000
60)
61
62var (
63 errClientDisconnected = errors.New("client disconnected")
64 errClosedBody = errors.New("body closed by handler")
65 errHandlerComplete = errors.New("http2: request body closed due to handler exiting")
66 errStreamClosed = errors.New("http2: stream closed")
67)
68
69var responseWriterStatePool = sync.Pool{
70 New: func() interface{} {
71 rws := &responseWriterState{}
72 rws.bw = bufio.NewWriterSize(chunkWriter{rws}, handlerChunkWriteSize)
73 return rws
74 },
75}
76
77// Test hooks.
78var (
79 testHookOnConn func()
80 testHookGetServerConn func(*serverConn)
81 testHookOnPanicMu *sync.Mutex // nil except in tests
82 testHookOnPanic func(sc *serverConn, panicVal interface{}) (rePanic bool)
83)
84
85// Server is an HTTP/2 server.
86type Server struct {
87 // MaxHandlers limits the number of http.Handler ServeHTTP goroutines
88 // which may run at a time over all connections.
89 // Negative or zero no limit.
90 // TODO: implement
91 MaxHandlers int
92
93 // MaxConcurrentStreams optionally specifies the number of
94 // concurrent streams that each client may have open at a
95 // time. This is unrelated to the number of http.Handler goroutines
96 // which may be active globally, which is MaxHandlers.
97 // If zero, MaxConcurrentStreams defaults to at least 100, per
98 // the HTTP/2 spec's recommendations.
99 MaxConcurrentStreams uint32
100
101 // MaxReadFrameSize optionally specifies the largest frame
102 // this server is willing to read. A valid value is between
103 // 16k and 16M, inclusive. If zero or otherwise invalid, a
104 // default value is used.
105 MaxReadFrameSize uint32
106
107 // PermitProhibitedCipherSuites, if true, permits the use of
108 // cipher suites prohibited by the HTTP/2 spec.
109 PermitProhibitedCipherSuites bool
110
111 // IdleTimeout specifies how long until idle clients should be
112 // closed with a GOAWAY frame. PING frames are not considered
113 // activity for the purposes of IdleTimeout.
114 IdleTimeout time.Duration
115
116 // MaxUploadBufferPerConnection is the size of the initial flow
117 // control window for each connections. The HTTP/2 spec does not
118 // allow this to be smaller than 65535 or larger than 2^32-1.
119 // If the value is outside this range, a default value will be
120 // used instead.
121 MaxUploadBufferPerConnection int32
122
123 // MaxUploadBufferPerStream is the size of the initial flow control
124 // window for each stream. The HTTP/2 spec does not allow this to
125 // be larger than 2^32-1. If the value is zero or larger than the
126 // maximum, a default value will be used instead.
127 MaxUploadBufferPerStream int32
128
129 // NewWriteScheduler constructs a write scheduler for a connection.
130 // If nil, a default scheduler is chosen.
131 NewWriteScheduler func() WriteScheduler
132
133 // Internal state. This is a pointer (rather than embedded directly)
134 // so that we don't embed a Mutex in this struct, which will make the
135 // struct non-copyable, which might break some callers.
136 state *serverInternalState
137}
138
139func (s *Server) initialConnRecvWindowSize() int32 {
140 if s.MaxUploadBufferPerConnection > initialWindowSize {
141 return s.MaxUploadBufferPerConnection
142 }
143 return 1 << 20
144}
145
146func (s *Server) initialStreamRecvWindowSize() int32 {
147 if s.MaxUploadBufferPerStream > 0 {
148 return s.MaxUploadBufferPerStream
149 }
150 return 1 << 20
151}
152
153func (s *Server) maxReadFrameSize() uint32 {
154 if v := s.MaxReadFrameSize; v >= minMaxFrameSize && v <= maxFrameSize {
155 return v
156 }
157 return defaultMaxReadFrameSize
158}
159
160func (s *Server) maxConcurrentStreams() uint32 {
161 if v := s.MaxConcurrentStreams; v > 0 {
162 return v
163 }
164 return defaultMaxStreams
165}
166
167// maxQueuedControlFrames is the maximum number of control frames like
168// SETTINGS, PING and RST_STREAM that will be queued for writing before
169// the connection is closed to prevent memory exhaustion attacks.
170func (s *Server) maxQueuedControlFrames() int {
171 // TODO: if anybody asks, add a Server field, and remember to define the
172 // behavior of negative values.
173 return maxQueuedControlFrames
174}
175
176type serverInternalState struct {
177 mu sync.Mutex
178 activeConns map[*serverConn]struct{}
179}
180
181func (s *serverInternalState) registerConn(sc *serverConn) {
182 if s == nil {
183 return // if the Server was used without calling ConfigureServer
184 }
185 s.mu.Lock()
186 s.activeConns[sc] = struct{}{}
187 s.mu.Unlock()
188}
189
190func (s *serverInternalState) unregisterConn(sc *serverConn) {
191 if s == nil {
192 return // if the Server was used without calling ConfigureServer
193 }
194 s.mu.Lock()
195 delete(s.activeConns, sc)
196 s.mu.Unlock()
197}
198
199func (s *serverInternalState) startGracefulShutdown() {
200 if s == nil {
201 return // if the Server was used without calling ConfigureServer
202 }
203 s.mu.Lock()
204 for sc := range s.activeConns {
205 sc.startGracefulShutdown()
206 }
207 s.mu.Unlock()
208}
209
210// ConfigureServer adds HTTP/2 support to a net/http Server.
211//
212// The configuration conf may be nil.
213//
214// ConfigureServer must be called before s begins serving.
215func ConfigureServer(s *http.Server, conf *Server) error {
216 if s == nil {
217 panic("nil *http.Server")
218 }
219 if conf == nil {
220 conf = new(Server)
221 }
222 conf.state = &serverInternalState{activeConns: make(map[*serverConn]struct{})}
223 if h1, h2 := s, conf; h2.IdleTimeout == 0 {
224 if h1.IdleTimeout != 0 {
225 h2.IdleTimeout = h1.IdleTimeout
226 } else {
227 h2.IdleTimeout = h1.ReadTimeout
228 }
229 }
230 s.RegisterOnShutdown(conf.state.startGracefulShutdown)
231
232 if s.TLSConfig == nil {
233 s.TLSConfig = new(tls.Config)
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +0000234 } else if s.TLSConfig.CipherSuites != nil && s.TLSConfig.MinVersion < tls.VersionTLS13 {
235 // If they already provided a TLS 1.0–1.2 CipherSuite list, return an
236 // error if it is missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
237 // ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
Don Newton98fd8812019-09-23 15:15:02 -0400238 haveRequired := false
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +0000239 for _, cs := range s.TLSConfig.CipherSuites {
Don Newton98fd8812019-09-23 15:15:02 -0400240 switch cs {
241 case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
242 // Alternative MTI cipher to not discourage ECDSA-only servers.
243 // See http://golang.org/cl/30721 for further information.
244 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
245 haveRequired = true
246 }
Don Newton98fd8812019-09-23 15:15:02 -0400247 }
248 if !haveRequired {
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +0000249 return fmt.Errorf("http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)")
Don Newton98fd8812019-09-23 15:15:02 -0400250 }
251 }
252
253 // Note: not setting MinVersion to tls.VersionTLS12,
254 // as we don't want to interfere with HTTP/1.1 traffic
255 // on the user's server. We enforce TLS 1.2 later once
256 // we accept a connection. Ideally this should be done
257 // during next-proto selection, but using TLS <1.2 with
258 // HTTP/2 is still the client's bug.
259
260 s.TLSConfig.PreferServerCipherSuites = true
261
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +0000262 if !strSliceContains(s.TLSConfig.NextProtos, NextProtoTLS) {
Don Newton98fd8812019-09-23 15:15:02 -0400263 s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, NextProtoTLS)
264 }
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +0000265 if !strSliceContains(s.TLSConfig.NextProtos, "http/1.1") {
266 s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, "http/1.1")
267 }
Don Newton98fd8812019-09-23 15:15:02 -0400268
269 if s.TLSNextProto == nil {
270 s.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}
271 }
272 protoHandler := func(hs *http.Server, c *tls.Conn, h http.Handler) {
273 if testHookOnConn != nil {
274 testHookOnConn()
275 }
276 // The TLSNextProto interface predates contexts, so
277 // the net/http package passes down its per-connection
278 // base context via an exported but unadvertised
279 // method on the Handler. This is for internal
280 // net/http<=>http2 use only.
281 var ctx context.Context
282 type baseContexter interface {
283 BaseContext() context.Context
284 }
285 if bc, ok := h.(baseContexter); ok {
286 ctx = bc.BaseContext()
287 }
288 conf.ServeConn(c, &ServeConnOpts{
289 Context: ctx,
290 Handler: h,
291 BaseConfig: hs,
292 })
293 }
294 s.TLSNextProto[NextProtoTLS] = protoHandler
295 return nil
296}
297
298// ServeConnOpts are options for the Server.ServeConn method.
299type ServeConnOpts struct {
300 // Context is the base context to use.
301 // If nil, context.Background is used.
302 Context context.Context
303
304 // BaseConfig optionally sets the base configuration
305 // for values. If nil, defaults are used.
306 BaseConfig *http.Server
307
308 // Handler specifies which handler to use for processing
309 // requests. If nil, BaseConfig.Handler is used. If BaseConfig
310 // or BaseConfig.Handler is nil, http.DefaultServeMux is used.
311 Handler http.Handler
312}
313
314func (o *ServeConnOpts) context() context.Context {
315 if o != nil && o.Context != nil {
316 return o.Context
317 }
318 return context.Background()
319}
320
321func (o *ServeConnOpts) baseConfig() *http.Server {
322 if o != nil && o.BaseConfig != nil {
323 return o.BaseConfig
324 }
325 return new(http.Server)
326}
327
328func (o *ServeConnOpts) handler() http.Handler {
329 if o != nil {
330 if o.Handler != nil {
331 return o.Handler
332 }
333 if o.BaseConfig != nil && o.BaseConfig.Handler != nil {
334 return o.BaseConfig.Handler
335 }
336 }
337 return http.DefaultServeMux
338}
339
340// ServeConn serves HTTP/2 requests on the provided connection and
341// blocks until the connection is no longer readable.
342//
343// ServeConn starts speaking HTTP/2 assuming that c has not had any
344// reads or writes. It writes its initial settings frame and expects
345// to be able to read the preface and settings frame from the
346// client. If c has a ConnectionState method like a *tls.Conn, the
347// ConnectionState is used to verify the TLS ciphersuite and to set
348// the Request.TLS field in Handlers.
349//
350// ServeConn does not support h2c by itself. Any h2c support must be
351// implemented in terms of providing a suitably-behaving net.Conn.
352//
353// The opts parameter is optional. If nil, default values are used.
354func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) {
355 baseCtx, cancel := serverConnBaseContext(c, opts)
356 defer cancel()
357
358 sc := &serverConn{
359 srv: s,
360 hs: opts.baseConfig(),
361 conn: c,
362 baseCtx: baseCtx,
363 remoteAddrStr: c.RemoteAddr().String(),
364 bw: newBufferedWriter(c),
365 handler: opts.handler(),
366 streams: make(map[uint32]*stream),
367 readFrameCh: make(chan readFrameResult),
368 wantWriteFrameCh: make(chan FrameWriteRequest, 8),
369 serveMsgCh: make(chan interface{}, 8),
370 wroteFrameCh: make(chan frameWriteResult, 1), // buffered; one send in writeFrameAsync
371 bodyReadCh: make(chan bodyReadMsg), // buffering doesn't matter either way
372 doneServing: make(chan struct{}),
373 clientMaxStreams: math.MaxUint32, // Section 6.5.2: "Initially, there is no limit to this value"
374 advMaxStreams: s.maxConcurrentStreams(),
375 initialStreamSendWindowSize: initialWindowSize,
376 maxFrameSize: initialMaxFrameSize,
377 headerTableSize: initialHeaderTableSize,
378 serveG: newGoroutineLock(),
379 pushEnabled: true,
380 }
381
382 s.state.registerConn(sc)
383 defer s.state.unregisterConn(sc)
384
385 // The net/http package sets the write deadline from the
386 // http.Server.WriteTimeout during the TLS handshake, but then
387 // passes the connection off to us with the deadline already set.
388 // Write deadlines are set per stream in serverConn.newStream.
389 // Disarm the net.Conn write deadline here.
390 if sc.hs.WriteTimeout != 0 {
391 sc.conn.SetWriteDeadline(time.Time{})
392 }
393
394 if s.NewWriteScheduler != nil {
395 sc.writeSched = s.NewWriteScheduler()
396 } else {
397 sc.writeSched = NewRandomWriteScheduler()
398 }
399
400 // These start at the RFC-specified defaults. If there is a higher
401 // configured value for inflow, that will be updated when we send a
402 // WINDOW_UPDATE shortly after sending SETTINGS.
403 sc.flow.add(initialWindowSize)
404 sc.inflow.add(initialWindowSize)
405 sc.hpackEncoder = hpack.NewEncoder(&sc.headerWriteBuf)
406
407 fr := NewFramer(sc.bw, c)
408 fr.ReadMetaHeaders = hpack.NewDecoder(initialHeaderTableSize, nil)
409 fr.MaxHeaderListSize = sc.maxHeaderListSize()
410 fr.SetMaxReadFrameSize(s.maxReadFrameSize())
411 sc.framer = fr
412
413 if tc, ok := c.(connectionStater); ok {
414 sc.tlsState = new(tls.ConnectionState)
415 *sc.tlsState = tc.ConnectionState()
416 // 9.2 Use of TLS Features
417 // An implementation of HTTP/2 over TLS MUST use TLS
418 // 1.2 or higher with the restrictions on feature set
419 // and cipher suite described in this section. Due to
420 // implementation limitations, it might not be
421 // possible to fail TLS negotiation. An endpoint MUST
422 // immediately terminate an HTTP/2 connection that
423 // does not meet the TLS requirements described in
424 // this section with a connection error (Section
425 // 5.4.1) of type INADEQUATE_SECURITY.
