http_network_transaction.cc revision 1e9bf3e0803691d0a228da41fc608347b6db4340
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/http/http_network_transaction.h" 6 7#include <set> 8#include <vector> 9 10#include "base/bind.h" 11#include "base/bind_helpers.h" 12#include "base/compiler_specific.h" 13#include "base/format_macros.h" 14#include "base/memory/scoped_ptr.h" 15#include "base/metrics/field_trial.h" 16#include "base/metrics/histogram.h" 17#include "base/metrics/stats_counters.h" 18#include "base/stl_util.h" 19#include "base/strings/string_number_conversions.h" 20#include "base/strings/string_util.h" 21#include "base/strings/stringprintf.h" 22#include "base/time/time.h" 23#include "base/values.h" 24#include "build/build_config.h" 25#include "net/base/auth.h" 26#include "net/base/host_port_pair.h" 27#include "net/base/io_buffer.h" 28#include "net/base/load_flags.h" 29#include "net/base/load_timing_info.h" 30#include "net/base/net_errors.h" 31#include "net/base/net_util.h" 32#include "net/base/upload_data_stream.h" 33#include "net/http/http_auth.h" 34#include "net/http/http_auth_handler.h" 35#include "net/http/http_auth_handler_factory.h" 36#include "net/http/http_basic_stream.h" 37#include "net/http/http_chunked_decoder.h" 38#include "net/http/http_network_session.h" 39#include "net/http/http_proxy_client_socket.h" 40#include "net/http/http_proxy_client_socket_pool.h" 41#include "net/http/http_request_headers.h" 42#include "net/http/http_request_info.h" 43#include "net/http/http_response_headers.h" 44#include "net/http/http_response_info.h" 45#include "net/http/http_server_properties.h" 46#include "net/http/http_status_code.h" 47#include "net/http/http_stream_base.h" 48#include "net/http/http_stream_factory.h" 49#include "net/http/http_util.h" 50#include "net/http/transport_security_state.h" 51#include "net/http/url_security_manager.h" 52#include "net/socket/client_socket_factory.h" 53#include "net/socket/socks_client_socket_pool.h" 54#include "net/socket/ssl_client_socket.h" 55#include "net/socket/ssl_client_socket_pool.h" 56#include "net/socket/transport_client_socket_pool.h" 57#include "net/spdy/spdy_http_stream.h" 58#include "net/spdy/spdy_session.h" 59#include "net/spdy/spdy_session_pool.h" 60#include "net/ssl/ssl_cert_request_info.h" 61#include "net/ssl/ssl_connection_status_flags.h" 62#include "url/gurl.h" 63 64using base::Time; 65 66namespace net { 67 68namespace { 69 70void ProcessAlternateProtocol( 71 HttpStreamFactory* factory, 72 const base::WeakPtr<HttpServerProperties>& http_server_properties, 73 const HttpResponseHeaders& headers, 74 const HostPortPair& http_host_port_pair) { 75 std::string alternate_protocol_str; 76 77 if (!headers.EnumerateHeader(NULL, kAlternateProtocolHeader, 78 &alternate_protocol_str)) { 79 // Header is not present. 80 return; 81 } 82 83 factory->ProcessAlternateProtocol(http_server_properties, 84 alternate_protocol_str, 85 http_host_port_pair); 86} 87 88// Returns true if |error| is a client certificate authentication error. 89bool IsClientCertificateError(int error) { 90 switch (error) { 91 case ERR_BAD_SSL_CLIENT_AUTH_CERT: 92 case ERR_SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED: 93 case ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY: 94 case ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: 95 return true; 96 default: 97 return false; 98 } 99} 100 101base::Value* NetLogSSLVersionFallbackCallback( 102 const GURL* url, 103 int net_error, 104 uint16 version_before, 105 uint16 version_after, 106 NetLog::LogLevel /* log_level */) { 107 base::DictionaryValue* dict = new base::DictionaryValue(); 108 dict->SetString("host_and_port", GetHostAndPort(*url)); 109 dict->SetInteger("net_error", net_error); 110 dict->SetInteger("version_before", version_before); 111 dict->SetInteger("version_after", version_after); 112 return dict; 113} 114 115} // namespace 116 117//----------------------------------------------------------------------------- 118 119HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority, 120 HttpNetworkSession* session) 