+/*********************************************************************
+ *
+ * Function : receive_encrypted_request
+ *
+ * Description : Receives an encrypted request.
+ *
+ * Parameters :
+ * 1 : csp = Current client state (buffers, headers, etc...)
+ *
+ * Returns : JB_ERR_OK on success,
+ * JB_ERR_PARSE or JB_ERR_MEMORY otherwise
+ *
+ *********************************************************************/
+static jb_err receive_encrypted_request(struct client_state *csp)
+{
+ char buf[BUFFER_SIZE];
+ int len;
+ char *p;
+
+ do
+ {
+ log_error(LOG_LEVEL_HEADER, "Reading encrypted headers");
+ if (!data_is_available(csp->cfd, (int)csp->config->keep_alive_timeout))
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "Socket %d timed out while waiting for client headers", csp->cfd);
+ return JB_ERR_PARSE;
+ }
+ len = ssl_recv_data(&(csp->mbedtls_client_attr.ssl),
+ (unsigned char *)buf, sizeof(buf));
+ if (len == -1)
+ {
+ return JB_ERR_PARSE;
+ }
+ if (add_to_iob(csp->client_iob, csp->config->buffer_limit, buf, len))
+ {
+ return JB_ERR_MEMORY;
+ }
+ p = strstr(csp->client_iob->cur, "\r\n\r\n");
+ } while (p == NULL);
+
+ log_error(LOG_LEVEL_HEADER, "Encrypted headers received completely");
+
+ return JB_ERR_OK;
+}
+
+
+/*********************************************************************
+ *
+ * Function : process_encrypted_request
+ *
+ * Description : Receives and parses an encrypted request.
+ *
+ * Parameters :
+ * 1 : csp = Current client state (buffers, headers, etc...)
+ *
+ * Returns : JB_ERR_OK on success,
+ * JB_ERR_PARSE or JB_ERR_MEMORY otherwise
+ *
+ *********************************************************************/
+static jb_err process_encrypted_request(struct client_state *csp)
+{
+ char *p;
+ char *request_line;
+ jb_err err;
+ /* Temporary copy of the client's headers before they get enlisted in csp->https_headers */
+ struct list header_list;
+ struct list *headers = &header_list;
+
+ err = receive_encrypted_request(csp);
+ if (err != JB_ERR_OK)
+ {
+ /* XXX: Also used for JB_ERR_MEMORY */
+ log_error(LOG_LEVEL_ERROR, "Failed to receive encrypted request: %s",
+ jb_err_to_string(err));
+ ssl_send_data(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)CHEADER, strlen(CHEADER));
+ return err;
+ }
+
+ /* We don't need get_request_line() because the whole HTTP head is buffered. */
+ request_line = get_header(csp->client_iob);
+ if (request_line == NULL)
+ {
+ log_error(LOG_LEVEL_ERROR, "Failed to get the encrypted request line");
+ ssl_send_data(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)CHEADER, strlen(CHEADER));
+ return JB_ERR_PARSE;
+ }
+ assert(*request_line != '\0');
+
+ if (client_protocol_is_unsupported(csp, request_line))
+ {
+ /*
+ * If the protocol is unsupported we're done here.
+ * client_protocol_is_unsupported() took care of sending
+ * the error response and logging the error message.
+ */
+ return JB_ERR_PARSE;
+ }
+
+#ifdef FEATURE_FORCE_LOAD
+ if (force_required(csp, request_line))
+ {
+ csp->flags |= CSP_FLAG_FORCED;
+ }
+#endif /* def FEATURE_FORCE_LOAD */
+
+ free_http_request(csp->http);
+
+ err = parse_http_request(request_line, csp->http);
+ /* XXX: Restore ssl setting. This is ugly */
+ csp->http->client_ssl = 1;
+ csp->http->server_ssl = 1;
+
+ freez(request_line);
+ if (JB_ERR_OK != err)
+ {
+ ssl_send_data(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)CHEADER, strlen(CHEADER));
+ /* XXX: Use correct size */
+ log_error(LOG_LEVEL_CLF, "%s - - [%T] \"Invalid request\" 400 0", csp->ip_addr_str);
+ log_error(LOG_LEVEL_ERROR,
+ "Couldn't parse request line received from %s: %s",
+ csp->ip_addr_str, jb_err_to_string(err));
+
+ free_http_request(csp->http);
+ return JB_ERR_PARSE;
+ }
+
+ /* Parse the rest of the client's headers. */
+ init_list(headers);
+ for (;;)
+ {
+ p = get_header(csp->client_iob);
+
+ if (p == NULL)
+ {
+ /* There are no additional headers to read. */
+ break;
+ }
+ enlist(headers, p);
+ freez(p);
+ }
+
+ if (JB_ERR_OK != get_destination_from_https_headers(headers, csp->http))
+ {
+ /*
+ * Our attempts to get the request destination
+ * elsewhere failed.
