1// Copyright 2014 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5// TODO: turn off the serve goroutine when idle, so 6// an idle conn only has the readFrames goroutine active. (which could 7// also be optimized probably to pin less memory in crypto/tls). This 8// would involve tracking when the serve goroutine is active (atomic 9// int32 read/CAS probably?) and starting it up when frames arrive, 10// and shutting it down when all handlers exit. the occasional PING 11// packets could use time.AfterFunc to call sc.wakeStartServeLoop() 12// (which is a no-op if already running) and then queue the PING write 13// as normal. The serve loop would then exit in most cases (if no 14// Handlers running) and not be woken up again until the PING packet 15// returns. 16 17// TODO (maybe): add a mechanism for Handlers to going into 18// half-closed-local mode (rw.(io.Closer) test?) but not exit their 19// handler, and continue to be able to read from the 20// Request.Body. This would be a somewhat semantic change from HTTP/1 21// (or at least what we expose in net/http), so I'd probably want to 22// add it there too. For now, this package says that returning from 23// the Handler ServeHTTP function means you're both done reading and 24// done writing, without a way to stop just one or the other. 25 26package http2 27 28import ( 29 "bufio" 30 "bytes" 31 "crypto/tls" 32 "errors" 33 "fmt" 34 "io" 35 "log" 36 "math" 37 "net" 38 "net/http" 39 "net/textproto" 40 "net/url" 41 "os" 42 "reflect" 43 "runtime" 44 "strconv" 45 "strings" 46 "sync" 47 "time" 48 49 "golang.org/x/net/http2/hpack" 50) 51 52const ( 53 prefaceTimeout = 10 * time.Second 54 firstSettingsTimeout = 2 * time.Second // should be in-flight with preface anyway 55 handlerChunkWriteSize = 4 << 10 56 defaultMaxStreams = 250 // TODO: make this 100 as the GFE seems to? 57) 58 59var ( 60 errClientDisconnected = errors.New("client disconnected") 61 errClosedBody = errors.New("body closed by handler") 62 errHandlerComplete = errors.New("http2: request body closed due to handler exiting") 63 errStreamClosed = errors.New("http2: stream closed") 64) 65 66var responseWriterStatePool = sync.Pool{ 67 New: func() interface{} { 68 rws := &responseWriterState{} 69 rws.bw = bufio.NewWriterSize(chunkWriter{rws}, handlerChunkWriteSize) 70 return rws 71 }, 72} 73 74// Test hooks. 75var ( 76 testHookOnConn func() 77 testHookGetServerConn func(*serverConn) 78 testHookOnPanicMu *sync.Mutex // nil except in tests 79 testHookOnPanic func(sc *serverConn, panicVal interface{}) (rePanic bool) 80) 81 82// Server is an HTTP/2 server. 83type Server struct { 84 // MaxHandlers limits the number of http.Handler ServeHTTP goroutines 85 // which may run at a time over all connections. 86 // Negative or zero no limit. 87 // TODO: implement 88 MaxHandlers int 89 90 // MaxConcurrentStreams optionally specifies the number of 91 // concurrent streams that each client may have open at a 92 // time. This is unrelated to the number of http.Handler goroutines 93 // which may be active globally, which is MaxHandlers. 94 // If zero, MaxConcurrentStreams defaults to at least 100, per 95 // the HTTP/2 spec's recommendations. 96 MaxConcurrentStreams uint32 97 98 // MaxReadFrameSize optionally specifies the largest frame 99 // this server is willing to read. A valid value is between 100 // 16k and 16M, inclusive. If zero or otherwise invalid, a 101 // default value is used. 102 MaxReadFrameSize uint32 103 104 // PermitProhibitedCipherSuites, if true, permits the use of 105 // cipher suites prohibited by the HTTP/2 spec. 106 PermitProhibitedCipherSuites bool 107 108 // IdleTimeout specifies how long until idle clients should be 109 // closed with a GOAWAY frame. PING frames are not considered 110 // activity for the purposes of IdleTimeout. 111 IdleTimeout time.Duration 112 113 // MaxUploadBufferPerConnection is the size of the initial flow 114 // control window for each connections. The HTTP/2 spec does not 115 // allow this to be smaller than 65535 or larger than 2^32-1. 116 // If the value is outside this range, a default value will be 117 // used instead. 118 MaxUploadBufferPerConnection int32 119 120 // MaxUploadBufferPerStream is the size of the initial flow control 121 // window for each stream. The HTTP/2 spec does not allow this to 122 // be larger than 2^32-1. If the value is zero or larger than the 123 // maximum, a default value will be used instead. 124 MaxUploadBufferPerStream int32 125 126 // NewWriteScheduler constructs a write scheduler for a connection. 127 // If nil, a default scheduler is chosen. 128 NewWriteScheduler func() WriteScheduler 129 130 // Internal state. This is a pointer (rather than embedded directly) 131 // so that we don't embed a Mutex in this struct, which will make the 132 // struct non-copyable, which might break some callers. 133 state *serverInternalState 134} 135 136func (s *Server) initialConnRecvWindowSize() int32 { 137 if s.MaxUploadBufferPerConnection > initialWindowSize { 138 return s.MaxUploadBufferPerConnection 139 } 140 return 1 << 20 141} 142 143func (s *Server) initialStreamRecvWindowSize() int32 { 144 if s.MaxUploadBufferPerStream > 0 { 145 return s.MaxUploadBufferPerStream 146 } 147 return 1 << 20 148} 149 150func (s *Server) maxReadFrameSize() uint32 { 151 if v := s.MaxReadFrameSize; v >= minMaxFrameSize && v <= maxFrameSize { 152 return v 153 } 154 return defaultMaxReadFrameSize 155} 156 157func (s *Server) maxConcurrentStreams() uint32 { 158 if v := s.MaxConcurrentStreams; v > 0 { 159 return v 160 } 161 return defaultMaxStreams 162} 163 164type serverInternalState struct { 165 mu sync.Mutex 166 activeConns map[*serverConn]struct{} 167} 168 169func (s *serverInternalState) registerConn(sc *serverConn) { 170 if s == nil { 171 return // if the Server was used without calling ConfigureServer 172 } 173 s.mu.Lock() 174 s.activeConns[sc] = struct{}{} 175 s.mu.Unlock() 176} 177 178func (s *serverInternalState) unregisterConn(sc *serverConn) { 179 if s == nil { 180 return // if the Server was used without calling ConfigureServer 181 } 182 s.mu.Lock() 183 delete(s.activeConns, sc) 184 s.mu.Unlock() 185} 186 187func (s *serverInternalState) startGracefulShutdown() { 188 if s == nil { 189 return // if the Server was used without calling ConfigureServer 190 } 191 s.mu.Lock() 192 for sc := range s.activeConns { 193 sc.startGracefulShutdown() 194 } 195 s.mu.Unlock() 196} 197 198// ConfigureServer adds HTTP/2 support to a net/http Server. 199// 200// The configuration conf may be nil. 201// 202// ConfigureServer must be called before s begins serving. 203func ConfigureServer(s *http.Server, conf *Server) error { 204 if s == nil { 205 panic("nil *http.Server") 206 } 207 if conf == nil { 208 conf = new(Server) 209 } 210 conf.state = &serverInternalState{activeConns: make(map[*serverConn]struct{})} 211 if err := configureServer18(s, conf); err != nil { 212 return err 213 } 214 if err := configureServer19(s, conf); err != nil { 215 return err 216 } 217 218 if s.TLSConfig == nil { 219 s.TLSConfig = new(tls.Config) 220 } else if s.TLSConfig.CipherSuites != nil { 221 // If they already provided a CipherSuite list, return 222 // an error if it has a bad order or is missing 223 // ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. 224 haveRequired := false 225 sawBad := false 226 for i, cs := range s.TLSConfig.CipherSuites { 227 switch cs { 228 case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 229 // Alternative MTI cipher to not discourage ECDSA-only servers. 230 // See http://golang.org/cl/30721 for further information. 231 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 232 haveRequired = true 233 } 234 if isBadCipher(cs) { 235 sawBad = true 236 } else if sawBad { 237 return fmt.Errorf("http2: TLSConfig.CipherSuites index %d contains an HTTP/2-approved cipher suite (%#04x), but it comes after unapproved cipher suites. With this configuration, clients that don't support previous, approved cipher suites may be given an unapproved one and reject the connection.", i, cs) 238 } 239 } 240 if !haveRequired { 241 return fmt.Errorf("http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher.") 242 } 243 } 244 245 // Note: not setting MinVersion to tls.VersionTLS12, 246 // as we don't want to interfere with HTTP/1.1 traffic 247 // on the user's server. We enforce TLS 1.2 later once 248 // we accept a connection. Ideally this should be done 249 // during next-proto selection, but using TLS <1.2 with 250 // HTTP/2 is still the client's bug. 251 252 s.TLSConfig.PreferServerCipherSuites = true 253 254 haveNPN := false 255 for _, p := range s.TLSConfig.NextProtos { 256 if p == NextProtoTLS { 257 haveNPN = true 258 break 259 } 260 } 261 if !haveNPN { 262 s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, NextProtoTLS) 263 } 264 265 if s.TLSNextProto == nil { 266 s.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){} 267 } 268 protoHandler := func(hs *http.Server, c *tls.Conn, h http.Handler) { 269 if testHookOnConn != nil { 270 testHookOnConn() 271 } 272 conf.ServeConn(c, &ServeConnOpts{ 273 Handler: h, 274 BaseConfig: hs, 275 }) 276 } 277 s.TLSNextProto[NextProtoTLS] = protoHandler 278 return nil 279} 280 281// ServeConnOpts are options for the Server.ServeConn method. 282type ServeConnOpts struct { 283 // BaseConfig optionally sets the base configuration 284 // for values. If nil, defaults are used. 285 BaseConfig *http.Server 286 287 // Handler specifies which handler to use for processing 288 // requests. If nil, BaseConfig.Handler is used. If BaseConfig 289 // or BaseConfig.Handler is nil, http.DefaultServeMux is used. 290 Handler http.Handler 291} 292 293func (o *ServeConnOpts) baseConfig() *http.Server { 294 if o != nil && o.BaseConfig != nil { 295 return o.BaseConfig 296 } 297 return new(http.Server) 298} 299 300func (o *ServeConnOpts) handler() http.Handler { 301 if o != nil { 302 if o.Handler != nil { 303 return o.Handler 304 } 305 if o.BaseConfig != nil && o.BaseConfig.Handler != nil { 306 return o.BaseConfig.Handler 307 } 308 } 309 return http.DefaultServeMux 310} 311 312// ServeConn serves HTTP/2 requests on the provided connection and 313// blocks until the connection is no longer readable. 314// 315// ServeConn starts speaking HTTP/2 assuming that c has not had any 316// reads or writes. It writes its initial settings frame and expects 317// to be able to read the preface and settings frame from the 318// client. If c has a ConnectionState method like a *tls.Conn, the 319// ConnectionState is used to verify the TLS ciphersuite and to set 320// the Request.TLS field in Handlers. 321// 322// ServeConn does not support h2c by itself. Any h2c support must be 323// implemented in terms of providing a suitably-behaving net.Conn. 324// 325// The opts parameter is optional. If nil, default values are used. 326func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) { 327 baseCtx, cancel := serverConnBaseContext(c, opts) 328 defer cancel() 329 330 sc := &serverConn{ 331 srv: s, 332 hs: opts.baseConfig(), 333 conn: c, 334 baseCtx: baseCtx, 335 remoteAddrStr: c.RemoteAddr().String(), 336 bw: newBufferedWriter(c), 337 handler: opts.handler(), 338 streams: make(map[uint32]*stream), 339 readFrameCh: make(chan readFrameResult), 340 wantWriteFrameCh: make(chan FrameWriteRequest, 8), 341 serveMsgCh: make(chan interface{}, 8), 342 wroteFrameCh: make(chan frameWriteResult, 1), // buffered; one send in writeFrameAsync 343 bodyReadCh: make(chan bodyReadMsg), // buffering doesn't matter either way 344 doneServing: make(chan struct{}), 345 clientMaxStreams: math.MaxUint32, // Section 6.5.2: "Initially, there is no limit to this value" 346 advMaxStreams: s.maxConcurrentStreams(), 347 initialStreamSendWindowSize: initialWindowSize, 348 maxFrameSize: initialMaxFrameSize, 349 headerTableSize: initialHeaderTableSize, 350 serveG: newGoroutineLock(), 351 pushEnabled: true, 352 } 353 354 s.state.registerConn(sc) 355 defer s.state.unregisterConn(sc) 356 357 // The net/http package sets the write deadline from the 358 // http.Server.WriteTimeout during the TLS handshake, but then 359 // passes the connection off to us with the deadline already set. 360 // Write deadlines are set per stream in serverConn.newStream. 