1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/http/http_network_transaction.h" 6 7#include <set> 8#include <vector> 9 10#include "base/bind.h" 11#include "base/bind_helpers.h" 12#include "base/compiler_specific.h" 13#include "base/format_macros.h" 14#include "base/memory/scoped_ptr.h" 15#include "base/metrics/field_trial.h" 16#include "base/metrics/histogram.h" 17#include "base/metrics/stats_counters.h" 18#include "base/stl_util.h" 19#include "base/strings/string_number_conversions.h" 20#include "base/strings/string_util.h" 21#include "base/strings/stringprintf.h" 22#include "base/time/time.h" 23#include "base/values.h" 24#include "build/build_config.h" 25#include "net/base/auth.h" 26#include "net/base/host_port_pair.h" 27#include "net/base/io_buffer.h" 28#include "net/base/load_flags.h" 29#include "net/base/load_timing_info.h" 30#include "net/base/net_errors.h" 31#include "net/base/net_util.h" 32#include "net/base/upload_data_stream.h" 33#include "net/http/http_auth.h" 34#include "net/http/http_auth_handler.h" 35#include "net/http/http_auth_handler_factory.h" 36#include "net/http/http_basic_stream.h" 37#include "net/http/http_chunked_decoder.h" 38#include "net/http/http_network_session.h" 39#include "net/http/http_proxy_client_socket.h" 40#include "net/http/http_proxy_client_socket_pool.h" 41#include "net/http/http_request_headers.h" 42#include "net/http/http_request_info.h" 43#include "net/http/http_response_headers.h" 44#include "net/http/http_response_info.h" 45#include "net/http/http_server_properties.h" 46#include "net/http/http_status_code.h" 47#include "net/http/http_stream_base.h" 48#include "net/http/http_stream_factory.h" 49#include "net/http/http_util.h" 50#include "net/http/transport_security_state.h" 51#include "net/http/url_security_manager.h" 52#include "net/socket/client_socket_factory.h" 53#include "net/socket/socks_client_socket_pool.h" 54#include "net/socket/ssl_client_socket.h" 55#include "net/socket/ssl_client_socket_pool.h" 56#include "net/socket/transport_client_socket_pool.h" 57#include "net/spdy/spdy_http_stream.h" 58#include "net/spdy/spdy_session.h" 59#include "net/spdy/spdy_session_pool.h" 60#include "net/ssl/ssl_cert_request_info.h" 61#include "net/ssl/ssl_connection_status_flags.h" 62#include "url/gurl.h" 63 64#if defined(SPDY_PROXY_AUTH_ORIGIN) 65#include <algorithm> 66#include "net/proxy/proxy_server.h" 67#endif 68 69 70using base::Time; 71using base::TimeDelta; 72 73namespace net { 74 75namespace { 76 77void ProcessAlternateProtocol( 78 HttpStreamFactory* factory, 79 const base::WeakPtr<HttpServerProperties>& http_server_properties, 80 const HttpResponseHeaders& headers, 81 const HostPortPair& http_host_port_pair) { 82 std::string alternate_protocol_str; 83 84 if (!headers.EnumerateHeader(NULL, kAlternateProtocolHeader, 85 &alternate_protocol_str)) { 86 // Header is not present. 87 return; 88 } 89 90 factory->ProcessAlternateProtocol(http_server_properties, 91 alternate_protocol_str, 92 http_host_port_pair); 93} 94 95// Returns true if |error| is a client certificate authentication error. 96bool IsClientCertificateError(int error) { 97 switch (error) { 98 case ERR_BAD_SSL_CLIENT_AUTH_CERT: 99 case ERR_SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED: 100 case ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY: 101 case ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: 102 return true; 103 default: 104 return false; 105 } 106} 107 108base::Value* NetLogSSLVersionFallbackCallback( 109 const GURL* url, 110 int net_error, 111 uint16 version_before, 112 uint16 version_after, 113 NetLog::LogLevel /* log_level */) { 114 base::DictionaryValue* dict = new base::DictionaryValue(); 115 dict->SetString("host_and_port", GetHostAndPort(*url)); 116 dict->SetInteger("net_error", net_error); 117 dict->SetInteger("version_before", version_before); 118 dict->SetInteger("version_after", version_after); 119 return dict; 120} 121 122#if defined(SPDY_PROXY_AUTH_ORIGIN) 123// Returns true if |response_headers| contains the data reduction proxy Via 124// header value. 125bool IsChromeProxyResponse(const net::HttpResponseHeaders* response_headers) { 126 if (!response_headers) { 127 return false; 128 } 129 const char kDataReductionProxyViaValue[] = "1.1 Chrome Compression Proxy"; 130 size_t value_len = strlen(kDataReductionProxyViaValue); 131 void* iter = NULL; 132 std::string temp; 133 while (response_headers->EnumerateHeader(&iter, "Via", &temp)) { 134 std::string::const_iterator it = 135 std::search(temp.begin(), temp.end(), 136 kDataReductionProxyViaValue, 137 kDataReductionProxyViaValue + value_len, 138 base::CaseInsensitiveCompareASCII<char>()); 139 if (it != temp.end()) 140 return true; 141 } 142 return false; 143} 144#endif 145 146} // namespace 147 148//----------------------------------------------------------------------------- 149 150HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority, 151 HttpNetworkSession* session) 152 : pending_auth_target_(HttpAuth::AUTH_NONE), 153 io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete, 154 base::Unretained(this))), 155 session_(session), 156 request_(NULL), 157 priority_(priority), 158 headers_valid_(false), 159 logged_response_time_(false), 160 fallback_error_code_(ERR_SSL_INAPPROPRIATE_FALLBACK), 161 request_headers_(), 162 read_buf_len_(0), 163 next_state_(STATE_NONE), 164 establishing_tunnel_(false), 165 websocket_handshake_stream_base_create_helper_(NULL) { 166 session->ssl_config_service()->GetSSLConfig(&server_ssl_config_); 167 if (session->http_stream_factory()->has_next_protos()) { 168 server_ssl_config_.next_protos = 169 session->http_stream_factory()->next_protos(); 170 } 171 proxy_ssl_config_ = server_ssl_config_; 172} 173 174HttpNetworkTransaction::~HttpNetworkTransaction() { 175 if (stream_.get()) { 176 HttpResponseHeaders* headers = GetResponseHeaders(); 177 // TODO(mbelshe): The stream_ should be able to compute whether or not the 178 // stream should be kept alive. No reason to compute here 179 // and pass it in. 180 bool try_to_keep_alive = 181 next_state_ == STATE_NONE && 182 stream_->CanFindEndOfResponse() && 183 (!headers || headers->IsKeepAlive()); 184 if (!try_to_keep_alive) { 185 stream_->Close(true /* not reusable */); 186 } else { 187 if (stream_->IsResponseBodyComplete()) { 188 // If the response body is complete, we can just reuse the socket. 189 stream_->Close(false /* reusable */); 190 } else if (stream_->IsSpdyHttpStream()) { 191 // Doesn't really matter for SpdyHttpStream. Just close it. 192 stream_->Close(true /* not reusable */); 193 } else { 194 // Otherwise, we try to drain the response body. 195 HttpStreamBase* stream = stream_.release(); 196 stream->Drain(session_); 197 } 198 } 199 } 200 201 if (request_ && request_->upload_data_stream) 202 request_->upload_data_stream->Reset(); // Invalidate pending callbacks. 