+ */
+ log_error(LOG_LEVEL_ERROR,
+ "Failed to get the encrypted request destination");
+ ssl_send_data(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)CHEADER, strlen(CHEADER));
+ return JB_ERR_PARSE;
+ }
+
+#ifndef FEATURE_EXTENDED_HOST_PATTERNS
+ /* Split the domain we just got for pattern matching */
+ init_domain_components(csp->http);
+#endif
+
+#ifdef FEATURE_TOGGLE
+ if ((csp->flags & CSP_FLAG_TOGGLED_ON) != 0)
+#endif
+ {
+ /* Determine the actions for this URL */
+ get_url_actions(csp, csp->http);
+ }
+
+ enlist(csp->https_headers, csp->http->cmd);
+
+ /* Append the previously read headers */
+ err = list_append_list_unique(csp->https_headers, headers);
+ destroy_list(headers);
+ if (JB_ERR_OK != err)
+ {
+ /* XXX: Send error message */
+ return err;
+ }
+
+ /* XXX: Work around crash */
+ csp->error_message = NULL;
+
+ /* XXX: Why do this here? */
+ csp->http->ssl = 1;
+
+ err = sed_https(csp);
+ if (JB_ERR_OK != err)
+ {
+ ssl_send_data(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)CHEADER, strlen(CHEADER));
+ log_error(LOG_LEVEL_ERROR, "Failed to parse client request from %s.",
+ csp->ip_addr_str);
+ log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 400 0",
+ csp->ip_addr_str, csp->http->cmd);
+ return JB_ERR_PARSE;
+ }
+
+ log_error(LOG_LEVEL_HEADER, "Encrypted request processed");
+ log_applied_actions(csp->action);
+ log_error(LOG_LEVEL_GPC, "https://%s%s", csp->http->hostport,
+ csp->http->path);
+
+ return err;
+
+}
+#endif
+
+
+/*********************************************************************
+ *
+ * Function : handle_established_connection
+ *
+ * Description : Shuffle data between client and server once the
+ * connection has been established.
+ *
+ * Parameters :
+ * 1 : csp = Current client state (buffers, headers, etc...)
+ *
+ * Returns : Nothing.
+ *
+ *********************************************************************/
+static void handle_established_connection(struct client_state *csp)
+{
+ char *hdr;
+ char *p;
+ int n;
+#ifdef HAVE_POLL
+ struct pollfd poll_fds[2];
+#else
+ fd_set rfds;
+ jb_socket maxfd;
+ struct timeval timeout;
+#endif
+ int server_body;
+ int ms_iis5_hack = 0;
+ unsigned long long byte_count = 0;
+ struct http_request *http;
+ long len = 0; /* for buffer sizes (and negative error codes) */
+ int buffer_and_filter_content = 0;
+ unsigned int write_delay;
+#ifdef FEATURE_HTTPS_INSPECTION
+ int ret = 0;
+ int use_ssl_tunnel = 0;
+ csp->dont_verify_certificate = 0;
+
+ if (csp->http->ssl && !(csp->action->flags & ACTION_HTTPS_INSPECTION))
+ {
+ /* Pass encrypted content without filtering. */
+ use_ssl_tunnel = 1;
+ }
+#endif
+
+ /* Skeleton for HTTP response, if we should intercept the request */
+ struct http_response *rsp;
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ int watch_client_socket;
+#endif
+
+ csp->receive_buffer_size = csp->config->receive_buffer_size;
+ csp->receive_buffer = zalloc(csp->receive_buffer_size + 1);
+ if (csp->receive_buffer == NULL)
+ {
+ log_error(LOG_LEVEL_ERROR,
+ "Out of memory. Failed to allocate the receive buffer.");
+ rsp = cgi_error_memory();
+ send_crunch_response(csp, rsp);
+ return;
+ }
+
+ http = csp->http;
+
+#ifndef HAVE_POLL
+ maxfd = (csp->cfd > csp->server_connection.sfd) ?
