1362181Sdim/* ==================================================================== 2362181Sdim * Licensed to the Apache Software Foundation (ASF) under one 3362181Sdim * or more contributor license agreements. See the NOTICE file 4362181Sdim * distributed with this work for additional information 5362181Sdim * regarding copyright ownership. The ASF licenses this file 6362181Sdim * to you under the Apache License, Version 2.0 (the 7362181Sdim * "License"); you may not use this file except in compliance 8362181Sdim * with the License. You may obtain a copy of the License at 9251877Speter * 10362181Sdim * http://www.apache.org/licenses/LICENSE-2.0 11251877Speter * 12362181Sdim * Unless required by applicable law or agreed to in writing, 13362181Sdim * software distributed under the License is distributed on an 14362181Sdim * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15362181Sdim * KIND, either express or implied. See the License for the 16362181Sdim * specific language governing permissions and limitations 17362181Sdim * under the License. 18362181Sdim * ==================================================================== 19251877Speter */ 20251877Speter 21251877Speter/*** Setup a SSL tunnel over a HTTP proxy, according to RFC 2817. ***/ 22251877Speter 23251877Speter#include <apr_pools.h> 24251877Speter#include <apr_strings.h> 25251877Speter 26251877Speter#include "serf.h" 27251877Speter#include "serf_private.h" 28251877Speter 29251877Speter 30251877Speter/* Structure passed around as baton for the CONNECT request and respone. */ 31251877Spetertypedef struct { 32251877Speter apr_pool_t *pool; 33251877Speter const char *uri; 34251877Speter} req_ctx_t; 35251877Speter 36251877Speter/* forward declaration. */ 37251877Speterstatic apr_status_t setup_request(serf_request_t *request, 38251877Speter void *setup_baton, 39251877Speter serf_bucket_t **req_bkt, 40251877Speter serf_response_acceptor_t *acceptor, 41251877Speter void **acceptor_baton, 42251877Speter serf_response_handler_t *handler, 43251877Speter void **handler_baton, 44251877Speter apr_pool_t *pool); 45251877Speter 46251877Speterstatic serf_bucket_t* accept_response(serf_request_t *request, 47251877Speter serf_bucket_t *stream, 48251877Speter void *acceptor_baton, 49251877Speter apr_pool_t *pool) 50251877Speter{ 51251877Speter serf_bucket_t *c; 52251877Speter serf_bucket_alloc_t *bkt_alloc; 53251877Speter#if 0 54251877Speter req_ctx_t *ctx = acceptor_baton; 55251877Speter#endif 56251877Speter 57251877Speter /* get the per-request bucket allocator */ 58251877Speter bkt_alloc = serf_request_get_alloc(request); 59251877Speter 60251877Speter /* Create a barrier so the response doesn't eat us! */ 61251877Speter c = serf_bucket_barrier_create(stream, bkt_alloc); 62251877Speter 63251877Speter return serf_bucket_response_create(c, bkt_alloc); 64251877Speter} 65251877Speter 66251877Speter/* If a 200 OK was received for the CONNECT request, consider the connection 67251877Speter as ready for use. */ 68251877Speterstatic apr_status_t handle_response(serf_request_t *request, 69251877Speter serf_bucket_t *response, 70251877Speter void *handler_baton, 71251877Speter apr_pool_t *pool) 72251877Speter{ 73251877Speter apr_status_t status; 74251877Speter serf_status_line sl; 75251877Speter req_ctx_t *ctx = handler_baton; 76262324Speter serf_connection_t *conn = request->conn; 77251877Speter 78266728Speter /* CONNECT request was cancelled. Assuming that this is during connection 79266728Speter reset, we can safely discard the request as a new one will be created 80266728Speter when setting up the next connection. */ 81266728Speter if (!response) 82251877Speter return APR_SUCCESS; 83251877Speter 84251877Speter status = serf_bucket_response_status(response, &sl); 85251877Speter if (SERF_BUCKET_READ_ERROR(status)) { 86251877Speter return status; 87251877Speter } 88251877Speter if (!sl.version && (APR_STATUS_IS_EOF(status) || 89251877Speter APR_STATUS_IS_EAGAIN(status))) 90251877Speter { 91251877Speter return status; 92251877Speter } 93251877Speter 94251877Speter status = serf_bucket_response_wait_for_headers(response); 95251877Speter if (status && !APR_STATUS_IS_EOF(status)) { 96251877Speter return status; 97251877Speter } 98251877Speter 99251877Speter /* RFC 2817: Any successful (2xx) response to a CONNECT request indicates 100251877Speter that the proxy has established a connection to the requested host and 101251877Speter port, and has switched to tunneling the current connection to that server 102251877Speter connection. 