203} 204 205int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info, 206 const CompletionCallback& callback, 207 const BoundNetLog& net_log) { 208 SIMPLE_STATS_COUNTER("HttpNetworkTransaction.Count"); 209 210 net_log_ = net_log; 211 request_ = request_info; 212 start_time_ = base::Time::Now(); 213 214 if (request_->load_flags & LOAD_DISABLE_CERT_REVOCATION_CHECKING) { 215 server_ssl_config_.rev_checking_enabled = false; 216 proxy_ssl_config_.rev_checking_enabled = false; 217 } 218 219 // Channel ID is enabled unless --disable-tls-channel-id flag is set, 220 // or if privacy mode is enabled. 221 bool channel_id_enabled = server_ssl_config_.channel_id_enabled && 222 (request_->privacy_mode == kPrivacyModeDisabled); 223 server_ssl_config_.channel_id_enabled = channel_id_enabled; 224 225 next_state_ = STATE_CREATE_STREAM; 226 int rv = DoLoop(OK); 227 if (rv == ERR_IO_PENDING) 228 callback_ = callback; 229 return rv; 230} 231 232int HttpNetworkTransaction::RestartIgnoringLastError( 233 const CompletionCallback& callback) { 234 DCHECK(!stream_.get()); 235 DCHECK(!stream_request_.get()); 236 DCHECK_EQ(STATE_NONE, next_state_); 237 238 next_state_ = STATE_CREATE_STREAM; 239 240 int rv = DoLoop(OK); 241 if (rv == ERR_IO_PENDING) 242 callback_ = callback; 243 return rv; 244} 245 246int HttpNetworkTransaction::RestartWithCertificate( 247 X509Certificate* client_cert, const CompletionCallback& callback) { 248 // In HandleCertificateRequest(), we always tear down existing stream 249 // requests to force a new connection. So we shouldn't have one here. 250 DCHECK(!stream_request_.get()); 251 DCHECK(!stream_.get()); 252 DCHECK_EQ(STATE_NONE, next_state_); 253 254 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 255 &proxy_ssl_config_ : &server_ssl_config_; 256 ssl_config->send_client_cert = true; 257 ssl_config->client_cert = client_cert; 258 session_->ssl_client_auth_cache()->Add( 259 response_.cert_request_info->host_and_port, client_cert); 260 // Reset the other member variables. 261 // Note: this is necessary only with SSL renegotiation. 262 ResetStateForRestart(); 263 next_state_ = STATE_CREATE_STREAM; 264 int rv = DoLoop(OK); 265 if (rv == ERR_IO_PENDING) 266 callback_ = callback; 267 return rv; 268} 269 270int HttpNetworkTransaction::RestartWithAuth( 271 const AuthCredentials& credentials, const CompletionCallback& callback) { 272 HttpAuth::Target target = pending_auth_target_; 273 if (target == HttpAuth::AUTH_NONE) { 274 NOTREACHED(); 275 return ERR_UNEXPECTED; 276 } 277 pending_auth_target_ = HttpAuth::AUTH_NONE; 278 279 auth_controllers_[target]->ResetAuth(credentials); 280 281 DCHECK(callback_.is_null()); 282 283 int rv = OK; 284 if (target == HttpAuth::AUTH_PROXY && establishing_tunnel_) { 285 // In this case, we've gathered credentials for use with proxy 286 // authentication of a tunnel. 287 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 288 DCHECK(stream_request_ != NULL); 289 auth_controllers_[target] = NULL; 290 ResetStateForRestart(); 291 rv = stream_request_->RestartTunnelWithProxyAuth(credentials); 292 } else { 293 // In this case, we've gathered credentials for the server or the proxy 294 // but it is not during the tunneling phase. 295 DCHECK(stream_request_ == NULL); 296 PrepareForAuthRestart(target); 297 rv = DoLoop(OK); 298 } 299 300 if (rv == ERR_IO_PENDING) 301 callback_ = callback; 302 return rv; 303} 304 305void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) { 306 DCHECK(HaveAuth(target)); 307 DCHECK(!stream_request_.get()); 308 309 bool keep_alive = false; 310 // Even if the server says the connection is keep-alive, we have to be 311 // able to find the end of each response in order to reuse the connection. 312 if (GetResponseHeaders()->IsKeepAlive() && 313 stream_->CanFindEndOfResponse()) { 314 // If the response body hasn't been completely read, we need to drain 315 // it first. 316 if (!stream_->IsResponseBodyComplete()) { 317 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 318 read_buf_ = new IOBuffer(kDrainBodyBufferSize); // A bit bucket. 319 read_buf_len_ = kDrainBodyBufferSize; 320 return; 321 } 322 keep_alive = true; 323 } 324 325 // We don't need to drain the response body, so we act as if we had drained 326 // the response body. 327 DidDrainBodyForAuthRestart(keep_alive); 328} 329 330void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) { 331 DCHECK(!stream_request_.get()); 332 333 if (stream_.get()) { 334 HttpStream* new_stream = NULL; 335 if (keep_alive && stream_->IsConnectionReusable()) { 336 // We should call connection_->set_idle_time(), but this doesn't occur 337 // often enough to be worth the trouble. 338 stream_->SetConnectionReused(); 339 new_stream = 340 static_cast<HttpStream*>(stream_.get())->RenewStreamForAuth(); 341 } 342 343 if (!new_stream) { 344 // Close the stream and mark it as not_reusable. Even in the 345 // keep_alive case, we've determined that the stream_ is not 346 // reusable if new_stream is NULL. 347 stream_->Close(true); 348 next_state_ = STATE_CREATE_STREAM; 349 } else { 350 next_state_ = STATE_INIT_STREAM; 351 } 352 stream_.reset(new_stream); 353 } 354 355 // Reset the other member variables. 356 ResetStateForAuthRestart(); 357} 358 359bool HttpNetworkTransaction::IsReadyToRestartForAuth() { 360 return pending_auth_target_ != HttpAuth::AUTH_NONE && 361 HaveAuth(pending_auth_target_); 362} 363 364int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len, 365 const CompletionCallback& callback) { 366 DCHECK(buf); 367 DCHECK_LT(0, buf_len); 368 369 State next_state = STATE_NONE; 370 371 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 372 if (headers_valid_ && headers.get() && stream_request_.get()) { 373 // We're trying to read the body of the response but we're still trying 374 // to establish an SSL tunnel through an HTTP proxy. We can't read these 375 // bytes when establishing a tunnel because they might be controlled by 376 // an active network attacker. We don't worry about this for HTTP 377 // because an active network attacker can already control HTTP sessions. 378 // We reach this case when the user cancels a 407 proxy auth prompt. We 379 // also don't worry about this for an HTTPS Proxy, because the 380 // communication with the proxy is secure. 381 // See http://crbug.com/8473. 382 DCHECK(proxy_info_.is_http() || proxy_info_.is_https()); 383 DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED); 384 LOG(WARNING) << "Blocked proxy response with status " 385 << headers->response_code() << " to CONNECT request for " 386 << GetHostAndPort(request_->url) << "."; 387 return ERR_TUNNEL_CONNECTION_FAILED; 388 } 389 390 // Are we using SPDY or HTTP? 391 next_state = STATE_READ_BODY; 392 393 read_buf_ = buf; 394 read_buf_len_ = buf_len; 395 396 next_state_ = next_state; 397 int rv = DoLoop(OK); 398 if (rv == ERR_IO_PENDING) 399 callback_ = callback; 400 return rv; 401} 402 403bool HttpNetworkTransaction::GetFullRequestHeaders( 404 HttpRequestHeaders* headers) const { 405 // TODO(ttuttle): Make sure we've populated request_headers_. 406 *headers = request_headers_; 407 return true; 408} 409 410const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const { 411 return ((headers_valid_ && response_.headers.get()) || 412 response_.ssl_info.cert.get() || response_.cert_request_info.get()) 413 ? &response_ 414 : NULL; 415} 416 417LoadState HttpNetworkTransaction::GetLoadState() const { 418 // TODO(wtc): Define a new LoadState value for the 419 // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request. 