361 // Disarm the net.Conn write deadline here. 362 if sc.hs.WriteTimeout != 0 { 363 sc.conn.SetWriteDeadline(time.Time{}) 364 } 365 366 if s.NewWriteScheduler != nil { 367 sc.writeSched = s.NewWriteScheduler() 368 } else { 369 sc.writeSched = NewRandomWriteScheduler() 370 } 371 372 // These start at the RFC-specified defaults. If there is a higher 373 // configured value for inflow, that will be updated when we send a 374 // WINDOW_UPDATE shortly after sending SETTINGS. 375 sc.flow.add(initialWindowSize) 376 sc.inflow.add(initialWindowSize) 377 sc.hpackEncoder = hpack.NewEncoder(&sc.headerWriteBuf) 378 379 fr := NewFramer(sc.bw, c) 380 fr.ReadMetaHeaders = hpack.NewDecoder(initialHeaderTableSize, nil) 381 fr.MaxHeaderListSize = sc.maxHeaderListSize() 382 fr.SetMaxReadFrameSize(s.maxReadFrameSize()) 383 sc.framer = fr 384 385 if tc, ok := c.(connectionStater); ok { 386 sc.tlsState = new(tls.ConnectionState) 387 *sc.tlsState = tc.ConnectionState() 388 // 9.2 Use of TLS Features 389 // An implementation of HTTP/2 over TLS MUST use TLS 390 // 1.2 or higher with the restrictions on feature set 391 // and cipher suite described in this section. Due to 392 // implementation limitations, it might not be 393 // possible to fail TLS negotiation. An endpoint MUST 394 // immediately terminate an HTTP/2 connection that 395 // does not meet the TLS requirements described in 396 // this section with a connection error (Section 397 // 5.4.1) of type INADEQUATE_SECURITY. 398 if sc.tlsState.Version < tls.VersionTLS12 { 399 sc.rejectConn(ErrCodeInadequateSecurity, "TLS version too low") 400 return 401 } 402 403 if sc.tlsState.ServerName == "" { 404 // Client must use SNI, but we don't enforce that anymore, 405 // since it was causing problems when connecting to bare IP 406 // addresses during development. 407 // 408 // TODO: optionally enforce? Or enforce at the time we receive 409 // a new request, and verify the ServerName matches the :authority? 410 // But that precludes proxy situations, perhaps. 411 // 412 // So for now, do nothing here again. 413 } 414 415 if !s.PermitProhibitedCipherSuites && isBadCipher(sc.tlsState.CipherSuite) { 416 // "Endpoints MAY choose to generate a connection error 417 // (Section 5.4.1) of type INADEQUATE_SECURITY if one of 418 // the prohibited cipher suites are negotiated." 419 // 420 // We choose that. In my opinion, the spec is weak 421 // here. It also says both parties must support at least 422 // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 so there's no 423 // excuses here. If we really must, we could allow an 424 // "AllowInsecureWeakCiphers" option on the server later. 425 // Let's see how it plays out first. 426 sc.rejectConn(ErrCodeInadequateSecurity, fmt.Sprintf("Prohibited TLS 1.2 Cipher Suite: %x", sc.tlsState.CipherSuite)) 427 return 428 } 429 } 430 431 if hook := testHookGetServerConn; hook != nil { 432 hook(sc) 433 } 434 sc.serve() 435} 436 437func (sc *serverConn) rejectConn(err ErrCode, debug string) { 438 sc.vlogf("http2: server rejecting conn: %v, %s", err, debug) 439 // ignoring errors. hanging up anyway. 440 sc.framer.WriteGoAway(0, err, []byte(debug)) 441 sc.bw.Flush() 442 sc.conn.Close() 443} 444 445type serverConn struct { 446 // Immutable: 447 srv *Server 448 hs *http.Server 449 conn net.Conn 450 bw *bufferedWriter // writing to conn 451 handler http.Handler 452 baseCtx contextContext 453 framer *Framer 454 doneServing chan struct{} // closed when serverConn.serve ends 455 readFrameCh chan readFrameResult // written by serverConn.readFrames 456 wantWriteFrameCh chan FrameWriteRequest // from handlers -> serve 457 wroteFrameCh chan frameWriteResult // from writeFrameAsync -> serve, tickles more frame writes 458 bodyReadCh chan bodyReadMsg // from handlers -> serve 459 serveMsgCh chan interface{} // misc messages & code to send to / run on the serve loop 460 flow flow // conn-wide (not stream-specific) outbound flow control 461 inflow flow // conn-wide inbound flow control 462 tlsState *tls.ConnectionState // shared by all handlers, like net/http 463 remoteAddrStr string 464 writeSched WriteScheduler 465 466 // Everything following is owned by the serve loop; use serveG.check(): 467 serveG goroutineLock // used to verify funcs are on serve() 468 pushEnabled bool 469 sawFirstSettings bool // got the initial SETTINGS frame after the preface 470 needToSendSettingsAck bool 471 unackedSettings int // how many SETTINGS have we sent without ACKs? 472 clientMaxStreams uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit) 473 advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client 474 curClientStreams uint32 // number of open streams initiated by the client 475 curPushedStreams uint32 // number of open streams initiated by server push 476 maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests 477 maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes 478 streams map[uint32]*stream 479 initialStreamSendWindowSize int32 480 maxFrameSize int32 481 headerTableSize uint32 482 peerMaxHeaderListSize uint32 // zero means unknown (default) 483 canonHeader map[string]string // http2-lower-case -> Go-Canonical-Case 484 writingFrame bool // started writing a frame (on serve goroutine or separate) 485 writingFrameAsync bool // started a frame on its own goroutine but haven't heard back on wroteFrameCh 486 needsFrameFlush bool // last frame write wasn't a flush 487 inGoAway bool // we've started to or sent GOAWAY 488 inFrameScheduleLoop bool // whether we're in the scheduleFrameWrite loop 489 needToSendGoAway bool // we need to schedule a GOAWAY frame write 490 goAwayCode ErrCode 491 shutdownTimer *time.Timer // nil until used 492 idleTimer *time.Timer // nil if unused 493 494 // Owned by the writeFrameAsync goroutine: 495 headerWriteBuf bytes.Buffer 496 hpackEncoder *hpack.Encoder 497 498 // Used by startGracefulShutdown. 499 shutdownOnce sync.Once 500} 501 502func (sc *serverConn) maxHeaderListSize() uint32 { 503 n := sc.hs.MaxHeaderBytes 504 if n <= 0 { 505 n = http.DefaultMaxHeaderBytes 506 } 507 // http2's count is in a slightly different unit and includes 32 bytes per pair. 508 // So, take the net/http.Server value and pad it up a bit, assuming 10 headers. 509 const perFieldOverhead = 32 // per http2 spec 510 const typicalHeaders = 10 // conservative 511 return uint32(n + typicalHeaders*perFieldOverhead) 512} 513 514func (sc *serverConn) curOpenStreams() uint32 { 515 sc.serveG.check() 516 return sc.curClientStreams + sc.curPushedStreams 517} 518 519// stream represents a stream. This is the minimal metadata needed by 520// the serve goroutine. Most of the actual stream state is owned by 521// the http.Handler's goroutine in the responseWriter. Because the 522// responseWriter's responseWriterState is recycled at the end of a 523// handler, this struct intentionally has no pointer to the 524// *responseWriter{,State} itself, as the Handler ending nils out the 525// responseWriter's state field. 526type stream struct { 527 // immutable: 528 sc *serverConn 529 id uint32 530 body *pipe // non-nil if expecting DATA frames 531 cw closeWaiter // closed wait stream transitions to closed state 532 ctx contextContext 533 cancelCtx func() 534 535 // owned by serverConn's serve loop: 536 bodyBytes int64 // body bytes seen so far 537 declBodyBytes int64 // or -1 if undeclared 538 flow flow // limits writing from Handler to client 539 inflow flow // what the client is allowed to POST/etc to us 540 parent *stream // or nil 541 numTrailerValues int64 542 weight uint8 543 state streamState 544 resetQueued bool // RST_STREAM queued for write; set by sc.resetStream 545 gotTrailerHeader bool // HEADER frame for trailers was seen 546 wroteHeaders bool // whether we wrote headers (not status 100) 547 writeDeadline *time.Timer // nil if unused 548 549 trailer http.Header // accumulated trailers 550 reqTrailer http.Header // handler's Request.Trailer 551} 552 553func (sc *serverConn) Framer() *Framer { return sc.framer } 554func (sc *serverConn) CloseConn() error { return sc.conn.Close() } 555func (sc *serverConn) Flush() error { return sc.bw.Flush() } 556func (sc *serverConn) HeaderEncoder() (*hpack.Encoder, *bytes.Buffer) { 557 return sc.hpackEncoder, &sc.headerWriteBuf 558} 559 560func (sc *serverConn) state(streamID uint32) (streamState, *stream) { 561 sc.serveG.check() 562 // http://tools.ietf.org/html/rfc7540#section-5.1 563 if st, ok := sc.streams[streamID]; ok { 564 return st.state, st 565 } 566 // "The first use of a new stream identifier implicitly closes all 567 // streams in the "idle" state that might have been initiated by 568 // that peer with a lower-valued stream identifier. For example, if 569 // a client sends a HEADERS frame on stream 7 without ever sending a 570 // frame on stream 5, then stream 5 transitions to the "closed" 571 // state when the first frame for stream 7 is sent or received." 572 if streamID%2 == 1 { 573 if streamID <= sc.maxClientStreamID { 574 return stateClosed, nil 575 } 576 } else { 577 if streamID <= sc.maxPushPromiseID { 578 return stateClosed, nil 579 } 580 } 581 return stateIdle, nil 582} 583 584// setConnState calls the net/http ConnState hook for this connection, if configured. 585// Note that the net/http package does StateNew and StateClosed for us. 586// There is currently no plan for StateHijacked or hijacking HTTP/2 connections. 587func (sc *serverConn) setConnState(state http.ConnState) { 588 if sc.hs.ConnState != nil { 589 sc.hs.ConnState(sc.conn, state) 590 } 591} 592 593func (sc *serverConn) vlogf(format string, args ...interface{}) { 594 if VerboseLogs { 595 sc.logf(format, args...) 596 } 597} 598 599func (sc *serverConn) logf(format string, args ...interface{}) { 600 if lg := sc.hs.ErrorLog; lg != nil { 601 lg.Printf(format, args...) 602 } else { 603 log.Printf(format, args...) 604 } 605} 606 607// errno returns v's underlying uintptr, else 0. 608// 609// TODO: remove this helper function once http2 can use build 610// tags. See comment in isClosedConnError. 611func errno(v error) uintptr { 612 if rv := reflect.ValueOf(v); rv.Kind() == reflect.Uintptr { 613 return uintptr(rv.Uint()) 614 } 615 return 0 616} 617 618// isClosedConnError reports whether err is an error from use of a closed 619// network connection. 620func isClosedConnError(err error) bool { 621 if err == nil { 622 return false 623 } 624 625 // TODO: remove this string search and be more like the Windows 626 // case below. That might involve modifying the standard library 627 // to return better error types. 628 str := err.Error() 629 if strings.Contains(str, "use of closed network connection") { 630 return true 631 } 632 633 // TODO(bradfitz): x/tools/cmd/bundle doesn't really support 634 // build tags, so I can't make an http2_windows.go file with 635 // Windows-specific stuff. Fix that and move this, once we 636 // have a way to bundle this into std's net/http somehow. 637 if runtime.GOOS == "windows" { 638 if oe, ok := err.(*net.OpError); ok && oe.Op == "read" { 639 if se, ok := oe.Err.(*os.SyscallError); ok && se.Syscall == "wsarecv" { 640 const WSAECONNABORTED = 10053 641 const WSAECONNRESET = 10054 642 if n := errno(se.Err); n == WSAECONNRESET || n == WSAECONNABORTED { 643 return true 644 } 645 } 646 } 647 } 648 return false 649} 650 651func (sc *serverConn) condlogf(err error, format string, args ...interface{}) { 652 if err == nil { 653 return 654 } 655 if err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err) || err == errPrefaceTimeout { 656 // Boring, expected errors. 657 sc.vlogf(format, args...) 658 } else { 659 sc.logf(format, args...) 660 } 661} 662 663func (sc *serverConn) canonicalHeader(v string) string { 664 sc.serveG.check() 665 cv, ok := commonCanonHeader[v] 666 if ok { 667 return cv 668 } 669 cv, ok = sc.canonHeader[v] 670 if ok { 671 return cv 672 } 673 if sc.canonHeader == nil { 674 sc.canonHeader = make(map[string]string) 675 } 676 cv = http.CanonicalHeaderKey(v) 677 sc.canonHeader[v] = cv 678 return cv 679} 680 681type readFrameResult struct { 682 f Frame // valid until readMore is called 683 err error 684 685 // readMore should be called once the consumer no longer needs or 686 // retains f. After readMore, f is invalid and more frames can be 687 // read. 688 readMore func() 689} 690 691// readFrames is the loop that reads incoming frames. 