121 : pending_auth_target_(HttpAuth::AUTH_NONE), 122 io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete, 123 base::Unretained(this))), 124 session_(session), 125 request_(NULL), 126 priority_(priority), 127 headers_valid_(false), 128 logged_response_time_(false), 129 request_headers_(), 130 read_buf_len_(0), 131 next_state_(STATE_NONE), 132 establishing_tunnel_(false) { 133 session->ssl_config_service()->GetSSLConfig(&server_ssl_config_); 134 if (session->http_stream_factory()->has_next_protos()) { 135 server_ssl_config_.next_protos = 136 session->http_stream_factory()->next_protos(); 137 } 138 proxy_ssl_config_ = server_ssl_config_; 139} 140 141HttpNetworkTransaction::~HttpNetworkTransaction() { 142 if (stream_.get()) { 143 HttpResponseHeaders* headers = GetResponseHeaders(); 144 // TODO(mbelshe): The stream_ should be able to compute whether or not the 145 // stream should be kept alive. No reason to compute here 146 // and pass it in. 147 bool try_to_keep_alive = 148 next_state_ == STATE_NONE && 149 stream_->CanFindEndOfResponse() && 150 (!headers || headers->IsKeepAlive()); 151 if (!try_to_keep_alive) { 152 stream_->Close(true /* not reusable */); 153 } else { 154 if (stream_->IsResponseBodyComplete()) { 155 // If the response body is complete, we can just reuse the socket. 156 stream_->Close(false /* reusable */); 157 } else if (stream_->IsSpdyHttpStream()) { 158 // Doesn't really matter for SpdyHttpStream. Just close it. 159 stream_->Close(true /* not reusable */); 160 } else { 161 // Otherwise, we try to drain the response body. 162 HttpStreamBase* stream = stream_.release(); 163 stream->Drain(session_); 164 } 165 } 166 } 167 168 if (request_ && request_->upload_data_stream) 169 request_->upload_data_stream->Reset(); // Invalidate pending callbacks. 170} 171 172int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info, 173 const CompletionCallback& callback, 174 const BoundNetLog& net_log) { 175 SIMPLE_STATS_COUNTER("HttpNetworkTransaction.Count"); 176 177 net_log_ = net_log; 178 request_ = request_info; 179 start_time_ = base::Time::Now(); 180 181 if (request_->load_flags & LOAD_DISABLE_CERT_REVOCATION_CHECKING) { 182 server_ssl_config_.rev_checking_enabled = false; 183 proxy_ssl_config_.rev_checking_enabled = false; 184 } 185 186 // Channel ID is enabled unless --disable-tls-channel-id flag is set, 187 // or if privacy mode is enabled. 188 bool channel_id_enabled = server_ssl_config_.channel_id_enabled && 189 (request_->privacy_mode == kPrivacyModeDisabled); 190 server_ssl_config_.channel_id_enabled = channel_id_enabled; 191 192 next_state_ = STATE_CREATE_STREAM; 193 int rv = DoLoop(OK); 194 if (rv == ERR_IO_PENDING) 195 callback_ = callback; 196 return rv; 197} 198 199int HttpNetworkTransaction::RestartIgnoringLastError( 200 const CompletionCallback& callback) { 201 DCHECK(!stream_.get()); 202 DCHECK(!stream_request_.get()); 203 DCHECK_EQ(STATE_NONE, next_state_); 204 205 next_state_ = STATE_CREATE_STREAM; 206 207 int rv = DoLoop(OK); 208 if (rv == ERR_IO_PENDING) 209 callback_ = callback; 210 return rv; 211} 212 213int HttpNetworkTransaction::RestartWithCertificate( 214 X509Certificate* client_cert, const CompletionCallback& callback) { 215 // In HandleCertificateRequest(), we always tear down existing stream 216 // requests to force a new connection. So we shouldn't have one here. 217 DCHECK(!stream_request_.get()); 218 DCHECK(!stream_.get()); 219 DCHECK_EQ(STATE_NONE, next_state_); 220 221 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 222 &proxy_ssl_config_ : &server_ssl_config_; 223 ssl_config->send_client_cert = true; 224 ssl_config->client_cert = client_cert; 225 session_->ssl_client_auth_cache()->Add( 226 response_.cert_request_info->host_and_port, client_cert); 227 // Reset the other member variables. 228 // Note: this is necessary only with SSL renegotiation. 