420 switch (next_state_) { 421 case STATE_CREATE_STREAM_COMPLETE: 422 return stream_request_->GetLoadState(); 423 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 424 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 425 case STATE_SEND_REQUEST_COMPLETE: 426 return LOAD_STATE_SENDING_REQUEST; 427 case STATE_READ_HEADERS_COMPLETE: 428 return LOAD_STATE_WAITING_FOR_RESPONSE; 429 case STATE_READ_BODY_COMPLETE: 430 return LOAD_STATE_READING_RESPONSE; 431 default: 432 return LOAD_STATE_IDLE; 433 } 434} 435 436UploadProgress HttpNetworkTransaction::GetUploadProgress() const { 437 if (!stream_.get()) 438 return UploadProgress(); 439 440 // TODO(bashi): This cast is temporary. Remove later. 441 return static_cast<HttpStream*>(stream_.get())->GetUploadProgress(); 442} 443 444bool HttpNetworkTransaction::GetLoadTimingInfo( 445 LoadTimingInfo* load_timing_info) const { 446 if (!stream_ || !stream_->GetLoadTimingInfo(load_timing_info)) 447 return false; 448 449 load_timing_info->proxy_resolve_start = 450 proxy_info_.proxy_resolve_start_time(); 451 load_timing_info->proxy_resolve_end = proxy_info_.proxy_resolve_end_time(); 452 load_timing_info->send_start = send_start_time_; 453 load_timing_info->send_end = send_end_time_; 454 return true; 455} 456 457void HttpNetworkTransaction::SetPriority(RequestPriority priority) { 458 priority_ = priority; 459 if (stream_request_) 460 stream_request_->SetPriority(priority); 461 if (stream_) 462 stream_->SetPriority(priority); 463} 464 465void HttpNetworkTransaction::SetWebSocketHandshakeStreamCreateHelper( 466 WebSocketHandshakeStreamBase::CreateHelper* create_helper) { 467 websocket_handshake_stream_base_create_helper_ = create_helper; 468} 469 470void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config, 471 const ProxyInfo& used_proxy_info, 472 HttpStreamBase* stream) { 473 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 474 DCHECK(stream_request_.get()); 475 476 stream_.reset(stream); 477 server_ssl_config_ = used_ssl_config; 478 proxy_info_ = used_proxy_info; 479 response_.was_npn_negotiated = stream_request_->was_npn_negotiated(); 480 response_.npn_negotiated_protocol = SSLClientSocket::NextProtoToString( 481 stream_request_->protocol_negotiated()); 482 response_.was_fetched_via_spdy = stream_request_->using_spdy(); 483 response_.was_fetched_via_proxy = !proxy_info_.is_direct(); 484 485 OnIOComplete(OK); 486} 487 488void HttpNetworkTransaction::OnWebSocketHandshakeStreamReady( 489 const SSLConfig& used_ssl_config, 490 const ProxyInfo& used_proxy_info, 491 WebSocketHandshakeStreamBase* stream) { 492 OnStreamReady(used_ssl_config, used_proxy_info, stream); 493} 494 495void HttpNetworkTransaction::OnStreamFailed(int result, 496 const SSLConfig& used_ssl_config) { 497 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 498 DCHECK_NE(OK, result); 499 DCHECK(stream_request_.get()); 500 DCHECK(!stream_.get()); 501 server_ssl_config_ = used_ssl_config; 502 503 OnIOComplete(result); 504} 505 506void HttpNetworkTransaction::OnCertificateError( 507 int result, 508 const SSLConfig& used_ssl_config, 509 const SSLInfo& ssl_info) { 510 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 511 DCHECK_NE(OK, result); 512 DCHECK(stream_request_.get()); 513 DCHECK(!stream_.get()); 514 515 response_.ssl_info = ssl_info; 516 server_ssl_config_ = used_ssl_config; 517 518 // TODO(mbelshe): For now, we're going to pass the error through, and that 519 // will close the stream_request in all cases. This means that we're always 520 // going to restart an entire STATE_CREATE_STREAM, even if the connection is 521 // good and the user chooses to ignore the error. This is not ideal, but not 522 // the end of the world either. 523 524 OnIOComplete(result); 525} 526 527void HttpNetworkTransaction::OnNeedsProxyAuth( 528 const HttpResponseInfo& proxy_response, 529 const SSLConfig& used_ssl_config, 530 const ProxyInfo& used_proxy_info, 531 HttpAuthController* auth_controller) { 532 DCHECK(stream_request_.get()); 533 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 534 535 establishing_tunnel_ = true; 536 response_.headers = proxy_response.headers; 537 response_.auth_challenge = proxy_response.auth_challenge; 538 headers_valid_ = true; 539 server_ssl_config_ = used_ssl_config; 540 proxy_info_ = used_proxy_info; 541 542 auth_controllers_[HttpAuth::AUTH_PROXY] = auth_controller; 543 pending_auth_target_ = HttpAuth::AUTH_PROXY; 544 545 DoCallback(OK); 546} 547 548void HttpNetworkTransaction::OnNeedsClientAuth( 549 const SSLConfig& used_ssl_config, 550 SSLCertRequestInfo* cert_info) { 551 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 552 553 server_ssl_config_ = used_ssl_config; 554 response_.cert_request_info = cert_info; 555 OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 556} 557 558void HttpNetworkTransaction::OnHttpsProxyTunnelResponse( 559 const HttpResponseInfo& response_info, 560 const SSLConfig& used_ssl_config, 561 const ProxyInfo& used_proxy_info, 562 HttpStreamBase* stream) { 563 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 564 565 headers_valid_ = true; 566 response_ = response_info; 567 server_ssl_config_ = used_ssl_config; 568 proxy_info_ = used_proxy_info; 569 stream_.reset(stream); 570 stream_request_.reset(); // we're done with the stream request 571 OnIOComplete(ERR_HTTPS_PROXY_TUNNEL_RESPONSE); 572} 573 574bool HttpNetworkTransaction::is_https_request() const { 575 return request_->url.SchemeIs("https"); 576} 577 578void HttpNetworkTransaction::DoCallback(int rv) { 579 DCHECK_NE(rv, ERR_IO_PENDING); 580 DCHECK(!callback_.is_null()); 581 582 // Since Run may result in Read being called, clear user_callback_ up front. 583 CompletionCallback c = callback_; 584 callback_.Reset(); 585 c.Run(rv); 586} 587 588void HttpNetworkTransaction::OnIOComplete(int result) { 589 int rv = DoLoop(result); 590 if (rv != ERR_IO_PENDING) 591 DoCallback(rv); 592} 593 594int HttpNetworkTransaction::DoLoop(int result) { 595 DCHECK(next_state_ != STATE_NONE); 596 597 int rv = result; 598 do { 599 State state = next_state_; 600 next_state_ = STATE_NONE; 601 switch (state) { 602 case STATE_CREATE_STREAM: 603 DCHECK_EQ(OK, rv); 604 rv = DoCreateStream(); 605 break; 606 case STATE_CREATE_STREAM_COMPLETE: 607 rv = DoCreateStreamComplete(rv); 608 break; 609 case STATE_INIT_STREAM: 610 DCHECK_EQ(OK, rv); 611 rv = DoInitStream(); 612 break; 613 case STATE_INIT_STREAM_COMPLETE: 614 rv = DoInitStreamComplete(rv); 615 break; 616 case STATE_GENERATE_PROXY_AUTH_TOKEN: 617 DCHECK_EQ(OK, rv); 618 rv = DoGenerateProxyAuthToken(); 619 break; 620 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 621 rv = DoGenerateProxyAuthTokenComplete(rv); 622 break; 623 case STATE_GENERATE_SERVER_AUTH_TOKEN: 624 DCHECK_EQ(OK, rv); 625 rv = DoGenerateServerAuthToken(); 626 break; 627 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 628 rv = DoGenerateServerAuthTokenComplete(rv); 629 break; 630 case STATE_INIT_REQUEST_BODY: 631 DCHECK_EQ(OK, rv); 632 rv = DoInitRequestBody(); 633 break; 634 case STATE_INIT_REQUEST_BODY_COMPLETE: 635 rv = DoInitRequestBodyComplete(rv); 636 break; 637 case STATE_BUILD_REQUEST: 638 DCHECK_EQ(OK, rv); 639 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST); 640 rv = DoBuildRequest(); 641 break; 642 case STATE_BUILD_REQUEST_COMPLETE: 643 rv = DoBuildRequestComplete(rv); 644 break; 645 case STATE_SEND_REQUEST: 646 DCHECK_EQ(OK, rv); 647 rv = DoSendRequest(); 648 break; 649 case STATE_SEND_REQUEST_COMPLETE: 650 rv = DoSendRequestComplete(rv); 651 net_log_.EndEventWithNetErrorCode( 652 NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, rv); 653 break; 654 case STATE_READ_HEADERS: 655 DCHECK_EQ(OK, rv); 656 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS); 657 rv = DoReadHeaders(); 658 break; 659 case STATE_READ_HEADERS_COMPLETE: 660 rv = DoReadHeadersComplete(rv); 661 net_log_.EndEventWithNetErrorCode( 662 NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS, rv); 663 break; 664 case STATE_READ_BODY: 665 DCHECK_EQ(OK, rv); 666 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_BODY); 667 rv = DoReadBody(); 668 break; 669 case STATE_READ_BODY_COMPLETE: 670 rv = DoReadBodyComplete(rv); 671 net_log_.EndEventWithNetErrorCode( 672 NetLog::TYPE_HTTP_TRANSACTION_READ_BODY, rv); 673 break; 674 case STATE_DRAIN_BODY_FOR_AUTH_RESTART: 675 DCHECK_EQ(OK, rv); 676 net_log_.BeginEvent( 677 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART); 678 rv = DoDrainBodyForAuthRestart(); 679 break; 680 case STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE: 681 rv = DoDrainBodyForAuthRestartComplete(rv); 682 net_log_.EndEventWithNetErrorCode( 683 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART, rv); 684 break; 685 default: 686 NOTREACHED() << "bad state"; 687 rv = ERR_FAILED; 688 break; 689 } 690 } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE); 691 692 return rv; 693} 694 695int HttpNetworkTransaction::DoCreateStream() { 696 next_state_ = STATE_CREATE_STREAM_COMPLETE; 697 698 if (ForWebSocketHandshake()) { 699 stream_request_.reset( 700 session_->http_stream_factory_for_websocket() 701 ->RequestWebSocketHandshakeStream( 702 *request_, 703 priority_, 704 server_ssl_config_, 705 proxy_ssl_config_, 706 this, 707 websocket_handshake_stream_base_create_helper_, 708 net_log_)); 709 } else { 710 stream_request_.reset( 711 session_->http_stream_factory()->RequestStream( 712 *request_, 713 priority_, 714 server_ssl_config_, 715 proxy_ssl_config_, 716 this, 717 net_log_)); 718 } 719 DCHECK(stream_request_.get()); 720 return ERR_IO_PENDING; 721} 722 723int HttpNetworkTransaction::DoCreateStreamComplete(int result) { 724 if (result == OK) { 725 next_state_ = STATE_INIT_STREAM; 726 DCHECK(stream_.get()); 727 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 728 result = HandleCertificateRequest(result); 729 } else if (result == ERR_HTTPS_PROXY_TUNNEL_RESPONSE) { 730 // Return OK and let the caller read the proxy's error page 731 next_state_ = STATE_NONE; 732 return OK; 733 } 734 735 // Handle possible handshake errors that may have occurred if the stream 736 // used SSL for one or more of the layers. 737 result = HandleSSLHandshakeError(result); 738 739 // At this point we are done with the stream_request_. 740 stream_request_.reset(); 741 return result; 742} 743 744int HttpNetworkTransaction::DoInitStream() { 745 DCHECK(stream_.get()); 746 next_state_ = STATE_INIT_STREAM_COMPLETE; 747 return stream_->InitializeStream(request_, priority_, net_log_, io_callback_); 748} 749 750int HttpNetworkTransaction::DoInitStreamComplete(int result) { 751 if (result == OK) { 752 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 753 } else { 754 if (result < 0) 755 result = HandleIOError(result); 756 757 // The stream initialization failed, so this stream will never be useful. 758 stream_.reset(); 759 } 760 761 return result; 762} 763 764int HttpNetworkTransaction::DoGenerateProxyAuthToken() { 765 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE; 766 if (!ShouldApplyProxyAuth()) 767 return OK; 768 HttpAuth::Target target = HttpAuth::AUTH_PROXY; 769 if (!auth_controllers_[target].get()) 770 auth_controllers_[target] = 771 new HttpAuthController(target, 772 AuthURL(target), 773 session_->http_auth_cache(), 774 session_->http_auth_handler_factory()); 775 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 776 io_callback_, 777 net_log_); 778} 779 780int HttpNetworkTransaction::DoGenerateProxyAuthTokenComplete(int rv) { 781 DCHECK_NE(ERR_IO_PENDING, rv); 782 if (rv == OK) 783 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN; 784 return rv; 785} 786 787int HttpNetworkTransaction::DoGenerateServerAuthToken() { 788 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE; 789 HttpAuth::Target target = HttpAuth::AUTH_SERVER; 790 if (!auth_controllers_[target].get()) { 791 auth_controllers_[target] = 792 new HttpAuthController(target, 793 AuthURL(target), 794 session_->http_auth_cache(), 795 session_->http_auth_handler_factory()); 796 if (request_->load_flags & LOAD_DO_NOT_USE_EMBEDDED_IDENTITY) 797 auth_controllers_[target]->DisableEmbeddedIdentity(); 798 } 799 if (!ShouldApplyServerAuth()) 800 return OK; 801 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 802 io_callback_, 803 net_log_); 804} 805 806int HttpNetworkTransaction::DoGenerateServerAuthTokenComplete(int rv) { 807 DCHECK_NE(ERR_IO_PENDING, rv); 808 if (rv == OK) 809 next_state_ = STATE_INIT_REQUEST_BODY; 810 return rv; 811} 812 813void HttpNetworkTransaction::BuildRequestHeaders(bool using_proxy) { 814 request_headers_.SetHeader(HttpRequestHeaders::kHost, 815 GetHostAndOptionalPort(request_->url)); 816 817 // For compat with HTTP/1.0 servers and proxies: 818 if (using_proxy) { 819 request_headers_.SetHeader(HttpRequestHeaders::kProxyConnection, 820 "keep-alive"); 821 } else { 822 request_headers_.SetHeader(HttpRequestHeaders::kConnection, "keep-alive"); 823 } 824 825 // Add a content length header? 826 if (request_->upload_data_stream) { 827 if (request_->upload_data_stream->is_chunked()) { 828 request_headers_.SetHeader( 829 HttpRequestHeaders::kTransferEncoding, "chunked"); 830 } else { 831 request_headers_.SetHeader( 832 HttpRequestHeaders::kContentLength, 833 base::Uint64ToString(request_->upload_data_stream->size())); 834 } 835 } else if (request_->method == "POST" || request_->method == "PUT" || 836 request_->method == "HEAD") { 837 // An empty POST/PUT request still needs a content length. As for HEAD, 838 // IE and Safari also add a content length header. Presumably it is to 839 // support sending a HEAD request to an URL that only expects to be sent a 840 // POST or some other method that normally would have a message body. 841 request_headers_.SetHeader(HttpRequestHeaders::kContentLength, "0"); 842 } 843 844 // Honor load flags that impact proxy caches. 