authorRichard Levitte <levitte@openssl.org>2016-10-05 12:37:58 +0200
committerRichard Levitte <levitte@openssl.org>2017-01-25 00:40:17 +0100
commitec2a0e60652c0e61e90dde367756c5d92cd882d3 (patch)
tree8a7e8082de6a547b7d2b5b240c2ce8304b7d5b45 /apps
parent9d6fcd4295fef7ebc4232aab85718a99d36cc50a (diff)
s_client: Better response success check for CONNECT
Instead of looking for "200" and "established" (and failing all other 2xx responses or "Established"), let's look for a line that's not a header (i.e. doesn't contain a ':') and where the first space is followed by a '2'. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1664)
Diffstat (limited to 'apps')
-rw-r--r--apps/s_client.c40
1 files changed, 30 insertions, 10 deletions
diff --git a/apps/s_client.c b/apps/s_client.c
index f6b556dd76..5307eab116 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -2020,24 +2020,44 @@ int s_client_main(int argc, char **argv)
break;
case PROTO_CONNECT:
{
- int foundit = 0;
+ enum {
+ error_proto, /* Wrong protocol, not even HTTP */
+ error_connect, /* CONNECT failed */
+ success
+ } foundit = error_connect;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
BIO_printf(fbio, "CONNECT %s HTTP/1.0\r\n\r\n", connectstr);
(void)BIO_flush(fbio);
- /* wait for multi-line response to end CONNECT response */
- do {
- mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
- if (strstr(mbuf, "200") != NULL
- && strstr(mbuf, "established") != NULL)
- foundit++;
- } while (mbuf_len > 3 && foundit == 0);
+ /*
+ * The first line is the HTTP response. According to RFC 7230,
+ * it's formated exactly like this:
+ *
+ * HTTP/d.d ddd Reason text\r\n
+ */
+ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+ if (mbuf[8] != ' ') {
+ BIO_printf(bio_err,
+ "%s: HTTP CONNECT failed, incorrect response "
+ "from proxy\n", prog);
+ foundit = error_proto;
+ } else if (mbuf[9] != '2') {
+ BIO_printf(bio_err, "%s: HTTP CONNECT failed: %s ", prog,
+ &mbuf[9]);
+ } else {
+ foundit = success;
+ }
+ if (foundit != error_proto) {
+ /* Read past all following headers */
+ do {
+ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+ } while (mbuf_len > 2);
+ }
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
- if (!foundit) {
- BIO_printf(bio_err, "%s: HTTP CONNECT failed\n", prog);
+ if (foundit != success) {
goto shut;
}
}
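Review bot: The return value of the first `BIO_gets()` is never checked before `mbuf[8]` and `mbuf[9]` are read, so a proxy that closes the connection or sends a status line shorter than ten bytes leaves the check running on whatever the buffer held before (earlier protocol data or, presumably, uninitialised memory; the allocation of `mbuf` is outside the hunk). In that case both the choice between `success` and failure and the `%s` print of `&mbuf[9]` depend on stale bytes. Folding the length into the first test reuses the existing `error_proto` path and skips the header loop: `if (mbuf_len < 10 || mbuf[8] != ' ') {`. The reason text printed on failure is proxy-controlled and reaches `bio_err` unfiltered, which deserves a short comment next to that `BIO_printf`. The enclosing `switch` in `s_client_main` starts and ends outside the hunk.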