692// It takes care to only read one frame at a time, blocking until the 693// consumer is done with the frame. 694// It's run on its own goroutine. 695func (sc *serverConn) readFrames() { 696 gate := make(gate) 697 gateDone := gate.Done 698 for { 699 f, err := sc.framer.ReadFrame() 700 select { 701 case sc.readFrameCh <- readFrameResult{f, err, gateDone}: 702 case <-sc.doneServing: 703 return 704 } 705 select { 706 case <-gate: 707 case <-sc.doneServing: 708 return 709 } 710 if terminalReadFrameError(err) { 711 return 712 } 713 } 714} 715 716// frameWriteResult is the message passed from writeFrameAsync to the serve goroutine. 717type frameWriteResult struct { 718 wr FrameWriteRequest // what was written (or attempted) 719 err error // result of the writeFrame call 720} 721 722// writeFrameAsync runs in its own goroutine and writes a single frame 723// and then reports when it's done. 724// At most one goroutine can be running writeFrameAsync at a time per 725// serverConn. 726func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest) { 727 err := wr.write.writeFrame(sc) 728 sc.wroteFrameCh <- frameWriteResult{wr, err} 729} 730 731func (sc *serverConn) closeAllStreamsOnConnClose() { 732 sc.serveG.check() 733 for _, st := range sc.streams { 734 sc.closeStream(st, errClientDisconnected) 735 } 736} 737 738func (sc *serverConn) stopShutdownTimer() { 739 sc.serveG.check() 740 if t := sc.shutdownTimer; t != nil { 741 t.Stop() 742 } 743} 744 745func (sc *serverConn) notePanic() { 746 // Note: this is for serverConn.serve panicking, not http.Handler code. 747 if testHookOnPanicMu != nil { 748 testHookOnPanicMu.Lock() 749 defer testHookOnPanicMu.Unlock() 750 } 751 if testHookOnPanic != nil { 752 if e := recover(); e != nil { 753 if testHookOnPanic(sc, e) { 754 panic(e) 755 } 756 } 757 } 758} 759 760func (sc *serverConn) serve() { 761 sc.serveG.check() 762 defer sc.notePanic() 763 defer sc.conn.Close() 764 defer sc.closeAllStreamsOnConnClose() 765 defer sc.stopShutdownTimer() 766 defer close(sc.doneServing) // unblocks handlers trying to send 767 768 if VerboseLogs { 769 sc.vlogf("http2: server connection from %v on %p", sc.conn.RemoteAddr(), sc.hs) 770 } 771 772 sc.writeFrame(FrameWriteRequest{ 773 write: writeSettings{ 774 {SettingMaxFrameSize, sc.srv.maxReadFrameSize()}, 775 {SettingMaxConcurrentStreams, sc.advMaxStreams}, 776 {SettingMaxHeaderListSize, sc.maxHeaderListSize()}, 777 {SettingInitialWindowSize, uint32(sc.srv.initialStreamRecvWindowSize())}, 778 }, 779 }) 780 sc.unackedSettings++ 781 782 // Each connection starts with intialWindowSize inflow tokens. 783 // If a higher value is configured, we add more tokens. 784 if diff := sc.srv.initialConnRecvWindowSize() - initialWindowSize; diff > 0 { 785 sc.sendWindowUpdate(nil, int(diff)) 786 } 787 788 if err := sc.readPreface(); err != nil { 789 sc.condlogf(err, "http2: server: error reading preface from client %v: %v", sc.conn.RemoteAddr(), err) 790 return 791 } 792 // Now that we've got the preface, get us out of the 793 // "StateNew" state. We can't go directly to idle, though. 794 // Active means we read some data and anticipate a request. We'll 795 // do another Active when we get a HEADERS frame. 796 sc.setConnState(http.StateActive) 797 sc.setConnState(http.StateIdle) 798 799 if sc.srv.IdleTimeout != 0 { 800 sc.idleTimer = time.AfterFunc(sc.srv.IdleTimeout, sc.onIdleTimer) 801 defer sc.idleTimer.Stop() 802 } 803 804 go sc.readFrames() // closed by defer sc.conn.Close above 805 806 settingsTimer := time.AfterFunc(firstSettingsTimeout, sc.onSettingsTimer) 807 defer settingsTimer.Stop() 808 809 loopNum := 0 810 for { 811 loopNum++ 812 select { 813 case wr := <-sc.wantWriteFrameCh: 814 if se, ok := wr.write.(StreamError); ok { 815 sc.resetStream(se) 816 break 817 } 818 sc.writeFrame(wr) 819 case res := <-sc.wroteFrameCh: 820 sc.wroteFrame(res) 821 case res := <-sc.readFrameCh: 822 if !sc.processFrameFromReader(res) { 823 return 824 } 825 res.readMore() 826 if settingsTimer != nil { 827 settingsTimer.Stop() 828 settingsTimer = nil 829 } 830 case m := <-sc.bodyReadCh: 831 sc.noteBodyRead(m.st, m.n) 832 case msg := <-sc.serveMsgCh: 833 switch v := msg.(type) { 834 case func(int): 835 v(loopNum) // for testing 836 case *serverMessage: 837 switch v { 838 case settingsTimerMsg: 839 sc.logf("timeout waiting for SETTINGS frames from %v", sc.conn.RemoteAddr()) 840 return 841 case idleTimerMsg: 842 sc.vlogf("connection is idle") 843 sc.goAway(ErrCodeNo) 844 case shutdownTimerMsg: 845 sc.vlogf("GOAWAY close timer fired; closing conn from %v", sc.conn.RemoteAddr()) 846 return 847 case gracefulShutdownMsg: 848 sc.startGracefulShutdownInternal() 849 default: 850 panic("unknown timer") 851 } 852 case *startPushRequest: 853 sc.startPush(v) 854 default: 855 panic(fmt.Sprintf("unexpected type %T", v)) 856 } 857 } 858 859 // Start the shutdown timer after sending a GOAWAY. When sending GOAWAY 860 // with no error code (graceful shutdown), don't start the timer until 861 // all open streams have been completed. 862 sentGoAway := sc.inGoAway && !sc.needToSendGoAway && !sc.writingFrame 863 gracefulShutdownComplete := sc.goAwayCode == ErrCodeNo && sc.curOpenStreams() == 0 864 if sentGoAway && sc.shutdownTimer == nil && (sc.goAwayCode != ErrCodeNo || gracefulShutdownComplete) { 865 sc.shutDownIn(goAwayTimeout) 866 } 867 } 868} 869 870func (sc *serverConn) awaitGracefulShutdown(sharedCh <-chan struct{}, privateCh chan struct{}) { 871 select { 872 case <-sc.doneServing: 873 case <-sharedCh: 874 close(privateCh) 875 } 876} 877 878type serverMessage int 879 880// Message values sent to serveMsgCh. 881var ( 882 settingsTimerMsg = new(serverMessage) 883 idleTimerMsg = new(serverMessage) 884 shutdownTimerMsg = new(serverMessage) 885 gracefulShutdownMsg = new(serverMessage) 886) 887 888func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } 889func (sc *serverConn) onIdleTimer() { sc.sendServeMsg(idleTimerMsg) } 890func (sc *serverConn) onShutdownTimer() { sc.sendServeMsg(shutdownTimerMsg) } 891 892func (sc *serverConn) sendServeMsg(msg interface{}) { 893 sc.serveG.checkNotOn() // NOT 894 select { 895 case sc.serveMsgCh <- msg: 896 case <-sc.doneServing: 897 } 898} 899 900var errPrefaceTimeout = errors.New("timeout waiting for client preface") 901 902// readPreface reads the ClientPreface greeting from the peer or 903// returns errPrefaceTimeout on timeout, or an error if the greeting 904// is invalid. 905func (sc *serverConn) readPreface() error { 906 errc := make(chan error, 1) 907 go func() { 908 // Read the client preface 909 buf := make([]byte, len(ClientPreface)) 910 if _, err := io.ReadFull(sc.conn, buf); err != nil { 911 errc <- err 912 } else if !bytes.Equal(buf, clientPreface) { 913 errc <- fmt.Errorf("bogus greeting %q", buf) 914 } else { 915 errc <- nil 916 } 917 }() 918 timer := time.NewTimer(prefaceTimeout) // TODO: configurable on *Server? 919 defer timer.Stop() 920 select { 921 case <-timer.C: 922 return errPrefaceTimeout 923 case err := <-errc: 924 if err == nil { 925 if VerboseLogs { 926 sc.vlogf("http2: server: client %v said hello", sc.conn.RemoteAddr()) 927 } 928 } 929 return err 930 } 931} 932 933var errChanPool = sync.Pool{ 934 New: func() interface{} { return make(chan error, 1) }, 935} 936 937var writeDataPool = sync.Pool{ 938 New: func() interface{} { return new(writeData) }, 939} 940 941// writeDataFromHandler writes DATA response frames from a handler on 942// the given stream. 943func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStream bool) error { 944 ch := errChanPool.Get().(chan error) 945 writeArg := writeDataPool.Get().(*writeData) 946 *writeArg = writeData{stream.id, data, endStream} 947 err := sc.writeFrameFromHandler(FrameWriteRequest{ 948 write: writeArg, 949 stream: stream, 950 done: ch, 951 }) 952 if err != nil { 953 return err 954 } 955 var frameWriteDone bool // the frame write is done (successfully or not) 956 select { 957 case err = <-ch: 958 frameWriteDone = true 959 case <-sc.doneServing: 960 return errClientDisconnected 961 case <-stream.cw: 962 // If both ch and stream.cw were ready (as might 963 // happen on the final Write after an http.Handler 964 // ends), prefer the write result. Otherwise this 965 // might just be us successfully closing the stream. 966 // The writeFrameAsync and serve goroutines guarantee 967 // that the ch send will happen before the stream.cw 968 // close. 969 select { 970 case err = <-ch: 971 frameWriteDone = true 972 default: 973 return errStreamClosed 974 } 975 } 976 errChanPool.Put(ch) 977 if frameWriteDone { 978 writeDataPool.Put(writeArg) 979 } 980 return err 981} 982 983// writeFrameFromHandler sends wr to sc.wantWriteFrameCh, but aborts 984// if the connection has gone away. 985// 986// This must not be run from the serve goroutine itself, else it might 987// deadlock writing to sc.wantWriteFrameCh (which is only mildly 988// buffered and is read by serve itself). If you're on the serve 989// goroutine, call writeFrame instead. 990func (sc *serverConn) writeFrameFromHandler(wr FrameWriteRequest) error { 991 sc.serveG.checkNotOn() // NOT 992 select { 993 case sc.wantWriteFrameCh <- wr: 994 return nil 995 case <-sc.doneServing: 996 // Serve loop is gone. 997 // Client has closed their connection to the server. 998 return errClientDisconnected 999 } 1000} 1001 1002// writeFrame schedules a frame to write and sends it if there's nothing 1003// already being written. 1004// 1005// There is no pushback here (the serve goroutine never blocks). It's 1006// the http.Handlers that block, waiting for their previous frames to 1007// make it onto the wire 1008// 1009// If you're not on the serve goroutine, use writeFrameFromHandler instead. 1010func (sc *serverConn) writeFrame(wr FrameWriteRequest) { 1011 sc.serveG.check() 1012 1013 // If true, wr will not be written and wr.done will not be signaled. 1014 var ignoreWrite bool 1015 1016 // We are not allowed to write frames on closed streams. RFC 7540 Section 1017 // 5.1.1 says: "An endpoint MUST NOT send frames other than PRIORITY on 1018 // a closed stream." Our server never sends PRIORITY, so that exception 1019 // does not apply. 1020 // 1021 // The serverConn might close an open stream while the stream's handler 1022 // is still running. For example, the server might close a stream when it 1023 // receives bad data from the client. If this happens, the handler might 1024 // attempt to write a frame after the stream has been closed (since the 1025 // handler hasn't yet been notified of the close). In this case, we simply 1026 // ignore the frame. The handler will notice that the stream is closed when 1027 // it waits for the frame to be written. 1028 // 1029 // As an exception to this rule, we allow sending RST_STREAM after close. 1030 // This allows us to immediately reject new streams without tracking any 1031 // state for those streams (except for the queued RST_STREAM frame). This 1032 // may result in duplicate RST_STREAMs in some cases, but the client should 1033 // ignore those. 1034 if wr.StreamID() != 0 { 1035 _, isReset := wr.write.(StreamError) 1036 if state, _ := sc.state(wr.StreamID()); state == stateClosed && !isReset { 1037 ignoreWrite = true 1038 } 1039 } 1040 1041 // Don't send a 100-continue response if we've already sent headers. 1042 // See golang.org/issue/14030. 1043 switch wr.write.