229 ResetStateForRestart(); 230 next_state_ = STATE_CREATE_STREAM; 231 int rv = DoLoop(OK); 232 if (rv == ERR_IO_PENDING) 233 callback_ = callback; 234 return rv; 235} 236 237int HttpNetworkTransaction::RestartWithAuth( 238 const AuthCredentials& credentials, const CompletionCallback& callback) { 239 HttpAuth::Target target = pending_auth_target_; 240 if (target == HttpAuth::AUTH_NONE) { 241 NOTREACHED(); 242 return ERR_UNEXPECTED; 243 } 244 pending_auth_target_ = HttpAuth::AUTH_NONE; 245 246 auth_controllers_[target]->ResetAuth(credentials); 247 248 DCHECK(callback_.is_null()); 249 250 int rv = OK; 251 if (target == HttpAuth::AUTH_PROXY && establishing_tunnel_) { 252 // In this case, we've gathered credentials for use with proxy 253 // authentication of a tunnel. 254 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 255 DCHECK(stream_request_ != NULL); 256 auth_controllers_[target] = NULL; 257 ResetStateForRestart(); 258 rv = stream_request_->RestartTunnelWithProxyAuth(credentials); 259 } else { 260 // In this case, we've gathered credentials for the server or the proxy 261 // but it is not during the tunneling phase. 262 DCHECK(stream_request_ == NULL); 263 PrepareForAuthRestart(target); 264 rv = DoLoop(OK); 265 } 266 267 if (rv == ERR_IO_PENDING) 268 callback_ = callback; 269 return rv; 270} 271 272void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) { 273 DCHECK(HaveAuth(target)); 274 DCHECK(!stream_request_.get()); 275 276 bool keep_alive = false; 277 // Even if the server says the connection is keep-alive, we have to be 278 // able to find the end of each response in order to reuse the connection. 279 if (GetResponseHeaders()->IsKeepAlive() && 280 stream_->CanFindEndOfResponse()) { 281 // If the response body hasn't been completely read, we need to drain 282 // it first. 283 if (!stream_->IsResponseBodyComplete()) { 284 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 285 read_buf_ = new IOBuffer(kDrainBodyBufferSize); // A bit bucket. 286 read_buf_len_ = kDrainBodyBufferSize; 287 return; 288 } 289 keep_alive = true; 290 } 291 292 // We don't need to drain the response body, so we act as if we had drained 293 // the response body. 294 DidDrainBodyForAuthRestart(keep_alive); 295} 296 297void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) { 298 DCHECK(!stream_request_.get()); 299 300 if (stream_.get()) { 301 HttpStream* new_stream = NULL; 302 if (keep_alive && stream_->IsConnectionReusable()) { 303 // We should call connection_->set_idle_time(), but this doesn't occur 304 // often enough to be worth the trouble. 305 stream_->SetConnectionReused(); 306 new_stream = 307 static_cast<HttpStream*>(stream_.get())->RenewStreamForAuth(); 308 } 309 310 if (!new_stream) { 311 // Close the stream and mark it as not_reusable. Even in the 312 // keep_alive case, we've determined that the stream_ is not 313 // reusable if new_stream is NULL. 314 stream_->Close(true); 315 next_state_ = STATE_CREATE_STREAM; 316 } else { 317 next_state_ = STATE_INIT_STREAM; 318 } 319 stream_.reset(new_stream); 320 } 321 322 // Reset the other member variables. 323 ResetStateForAuthRestart(); 324} 325 326bool HttpNetworkTransaction::IsReadyToRestartForAuth() { 327 return pending_auth_target_ != HttpAuth::AUTH_NONE && 328 HaveAuth(pending_auth_target_); 329} 330 331int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len, 332 const CompletionCallback& callback) { 333 DCHECK(buf); 334 DCHECK_LT(0, buf_len); 335 336 State next_state = STATE_NONE; 337 338 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 339 if (headers_valid_ && headers.get() && stream_request_.get()) { 340 // We're trying to read the body of the response but we're still trying 341 // to establish an SSL tunnel through an HTTP proxy. We can't read these 342 // bytes when establishing a tunnel because they might be controlled by 343 // an active network attacker. We don't worry about this for HTTP 344 // because an active network attacker can already control HTTP sessions. 345 // We reach this case when the user cancels a 407 proxy auth prompt. We 346 // also don't worry about this for an HTTPS Proxy, because the 347 // communication with the proxy is secure. 348 // See http://crbug.com/8473. 