845 if (request_->load_flags & LOAD_BYPASS_CACHE) { 846 request_headers_.SetHeader(HttpRequestHeaders::kPragma, "no-cache"); 847 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "no-cache"); 848 } else if (request_->load_flags & LOAD_VALIDATE_CACHE) { 849 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "max-age=0"); 850 } 851 852 if (ShouldApplyProxyAuth() && HaveAuth(HttpAuth::AUTH_PROXY)) 853 auth_controllers_[HttpAuth::AUTH_PROXY]->AddAuthorizationHeader( 854 &request_headers_); 855 if (ShouldApplyServerAuth() && HaveAuth(HttpAuth::AUTH_SERVER)) 856 auth_controllers_[HttpAuth::AUTH_SERVER]->AddAuthorizationHeader( 857 &request_headers_); 858 859 request_headers_.MergeFrom(request_->extra_headers); 860 response_.did_use_http_auth = 861 request_headers_.HasHeader(HttpRequestHeaders::kAuthorization) || 862 request_headers_.HasHeader(HttpRequestHeaders::kProxyAuthorization); 863} 864 865int HttpNetworkTransaction::DoInitRequestBody() { 866 next_state_ = STATE_INIT_REQUEST_BODY_COMPLETE; 867 int rv = OK; 868 if (request_->upload_data_stream) 869 rv = request_->upload_data_stream->Init(io_callback_); 870 return rv; 871} 872 873int HttpNetworkTransaction::DoInitRequestBodyComplete(int result) { 874 if (result == OK) 875 next_state_ = STATE_BUILD_REQUEST; 876 return result; 877} 878 879int HttpNetworkTransaction::DoBuildRequest() { 880 next_state_ = STATE_BUILD_REQUEST_COMPLETE; 881 headers_valid_ = false; 882 883 // This is constructed lazily (instead of within our Start method), so that 884 // we have proxy info available. 885 if (request_headers_.IsEmpty()) { 886 bool using_proxy = (proxy_info_.is_http() || proxy_info_.is_https()) && 887 !is_https_request(); 888 BuildRequestHeaders(using_proxy); 889 } 890 891 return OK; 892} 893 894int HttpNetworkTransaction::DoBuildRequestComplete(int result) { 895 if (result == OK) 896 next_state_ = STATE_SEND_REQUEST; 897 return result; 898} 899 900int HttpNetworkTransaction::DoSendRequest() { 901 send_start_time_ = base::TimeTicks::Now(); 902 next_state_ = STATE_SEND_REQUEST_COMPLETE; 903 904 return stream_->SendRequest(request_headers_, &response_, io_callback_); 905} 906 907int HttpNetworkTransaction::DoSendRequestComplete(int result) { 908 send_end_time_ = base::TimeTicks::Now(); 909 if (result < 0) 910 return HandleIOError(result); 911 response_.network_accessed = true; 912 next_state_ = STATE_READ_HEADERS; 913 return OK; 914} 915 916int HttpNetworkTransaction::DoReadHeaders() { 917 next_state_ = STATE_READ_HEADERS_COMPLETE; 918 return stream_->ReadResponseHeaders(io_callback_); 919} 920 921int HttpNetworkTransaction::HandleConnectionClosedBeforeEndOfHeaders() { 922 if (!response_.headers.get() && !stream_->IsConnectionReused()) { 923 // The connection was closed before any data was sent. Likely an error 924 // rather than empty HTTP/0.9 response. 925 return ERR_EMPTY_RESPONSE; 926 } 927 928 return OK; 929} 930 931int HttpNetworkTransaction::DoReadHeadersComplete(int result) { 932 // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here 933 // due to SSL renegotiation. 934 if (IsCertificateError(result)) { 935 // We don't handle a certificate error during SSL renegotiation, so we 936 // have to return an error that's not in the certificate error range 937 // (-2xx). 938 LOG(ERROR) << "Got a server certificate with error " << result 939 << " during SSL renegotiation"; 940 result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION; 941 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 942 // TODO(wtc): Need a test case for this code path! 943 DCHECK(stream_.get()); 944 DCHECK(is_https_request()); 945 response_.cert_request_info = new SSLCertRequestInfo; 946 stream_->GetSSLCertRequestInfo(response_.cert_request_info.get()); 947 result = HandleCertificateRequest(result); 948 if (result == OK) 949 return result; 950 } 951 952 if (result == ERR_QUIC_HANDSHAKE_FAILED) { 953 ResetConnectionAndRequestForResend(); 954 return OK; 955 } 956 957 if (result < 0 && result != ERR_CONNECTION_CLOSED) 958 return HandleIOError(result); 959 960 if (result == ERR_CONNECTION_CLOSED && ShouldResendRequest(result)) { 961 ResetConnectionAndRequestForResend(); 962 return OK; 963 } 964 965 // After we call RestartWithAuth a new response_time will be recorded, and 966 // we need to be cautious about incorrectly logging the duration across the 967 // authentication activity. 968 if (result == OK) 969 LogTransactionConnectedMetrics(); 970 971 if (result == ERR_CONNECTION_CLOSED) { 972 // For now, if we get at least some data, we do the best we can to make 973 // sense of it and send it back up the stack. 974 int rv = HandleConnectionClosedBeforeEndOfHeaders(); 975 if (rv != OK) 976 return rv; 977 } 978 DCHECK(response_.headers.get()); 979 980#if defined(SPDY_PROXY_AUTH_ORIGIN) 981 // Server-induced fallback; see: http://crbug.com/143712 982 if (response_.was_fetched_via_proxy && response_.headers.get() != NULL) { 983 ProxyService::DataReductionProxyBypassEventType proxy_bypass_event = 984 ProxyService::BYPASS_EVENT_TYPE_MAX; 985 net::HttpResponseHeaders::ChromeProxyInfo chrome_proxy_info; 986 bool chrome_proxy_used = 987 proxy_info_.proxy_server().isDataReductionProxy(); 988 bool chrome_fallback_proxy_used = false; 989#if defined(DATA_REDUCTION_FALLBACK_HOST) 990 if (!chrome_proxy_used) { 991 chrome_fallback_proxy_used = 992 proxy_info_.proxy_server().isDataReductionProxyFallback(); 993 } 994#endif 995 996 if (chrome_proxy_used || chrome_fallback_proxy_used) { 997 // A Via header might not be present in a 304. Since the goal of a 304 998 // response is to minimize information transfer, a sender in general 999 // should not generate representation metadata other than Cache-Control, 1000 // Content-Location, Date, ETag, Expires, and Vary. 1001 if (!IsChromeProxyResponse(response_.headers.get()) && 1002 (response_.headers->response_code() != HTTP_NOT_MODIFIED)) { 1003 proxy_bypass_event = ProxyService::MISSING_VIA_HEADER; 1004 } else if (response_.headers->GetChromeProxyInfo(&chrome_proxy_info)) { 1005 if (chrome_proxy_info.bypass_duration < TimeDelta::FromMinutes(30)) 1006 proxy_bypass_event = ProxyService::SHORT_BYPASS; 1007 else 1008 proxy_bypass_event = ProxyService::LONG_BYPASS; 1009 } else { 1010 // Additionally, fallback if a 500, 502 or 503 is returned via the data 1011 // reduction proxy. This is conservative, as the 500, 502 or 503 might 1012 // have been generated by the origin, and not the proxy. 1013 if (response_.headers->response_code() == HTTP_INTERNAL_SERVER_ERROR || 1014 response_.headers->response_code() == HTTP_BAD_GATEWAY || 1015 response_.headers->response_code() == HTTP_SERVICE_UNAVAILABLE) { 1016 proxy_bypass_event = ProxyService::INTERNAL_SERVER_ERROR_BYPASS; 1017 } 1018 } 1019 1020 if (proxy_bypass_event < ProxyService::BYPASS_EVENT_TYPE_MAX) { 1021 ProxyService* proxy_service = session_->proxy_service(); 1022 1023 proxy_service->RecordDataReductionProxyBypassInfo( 1024 chrome_proxy_used, proxy_info_.proxy_server(), proxy_bypass_event); 1025 1026 ProxyServer proxy_server; 1027#if defined(DATA_REDUCTION_FALLBACK_HOST) 1028 if (chrome_proxy_used && chrome_proxy_info.bypass_all) { 1029 // TODO(bengr): Rename as DATA_REDUCTION_FALLBACK_ORIGIN. 