1362181Sdim/* ====================================================================
2362181Sdim *    Licensed to the Apache Software Foundation (ASF) under one
3362181Sdim *    or more contributor license agreements.  See the NOTICE file
4362181Sdim *    distributed with this work for additional information
5362181Sdim *    regarding copyright ownership.  The ASF licenses this file
6362181Sdim *    to you under the Apache License, Version 2.0 (the
7362181Sdim *    "License"); you may not use this file except in compliance
8362181Sdim *    with the License.  You may obtain a copy of the License at
9251877Speter *
10362181Sdim *      http://www.apache.org/licenses/LICENSE-2.0
11251877Speter *
12362181Sdim *    Unless required by applicable law or agreed to in writing,
13362181Sdim *    software distributed under the License is distributed on an
14362181Sdim *    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15362181Sdim *    KIND, either express or implied.  See the License for the
16362181Sdim *    specific language governing permissions and limitations
17362181Sdim *    under the License.
18362181Sdim * ====================================================================
19251877Speter */
20251877Speter
21251877Speter/*** Setup a SSL tunnel over a HTTP proxy, according to RFC 2817. ***/
22251877Speter
23251877Speter#include <apr_pools.h>
24251877Speter#include <apr_strings.h>
25251877Speter
26251877Speter#include "serf.h"
27251877Speter#include "serf_private.h"
28251877Speter
29251877Speter
30251877Speter/* Structure passed around as baton for the CONNECT request and respone. */
31251877Spetertypedef struct {
32251877Speter    apr_pool_t *pool;
33251877Speter    const char *uri;
34251877Speter} req_ctx_t;
35251877Speter
36251877Speter/* forward declaration. */
37251877Speterstatic apr_status_t setup_request(serf_request_t *request,
38251877Speter                                  void *setup_baton,
39251877Speter                                  serf_bucket_t **req_bkt,
40251877Speter                                  serf_response_acceptor_t *acceptor,
41251877Speter                                  void **acceptor_baton,
42251877Speter                                  serf_response_handler_t *handler,
43251877Speter                                  void **handler_baton,
44251877Speter                                  apr_pool_t *pool);
45251877Speter
46251877Speterstatic serf_bucket_t* accept_response(serf_request_t *request,
47251877Speter                                      serf_bucket_t *stream,
48251877Speter                                      void *acceptor_baton,
49251877Speter                                      apr_pool_t *pool)
50251877Speter{
51251877Speter    serf_bucket_t *c;
52251877Speter    serf_bucket_alloc_t *bkt_alloc;
53251877Speter#if 0
54251877Speter    req_ctx_t *ctx = acceptor_baton;
55251877Speter#endif
56251877Speter
57251877Speter    /* get the per-request bucket allocator */
58251877Speter    bkt_alloc = serf_request_get_alloc(request);
59251877Speter
60251877Speter    /* Create a barrier so the response doesn't eat us! */
61251877Speter    c = serf_bucket_barrier_create(stream, bkt_alloc);
62251877Speter
63251877Speter    return serf_bucket_response_create(c, bkt_alloc);
64251877Speter}
65251877Speter
66251877Speter/* If a 200 OK was received for the CONNECT request, consider the connection
67251877Speter   as ready for use. */
68251877Speterstatic apr_status_t handle_response(serf_request_t *request,
69251877Speter                                    serf_bucket_t *response,
70251877Speter                                    void *handler_baton,
71251877Speter                                    apr_pool_t *pool)
72251877Speter{
73251877Speter    apr_status_t status;
74251877Speter    serf_status_line sl;
75251877Speter    req_ctx_t *ctx = handler_baton;
76262324Speter    serf_connection_t *conn = request->conn;
77251877Speter
78266728Speter    /* CONNECT request was cancelled. Assuming that this is during connection
79266728Speter       reset, we can safely discard the request as a new one will be created
80266728Speter       when setting up the next connection. */
81266728Speter    if (!response)
82251877Speter        return APR_SUCCESS;
83251877Speter
84251877Speter    status = serf_bucket_response_status(response, &sl);
85251877Speter    if (SERF_BUCKET_READ_ERROR(status)) {
86251877Speter        return status;
87251877Speter    }
88251877Speter    if (!sl.version && (APR_STATUS_IS_EOF(status) ||
89251877Speter                      APR_STATUS_IS_EAGAIN(status)))
90251877Speter    {
91251877Speter        return status;
92251877Speter    }
93251877Speter
94251877Speter    status = serf_bucket_response_wait_for_headers(response);
95251877Speter    if (status && !APR_STATUS_IS_EOF(status)) {
96251877Speter        return status;
97251877Speter    }
98251877Speter
99251877Speter    /* RFC 2817:  Any successful (2xx) response to a CONNECT request indicates
100251877Speter       that the proxy has established a connection to the requested host and
101251877Speter       port, and has switched to tunneling the current connection to that server
102251877Speter       connection.