349 DCHECK(proxy_info_.is_http() || proxy_info_.is_https()); 350 DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED); 351 LOG(WARNING) << "Blocked proxy response with status " 352 << headers->response_code() << " to CONNECT request for " 353 << GetHostAndPort(request_->url) << "."; 354 return ERR_TUNNEL_CONNECTION_FAILED; 355 } 356 357 // Are we using SPDY or HTTP? 358 next_state = STATE_READ_BODY; 359 360 read_buf_ = buf; 361 read_buf_len_ = buf_len; 362 363 next_state_ = next_state; 364 int rv = DoLoop(OK); 365 if (rv == ERR_IO_PENDING) 366 callback_ = callback; 367 return rv; 368} 369 370bool HttpNetworkTransaction::GetFullRequestHeaders( 371 HttpRequestHeaders* headers) const { 372 // TODO(ttuttle): Make sure we've populated request_headers_. 373 *headers = request_headers_; 374 return true; 375} 376 377const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const { 378 return ((headers_valid_ && response_.headers.get()) || 379 response_.ssl_info.cert.get() || response_.cert_request_info.get()) 380 ? &response_ 381 : NULL; 382} 383 384LoadState HttpNetworkTransaction::GetLoadState() const { 385 // TODO(wtc): Define a new LoadState value for the 386 // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request. 387 switch (next_state_) { 388 case STATE_CREATE_STREAM_COMPLETE: 389 return stream_request_->GetLoadState(); 390 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 391 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 392 case STATE_SEND_REQUEST_COMPLETE: 393 return LOAD_STATE_SENDING_REQUEST; 394 case STATE_READ_HEADERS_COMPLETE: 395 return LOAD_STATE_WAITING_FOR_RESPONSE; 396 case STATE_READ_BODY_COMPLETE: 397 return LOAD_STATE_READING_RESPONSE; 398 default: 399 return LOAD_STATE_IDLE; 400 } 401} 402 403UploadProgress HttpNetworkTransaction::GetUploadProgress() const { 404 if (!stream_.get()) 405 return UploadProgress(); 406 407 // TODO(bashi): This cast is temporary. Remove later. 408 return static_cast<HttpStream*>(stream_.get())->GetUploadProgress(); 409} 410 411bool HttpNetworkTransaction::GetLoadTimingInfo( 412 LoadTimingInfo* load_timing_info) const { 413 if (!stream_ || !stream_->GetLoadTimingInfo(load_timing_info)) 414 return false; 415 416 load_timing_info->proxy_resolve_start = 417 proxy_info_.proxy_resolve_start_time(); 418 load_timing_info->proxy_resolve_end = proxy_info_.proxy_resolve_end_time(); 419 load_timing_info->send_start = send_start_time_; 420 load_timing_info->send_end = send_end_time_; 421 return true; 422} 423 424void HttpNetworkTransaction::SetPriority(RequestPriority priority) { 425 priority_ = priority; 426 if (stream_request_) 427 stream_request_->SetPriority(priority); 428 if (stream_) 429 stream_->SetPriority(priority); 430} 431 432void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config, 433 const ProxyInfo& used_proxy_info, 434 HttpStreamBase* stream) { 435 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 436 DCHECK(stream_request_.get()); 437 438 stream_.reset(stream); 439 server_ssl_config_ = used_ssl_config; 440 proxy_info_ = used_proxy_info; 441 response_.was_npn_negotiated = stream_request_->was_npn_negotiated(); 442 response_.npn_negotiated_protocol = SSLClientSocket::NextProtoToString( 443 stream_request_->protocol_negotiated()); 444 response_.was_fetched_via_spdy = stream_request_->using_spdy(); 445 response_.was_fetched_via_proxy = !proxy_info_.is_direct(); 446 447 OnIOComplete(OK); 448} 449 450void HttpNetworkTransaction::OnWebSocketHandshakeStreamReady( 451 const SSLConfig& used_ssl_config, 452 const ProxyInfo& used_proxy_info, 453 WebSocketHandshakeStreamBase* stream) { 454 NOTREACHED() << "This function should never be called."; 455} 456 457void HttpNetworkTransaction::OnStreamFailed(int result, 458 const SSLConfig& used_ssl_config) { 459 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 460 DCHECK_NE(OK, result); 461 DCHECK(stream_request_.get()); 462 DCHECK(!stream_.get()); 463 server_ssl_config_ = used_ssl_config; 464 465 OnIOComplete(result); 466} 467 468void HttpNetworkTransaction::OnCertificateError( 469 int