+ csp->cfd : csp->server_connection.sfd;
+#endif
+
+ /* pass data between the client and server
+ * until one or the other shuts down the connection.
+ */
+
+ server_body = 0;
+
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ watch_client_socket = 0 == (csp->flags & CSP_FLAG_PIPELINED_REQUEST_WAITING);
+#endif
+ write_delay = get_write_delay(csp);
+
+ for (;;)
+ {
+#ifndef HAVE_POLL
+#ifdef __OS2__
+ /*
+ * FD_ZERO here seems to point to an errant macro which crashes.
+ * So do this by hand for now...
+ */
+ memset(&rfds,0x00,sizeof(fd_set));
+#else
+ FD_ZERO(&rfds);
+#endif
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ if (!watch_client_socket)
+ {
+ maxfd = csp->server_connection.sfd;
+ }
+ else
+#endif /* def FEATURE_CONNECTION_KEEP_ALIVE */
+ {
+ FD_SET(csp->cfd, &rfds);
+ }
+
+ FD_SET(csp->server_connection.sfd, &rfds);
+#endif /* ndef HAVE_POLL */
+
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ if ((csp->flags & CSP_FLAG_CHUNKED)
+ && !(csp->flags & CSP_FLAG_CONTENT_LENGTH_SET)
+ && ((csp->iob->eod - csp->iob->cur) >= 5)
+ && !memcmp(csp->iob->eod-5, "0\r\n\r\n", 5))
+ {
+ /*
+ * XXX: This check should be obsolete now,
+ * but let's wait a while to be sure.
+ */
+ log_error(LOG_LEVEL_CONNECT,
+ "Looks like we got the last chunk together with "
+ "the server headers but didn't detect it earlier. "
+ "We better stop reading.");
+ byte_count = (unsigned long long)(csp->iob->eod - csp->iob->cur);
+ csp->expected_content_length = byte_count;
+ csp->flags |= CSP_FLAG_CONTENT_LENGTH_SET;
+ }
+ if (server_body && server_response_is_complete(csp, byte_count))
+ {
+ if (csp->expected_content_length == byte_count)
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "Done reading from server. Content length: %llu as expected. "
+ "Bytes most recently read: %d.",
+ byte_count, len);
+ }
+ else
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "Done reading from server. Expected content length: %llu. "
+ "Actual content length: %llu. Bytes most recently read: %d.",
+ csp->expected_content_length, byte_count, len);
+ }
+ len = 0;
+ /*
+ * XXX: Should not jump around, handle_established_connection()
+ * is complicated enough already.
+ */
+ goto reading_done;
+ }
+#endif /* FEATURE_CONNECTION_KEEP_ALIVE */
+
+#ifdef HAVE_POLL
+ poll_fds[0].fd = csp->cfd;
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ if (!watch_client_socket)
+ {
+ /*
+ * Ignore incoming data, but still watch out
+ * for disconnects etc. These flags are always
+ * implied anyway but explicitly setting them
+ * doesn't hurt.
+ */
+ poll_fds[0].events = POLLERR|POLLHUP;
+ }
+ else
+#endif
+ {
+ poll_fds[0].events = POLLIN;
+ }
+ poll_fds[1].fd = csp->server_connection.sfd;
+ poll_fds[1].events = POLLIN;
+ n = poll(poll_fds, 2, csp->config->socket_timeout * 1000);
+#else
+ timeout.tv_sec = csp->config->socket_timeout;
+ timeout.tv_usec = 0;
+ n = select((int)maxfd + 1, &rfds, NULL, NULL, &timeout);
+#endif /* def HAVE_POLL */
+
+ /*server or client not responding in timeout */
+ if (n == 0)
+ {
+ log_error(LOG_LEVEL_CONNECT, "Socket timeout %d reached: %s",
+ csp->config->socket_timeout, http->url);
+ if ((byte_count == 0) && (http->ssl == 0))
+ {
+ send_crunch_response(csp, error_response(csp, "connection-timeout"));
+ }
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+ }
+ else if (n < 0)
+ {
+#ifdef HAVE_POLL
+ log_error(LOG_LEVEL_ERROR, "poll() failed!: %E");
+#else
+ log_error(LOG_LEVEL_ERROR, "select() failed!: %E");
+#endif
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+ }
+
+ /*
+ * This is the body of the browser's request,
+ * just read and write it.