426 if sc.tlsState.Version < tls.VersionTLS12 {
427 sc.rejectConn(ErrCodeInadequateSecurity, "TLS version too low")
428 return
429 }
430
431 if sc.tlsState.ServerName == "" {
432 // Client must use SNI, but we don't enforce that anymore,
433 // since it was causing problems when connecting to bare IP
434 // addresses during development.
435 //
436 // TODO: optionally enforce? Or enforce at the time we receive
437 // a new request, and verify the ServerName matches the :authority?
438 // But that precludes proxy situations, perhaps.
439 //
440 // So for now, do nothing here again.
441 }
442
443 if !s.PermitProhibitedCipherSuites && isBadCipher(sc.tlsState.CipherSuite) {
444 // "Endpoints MAY choose to generate a connection error
445 // (Section 5.4.1) of type INADEQUATE_SECURITY if one of
446 // the prohibited cipher suites are negotiated."
447 //
448 // We choose that. In my opinion, the spec is weak
449 // here. It also says both parties must support at least
450 // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 so there's no
451 // excuses here. If we really must, we could allow an
452 // "AllowInsecureWeakCiphers" option on the server later.
453 // Let's see how it plays out first.
454 sc.rejectConn(ErrCodeInadequateSecurity, fmt.Sprintf("Prohibited TLS 1.2 Cipher Suite: %x", sc.tlsState.CipherSuite))
455 return
456 }
457 }
458
459 if hook := testHookGetServerConn; hook != nil {
460 hook(sc)
461 }
462 sc.serve()
463}
464
465func serverConnBaseContext(c net.Conn, opts *ServeConnOpts) (ctx context.Context, cancel func()) {
466 ctx, cancel = context.WithCancel(opts.context())
467 ctx = context.WithValue(ctx, http.LocalAddrContextKey, c.LocalAddr())
468 if hs := opts.baseConfig(); hs != nil {
469 ctx = context.WithValue(ctx, http.ServerContextKey, hs)
470 }
471 return
472}
473
474func (sc *serverConn) rejectConn(err ErrCode, debug string) {
475 sc.vlogf("http2: server rejecting conn: %v, %s", err, debug)
476 // ignoring errors. hanging up anyway.
477 sc.framer.WriteGoAway(0, err, []byte(debug))
478 sc.bw.Flush()
479 sc.conn.Close()
480}
481
482type serverConn struct {
483 // Immutable:
484 srv *Server
485 hs *http.Server
486 conn net.Conn
487 bw *bufferedWriter // writing to conn
488 handler http.Handler
489 baseCtx context.Context
490 framer *Framer
491 doneServing chan struct{} // closed when serverConn.serve ends
492 readFrameCh chan readFrameResult // written by serverConn.readFrames
493 wantWriteFrameCh chan FrameWriteRequest // from handlers -> serve
494 wroteFrameCh chan frameWriteResult // from writeFrameAsync -> serve, tickles more frame writes
495 bodyReadCh chan bodyReadMsg // from handlers -> serve
496 serveMsgCh chan interface{} // misc messages & code to send to / run on the serve loop
497 flow flow // conn-wide (not stream-specific) outbound flow control
498 inflow flow // conn-wide inbound flow control
499 tlsState *tls.ConnectionState // shared by all handlers, like net/http
500 remoteAddrStr string
501 writeSched WriteScheduler
502
503 // Everything following is owned by the serve loop; use serveG.check():
504 serveG goroutineLock // used to verify funcs are on serve()
505 pushEnabled bool
506 sawFirstSettings bool // got the initial SETTINGS frame after the preface
507 needToSendSettingsAck bool
508 unackedSettings int // how many SETTINGS have we sent without ACKs?
509 queuedControlFrames int // control frames in the writeSched queue
510 clientMaxStreams uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit)
511 advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
512 curClientStreams uint32 // number of open streams initiated by the client
513 curPushedStreams uint32 // number of open streams initiated by server push
514 maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests
515 maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes
516 streams map[uint32]*stream
517 initialStreamSendWindowSize int32
518 maxFrameSize int32
519 headerTableSize uint32
520 peerMaxHeaderListSize uint32 // zero means unknown (default)
521 canonHeader map[string]string // http2-lower-case -> Go-Canonical-Case
522 writingFrame bool // started writing a frame (on serve goroutine or separate)
523 writingFrameAsync bool // started a frame on its own goroutine but haven't heard back on wroteFrameCh
524 needsFrameFlush bool // last frame write wasn't a flush
525 inGoAway bool // we've started to or sent GOAWAY
526 inFrameScheduleLoop bool // whether we're in the scheduleFrameWrite loop
527 needToSendGoAway bool // we need to schedule a GOAWAY frame write
528 goAwayCode ErrCode
529 shutdownTimer *time.Timer // nil until used
530 idleTimer *time.Timer // nil if unused
531
532 // Owned by the writeFrameAsync goroutine:
533 headerWriteBuf bytes.Buffer
534 hpackEncoder *hpack.Encoder
535
536 // Used by startGracefulShutdown.
537 shutdownOnce sync.Once
538}
539
540func (sc *serverConn) maxHeaderListSize() uint32 {
541 n := sc.hs.MaxHeaderBytes
542 if n <= 0 {
543 n = http.DefaultMaxHeaderBytes
544 }
545 // http2's count is in a slightly different unit and includes 32 bytes per pair.
546 // So, take the net/http.Server value and pad it up a bit, assuming 10 headers.
547 const perFieldOverhead = 32 // per http2 spec
548 const typicalHeaders = 10 // conservative
549 return uint32(n + typicalHeaders*perFieldOverhead)
550}
551
552func (sc *serverConn) curOpenStreams() uint32 {
553 sc.serveG.check()
554 return sc.curClientStreams + sc.curPushedStreams
555}
556
557// stream represents a stream. This is the minimal metadata needed by
558// the serve goroutine. Most of the actual stream state is owned by
559// the http.Handler's goroutine in the responseWriter. Because the
560// responseWriter's responseWriterState is recycled at the end of a
561// handler, this struct intentionally has no pointer to the
562// *responseWriter{,State} itself, as the Handler ending nils out the
563// responseWriter's state field.
564type stream struct {
565 // immutable:
566 sc *serverConn
567 id uint32
568 body *pipe // non-nil if expecting DATA frames
569 cw closeWaiter // closed wait stream transitions to closed state
570 ctx context.Context
571 cancelCtx func()
572
573 // owned by serverConn's serve loop:
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +0000574 bodyBytes int64 // body bytes seen so far
575 declBodyBytes int64 // or -1 if undeclared
576 flow flow // limits writing from Handler to client
577 inflow flow // what the client is allowed to POST/etc to us
Don Newton98fd8812019-09-23 15:15:02 -0400578 state streamState
579 resetQueued bool // RST_STREAM queued for write; set by sc.resetStream
580 gotTrailerHeader bool // HEADER frame for trailers was seen
581 wroteHeaders bool // whether we wrote headers (not status 100)
582 writeDeadline *time.Timer // nil if unused
583
584 trailer http.Header // accumulated trailers
585 reqTrailer http.Header // handler's Request.Trailer
586}
587
588func (sc *serverConn) Framer() *Framer { return sc.framer }
589func (sc *serverConn) CloseConn() error { return sc.conn.Close() }
590func (sc *serverConn) Flush() error { return sc.bw.Flush() }
591func (sc *serverConn) HeaderEncoder() (*hpack.Encoder, *bytes.Buffer) {
592 return sc.hpackEncoder, &sc.headerWriteBuf
593}
594
595func (sc *serverConn) state(streamID uint32) (streamState, *stream) {
596 sc.serveG.check()
597 // http://tools.ietf.org/html/rfc7540#section-5.1
598 if st, ok := sc.streams[streamID]; ok {
599 return st.state, st
600 }
601 // "The first use of a new stream identifier implicitly closes all
602 // streams in the "idle" state that might have been initiated by
603 // that peer with a lower-valued stream identifier. For example, if
604 // a client sends a HEADERS frame on stream 7 without ever sending a
605 // frame on stream 5, then stream 5 transitions to the "closed"
606 // state when the first frame for stream 7 is sent or received."
607 if streamID%2 == 1 {
608 if streamID <= sc.maxClientStreamID {
609 return stateClosed, nil
610 }
611 } else {
612 if streamID <= sc.maxPushPromiseID {
613 return stateClosed, nil
614 }
615 }
616 return stateIdle, nil
617}
618
619// setConnState calls the net/http ConnState hook for this connection, if configured.
620// Note that the net/http package does StateNew and StateClosed for us.
621// There is currently no plan for StateHijacked or hijacking HTTP/2 connections.
622func (sc *serverConn) setConnState(state http.ConnState) {
623 if sc.hs.ConnState != nil {
624 sc.hs.ConnState(sc.conn, state)
625 }
626}
627
628func (sc *serverConn) vlogf(format string, args ...interface{}) {
629 if VerboseLogs {
630 sc.logf(format, args...)
631 }
632}
633
634func (sc *serverConn) logf(format string, args ...interface{}) {
635 if lg := sc.hs.ErrorLog; lg != nil {
636 lg.Printf(format, args...)
637 } else {
638 log.Printf(format, args...)
639 }
640}
641
642// errno returns v's underlying uintptr, else 0.
643//
644// TODO: remove this helper function once http2 can use build
645// tags. See comment in isClosedConnError.
646func errno(v error) uintptr {
647 if rv := reflect.ValueOf(v); rv.Kind() == reflect.Uintptr {
648 return uintptr(rv.Uint())
649 }
650 return 0
651}
652
653// isClosedConnError reports whether err is an error from use of a closed
654// network connection.
655func isClosedConnError(err error) bool {
656 if err == nil {
657 return false
658 }
659
660 // TODO: remove this string search and be more like the Windows
661 // case below. That might involve modifying the standard library
662 // to return better error types.
663 str := err.Error()
664 if strings.Contains(str, "use of closed network connection") {
665 return true
666 }
667
668 // TODO(bradfitz): x/tools/cmd/bundle doesn't really support
669 // build tags, so I can't make an http2_windows.go file with
670 // Windows-specific stuff. Fix that and move this, once we
671 // have a way to bundle this into std's net/http somehow.
672 if runtime.GOOS == "windows" {
673 if oe, ok := err.(*net.OpError); ok && oe.Op == "read" {
674 if se, ok := oe.Err.(*os.SyscallError); ok && se.Syscall == "wsarecv" {
675 const WSAECONNABORTED = 10053
676 const WSAECONNRESET = 10054
677 if n := errno(se.Err); n == WSAECONNRESET || n == WSAECONNABORTED {
678 return true
679 }
680 }
681 }
682 }
683 return false
684}
685
686func (sc *serverConn) condlogf(err error, format string, args ...interface{}) {
687 if err == nil {
688 return
689 }
690 if err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err) || err == errPrefaceTimeout {
691 // Boring, expected errors.
692 sc.vlogf(format, args...)
693 } else {
694 sc.logf(format, args...)
695 }
696}
697
698func (sc *serverConn) canonicalHeader(v string) string {
699 sc.serveG.check()
700 buildCommonHeaderMapsOnce()
701 cv, ok := commonCanonHeader[v]
702 if ok {
703 return cv
704 }
705 cv, ok = sc.canonHeader[v]
706 if ok {
707 return cv
708 }
709 if sc.canonHeader == nil {
710 sc.canonHeader = make(map[string]string)
711 }
712 cv = http.CanonicalHeaderKey(v)
713 sc.canonHeader[v] = cv
714 return cv
715}
716
717type readFrameResult struct {
718 f Frame // valid until readMore is called
719 err error
720
721 // readMore should be called once the consumer no longer needs or
722 // retains f. After readMore, f is invalid and more frames can be
723 // read.
724 readMore func()
725}
726
727// readFrames is the loop that reads incoming frames.
728// It takes care to only read one frame at a time, blocking until the
729// consumer is done with the frame.
730// It's run on its own goroutine.
731func (sc *serverConn) readFrames() {
732 gate := make(gate)
733 gateDone := gate.Done
734 for {
735 f, err := sc.framer.ReadFrame()
736 select {
737 case sc.readFrameCh <- readFrameResult{f, err, gateDone}:
738 case <-sc.doneServing:
739 return
740 }
741 select {
742 case <-gate:
743 case <-sc.doneServing:
744 return
745 }
746 if terminalReadFrameError(err) {
747 return
748 }
749 }
750}
751
752// frameWriteResult is the message passed from writeFrameAsync to the serve goroutine.
753type frameWriteResult struct {
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +0000754 _ incomparable
Don Newton98fd8812019-09-23 15:15:02 -0400755 wr FrameWriteRequest // what was written (or attempted)
756 err error // result of the writeFrame call
757}
758
759// writeFrameAsync runs in its own goroutine and writes a single frame
760// and then reports when it's done.
761// At most one goroutine can be running writeFrameAsync at a time per
762// serverConn.
763func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest) {
764 err := wr.write.writeFrame(sc)
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +0000765 sc.wroteFrameCh <- frameWriteResult{wr: wr, err: err}
Don Newton98fd8812019-09-23 15:15:02 -0400766}
767
768func (sc *serverConn) closeAllStreamsOnConnClose() {
769 sc.serveG.check()
770 for _, st := range sc.streams {
771 sc.closeStream(st, errClientDisconnected)
772 }
773}
774
775func (sc *serverConn) stopShutdownTimer() {
776 sc.serveG.check()
777 if t := sc.shutdownTimer; t != nil {
778 t.Stop()
779 }
780}
781
782func (sc *serverConn) notePanic() {
783 // Note: this is for serverConn.serve panicking, not http.Handler code.