result, 470 const SSLConfig& used_ssl_config, 471 const SSLInfo& ssl_info) { 472 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 473 DCHECK_NE(OK, result); 474 DCHECK(stream_request_.get()); 475 DCHECK(!stream_.get()); 476 477 response_.ssl_info = ssl_info; 478 server_ssl_config_ = used_ssl_config; 479 480 // TODO(mbelshe): For now, we're going to pass the error through, and that 481 // will close the stream_request in all cases. This means that we're always 482 // going to restart an entire STATE_CREATE_STREAM, even if the connection is 483 // good and the user chooses to ignore the error. This is not ideal, but not 484 // the end of the world either. 485 486 OnIOComplete(result); 487} 488 489void HttpNetworkTransaction::OnNeedsProxyAuth( 490 const HttpResponseInfo& proxy_response, 491 const SSLConfig& used_ssl_config, 492 const ProxyInfo& used_proxy_info, 493 HttpAuthController* auth_controller) { 494 DCHECK(stream_request_.get()); 495 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 496 497 establishing_tunnel_ = true; 498 response_.headers = proxy_response.headers; 499 response_.auth_challenge = proxy_response.auth_challenge; 500 headers_valid_ = true; 501 server_ssl_config_ = used_ssl_config; 502 proxy_info_ = used_proxy_info; 503 504 auth_controllers_[HttpAuth::AUTH_PROXY] = auth_controller; 505 pending_auth_target_ = HttpAuth::AUTH_PROXY; 506 507 DoCallback(OK); 508} 509 510void HttpNetworkTransaction::OnNeedsClientAuth( 511 const SSLConfig& used_ssl_config, 512 SSLCertRequestInfo* cert_info) { 513 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 514 515 server_ssl_config_ = used_ssl_config; 516 response_.cert_request_info = cert_info; 517 OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 518} 519 520void HttpNetworkTransaction::OnHttpsProxyTunnelResponse( 521 const HttpResponseInfo& response_info, 522 const SSLConfig& used_ssl_config, 523 const ProxyInfo& used_proxy_info, 524 HttpStreamBase* stream) { 525 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 526 527 headers_valid_ = true; 528 response_ = response_info; 529 server_ssl_config_ = used_ssl_config; 530 proxy_info_ = used_proxy_info; 531 stream_.reset(stream); 532 stream_request_.reset(); // we're done with the stream request 533 OnIOComplete(ERR_HTTPS_PROXY_TUNNEL_RESPONSE); 534} 535 536bool HttpNetworkTransaction::is_https_request() const { 537 return request_->url.SchemeIs("https"); 538} 539 540void HttpNetworkTransaction::DoCallback(int rv) { 541 DCHECK_NE(rv, ERR_IO_PENDING); 542 DCHECK(!callback_.is_null()); 543 544 // Since Run may result in Read being called, clear user_callback_ up front. 545 CompletionCallback c = callback_; 546 callback_.Reset(); 547 c.Run(rv); 548} 549 550void HttpNetworkTransaction::OnIOComplete(int result) { 551 int rv = DoLoop(result); 552 if (rv != ERR_IO_PENDING) 553 DoCallback(rv); 554} 555 556int HttpNetworkTransaction::DoLoop(int result) { 557 DCHECK(next_state_ != STATE_NONE); 558 559 int rv = result; 560 do { 561 State state = next_state_; 562 next_state_ = STATE_NONE; 563 switch (state) { 564 case STATE_CREATE_STREAM: 565 DCHECK_EQ(OK, rv); 566 rv = DoCreateStream(); 567 break; 568 case STATE_CREATE_STREAM_COMPLETE: 569 rv = DoCreateStreamComplete(rv); 570 break; 571 case STATE_INIT_STREAM: 572 DCHECK_EQ(OK, rv); 573 rv = DoInitStream(); 574 break; 575 case STATE_INIT_STREAM_COMPLETE: 576 rv = DoInitStreamComplete(rv); 577 break; 578 case STATE_GENERATE_PROXY_AUTH_TOKEN: 579 DCHECK_EQ(OK, rv); 580 rv = DoGenerateProxyAuthToken(); 581 break; 582 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 583 rv = DoGenerateProxyAuthTokenComplete(rv); 584 break; 585 case STATE_GENERATE_SERVER_AUTH_TOKEN: 586 DCHECK_EQ(OK, rv); 587 rv = DoGenerateServerAuthToken(); 588 break; 589 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 590 rv = DoGenerateServerAuthTokenComplete(rv); 591 break; 592 case STATE_INIT_REQUEST_BODY: 593 DCHECK_EQ(OK, rv); 594 rv = DoInitRequestBody(); 595 break; 596 case STATE_INIT_REQUEST_BODY_COMPLETE: 597 rv = DoInitRequestBodyComplete(rv); 