contrib/serf/ssltunnel.c

   1 /* Copyright 2011 Justin Erenkrantz and Greg Stein
   2  *
   3  * Licensed under the Apache License, Version 2.0 (the "License");
   4  * you may not use this file except in compliance with the License.
   5  * You may obtain a copy of the License at
   6  *
   7  *     http://www.apache.org/licenses/LICENSE-2.0
   8  *
   9  * Unless required by applicable law or agreed to in writing, software
  10  * distributed under the License is distributed on an "AS IS" BASIS,
  11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12  * See the License for the specific language governing permissions and
  13  * limitations under the License.
  14  */
  15
  16 /*** Setup a SSL tunnel over a HTTP proxy, according to RFC 2817. ***/
  17
  18 #include <apr_pools.h>
  19 #include <apr_strings.h>
  20
  21 #include "serf.h"
  22 #include "serf_private.h"
  23
  24
  25 /* Structure passed around as baton for the CONNECT request and respone. */
  26 typedef struct {
  27     apr_pool_t *pool;
  28     const char *uri;
  29 } req_ctx_t;
  30
  31 /* forward declaration. */
  32 static apr_status_t setup_request(serf_request_t *request,
  33                                   void *setup_baton,
  34                                   serf_bucket_t **req_bkt,
  35                                   serf_response_acceptor_t *acceptor,
  36                                   void **acceptor_baton,
  37                                   serf_response_handler_t *handler,
  38                                   void **handler_baton,
  39                                   apr_pool_t *pool);
  40
  41 static serf_bucket_t* accept_response(serf_request_t *request,
  42                                       serf_bucket_t *stream,
  43                                       void *acceptor_baton,
  44                                       apr_pool_t *pool)
  45 {
  46     serf_bucket_t *c;
  47     serf_bucket_alloc_t *bkt_alloc;
  48 #if 0
  49     req_ctx_t *ctx = acceptor_baton;
  50 #endif
  51
  52     /* get the per-request bucket allocator */
  53     bkt_alloc = serf_request_get_alloc(request);
  54
  55     /* Create a barrier so the response doesn't eat us! */
  56     c = serf_bucket_barrier_create(stream, bkt_alloc);
  57
  58     return serf_bucket_response_create(c, bkt_alloc);
  59 }
  60
  61 /* If a 200 OK was received for the CONNECT request, consider the connection
  62    as ready for use. */
  63 static apr_status_t handle_response(serf_request_t *request,
  64                                     serf_bucket_t *response,
  65                                     void *handler_baton,
  66                                     apr_pool_t *pool)
  67 {
  68     apr_status_t status;
  69     serf_status_line sl;
  70     req_ctx_t *ctx = handler_baton;
  71     serf_connection_t *conn = request->conn;
  72
  73     if (! response) {
  74         serf_connection_request_create(conn,
  75                                        setup_request,
  76                                        ctx);
  77         return APR_SUCCESS;
  78     }
  79
  80     status = serf_bucket_response_status(response, &sl);
  81     if (SERF_BUCKET_READ_ERROR(status)) {
  82         return status;
  83     }
  84     if (!sl.version && (APR_STATUS_IS_EOF(status) ||
  85                       APR_STATUS_IS_EAGAIN(status)))
  86     {
  87         return status;
  88     }
  89
  90     status = serf_bucket_response_wait_for_headers(response);
  91     if (status && !APR_STATUS_IS_EOF(status)) {
  92         return status;
  93     }
  94
  95     /* RFC 2817:  Any successful (2xx) response to a CONNECT request indicates
  96        that the proxy has established a connection to the requested host and
  97        port, and has switched to tunneling the current connection to that server
  98        connection.
  99     */
 100     if (sl.code >= 200 && sl.code < 300) {
 101         serf_bucket_t *hdrs;
 102         const char *val;
 103
 104         conn->state = SERF_CONN_CONNECTED;
 105
 106         /* Body is supposed to be empty. */
 107         apr_pool_destroy(ctx->pool);
 108         serf_bucket_destroy(conn->ssltunnel_ostream);
 109         serf_bucket_destroy(conn->stream);
 110         conn->stream = NULL;
 111         ctx = NULL;
 112
 113         serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
 114                       "successfully set up ssl tunnel.\n");
 115
 116         /* Fix for issue #123: ignore the "Connection: close" header here,
 117            leaving the header in place would make the serf's main context
 118            loop close this connection immediately after reading the 200 OK
 119            response. */
 120
 121         hdrs = serf_bucket_response_get_headers(response);
 122         val = serf_bucket_headers_get(hdrs, "Connection");
 123         if (val && strcasecmp("close", val) == 0) {
 124             serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
 125                       "Ignore Connection: close header on this reponse, don't "
 126                       "close the connection now that the tunnel is set up.\n");
 127             serf__bucket_headers_remove(hdrs, "Connection");
 128         }
 129
 130         return APR_EOF;
 131     }
 132
 133     /* Authentication failure and 2xx Ok are handled at this point,
 134        the rest are errors. */
 135     return SERF_ERROR_SSLTUNNEL_SETUP_FAILED;
 136 }
 137
 138 /* Prepare the CONNECT request. */
 139 static apr_status_t setup_request(serf_request_t *request,
 140                                   void *setup_baton,
 141                                   serf_bucket_t **req_bkt,
 142                                   serf_response_acceptor_t *acceptor,
 143                                   void **acceptor_baton,
 144                                   serf_response_handler_t *handler,
 145                                   void **handler_baton,
 146                                   apr_pool_t *pool)
 147 {
 148     req_ctx_t *ctx = setup_baton;
 149
 150     *req_bkt =
 151         serf_request_bucket_request_create(request,
 152                                            "CONNECT", ctx->uri,
 153                                            NULL,
 154                                            serf_request_get_alloc(request));
 155     *acceptor = accept_response;
 156     *acceptor_baton = ctx;
 157     *handler = handle_response;
 158     *handler_baton = ctx;
 159
 160     return APR_SUCCESS;
 161 }
 162
 163 static apr_status_t detect_eof(void *baton, serf_bucket_t *aggregate_bucket)
 164 {
 165     serf_connection_t *conn = baton;
 166     conn->hit_eof = 1;
 167     return APR_EAGAIN;
 168 }
 169
 170 /* SSL tunnel is needed, push a CONNECT request on the connection. */
 171 apr_status_t serf__ssltunnel_connect(serf_connection_t *conn)
 172 {
 173     req_ctx_t *ctx;
 174     apr_pool_t *ssltunnel_pool;
 175
 176     apr_pool_create(&ssltunnel_pool, conn->pool);
 177
 178     ctx = apr_palloc(ssltunnel_pool, sizeof(*ctx));
 179     ctx->pool = ssltunnel_pool;
 180     ctx->uri = apr_psprintf(ctx->pool, "%s:%d", conn->host_info.hostname,
 181                             conn->host_info.port);
 182
 183     conn->ssltunnel_ostream = serf__bucket_stream_create(conn->allocator,
 184                                                          detect_eof,
 185                                                          conn);
 186
 187     serf__ssltunnel_request_create(conn,
 188                                    setup_request,
 189                                    ctx);
 190
 191     conn->state = SERF_CONN_SETUP_SSLTUNNEL;
 192     serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
 193                   "setting up ssl tunnel on connection.\n");
 194
 195     return APR_SUCCESS;
 196 }