1030 GURL proxy_url(DATA_REDUCTION_FALLBACK_HOST); 1031 if (proxy_url.SchemeIsHTTPOrHTTPS()) { 1032 proxy_server = ProxyServer(proxy_url.SchemeIs("http") ? 1033 ProxyServer::SCHEME_HTTP : 1034 ProxyServer::SCHEME_HTTPS, 1035 HostPortPair::FromURL(proxy_url)); 1036 } 1037 } 1038#endif 1039 if (proxy_service->MarkProxiesAsBad(proxy_info_, 1040 chrome_proxy_info.bypass_duration, 1041 proxy_server, 1042 net_log_)) { 1043 // Only retry idempotent methods. We don't want to resubmit a POST 1044 // if the proxy took some action. 1045 if (request_->method == "GET" || 1046 request_->method == "OPTIONS" || 1047 request_->method == "HEAD" || 1048 request_->method == "PUT" || 1049 request_->method == "DELETE" || 1050 request_->method == "TRACE") { 1051 ResetConnectionAndRequestForResend(); 1052 return OK; 1053 } 1054 } 1055 } 1056 } 1057 } 1058#endif // defined(SPDY_PROXY_AUTH_ORIGIN) 1059 1060 // Like Net.HttpResponseCode, but only for MAIN_FRAME loads. 1061 if (request_->load_flags & LOAD_MAIN_FRAME) { 1062 const int response_code = response_.headers->response_code(); 1063 UMA_HISTOGRAM_ENUMERATION( 1064 "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10); 1065 } 1066 1067 net_log_.AddEvent( 1068 NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS, 1069 base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers)); 1070 1071 if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) { 1072 // HTTP/0.9 doesn't support the PUT method, so lack of response headers 1073 // indicates a buggy server. See: 1074 // https://bugzilla.mozilla.org/show_bug.cgi?id=193921 1075 if (request_->method == "PUT") 1076 return ERR_METHOD_NOT_SUPPORTED; 1077 } 1078 1079 // Check for an intermediate 100 Continue response. An origin server is 1080 // allowed to send this response even if we didn't ask for it, so we just 1081 // need to skip over it. 1082 // We treat any other 1xx in this same way (although in practice getting 1083 // a 1xx that isn't a 100 is rare). 1084 // Unless this is a WebSocket request, in which case we pass it on up. 1085 if (response_.headers->response_code() / 100 == 1 && 1086 !ForWebSocketHandshake()) { 1087 response_.headers = new HttpResponseHeaders(std::string()); 1088 next_state_ = STATE_READ_HEADERS; 1089 return OK; 1090 } 1091 1092 HostPortPair endpoint = HostPortPair(request_->url.HostNoBrackets(), 1093 request_->url.EffectiveIntPort()); 1094 ProcessAlternateProtocol(session_->http_stream_factory(), 1095 session_->http_server_properties(), 1096 *response_.headers.get(), 1097 endpoint); 1098 1099 int rv = HandleAuthChallenge(); 1100 if (rv != OK) 1101 return rv; 1102 1103 if (is_https_request()) 1104 stream_->GetSSLInfo(&response_.ssl_info); 1105 1106 headers_valid_ = true; 1107 return OK; 1108} 1109 1110int HttpNetworkTransaction::DoReadBody() { 1111 DCHECK(read_buf_.get()); 1112 DCHECK_GT(read_buf_len_, 0); 1113 DCHECK(stream_ != NULL); 1114 1115 next_state_ = STATE_READ_BODY_COMPLETE; 1116 return stream_->ReadResponseBody( 1117 read_buf_.get(), read_buf_len_, io_callback_); 1118} 1119 1120int HttpNetworkTransaction::DoReadBodyComplete(int result) { 1121 // We are done with the Read call. 1122 bool done = false; 1123 if (result <= 0) { 1124 DCHECK_NE(ERR_IO_PENDING, result); 1125 done = true; 1126 } 1127 1128 bool keep_alive = false; 1129 if (stream_->IsResponseBodyComplete()) { 1130 // Note: Just because IsResponseBodyComplete is true, we're not 1131 // necessarily "done". We're only "done" when it is the last 1132 // read on this HttpNetworkTransaction, which will be signified 1133 // by a zero-length read. 1134 // TODO(mbelshe): The keepalive property is really a property of 1135 // the stream. No need to compute it here just to pass back 1136 // to the stream's Close function. 1137 // TODO(rtenneti): CanFindEndOfResponse should return false if there are no 1138 // ResponseHeaders. 1139 if (stream_->CanFindEndOfResponse()) { 1140 HttpResponseHeaders* headers = GetResponseHeaders(); 1141 if (headers) 1142 keep_alive = headers->IsKeepAlive(); 1143 } 1144 } 1145 1146 // Clean up connection if we are done. 1147 if (done) { 1148 LogTransactionMetrics(); 1149 stream_->Close(!keep_alive); 1150 // Note: we don't reset the stream here. We've closed it, but we still 1151 // need it around so that callers can call methods such as 1152 // GetUploadProgress() and have them be meaningful. 1153 // TODO(mbelshe): This means we closed the stream here, and we close it 1154 // again in ~HttpNetworkTransaction. Clean that up. 1155 1156 // The next Read call will return 0 (EOF). 1157 } 1158 1159 // Clear these to avoid leaving around old state. 1160 read_buf_ = NULL; 1161 read_buf_len_ = 0; 1162 1163 return result; 1164} 1165 1166int HttpNetworkTransaction::DoDrainBodyForAuthRestart() { 1167 // This method differs from DoReadBody only in the next_state_. So we just 1168 // call DoReadBody and override the next_state_. Perhaps there is a more 1169 // elegant way for these two methods to share code. 1170 int rv = DoReadBody(); 1171 DCHECK(next_state_ == STATE_READ_BODY_COMPLETE); 1172 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE; 1173 return rv; 1174} 1175 1176// TODO(wtc): This method and the DoReadBodyComplete method are almost 1177// the same. Figure out a good way for these two methods to share code. 1178int HttpNetworkTransaction::DoDrainBodyForAuthRestartComplete(int result) { 1179 // keep_alive defaults to true because the very reason we're draining the 1180 // response body is to reuse the connection for auth restart. 1181 bool done = false, keep_alive = true; 1182 if (result < 0) { 1183 // Error or closed connection while reading the socket. 1184 done = true; 1185 keep_alive = false; 1186 } else if (stream_->IsResponseBodyComplete()) { 1187 done = true; 1188 } 1189 1190 if (done) { 1191 DidDrainBodyForAuthRestart(keep_alive); 1192 } else { 1193 // Keep draining. 1194 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 1195 } 1196 1197 return OK; 1198} 1199 1200void HttpNetworkTransaction::LogTransactionConnectedMetrics() { 1201 if (logged_response_time_) 1202 return; 1203 1204 logged_response_time_ = true; 1205 1206 base::TimeDelta total_duration = response_.response_time - start_time_; 1207 1208 UMA_HISTOGRAM_CUSTOM_TIMES( 1209 "Net.Transaction_Connected", 1210 total_duration, 1211 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1212 100); 1213 1214 bool reused_socket = stream_->IsConnectionReused(); 1215 if (!reused_socket) { 1216 UMA_HISTOGRAM_CUSTOM_TIMES( 1217 "Net.Transaction_Connected_New_b", 1218 total_duration, 1219 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1220 100); 1221 } 1222 1223 // Currently, non-HIGHEST priority requests are frame or sub-frame resource 1224 // types. This will change when we also prioritize certain subresources like 1225 // css, js, etc. 1226 if (priority_ != HIGHEST) { 1227 UMA_HISTOGRAM_CUSTOM_TIMES( 1228 "Net.Priority_High_Latency_b", 1229 total_duration, 1230 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1231 100); 1232 } else { 1233 UMA_HISTOGRAM_CUSTOM_TIMES( 1234 "Net.Priority_Low_Latency_b", 1235 total_duration, 