103251877Speter */ 104251877Speter if (sl.code >= 200 && sl.code < 300) { 105262324Speter serf_bucket_t *hdrs; 106262324Speter const char *val; 107251877Speter 108262324Speter conn->state = SERF_CONN_CONNECTED; 109262324Speter 110251877Speter /* Body is supposed to be empty. */ 111251877Speter apr_pool_destroy(ctx->pool); 112262324Speter serf_bucket_destroy(conn->ssltunnel_ostream); 113262324Speter serf_bucket_destroy(conn->stream); 114262324Speter conn->stream = NULL; 115251877Speter ctx = NULL; 116251877Speter 117262324Speter serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt, 118262324Speter "successfully set up ssl tunnel.\n"); 119251877Speter 120262324Speter /* Fix for issue #123: ignore the "Connection: close" header here, 121262324Speter leaving the header in place would make the serf's main context 122262324Speter loop close this connection immediately after reading the 200 OK 123262324Speter response. */ 124262324Speter 125262324Speter hdrs = serf_bucket_response_get_headers(response); 126262324Speter val = serf_bucket_headers_get(hdrs, "Connection"); 127262324Speter if (val && strcasecmp("close", val) == 0) { 128262324Speter serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt, 129262324Speter "Ignore Connection: close header on this reponse, don't " 130262324Speter "close the connection now that the tunnel is set up.\n"); 131262324Speter serf__bucket_headers_remove(hdrs, "Connection"); 132262324Speter } 133262324Speter 134251877Speter return APR_EOF; 135251877Speter } 136251877Speter 137251877Speter /* Authentication failure and 2xx Ok are handled at this point, 138251877Speter the rest are errors. */ 139251877Speter return SERF_ERROR_SSLTUNNEL_SETUP_FAILED; 140251877Speter} 141251877Speter 142251877Speter/* Prepare the CONNECT request. */ 143251877Speterstatic apr_status_t setup_request(serf_request_t *request, 144251877Speter void *setup_baton, 145251877Speter serf_bucket_t **req_bkt, 146251877Speter serf_response_acceptor_t *acceptor, 147251877Speter void **acceptor_baton, 148251877Speter serf_response_handler_t *handler, 149251877Speter void **handler_baton, 150251877Speter apr_pool_t *pool) 151251877Speter{ 152251877Speter req_ctx_t *ctx = setup_baton; 153251877Speter 154251877Speter *req_bkt = 155251877Speter serf_request_bucket_request_create(request, 156251877Speter "CONNECT", ctx->uri, 157251877Speter NULL, 158251877Speter serf_request_get_alloc(request)); 159251877Speter *acceptor = accept_response; 160251877Speter *acceptor_baton = ctx; 161251877Speter *handler = handle_response; 162251877Speter *handler_baton = ctx; 163251877Speter 164251877Speter return APR_SUCCESS; 165251877Speter} 166251877Speter 167251877Speterstatic apr_status_t detect_eof(void *baton, serf_bucket_t *aggregate_bucket) 168251877Speter{ 169251877Speter serf_connection_t *conn = baton; 170251877Speter conn->hit_eof = 1; 171251877Speter return APR_EAGAIN; 172251877Speter} 173251877Speter 174251877Speter/* SSL tunnel is needed, push a CONNECT request on the connection. */ 175251877Speterapr_status_t serf__ssltunnel_connect(serf_connection_t *conn) 176251877Speter{ 177251877Speter req_ctx_t *ctx; 178251877Speter apr_pool_t *ssltunnel_pool; 179251877Speter 180251877Speter apr_pool_create(&ssltunnel_pool, conn->pool); 181251877Speter 182251877Speter ctx = apr_palloc(ssltunnel_pool, sizeof(*ctx)); 183251877Speter ctx->pool = ssltunnel_pool; 184253895Speter ctx->uri = apr_psprintf(ctx->pool, "%s:%d", conn->host_info.hostname, 185251877Speter conn->host_info.port); 186251877Speter 187251877Speter conn->ssltunnel_ostream = serf__bucket_stream_create(conn->allocator, 188251877Speter detect_eof, 189251877Speter conn); 190251877Speter 191253895Speter serf__ssltunnel_request_create(conn, 192253895Speter setup_request, 193253895Speter ctx); 194251877Speter 195251877Speter conn->state = SERF_CONN_SETUP_SSLTUNNEL; 196262324Speter serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt, 197262324Speter "setting up ssl tunnel on connection.\n"); 198251877Speter 199251877Speter return APR_SUCCESS; 200251877Speter} 201