784 if testHookOnPanicMu != nil {
785 testHookOnPanicMu.Lock()
786 defer testHookOnPanicMu.Unlock()
787 }
788 if testHookOnPanic != nil {
789 if e := recover(); e != nil {
790 if testHookOnPanic(sc, e) {
791 panic(e)
792 }
793 }
794 }
795}
796
797func (sc *serverConn) serve() {
798 sc.serveG.check()
799 defer sc.notePanic()
800 defer sc.conn.Close()
801 defer sc.closeAllStreamsOnConnClose()
802 defer sc.stopShutdownTimer()
803 defer close(sc.doneServing) // unblocks handlers trying to send
804
805 if VerboseLogs {
806 sc.vlogf("http2: server connection from %v on %p", sc.conn.RemoteAddr(), sc.hs)
807 }
808
809 sc.writeFrame(FrameWriteRequest{
810 write: writeSettings{
811 {SettingMaxFrameSize, sc.srv.maxReadFrameSize()},
812 {SettingMaxConcurrentStreams, sc.advMaxStreams},
813 {SettingMaxHeaderListSize, sc.maxHeaderListSize()},
814 {SettingInitialWindowSize, uint32(sc.srv.initialStreamRecvWindowSize())},
815 },
816 })
817 sc.unackedSettings++
818
819 // Each connection starts with intialWindowSize inflow tokens.
820 // If a higher value is configured, we add more tokens.
821 if diff := sc.srv.initialConnRecvWindowSize() - initialWindowSize; diff > 0 {
822 sc.sendWindowUpdate(nil, int(diff))
823 }
824
825 if err := sc.readPreface(); err != nil {
826 sc.condlogf(err, "http2: server: error reading preface from client %v: %v", sc.conn.RemoteAddr(), err)
827 return
828 }
829 // Now that we've got the preface, get us out of the
830 // "StateNew" state. We can't go directly to idle, though.
831 // Active means we read some data and anticipate a request. We'll
832 // do another Active when we get a HEADERS frame.
833 sc.setConnState(http.StateActive)
834 sc.setConnState(http.StateIdle)
835
836 if sc.srv.IdleTimeout != 0 {
837 sc.idleTimer = time.AfterFunc(sc.srv.IdleTimeout, sc.onIdleTimer)
838 defer sc.idleTimer.Stop()
839 }
840
841 go sc.readFrames() // closed by defer sc.conn.Close above
842
843 settingsTimer := time.AfterFunc(firstSettingsTimeout, sc.onSettingsTimer)
844 defer settingsTimer.Stop()
845
846 loopNum := 0
847 for {
848 loopNum++
849 select {
850 case wr := <-sc.wantWriteFrameCh:
851 if se, ok := wr.write.(StreamError); ok {
852 sc.resetStream(se)
853 break
854 }
855 sc.writeFrame(wr)
856 case res := <-sc.wroteFrameCh:
857 sc.wroteFrame(res)
858 case res := <-sc.readFrameCh:
859 if !sc.processFrameFromReader(res) {
860 return
861 }
862 res.readMore()
863 if settingsTimer != nil {
864 settingsTimer.Stop()
865 settingsTimer = nil
866 }
867 case m := <-sc.bodyReadCh:
868 sc.noteBodyRead(m.st, m.n)
869 case msg := <-sc.serveMsgCh:
870 switch v := msg.(type) {
871 case func(int):
872 v(loopNum) // for testing
873 case *serverMessage:
874 switch v {
875 case settingsTimerMsg:
876 sc.logf("timeout waiting for SETTINGS frames from %v", sc.conn.RemoteAddr())
877 return
878 case idleTimerMsg:
879 sc.vlogf("connection is idle")
880 sc.goAway(ErrCodeNo)
881 case shutdownTimerMsg:
882 sc.vlogf("GOAWAY close timer fired; closing conn from %v", sc.conn.RemoteAddr())
883 return
884 case gracefulShutdownMsg:
885 sc.startGracefulShutdownInternal()
886 default:
887 panic("unknown timer")
888 }
889 case *startPushRequest:
890 sc.startPush(v)
891 default:
892 panic(fmt.Sprintf("unexpected type %T", v))
893 }
894 }
895
896 // If the peer is causing us to generate a lot of control frames,
897 // but not reading them from us, assume they are trying to make us
898 // run out of memory.
899 if sc.queuedControlFrames > sc.srv.maxQueuedControlFrames() {
900 sc.vlogf("http2: too many control frames in send queue, closing connection")
901 return
902 }
903
904 // Start the shutdown timer after sending a GOAWAY. When sending GOAWAY
905 // with no error code (graceful shutdown), don't start the timer until
906 // all open streams have been completed.
907 sentGoAway := sc.inGoAway && !sc.needToSendGoAway && !sc.writingFrame
908 gracefulShutdownComplete := sc.goAwayCode == ErrCodeNo && sc.curOpenStreams() == 0
909 if sentGoAway && sc.shutdownTimer == nil && (sc.goAwayCode != ErrCodeNo || gracefulShutdownComplete) {
910 sc.shutDownIn(goAwayTimeout)
911 }
912 }
913}
914
915func (sc *serverConn) awaitGracefulShutdown(sharedCh <-chan struct{}, privateCh chan struct{}) {
916 select {
917 case <-sc.doneServing:
918 case <-sharedCh:
919 close(privateCh)
920 }
921}
922
923type serverMessage int
924
925// Message values sent to serveMsgCh.
926var (
927 settingsTimerMsg = new(serverMessage)
928 idleTimerMsg = new(serverMessage)
929 shutdownTimerMsg = new(serverMessage)
930 gracefulShutdownMsg = new(serverMessage)
931)
932
933func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
934func (sc *serverConn) onIdleTimer() { sc.sendServeMsg(idleTimerMsg) }
935func (sc *serverConn) onShutdownTimer() { sc.sendServeMsg(shutdownTimerMsg) }
936
937func (sc *serverConn) sendServeMsg(msg interface{}) {
938 sc.serveG.checkNotOn() // NOT
939 select {
940 case sc.serveMsgCh <- msg:
941 case <-sc.doneServing:
942 }
943}
944
945var errPrefaceTimeout = errors.New("timeout waiting for client preface")
946
947// readPreface reads the ClientPreface greeting from the peer or
948// returns errPrefaceTimeout on timeout, or an error if the greeting
949// is invalid.
950func (sc *serverConn) readPreface() error {
951 errc := make(chan error, 1)
952 go func() {
953 // Read the client preface
954 buf := make([]byte, len(ClientPreface))
955 if _, err := io.ReadFull(sc.conn, buf); err != nil {
956 errc <- err
957 } else if !bytes.Equal(buf, clientPreface) {
958 errc <- fmt.Errorf("bogus greeting %q", buf)
959 } else {
960 errc <- nil
961 }
962 }()
963 timer := time.NewTimer(prefaceTimeout) // TODO: configurable on *Server?
964 defer timer.Stop()
965 select {
966 case <-timer.C:
967 return errPrefaceTimeout
968 case err := <-errc:
969 if err == nil {
970 if VerboseLogs {
971 sc.vlogf("http2: server: client %v said hello", sc.conn.RemoteAddr())
972 }
973 }
974 return err
975 }
976}
977
978var errChanPool = sync.Pool{
979 New: func() interface{} { return make(chan error, 1) },
980}
981
982var writeDataPool = sync.Pool{
983 New: func() interface{} { return new(writeData) },
984}
985
986// writeDataFromHandler writes DATA response frames from a handler on
987// the given stream.
988func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStream bool) error {
989 ch := errChanPool.Get().(chan error)
990 writeArg := writeDataPool.Get().(*writeData)
991 *writeArg = writeData{stream.id, data, endStream}
992 err := sc.writeFrameFromHandler(FrameWriteRequest{
993 write: writeArg,
994 stream: stream,
995 done: ch,
996 })
997 if err != nil {
998 return err
999 }
1000 var frameWriteDone bool // the frame write is done (successfully or not)
1001 select {
1002 case err = <-ch:
1003 frameWriteDone = true
1004 case <-sc.doneServing:
1005 return errClientDisconnected
1006 case <-stream.cw:
1007 // If both ch and stream.cw were ready (as might
1008 // happen on the final Write after an http.Handler
1009 // ends), prefer the write result. Otherwise this
1010 // might just be us successfully closing the stream.
1011 // The writeFrameAsync and serve goroutines guarantee
1012 // that the ch send will happen before the stream.cw
1013 // close.
1014 select {
1015 case err = <-ch:
1016 frameWriteDone = true
1017 default:
1018 return errStreamClosed
1019 }
1020 }
1021 errChanPool.Put(ch)
1022 if frameWriteDone {
1023 writeDataPool.Put(writeArg)
1024 }
1025 return err
1026}
1027
1028// writeFrameFromHandler sends wr to sc.wantWriteFrameCh, but aborts
1029// if the connection has gone away.
1030//
1031// This must not be run from the serve goroutine itself, else it might
1032// deadlock writing to sc.wantWriteFrameCh (which is only mildly
1033// buffered and is read by serve itself). If you're on the serve
1034// goroutine, call writeFrame instead.
1035func (sc *serverConn) writeFrameFromHandler(wr FrameWriteRequest) error {
1036 sc.serveG.checkNotOn() // NOT
1037 select {
1038 case sc.wantWriteFrameCh <- wr:
1039 return nil
1040 case <-sc.doneServing:
1041 // Serve loop is gone.
1042 // Client has closed their connection to the server.
1043 return errClientDisconnected
1044 }
1045}
1046
1047// writeFrame schedules a frame to write and sends it if there's nothing
1048// already being written.
1049//
1050// There is no pushback here (the serve goroutine never blocks). It's
1051// the http.Handlers that block, waiting for their previous frames to
1052// make it onto the wire
1053//
1054// If you're not on the serve goroutine, use writeFrameFromHandler instead.
1055func (sc *serverConn) writeFrame(wr FrameWriteRequest) {
1056 sc.serveG.check()
1057
1058 // If true, wr will not be written and wr.done will not be signaled.
1059 var ignoreWrite bool
1060
1061 // We are not allowed to write frames on closed streams. RFC 7540 Section
1062 // 5.1.1 says: "An endpoint MUST NOT send frames other than PRIORITY on
1063 // a closed stream." Our server never sends PRIORITY, so that exception
1064 // does not apply.
1065 //
1066 // The serverConn might close an open stream while the stream's handler
1067 // is still running. For example, the server might close a stream when it
1068 // receives bad data from the client. If this happens, the handler might
1069 // attempt to write a frame after the stream has been closed (since the
1070 // handler hasn't yet been notified of the close). In this case, we simply
1071 // ignore the frame. The handler will notice that the stream is closed when
1072 // it waits for the frame to be written.
1073 //
1074 // As an exception to this rule, we allow sending RST_STREAM after close.
1075 // This allows us to immediately reject new streams without tracking any
1076 // state for those streams (except for the queued RST_STREAM frame). This
1077 // may result in duplicate RST_STREAMs in some cases, but the client should
1078 // ignore those.
1079 if wr.StreamID() != 0 {
1080 _, isReset := wr.write.(StreamError)
1081 if state, _ := sc.state(wr.StreamID()); state == stateClosed && !isReset {
1082 ignoreWrite = true
1083 }
1084 }
1085
1086 // Don't send a 100-continue response if we've already sent headers.
1087 // See golang.org/issue/14030.
1088 switch wr.write.(type) {
1089 case *writeResHeaders:
1090 wr.stream.wroteHeaders = true
1091 case write100ContinueHeadersFrame:
1092 if wr.stream.wroteHeaders {
1093 // We do not need to notify wr.done because this frame is
1094 // never written with wr.done != nil.
1095 if wr.done != nil {
1096 panic("wr.done != nil for write100ContinueHeadersFrame")
1097 }
1098 ignoreWrite = true
1099 }
1100 }
1101
1102 if !ignoreWrite {
1103 if wr.isControl() {
1104 sc.queuedControlFrames++
1105 // For extra safety, detect wraparounds, which should not happen,
1106 // and pull the plug.
1107 if sc.queuedControlFrames < 0 {
1108 sc.conn.Close()
1109 }
1110 }
1111 sc.writeSched.Push(wr)
1112 }
1113 sc.scheduleFrameWrite()
1114}
1115
1116// startFrameWrite starts a goroutine to write wr (in a separate
1117// goroutine since that might block on the network), and updates the
1118// serve goroutine's state about the world, updated from info in wr.
1119func (sc *serverConn) startFrameWrite(wr FrameWriteRequest) {
1120 sc.serveG.check()
1121 if sc.writingFrame {
1122 panic("internal error: can only be writing one frame at a time")
1123 }
1124
1125 st := wr.stream
1126 if st != nil {
1127 switch st.state {
1128 case stateHalfClosedLocal:
1129 switch wr.write.(type) {
1130 case StreamError, handlerPanicRST, writeWindowUpdate:
1131 // RFC 7540 Section 5.1 allows sending RST_STREAM, PRIORITY, and WINDOW_UPDATE
1132 // in this state. (We never send PRIORITY from the server, so that is not checked.)
1133 default:
1134 panic(fmt.Sprintf("internal error: attempt to send frame on a half-closed-local stream: %v", wr))
1135 }
1136 case stateClosed:
1137 panic(fmt.Sprintf("internal error: attempt to send frame on a closed stream: %v", wr))
1138 }
1139 }
1140 if wpp, ok := wr.write.(*writePushPromise); ok {
1141 var err error
1142 wpp.promisedID, err = wpp.allocatePromisedID()
1143 if err != nil {
1144 sc.writingFrameAsync = false
1145 wr.replyToWriter(err)
1146 return
1147 }
1148 }
1149
1150 sc.writingFrame = true
1151 sc.needsFrameFlush = true
1152 if wr.write.staysWithinBuffer(sc.bw.Available()) {
1153 sc.writingFrameAsync = false
1154 err := wr.write.writeFrame(sc)
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00001155 sc.wroteFrame(frameWriteResult{wr: wr, err: err})
Don Newton98fd8812019-09-23 15:15:02 -04001156 } else {
1157 sc.writingFrameAsync = true
1158 go sc.writeFrameAsync(wr)
1159 }
1160}
1161
1162// errHandlerPanicked is the error given to any callers blocked in a read from
1163// Request.Body when the main goroutine panics. Since most handlers read in the
1164// main ServeHTTP goroutine, this will show up rarely.