(type) { 1044 case *writeResHeaders: 1045 wr.stream.wroteHeaders = true 1046 case write100ContinueHeadersFrame: 1047 if wr.stream.wroteHeaders { 1048 // We do not need to notify wr.done because this frame is 1049 // never written with wr.done != nil. 1050 if wr.done != nil { 1051 panic("wr.done != nil for write100ContinueHeadersFrame") 1052 } 1053 ignoreWrite = true 1054 } 1055 } 1056 1057 if !ignoreWrite { 1058 sc.writeSched.Push(wr) 1059 } 1060 sc.scheduleFrameWrite() 1061} 1062 1063// startFrameWrite starts a goroutine to write wr (in a separate 1064// goroutine since that might block on the network), and updates the 1065// serve goroutine's state about the world, updated from info in wr. 1066func (sc *serverConn) startFrameWrite(wr FrameWriteRequest) { 1067 sc.serveG.check() 1068 if sc.writingFrame { 1069 panic("internal error: can only be writing one frame at a time") 1070 } 1071 1072 st := wr.stream 1073 if st != nil { 1074 switch st.state { 1075 case stateHalfClosedLocal: 1076 switch wr.write.(type) { 1077 case StreamError, handlerPanicRST, writeWindowUpdate: 1078 // RFC 7540 Section 5.1 allows sending RST_STREAM, PRIORITY, and WINDOW_UPDATE 1079 // in this state. (We never send PRIORITY from the server, so that is not checked.) 1080 default: 1081 panic(fmt.Sprintf("internal error: attempt to send frame on a half-closed-local stream: %v", wr)) 1082 } 1083 case stateClosed: 1084 panic(fmt.Sprintf("internal error: attempt to send frame on a closed stream: %v", wr)) 1085 } 1086 } 1087 if wpp, ok := wr.write.(*writePushPromise); ok { 1088 var err error 1089 wpp.promisedID, err = wpp.allocatePromisedID() 1090 if err != nil { 1091 sc.writingFrameAsync = false 1092 wr.replyToWriter(err) 1093 return 1094 } 1095 } 1096 1097 sc.writingFrame = true 1098 sc.needsFrameFlush = true 1099 if wr.write.staysWithinBuffer(sc.bw.Available()) { 1100 sc.writingFrameAsync = false 1101 err := wr.write.writeFrame(sc) 1102 sc.wroteFrame(frameWriteResult{wr, err}) 1103 } else { 1104 sc.writingFrameAsync = true 1105 go sc.writeFrameAsync(wr) 1106 } 1107} 1108 1109// errHandlerPanicked is the error given to any callers blocked in a read from 1110// Request.Body when the main goroutine panics. Since most handlers read in the 1111// the main ServeHTTP goroutine, this will show up rarely. 1112var errHandlerPanicked = errors.New("http2: handler panicked") 1113 1114// wroteFrame is called on the serve goroutine with the result of 1115// whatever happened on writeFrameAsync. 1116func (sc *serverConn) wroteFrame(res frameWriteResult) { 1117 sc.serveG.check() 1118 if !sc.writingFrame { 1119 panic("internal error: expected to be already writing a frame") 1120 } 1121 sc.writingFrame = false 1122 sc.writingFrameAsync = false 1123 1124 wr := res.wr 1125 1126 if writeEndsStream(wr.write) { 1127 st := wr.stream 1128 if st == nil { 1129 panic("internal error: expecting non-nil stream") 1130 } 1131 switch st.state { 1132 case stateOpen: 1133 // Here we would go to stateHalfClosedLocal in 1134 // theory, but since our handler is done and 1135 // the net/http package provides no mechanism 1136 // for closing a ResponseWriter while still 1137 // reading data (see possible TODO at top of 1138 // this file), we go into closed state here 1139 // anyway, after telling the peer we're 1140 // hanging up on them. We'll transition to 1141 // stateClosed after the RST_STREAM frame is 1142 // written. 1143 st.state = stateHalfClosedLocal 1144 // Section 8.1: a server MAY request that the client abort 1145 // transmission of a request without error by sending a 1146 // RST_STREAM with an error code of NO_ERROR after sending 1147 // a complete response. 1148 sc.resetStream(streamError(st.id, ErrCodeNo)) 1149 case stateHalfClosedRemote: 1150 sc.closeStream(st, errHandlerComplete) 1151 } 1152 } else { 1153 switch v := wr.write.(type) { 1154 case StreamError: 1155 // st may be unknown if the RST_STREAM was generated to reject bad input. 1156 if st, ok := sc.streams[v.StreamID]; ok { 1157 sc.closeStream(st, v) 1158 } 1159 case handlerPanicRST: 1160 sc.closeStream(wr.stream, errHandlerPanicked) 1161 } 1162 } 1163 1164 // Reply (if requested) to unblock the ServeHTTP goroutine. 1165 wr.replyToWriter(res.err) 1166 1167 sc.scheduleFrameWrite() 1168} 1169 1170// scheduleFrameWrite tickles the frame writing scheduler. 1171// 1172// If a frame is already being written, nothing happens. This will be called again 1173// when the frame is done being written. 1174// 1175// If a frame isn't being written we need to send one, the best frame 1176// to send is selected, preferring first things that aren't 1177// stream-specific (e.g. ACKing settings), and then finding the 1178// highest priority stream. 1179// 1180// If a frame isn't being written and there's nothing else to send, we 1181// flush the write buffer. 1182func (sc *serverConn) scheduleFrameWrite() { 1183 sc.serveG.check() 1184 if sc.writingFrame || sc.inFrameScheduleLoop { 1185 return 1186 } 1187 sc.inFrameScheduleLoop = true 1188 for !sc.writingFrameAsync { 1189 if sc.needToSendGoAway { 1190 sc.needToSendGoAway = false 1191 sc.startFrameWrite(FrameWriteRequest{ 1192 write: &writeGoAway{ 1193 maxStreamID: sc.maxClientStreamID, 1194 code: sc.goAwayCode, 1195 }, 1196 }) 1197 continue 1198 } 1199 if sc.needToSendSettingsAck { 1200 sc.needToSendSettingsAck = false 1201 sc.startFrameWrite(FrameWriteRequest{write: writeSettingsAck{}}) 1202 continue 1203 } 1204 if !sc.inGoAway || sc.goAwayCode == ErrCodeNo { 1205 if wr, ok := sc.writeSched.Pop(); ok { 1206 sc.startFrameWrite(wr) 1207 continue 1208 } 1209 } 1210 if sc.needsFrameFlush { 1211 sc.startFrameWrite(FrameWriteRequest{write: flushFrameWriter{}}) 1212 sc.needsFrameFlush = false // after startFrameWrite, since it sets this true 1213 continue 1214 } 1215 break 1216 } 1217 sc.inFrameScheduleLoop = false 1218} 1219 1220// startGracefulShutdown gracefully shuts down a connection. This 1221// sends GOAWAY with ErrCodeNo to tell the client we're gracefully 1222// shutting down. The connection isn't closed until all current 1223// streams are done. 1224// 1225// startGracefulShutdown returns immediately; it does not wait until 1226// the connection has shut down. 1227func (sc *serverConn) startGracefulShutdown() { 1228 sc.serveG.checkNotOn() // NOT 1229 sc.shutdownOnce.Do(func() { sc.sendServeMsg(gracefulShutdownMsg) }) 1230} 1231 1232// After sending GOAWAY, the connection will close after goAwayTimeout. 1233// If we close the connection immediately after sending GOAWAY, there may 1234// be unsent data in our kernel receive buffer, which will cause the kernel 1235// to send a TCP RST on close() instead of a FIN. This RST will abort the 1236// connection immediately, whether or not the client had received the GOAWAY. 1237// 1238// Ideally we should delay for at least 1 RTT + epsilon so the client has 1239// a chance to read the GOAWAY and stop sending messages. Measuring RTT 1240// is hard, so we approximate with 1 second. See golang.org/issue/18701. 1241// 1242// This is a var so it can be shorter in tests, where all requests uses the 1243// loopback interface making the expected RTT very small. 1244// 1245// TODO: configurable? 1246var goAwayTimeout = 1 * time.Second 1247 1248func (sc *serverConn) startGracefulShutdownInternal() { 1249 sc.goAway(ErrCodeNo) 1250} 1251 1252func (sc *serverConn) goAway(code ErrCode) { 1253 sc.serveG.check() 1254 if sc.inGoAway { 1255 return 1256 } 1257 sc.inGoAway = true 1258 sc.needToSendGoAway = true 1259 sc.goAwayCode = code 1260 sc.scheduleFrameWrite() 1261} 1262 1263func (sc *serverConn) shutDownIn(d time.Duration) { 1264 sc.serveG.check() 1265 sc.shutdownTimer = time.AfterFunc(d, sc.onShutdownTimer) 1266} 1267 1268func (sc *serverConn) resetStream(se StreamError) { 1269 sc.serveG.check() 1270 sc.writeFrame(FrameWriteRequest{write: se}) 1271 if st, ok := sc.streams[se.StreamID]; ok { 1272 st.resetQueued = true 1273 } 1274} 1275 1276// processFrameFromReader processes the serve loop's read from readFrameCh from the 1277// frame-reading goroutine. 1278// processFrameFromReader returns whether the connection should be kept open. 1279func (sc *serverConn) processFrameFromReader(res readFrameResult) bool { 1280 sc.serveG.check() 1281 err := res.err 1282 if err != nil { 1283 if err == ErrFrameTooLarge { 1284 sc.goAway(ErrCodeFrameSize) 1285 return true // goAway will close the loop 1286 } 1287 clientGone := err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err) 1288 if clientGone { 1289 // TODO: could we also get into this state if 1290 // the peer does a half close 1291 // (e.g. CloseWrite) because they're done 1292 // sending frames but they're still wanting 1293 // our open replies? Investigate. 1294 // TODO: add CloseWrite to crypto/tls.Conn first 1295 // so we have a way to test this? I suppose 1296 // just for testing we could have a non-TLS mode. 1297 return false 1298 } 1299 } else { 1300 f := res.f 1301 if VerboseLogs { 1302 sc.vlogf("http2: server read frame %v", summarizeFrame(f)) 1303 } 1304 err = sc.processFrame(f) 1305 if err == nil { 1306 return true 1307 } 1308 } 1309 1310 switch ev := err.(type) { 1311 case StreamError: 1312 sc.resetStream(ev) 1313 return true 1314 case goAwayFlowError: 1315 sc.goAway(ErrCodeFlowControl) 1316 return true 1317 case ConnectionError: 1318 sc.logf("http2: server connection error from %v: %v", sc.conn.RemoteAddr(), ev) 1319 sc.goAway(ErrCode(ev)) 1320 return true // goAway will handle shutdown 1321 default: 1322 if res.err != nil { 1323 sc.vlogf("http2: server closing client connection; error reading frame from client %s: %v", sc.conn.RemoteAddr(), err) 1324 } else { 1325 sc.logf("http2: server closing client connection: %v", err) 1326 } 1327 return false 1328 } 1329} 1330 1331func (sc *serverConn) processFrame(f Frame) error { 1332 sc.serveG.check() 1333 1334 // First frame received must be SETTINGS. 1335 if !sc.sawFirstSettings { 1336 if _, ok := f.(*SettingsFrame); !ok { 1337 return ConnectionError(ErrCodeProtocol) 1338 } 1339 sc.sawFirstSettings = true 1340 } 1341 1342 switch f := f.(type) { 1343 case *SettingsFrame: 1344 return sc.processSettings(f) 1345 case *MetaHeadersFrame: 1346 return sc.processHeaders(f) 1347 case *WindowUpdateFrame: 1348 return sc.processWindowUpdate(f) 1349 case *PingFrame: 1350 return sc.processPing(f) 1351 case *DataFrame: 1352 return sc.processData(f) 1353 case *RSTStreamFrame: 1354 return sc.processResetStream(f) 1355 case *PriorityFrame: 1356 return sc.processPriority(f) 1357 case *GoAwayFrame: 1358 return sc.processGoAway(f) 1359 case *PushPromiseFrame: 1360 // A client cannot push. Thus, servers MUST treat the receipt of a PUSH_PROMISE 1361 // frame as a connection error (Section 5.4.1) of type PROTOCOL_ERROR. 1362 return ConnectionError(ErrCodeProtocol) 1363 default: 1364 sc.vlogf("http2: server ignoring frame: %v", f.Header()) 1365 return nil 1366 } 1367} 1368 1369func (sc *serverConn) processPing(f *PingFrame) error { 1370 sc.serveG.check() 1371 if f.IsAck() { 1372 // 6.7 PING: " An endpoint MUST NOT respond to PING frames 1373 // containing this flag." 1374 return nil 1375 } 1376 if f.StreamID != 0 { 1377 // "PING frames are not associated with any individual 1378 // stream. If a PING frame is received with a stream 1379 // identifier field value other than 0x0, the recipient MUST 1380 // respond with a connection error (Section 5.4.1) of type 1381 // PROTOCOL_ERROR." 1382 return ConnectionError(ErrCodeProtocol) 1383 } 1384 if sc.inGoAway && sc.goAwayCode != ErrCodeNo { 1385 return nil 1386 } 1387 sc.writeFrame(FrameWriteRequest{write: writePingAck{f}}) 1388 return nil 1389} 1390 1391func (sc *serverConn) processWindowUpdate(f *WindowUpdateFrame) error { 1392 sc.serveG.check() 1393 switch { 1394 case f.StreamID != 0: // stream-level flow control 1395 state, st := sc.state(f.StreamID) 1396 if state == stateIdle { 1397 // Section 5.1: "Receiving any frame other than HEADERS 1398 // or PRIORITY on a stream in this state MUST be 1399 // treated as a connection error (Section 5.4.1) of 1400 // type PROTOCOL_ERROR." 1401 return ConnectionError(ErrCodeProtocol) 1402 } 1403 if st == nil { 1404 // "WINDOW_UPDATE can be sent by a peer that has sent a 1405 // frame bearing the END_STREAM flag. This means that a 1406 // receiver could receive a WINDOW_UPDATE frame on a "half 1407 // closed (remote)" or "closed" stream. A receiver MUST 1408 // NOT treat this as an error, see Section 5.1." 