+ *
+ * Receives data from browser and sends it to server
+ *
+ * XXX: Make sure the client doesn't use pipelining
+ * behind Privoxy's back.
+ */
+#ifdef HAVE_POLL
+ if ((poll_fds[0].revents & (POLLERR|POLLHUP|POLLNVAL)) != 0)
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "The client socket %d has become unusable while "
+ "the server socket %d is still open.",
+ csp->cfd, csp->server_connection.sfd);
+ mark_server_socket_tainted(csp);
+ break;
+ }
+
+ if (poll_fds[0].revents != 0)
+#else
+ if (FD_ISSET(csp->cfd, &rfds))
+#endif /* def HAVE_POLL*/
+ {
+ int max_bytes_to_read = (int)csp->receive_buffer_size;
+
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ if ((csp->flags & CSP_FLAG_CLIENT_REQUEST_COMPLETELY_READ))
+ {
+ if (data_is_available(csp->cfd, 0))
+ {
+ /*
+ * If the next request is already waiting, we have
+ * to stop select()ing the client socket. Otherwise
+ * we would always return right away and get nothing
+ * else done.
+ */
+ watch_client_socket = 0;
+ log_error(LOG_LEVEL_CONNECT,
+ "Stop watching client socket %d. "
+ "There's already another request waiting.",
+ csp->cfd);
+ continue;
+ }
+ /*
+ * If the client socket is set, but there's no data
+ * available on the socket, the client went fishing
+ * and continuing talking to the server makes no sense.
+ */
+ log_error(LOG_LEVEL_CONNECT,
+ "The client closed socket %d while "
+ "the server socket %d is still open.",
+ csp->cfd, csp->server_connection.sfd);
+ mark_server_socket_tainted(csp);
+ break;
+ }
+ if (csp->expected_client_content_length != 0)
+ {
+ if (csp->expected_client_content_length < csp->receive_buffer_size)
+ {
+ max_bytes_to_read = (int)csp->expected_client_content_length;
+ }
+ log_error(LOG_LEVEL_CONNECT,
+ "Waiting for up to %d bytes from the client.",
+ max_bytes_to_read);
+ }
+ assert(max_bytes_to_read <= csp->receive_buffer_size);
+#endif /* def FEATURE_CONNECTION_KEEP_ALIVE */
+
+#ifdef FEATURE_HTTPS_INSPECTION
+ if (client_use_ssl(csp))
+ {
+ log_error(LOG_LEVEL_CONNECT, "Breaking with TLS/SSL.");
+ break;
+ }
+ else
+#endif /* def FEATURE_HTTPS_INSPECTION */
+ {
+ len = read_socket(csp->cfd, csp->receive_buffer, max_bytes_to_read);
+
+ if (len <= 0)
+ {
+ /* XXX: not sure if this is necessary. */
+ mark_server_socket_tainted(csp);
+ break; /* "game over, man" */
+ }
+
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ if (csp->expected_client_content_length != 0)
+ {
+ assert(len <= max_bytes_to_read);
+ csp->expected_client_content_length -= (unsigned)len;
+ log_error(LOG_LEVEL_CONNECT,
+ "Expected client content length set to %llu "
+ "after reading %d bytes.",
+ csp->expected_client_content_length, len);
+ if (csp->expected_client_content_length == 0)
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "Done reading from the client.");
+ csp->flags |= CSP_FLAG_CLIENT_REQUEST_COMPLETELY_READ;
+ }
+ }
+#endif /* def FEATURE_CONNECTION_KEEP_ALIVE */
+
+ if (write_socket(csp->server_connection.sfd, csp->receive_buffer, (size_t)len))
+ {
+ log_error(LOG_LEVEL_ERROR, "write to: %s failed: %E", http->host);
+ mark_server_socket_tainted(csp);
+ return;
+ }
+ }
+ continue;
+ }
+
+ /*
+ * The server wants to talk. It could be the header or the body.
+ * If `hdr' is null, then it's the header otherwise it's the body.
+ * FIXME: Does `hdr' really mean `host'? No.