1165var errHandlerPanicked = errors.New("http2: handler panicked")
1166
1167// wroteFrame is called on the serve goroutine with the result of
1168// whatever happened on writeFrameAsync.
1169func (sc *serverConn) wroteFrame(res frameWriteResult) {
1170 sc.serveG.check()
1171 if !sc.writingFrame {
1172 panic("internal error: expected to be already writing a frame")
1173 }
1174 sc.writingFrame = false
1175 sc.writingFrameAsync = false
1176
1177 wr := res.wr
1178
1179 if writeEndsStream(wr.write) {
1180 st := wr.stream
1181 if st == nil {
1182 panic("internal error: expecting non-nil stream")
1183 }
1184 switch st.state {
1185 case stateOpen:
1186 // Here we would go to stateHalfClosedLocal in
1187 // theory, but since our handler is done and
1188 // the net/http package provides no mechanism
1189 // for closing a ResponseWriter while still
1190 // reading data (see possible TODO at top of
1191 // this file), we go into closed state here
1192 // anyway, after telling the peer we're
1193 // hanging up on them. We'll transition to
1194 // stateClosed after the RST_STREAM frame is
1195 // written.
1196 st.state = stateHalfClosedLocal
1197 // Section 8.1: a server MAY request that the client abort
1198 // transmission of a request without error by sending a
1199 // RST_STREAM with an error code of NO_ERROR after sending
1200 // a complete response.
1201 sc.resetStream(streamError(st.id, ErrCodeNo))
1202 case stateHalfClosedRemote:
1203 sc.closeStream(st, errHandlerComplete)
1204 }
1205 } else {
1206 switch v := wr.write.(type) {
1207 case StreamError:
1208 // st may be unknown if the RST_STREAM was generated to reject bad input.
1209 if st, ok := sc.streams[v.StreamID]; ok {
1210 sc.closeStream(st, v)
1211 }
1212 case handlerPanicRST:
1213 sc.closeStream(wr.stream, errHandlerPanicked)
1214 }
1215 }
1216
1217 // Reply (if requested) to unblock the ServeHTTP goroutine.
1218 wr.replyToWriter(res.err)
1219
1220 sc.scheduleFrameWrite()
1221}
1222
1223// scheduleFrameWrite tickles the frame writing scheduler.
1224//
1225// If a frame is already being written, nothing happens. This will be called again
1226// when the frame is done being written.
1227//
1228// If a frame isn't being written and we need to send one, the best frame
1229// to send is selected by writeSched.
1230//
1231// If a frame isn't being written and there's nothing else to send, we
1232// flush the write buffer.
1233func (sc *serverConn) scheduleFrameWrite() {
1234 sc.serveG.check()
1235 if sc.writingFrame || sc.inFrameScheduleLoop {
1236 return
1237 }
1238 sc.inFrameScheduleLoop = true
1239 for !sc.writingFrameAsync {
1240 if sc.needToSendGoAway {
1241 sc.needToSendGoAway = false
1242 sc.startFrameWrite(FrameWriteRequest{
1243 write: &writeGoAway{
1244 maxStreamID: sc.maxClientStreamID,
1245 code: sc.goAwayCode,
1246 },
1247 })
1248 continue
1249 }
1250 if sc.needToSendSettingsAck {
1251 sc.needToSendSettingsAck = false
1252 sc.startFrameWrite(FrameWriteRequest{write: writeSettingsAck{}})
1253 continue
1254 }
1255 if !sc.inGoAway || sc.goAwayCode == ErrCodeNo {
1256 if wr, ok := sc.writeSched.Pop(); ok {
1257 if wr.isControl() {
1258 sc.queuedControlFrames--
1259 }
1260 sc.startFrameWrite(wr)
1261 continue
1262 }
1263 }
1264 if sc.needsFrameFlush {
1265 sc.startFrameWrite(FrameWriteRequest{write: flushFrameWriter{}})
1266 sc.needsFrameFlush = false // after startFrameWrite, since it sets this true
1267 continue
1268 }
1269 break
1270 }
1271 sc.inFrameScheduleLoop = false
1272}
1273
1274// startGracefulShutdown gracefully shuts down a connection. This
1275// sends GOAWAY with ErrCodeNo to tell the client we're gracefully
1276// shutting down. The connection isn't closed until all current
1277// streams are done.
1278//
1279// startGracefulShutdown returns immediately; it does not wait until
1280// the connection has shut down.
1281func (sc *serverConn) startGracefulShutdown() {
1282 sc.serveG.checkNotOn() // NOT
1283 sc.shutdownOnce.Do(func() { sc.sendServeMsg(gracefulShutdownMsg) })
1284}
1285
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00001286// After sending GOAWAY with an error code (non-graceful shutdown), the
1287// connection will close after goAwayTimeout.
1288//
Don Newton98fd8812019-09-23 15:15:02 -04001289// If we close the connection immediately after sending GOAWAY, there may
1290// be unsent data in our kernel receive buffer, which will cause the kernel
1291// to send a TCP RST on close() instead of a FIN. This RST will abort the
1292// connection immediately, whether or not the client had received the GOAWAY.
1293//
1294// Ideally we should delay for at least 1 RTT + epsilon so the client has
1295// a chance to read the GOAWAY and stop sending messages. Measuring RTT
1296// is hard, so we approximate with 1 second. See golang.org/issue/18701.
1297//
1298// This is a var so it can be shorter in tests, where all requests uses the
1299// loopback interface making the expected RTT very small.
1300//
1301// TODO: configurable?
1302var goAwayTimeout = 1 * time.Second
1303
1304func (sc *serverConn) startGracefulShutdownInternal() {
1305 sc.goAway(ErrCodeNo)
1306}
1307
1308func (sc *serverConn) goAway(code ErrCode) {
1309 sc.serveG.check()
1310 if sc.inGoAway {
1311 return
1312 }
1313 sc.inGoAway = true
1314 sc.needToSendGoAway = true
1315 sc.goAwayCode = code
1316 sc.scheduleFrameWrite()
1317}
1318
1319func (sc *serverConn) shutDownIn(d time.Duration) {
1320 sc.serveG.check()
1321 sc.shutdownTimer = time.AfterFunc(d, sc.onShutdownTimer)
1322}
1323
1324func (sc *serverConn) resetStream(se StreamError) {
1325 sc.serveG.check()
1326 sc.writeFrame(FrameWriteRequest{write: se})
1327 if st, ok := sc.streams[se.StreamID]; ok {
1328 st.resetQueued = true
1329 }
1330}
1331
1332// processFrameFromReader processes the serve loop's read from readFrameCh from the
1333// frame-reading goroutine.
1334// processFrameFromReader returns whether the connection should be kept open.
1335func (sc *serverConn) processFrameFromReader(res readFrameResult) bool {
1336 sc.serveG.check()
1337 err := res.err
1338 if err != nil {
1339 if err == ErrFrameTooLarge {
1340 sc.goAway(ErrCodeFrameSize)
1341 return true // goAway will close the loop
1342 }
1343 clientGone := err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err)
1344 if clientGone {
1345 // TODO: could we also get into this state if
1346 // the peer does a half close
1347 // (e.g. CloseWrite) because they're done
1348 // sending frames but they're still wanting
1349 // our open replies? Investigate.
1350 // TODO: add CloseWrite to crypto/tls.Conn first
1351 // so we have a way to test this? I suppose
1352 // just for testing we could have a non-TLS mode.
1353 return false
1354 }
1355 } else {
1356 f := res.f
1357 if VerboseLogs {
1358 sc.vlogf("http2: server read frame %v", summarizeFrame(f))
1359 }
1360 err = sc.processFrame(f)
1361 if err == nil {
1362 return true
1363 }
1364 }
1365
1366 switch ev := err.(type) {
1367 case StreamError:
1368 sc.resetStream(ev)
1369 return true
1370 case goAwayFlowError:
1371 sc.goAway(ErrCodeFlowControl)
1372 return true
1373 case ConnectionError:
1374 sc.logf("http2: server connection error from %v: %v", sc.conn.RemoteAddr(), ev)
1375 sc.goAway(ErrCode(ev))
1376 return true // goAway will handle shutdown
1377 default:
1378 if res.err != nil {
1379 sc.vlogf("http2: server closing client connection; error reading frame from client %s: %v", sc.conn.RemoteAddr(), err)
1380 } else {
1381 sc.logf("http2: server closing client connection: %v", err)
1382 }
1383 return false
1384 }
1385}
1386
1387func (sc *serverConn) processFrame(f Frame) error {
1388 sc.serveG.check()
1389
1390 // First frame received must be SETTINGS.
1391 if !sc.sawFirstSettings {
1392 if _, ok := f.(*SettingsFrame); !ok {
1393 return ConnectionError(ErrCodeProtocol)
1394 }
1395 sc.sawFirstSettings = true
1396 }
1397
1398 switch f := f.(type) {
1399 case *SettingsFrame:
1400 return sc.processSettings(f)
1401 case *MetaHeadersFrame:
1402 return sc.processHeaders(f)
1403 case *WindowUpdateFrame:
1404 return sc.processWindowUpdate(f)
1405 case *PingFrame:
1406 return sc.processPing(f)
1407 case *DataFrame:
1408 return sc.processData(f)
1409 case *RSTStreamFrame:
1410 return sc.processResetStream(f)
1411 case *PriorityFrame:
1412 return sc.processPriority(f)
1413 case *GoAwayFrame:
1414 return sc.processGoAway(f)
1415 case *PushPromiseFrame:
1416 // A client cannot push. Thus, servers MUST treat the receipt of a PUSH_PROMISE
1417 // frame as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
1418 return ConnectionError(ErrCodeProtocol)
1419 default:
1420 sc.vlogf("http2: server ignoring frame: %v", f.Header())
1421 return nil
1422 }
1423}
1424
1425func (sc *serverConn) processPing(f *PingFrame) error {
1426 sc.serveG.check()
1427 if f.IsAck() {
1428 // 6.7 PING: " An endpoint MUST NOT respond to PING frames
1429 // containing this flag."
1430 return nil
1431 }
1432 if f.StreamID != 0 {
1433 // "PING frames are not associated with any individual
1434 // stream. If a PING frame is received with a stream
1435 // identifier field value other than 0x0, the recipient MUST
1436 // respond with a connection error (Section 5.4.1) of type
1437 // PROTOCOL_ERROR."
1438 return ConnectionError(ErrCodeProtocol)
1439 }
1440 if sc.inGoAway && sc.goAwayCode != ErrCodeNo {
1441 return nil
1442 }
1443 sc.writeFrame(FrameWriteRequest{write: writePingAck{f}})
1444 return nil
1445}
1446
1447func (sc *serverConn) processWindowUpdate(f *WindowUpdateFrame) error {
1448 sc.serveG.check()
1449 switch {
1450 case f.StreamID != 0: // stream-level flow control
1451 state, st := sc.state(f.StreamID)
1452 if state == stateIdle {
1453 // Section 5.1: "Receiving any frame other than HEADERS
1454 // or PRIORITY on a stream in this state MUST be
1455 // treated as a connection error (Section 5.4.1) of
1456 // type PROTOCOL_ERROR."
1457 return ConnectionError(ErrCodeProtocol)
1458 }
1459 if st == nil {
1460 // "WINDOW_UPDATE can be sent by a peer that has sent a
1461 // frame bearing the END_STREAM flag. This means that a
1462 // receiver could receive a WINDOW_UPDATE frame on a "half
1463 // closed (remote)" or "closed" stream. A receiver MUST
1464 // NOT treat this as an error, see Section 5.1."
1465 return nil
1466 }
1467 if !st.flow.add(int32(f.Increment)) {
1468 return streamError(f.StreamID, ErrCodeFlowControl)
1469 }
1470 default: // connection-level flow control
1471 if !sc.flow.add(int32(f.Increment)) {
1472 return goAwayFlowError{}
1473 }
1474 }
1475 sc.scheduleFrameWrite()
1476 return nil
1477}
1478
1479func (sc *serverConn) processResetStream(f *RSTStreamFrame) error {
1480 sc.serveG.check()
1481
1482 state, st := sc.state(f.StreamID)
1483 if state == stateIdle {
1484 // 6.4 "RST_STREAM frames MUST NOT be sent for a
1485 // stream in the "idle" state. If a RST_STREAM frame
1486 // identifying an idle stream is received, the
1487 // recipient MUST treat this as a connection error
1488 // (Section 5.4.1) of type PROTOCOL_ERROR.
1489 return ConnectionError(ErrCodeProtocol)
1490 }
1491 if st != nil {
1492 st.cancelCtx()
1493 sc.closeStream(st, streamError(f.StreamID, f.ErrCode))
1494 }
1495 return nil
1496}
1497
1498func (sc *serverConn) closeStream(st *stream, err error) {
1499 sc.serveG.check()
1500 if st.state == stateIdle || st.state == stateClosed {
1501 panic(fmt.Sprintf("invariant; can't close stream in state %v", st.state))
1502 }
1503 st.state = stateClosed
1504 if st.writeDeadline != nil {
1505 st.writeDeadline.Stop()
1506 }
1507 if st.isPushed() {
1508 sc.curPushedStreams--
1509 } else {
1510 sc.curClientStreams--
1511 }
1512 delete(sc.streams, st.id)
1513 if len(sc.streams) == 0 {
1514 sc.setConnState(http.StateIdle)
1515 if sc.srv.IdleTimeout != 0 {
1516 sc.idleTimer.Reset(sc.srv.IdleTimeout)
1517 }
1518 if h1ServerKeepAlivesDisabled(sc.hs) {
1519 sc.startGracefulShutdownInternal()
1520 }
1521 }
1522 if p := st.body; p != nil {
1523 // Return any buffered unread bytes worth of conn-level flow control.
1524 // See golang.org/issue/16481
1525 sc.sendWindowUpdate(nil, p.Len())
1526
1527 p.CloseWithError(err)
1528 }
1529 st.cw.Close() // signals Handler's CloseNotifier, unblocks writes, etc
1530 sc.writeSched.CloseStream(st.id)
1531}
1532
1533func (sc *serverConn) processSettings(f *SettingsFrame) error {
1534 sc.serveG.check()
1535 if f.IsAck() {
1536 sc.unackedSettings--
1537 if sc.unackedSettings < 0 {
1538 // Why is the peer ACKing settings we never sent?