1236 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1237 100); 1238 } 1239} 1240 1241void HttpNetworkTransaction::LogTransactionMetrics() const { 1242 base::TimeDelta duration = base::Time::Now() - 1243 response_.request_time; 1244 if (60 < duration.InMinutes()) 1245 return; 1246 1247 base::TimeDelta total_duration = base::Time::Now() - start_time_; 1248 1249 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_b", duration, 1250 base::TimeDelta::FromMilliseconds(1), 1251 base::TimeDelta::FromMinutes(10), 1252 100); 1253 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_Total", 1254 total_duration, 1255 base::TimeDelta::FromMilliseconds(1), 1256 base::TimeDelta::FromMinutes(10), 100); 1257 1258 if (!stream_->IsConnectionReused()) { 1259 UMA_HISTOGRAM_CUSTOM_TIMES( 1260 "Net.Transaction_Latency_Total_New_Connection", 1261 total_duration, base::TimeDelta::FromMilliseconds(1), 1262 base::TimeDelta::FromMinutes(10), 100); 1263 } 1264} 1265 1266int HttpNetworkTransaction::HandleCertificateRequest(int error) { 1267 // There are two paths through which the server can request a certificate 1268 // from us. The first is during the initial handshake, the second is 1269 // during SSL renegotiation. 1270 // 1271 // In both cases, we want to close the connection before proceeding. 1272 // We do this for two reasons: 1273 // First, we don't want to keep the connection to the server hung for a 1274 // long time while the user selects a certificate. 1275 // Second, even if we did keep the connection open, NSS has a bug where 1276 // restarting the handshake for ClientAuth is currently broken. 1277 DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 1278 1279 if (stream_.get()) { 1280 // Since we already have a stream, we're being called as part of SSL 1281 // renegotiation. 1282 DCHECK(!stream_request_.get()); 1283 stream_->Close(true); 1284 stream_.reset(); 1285 } 1286 1287 // The server is asking for a client certificate during the initial 1288 // handshake. 1289 stream_request_.reset(); 1290 1291 // If the user selected one of the certificates in client_certs or declined 1292 // to provide one for this server before, use the past decision 1293 // automatically. 1294 scoped_refptr<X509Certificate> client_cert; 1295 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( 1296 response_.cert_request_info->host_and_port, &client_cert); 1297 if (!found_cached_cert) 1298 return error; 1299 1300 // Check that the certificate selected is still a certificate the server 1301 // is likely to accept, based on the criteria supplied in the 1302 // CertificateRequest message. 1303 if (client_cert.get()) { 1304 const std::vector<std::string>& cert_authorities = 1305 response_.cert_request_info->cert_authorities; 1306 1307 bool cert_still_valid = cert_authorities.empty() || 1308 client_cert->IsIssuedByEncoded(cert_authorities); 1309 if (!cert_still_valid) 1310 return error; 1311 } 1312 1313 // TODO(davidben): Add a unit test which covers this path; we need to be 1314 // able to send a legitimate certificate and also bypass/clear the 1315 // SSL session cache. 1316 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 1317 &proxy_ssl_config_ : &server_ssl_config_; 1318 ssl_config->send_client_cert = true; 1319 ssl_config->client_cert = client_cert; 1320 next_state_ = STATE_CREATE_STREAM; 1321 // Reset the other member variables. 1322 // Note: this is necessary only with SSL renegotiation. 1323 ResetStateForRestart(); 1324 return OK; 1325} 1326 1327void HttpNetworkTransaction::HandleClientAuthError(int error) { 1328 if (server_ssl_config_.send_client_cert && 1329 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { 1330 session_->ssl_client_auth_cache()->Remove( 1331 GetHostAndPort(request_->url)); 1332 } 1333} 1334 1335// TODO(rch): This does not correctly handle errors when an SSL proxy is 1336// being used, as all of the errors are handled as if they were generated 1337// by the endpoint host, request_->url, rather than considering if they were 1338// generated by the SSL proxy. http://crbug.com/69329 1339int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { 1340 DCHECK(request_); 1341 HandleClientAuthError(error); 1342 1343 bool should_fallback = false; 1344 uint16 version_max = server_ssl_config_.version_max; 1345 1346 switch (error) { 1347 case ERR_SSL_PROTOCOL_ERROR: 1348 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: 1349 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && 1350 version_max > server_ssl_config_.version_min) { 1351 // This could be a TLS-intolerant server or a server that chose a 1352 // cipher suite defined only for higher protocol versions (such as 1353 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall 1354 // back to the next lower version and retry. 1355 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, 1356 // specifying TLS 1.1 in version_max will result in a TLS 1.0 1357 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply 1358 // repeat the TLS 1.0 handshake. To avoid this problem, the default 1359 // version_max should match the maximum protocol version supported 1360 // by the SSLClientSocket class. 1361 version_max--; 1362 1363 // Fallback to the lower SSL version. 1364 // While SSL 3.0 fallback should be eliminated because of security 1365 // reasons, there is a high risk of breaking the servers if this is 1366 // done in general. 1367 should_fallback = true; 1368 } 1369 break; 1370 case ERR_SSL_BAD_RECORD_MAC_ALERT: 1371 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && 1372 version_max > server_ssl_config_.version_min) { 1373 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or 1374 // 1.2 ClientHello, but then return a bad_record_mac alert. See 1375 // crbug.com/260358. In order to make the fallback as minimal as 1376 // possible, this fallback is only triggered for >= TLS 1.1. 1377 version_max--; 1378 should_fallback = true; 1379 } 1380 break; 1381 case ERR_SSL_INAPPROPRIATE_FALLBACK: 1382 // The server told us that we should not have fallen back. A buggy server 1383 // could trigger ERR_SSL_INAPPROPRIATE_FALLBACK with the initial 1384 // connection. |fallback_error_code_| is initialised to 1385 // ERR_SSL_INAPPROPRIATE_FALLBACK to catch this case. 1386 error = fallback_error_code_; 1387 break; 1388 } 1389 1390 if (should_fallback) { 1391 net_log_.AddEvent( 1392 NetLog::TYPE_SSL_VERSION_FALLBACK, 1393 base::Bind(&NetLogSSLVersionFallbackCallback, 1394 &request_->url, error, server_ssl_config_.version_max, 1395 version_max)); 1396 fallback_error_code_ = error; 1397 server_ssl_config_.version_max = version_max; 1398 server_ssl_config_.version_fallback = true; 1399 ResetConnectionAndRequestForResend(); 1400 error = OK; 1401 } 1402 1403 return error; 1404} 1405 1406// This method determines whether it is safe to resend the request after an 1407// IO error. It can only be called in response to request header or body 1408// write errors or response header read errors. It should not be used in 1409// other cases, such as a Connect error. 