598 break; 599 case STATE_BUILD_REQUEST: 600 DCHECK_EQ(OK, rv); 601 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST); 602 rv = DoBuildRequest(); 603 break; 604 case STATE_BUILD_REQUEST_COMPLETE: 605 rv = DoBuildRequestComplete(rv); 606 break; 607 case STATE_SEND_REQUEST: 608 DCHECK_EQ(OK, rv); 609 rv = DoSendRequest(); 610 break; 611 case STATE_SEND_REQUEST_COMPLETE: 612 rv = DoSendRequestComplete(rv); 613 net_log_.EndEventWithNetErrorCode( 614 NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, rv); 615 break; 616 case STATE_READ_HEADERS: 617 DCHECK_EQ(OK, rv); 618 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS); 619 rv = DoReadHeaders(); 620 break; 621 case STATE_READ_HEADERS_COMPLETE: 622 rv = DoReadHeadersComplete(rv); 623 net_log_.EndEventWithNetErrorCode( 624 NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS, rv); 625 break; 626 case STATE_READ_BODY: 627 DCHECK_EQ(OK, rv); 628 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_BODY); 629 rv = DoReadBody(); 630 break; 631 case STATE_READ_BODY_COMPLETE: 632 rv = DoReadBodyComplete(rv); 633 net_log_.EndEventWithNetErrorCode( 634 NetLog::TYPE_HTTP_TRANSACTION_READ_BODY, rv); 635 break; 636 case STATE_DRAIN_BODY_FOR_AUTH_RESTART: 637 DCHECK_EQ(OK, rv); 638 net_log_.BeginEvent( 639 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART); 640 rv = DoDrainBodyForAuthRestart(); 641 break; 642 case STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE: 643 rv = DoDrainBodyForAuthRestartComplete(rv); 644 net_log_.EndEventWithNetErrorCode( 645 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART, rv); 646 break; 647 default: 648 NOTREACHED() << "bad state"; 649 rv = ERR_FAILED; 650 break; 651 } 652 } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE); 653 654 return rv; 655} 656 657int HttpNetworkTransaction::DoCreateStream() { 658 next_state_ = STATE_CREATE_STREAM_COMPLETE; 659 660 stream_request_.reset( 661 session_->http_stream_factory()->RequestStream( 662 *request_, 663 priority_, 664 server_ssl_config_, 665 proxy_ssl_config_, 666 this, 667 net_log_)); 668 DCHECK(stream_request_.get()); 669 return ERR_IO_PENDING; 670} 671 672int HttpNetworkTransaction::DoCreateStreamComplete(int result) { 673 if (result == OK) { 674 next_state_ = STATE_INIT_STREAM; 675 DCHECK(stream_.get()); 676 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 677 result = HandleCertificateRequest(result); 678 } else if (result == ERR_HTTPS_PROXY_TUNNEL_RESPONSE) { 679 // Return OK and let the caller read the proxy's error page 680 next_state_ = STATE_NONE; 681 return OK; 682 } 683 684 // Handle possible handshake errors that may have occurred if the stream 685 // used SSL for one or more of the layers. 686 result = HandleSSLHandshakeError(result); 687 688 // At this point we are done with the stream_request_. 689 stream_request_.reset(); 690 return result; 691} 692 693int HttpNetworkTransaction::DoInitStream() { 694 DCHECK(stream_.get()); 695 next_state_ = STATE_INIT_STREAM_COMPLETE; 696 return stream_->InitializeStream(request_, priority_, net_log_, io_callback_); 697} 698 699int HttpNetworkTransaction::DoInitStreamComplete(int result) { 700 if (result == OK) { 701 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 702 } else { 703 if (result < 0) 704 result = HandleIOError(result); 705 706 // The stream initialization failed, so this stream will never be useful. 707 stream_.reset(); 708 } 709 710 return result; 711} 712 713int HttpNetworkTransaction::DoGenerateProxyAuthToken() { 714 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE; 715 if (!ShouldApplyProxyAuth()) 716 return OK; 717 HttpAuth::Target target = HttpAuth::AUTH_PROXY; 718 if (!auth_controllers_[target].get()) 719 auth_controllers_[target] = 720 new HttpAuthController(target, 721 AuthURL(target), 722 session_->http_auth_cache(), 723 session_->http_auth_handler_factory()); 724 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 725 io_callback_, 726 net_log_); 727} 728 729int HttpNetworkTransaction::DoGenerateProxyAuthTokenComplete(int rv) { 730 