ssltunnel.c revision 269847
1/* Copyright 2011 Justin Erenkrantz and Greg Stein 2 * 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16/*** Setup a SSL tunnel over a HTTP proxy, according to RFC 2817. ***/ 17 18#include <apr_pools.h> 19#include <apr_strings.h> 20 21#include "serf.h" 22#include "serf_private.h" 23 24 25/* Structure passed around as baton for the CONNECT request and respone. */ 26typedef struct { 27 apr_pool_t *pool; 28 const char *uri; 29} req_ctx_t; 30 31/* forward declaration. */ 32static apr_status_t setup_request(serf_request_t *request, 33 void *setup_baton, 34 serf_bucket_t **req_bkt, 35 serf_response_acceptor_t *acceptor, 36 void **acceptor_baton, 37 serf_response_handler_t *handler, 38 void **handler_baton, 39 apr_pool_t *pool); 40 41static serf_bucket_t* accept_response(serf_request_t *request, 42 serf_bucket_t *stream, 43 void *acceptor_baton, 44 apr_pool_t *pool) 45{ 46 serf_bucket_t *c; 47 serf_bucket_alloc_t *bkt_alloc; 48#if 0 49 req_ctx_t *ctx = acceptor_baton; 50#endif 51 52 /* get the per-request bucket allocator */ 53 bkt_alloc = serf_request_get_alloc(request); 54 55 /* Create a barrier so the response doesn't eat us! */ 56 c = serf_bucket_barrier_create(stream, bkt_alloc); 57 58 return serf_bucket_response_create(c, bkt_alloc); 59} 60 61/* If a 200 OK was received for the CONNECT request, consider the connection 62 as ready for use. */ 63static apr_status_t handle_response(serf_request_t *request, 64 serf_bucket_t *response, 65 void *handler_baton, 66 apr_pool_t *pool) 67{ 68 apr_status_t status; 69 serf_status_line sl; 70 req_ctx_t *ctx = handler_baton; 71 serf_connection_t *conn = request->conn; 72 73 /* CONNECT request was cancelled. Assuming that this is during connection 74 reset, we can safely discard the request as a new one will be created 75 when setting up the next connection. */ 76 if (!response) 77 return APR_SUCCESS; 78 79 status = serf_bucket_response_status(response, &sl); 80 if (SERF_BUCKET_READ_ERROR(status)) { 81 return status; 82 } 83 if (!sl.version && (APR_STATUS_IS_EOF(status) || 84 APR_STATUS_IS_EAGAIN(status))) 85 { 86 return status; 87 } 88 89 status = serf_bucket_response_wait_for_headers(response); 90 if (status && !APR_STATUS_IS_EOF(status)) { 91 return status; 92 } 93 94 /* RFC 2817: Any successful (2xx) response to a CONNECT request indicates 95 that the proxy has established a connection to the requested host and 96 port, and has switched to tunneling the current connection to that server 97 connection. 98 */ 99 if (sl.code >= 200 && sl.code < 300) { 100 serf_bucket_t *hdrs; 101 const char *val; 102 103 conn->state = SERF_CONN_CONNECTED; 104 105 /* Body is supposed to be empty. */ 106 apr_pool_destroy(ctx->pool); 107 serf_bucket_destroy(conn->ssltunnel_ostream); 108 serf_bucket_destroy(conn->stream); 109 conn->stream = NULL; 110 ctx = NULL; 111 112 serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt, 113 "successfully set up ssl tunnel.\n"); 114 115 /* Fix for issue #123: ignore the "Connection: close" header here, 116 leaving the header in place would make the serf's main context 117 loop close this connection immediately after reading the 200 OK 118 response. */ 119 120 hdrs = serf_bucket_response_get_headers(response); 121 val = serf_bucket_headers_get(hdrs, "Connection"); 122 if (val && strcasecmp("close", val) == 0) { 123 serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt, 124 "Ignore Connection: close header on this reponse, don't " 125 "close the connection now that the tunnel is set up.\n"); 126 serf__bucket_headers_remove(hdrs, "Connection"); 127 } 128 129 return APR_EOF; 130 } 131 132 /* Authentication failure and 2xx Ok are handled at this point, 133 the rest are errors. */ 134 return SERF_ERROR_SSLTUNNEL_SETUP_FAILED; 135} 136 137/* Prepare the CONNECT request. */ 138static apr_status_t setup_request(serf_request_t *request, 139 void *setup_baton, 140 serf_bucket_t **req_bkt, 141 serf_response_acceptor_t *acceptor, 142 void **acceptor_baton, 143 serf_response_handler_t *handler, 144 void **handler_baton, 145 apr_pool_t *pool) 146{ 147 req_ctx_t *ctx = setup_baton; 148 149 *req_bkt = 150 serf_request_bucket_request_create(request, 151 "CONNECT", ctx->uri, 152 NULL, 153 serf_request_get_alloc(request)); 154 *acceptor = accept_response; 155 *acceptor_baton = ctx; 156 *handler = handle_response; 157 *handler_baton = ctx; 158 159 return APR_SUCCESS; 160} 161 162static apr_status_t detect_eof(void *baton, serf_bucket_t *aggregate_bucket) 163{ 164 serf_connection_t *conn = baton; 165 conn->hit_eof = 1; 166 return APR_EAGAIN; 167} 168 169/* SSL tunnel is needed, push a CONNECT request on the connection. */ 170apr_status_t serf__ssltunnel_connect(serf_connection_t *conn) 171{ 172 req_ctx_t *ctx; 173 apr_pool_t *ssltunnel_pool; 174 175 apr_pool_create(&ssltunnel_pool, conn->pool); 176 177 ctx = apr_palloc(ssltunnel_pool, sizeof(*ctx)); 178 ctx->pool = ssltunnel_pool; 179 ctx->uri = apr_psprintf(ctx->pool, "%s:%d", conn->host_info.hostname, 180 conn->host_info.port); 181 182 conn->ssltunnel_ostream = serf__bucket_stream_create(conn->allocator, 183 detect_eof, 184 conn); 185 186 serf__ssltunnel_request_create(conn, 187 setup_request, 188 ctx); 189 190 conn->state = SERF_CONN_SETUP_SSLTUNNEL; 191 serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt, 192 "setting up ssl tunnel on connection.\n"); 193 194 return APR_SUCCESS; 195} 196