1539 // The spec doesn't mention this case, but
1540 // hang up on them anyway.
1541 return ConnectionError(ErrCodeProtocol)
1542 }
1543 return nil
1544 }
1545 if f.NumSettings() > 100 || f.HasDuplicates() {
1546 // This isn't actually in the spec, but hang up on
1547 // suspiciously large settings frames or those with
1548 // duplicate entries.
1549 return ConnectionError(ErrCodeProtocol)
1550 }
1551 if err := f.ForeachSetting(sc.processSetting); err != nil {
1552 return err
1553 }
1554 // TODO: judging by RFC 7540, Section 6.5.3 each SETTINGS frame should be
1555 // acknowledged individually, even if multiple are received before the ACK.
1556 sc.needToSendSettingsAck = true
1557 sc.scheduleFrameWrite()
1558 return nil
1559}
1560
1561func (sc *serverConn) processSetting(s Setting) error {
1562 sc.serveG.check()
1563 if err := s.Valid(); err != nil {
1564 return err
1565 }
1566 if VerboseLogs {
1567 sc.vlogf("http2: server processing setting %v", s)
1568 }
1569 switch s.ID {
1570 case SettingHeaderTableSize:
1571 sc.headerTableSize = s.Val
1572 sc.hpackEncoder.SetMaxDynamicTableSize(s.Val)
1573 case SettingEnablePush:
1574 sc.pushEnabled = s.Val != 0
1575 case SettingMaxConcurrentStreams:
1576 sc.clientMaxStreams = s.Val
1577 case SettingInitialWindowSize:
1578 return sc.processSettingInitialWindowSize(s.Val)
1579 case SettingMaxFrameSize:
1580 sc.maxFrameSize = int32(s.Val) // the maximum valid s.Val is < 2^31
1581 case SettingMaxHeaderListSize:
1582 sc.peerMaxHeaderListSize = s.Val
1583 default:
1584 // Unknown setting: "An endpoint that receives a SETTINGS
1585 // frame with any unknown or unsupported identifier MUST
1586 // ignore that setting."
1587 if VerboseLogs {
1588 sc.vlogf("http2: server ignoring unknown setting %v", s)
1589 }
1590 }
1591 return nil
1592}
1593
1594func (sc *serverConn) processSettingInitialWindowSize(val uint32) error {
1595 sc.serveG.check()
1596 // Note: val already validated to be within range by
1597 // processSetting's Valid call.
1598
1599 // "A SETTINGS frame can alter the initial flow control window
1600 // size for all current streams. When the value of
1601 // SETTINGS_INITIAL_WINDOW_SIZE changes, a receiver MUST
1602 // adjust the size of all stream flow control windows that it
1603 // maintains by the difference between the new value and the
1604 // old value."
1605 old := sc.initialStreamSendWindowSize
1606 sc.initialStreamSendWindowSize = int32(val)
1607 growth := int32(val) - old // may be negative
1608 for _, st := range sc.streams {
1609 if !st.flow.add(growth) {
1610 // 6.9.2 Initial Flow Control Window Size
1611 // "An endpoint MUST treat a change to
1612 // SETTINGS_INITIAL_WINDOW_SIZE that causes any flow
1613 // control window to exceed the maximum size as a
1614 // connection error (Section 5.4.1) of type
1615 // FLOW_CONTROL_ERROR."
1616 return ConnectionError(ErrCodeFlowControl)
1617 }
1618 }
1619 return nil
1620}
1621
1622func (sc *serverConn) processData(f *DataFrame) error {
1623 sc.serveG.check()
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00001624 id := f.Header().StreamID
1625 if sc.inGoAway && (sc.goAwayCode != ErrCodeNo || id > sc.maxClientStreamID) {
1626 // Discard all DATA frames if the GOAWAY is due to an
1627 // error, or:
1628 //
1629 // Section 6.8: After sending a GOAWAY frame, the sender
1630 // can discard frames for streams initiated by the
1631 // receiver with identifiers higher than the identified
1632 // last stream.
Don Newton98fd8812019-09-23 15:15:02 -04001633 return nil
1634 }
Don Newton98fd8812019-09-23 15:15:02 -04001635
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00001636 data := f.Data()
Don Newton98fd8812019-09-23 15:15:02 -04001637 state, st := sc.state(id)
1638 if id == 0 || state == stateIdle {
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00001639 // Section 6.1: "DATA frames MUST be associated with a
1640 // stream. If a DATA frame is received whose stream
1641 // identifier field is 0x0, the recipient MUST respond
1642 // with a connection error (Section 5.4.1) of type
1643 // PROTOCOL_ERROR."
1644 //
Don Newton98fd8812019-09-23 15:15:02 -04001645 // Section 5.1: "Receiving any frame other than HEADERS
1646 // or PRIORITY on a stream in this state MUST be
1647 // treated as a connection error (Section 5.4.1) of
1648 // type PROTOCOL_ERROR."
1649 return ConnectionError(ErrCodeProtocol)
1650 }
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00001651
1652 // "If a DATA frame is received whose stream is not in "open"
1653 // or "half closed (local)" state, the recipient MUST respond
1654 // with a stream error (Section 5.4.2) of type STREAM_CLOSED."
Don Newton98fd8812019-09-23 15:15:02 -04001655 if st == nil || state != stateOpen || st.gotTrailerHeader || st.resetQueued {
1656 // This includes sending a RST_STREAM if the stream is
1657 // in stateHalfClosedLocal (which currently means that
1658 // the http.Handler returned, so it's done reading &
1659 // done writing). Try to stop the client from sending
1660 // more DATA.
1661
1662 // But still enforce their connection-level flow control,
1663 // and return any flow control bytes since we're not going
1664 // to consume them.
1665 if sc.inflow.available() < int32(f.Length) {
1666 return streamError(id, ErrCodeFlowControl)
1667 }
1668 // Deduct the flow control from inflow, since we're
1669 // going to immediately add it back in
1670 // sendWindowUpdate, which also schedules sending the
1671 // frames.
1672 sc.inflow.take(int32(f.Length))
1673 sc.sendWindowUpdate(nil, int(f.Length)) // conn-level
1674
1675 if st != nil && st.resetQueued {
1676 // Already have a stream error in flight. Don't send another.
1677 return nil
1678 }
1679 return streamError(id, ErrCodeStreamClosed)
1680 }
1681 if st.body == nil {
1682 panic("internal error: should have a body in this state")
1683 }
1684
1685 // Sender sending more than they'd declared?
1686 if st.declBodyBytes != -1 && st.bodyBytes+int64(len(data)) > st.declBodyBytes {
1687 st.body.CloseWithError(fmt.Errorf("sender tried to send more than declared Content-Length of %d bytes", st.declBodyBytes))
1688 // RFC 7540, sec 8.1.2.6: A request or response is also malformed if the
1689 // value of a content-length header field does not equal the sum of the
1690 // DATA frame payload lengths that form the body.
1691 return streamError(id, ErrCodeProtocol)
1692 }
1693 if f.Length > 0 {
1694 // Check whether the client has flow control quota.
1695 if st.inflow.available() < int32(f.Length) {
1696 return streamError(id, ErrCodeFlowControl)
1697 }
1698 st.inflow.take(int32(f.Length))
1699
1700 if len(data) > 0 {
1701 wrote, err := st.body.Write(data)
1702 if err != nil {
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00001703 sc.sendWindowUpdate(nil, int(f.Length)-wrote)
Don Newton98fd8812019-09-23 15:15:02 -04001704 return streamError(id, ErrCodeStreamClosed)
1705 }
1706 if wrote != len(data) {
1707 panic("internal error: bad Writer")
1708 }
1709 st.bodyBytes += int64(len(data))
1710 }
1711
1712 // Return any padded flow control now, since we won't
1713 // refund it later on body reads.
1714 if pad := int32(f.Length) - int32(len(data)); pad > 0 {
1715 sc.sendWindowUpdate32(nil, pad)
1716 sc.sendWindowUpdate32(st, pad)
1717 }
1718 }
1719 if f.StreamEnded() {
1720 st.endStream()
1721 }
1722 return nil
1723}
1724
1725func (sc *serverConn) processGoAway(f *GoAwayFrame) error {
1726 sc.serveG.check()
1727 if f.ErrCode != ErrCodeNo {
1728 sc.logf("http2: received GOAWAY %+v, starting graceful shutdown", f)
1729 } else {
1730 sc.vlogf("http2: received GOAWAY %+v, starting graceful shutdown", f)
1731 }
1732 sc.startGracefulShutdownInternal()
1733 // http://tools.ietf.org/html/rfc7540#section-6.8
1734 // We should not create any new streams, which means we should disable push.
1735 sc.pushEnabled = false
1736 return nil
1737}
1738
1739// isPushed reports whether the stream is server-initiated.
1740func (st *stream) isPushed() bool {
1741 return st.id%2 == 0
1742}
1743
1744// endStream closes a Request.Body's pipe. It is called when a DATA
1745// frame says a request body is over (or after trailers).
1746func (st *stream) endStream() {
1747 sc := st.sc
1748 sc.serveG.check()
1749
1750 if st.declBodyBytes != -1 && st.declBodyBytes != st.bodyBytes {
1751 st.body.CloseWithError(fmt.Errorf("request declared a Content-Length of %d but only wrote %d bytes",
1752 st.declBodyBytes, st.bodyBytes))
1753 } else {
1754 st.body.closeWithErrorAndCode(io.EOF, st.copyTrailersToHandlerRequest)
1755 st.body.CloseWithError(io.EOF)
1756 }
1757 st.state = stateHalfClosedRemote
1758}
1759
1760// copyTrailersToHandlerRequest is run in the Handler's goroutine in
1761// its Request.Body.Read just before it gets io.EOF.
1762func (st *stream) copyTrailersToHandlerRequest() {
1763 for k, vv := range st.trailer {
1764 if _, ok := st.reqTrailer[k]; ok {
1765 // Only copy it over it was pre-declared.
1766 st.reqTrailer[k] = vv
1767 }
1768 }
1769}
1770
1771// onWriteTimeout is run on its own goroutine (from time.AfterFunc)
1772// when the stream's WriteTimeout has fired.
1773func (st *stream) onWriteTimeout() {
1774 st.sc.writeFrameFromHandler(FrameWriteRequest{write: streamError(st.id, ErrCodeInternal)})
1775}
1776
1777func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
1778 sc.serveG.check()
1779 id := f.StreamID
1780 if sc.inGoAway {
1781 // Ignore.
1782 return nil
1783 }
1784 // http://tools.ietf.org/html/rfc7540#section-5.1.1
1785 // Streams initiated by a client MUST use odd-numbered stream
1786 // identifiers. [...] An endpoint that receives an unexpected
1787 // stream identifier MUST respond with a connection error
1788 // (Section 5.4.1) of type PROTOCOL_ERROR.
1789 if id%2 != 1 {
1790 return ConnectionError(ErrCodeProtocol)
1791 }
1792 // A HEADERS frame can be used to create a new stream or
1793 // send a trailer for an open one. If we already have a stream
1794 // open, let it process its own HEADERS frame (trailers at this
1795 // point, if it's valid).
1796 if st := sc.streams[f.StreamID]; st != nil {
1797 if st.resetQueued {
1798 // We're sending RST_STREAM to close the stream, so don't bother
1799 // processing this frame.
1800 return nil
1801 }
1802 // RFC 7540, sec 5.1: If an endpoint receives additional frames, other than
1803 // WINDOW_UPDATE, PRIORITY, or RST_STREAM, for a stream that is in
1804 // this state, it MUST respond with a stream error (Section 5.4.2) of
1805 // type STREAM_CLOSED.
1806 if st.state == stateHalfClosedRemote {
1807 return streamError(id, ErrCodeStreamClosed)
1808 }
1809 return st.processTrailerHeaders(f)
1810 }
1811
1812 // [...] The identifier of a newly established stream MUST be
1813 // numerically greater than all streams that the initiating
1814 // endpoint has opened or reserved. [...] An endpoint that
1815 // receives an unexpected stream identifier MUST respond with
1816 // a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
1817 if id <= sc.maxClientStreamID {
1818 return ConnectionError(ErrCodeProtocol)
1819 }
1820 sc.maxClientStreamID = id
1821
1822 if sc.idleTimer != nil {
1823 sc.idleTimer.Stop()
1824 }
1825
1826 // http://tools.ietf.org/html/rfc7540#section-5.1.2
1827 // [...] Endpoints MUST NOT exceed the limit set by their peer. An
1828 // endpoint that receives a HEADERS frame that causes their
1829 // advertised concurrent stream limit to be exceeded MUST treat
1830 // this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR
1831 // or REFUSED_STREAM.
1832 if sc.curClientStreams+1 > sc.advMaxStreams {
1833 if sc.unackedSettings == 0 {
1834 // They should know better.
1835 return streamError(id, ErrCodeProtocol)
1836 }
1837 // Assume it's a network race, where they just haven't
1838 // received our last SETTINGS update. But actually
1839 // this can't happen yet, because we don't yet provide
1840 // a way for users to adjust server parameters at
1841 // runtime.
1842 return streamError(id, ErrCodeRefusedStream)
1843 }
1844
1845 initialState := stateOpen
1846 if f.StreamEnded() {
1847 initialState = stateHalfClosedRemote
1848 }
1849 st := sc.newStream(id, 0, initialState)
1850
1851 if f.HasPriority() {
1852 if err := checkPriority(f.StreamID, f.Priority); err != nil {
1853 return err
1854 }
1855 sc.writeSched.AdjustStream(st.id, f.Priority)
1856 }
1857
1858 rw, req, err := sc.newWriterAndRequest(st, f)
1859 if err != nil {
1860 return err
1861 }
1862 st.reqTrailer = req.Trailer
1863 if st.reqTrailer != nil {
1864 st.trailer = make(http.Header)
1865 }
1866 st.body = req.Body.(*requestBody).pipe // may be nil
1867 st.declBodyBytes = req.ContentLength
1868
1869 handler := sc.handler.ServeHTTP
1870 if f.Truncated {
1871 // Their header list was too long. Send a 431 error.