103251877Speter    */
104251877Speter    if (sl.code >= 200 && sl.code < 300) {
105262324Speter        serf_bucket_t *hdrs;
106262324Speter        const char *val;
107251877Speter
108262324Speter        conn->state = SERF_CONN_CONNECTED;
109262324Speter
110251877Speter        /* Body is supposed to be empty. */
111251877Speter        apr_pool_destroy(ctx->pool);
112262324Speter        serf_bucket_destroy(conn->ssltunnel_ostream);
113262324Speter        serf_bucket_destroy(conn->stream);
114262324Speter        conn->stream = NULL;
115251877Speter        ctx = NULL;
116251877Speter
117262324Speter        serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
118262324Speter                      "successfully set up ssl tunnel.\n");
119251877Speter
120262324Speter        /* Fix for issue #123: ignore the "Connection: close" header here,
121262324Speter           leaving the header in place would make the serf's main context
122262324Speter           loop close this connection immediately after reading the 200 OK
123262324Speter           response. */
124262324Speter
125262324Speter        hdrs = serf_bucket_response_get_headers(response);
126262324Speter        val = serf_bucket_headers_get(hdrs, "Connection");
127262324Speter        if (val && strcasecmp("close", val) == 0) {
128262324Speter            serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
129262324Speter                      "Ignore Connection: close header on this reponse, don't "
130262324Speter                      "close the connection now that the tunnel is set up.\n");
131262324Speter            serf__bucket_headers_remove(hdrs, "Connection");
132262324Speter        }
133262324Speter
134251877Speter        return APR_EOF;
135251877Speter    }
136251877Speter
137251877Speter    /* Authentication failure and 2xx Ok are handled at this point,
138251877Speter       the rest are errors. */
139251877Speter    return SERF_ERROR_SSLTUNNEL_SETUP_FAILED;
140251877Speter}
141251877Speter
142251877Speter/* Prepare the CONNECT request. */
143251877Speterstatic apr_status_t setup_request(serf_request_t *request,
144251877Speter                                  void *setup_baton,
145251877Speter                                  serf_bucket_t **req_bkt,
146251877Speter                                  serf_response_acceptor_t *acceptor,
147251877Speter                                  void **acceptor_baton,
148251877Speter                                  serf_response_handler_t *handler,
149251877Speter                                  void **handler_baton,
150251877Speter                                  apr_pool_t *pool)
151251877Speter{
152251877Speter    req_ctx_t *ctx = setup_baton;
153251877Speter
154251877Speter    *req_bkt =
155251877Speter        serf_request_bucket_request_create(request,
156251877Speter                                           "CONNECT", ctx->uri,
157251877Speter                                           NULL,
158251877Speter                                           serf_request_get_alloc(request));
159251877Speter    *acceptor = accept_response;
160251877Speter    *acceptor_baton = ctx;
161251877Speter    *handler = handle_response;
162251877Speter    *handler_baton = ctx;
163251877Speter
164251877Speter    return APR_SUCCESS;
165251877Speter}
166251877Speter
167251877Speterstatic apr_status_t detect_eof(void *baton, serf_bucket_t *aggregate_bucket)
168251877Speter{
169251877Speter    serf_connection_t *conn = baton;
170251877Speter    conn->hit_eof = 1;
171251877Speter    return APR_EAGAIN;
172251877Speter}
173251877Speter
174251877Speter/* SSL tunnel is needed, push a CONNECT request on the connection. */
175251877Speterapr_status_t serf__ssltunnel_connect(serf_connection_t *conn)
176251877Speter{
177251877Speter    req_ctx_t *ctx;
178251877Speter    apr_pool_t *ssltunnel_pool;
179251877Speter
180251877Speter    apr_pool_create(&ssltunnel_pool, conn->pool);
181251877Speter
182251877Speter    ctx = apr_palloc(ssltunnel_pool, sizeof(*ctx));
183251877Speter    ctx->pool = ssltunnel_pool;
184253895Speter    ctx->uri = apr_psprintf(ctx->pool, "%s:%d", conn->host_info.hostname,
185251877Speter                            conn->host_info.port);
186251877Speter
187251877Speter    conn->ssltunnel_ostream = serf__bucket_stream_create(conn->allocator,
188251877Speter                                                         detect_eof,
189251877Speter                                                         conn);
190251877Speter
191253895Speter    serf__ssltunnel_request_create(conn,
192253895Speter                                   setup_request,
193253895Speter                                   ctx);
194251877Speter
195251877Speter    conn->state = SERF_CONN_SETUP_SSLTUNNEL;
196262324Speter    serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
197262324Speter                  "setting up ssl tunnel on connection.\n");
198251877Speter
199251877Speter    return APR_SUCCESS;
200251877Speter}
201