1251877Speter/* Copyright 2011 Justin Erenkrantz and Greg Stein
2251877Speter *
3251877Speter * Licensed under the Apache License, Version 2.0 (the "License");
4251877Speter * you may not use this file except in compliance with the License.
5251877Speter * You may obtain a copy of the License at
6251877Speter *
7251877Speter *     http://www.apache.org/licenses/LICENSE-2.0
8251877Speter *
9251877Speter * Unless required by applicable law or agreed to in writing, software
10251877Speter * distributed under the License is distributed on an "AS IS" BASIS,
11251877Speter * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12251877Speter * See the License for the specific language governing permissions and
13251877Speter * limitations under the License.
14251877Speter */
15251877Speter
16251877Speter/*** Setup a SSL tunnel over a HTTP proxy, according to RFC 2817. ***/
17251877Speter
18251877Speter#include <apr_pools.h>
19251877Speter#include <apr_strings.h>
20251877Speter
21251877Speter#include "serf.h"
22251877Speter#include "serf_private.h"
23251877Speter
24251877Speter
25251877Speter/* Structure passed around as baton for the CONNECT request and respone. */
26251877Spetertypedef struct {
27251877Speter    apr_pool_t *pool;
28251877Speter    const char *uri;
29251877Speter} req_ctx_t;
30251877Speter
31251877Speter/* forward declaration. */
32251877Speterstatic apr_status_t setup_request(serf_request_t *request,
33251877Speter                                  void *setup_baton,
34251877Speter                                  serf_bucket_t **req_bkt,
35251877Speter                                  serf_response_acceptor_t *acceptor,
36251877Speter                                  void **acceptor_baton,
37251877Speter                                  serf_response_handler_t *handler,
38251877Speter                                  void **handler_baton,
39251877Speter                                  apr_pool_t *pool);
40251877Speter
41251877Speterstatic serf_bucket_t* accept_response(serf_request_t *request,
42251877Speter                                      serf_bucket_t *stream,
43251877Speter                                      void *acceptor_baton,
44251877Speter                                      apr_pool_t *pool)
45251877Speter{
46251877Speter    serf_bucket_t *c;
47251877Speter    serf_bucket_alloc_t *bkt_alloc;
48251877Speter#if 0
49251877Speter    req_ctx_t *ctx = acceptor_baton;
50251877Speter#endif
51251877Speter
52251877Speter    /* get the per-request bucket allocator */
53251877Speter    bkt_alloc = serf_request_get_alloc(request);
54251877Speter
55251877Speter    /* Create a barrier so the response doesn't eat us! */
56251877Speter    c = serf_bucket_barrier_create(stream, bkt_alloc);
57251877Speter
58251877Speter    return serf_bucket_response_create(c, bkt_alloc);
59251877Speter}
60251877Speter
61251877Speter/* If a 200 OK was received for the CONNECT request, consider the connection
62251877Speter   as ready for use. */
63251877Speterstatic apr_status_t handle_response(serf_request_t *request,
64251877Speter                                    serf_bucket_t *response,
65251877Speter                                    void *handler_baton,
66251877Speter                                    apr_pool_t *pool)
67251877Speter{
68251877Speter    apr_status_t status;
69251877Speter    serf_status_line sl;
70251877Speter    req_ctx_t *ctx = handler_baton;
71262339Speter    serf_connection_t *conn = request->conn;
72251877Speter
73269847Speter    /* CONNECT request was cancelled. Assuming that this is during connection
74269847Speter       reset, we can safely discard the request as a new one will be created
75269847Speter       when setting up the next connection. */
76269847Speter    if (!response)
77251877Speter        return APR_SUCCESS;
78251877Speter
79251877Speter    status = serf_bucket_response_status(response, &sl);
80251877Speter    if (SERF_BUCKET_READ_ERROR(status)) {
81251877Speter        return status;
82251877Speter    }
83251877Speter    if (!sl.version && (APR_STATUS_IS_EOF(status) ||
84251877Speter                      APR_STATUS_IS_EAGAIN(status)))
85251877Speter    {
86251877Speter        return status;
87251877Speter    }
88251877Speter
89251877Speter    status = serf_bucket_response_wait_for_headers(response);
90251877Speter    if (status && !APR_STATUS_IS_EOF(status)) {
91251877Speter        return status;
92251877Speter    }
93251877Speter
94251877Speter    /* RFC 2817:  Any successful (2xx) response to a CONNECT request indicates
95251877Speter       that the proxy has established a connection to the requested host and
96251877Speter       port, and has switched to tunneling the current connection to that server
97251877Speter       connection.