1872 handler = handleHeaderListTooLong
1873 } else if err := checkValidHTTP2RequestHeaders(req.Header); err != nil {
1874 handler = new400Handler(err)
1875 }
1876
1877 // The net/http package sets the read deadline from the
1878 // http.Server.ReadTimeout during the TLS handshake, but then
1879 // passes the connection off to us with the deadline already
1880 // set. Disarm it here after the request headers are read,
1881 // similar to how the http1 server works. Here it's
1882 // technically more like the http1 Server's ReadHeaderTimeout
1883 // (in Go 1.8), though. That's a more sane option anyway.
1884 if sc.hs.ReadTimeout != 0 {
1885 sc.conn.SetReadDeadline(time.Time{})
1886 }
1887
1888 go sc.runHandler(rw, req, handler)
1889 return nil
1890}
1891
1892func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
1893 sc := st.sc
1894 sc.serveG.check()
1895 if st.gotTrailerHeader {
1896 return ConnectionError(ErrCodeProtocol)
1897 }
1898 st.gotTrailerHeader = true
1899 if !f.StreamEnded() {
1900 return streamError(st.id, ErrCodeProtocol)
1901 }
1902
1903 if len(f.PseudoFields()) > 0 {
1904 return streamError(st.id, ErrCodeProtocol)
1905 }
1906 if st.trailer != nil {
1907 for _, hf := range f.RegularFields() {
1908 key := sc.canonicalHeader(hf.Name)
1909 if !httpguts.ValidTrailerHeader(key) {
1910 // TODO: send more details to the peer somehow. But http2 has
1911 // no way to send debug data at a stream level. Discuss with
1912 // HTTP folk.
1913 return streamError(st.id, ErrCodeProtocol)
1914 }
1915 st.trailer[key] = append(st.trailer[key], hf.Value)
1916 }
1917 }
1918 st.endStream()
1919 return nil
1920}
1921
1922func checkPriority(streamID uint32, p PriorityParam) error {
1923 if streamID == p.StreamDep {
1924 // Section 5.3.1: "A stream cannot depend on itself. An endpoint MUST treat
1925 // this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR."
1926 // Section 5.3.3 says that a stream can depend on one of its dependencies,
1927 // so it's only self-dependencies that are forbidden.
1928 return streamError(streamID, ErrCodeProtocol)
1929 }
1930 return nil
1931}
1932
1933func (sc *serverConn) processPriority(f *PriorityFrame) error {
1934 if sc.inGoAway {
1935 return nil
1936 }
1937 if err := checkPriority(f.StreamID, f.PriorityParam); err != nil {
1938 return err
1939 }
1940 sc.writeSched.AdjustStream(f.StreamID, f.PriorityParam)
1941 return nil
1942}
1943
1944func (sc *serverConn) newStream(id, pusherID uint32, state streamState) *stream {
1945 sc.serveG.check()
1946 if id == 0 {
1947 panic("internal error: cannot create stream with id 0")
1948 }
1949
1950 ctx, cancelCtx := context.WithCancel(sc.baseCtx)
1951 st := &stream{
1952 sc: sc,
1953 id: id,
1954 state: state,
1955 ctx: ctx,
1956 cancelCtx: cancelCtx,
1957 }
1958 st.cw.Init()
1959 st.flow.conn = &sc.flow // link to conn-level counter
1960 st.flow.add(sc.initialStreamSendWindowSize)
1961 st.inflow.conn = &sc.inflow // link to conn-level counter
1962 st.inflow.add(sc.srv.initialStreamRecvWindowSize())
1963 if sc.hs.WriteTimeout != 0 {
1964 st.writeDeadline = time.AfterFunc(sc.hs.WriteTimeout, st.onWriteTimeout)
1965 }
1966
1967 sc.streams[id] = st
1968 sc.writeSched.OpenStream(st.id, OpenStreamOptions{PusherID: pusherID})
1969 if st.isPushed() {
1970 sc.curPushedStreams++
1971 } else {
1972 sc.curClientStreams++
1973 }
1974 if sc.curOpenStreams() == 1 {
1975 sc.setConnState(http.StateActive)
1976 }
1977
1978 return st
1979}
1980
1981func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*responseWriter, *http.Request, error) {
1982 sc.serveG.check()
1983
1984 rp := requestParam{
1985 method: f.PseudoValue("method"),
1986 scheme: f.PseudoValue("scheme"),
1987 authority: f.PseudoValue("authority"),
1988 path: f.PseudoValue("path"),
1989 }
1990
1991 isConnect := rp.method == "CONNECT"
1992 if isConnect {
1993 if rp.path != "" || rp.scheme != "" || rp.authority == "" {
1994 return nil, nil, streamError(f.StreamID, ErrCodeProtocol)
1995 }
1996 } else if rp.method == "" || rp.path == "" || (rp.scheme != "https" && rp.scheme != "http") {
1997 // See 8.1.2.6 Malformed Requests and Responses:
1998 //
1999 // Malformed requests or responses that are detected
2000 // MUST be treated as a stream error (Section 5.4.2)
2001 // of type PROTOCOL_ERROR."
2002 //
2003 // 8.1.2.3 Request Pseudo-Header Fields
2004 // "All HTTP/2 requests MUST include exactly one valid
2005 // value for the :method, :scheme, and :path
2006 // pseudo-header fields"
2007 return nil, nil, streamError(f.StreamID, ErrCodeProtocol)
2008 }
2009
2010 bodyOpen := !f.StreamEnded()
2011 if rp.method == "HEAD" && bodyOpen {
2012 // HEAD requests can't have bodies
2013 return nil, nil, streamError(f.StreamID, ErrCodeProtocol)
2014 }
2015
2016 rp.header = make(http.Header)
2017 for _, hf := range f.RegularFields() {
2018 rp.header.Add(sc.canonicalHeader(hf.Name), hf.Value)
2019 }
2020 if rp.authority == "" {
2021 rp.authority = rp.header.Get("Host")
2022 }
2023
2024 rw, req, err := sc.newWriterAndRequestNoBody(st, rp)
2025 if err != nil {
2026 return nil, nil, err
2027 }
2028 if bodyOpen {
2029 if vv, ok := rp.header["Content-Length"]; ok {
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00002030 if cl, err := strconv.ParseUint(vv[0], 10, 63); err == nil {
2031 req.ContentLength = int64(cl)
2032 } else {
2033 req.ContentLength = 0
2034 }
Don Newton98fd8812019-09-23 15:15:02 -04002035 } else {
2036 req.ContentLength = -1
2037 }
2038 req.Body.(*requestBody).pipe = &pipe{
2039 b: &dataBuffer{expected: req.ContentLength},
2040 }
2041 }
2042 return rw, req, nil
2043}
2044
2045type requestParam struct {
2046 method string
2047 scheme, authority, path string
2048 header http.Header
2049}
2050
2051func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*responseWriter, *http.Request, error) {
2052 sc.serveG.check()
2053
2054 var tlsState *tls.ConnectionState // nil if not scheme https
2055 if rp.scheme == "https" {
2056 tlsState = sc.tlsState
2057 }
2058
2059 needsContinue := rp.header.Get("Expect") == "100-continue"
2060 if needsContinue {
2061 rp.header.Del("Expect")
2062 }
2063 // Merge Cookie headers into one "; "-delimited value.
2064 if cookies := rp.header["Cookie"]; len(cookies) > 1 {
2065 rp.header.Set("Cookie", strings.Join(cookies, "; "))
2066 }
2067
2068 // Setup Trailers
2069 var trailer http.Header
2070 for _, v := range rp.header["Trailer"] {
2071 for _, key := range strings.Split(v, ",") {
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00002072 key = http.CanonicalHeaderKey(textproto.TrimString(key))
Don Newton98fd8812019-09-23 15:15:02 -04002073 switch key {
2074 case "Transfer-Encoding", "Trailer", "Content-Length":
2075 // Bogus. (copy of http1 rules)
2076 // Ignore.
2077 default:
2078 if trailer == nil {
2079 trailer = make(http.Header)
2080 }
2081 trailer[key] = nil
2082 }
2083 }
2084 }
2085 delete(rp.header, "Trailer")
2086
2087 var url_ *url.URL
2088 var requestURI string
2089 if rp.method == "CONNECT" {
2090 url_ = &url.URL{Host: rp.authority}
2091 requestURI = rp.authority // mimic HTTP/1 server behavior
2092 } else {
2093 var err error
2094 url_, err = url.ParseRequestURI(rp.path)
2095 if err != nil {
2096 return nil, nil, streamError(st.id, ErrCodeProtocol)
2097 }
2098 requestURI = rp.path
2099 }
2100
2101 body := &requestBody{
2102 conn: sc,
2103 stream: st,
2104 needsContinue: needsContinue,
2105 }
2106 req := &http.Request{
2107 Method: rp.method,
2108 URL: url_,
2109 RemoteAddr: sc.remoteAddrStr,
2110 Header: rp.header,
2111 RequestURI: requestURI,
2112 Proto: "HTTP/2.0",
2113 ProtoMajor: 2,
2114 ProtoMinor: 0,
2115 TLS: tlsState,
2116 Host: rp.authority,
2117 Body: body,
2118 Trailer: trailer,
2119 }
2120 req = req.WithContext(st.ctx)
2121
2122 rws := responseWriterStatePool.Get().(*responseWriterState)
2123 bwSave := rws.bw
2124 *rws = responseWriterState{} // zero all the fields
2125 rws.conn = sc
2126 rws.bw = bwSave
2127 rws.bw.Reset(chunkWriter{rws})
2128 rws.stream = st
2129 rws.req = req
2130 rws.body = body
2131
2132 rw := &responseWriter{rws: rws}
2133 return rw, req, nil
2134}
2135
2136// Run on its own goroutine.
2137func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
2138 didPanic := true
2139 defer func() {
2140 rw.rws.stream.cancelCtx()
2141 if didPanic {
2142 e := recover()
2143 sc.writeFrameFromHandler(FrameWriteRequest{
2144 write: handlerPanicRST{rw.rws.stream.id},
2145 stream: rw.rws.stream,
2146 })
2147 // Same as net/http:
2148 if e != nil && e != http.ErrAbortHandler {
2149 const size = 64 << 10
2150 buf := make([]byte, size)
2151 buf = buf[:runtime.Stack(buf, false)]
2152 sc.logf("http2: panic serving %v: %v\n%s", sc.conn.RemoteAddr(), e, buf)
2153 }
2154 return
2155 }
2156 rw.handlerDone()
2157 }()
2158 handler(rw, req)
2159 didPanic = false
2160}
2161
2162func handleHeaderListTooLong(w http.ResponseWriter, r *http.Request) {
2163 // 10.5.1 Limits on Header Block Size:
2164 // .. "A server that receives a larger header block than it is
2165 // willing to handle can send an HTTP 431 (Request Header Fields Too
2166 // Large) status code"
2167 const statusRequestHeaderFieldsTooLarge = 431 // only in Go 1.6+
2168 w.WriteHeader(statusRequestHeaderFieldsTooLarge)
2169 io.WriteString(w, "<h1>HTTP Error 431</h1><p>Request Header Field(s) Too Large</p>")
2170}
2171
2172// called from handler goroutines.
2173// h may be nil.
2174func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) error {
2175 sc.serveG.checkNotOn() // NOT on
2176 var errc chan error
2177 if headerData.h != nil {
2178 // If there's a header map (which we don't own), so we have to block on
2179 // waiting for this frame to be written, so an http.Flush mid-handler
2180 // writes out the correct value of keys, before a handler later potentially
2181 // mutates it.
2182 errc = errChanPool.Get().(chan error)
2183 }
2184 if err := sc.writeFrameFromHandler(FrameWriteRequest{
2185 write: headerData,
2186 stream: st,
2187 done: errc,
2188 }); err != nil {
2189 return err
2190 }
2191 if errc != nil {
2192 select {
2193 case err := <-errc:
2194 errChanPool.Put(errc)
2195 return err
2196 case <-sc.doneServing:
2197 return errClientDisconnected
2198 case <-st.cw:
2199 return errStreamClosed
2200 }
2201 }
2202 return nil
2203}
2204
2205// called from handler goroutines.
2206func (sc *serverConn) write100ContinueHeaders(st *stream) {
2207 sc.writeFrameFromHandler(FrameWriteRequest{
2208 write: write100ContinueHeadersFrame{st.id},
2209 stream: st,
2210 })
2211}
2212
2213// A bodyReadMsg tells the server loop that the http.Handler read n
2214// bytes of the DATA from the client on the given stream.
2215type bodyReadMsg struct {
2216 st *stream
2217 n int
2218}
2219
2220// called from handler goroutines.
2221// Notes that the handler for the given stream ID read n bytes of its body
2222// and schedules flow control tokens to be sent.
2223func (sc *serverConn) noteBodyReadFromHandler(st *stream, n int, err error) {
2224 sc.serveG.checkNotOn() // NOT on
2225 if n > 0 {
2226 select {
2227 case sc.bodyReadCh <- bodyReadMsg{st, n}:
2228 case <-sc.doneServing:
2229 }
2230 }
2231}
2232
2233func (sc *serverConn) noteBodyRead(st *stream, n int) {
2234 sc.serveG.check()
2235 sc.sendWindowUpdate(nil, n) // conn-level
2236 if st.state != stateHalfClosedRemote && st.state != stateClosed {
2237 // Don't send this WINDOW_UPDATE if the stream is closed
2238 // remotely.
2239 sc.sendWindowUpdate(st, n)
2240 }
2241}
2242
2243// st may be nil for conn-level
2244func (sc *serverConn) sendWindowUpdate(st *stream, n int) {
2245 sc.serveG.check()
2246 // "The legal range for the increment to the flow control
2247 // window is 1 to 2^31-1 (2,147,483,647) octets."
