1 /* Copyright 2011 Justin Erenkrantz and Greg Stein
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 /*** Setup a SSL tunnel over a HTTP proxy, according to RFC 2817. ***/
18 #include <apr_pools.h>
19 #include <apr_strings.h>
22 #include "serf_private.h"
25 /* Structure passed around as baton for the CONNECT request and respone. */
31 /* forward declaration. */
32 static apr_status_t setup_request(serf_request_t *request,
34 serf_bucket_t **req_bkt,
35 serf_response_acceptor_t *acceptor,
36 void **acceptor_baton,
37 serf_response_handler_t *handler,
41 static serf_bucket_t* accept_response(serf_request_t *request,
42 serf_bucket_t *stream,
47 serf_bucket_alloc_t *bkt_alloc;
49 req_ctx_t *ctx = acceptor_baton;
52 /* get the per-request bucket allocator */
53 bkt_alloc = serf_request_get_alloc(request);
55 /* Create a barrier so the response doesn't eat us! */
56 c = serf_bucket_barrier_create(stream, bkt_alloc);
58 return serf_bucket_response_create(c, bkt_alloc);
61 /* If a 200 OK was received for the CONNECT request, consider the connection
63 static apr_status_t handle_response(serf_request_t *request,
64 serf_bucket_t *response,
70 req_ctx_t *ctx = handler_baton;
71 serf_connection_t *conn = request->conn;
74 serf_connection_request_create(conn,
80 status = serf_bucket_response_status(response, &sl);
81 if (SERF_BUCKET_READ_ERROR(status)) {
84 if (!sl.version && (APR_STATUS_IS_EOF(status) ||
85 APR_STATUS_IS_EAGAIN(status)))
90 status = serf_bucket_response_wait_for_headers(response);
91 if (status && !APR_STATUS_IS_EOF(status)) {
95 /* RFC 2817: Any successful (2xx) response to a CONNECT request indicates
96 that the proxy has established a connection to the requested host and
97 port, and has switched to tunneling the current connection to that server
100 if (sl.code >= 200 && sl.code < 300) {
104 conn->state = SERF_CONN_CONNECTED;
106 /* Body is supposed to be empty. */
107 apr_pool_destroy(ctx->pool);
108 serf_bucket_destroy(conn->ssltunnel_ostream);
109 serf_bucket_destroy(conn->stream);
113 serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
114 "successfully set up ssl tunnel.\n");
116 /* Fix for issue #123: ignore the "Connection: close" header here,
117 leaving the header in place would make the serf's main context
118 loop close this connection immediately after reading the 200 OK
121 hdrs = serf_bucket_response_get_headers(response);
122 val = serf_bucket_headers_get(hdrs, "Connection");
123 if (val && strcasecmp("close", val) == 0) {
124 serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
125 "Ignore Connection: close header on this reponse, don't "
126 "close the connection now that the tunnel is set up.\n");
127 serf__bucket_headers_remove(hdrs, "Connection");
133 /* Authentication failure and 2xx Ok are handled at this point,
134 the rest are errors. */
135 return SERF_ERROR_SSLTUNNEL_SETUP_FAILED;
138 /* Prepare the CONNECT request. */
139 static apr_status_t setup_request(serf_request_t *request,
141 serf_bucket_t **req_bkt,
142 serf_response_acceptor_t *acceptor,
143 void **acceptor_baton,
144 serf_response_handler_t *handler,
145 void **handler_baton,
148 req_ctx_t *ctx = setup_baton;
151 serf_request_bucket_request_create(request,
154 serf_request_get_alloc(request));
155 *acceptor = accept_response;
156 *acceptor_baton = ctx;
157 *handler = handle_response;
158 *handler_baton = ctx;
163 static apr_status_t detect_eof(void *baton, serf_bucket_t *aggregate_bucket)
165 serf_connection_t *conn = baton;
170 /* SSL tunnel is needed, push a CONNECT request on the connection. */
171 apr_status_t serf__ssltunnel_connect(serf_connection_t *conn)
174 apr_pool_t *ssltunnel_pool;
176 apr_pool_create(&ssltunnel_pool, conn->pool);
178 ctx = apr_palloc(ssltunnel_pool, sizeof(*ctx));
179 ctx->pool = ssltunnel_pool;
180 ctx->uri = apr_psprintf(ctx->pool, "%s:%d", conn->host_info.hostname,
181 conn->host_info.port);
183 conn->ssltunnel_ostream = serf__bucket_stream_create(conn->allocator,
187 serf__ssltunnel_request_create(conn,
191 conn->state = SERF_CONN_SETUP_SSLTUNNEL;
192 serf__log_skt(CONN_VERBOSE, __FILE__, conn->skt,
193 "setting up ssl tunnel on connection.\n");