+ */
+#ifdef HAVE_POLL
+ if (poll_fds[1].revents != 0)
+#else
+ if (FD_ISSET(csp->server_connection.sfd, &rfds))
+#endif /* HAVE_POLL */
+ {
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ /*
+ * If we are buffering content, we don't want to eat up to
+ * buffer-limit bytes if the client no longer cares about them.
+ * If we aren't buffering, however, a dead client socket will be
+ * noticed pretty much right away anyway, so we can reduce the
+ * overhead by skipping the check.
+ */
+ if (buffer_and_filter_content && !socket_is_still_alive(csp->cfd))
+ {
+#ifdef _WIN32
+ log_error(LOG_LEVEL_CONNECT,
+ "The server still wants to talk, but the client may already have hung up on us.");
+#else
+ log_error(LOG_LEVEL_CONNECT,
+ "The server still wants to talk, but the client hung up on us.");
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+#endif /* def _WIN32 */
+ }
+#endif /* def FEATURE_CONNECTION_KEEP_ALIVE */
+
+#ifdef FEATURE_HTTPS_INSPECTION
+ /*
+ * Reading data from standard or secured connection (HTTP/HTTPS)
+ */
+ if (server_use_ssl(csp))
+ {
+ len = ssl_recv_data(&(csp->mbedtls_server_attr.ssl),
+ (unsigned char *)csp->receive_buffer, csp->receive_buffer_size);
+ }
+ else
+#endif
+ {
+ len = read_socket(csp->server_connection.sfd, csp->receive_buffer,
+ (int)csp->receive_buffer_size);
+ }
+
+ if (len < 0)
+ {
+ log_error(LOG_LEVEL_ERROR, "read from: %s failed: %E", http->host);
+
+ if ((http->ssl && (csp->fwd == NULL))
+#ifdef FEATURE_HTTPS_INSPECTION
+ && use_ssl_tunnel
+#endif
+ )
+ {
+ /*
+ * Just hang up. We already confirmed the client's CONNECT
+ * request with status code 200 and unencrypted content is
+ * no longer welcome.
+ */
+ log_error(LOG_LEVEL_ERROR,
+ "CONNECT already confirmed. Unable to tell the client about the problem.");
+ return;
+ }
+ else if (byte_count)
+ {
+ /*
+ * Just hang up. We already transmitted the original headers
+ * and parts of the original content and therefore missed the
+ * chance to send an error message (without risking data corruption).
+ *
+ * XXX: we could retry with a fancy range request here.
+ */
+ log_error(LOG_LEVEL_ERROR, "Already forwarded the original headers. "
+ "Unable to tell the client about the problem.");
+ mark_server_socket_tainted(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_and_server_ssl_connections(csp);
+#endif
+ return;
+ }
+ /*
+ * XXX: Consider handling the cases above the same.
+ */
+ mark_server_socket_tainted(csp);
+ len = 0;
+ }
+
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ if (csp->flags & CSP_FLAG_CHUNKED)
+ {
+ if ((len >= 5) && !memcmp(csp->receive_buffer+len-5, "0\r\n\r\n", 5))
+ {
+ /* XXX: this is a temporary hack */
+ log_error(LOG_LEVEL_CONNECT,
+ "Looks like we reached the end of the last chunk. "
+ "We better stop reading.");
+ csp->expected_content_length = byte_count + (unsigned long long)len;
+ csp->flags |= CSP_FLAG_CONTENT_LENGTH_SET;
+ }
+ }
+ reading_done:
+#endif /* FEATURE_CONNECTION_KEEP_ALIVE */
+
+ /*
+ * This is guaranteed by allocating with zalloc_or_die()
+ * and never (intentionally) writing to the last byte.
+ *
+ * csp->receive_buffer_size is the size of the part of the
+ * buffer we intentionally write to, but we actually
+ * allocated csp->receive_buffer_size+1 bytes so the assertion
+ * stays within the allocated range.
+ */
+ assert(csp->receive_buffer[csp->receive_buffer_size] == '\0');
+
+ /*
+ * Add a trailing zero to let be able to use string operations.
+ * XXX: do we still need this with filter_popups gone?
+ */
+ assert(len <= csp->receive_buffer_size);
+ csp->receive_buffer[len] = '\0';
+
+ /*
+ * Normally, this would indicate that we've read
+ * as much as the server has sent us and we can
+ * close the client connection. However, Microsoft
+ * in its wisdom has released IIS/5 with a bug that
+ * prevents it from sending the trailing \r\n in
+ * a 302 redirect header (and possibly other headers).