2248 // A Go Read call on 64-bit machines could in theory read
2249 // a larger Read than this. Very unlikely, but we handle it here
2250 // rather than elsewhere for now.
2251 const maxUint31 = 1<<31 - 1
2252 for n >= maxUint31 {
2253 sc.sendWindowUpdate32(st, maxUint31)
2254 n -= maxUint31
2255 }
2256 sc.sendWindowUpdate32(st, int32(n))
2257}
2258
2259// st may be nil for conn-level
2260func (sc *serverConn) sendWindowUpdate32(st *stream, n int32) {
2261 sc.serveG.check()
2262 if n == 0 {
2263 return
2264 }
2265 if n < 0 {
2266 panic("negative update")
2267 }
2268 var streamID uint32
2269 if st != nil {
2270 streamID = st.id
2271 }
2272 sc.writeFrame(FrameWriteRequest{
2273 write: writeWindowUpdate{streamID: streamID, n: uint32(n)},
2274 stream: st,
2275 })
2276 var ok bool
2277 if st == nil {
2278 ok = sc.inflow.add(n)
2279 } else {
2280 ok = st.inflow.add(n)
2281 }
2282 if !ok {
2283 panic("internal error; sent too many window updates without decrements?")
2284 }
2285}
2286
2287// requestBody is the Handler's Request.Body type.
2288// Read and Close may be called concurrently.
2289type requestBody struct {
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00002290 _ incomparable
Don Newton98fd8812019-09-23 15:15:02 -04002291 stream *stream
2292 conn *serverConn
2293 closed bool // for use by Close only
2294 sawEOF bool // for use by Read only
2295 pipe *pipe // non-nil if we have a HTTP entity message body
2296 needsContinue bool // need to send a 100-continue
2297}
2298
2299func (b *requestBody) Close() error {
2300 if b.pipe != nil && !b.closed {
2301 b.pipe.BreakWithError(errClosedBody)
2302 }
2303 b.closed = true
2304 return nil
2305}
2306
2307func (b *requestBody) Read(p []byte) (n int, err error) {
2308 if b.needsContinue {
2309 b.needsContinue = false
2310 b.conn.write100ContinueHeaders(b.stream)
2311 }
2312 if b.pipe == nil || b.sawEOF {
2313 return 0, io.EOF
2314 }
2315 n, err = b.pipe.Read(p)
2316 if err == io.EOF {
2317 b.sawEOF = true
2318 }
2319 if b.conn == nil && inTests {
2320 return
2321 }
2322 b.conn.noteBodyReadFromHandler(b.stream, n, err)
2323 return
2324}
2325
2326// responseWriter is the http.ResponseWriter implementation. It's
2327// intentionally small (1 pointer wide) to minimize garbage. The
2328// responseWriterState pointer inside is zeroed at the end of a
2329// request (in handlerDone) and calls on the responseWriter thereafter
2330// simply crash (caller's mistake), but the much larger responseWriterState
2331// and buffers are reused between multiple requests.
2332type responseWriter struct {
2333 rws *responseWriterState
2334}
2335
2336// Optional http.ResponseWriter interfaces implemented.
2337var (
2338 _ http.CloseNotifier = (*responseWriter)(nil)
2339 _ http.Flusher = (*responseWriter)(nil)
2340 _ stringWriter = (*responseWriter)(nil)
2341)
2342
2343type responseWriterState struct {
2344 // immutable within a request:
2345 stream *stream
2346 req *http.Request
2347 body *requestBody // to close at end of request, if DATA frames didn't
2348 conn *serverConn
2349
2350 // TODO: adjust buffer writing sizes based on server config, frame size updates from peer, etc
2351 bw *bufio.Writer // writing to a chunkWriter{this *responseWriterState}
2352
2353 // mutated by http.Handler goroutine:
2354 handlerHeader http.Header // nil until called
2355 snapHeader http.Header // snapshot of handlerHeader at WriteHeader time
2356 trailers []string // set in writeChunk
2357 status int // status code passed to WriteHeader
2358 wroteHeader bool // WriteHeader called (explicitly or implicitly). Not necessarily sent to user yet.
2359 sentHeader bool // have we sent the header frame?
2360 handlerDone bool // handler has finished
2361 dirty bool // a Write failed; don't reuse this responseWriterState
2362
2363 sentContentLen int64 // non-zero if handler set a Content-Length header
2364 wroteBytes int64
2365
2366 closeNotifierMu sync.Mutex // guards closeNotifierCh
2367 closeNotifierCh chan bool // nil until first used
2368}
2369
2370type chunkWriter struct{ rws *responseWriterState }
2371
2372func (cw chunkWriter) Write(p []byte) (n int, err error) { return cw.rws.writeChunk(p) }
2373
2374func (rws *responseWriterState) hasTrailers() bool { return len(rws.trailers) > 0 }
2375
2376func (rws *responseWriterState) hasNonemptyTrailers() bool {
2377 for _, trailer := range rws.trailers {
2378 if _, ok := rws.handlerHeader[trailer]; ok {
2379 return true
2380 }
2381 }
2382 return false
2383}
2384
2385// declareTrailer is called for each Trailer header when the
2386// response header is written. It notes that a header will need to be
2387// written in the trailers at the end of the response.
2388func (rws *responseWriterState) declareTrailer(k string) {
2389 k = http.CanonicalHeaderKey(k)
2390 if !httpguts.ValidTrailerHeader(k) {
2391 // Forbidden by RFC 7230, section 4.1.2.
2392 rws.conn.logf("ignoring invalid trailer %q", k)
2393 return
2394 }
2395 if !strSliceContains(rws.trailers, k) {
2396 rws.trailers = append(rws.trailers, k)
2397 }
2398}
2399
2400// writeChunk writes chunks from the bufio.Writer. But because
2401// bufio.Writer may bypass its chunking, sometimes p may be
2402// arbitrarily large.
2403//
2404// writeChunk is also responsible (on the first chunk) for sending the
2405// HEADER response.
2406func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
2407 if !rws.wroteHeader {
2408 rws.writeHeader(200)
2409 }
2410
2411 isHeadResp := rws.req.Method == "HEAD"
2412 if !rws.sentHeader {
2413 rws.sentHeader = true
2414 var ctype, clen string
2415 if clen = rws.snapHeader.Get("Content-Length"); clen != "" {
2416 rws.snapHeader.Del("Content-Length")
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00002417 if cl, err := strconv.ParseUint(clen, 10, 63); err == nil {
2418 rws.sentContentLen = int64(cl)
Don Newton98fd8812019-09-23 15:15:02 -04002419 } else {
2420 clen = ""
2421 }
2422 }
2423 if clen == "" && rws.handlerDone && bodyAllowedForStatus(rws.status) && (len(p) > 0 || !isHeadResp) {
2424 clen = strconv.Itoa(len(p))
2425 }
2426 _, hasContentType := rws.snapHeader["Content-Type"]
Don Newtone0d34a82019-11-14 10:58:06 -05002427 // If the Content-Encoding is non-blank, we shouldn't
2428 // sniff the body. See Issue golang.org/issue/31753.
2429 ce := rws.snapHeader.Get("Content-Encoding")
2430 hasCE := len(ce) > 0
2431 if !hasCE && !hasContentType && bodyAllowedForStatus(rws.status) && len(p) > 0 {
Don Newton98fd8812019-09-23 15:15:02 -04002432 ctype = http.DetectContentType(p)
2433 }
2434 var date string
2435 if _, ok := rws.snapHeader["Date"]; !ok {
2436 // TODO(bradfitz): be faster here, like net/http? measure.
2437 date = time.Now().UTC().Format(http.TimeFormat)
2438 }
2439
2440 for _, v := range rws.snapHeader["Trailer"] {
2441 foreachHeaderElement(v, rws.declareTrailer)
2442 }
2443
2444 // "Connection" headers aren't allowed in HTTP/2 (RFC 7540, 8.1.2.2),
2445 // but respect "Connection" == "close" to mean sending a GOAWAY and tearing
2446 // down the TCP connection when idle, like we do for HTTP/1.
2447 // TODO: remove more Connection-specific header fields here, in addition
2448 // to "Connection".
2449 if _, ok := rws.snapHeader["Connection"]; ok {
2450 v := rws.snapHeader.Get("Connection")
2451 delete(rws.snapHeader, "Connection")
2452 if v == "close" {
2453 rws.conn.startGracefulShutdown()
2454 }
2455 }
2456
2457 endStream := (rws.handlerDone && !rws.hasTrailers() && len(p) == 0) || isHeadResp
2458 err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{
2459 streamID: rws.stream.id,
2460 httpResCode: rws.status,
2461 h: rws.snapHeader,
2462 endStream: endStream,
2463 contentType: ctype,
2464 contentLength: clen,
2465 date: date,
2466 })
2467 if err != nil {
2468 rws.dirty = true
2469 return 0, err
2470 }
2471 if endStream {
2472 return 0, nil
2473 }
2474 }
2475 if isHeadResp {
2476 return len(p), nil
2477 }
2478 if len(p) == 0 && !rws.handlerDone {
2479 return 0, nil
2480 }
2481
2482 if rws.handlerDone {
2483 rws.promoteUndeclaredTrailers()
2484 }
2485
2486 // only send trailers if they have actually been defined by the
2487 // server handler.
2488 hasNonemptyTrailers := rws.hasNonemptyTrailers()
2489 endStream := rws.handlerDone && !hasNonemptyTrailers
2490 if len(p) > 0 || endStream {
2491 // only send a 0 byte DATA frame if we're ending the stream.
2492 if err := rws.conn.writeDataFromHandler(rws.stream, p, endStream); err != nil {
2493 rws.dirty = true
2494 return 0, err
2495 }
2496 }
2497
2498 if rws.handlerDone && hasNonemptyTrailers {
2499 err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{
2500 streamID: rws.stream.id,
2501 h: rws.handlerHeader,
2502 trailers: rws.trailers,
2503 endStream: true,
2504 })
2505 if err != nil {
2506 rws.dirty = true
2507 }
2508 return len(p), err
2509 }
2510 return len(p), nil
2511}
2512
2513// TrailerPrefix is a magic prefix for ResponseWriter.Header map keys
2514// that, if present, signals that the map entry is actually for
2515// the response trailers, and not the response headers. The prefix
2516// is stripped after the ServeHTTP call finishes and the values are
2517// sent in the trailers.
2518//
2519// This mechanism is intended only for trailers that are not known
2520// prior to the headers being written. If the set of trailers is fixed
2521// or known before the header is written, the normal Go trailers mechanism
2522// is preferred:
2523// https://golang.org/pkg/net/http/#ResponseWriter
2524// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
2525const TrailerPrefix = "Trailer:"
2526
2527// promoteUndeclaredTrailers permits http.Handlers to set trailers
2528// after the header has already been flushed. Because the Go
2529// ResponseWriter interface has no way to set Trailers (only the
2530// Header), and because we didn't want to expand the ResponseWriter
2531// interface, and because nobody used trailers, and because RFC 7230
2532// says you SHOULD (but not must) predeclare any trailers in the
2533// header, the official ResponseWriter rules said trailers in Go must
2534// be predeclared, and then we reuse the same ResponseWriter.Header()
2535// map to mean both Headers and Trailers. When it's time to write the
2536// Trailers, we pick out the fields of Headers that were declared as
2537// trailers. That worked for a while, until we found the first major
2538// user of Trailers in the wild: gRPC (using them only over http2),
2539// and gRPC libraries permit setting trailers mid-stream without
2540// predeclaring them. So: change of plans. We still permit the old
2541// way, but we also permit this hack: if a Header() key begins with
2542// "Trailer:", the suffix of that key is a Trailer. Because ':' is an
2543// invalid token byte anyway, there is no ambiguity. (And it's already
2544// filtered out) It's mildly hacky, but not terrible.
2545//
2546// This method runs after the Handler is done and promotes any Header
2547// fields to be trailers.
2548func (rws *responseWriterState) promoteUndeclaredTrailers() {
2549 for k, vv := range rws.handlerHeader {
2550 if !strings.HasPrefix(k, TrailerPrefix) {
2551 continue
2552 }
2553 trailerKey := strings.TrimPrefix(k, TrailerPrefix)
2554 rws.declareTrailer(trailerKey)
2555 rws.handlerHeader[http.CanonicalHeaderKey(trailerKey)] = vv
2556 }
2557
2558 if len(rws.trailers) > 1 {
2559 sorter := sorterPool.Get().(*sorter)
2560 sorter.SortStrings(rws.trailers)
2561 sorterPool.Put(sorter)
2562 }
2563}
2564
2565func (w *responseWriter) Flush() {
2566 rws := w.rws
2567 if rws == nil {
2568 panic("Header called after Handler finished")
2569 }
2570 if rws.bw.Buffered() > 0 {
2571 if err := rws.bw.Flush(); err != nil {
2572 // Ignore the error. The frame writer already knows.
2573 return
2574 }
2575 } else {
2576 // The bufio.Writer won't call chunkWriter.Write
2577 // (writeChunk with zero bytes, so we have to do it
2578 // ourselves to force the HTTP response header and/or
2579 // final DATA frame (with END_STREAM) to be sent.
2580 rws.writeChunk(nil)
2581 }
2582}
2583
2584func (w *responseWriter) CloseNotify() <-chan bool {
2585 rws := w.rws
2586 if rws == nil {
2587 panic("CloseNotify called after Handler finished")
2588 }
2589 rws.closeNotifierMu.Lock()
2590 ch := rws.closeNotifierCh
2591 if ch == nil {
2592 ch = make(chan bool, 1)
2593 rws.closeNotifierCh = ch
2594 cw := rws.stream.cw
2595 go func() {
2596 cw.Wait() // wait for close
2597 ch <- true
2598 }()
2599 }
2600 rws.closeNotifierMu.Unlock()
2601 return ch
2602}
2603
2604func (w *responseWriter) Header() http.Header {
2605 rws := w.rws
2606 if rws == nil {
2607 panic("Header called after Handler finished")
2608 }
2609 if rws.handlerHeader == nil {
2610 rws.handlerHeader = make(http.Header)
2611 }
2612 return rws.handlerHeader
2613}
2614
2615// checkWriteHeaderCode is a copy of net/http's checkWriteHeaderCode.
