ssltunnel.c revision 262339
1251877Speter/* Copyright 2011 Justin Erenkrantz and Greg Stein 2251877Speter * 3251877Speter * Licensed under the Apache License, Version 2.0 (the "License"); 4251877Speter * you may not use this file except in compliance with the License. 5251877Speter * You may obtain a copy of the License at 6251877Speter * 7251877Speter * http://www.apache.org/licenses/LICENSE-2.0 8251877Speter * 9251877Speter * Unless required by applicable law or agreed to in writing, software 10251877Speter * distributed under the License is distributed on an "AS IS" BASIS, 11251877Speter * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12251877Speter * See the License for the specific language governing permissions and 13251877Speter * limitations under the License. 14251877Speter */ 15251877Speter 16251877Speter/*** Setup a SSL tunnel over a HTTP proxy, according to RFC 2817. ***/ 17251877Speter 18251877Speter#include <apr_pools.h> 19251877Speter#include <apr_strings.h> 20251877Speter 21251877Speter#include "serf.h" 22251877Speter#include "serf_private.h" 23251877Speter 24251877Speter 25251877Speter/* Structure passed around as baton for the CONNECT request and respone. */ 26251877Spetertypedef struct { 27251877Speter apr_pool_t *pool; 28251877Speter const char *uri; 29251877Speter} req_ctx_t; 30251877Speter 31251877Speter/* forward declaration. */ 32251877Speterstatic apr_status_t setup_request(serf_request_t *request, 33251877Speter void *setup_baton, 34251877Speter serf_bucket_t **req_bkt, 35251877Speter serf_response_acceptor_t *acceptor, 36251877Speter void **acceptor_baton, 37251877Speter serf_response_handler_t *handler, 38251877Speter void **handler_baton, 39251877Speter apr_pool_t *pool); 40251877Speter 41251877Speterstatic serf_bucket_t* accept_response(serf_request_t *request, 42251877Speter serf_bucket_t *stream, 43251877Speter void *acceptor_baton, 44251877Speter apr_pool_t *pool) 45251877Speter{ 46251877Speter serf_bucket_t *c; 47251877Speter serf_bucket_alloc_t *bkt_alloc; 48251877Speter#if 0 49251877Speter req_ctx_t *ctx = acceptor_baton; 50251877Speter#endif 51251877Speter 52251877Speter /* get the per-request bucket allocator */ 53251877Speter bkt_alloc = serf_request_get_alloc(request); 54251877Speter 55251877Speter /* Create a barrier so the response doesn't eat us! */ 56251877Speter c = serf_bucket_barrier_create(stream, bkt_alloc); 57251877Speter 58251877Speter return serf_bucket_response_create(c, bkt_alloc); 59251877Speter} 60251877Speter 61251877Speter/* If a 200 OK was received for the CONNECT request, consider the connection 62251877Speter as ready for use. */ 63251877Speterstatic apr_status_t handle_response(serf_request_t *request, 64251877Speter serf_bucket_t *response, 65251877Speter void *handler_baton, 66251877Speter apr_pool_t *pool) 67251877Speter{ 68251877Speter apr_status_t status; 69251877Speter serf_status_line sl; 70251877Speter req_ctx_t *ctx = handler_baton; 71262339Speter serf_connection_t *conn = request->conn; 72251877Speter 73251877Speter if (! response) { 74262339Speter serf_connection_request_create(conn, 75251877Speter setup_request, 76251877Speter ctx); 77251877Speter return APR_SUCCESS; 78251877Speter } 79251877Speter 80251877Speter status = serf_bucket_response_status(response, &sl); 81251877Speter if (SERF_BUCKET_READ_ERROR(status)) { 82251877Speter return status; 83251877Speter } 84251877Speter if (!sl.version && (APR_STATUS_IS_EOF(status) || 85251877Speter APR_STATUS_IS_EAGAIN(status))) 86251877Speter { 87251877Speter return status; 88251877Speter } 89251877Speter 90251877Speter status = serf_bucket_response_wait_for_headers(response); 91251877Speter if (status && !APR_STATUS_IS_EOF(status)) { 92251877Speter return status; 93251877Speter } 94251877Speter 95251877Speter /* RFC 2817: Any successful (2xx) response to a CONNECT request indicates 96251877Speter that the proxy has established a connection to the requested host and 97251877Speter port, and has switched to tunneling the current connection to that server 98251877Speter connection. 