98251877Speter    */
99251877Speter    if (sl.code >= 200 && sl.code < 300) {
100262339Speter        serf_bucket_t *hdrs;
101262339Speter        const char *val;
102251877Speter
103262339Speter        conn->state = SERF_CONN_CONNECTED;
104262339Speter
105251877Speter        /* Body is supposed to be empty. */
106251877Speter        apr_pool_destroy(ctx->pool);
107262339Speter        serf_bucket_destroy(conn->ssltunnel_ostream);
108262339Speter        serf_bucket_destroy(conn->stream);
109262339Speter        conn->stream = NULL;
110251877Speter        ctx = NULL;
111251877Speter
112262339Speter        serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
113262339Speter                      "successfully set up ssl tunnel.\n");
114251877Speter
115262339Speter        /* Fix for issue #123: ignore the "Connection: close" header here,
116262339Speter           leaving the header in place would make the serf's main context
117262339Speter           loop close this connection immediately after reading the 200 OK
118262339Speter           response. */
119262339Speter
120262339Speter        hdrs = serf_bucket_response_get_headers(response);
121262339Speter        val = serf_bucket_headers_get(hdrs, "Connection");
122262339Speter        if (val && strcasecmp("close", val) == 0) {
123262339Speter            serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
124262339Speter                      "Ignore Connection: close header on this reponse, don't "
125262339Speter                      "close the connection now that the tunnel is set up.\n");
126262339Speter            serf__bucket_headers_remove(hdrs, "Connection");
127262339Speter        }
128262339Speter
129251877Speter        return APR_EOF;
130251877Speter    }
131251877Speter
132251877Speter    /* Authentication failure and 2xx Ok are handled at this point,
133251877Speter       the rest are errors. */
134251877Speter    return SERF_ERROR_SSLTUNNEL_SETUP_FAILED;
135251877Speter}
136251877Speter
137251877Speter/* Prepare the CONNECT request. */
138251877Speterstatic apr_status_t setup_request(serf_request_t *request,
139251877Speter                                  void *setup_baton,
140251877Speter                                  serf_bucket_t **req_bkt,
141251877Speter                                  serf_response_acceptor_t *acceptor,
142251877Speter                                  void **acceptor_baton,
143251877Speter                                  serf_response_handler_t *handler,
144251877Speter                                  void **handler_baton,
145251877Speter                                  apr_pool_t *pool)
146251877Speter{
147251877Speter    req_ctx_t *ctx = setup_baton;
148251877Speter
149251877Speter    *req_bkt =
150251877Speter        serf_request_bucket_request_create(request,
151251877Speter                                           "CONNECT", ctx->uri,
152251877Speter                                           NULL,
153251877Speter                                           serf_request_get_alloc(request));
154251877Speter    *acceptor = accept_response;
155251877Speter    *acceptor_baton = ctx;
156251877Speter    *handler = handle_response;
157251877Speter    *handler_baton = ctx;
158251877Speter
159251877Speter    return APR_SUCCESS;
160251877Speter}
161251877Speter
162251877Speterstatic apr_status_t detect_eof(void *baton, serf_bucket_t *aggregate_bucket)
163251877Speter{
164251877Speter    serf_connection_t *conn = baton;
165251877Speter    conn->hit_eof = 1;
166251877Speter    return APR_EAGAIN;
167251877Speter}
168251877Speter
169251877Speter/* SSL tunnel is needed, push a CONNECT request on the connection. */
170251877Speterapr_status_t serf__ssltunnel_connect(serf_connection_t *conn)
171251877Speter{
172251877Speter    req_ctx_t *ctx;
173251877Speter    apr_pool_t *ssltunnel_pool;
174251877Speter
175251877Speter    apr_pool_create(&ssltunnel_pool, conn->pool);
176251877Speter
177251877Speter    ctx = apr_palloc(ssltunnel_pool, sizeof(*ctx));
178251877Speter    ctx->pool = ssltunnel_pool;
179253895Speter    ctx->uri = apr_psprintf(ctx->pool, "%s:%d", conn->host_info.hostname,
180251877Speter                            conn->host_info.port);
181251877Speter
182251877Speter    conn->ssltunnel_ostream = serf__bucket_stream_create(conn->allocator,
183251877Speter                                                         detect_eof,
184251877Speter                                                         conn);
185251877Speter
186253895Speter    serf__ssltunnel_request_create(conn,
187253895Speter                                   setup_request,
188253895Speter                                   ctx);
189251877Speter
190251877Speter    conn->state = SERF_CONN_SETUP_SSLTUNNEL;
191262339Speter    serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
192262339Speter                  "setting up ssl tunnel on connection.\n");
193251877Speter
194251877Speter    return APR_SUCCESS;
195251877Speter}
196