2616func checkWriteHeaderCode(code int) {
2617 // Issue 22880: require valid WriteHeader status codes.
2618 // For now we only enforce that it's three digits.
2619 // In the future we might block things over 599 (600 and above aren't defined
2620 // at http://httpwg.org/specs/rfc7231.html#status.codes)
2621 // and we might block under 200 (once we have more mature 1xx support).
2622 // But for now any three digits.
2623 //
2624 // We used to send "HTTP/1.1 000 0" on the wire in responses but there's
2625 // no equivalent bogus thing we can realistically send in HTTP/2,
2626 // so we'll consistently panic instead and help people find their bugs
2627 // early. (We can't return an error from WriteHeader even if we wanted to.)
2628 if code < 100 || code > 999 {
2629 panic(fmt.Sprintf("invalid WriteHeader code %v", code))
2630 }
2631}
2632
2633func (w *responseWriter) WriteHeader(code int) {
2634 rws := w.rws
2635 if rws == nil {
2636 panic("WriteHeader called after Handler finished")
2637 }
2638 rws.writeHeader(code)
2639}
2640
2641func (rws *responseWriterState) writeHeader(code int) {
2642 if !rws.wroteHeader {
2643 checkWriteHeaderCode(code)
2644 rws.wroteHeader = true
2645 rws.status = code
2646 if len(rws.handlerHeader) > 0 {
2647 rws.snapHeader = cloneHeader(rws.handlerHeader)
2648 }
2649 }
2650}
2651
2652func cloneHeader(h http.Header) http.Header {
2653 h2 := make(http.Header, len(h))
2654 for k, vv := range h {
2655 vv2 := make([]string, len(vv))
2656 copy(vv2, vv)
2657 h2[k] = vv2
2658 }
2659 return h2
2660}
2661
2662// The Life Of A Write is like this:
2663//
2664// * Handler calls w.Write or w.WriteString ->
2665// * -> rws.bw (*bufio.Writer) ->
2666// * (Handler might call Flush)
2667// * -> chunkWriter{rws}
2668// * -> responseWriterState.writeChunk(p []byte)
2669// * -> responseWriterState.writeChunk (most of the magic; see comment there)
2670func (w *responseWriter) Write(p []byte) (n int, err error) {
2671 return w.write(len(p), p, "")
2672}
2673
2674func (w *responseWriter) WriteString(s string) (n int, err error) {
2675 return w.write(len(s), nil, s)
2676}
2677
2678// either dataB or dataS is non-zero.
2679func (w *responseWriter) write(lenData int, dataB []byte, dataS string) (n int, err error) {
2680 rws := w.rws
2681 if rws == nil {
2682 panic("Write called after Handler finished")
2683 }
2684 if !rws.wroteHeader {
2685 w.WriteHeader(200)
2686 }
2687 if !bodyAllowedForStatus(rws.status) {
2688 return 0, http.ErrBodyNotAllowed
2689 }
2690 rws.wroteBytes += int64(len(dataB)) + int64(len(dataS)) // only one can be set
2691 if rws.sentContentLen != 0 && rws.wroteBytes > rws.sentContentLen {
2692 // TODO: send a RST_STREAM
2693 return 0, errors.New("http2: handler wrote more than declared Content-Length")
2694 }
2695
2696 if dataB != nil {
2697 return rws.bw.Write(dataB)
2698 } else {
2699 return rws.bw.WriteString(dataS)
2700 }
2701}
2702
2703func (w *responseWriter) handlerDone() {
2704 rws := w.rws
2705 dirty := rws.dirty
2706 rws.handlerDone = true
2707 w.Flush()
2708 w.rws = nil
2709 if !dirty {
2710 // Only recycle the pool if all prior Write calls to
2711 // the serverConn goroutine completed successfully. If
2712 // they returned earlier due to resets from the peer
2713 // there might still be write goroutines outstanding
2714 // from the serverConn referencing the rws memory. See
2715 // issue 20704.
2716 responseWriterStatePool.Put(rws)
2717 }
2718}
2719
2720// Push errors.
2721var (
2722 ErrRecursivePush = errors.New("http2: recursive push not allowed")
2723 ErrPushLimitReached = errors.New("http2: push would exceed peer's SETTINGS_MAX_CONCURRENT_STREAMS")
2724)
2725
2726var _ http.Pusher = (*responseWriter)(nil)
2727
2728func (w *responseWriter) Push(target string, opts *http.PushOptions) error {
2729 st := w.rws.stream
2730 sc := st.sc
2731 sc.serveG.checkNotOn()
2732
2733 // No recursive pushes: "PUSH_PROMISE frames MUST only be sent on a peer-initiated stream."
2734 // http://tools.ietf.org/html/rfc7540#section-6.6
2735 if st.isPushed() {
2736 return ErrRecursivePush
2737 }
2738
2739 if opts == nil {
2740 opts = new(http.PushOptions)
2741 }
2742
2743 // Default options.
2744 if opts.Method == "" {
2745 opts.Method = "GET"
2746 }
2747 if opts.Header == nil {
2748 opts.Header = http.Header{}
2749 }
2750 wantScheme := "http"
2751 if w.rws.req.TLS != nil {
2752 wantScheme = "https"
2753 }
2754
2755 // Validate the request.
2756 u, err := url.Parse(target)
2757 if err != nil {
2758 return err
2759 }
2760 if u.Scheme == "" {
2761 if !strings.HasPrefix(target, "/") {
2762 return fmt.Errorf("target must be an absolute URL or an absolute path: %q", target)
2763 }
2764 u.Scheme = wantScheme
2765 u.Host = w.rws.req.Host
2766 } else {
2767 if u.Scheme != wantScheme {
2768 return fmt.Errorf("cannot push URL with scheme %q from request with scheme %q", u.Scheme, wantScheme)
2769 }
2770 if u.Host == "" {
2771 return errors.New("URL must have a host")
2772 }
2773 }
2774 for k := range opts.Header {
2775 if strings.HasPrefix(k, ":") {
2776 return fmt.Errorf("promised request headers cannot include pseudo header %q", k)
2777 }
2778 // These headers are meaningful only if the request has a body,
2779 // but PUSH_PROMISE requests cannot have a body.
2780 // http://tools.ietf.org/html/rfc7540#section-8.2
2781 // Also disallow Host, since the promised URL must be absolute.
David K. Bainbridgee05cf0c2021-08-19 03:16:50 +00002782 if asciiEqualFold(k, "content-length") ||
2783 asciiEqualFold(k, "content-encoding") ||
2784 asciiEqualFold(k, "trailer") ||
2785 asciiEqualFold(k, "te") ||
2786 asciiEqualFold(k, "expect") ||
2787 asciiEqualFold(k, "host") {
Don Newton98fd8812019-09-23 15:15:02 -04002788 return fmt.Errorf("promised request headers cannot include %q", k)
2789 }
2790 }
2791 if err := checkValidHTTP2RequestHeaders(opts.Header); err != nil {
2792 return err
2793 }
2794
2795 // The RFC effectively limits promised requests to GET and HEAD:
2796 // "Promised requests MUST be cacheable [GET, HEAD, or POST], and MUST be safe [GET or HEAD]"
2797 // http://tools.ietf.org/html/rfc7540#section-8.2
2798 if opts.Method != "GET" && opts.Method != "HEAD" {
2799 return fmt.Errorf("method %q must be GET or HEAD", opts.Method)
2800 }
2801
2802 msg := &startPushRequest{
2803 parent: st,
2804 method: opts.Method,
2805 url: u,
2806 header: cloneHeader(opts.Header),
2807 done: errChanPool.Get().(chan error),
2808 }
2809
2810 select {
2811 case <-sc.doneServing:
2812 return errClientDisconnected
2813 case <-st.cw:
2814 return errStreamClosed
2815 case sc.serveMsgCh <- msg:
2816 }
2817
2818 select {
2819 case <-sc.doneServing:
2820 return errClientDisconnected
2821 case <-st.cw:
2822 return errStreamClosed
2823 case err := <-msg.done:
2824 errChanPool.Put(msg.done)
2825 return err
2826 }
2827}
2828
2829type startPushRequest struct {
2830 parent *stream
2831 method string
2832 url *url.URL
2833 header http.Header
2834 done chan error
2835}
2836
2837func (sc *serverConn) startPush(msg *startPushRequest) {
2838 sc.serveG.check()
2839
2840 // http://tools.ietf.org/html/rfc7540#section-6.6.
2841 // PUSH_PROMISE frames MUST only be sent on a peer-initiated stream that
2842 // is in either the "open" or "half-closed (remote)" state.
2843 if msg.parent.state != stateOpen && msg.parent.state != stateHalfClosedRemote {
2844 // responseWriter.Push checks that the stream is peer-initiated.
2845 msg.done <- errStreamClosed
2846 return
2847 }
2848
2849 // http://tools.ietf.org/html/rfc7540#section-6.6.
2850 if !sc.pushEnabled {
2851 msg.done <- http.ErrNotSupported
2852 return
2853 }
2854
2855 // PUSH_PROMISE frames must be sent in increasing order by stream ID, so
2856 // we allocate an ID for the promised stream lazily, when the PUSH_PROMISE
2857 // is written. Once the ID is allocated, we start the request handler.
2858 allocatePromisedID := func() (uint32, error) {
2859 sc.serveG.check()
2860
2861 // Check this again, just in case. Technically, we might have received
2862 // an updated SETTINGS by the time we got around to writing this frame.
2863 if !sc.pushEnabled {
2864 return 0, http.ErrNotSupported
2865 }
2866 // http://tools.ietf.org/html/rfc7540#section-6.5.2.
2867 if sc.curPushedStreams+1 > sc.clientMaxStreams {
2868 return 0, ErrPushLimitReached
2869 }
2870
2871 // http://tools.ietf.org/html/rfc7540#section-5.1.1.
2872 // Streams initiated by the server MUST use even-numbered identifiers.
2873 // A server that is unable to establish a new stream identifier can send a GOAWAY
2874 // frame so that the client is forced to open a new connection for new streams.
2875 if sc.maxPushPromiseID+2 >= 1<<31 {
2876 sc.startGracefulShutdownInternal()
2877 return 0, ErrPushLimitReached
2878 }
2879 sc.maxPushPromiseID += 2
2880 promisedID := sc.maxPushPromiseID
2881
2882 // http://tools.ietf.org/html/rfc7540#section-8.2.
2883 // Strictly speaking, the new stream should start in "reserved (local)", then
2884 // transition to "half closed (remote)" after sending the initial HEADERS, but
2885 // we start in "half closed (remote)" for simplicity.
2886 // See further comments at the definition of stateHalfClosedRemote.
2887 promised := sc.newStream(promisedID, msg.parent.id, stateHalfClosedRemote)
2888 rw, req, err := sc.newWriterAndRequestNoBody(promised, requestParam{
2889 method: msg.method,
2890 scheme: msg.url.Scheme,
2891 authority: msg.url.Host,
2892 path: msg.url.RequestURI(),
2893 header: cloneHeader(msg.header), // clone since handler runs concurrently with writing the PUSH_PROMISE
2894 })
2895 if err != nil {
2896 // Should not happen, since we've already validated msg.url.
2897 panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
2898 }
2899
2900 go sc.runHandler(rw, req, sc.handler.ServeHTTP)
2901 return promisedID, nil
2902 }
2903
2904 sc.writeFrame(FrameWriteRequest{
2905 write: &writePushPromise{
2906 streamID: msg.parent.id,
2907 method: msg.method,
2908 url: msg.url,
2909 h: msg.header,
2910 allocatePromisedID: allocatePromisedID,
2911 },
2912 stream: msg.parent,
2913 done: msg.done,
2914 })
2915}
2916
2917// foreachHeaderElement splits v according to the "#rule" construction
2918// in RFC 7230 section 7 and calls fn for each non-empty element.
2919func foreachHeaderElement(v string, fn func(string)) {
2920 v = textproto.TrimString(v)
2921 if v == "" {
2922 return
2923 }
2924 if !strings.Contains(v, ",") {
2925 fn(v)
2926 return
2927 }
2928 for _, f := range strings.Split(v, ",") {
2929 if f = textproto.TrimString(f); f != "" {
2930 fn(f)
2931 }
2932 }
2933}
2934
2935// From http://httpwg.org/specs/rfc7540.html#rfc.section.8.1.2.2
2936var connHeaders = []string{
2937 "Connection",
2938 "Keep-Alive",
2939 "Proxy-Connection",
2940 "Transfer-Encoding",
2941 "Upgrade",
2942}
2943
2944// checkValidHTTP2RequestHeaders checks whether h is a valid HTTP/2 request,
2945// per RFC 7540 Section 8.1.2.2.
2946// The returned error is reported to users.
2947func checkValidHTTP2RequestHeaders(h http.Header) error {
2948 for _, k := range connHeaders {
2949 if _, ok := h[k]; ok {
2950 return fmt.Errorf("request header %q is not valid in HTTP/2", k)
2951 }
2952 }
2953 te := h["Te"]
2954 if len(te) > 0 && (len(te) > 1 || (te[0] != "trailers" && te[0] != "")) {
2955 return errors.New(`request header "TE" may only be "trailers" in HTTP/2`)
2956 }
2957 return nil
2958}
2959
2960func new400Handler(err error) http.HandlerFunc {
2961 return func(w http.ResponseWriter, r *http.Request) {
2962 http.Error(w, err.Error(), http.StatusBadRequest)
2963 }
2964}
2965
2966// h1ServerKeepAlivesDisabled reports whether hs has its keep-alives
2967// disabled. See comments on h1ServerShutdownChan above for why
2968// the code is written this way.
2969func h1ServerKeepAlivesDisabled(hs *http.Server) bool {
2970 var x interface{} = hs
2971 type I interface {
2972 doKeepAlives() bool
2973 }
2974 if hs, ok := x.(I); ok {
2975 return !hs.doKeepAlives()
2976 }
2977 return false
2978}