1410int HttpNetworkTransaction::HandleIOError(int error) { 1411 // Because the peer may request renegotiation with client authentication at 1412 // any time, check and handle client authentication errors. 1413 HandleClientAuthError(error); 1414 1415 switch (error) { 1416 // If we try to reuse a connection that the server is in the process of 1417 // closing, we may end up successfully writing out our request (or a 1418 // portion of our request) only to find a connection error when we try to 1419 // read from (or finish writing to) the socket. 1420 case ERR_CONNECTION_RESET: 1421 case ERR_CONNECTION_CLOSED: 1422 case ERR_CONNECTION_ABORTED: 1423 // There can be a race between the socket pool checking checking whether a 1424 // socket is still connected, receiving the FIN, and sending/reading data 1425 // on a reused socket. If we receive the FIN between the connectedness 1426 // check and writing/reading from the socket, we may first learn the socket 1427 // is disconnected when we get a ERR_SOCKET_NOT_CONNECTED. This will most 1428 // likely happen when trying to retrieve its IP address. 1429 // See http://crbug.com/105824 for more details. 1430 case ERR_SOCKET_NOT_CONNECTED: 1431 if (ShouldResendRequest(error)) { 1432 net_log_.AddEventWithNetErrorCode( 1433 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1434 ResetConnectionAndRequestForResend(); 1435 error = OK; 1436 } 1437 break; 1438 case ERR_PIPELINE_EVICTION: 1439 if (!session_->force_http_pipelining()) { 1440 net_log_.AddEventWithNetErrorCode( 1441 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1442 ResetConnectionAndRequestForResend(); 1443 error = OK; 1444 } 1445 break; 1446 case ERR_SPDY_PING_FAILED: 1447 case ERR_SPDY_SERVER_REFUSED_STREAM: 1448 case ERR_QUIC_HANDSHAKE_FAILED: 1449 net_log_.AddEventWithNetErrorCode( 1450 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1451 ResetConnectionAndRequestForResend(); 1452 error = OK; 1453 break; 1454 } 1455 return error; 1456} 1457 1458void HttpNetworkTransaction::ResetStateForRestart() { 1459 ResetStateForAuthRestart(); 1460 stream_.reset(); 1461} 1462 1463void HttpNetworkTransaction::ResetStateForAuthRestart() { 1464 send_start_time_ = base::TimeTicks(); 1465 send_end_time_ = base::TimeTicks(); 1466 1467 pending_auth_target_ = HttpAuth::AUTH_NONE; 1468 read_buf_ = NULL; 1469 read_buf_len_ = 0; 1470 headers_valid_ = false; 1471 request_headers_.Clear(); 1472 response_ = HttpResponseInfo(); 1473 establishing_tunnel_ = false; 1474} 1475 1476HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const { 1477 return response_.headers.get(); 1478} 1479 1480bool HttpNetworkTransaction::ShouldResendRequest(int error) const { 1481 bool connection_is_proven = stream_->IsConnectionReused(); 1482 bool has_received_headers = GetResponseHeaders() != NULL; 1483 1484 // NOTE: we resend a request only if we reused a keep-alive connection. 1485 // This automatically prevents an infinite resend loop because we'll run 1486 // out of the cached keep-alive connections eventually. 1487 if (connection_is_proven && !has_received_headers) 1488 return true; 1489 return false; 1490} 1491 1492void HttpNetworkTransaction::ResetConnectionAndRequestForResend() { 1493 if (stream_.get()) { 1494 stream_->Close(true); 1495 stream_.reset(); 1496 } 1497 1498 // We need to clear request_headers_ because it contains the real request 1499 // headers, but we may need to resend the CONNECT request first to recreate 1500 // the SSL tunnel. 1501 request_headers_.Clear(); 1502 next_state_ = STATE_CREATE_STREAM; // Resend the request. 1503} 1504 1505bool HttpNetworkTransaction::ShouldApplyProxyAuth() const { 1506 return !is_https_request() && 1507 (proxy_info_.is_https() || proxy_info_.is_http()); 1508} 1509 1510bool HttpNetworkTransaction::ShouldApplyServerAuth() const { 1511 return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA); 1512} 1513 1514int HttpNetworkTransaction::HandleAuthChallenge() { 1515 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 1516 DCHECK(headers.get()); 1517 1518 int status = headers->response_code(); 1519 if (status != HTTP_UNAUTHORIZED && 1520 status != HTTP_PROXY_AUTHENTICATION_REQUIRED) 1521 return OK; 1522 HttpAuth::Target target = status == HTTP_PROXY_AUTHENTICATION_REQUIRED ? 1523 HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER; 1524 if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct()) 1525 return ERR_UNEXPECTED_PROXY_AUTH; 1526 1527 // This case can trigger when an HTTPS server responds with a "Proxy 1528 // authentication required" status code through a non-authenticating 1529 // proxy. 1530 if (!auth_controllers_[target].get()) 1531 return ERR_UNEXPECTED_PROXY_AUTH; 1532 1533 int rv = auth_controllers_[target]->HandleAuthChallenge( 1534 headers, (request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA) != 0, false, 1535 net_log_); 1536 if (auth_controllers_[target]->HaveAuthHandler()) 1537 pending_auth_target_ = target; 1538 1539 scoped_refptr<AuthChallengeInfo> auth_info = 1540 auth_controllers_[target]->auth_info(); 1541 if (auth_info.get()) 1542 response_.auth_challenge = auth_info; 1543 1544 return rv; 1545} 1546 1547bool HttpNetworkTransaction::HaveAuth(HttpAuth::Target target) const { 1548 return auth_controllers_[target].get() && 1549 auth_controllers_[target]->HaveAuth(); 1550} 1551 1552GURL HttpNetworkTransaction::AuthURL(HttpAuth::Target target) const { 1553 switch (target) { 1554 case HttpAuth::AUTH_PROXY: { 1555 if (!proxy_info_.proxy_server().is_valid() || 1556 proxy_info_.proxy_server().is_direct()) { 1557 return GURL(); // There is no proxy server. 1558 } 1559 const char* scheme = proxy_info_.is_https() ? "https://" : "http://"; 1560 return GURL(scheme + 1561 proxy_info_.proxy_server().host_port_pair().ToString()); 1562 } 1563 case HttpAuth::AUTH_SERVER: 1564 return request_->url; 1565 default: 1566 return GURL(); 1567 } 1568} 1569 1570bool HttpNetworkTransaction::ForWebSocketHandshake() const { 1571 return websocket_handshake_stream_base_create_helper_ && 1572 request_->url.SchemeIsWSOrWSS(); 1573} 1574 1575#define STATE_CASE(s) \ 1576 case s: \ 1577 description = base::StringPrintf("%s (0x%08X)", #s, s); \ 1578 break 1579 1580std::string HttpNetworkTransaction::DescribeState(State state) { 1581 std::string description; 1582 switch (state) { 1583 STATE_CASE(STATE_CREATE_STREAM); 1584 STATE_CASE(STATE_CREATE_STREAM_COMPLETE); 1585 STATE_CASE(STATE_INIT_REQUEST_BODY); 1586 STATE_CASE(STATE_INIT_REQUEST_BODY_COMPLETE); 1587 STATE_CASE(STATE_BUILD_REQUEST); 1588 STATE_CASE(STATE_BUILD_REQUEST_COMPLETE); 1589 STATE_CASE(STATE_SEND_REQUEST); 1590 STATE_CASE(STATE_SEND_REQUEST_COMPLETE); 1591 STATE_CASE(STATE_READ_HEADERS); 1592 STATE_CASE(STATE_READ_HEADERS_COMPLETE); 1593 STATE_CASE(STATE_READ_BODY); 1594 STATE_CASE(STATE_READ_BODY_COMPLETE); 1595 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART); 1596 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE); 1597 STATE_CASE(STATE_NONE); 1598 default: 1599 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, 1600 state); 1601 break; 1602 } 1603 return description; 1604} 1605 1606#undef STATE_CASE 1607 1608} // namespace net 1609