1 /* ====================================================================
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
18 * ====================================================================
21 /*** Setup a SSL tunnel over a HTTP proxy, according to RFC 2817. ***/
23 #include <apr_pools.h>
24 #include <apr_strings.h>
27 #include "serf_private.h"
30 /* Structure passed around as baton for the CONNECT request and respone. */
36 /* forward declaration. */
37 static apr_status_t setup_request(serf_request_t *request,
39 serf_bucket_t **req_bkt,
40 serf_response_acceptor_t *acceptor,
41 void **acceptor_baton,
42 serf_response_handler_t *handler,
46 static serf_bucket_t* accept_response(serf_request_t *request,
47 serf_bucket_t *stream,
52 serf_bucket_alloc_t *bkt_alloc;
54 req_ctx_t *ctx = acceptor_baton;
57 /* get the per-request bucket allocator */
58 bkt_alloc = serf_request_get_alloc(request);
60 /* Create a barrier so the response doesn't eat us! */
61 c = serf_bucket_barrier_create(stream, bkt_alloc);
63 return serf_bucket_response_create(c, bkt_alloc);
66 /* If a 200 OK was received for the CONNECT request, consider the connection
68 static apr_status_t handle_response(serf_request_t *request,
69 serf_bucket_t *response,
75 req_ctx_t *ctx = handler_baton;
76 serf_connection_t *conn = request->conn;
78 /* CONNECT request was cancelled. Assuming that this is during connection
79 reset, we can safely discard the request as a new one will be created
80 when setting up the next connection. */
84 status = serf_bucket_response_status(response, &sl);
85 if (SERF_BUCKET_READ_ERROR(status)) {
88 if (!sl.version && (APR_STATUS_IS_EOF(status) ||
89 APR_STATUS_IS_EAGAIN(status)))
94 status = serf_bucket_response_wait_for_headers(response);
95 if (status && !APR_STATUS_IS_EOF(status)) {
99 /* RFC 2817: Any successful (2xx) response to a CONNECT request indicates
100 that the proxy has established a connection to the requested host and
101 port, and has switched to tunneling the current connection to that server
104 if (sl.code >= 200 && sl.code < 300) {
108 conn->state = SERF_CONN_CONNECTED;
110 /* Body is supposed to be empty. */
111 apr_pool_destroy(ctx->pool);
112 serf_bucket_destroy(conn->ssltunnel_ostream);
113 serf_bucket_destroy(conn->stream);
117 serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
118 "successfully set up ssl tunnel.\n");
120 /* Fix for issue #123: ignore the "Connection: close" header here,
121 leaving the header in place would make the serf's main context
122 loop close this connection immediately after reading the 200 OK
125 hdrs = serf_bucket_response_get_headers(response);
126 val = serf_bucket_headers_get(hdrs, "Connection");
127 if (val && strcasecmp("close", val) == 0) {
128 serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
129 "Ignore Connection: close header on this reponse, don't "
130 "close the connection now that the tunnel is set up.\n");
131 serf__bucket_headers_remove(hdrs, "Connection");
137 /* Authentication failure and 2xx Ok are handled at this point,
138 the rest are errors. */
139 return SERF_ERROR_SSLTUNNEL_SETUP_FAILED;
142 /* Prepare the CONNECT request. */
143 static apr_status_t setup_request(serf_request_t *request,
145 serf_bucket_t **req_bkt,
146 serf_response_acceptor_t *acceptor,
147 void **acceptor_baton,
148 serf_response_handler_t *handler,
149 void **handler_baton,
152 req_ctx_t *ctx = setup_baton;
155 serf_request_bucket_request_create(request,
158 serf_request_get_alloc(request));
159 *acceptor = accept_response;
160 *acceptor_baton = ctx;
161 *handler = handle_response;
162 *handler_baton = ctx;
167 static apr_status_t detect_eof(void *baton, serf_bucket_t *aggregate_bucket)
169 serf_connection_t *conn = baton;
174 /* SSL tunnel is needed, push a CONNECT request on the connection. */
175 apr_status_t serf__ssltunnel_connect(serf_connection_t *conn)
178 apr_pool_t *ssltunnel_pool;
180 apr_pool_create(&ssltunnel_pool, conn->pool);
182 ctx = apr_palloc(ssltunnel_pool, sizeof(*ctx));
183 ctx->pool = ssltunnel_pool;
184 ctx->uri = apr_psprintf(ctx->pool, "%s:%d", conn->host_info.hostname,
185 conn->host_info.port);
187 conn->ssltunnel_ostream = serf__bucket_stream_create(conn->allocator,
191 serf__ssltunnel_request_create(conn,
195 conn->state = SERF_CONN_SETUP_SSLTUNNEL;
196 serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
197 "setting up ssl tunnel on connection.\n");