+ * To work around this if we've haven't parsed
+ * a full header we'll append a trailing \r\n
+ * and see if this now generates a valid one.
+ *
+ * This hack shouldn't have any impacts. If we've
+ * already transmitted the header or if this is a
+ * SSL connection, then we won't bother with this
+ * hack. So we only work on partially received
+ * headers. If we append a \r\n and this still
+ * doesn't generate a valid header, then we won't
+ * transmit anything to the client.
+ */
+ if (len == 0)
+ {
+
+ if (server_body || (http->ssl
+#ifdef FEATURE_HTTPS_INSPECTION
+ && use_ssl_tunnel
+#endif
+ ))
+ {
+ /*
+ * If we have been buffering up the document,
+ * now is the time to apply content modification
+ * and send the result to the client.
+ */
+ if (buffer_and_filter_content)
+ {
+ p = execute_content_filters(csp);
+ /*
+ * If content filtering fails, use the original
+ * buffer and length.
+ * (see p != NULL ? p : csp->iob->cur below)
+ */
+ if (NULL == p)
+ {
+ csp->content_length = (size_t)(csp->iob->eod - csp->iob->cur);
+ }
+#ifdef FEATURE_COMPRESSION
+ else if ((csp->flags & CSP_FLAG_CLIENT_SUPPORTS_DEFLATE)
+ && (csp->content_length > LOWER_LENGTH_LIMIT_FOR_COMPRESSION))
+ {
+ char *compressed_content = compress_buffer(p,
+ (size_t *)&csp->content_length, csp->config->compression_level);
+ if (compressed_content != NULL)
+ {
+ freez(p);
+ p = compressed_content;
+ csp->flags |= CSP_FLAG_BUFFERED_CONTENT_DEFLATED;
+ }
+ }
+#endif
+
+ if (JB_ERR_OK != update_server_headers(csp))
+ {
+ log_error(LOG_LEVEL_FATAL,
+ "Failed to update server headers. after filtering.");
+ }
+
+ hdr = list_to_text(csp->headers);
+ if (hdr == NULL)
+ {
+ /* FIXME Should handle error properly */
+ log_error(LOG_LEVEL_FATAL, "Out of memory parsing server header");
+ }
+
+#ifdef FEATURE_HTTPS_INSPECTION
+ /*
+ * Sending data with standard or secured connection (HTTP/HTTPS)
+ */
+ if (client_use_ssl(csp))
+ {
+ if ((ssl_send_data(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *)hdr, strlen(hdr)) < 0)
+ || (ssl_send_data(&(csp->mbedtls_client_attr.ssl),
+ (const unsigned char *) ((p != NULL) ? p : csp->iob->cur),
+ csp->content_length) < 0))
+ {
+ log_error(LOG_LEVEL_ERROR, "write modified content to "
+ "client over TLS/SSL failed");
+ freez(hdr);
+ freez(p);
+ mark_server_socket_tainted(csp);
+ close_client_and_server_ssl_connections(csp);
+ return;
+ }
+ }
+ else
+#endif /* def FEATURE_HTTPS_INSPECTION */
+ {
+ if (write_socket_delayed(csp->cfd, hdr, strlen(hdr), write_delay)
+ || write_socket_delayed(csp->cfd, ((p != NULL) ? p : csp->iob->cur),
+ (size_t)csp->content_length, write_delay))
+ {
+ log_error(LOG_LEVEL_ERROR, "write modified content to client failed: %E");
+ freez(hdr);
+ freez(p);
+ mark_server_socket_tainted(csp);
+ return;
+ }
+ }
+
+ freez(hdr);
+ freez(p);
+ }
+
+ break; /* "game over, man" */
+ }
+
+ /*
+ * This is NOT the body, so
+ * Let's pretend the server just sent us a blank line.
+ */
+ snprintf(csp->receive_buffer, csp->receive_buffer_size, "\r\n");
+ len = (int)strlen(csp->receive_buffer);
+
+ /*
+ * Now, let the normal header parsing algorithm below do its
+ * job. If it fails, we'll exit instead of continuing.
+ */
+
+ ms_iis5_hack = 1;
+ }