99251877Speter */ 100251877Speter if (sl.code >= 200 && sl.code < 300) { 101262339Speter serf_bucket_t *hdrs; 102262339Speter const char *val; 103251877Speter 104262339Speter conn->state = SERF_CONN_CONNECTED; 105262339Speter 106251877Speter /* Body is supposed to be empty. */ 107251877Speter apr_pool_destroy(ctx->pool); 108262339Speter serf_bucket_destroy(conn->ssltunnel_ostream); 109262339Speter serf_bucket_destroy(conn->stream); 110262339Speter conn->stream = NULL; 111251877Speter ctx = NULL; 112251877Speter 113262339Speter serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt, 114262339Speter "successfully set up ssl tunnel.\n"); 115251877Speter 116262339Speter /* Fix for issue #123: ignore the "Connection: close" header here, 117262339Speter leaving the header in place would make the serf's main context 118262339Speter loop close this connection immediately after reading the 200 OK 119262339Speter response. */ 120262339Speter 121262339Speter hdrs = serf_bucket_response_get_headers(response); 122262339Speter val = serf_bucket_headers_get(hdrs, "Connection"); 123262339Speter if (val && strcasecmp("close", val) == 0) { 124262339Speter serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt, 125262339Speter "Ignore Connection: close header on this reponse, don't " 126262339Speter "close the connection now that the tunnel is set up.\n"); 127262339Speter serf__bucket_headers_remove(hdrs, "Connection"); 128262339Speter } 129262339Speter 130251877Speter return APR_EOF; 131251877Speter } 132251877Speter 133251877Speter /* Authentication failure and 2xx Ok are handled at this point, 134251877Speter the rest are errors. */ 135251877Speter return SERF_ERROR_SSLTUNNEL_SETUP_FAILED; 136251877Speter} 137251877Speter 138251877Speter/* Prepare the CONNECT request. */ 139251877Speterstatic apr_status_t setup_request(serf_request_t *request, 140251877Speter void *setup_baton, 141251877Speter serf_bucket_t **req_bkt, 142251877Speter serf_response_acceptor_t *acceptor, 143251877Speter void **acceptor_baton, 144251877Speter serf_response_handler_t *handler, 145251877Speter void **handler_baton, 146251877Speter apr_pool_t *pool) 147251877Speter{ 148251877Speter req_ctx_t *ctx = setup_baton; 149251877Speter 150251877Speter *req_bkt = 151251877Speter serf_request_bucket_request_create(request, 152251877Speter "CONNECT", ctx->uri, 153251877Speter NULL, 154251877Speter serf_request_get_alloc(request)); 155251877Speter *acceptor = accept_response; 156251877Speter *acceptor_baton = ctx; 157251877Speter *handler = handle_response; 158251877Speter *handler_baton = ctx; 159251877Speter 160251877Speter return APR_SUCCESS; 161251877Speter} 162251877Speter 163251877Speterstatic apr_status_t detect_eof(void *baton, serf_bucket_t *aggregate_bucket) 164251877Speter{ 165251877Speter serf_connection_t *conn = baton; 166251877Speter conn->hit_eof = 1; 167251877Speter return APR_EAGAIN; 168251877Speter} 169251877Speter 170251877Speter/* SSL tunnel is needed, push a CONNECT request on the connection. */ 171251877Speterapr_status_t serf__ssltunnel_connect(serf_connection_t *conn) 172251877Speter{ 173251877Speter req_ctx_t *ctx; 174251877Speter apr_pool_t *ssltunnel_pool; 175251877Speter 176251877Speter apr_pool_create(&ssltunnel_pool, conn->pool); 177251877Speter 178251877Speter ctx = apr_palloc(ssltunnel_pool, sizeof(*ctx)); 179251877Speter ctx->pool = ssltunnel_pool; 180253895Speter ctx->uri = apr_psprintf(ctx->pool, "%s:%d", conn->host_info.hostname, 181251877Speter conn->host_info.port); 182251877Speter 183251877Speter conn->ssltunnel_ostream = serf__bucket_stream_create(conn->allocator, 184251877Speter detect_eof, 185251877Speter conn); 186251877Speter 187253895Speter serf__ssltunnel_request_create(conn, 188253895Speter setup_request, 189253895Speter ctx); 190251877Speter 191251877Speter conn->state = SERF_CONN_SETUP_SSLTUNNEL; 192262339Speter serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt, 193262339Speter "setting up ssl tunnel on connection.\n"); 194251877Speter 195251877Speter return APR_SUCCESS; 196251877Speter} 197