1409 return nil 1410 } 1411 if !st.flow.add(int32(f.Increment)) { 1412 return streamError(f.StreamID, ErrCodeFlowControl) 1413 } 1414 default: // connection-level flow control 1415 if !sc.flow.add(int32(f.Increment)) { 1416 return goAwayFlowError{} 1417 } 1418 } 1419 sc.scheduleFrameWrite() 1420 return nil 1421} 1422 1423func (sc *serverConn) processResetStream(f *RSTStreamFrame) error { 1424 sc.serveG.check() 1425 1426 state, st := sc.state(f.StreamID) 1427 if state == stateIdle { 1428 // 6.4 "RST_STREAM frames MUST NOT be sent for a 1429 // stream in the "idle" state. If a RST_STREAM frame 1430 // identifying an idle stream is received, the 1431 // recipient MUST treat this as a connection error 1432 // (Section 5.4.1) of type PROTOCOL_ERROR. 1433 return ConnectionError(ErrCodeProtocol) 1434 } 1435 if st != nil { 1436 st.cancelCtx() 1437 sc.closeStream(st, streamError(f.StreamID, f.ErrCode)) 1438 } 1439 return nil 1440} 1441 1442func (sc *serverConn) closeStream(st *stream, err error) { 1443 sc.serveG.check() 1444 if st.state == stateIdle || st.state == stateClosed { 1445 panic(fmt.Sprintf("invariant; can't close stream in state %v", st.state)) 1446 } 1447 st.state = stateClosed 1448 if st.writeDeadline != nil { 1449 st.writeDeadline.Stop() 1450 } 1451 if st.isPushed() { 1452 sc.curPushedStreams-- 1453 } else { 1454 sc.curClientStreams-- 1455 } 1456 delete(sc.streams, st.id) 1457 if len(sc.streams) == 0 { 1458 sc.setConnState(http.StateIdle) 1459 if sc.srv.IdleTimeout != 0 { 1460 sc.idleTimer.Reset(sc.srv.IdleTimeout) 1461 } 1462 if h1ServerKeepAlivesDisabled(sc.hs) { 1463 sc.startGracefulShutdownInternal() 1464 } 1465 } 1466 if p := st.body; p != nil { 1467 // Return any buffered unread bytes worth of conn-level flow control. 1468 // See golang.org/issue/16481 1469 sc.sendWindowUpdate(nil, p.Len()) 1470 1471 p.CloseWithError(err) 1472 } 1473 st.cw.Close() // signals Handler's CloseNotifier, unblocks writes, etc 1474 sc.writeSched.CloseStream(st.id) 1475} 1476 1477func (sc *serverConn) processSettings(f *SettingsFrame) error { 1478 sc.serveG.check() 1479 if f.IsAck() { 1480 sc.unackedSettings-- 1481 if sc.unackedSettings < 0 { 1482 // Why is the peer ACKing settings we never sent? 1483 // The spec doesn't mention this case, but 1484 // hang up on them anyway. 1485 return ConnectionError(ErrCodeProtocol) 1486 } 1487 return nil 1488 } 1489 if err := f.ForeachSetting(sc.processSetting); err != nil { 1490 return err 1491 } 1492 sc.needToSendSettingsAck = true 1493 sc.scheduleFrameWrite() 1494 return nil 1495} 1496 1497func (sc *serverConn) processSetting(s Setting) error { 1498 sc.serveG.check() 1499 if err := s.Valid(); err != nil { 1500 return err 1501 } 1502 if VerboseLogs { 1503 sc.vlogf("http2: server processing setting %v", s) 1504 } 1505 switch s.ID { 1506 case SettingHeaderTableSize: 1507 sc.headerTableSize = s.Val 1508 sc.hpackEncoder.SetMaxDynamicTableSize(s.Val) 1509 case SettingEnablePush: 1510 sc.pushEnabled = s.Val != 0 1511 case SettingMaxConcurrentStreams: 1512 sc.clientMaxStreams = s.Val 1513 case SettingInitialWindowSize: 1514 return sc.processSettingInitialWindowSize(s.Val) 1515 case SettingMaxFrameSize: 1516 sc.maxFrameSize = int32(s.Val) // the maximum valid s.Val is < 2^31 1517 case SettingMaxHeaderListSize: 1518 sc.peerMaxHeaderListSize = s.Val 1519 default: 1520 // Unknown setting: "An endpoint that receives a SETTINGS 1521 // frame with any unknown or unsupported identifier MUST 1522 // ignore that setting." 1523 if VerboseLogs { 1524 sc.vlogf("http2: server ignoring unknown setting %v", s) 1525 } 1526 } 1527 return nil 1528} 1529 1530func (sc *serverConn) processSettingInitialWindowSize(val uint32) error { 1531 sc.serveG.check() 1532 // Note: val already validated to be within range by 1533 // processSetting's Valid call. 1534 1535 // "A SETTINGS frame can alter the initial flow control window 1536 // size for all current streams. When the value of 1537 // SETTINGS_INITIAL_WINDOW_SIZE changes, a receiver MUST 1538 // adjust the size of all stream flow control windows that it 1539 // maintains by the difference between the new value and the 1540 // old value." 1541 old := sc.initialStreamSendWindowSize 1542 sc.initialStreamSendWindowSize = int32(val) 1543 growth := int32(val) - old // may be negative 1544 for _, st := range sc.streams { 1545 if !st.flow.add(growth) { 1546 // 6.9.2 Initial Flow Control Window Size 1547 // "An endpoint MUST treat a change to 1548 // SETTINGS_INITIAL_WINDOW_SIZE that causes any flow 1549 // control window to exceed the maximum size as a 1550 // connection error (Section 5.4.1) of type 1551 // FLOW_CONTROL_ERROR." 1552 return ConnectionError(ErrCodeFlowControl) 1553 } 1554 } 1555 return nil 1556} 1557 1558func (sc *serverConn) processData(f *DataFrame) error { 1559 sc.serveG.check() 1560 if sc.inGoAway && sc.goAwayCode != ErrCodeNo { 1561 return nil 1562 } 1563 data := f.Data() 1564 1565 // "If a DATA frame is received whose stream is not in "open" 1566 // or "half closed (local)" state, the recipient MUST respond 1567 // with a stream error (Section 5.4.2) of type STREAM_CLOSED." 1568 id := f.Header().StreamID 1569 state, st := sc.state(id) 1570 if id == 0 || state == stateIdle { 1571 // Section 5.1: "Receiving any frame other than HEADERS 1572 // or PRIORITY on a stream in this state MUST be 1573 // treated as a connection error (Section 5.4.1) of 1574 // type PROTOCOL_ERROR." 1575 return ConnectionError(ErrCodeProtocol) 1576 } 1577 if st == nil || state != stateOpen || st.gotTrailerHeader || st.resetQueued { 1578 // This includes sending a RST_STREAM if the stream is 1579 // in stateHalfClosedLocal (which currently means that 1580 // the http.Handler returned, so it's done reading & 1581 // done writing). Try to stop the client from sending 1582 // more DATA. 1583 1584 // But still enforce their connection-level flow control, 1585 // and return any flow control bytes since we're not going 1586 // to consume them. 1587 if sc.inflow.available() < int32(f.Length) { 1588 return streamError(id, ErrCodeFlowControl) 1589 } 1590 // Deduct the flow control from inflow, since we're 1591 // going to immediately add it back in 1592 // sendWindowUpdate, which also schedules sending the 1593 // frames. 1594 sc.inflow.take(int32(f.Length)) 1595 sc.sendWindowUpdate(nil, int(f.Length)) // conn-level 1596 1597 if st != nil && st.resetQueued { 1598 // Already have a stream error in flight. Don't send another. 1599 return nil 1600 } 1601 return streamError(id, ErrCodeStreamClosed) 1602 } 1603 if st.body == nil { 1604 panic("internal error: should have a body in this state") 1605 } 1606 1607 // Sender sending more than they'd declared? 1608 if st.declBodyBytes != -1 && st.bodyBytes+int64(len(data)) > st.declBodyBytes { 1609 st.body.CloseWithError(fmt.Errorf("sender tried to send more than declared Content-Length of %d bytes", st.declBodyBytes)) 1610 return streamError(id, ErrCodeStreamClosed) 1611 } 1612 if f.Length > 0 { 1613 // Check whether the client has flow control quota. 1614 if st.inflow.available() < int32(f.Length) { 1615 return streamError(id, ErrCodeFlowControl) 1616 } 1617 st.inflow.take(int32(f.Length)) 1618 1619 if len(data) > 0 { 1620 wrote, err := st.body.Write(data) 1621 if err != nil { 1622 return streamError(id, ErrCodeStreamClosed) 1623 } 1624 if wrote != len(data) { 1625 panic("internal error: bad Writer") 1626 } 1627 st.bodyBytes += int64(len(data)) 1628 } 1629 1630 // Return any padded flow control now, since we won't 1631 // refund it later on body reads. 1632 if pad := int32(f.Length) - int32(len(data)); pad > 0 { 1633 sc.sendWindowUpdate32(nil, pad) 1634 sc.sendWindowUpdate32(st, pad) 1635 } 1636 } 1637 if f.StreamEnded() { 1638 st.endStream() 1639 } 1640 return nil 1641} 1642 1643func (sc *serverConn) processGoAway(f *GoAwayFrame) error { 1644 sc.serveG.check() 1645 if f.ErrCode != ErrCodeNo { 1646 sc.logf("http2: received GOAWAY %+v, starting graceful shutdown", f) 1647 } else { 1648 sc.vlogf("http2: received GOAWAY %+v, starting graceful shutdown", f) 1649 } 1650 sc.startGracefulShutdownInternal() 1651 // http://tools.ietf.org/html/rfc7540#section-6.8 1652 // We should not create any new streams, which means we should disable push. 1653 sc.pushEnabled = false 1654 return nil 1655} 1656 1657// isPushed reports whether the stream is server-initiated. 1658func (st *stream) isPushed() bool { 1659 return st.id%2 == 0 1660} 1661 1662// endStream closes a Request.Body's pipe. It is called when a DATA 1663// frame says a request body is over (or after trailers). 1664func (st *stream) endStream() { 1665 sc := st.sc 1666 sc.serveG.check() 1667 1668 if st.declBodyBytes != -1 && st.declBodyBytes != st.bodyBytes { 1669 st.body.CloseWithError(fmt.Errorf("request declared a Content-Length of %d but only wrote %d bytes", 1670 st.declBodyBytes, st.bodyBytes)) 1671 } else { 1672 st.body.closeWithErrorAndCode(io.EOF, st.copyTrailersToHandlerRequest) 1673 st.body.CloseWithError(io.EOF) 1674 } 1675 st.state = stateHalfClosedRemote 1676} 1677 1678// copyTrailersToHandlerRequest is run in the Handler's goroutine in 1679// its Request.Body.Read just before it gets io.EOF. 1680func (st *stream) copyTrailersToHandlerRequest() { 1681 for k, vv := range st.trailer { 1682 if _, ok := st.reqTrailer[k]; ok { 1683 // Only copy it over it was pre-declared. 1684 st.reqTrailer[k] = vv 1685 } 1686 } 1687} 1688 1689// onWriteTimeout is run on its own goroutine (from time.AfterFunc) 1690// when the stream's WriteTimeout has fired. 1691func (st *stream) onWriteTimeout() { 1692 st.sc.writeFrameFromHandler(FrameWriteRequest{write: streamError(st.id, ErrCodeInternal)}) 1693} 1694 1695func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { 1696 sc.serveG.check() 1697 id := f.StreamID 1698 if sc.inGoAway { 1699 // Ignore. 1700 return nil 1701 } 1702 // http://tools.ietf.org/html/rfc7540#section-5.1.1 1703 // Streams initiated by a client MUST use odd-numbered stream 1704 // identifiers. [...] An endpoint that receives an unexpected 1705 // stream identifier MUST respond with a connection error 1706 // (Section 5.4.1) of type PROTOCOL_ERROR. 1707 if id%2 != 1 { 1708 return ConnectionError(ErrCodeProtocol) 1709 } 1710 // A HEADERS frame can be used to create a new stream or 1711 // send a trailer for an open one. If we already have a stream 1712 // open, let it process its own HEADERS frame (trailers at this 1713 // point, if it's valid). 1714 if st := sc.streams[f.StreamID]; st != nil { 1715 if st.resetQueued { 1716 // We're sending RST_STREAM to close the stream, so don't bother 1717 // processing this frame. 1718 return nil 1719 } 1720 return st.processTrailerHeaders(f) 1721 } 1722 1723 // [...] The identifier of a newly established stream MUST be 1724 // numerically greater than all streams that the initiating 1725 // endpoint has opened or reserved. [...] An endpoint that 1726 // receives an unexpected stream identifier MUST respond with 1727 // a connection error (Section 5.4.1) of type PROTOCOL_ERROR. 1728 if id <= sc.maxClientStreamID { 1729 return ConnectionError(ErrCodeProtocol) 1730 } 1731 sc.maxClientStreamID = id 1732 1733 if sc.idleTimer != nil { 1734 sc.idleTimer.Stop() 1735 } 1736 1737 // http://tools.ietf.org/html/rfc7540#section-5.1.2 1738 // [...] Endpoints MUST NOT exceed the limit set by their peer. An 1739 // endpoint that receives a HEADERS frame that causes their 1740 // advertised concurrent stream limit to be exceeded MUST treat 1741 // this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR 1742 // or REFUSED_STREAM. 1743 if sc.curClientStreams+1 > sc.advMaxStreams { 1744 if sc.unackedSettings == 0 { 1745 // They should know better. 1746 return streamError(id, ErrCodeProtocol) 1747 } 1748 // Assume it's a network race, where they just haven't 1749 // received our last SETTINGS update. But actually 1750 // this can't happen yet, because we don't yet provide 1751 // a way for users to adjust server parameters at 1752 // runtime. 