DCHECK_NE(ERR_IO_PENDING, rv); 731 if (rv == OK) 732 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN; 733 return rv; 734} 735 736int HttpNetworkTransaction::DoGenerateServerAuthToken() { 737 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE; 738 HttpAuth::Target target = HttpAuth::AUTH_SERVER; 739 if (!auth_controllers_[target].get()) { 740 auth_controllers_[target] = 741 new HttpAuthController(target, 742 AuthURL(target), 743 session_->http_auth_cache(), 744 session_->http_auth_handler_factory()); 745 if (request_->load_flags & LOAD_DO_NOT_USE_EMBEDDED_IDENTITY) 746 auth_controllers_[target]->DisableEmbeddedIdentity(); 747 } 748 if (!ShouldApplyServerAuth()) 749 return OK; 750 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 751 io_callback_, 752 net_log_); 753} 754 755int HttpNetworkTransaction::DoGenerateServerAuthTokenComplete(int rv) { 756 DCHECK_NE(ERR_IO_PENDING, rv); 757 if (rv == OK) 758 next_state_ = STATE_INIT_REQUEST_BODY; 759 return rv; 760} 761 762void HttpNetworkTransaction::BuildRequestHeaders(bool using_proxy) { 763 request_headers_.SetHeader(HttpRequestHeaders::kHost, 764 GetHostAndOptionalPort(request_->url)); 765 766 // For compat with HTTP/1.0 servers and proxies: 767 if (using_proxy) { 768 request_headers_.SetHeader(HttpRequestHeaders::kProxyConnection, 769 "keep-alive"); 770 } else { 771 request_headers_.SetHeader(HttpRequestHeaders::kConnection, "keep-alive"); 772 } 773 774 // Add a content length header? 775 if (request_->upload_data_stream) { 776 if (request_->upload_data_stream->is_chunked()) { 777 request_headers_.SetHeader( 778 HttpRequestHeaders::kTransferEncoding, "chunked"); 779 } else { 780 request_headers_.SetHeader( 781 HttpRequestHeaders::kContentLength, 782 base::Uint64ToString(request_->upload_data_stream->size())); 783 } 784 } else if (request_->method == "POST" || request_->method == "PUT" || 785 request_->method == "HEAD") { 786 // An empty POST/PUT request still needs a content length. As for HEAD, 787 // IE and Safari also add a content length header. Presumably it is to 788 // support sending a HEAD request to an URL that only expects to be sent a 789 // POST or some other method that normally would have a message body. 790 request_headers_.SetHeader(HttpRequestHeaders::kContentLength, "0"); 791 } 792 793 // Honor load flags that impact proxy caches. 794 if (request_->load_flags & LOAD_BYPASS_CACHE) { 795 request_headers_.SetHeader(HttpRequestHeaders::kPragma, "no-cache"); 796 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "no-cache"); 797 } else if (request_->load_flags & LOAD_VALIDATE_CACHE) { 798 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "max-age=0"); 799 } 800 801 if (ShouldApplyProxyAuth() && HaveAuth(HttpAuth::AUTH_PROXY)) 802 auth_controllers_[HttpAuth::AUTH_PROXY]->AddAuthorizationHeader( 803 &request_headers_); 804 if (ShouldApplyServerAuth() && HaveAuth(HttpAuth::AUTH_SERVER)) 805 auth_controllers_[HttpAuth::AUTH_SERVER]->AddAuthorizationHeader( 806 &request_headers_); 807 808 request_headers_.MergeFrom(request_->extra_headers); 809 response_.did_use_http_auth = 810 request_headers_.HasHeader(HttpRequestHeaders::kAuthorization) || 811 request_headers_.HasHeader(HttpRequestHeaders::kProxyAuthorization); 812} 813 814int HttpNetworkTransaction::DoInitRequestBody() { 815 next_state_ = STATE_INIT_REQUEST_BODY_COMPLETE; 816 int rv = OK; 817 if (request_->upload_data_stream) 818 rv = request_->upload_data_stream->Init(io_callback_); 819 return rv; 820} 821 822int HttpNetworkTransaction::DoInitRequestBodyComplete(int result) { 823 if (result == OK) 824 next_state_ = STATE_BUILD_REQUEST; 825 return result; 826} 827 828int HttpNetworkTransaction::DoBuildRequest() { 829 next_state_ = STATE_BUILD_REQUEST_COMPLETE; 830 headers_valid_ = false; 831 832 // This is constructed lazily (instead of within our Start method), so that 833 // we have proxy info available. 