1753 return streamError(id, ErrCodeRefusedStream) 1754 } 1755 1756 initialState := stateOpen 1757 if f.StreamEnded() { 1758 initialState = stateHalfClosedRemote 1759 } 1760 st := sc.newStream(id, 0, initialState) 1761 1762 if f.HasPriority() { 1763 if err := checkPriority(f.StreamID, f.Priority); err != nil { 1764 return err 1765 } 1766 sc.writeSched.AdjustStream(st.id, f.Priority) 1767 } 1768 1769 rw, req, err := sc.newWriterAndRequest(st, f) 1770 if err != nil { 1771 return err 1772 } 1773 st.reqTrailer = req.Trailer 1774 if st.reqTrailer != nil { 1775 st.trailer = make(http.Header) 1776 } 1777 st.body = req.Body.(*requestBody).pipe // may be nil 1778 st.declBodyBytes = req.ContentLength 1779 1780 handler := sc.handler.ServeHTTP 1781 if f.Truncated { 1782 // Their header list was too long. Send a 431 error. 1783 handler = handleHeaderListTooLong 1784 } else if err := checkValidHTTP2RequestHeaders(req.Header); err != nil { 1785 handler = new400Handler(err) 1786 } 1787 1788 // The net/http package sets the read deadline from the 1789 // http.Server.ReadTimeout during the TLS handshake, but then 1790 // passes the connection off to us with the deadline already 1791 // set. Disarm it here after the request headers are read, 1792 // similar to how the http1 server works. Here it's 1793 // technically more like the http1 Server's ReadHeaderTimeout 1794 // (in Go 1.8), though. That's a more sane option anyway. 1795 if sc.hs.ReadTimeout != 0 { 1796 sc.conn.SetReadDeadline(time.Time{}) 1797 } 1798 1799 go sc.runHandler(rw, req, handler) 1800 return nil 1801} 1802 1803func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { 1804 sc := st.sc 1805 sc.serveG.check() 1806 if st.gotTrailerHeader { 1807 return ConnectionError(ErrCodeProtocol) 1808 } 1809 st.gotTrailerHeader = true 1810 if !f.StreamEnded() { 1811 return streamError(st.id, ErrCodeProtocol) 1812 } 1813 1814 if len(f.PseudoFields()) > 0 { 1815 return streamError(st.id, ErrCodeProtocol) 1816 } 1817 if st.trailer != nil { 1818 for _, hf := range f.RegularFields() { 1819 key := sc.canonicalHeader(hf.Name) 1820 if !ValidTrailerHeader(key) { 1821 // TODO: send more details to the peer somehow. But http2 has 1822 // no way to send debug data at a stream level. Discuss with 1823 // HTTP folk. 1824 return streamError(st.id, ErrCodeProtocol) 1825 } 1826 st.trailer[key] = append(st.trailer[key], hf.Value) 1827 } 1828 } 1829 st.endStream() 1830 return nil 1831} 1832 1833func checkPriority(streamID uint32, p PriorityParam) error { 1834 if streamID == p.StreamDep { 1835 // Section 5.3.1: "A stream cannot depend on itself. An endpoint MUST treat 1836 // this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR." 1837 // Section 5.3.3 says that a stream can depend on one of its dependencies, 1838 // so it's only self-dependencies that are forbidden. 1839 return streamError(streamID, ErrCodeProtocol) 1840 } 1841 return nil 1842} 1843 1844func (sc *serverConn) processPriority(f *PriorityFrame) error { 1845 if sc.inGoAway { 1846 return nil 1847 } 1848 if err := checkPriority(f.StreamID, f.PriorityParam); err != nil { 1849 return err 1850 } 1851 sc.writeSched.AdjustStream(f.StreamID, f.PriorityParam) 1852 return nil 1853} 1854 1855func (sc *serverConn) newStream(id, pusherID uint32, state streamState) *stream { 1856 sc.serveG.check() 1857 if id == 0 { 1858 panic("internal error: cannot create stream with id 0") 1859 } 1860 1861 ctx, cancelCtx := contextWithCancel(sc.baseCtx) 1862 st := &stream{ 1863 sc: sc, 1864 id: id, 1865 state: state, 1866 ctx: ctx, 1867 cancelCtx: cancelCtx, 1868 } 1869 st.cw.Init() 1870 st.flow.conn = &sc.flow // link to conn-level counter 1871 st.flow.add(sc.initialStreamSendWindowSize) 1872 st.inflow.conn = &sc.inflow // link to conn-level counter 1873 st.inflow.add(sc.srv.initialStreamRecvWindowSize()) 1874 if sc.hs.WriteTimeout != 0 { 1875 st.writeDeadline = time.AfterFunc(sc.hs.WriteTimeout, st.onWriteTimeout) 1876 } 1877 1878 sc.streams[id] = st 1879 sc.writeSched.OpenStream(st.id, OpenStreamOptions{PusherID: pusherID}) 1880 if st.isPushed() { 1881 sc.curPushedStreams++ 1882 } else { 1883 sc.curClientStreams++ 1884 } 1885 if sc.curOpenStreams() == 1 { 1886 sc.setConnState(http.StateActive) 1887 } 1888 1889 return st 1890} 1891 1892func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*responseWriter, *http.Request, error) { 1893 sc.serveG.check() 1894 1895 rp := requestParam{ 1896 method: f.PseudoValue("method"), 1897 scheme: f.PseudoValue("scheme"), 1898 authority: f.PseudoValue("authority"), 1899 path: f.PseudoValue("path"), 1900 } 1901 1902 isConnect := rp.method == "CONNECT" 1903 if isConnect { 1904 if rp.path != "" || rp.scheme != "" || rp.authority == "" { 1905 return nil, nil, streamError(f.StreamID, ErrCodeProtocol) 1906 } 1907 } else if rp.method == "" || rp.path == "" || (rp.scheme != "https" && rp.scheme != "http") { 1908 // See 8.1.2.6 Malformed Requests and Responses: 1909 // 1910 // Malformed requests or responses that are detected 1911 // MUST be treated as a stream error (Section 5.4.2) 1912 // of type PROTOCOL_ERROR." 1913 // 1914 // 8.1.2.3 Request Pseudo-Header Fields 1915 // "All HTTP/2 requests MUST include exactly one valid 1916 // value for the :method, :scheme, and :path 1917 // pseudo-header fields" 1918 return nil, nil, streamError(f.StreamID, ErrCodeProtocol) 1919 } 1920 1921 bodyOpen := !f.StreamEnded() 1922 if rp.method == "HEAD" && bodyOpen { 1923 // HEAD requests can't have bodies 1924 return nil, nil, streamError(f.StreamID, ErrCodeProtocol) 1925 } 1926 1927 rp.header = make(http.Header) 1928 for _, hf := range f.RegularFields() { 1929 rp.header.Add(sc.canonicalHeader(hf.Name), hf.Value) 1930 } 1931 if rp.authority == "" { 1932 rp.authority = rp.header.Get("Host") 1933 } 1934 1935 rw, req, err := sc.newWriterAndRequestNoBody(st, rp) 1936 if err != nil { 1937 return nil, nil, err 1938 } 1939 if bodyOpen { 1940 if vv, ok := rp.header["Content-Length"]; ok { 1941 req.ContentLength, _ = strconv.ParseInt(vv[0], 10, 64) 1942 } else { 1943 req.ContentLength = -1 1944 } 1945 req.Body.(*requestBody).pipe = &pipe{ 1946 b: &dataBuffer{expected: req.ContentLength}, 1947 } 1948 } 1949 return rw, req, nil 1950} 1951 1952type requestParam struct { 1953 method string 1954 scheme, authority, path string 1955 header http.Header 1956} 1957 1958func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*responseWriter, *http.Request, error) { 1959 sc.serveG.check() 1960 1961 var tlsState *tls.ConnectionState // nil if not scheme https 1962 if rp.scheme == "https" { 1963 tlsState = sc.tlsState 1964 } 1965 1966 needsContinue := rp.header.Get("Expect") == "100-continue" 1967 if needsContinue { 1968 rp.header.Del("Expect") 1969 } 1970 // Merge Cookie headers into one "; "-delimited value. 1971 if cookies := rp.header["Cookie"]; len(cookies) > 1 { 1972 rp.header.Set("Cookie", strings.Join(cookies, "; ")) 1973 } 1974 1975 // Setup Trailers 1976 var trailer http.Header 1977 for _, v := range rp.header["Trailer"] { 1978 for _, key := range strings.Split(v, ",") { 1979 key = http.CanonicalHeaderKey(strings.TrimSpace(key)) 1980 switch key { 1981 case "Transfer-Encoding", "Trailer", "Content-Length": 1982 // Bogus. (copy of http1 rules) 1983 // Ignore. 1984 default: 1985 if trailer == nil { 1986 trailer = make(http.Header) 1987 } 1988 trailer[key] = nil 1989 } 1990 } 1991 } 1992 delete(rp.header, "Trailer") 1993 1994 var url_ *url.URL 1995 var requestURI string 1996 if rp.method == "CONNECT" { 1997 url_ = &url.URL{Host: rp.authority} 1998 requestURI = rp.authority // mimic HTTP/1 server behavior 1999 } else { 2000 var err error 2001 url_, err = url.ParseRequestURI(rp.path) 2002 if err != nil { 2003 return nil, nil, streamError(st.id, ErrCodeProtocol) 2004 } 2005 requestURI = rp.path 2006 } 2007 2008 body := &requestBody{ 2009 conn: sc, 2010 stream: st, 2011 needsContinue: needsContinue, 2012 } 2013 req := &http.Request{ 2014 Method: rp.method, 2015 URL: url_, 2016 RemoteAddr: sc.remoteAddrStr, 2017 Header: rp.header, 2018 RequestURI: requestURI, 2019 Proto: "HTTP/2.0", 2020 ProtoMajor: 2, 2021 ProtoMinor: 0, 2022 TLS: tlsState, 2023 Host: rp.authority, 2024 Body: body, 2025 Trailer: trailer, 2026 } 2027 req = requestWithContext(req, st.ctx) 2028 2029 rws := responseWriterStatePool.Get().(*responseWriterState) 2030 bwSave := rws.bw 2031 *rws = responseWriterState{} // zero all the fields 2032 rws.conn = sc 2033 rws.bw = bwSave 2034 rws.bw.Reset(chunkWriter{rws}) 2035 rws.stream = st 2036 rws.req = req 2037 rws.body = body 2038 2039 rw := &responseWriter{rws: rws} 2040 return rw, req, nil 2041} 2042 2043// Run on its own goroutine. 2044func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { 2045 didPanic := true 2046 defer func() { 2047 rw.rws.stream.cancelCtx() 2048 if didPanic { 2049 e := recover() 2050 sc.writeFrameFromHandler(FrameWriteRequest{ 2051 write: handlerPanicRST{rw.rws.stream.id}, 2052 stream: rw.rws.stream, 2053 }) 2054 // Same as net/http: 2055 if shouldLogPanic(e) { 2056 const size = 64 << 10 2057 buf := make([]byte, size) 2058 buf = buf[:runtime.Stack(buf, false)] 2059 sc.logf("http2: panic serving %v: %v\n%s", sc.conn.RemoteAddr(), e, buf) 2060 } 2061 return 2062 } 2063 rw.handlerDone() 2064 }() 2065 handler(rw, req) 2066 didPanic = false 2067} 2068 2069func handleHeaderListTooLong(w http.ResponseWriter, r *http.Request) { 2070 // 10.5.1 Limits on Header Block Size: 2071 // .. "A server that receives a larger header block than it is 2072 // willing to handle can send an HTTP 431 (Request Header Fields Too 2073 // Large) status code" 2074 const statusRequestHeaderFieldsTooLarge = 431 // only in Go 1.6+ 2075 w.WriteHeader(statusRequestHeaderFieldsTooLarge) 2076 io.WriteString(w, "<h1>HTTP Error 431</h1><p>Request Header Field(s) Too Large</p>") 2077} 2078 2079// called from handler goroutines. 2080// h may be nil. 2081func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) error { 2082 sc.serveG.checkNotOn() // NOT on 2083 var errc chan error 2084 if headerData.h != nil { 2085 // If there's a header map (which we don't own), so we have to block on 2086 // waiting for this frame to be written, so an http.Flush mid-handler 2087 // writes out the correct value of keys, before a handler later potentially 2088 // mutates it. 2089 errc = errChanPool.Get().(chan error) 2090 } 2091 if err := sc.writeFrameFromHandler(FrameWriteRequest{ 2092 write: headerData, 2093 stream: st, 2094 done: errc, 2095 }); err != nil { 2096 return err 2097 } 2098 if errc != nil { 2099 select { 2100 case err := <-errc: 2101 errChanPool.Put(errc) 2102 return err 2103 case <-sc.doneServing: 2104 return errClientDisconnected 2105 case <-st.cw: 2106 return errStreamClosed 2107 } 2108 } 2109 return nil 2110} 2111 2112// called from handler goroutines. 2113func (sc *serverConn) write100ContinueHeaders(st *stream) { 2114 sc.writeFrameFromHandler(FrameWriteRequest{ 2115 write: write100ContinueHeadersFrame{st.id}, 2116 stream: st, 2117 }) 2118} 2119 2120// A bodyReadMsg tells the server loop that the http.Handler read n 2121// bytes of the DATA from the client on the given stream. 2122type bodyReadMsg struct { 2123 st *stream 2124 n int 2125} 2126 2127// called from handler goroutines. 2128// Notes that the handler for the given stream ID read n bytes of its body 2129// and schedules flow control tokens to be sent. 2130func (sc *serverConn) noteBodyReadFromHandler(st *stream, n int, err error) { 2131 sc.serveG.checkNotOn() // NOT on 2132 if n > 0 { 2133 select { 2134 case sc.bodyReadCh <- bodyReadMsg{st, n}: 2135 case <-sc.doneServing: 2136 } 2137 } 2138} 2139 2140func (sc *serverConn) noteBodyRead(st *stream, n int) { 2141 sc.serveG.check() 2142 sc.sendWindowUpdate(nil, n) // conn-level 2143 if st.state != stateHalfClosedRemote && st.state != stateClosed { 2144 // Don't send this WINDOW_UPDATE if the stream is closed 2145 // remotely. 2146 sc.sendWindowUpdate(st, n) 2147 } 2148} 2149 2150// st may be nil for conn-level 2151func (sc *serverConn) sendWindowUpdate(st *stream, n int) { 2152 sc.serveG.check() 2153 // "The legal range for the increment to the flow control 2154 // window is 1 to 2^31-1 (2,147,483,647) octets." 2155 // A Go Read call on 64-bit machines could in theory read 2156 // a larger Read than this. Very unlikely, but we handle it here 2157 // rather than elsewhere for now. 2158 const maxUint31 = 1<<31 - 1 2159 for n >= maxUint31 { 2160 sc.sendWindowUpdate32(st, maxUint31) 2161 n -= maxUint31 2162 } 2163 sc.sendWindowUpdate32(st, int32(n)) 2164} 2165 2166// st may be nil for conn-level 2167func (sc *serverConn) sendWindowUpdate32(st *stream, n int32) { 2168 sc.serveG.check() 2169 if n == 0 { 2170 return 2171 } 2172 if n < 0 { 2173 panic("negative update") 2174 } 2175 var streamID uint32 2176 if st != nil { 2177 streamID = st.id 2178 } 2179 sc.writeFrame(FrameWriteRequest{ 2180 write: writeWindowUpdate{streamID: streamID, n: uint32(n)}, 2181 stream: st, 2182 }) 2183 var ok bool 2184 if st == nil { 2185 ok = sc.inflow.add(n) 2186 } else { 2187 ok = st.inflow.add(n) 2188 } 2189 if !ok { 2190 panic("internal error; sent too many window updates without decrements?") 2191 } 2192} 2193 2194// requestBody is the Handler's Request.Body type. 2195// Read and Close may be called concurrently. 2196type requestBody struct { 2197 stream *stream 2198 conn *serverConn 2199 closed bool // for use by Close only 2200 sawEOF bool // for use by Read only 2201 pipe *pipe // non-nil if we have a HTTP entity message body 2202 needsContinue bool // need to send a 100-continue 2203} 2204 2205func (b *requestBody) Close() error { 2206 if b.pipe != nil && !b.closed { 2207 b.pipe.BreakWithError(errClosedBody) 2208 } 2209 b.closed = true 2210 return nil 2211} 2212 2213func (b *requestBody) Read(p []byte) (n int, err error) { 2214 if b.needsContinue { 2215 b.needsContinue = false 2216 b.conn.write100ContinueHeaders(b.stream) 2217 } 2218 if b.pipe == nil || b.sawEOF { 2219 return 0, io.EOF 2220 } 2221 n, err = b.pipe.Read(p) 2222 if err == io.EOF { 2223 b.sawEOF = true 2224 } 2225 if b.conn == nil && inTests { 2226 return 2227 } 2228 b.conn.noteBodyReadFromHandler(b.stream, n, err) 2229 return 2230} 2231 2232// responseWriter is the http.ResponseWriter implementation. It's 2233// intentionally small (1 pointer wide) to minimize garbage. The 2234// responseWriterState pointer inside is zeroed at the end of a 2235// request (in handlerDone) and calls on the responseWriter thereafter 2236// simply crash (caller's mistake), but the much larger responseWriterState 2237// and buffers are reused between multiple requests. 2238type responseWriter struct { 2239 rws *responseWriterState 2240} 2241 2242// Optional http.ResponseWriter interfaces implemented. 2243var ( 2244 _ http.CloseNotifier = (*responseWriter)(nil) 2245 _ http.Flusher = (*responseWriter)(nil) 2246 _ stringWriter = (*responseWriter)(nil) 2247) 2248 2249type responseWriterState struct { 2250 // immutable within a request: 2251 stream *stream 2252 req *http.Request 2253 body *requestBody // to close at end of request, if DATA frames didn't 2254 conn *serverConn 2255 2256 // TODO: adjust buffer writing sizes based on server config, frame size updates from peer, etc 2257 bw *bufio.Writer // writing to a chunkWriter{this *responseWriterState} 2258 2259 // mutated by http.Handler goroutine: 2260 handlerHeader http.Header // nil until called 2261 snapHeader http.Header // snapshot of handlerHeader at WriteHeader time 2262 trailers []string // set in writeChunk 2263 status int // status code passed to WriteHeader 2264 wroteHeader bool // WriteHeader called (explicitly or implicitly). Not necessarily sent to user yet. 2265 sentHeader bool // have we sent the header frame? 2266 handlerDone bool // handler has finished 2267 dirty bool // a Write failed; don't reuse this responseWriterState 2268 2269 sentContentLen int64 // non-zero if handler set a Content-Length header 2270 wroteBytes int64 2271 2272 closeNotifierMu sync.Mutex // guards closeNotifierCh 2273 closeNotifierCh chan bool // nil until first used 2274} 2275 2276type chunkWriter struct{ rws *responseWriterState } 2277 2278func (cw chunkWriter) Write(p []byte) (n int, err error) { return cw.rws.writeChunk(p) } 2279 2280func (rws *responseWriterState) hasTrailers() bool { return len(rws.trailers) != 0 } 2281 2282// declareTrailer is called for each Trailer header when the 2283// response header is written. It notes that a header will need to be 2284// written in the trailers at the end of the response. 2285func (rws *responseWriterState) declareTrailer(k string) { 2286 k = http.CanonicalHeaderKey(k) 2287 if !ValidTrailerHeader(k) { 2288 // Forbidden by RFC 7230, section 4.1.2. 2289 rws.conn.logf("ignoring invalid trailer %q", k) 2290 return 2291 } 2292 if !strSliceContains(rws.trailers, k) { 2293 rws.trailers = append(rws.trailers, k) 2294 } 2295} 2296 2297// writeChunk writes chunks from the bufio.Writer. But because 2298// bufio.Writer may bypass its chunking, sometimes p may be 2299// arbitrarily large. 2300// 2301// writeChunk is also responsible (on the first chunk) for sending the 2302// HEADER response. 2303func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) { 2304 if !rws.wroteHeader { 2305 rws.writeHeader(200) 2306 } 2307 2308 isHeadResp := rws.req.Method == "HEAD" 2309 if !rws.sentHeader { 2310 rws.sentHeader = true 2311 var ctype, clen string 2312 if clen = rws.snapHeader.Get("Content-Length"); clen != "" { 2313 rws.snapHeader.Del("Content-Length") 2314 clen64, err := strconv.ParseInt(clen, 10, 64) 2315 if err == nil && clen64 >= 0 { 2316 rws.sentContentLen = clen64 2317 } else { 2318 clen = "" 2319 } 2320 } 2321 if clen == "" && rws.handlerDone && bodyAllowedForStatus(rws.status) && (len(p) > 0 || !isHeadResp) { 2322 clen = strconv.Itoa(len(p)) 2323 } 2324 _, hasContentType := rws.snapHeader["Content-Type"] 2325 if !hasContentType && bodyAllowedForStatus(rws.status) && len(p) > 0 { 2326 ctype = http.DetectContentType(p) 2327 } 2328 var date string 2329 if _, ok := rws.snapHeader["Date"]; !ok { 2330 // TODO(bradfitz): be faster here, like net/http? measure. 2331 date = time.Now().UTC().Format(http.TimeFormat) 2332 } 2333 2334 for _, v := range rws.snapHeader["Trailer"] { 2335 foreachHeaderElement(v, rws.declareTrailer) 2336 } 2337 2338 endStream := (rws.handlerDone && !rws.hasTrailers() && len(p) == 0) || isHeadResp 2339 err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{ 2340 streamID: rws.stream.id, 2341 httpResCode: rws.status, 2342 h: rws.snapHeader, 2343 endStream: endStream, 2344 contentType: ctype, 2345 contentLength: clen, 2346 date: date, 2347 }) 2348 if err != nil { 2349 rws.dirty = true 2350 return 0, err 2351 } 2352 if endStream { 2353 return 0, nil 2354 } 2355 } 2356 if isHeadResp { 2357 return len(p), nil 2358 } 2359 if len(p) == 0 && !rws.handlerDone { 2360 return 0, nil 2361 } 2362 2363 if rws.handlerDone { 2364 rws.promoteUndeclaredTrailers() 2365 } 2366 2367 endStream := rws.handlerDone && !rws.hasTrailers() 2368 if len(p) > 0 || endStream { 2369 // only send a 0 byte DATA frame if we're ending the stream. 2370 if err := rws.conn.writeDataFromHandler(rws.stream, p, endStream); err != nil { 2371 rws.dirty = true 2372 return 0, err 2373 } 2374 } 2375 2376 if rws.handlerDone && rws.hasTrailers() { 2377 err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{ 2378 streamID: rws.stream.id, 2379 h: rws.handlerHeader, 2380 trailers: rws.trailers, 2381 endStream: true, 2382 }) 2383 if err != nil { 2384 rws.dirty = true 2385 } 2386 return len(p), err 2387 } 2388 return len(p), nil 2389} 2390 2391// TrailerPrefix is a magic prefix for ResponseWriter.Header map keys 2392// that, if present, signals that the map entry is actually for 2393// the response trailers, and not the response headers. The prefix 2394// is stripped after the ServeHTTP call finishes and the values are 2395// sent in the trailers. 2396// 2397// This mechanism is intended only for trailers that are not known 2398// prior to the headers being written. If the set of trailers is fixed 2399// or known before the header is written, the normal Go trailers mechanism 2400// is preferred: 2401// https://golang.org/pkg/net/http/#ResponseWriter 2402// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers 2403const TrailerPrefix = "Trailer:" 2404 2405// promoteUndeclaredTrailers permits http.Handlers to set trailers 2406// after the header has already been flushed. Because the Go 2407// ResponseWriter interface has no way to set Trailers (only the 2408// Header), and because we didn't want to expand the ResponseWriter 2409// interface, and because nobody used trailers, and because RFC 7230 2410// says you SHOULD (but not must) predeclare any trailers in the 2411// header, the official ResponseWriter rules said trailers in Go must 2412// be predeclared, and then we reuse the same ResponseWriter.Header() 2413// map to mean both Headers and Trailers. When it's time to write the 2414// Trailers, we pick out the fields of Headers that were declared as 2415// trailers. That worked for a while, until we found the first major 2416// user of Trailers in the wild: gRPC (using them only over http2), 2417// and gRPC libraries permit setting trailers mid-stream without 2418// predeclarnig them. So: change of plans. We still permit the old 2419// way, but we also permit this hack: if a Header() key begins with 2420// "Trailer:", the suffix of that key is a Trailer. Because ':' is an 2421// invalid token byte anyway, there is no ambiguity. (And it's already 2422// filtered out) It's mildly hacky, but not terrible. 2423// 2424// This method runs after the Handler is done and promotes any Header 2425// fields to be trailers. 2426func (rws *responseWriterState) promoteUndeclaredTrailers() { 2427 for k, vv := range rws.handlerHeader { 2428 if !strings.HasPrefix(k, TrailerPrefix) { 2429 continue 2430 } 2431 trailerKey := strings.TrimPrefix(k, TrailerPrefix) 2432 rws.declareTrailer(trailerKey) 2433 rws.handlerHeader[http.CanonicalHeaderKey(trailerKey)] = vv 2434 } 2435 2436 if len(rws.trailers) > 1 { 2437 sorter := sorterPool.Get().(*sorter) 2438 sorter.SortStrings(rws.trailers) 2439 sorterPool.Put(sorter) 2440 } 2441} 2442 2443func (w *responseWriter) Flush() { 2444 rws := w.rws 2445 if rws == nil { 2446 panic("Header called after Handler finished") 2447 } 2448 if rws.bw.Buffered() > 0 { 2449 if err := rws.bw.Flush(); err != nil { 2450 // Ignore the error. The frame writer already knows. 2451 return 2452 } 2453 } else { 2454 // The bufio.Writer won't call chunkWriter.Write 2455 // (writeChunk with zero bytes, so we have to do it 2456 // ourselves to force the HTTP response header and/or 2457 // final DATA frame (with END_STREAM) to be sent. 2458 rws.writeChunk(nil) 2459 } 2460} 2461 2462func (w *responseWriter) CloseNotify() <-chan bool { 2463 rws := w.rws 2464 if rws == nil { 2465 panic("CloseNotify called after Handler finished") 2466 } 2467 rws.closeNotifierMu.Lock() 2468 ch := rws.closeNotifierCh 2469 if ch == nil { 2470 ch = make(chan bool, 1) 2471 rws.closeNotifierCh = ch 2472 cw := rws.stream.cw 2473 go func() { 2474 cw.Wait() // wait for close 2475 ch <- true 2476 }() 2477 } 2478 rws.closeNotifierMu.Unlock() 2479 return ch 2480} 2481 2482func (w *responseWriter) Header() http.Header { 2483 rws := w.rws 2484 if rws == nil { 2485 panic("Header called after Handler finished") 2486 } 2487 if rws.handlerHeader == nil { 2488 rws.handlerHeader = make(http.Header) 2489 } 2490 return rws.handlerHeader 2491} 2492 2493// checkWriteHeaderCode is a copy of net/http's checkWriteHeaderCode. 2494func checkWriteHeaderCode(code int) { 2495 // Issue 22880: require valid WriteHeader status codes. 2496 // For now we only enforce that it's three digits. 2497 // In the future we might block things over 599 (600 and above aren't defined 2498 // at http://httpwg.org/specs/rfc7231.html#status.codes) 2499 // and we might block under 200 (once we have more mature 1xx support). 2500 // But for now any three digits. 2501 // 2502 // We used to send "HTTP/1.1 000 0" on the wire in responses but there's 2503 // no equivalent bogus thing we can realistically send in HTTP/2, 2504 // so we'll consistently panic instead and help people find their bugs 2505 // early. (We can't return an error from WriteHeader even if we wanted to.) 2506 if code < 100 || code > 999 { 2507 panic(fmt.Sprintf("invalid WriteHeader code %v", code)) 2508 } 2509} 2510 2511func (w *responseWriter) WriteHeader(code int) { 2512 rws := w.rws 2513 if rws == nil { 2514 panic("WriteHeader called after Handler finished") 2515 } 2516 rws.writeHeader(code) 2517} 2518 2519func (rws *responseWriterState) writeHeader(code int) { 2520 if !rws.wroteHeader { 2521 checkWriteHeaderCode(code) 2522 rws.wroteHeader = true 2523 rws.status = code 2524 if len(rws.handlerHeader) > 0 { 2525 rws.snapHeader = cloneHeader(rws.handlerHeader) 2526 } 2527 } 2528} 2529 2530func cloneHeader(h http.Header) http.Header { 2531 h2 := make(http.Header, len(h)) 2532 for k, vv := range h { 2533 vv2 := make([]string, len(vv)) 2534 copy(vv2, vv) 2535 h2[k] = vv2 2536 } 2537 return h2 2538} 2539 2540// The Life Of A Write is like this: 2541// 2542// * Handler calls w.Write or w.WriteString -> 2543// * -> rws.bw (*bufio.Writer) -> 2544// * (Handler might call Flush) 2545// * -> chunkWriter{rws} 2546// * -> responseWriterState.writeChunk(p []byte) 2547// * -> responseWriterState.writeChunk (most of the magic; see comment there) 2548func (w *responseWriter) Write(p []byte) (n int, err error) { 2549 return w.write(len(p), p, "") 2550} 2551 2552func (w *responseWriter) WriteString(s string) (n int, err error) { 2553 return w.write(len(s), nil, s) 2554} 2555 2556// either dataB or dataS is non-zero. 2557func (w *responseWriter) write(lenData int, dataB []byte, dataS string) (n int, err error) { 2558 rws := w.rws 2559 if rws == nil { 2560 panic("Write called after Handler finished") 2561 } 2562 if !rws.wroteHeader { 2563 w.WriteHeader(200) 2564 } 2565 if !bodyAllowedForStatus(rws.status) { 2566 return 0, http.ErrBodyNotAllowed 2567 } 2568 rws.wroteBytes += int64(len(dataB)) + int64(len(dataS)) // only one can be set 2569 if rws.sentContentLen != 0 && rws.wroteBytes > rws.sentContentLen { 2570 // TODO: send a RST_STREAM 2571 return 0, errors.New("http2: handler wrote more than declared Content-Length") 2572 } 2573 2574 if dataB != nil { 2575 return rws.bw.Write(dataB) 2576 } else { 2577 return rws.bw.WriteString(dataS) 2578 } 2579} 2580 2581func (w *responseWriter) handlerDone() { 2582 rws := w.rws 2583 dirty := rws.dirty 2584 rws.handlerDone = true 2585 w.Flush() 2586 w.rws = nil 2587 if !dirty { 2588 // Only recycle the pool if all prior Write calls to 2589 // the serverConn goroutine completed successfully. If 2590 // they returned earlier due to resets from the peer 2591 // there might still be write goroutines outstanding 2592 // from the serverConn referencing the rws memory. See 2593 // issue 20704. 2594 responseWriterStatePool.Put(rws) 2595 } 2596} 2597 2598// Push errors. 2599var ( 2600 ErrRecursivePush = errors.New("http2: recursive push not allowed") 2601 ErrPushLimitReached = errors.New("http2: push would exceed peer's SETTINGS_MAX_CONCURRENT_STREAMS") 2602) 2603 2604// pushOptions is the internal version of http.PushOptions, which we 2605// cannot include here because it's only defined in Go 1.8 and later. 2606type pushOptions struct { 2607 Method string 2608 Header http.Header 2609} 2610 2611func (w *responseWriter) push(target string, opts pushOptions) error { 2612 st := w.rws.stream 2613 sc := st.sc 2614 sc.serveG.checkNotOn() 2615 2616 // No recursive pushes: "PUSH_PROMISE frames MUST only be sent on a peer-initiated stream." 2617 // http://tools.ietf.org/html/rfc7540#section-6.6 2618 if st.isPushed() { 2619 return ErrRecursivePush 2620 } 2621 2622 // Default options. 2623 if opts.Method == "" { 2624 opts.Method = "GET" 2625 } 2626 if opts.Header == nil { 2627 opts.Header = http.Header{} 2628 } 2629 wantScheme := "http" 2630 if w.rws.req.TLS != nil { 2631 wantScheme = "https" 2632 } 2633 2634 // Validate the request. 2635 u, err := url.Parse(target) 2636 if err != nil { 2637 return err 2638 } 2639 if u.Scheme == "" { 2640 if !strings.HasPrefix(target, "/") { 2641 return fmt.Errorf("target must be an absolute URL or an absolute path: %q", target) 2642 } 2643 u.Scheme = wantScheme 2644 u.Host = w.rws.req.Host 2645 } else { 2646 if u.Scheme != wantScheme { 2647 return fmt.Errorf("cannot push URL with scheme %q from request with scheme %q", u.Scheme, wantScheme) 2648 } 2649 if u.Host == "" { 2650 return errors.New("URL must have a host") 2651 } 2652 } 2653 for k := range opts.Header { 2654 if strings.HasPrefix(k, ":") { 2655 return fmt.Errorf("promised request headers cannot include pseudo header %q", k) 2656 } 2657 // These headers are meaningful only if the request has a body, 2658 // but PUSH_PROMISE requests cannot have a body. 2659 // http://tools.ietf.org/html/rfc7540#section-8.2 2660 // Also disallow Host, since the promised URL must be absolute. 2661 switch strings.ToLower(k) { 2662 case "content-length", "content-encoding", "trailer", "te", "expect", "host": 2663 return fmt.Errorf("promised request headers cannot include %q", k) 2664 } 2665 } 2666 if err := checkValidHTTP2RequestHeaders(opts.Header); err != nil { 2667 return err 2668 } 2669 2670 // The RFC effectively limits promised requests to GET and HEAD: 2671 // "Promised requests MUST be cacheable [GET, HEAD, or POST], and MUST be safe [GET or HEAD]" 2672 // http://tools.ietf.org/html/rfc7540#section-8.2 2673 if opts.Method != "GET" && opts.Method != "HEAD" { 2674 return fmt.Errorf("method %q must be GET or HEAD", opts.Method) 2675 } 2676 2677 msg := &startPushRequest{ 2678 parent: st, 2679 method: opts.Method, 2680 url: u, 2681 header: cloneHeader(opts.Header), 2682 done: errChanPool.Get().(chan error), 2683 } 2684 2685 select { 2686 case <-sc.doneServing: 2687 return errClientDisconnected 2688 case <-st.cw: 2689 return errStreamClosed 2690 case sc.serveMsgCh <- msg: 2691 } 2692 2693 select { 2694 case <-sc.doneServing: 2695 return errClientDisconnected 2696 case <-st.cw: 2697 return errStreamClosed 2698 case err := <-msg.done: 2699 errChanPool.Put(msg.done) 2700 return err 2701 } 2702} 2703 2704type startPushRequest struct { 2705 parent *stream 2706 method string 2707 url *url.URL 2708 header http.Header 2709 done chan error 2710} 2711 2712func (sc *serverConn) startPush(msg *startPushRequest) { 2713 sc.serveG.check() 2714 2715 // http://tools.ietf.org/html/rfc7540#section-6.6. 2716 // PUSH_PROMISE frames MUST only be sent on a peer-initiated stream that 2717 // is in either the "open" or "half-closed (remote)" state. 2718 if msg.parent.state != stateOpen && msg.parent.state != stateHalfClosedRemote { 2719 // responseWriter.Push checks that the stream is peer-initiaed. 2720 msg.done <- errStreamClosed 2721 return 2722 } 2723 2724 // http://tools.ietf.org/html/rfc7540#section-6.6. 2725 if !sc.pushEnabled { 2726 msg.done <- http.ErrNotSupported 2727 return 2728 } 2729 2730 // PUSH_PROMISE frames must be sent in increasing order by stream ID, so 2731 // we allocate an ID for the promised stream lazily, when the PUSH_PROMISE 2732 // is written. Once the ID is allocated, we start the request handler. 2733 allocatePromisedID := func() (uint32, error) { 2734 sc.serveG.check() 2735 2736 // Check this again, just in case. Technically, we might have received 2737 // an updated SETTINGS by the time we got around to writing this frame. 2738 if !sc.pushEnabled { 2739 return 0, http.ErrNotSupported 2740 } 2741 // http://tools.ietf.org/html/rfc7540#section-6.5.2. 2742 if sc.curPushedStreams+1 > sc.clientMaxStreams { 2743 return 0, ErrPushLimitReached 2744 } 2745 2746 // http://tools.ietf.org/html/rfc7540#section-5.1.1. 2747 // Streams initiated by the server MUST use even-numbered identifiers. 2748 // A server that is unable to establish a new stream identifier can send a GOAWAY 2749 // frame so that the client is forced to open a new connection for new streams. 2750 if sc.maxPushPromiseID+2 >= 1<<31 { 2751 sc.startGracefulShutdownInternal() 2752 return 0, ErrPushLimitReached 2753 } 2754 sc.maxPushPromiseID += 2 2755 promisedID := sc.maxPushPromiseID 2756 2757 // http://tools.ietf.org/html/rfc7540#section-8.2. 2758 // Strictly speaking, the new stream should start in "reserved (local)", then 2759 // transition to "half closed (remote)" after sending the initial HEADERS, but 2760 // we start in "half closed (remote)" for simplicity. 2761 // See further comments at the definition of stateHalfClosedRemote. 2762 promised := sc.newStream(promisedID, msg.parent.id, stateHalfClosedRemote) 2763 rw, req, err := sc.newWriterAndRequestNoBody(promised, requestParam{ 2764 method: msg.method, 2765 scheme: msg.url.Scheme, 2766 authority: msg.url.Host, 2767 path: msg.url.RequestURI(), 2768 header: cloneHeader(msg.header), // clone since handler runs concurrently with writing the PUSH_PROMISE 2769 }) 2770 if err != nil { 2771 // Should not happen, since we've already validated msg.url. 2772 panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err)) 2773 } 2774 2775 go sc.runHandler(rw, req, sc.handler.ServeHTTP) 2776 return promisedID, nil 2777 } 2778 2779 sc.writeFrame(FrameWriteRequest{ 2780 write: &writePushPromise{ 2781 streamID: msg.parent.id, 2782 method: msg.method, 2783 url: msg.url, 2784 h: msg.header, 2785 allocatePromisedID: allocatePromisedID, 2786 }, 2787 stream: msg.parent, 2788 done: msg.done, 2789 }) 2790} 2791 2792// foreachHeaderElement splits v according to the "#rule" construction 2793// in RFC 7230 section 7 and calls fn for each non-empty element. 2794func foreachHeaderElement(v string, fn func(string)) { 2795 v = textproto.TrimString(v) 2796 if v == "" { 2797 return 2798 } 2799 if !strings.Contains(v, ",") { 2800 fn(v) 2801 return 2802 } 2803 for _, f := range strings.Split(v, ",") { 2804 if f = textproto.TrimString(f); f != "" { 2805 fn(f) 2806 } 2807 } 2808} 2809 2810// From http://httpwg.org/specs/rfc7540.html#rfc.section.8.1.2.2 2811var connHeaders = []string{ 2812 "Connection", 2813 "Keep-Alive", 2814 "Proxy-Connection", 2815 "Transfer-Encoding", 2816 "Upgrade", 2817} 2818 2819// checkValidHTTP2RequestHeaders checks whether h is a valid HTTP/2 request, 2820// per RFC 7540 Section 8.1.2.2. 2821// The returned error is reported to users. 2822func checkValidHTTP2RequestHeaders(h http.Header) error { 2823 for _, k := range connHeaders { 2824 if _, ok := h[k]; ok { 2825 return fmt.Errorf("request header %q is not valid in HTTP/2", k) 2826 } 2827 } 2828 te := h["Te"] 2829 if len(te) > 0 && (len(te) > 1 || (te[0] != "trailers" && te[0] != "")) { 2830 return errors.New(`request header "TE" may only be "trailers" in HTTP/2`) 2831 } 2832 return nil 2833} 2834 2835func new400Handler(err error) http.HandlerFunc { 2836 return func(w http.ResponseWriter, r *http.Request) { 2837 http.Error(w, err.Error(), http.StatusBadRequest) 2838 } 2839} 2840 2841// ValidTrailerHeader reports whether name is a valid header field name to appear 2842// in trailers. 2843// See: http://tools.ietf.org/html/rfc7230#section-4.1.2 2844func ValidTrailerHeader(name string) bool { 2845 name = http.CanonicalHeaderKey(name) 2846 if strings.HasPrefix(name, "If-") || badTrailer[name] { 2847 return false 2848 } 2849 return true 2850} 2851 2852var badTrailer = map[string]bool{ 2853 "Authorization": true, 2854 "Cache-Control": true, 2855 "Connection": true, 2856 "Content-Encoding": true, 2857 "Content-Length": true, 2858 "Content-Range": true, 2859 "Content-Type": true, 2860 "Expect": true, 2861 "Host": true, 2862 "Keep-Alive": true, 2863 "Max-Forwards": true, 2864 "Pragma": true, 2865 "Proxy-Authenticate": true, 2866 "Proxy-Authorization": true, 2867 "Proxy-Connection": true, 2868 "Range": true, 2869 "Realm": true, 2870 "Te": true, 2871 "Trailer": true, 2872 "Transfer-Encoding": true, 2873 "Www-Authenticate": true, 2874} 2875 2876// h1ServerKeepAlivesDisabled reports whether hs has its keep-alives 2877// disabled. See comments on h1ServerShutdownChan above for why 2878// the code is written this way. 2879func h1ServerKeepAlivesDisabled(hs *http.Server) bool { 2880 var x interface{} = hs 2881 type I interface { 2882 doKeepAlives() bool 2883 } 2884 if hs, ok := x.(I); ok { 2885 return !hs.doKeepAlives() 2886 } 2887 return false 2888} 2889