834 if (request_headers_.IsEmpty()) { 835 bool using_proxy = (proxy_info_.is_http() || proxy_info_.is_https()) && 836 !is_https_request(); 837 BuildRequestHeaders(using_proxy); 838 } 839 840 return OK; 841} 842 843int HttpNetworkTransaction::DoBuildRequestComplete(int result) { 844 if (result == OK) 845 next_state_ = STATE_SEND_REQUEST; 846 return result; 847} 848 849int HttpNetworkTransaction::DoSendRequest() { 850 send_start_time_ = base::TimeTicks::Now(); 851 next_state_ = STATE_SEND_REQUEST_COMPLETE; 852 853 return stream_->SendRequest(request_headers_, &response_, io_callback_); 854} 855 856int HttpNetworkTransaction::DoSendRequestComplete(int result) { 857 send_end_time_ = base::TimeTicks::Now(); 858 if (result < 0) 859 return HandleIOError(result); 860 response_.network_accessed = true; 861 next_state_ = STATE_READ_HEADERS; 862 return OK; 863} 864 865int HttpNetworkTransaction::DoReadHeaders() { 866 next_state_ = STATE_READ_HEADERS_COMPLETE; 867 return stream_->ReadResponseHeaders(io_callback_); 868} 869 870int HttpNetworkTransaction::HandleConnectionClosedBeforeEndOfHeaders() { 871 if (!response_.headers.get() && !stream_->IsConnectionReused()) { 872 // The connection was closed before any data was sent. Likely an error 873 // rather than empty HTTP/0.9 response. 874 return ERR_EMPTY_RESPONSE; 875 } 876 877 return OK; 878} 879 880int HttpNetworkTransaction::DoReadHeadersComplete(int result) { 881 // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here 882 // due to SSL renegotiation. 883 if (IsCertificateError(result)) { 884 // We don't handle a certificate error during SSL renegotiation, so we 885 // have to return an error that's not in the certificate error range 886 // (-2xx). 887 LOG(ERROR) << "Got a server certificate with error " << result 888 << " during SSL renegotiation"; 889 result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION; 890 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 891 // TODO(wtc): Need a test case for this code path! 892 DCHECK(stream_.get()); 893 DCHECK(is_https_request()); 894 response_.cert_request_info = new SSLCertRequestInfo; 895 stream_->GetSSLCertRequestInfo(response_.cert_request_info.get()); 896 result = HandleCertificateRequest(result); 897 if (result == OK) 898 return result; 899 } 900 901 if (result == ERR_QUIC_HANDSHAKE_FAILED) { 902 ResetConnectionAndRequestForResend(); 903 return OK; 904 } 905 906 if (result < 0 && result != ERR_CONNECTION_CLOSED) 907 return HandleIOError(result); 908 909 if (result == ERR_CONNECTION_CLOSED && ShouldResendRequest(result)) { 910 ResetConnectionAndRequestForResend(); 911 return OK; 912 } 913 914 // After we call RestartWithAuth a new response_time will be recorded, and 915 // we need to be cautious about incorrectly logging the duration across the 916 // authentication activity. 917 if (result == OK) 918 LogTransactionConnectedMetrics(); 919 920 if (result == ERR_CONNECTION_CLOSED) { 921 // For now, if we get at least some data, we do the best we can to make 922 // sense of it and send it back up the stack. 923 int rv = HandleConnectionClosedBeforeEndOfHeaders(); 924 if (rv != OK) 925 return rv; 926 } 927 DCHECK(response_.headers.get()); 928 929#if defined(SPDY_PROXY_AUTH_ORIGIN) 930 // Server-induced fallback; see: http://crbug.com/143712 931 if (response_.was_fetched_via_proxy && response_.headers.get() != NULL) { 932 base::TimeDelta bypass_duration; 933 bool chrome_proxy_used = 934 proxy_info_.proxy_server().host_port_pair().Equals( 935 HostPortPair::FromURL(GURL(SPDY_PROXY_AUTH_ORIGIN))); 936#if defined(DATA_REDUCTION_FALLBACK_HOST) 937 if (!chrome_proxy_used) { 938 chrome_proxy_used = 939 proxy_info_.proxy_server().host_port_pair().Equals( 940 HostPortPair::FromURL(GURL(DATA_REDUCTION_FALLBACK_HOST))); 941 } 942#endif 943 bool should_fallback = chrome_proxy_used && 944 response_.headers->GetChromeProxyInfo(&bypass_duration); 945 // Additionally, fallback if a 500 is returned via the data reduction proxy. 946 // This is conservative, as the 500 might have been generated by the origin, 947 // and not the proxy. 948 if (!should_fallback) { 949 should_fallback = chrome_proxy_used && 950 response_.headers->response_code() == HTTP_INTERNAL_SERVER_ERROR; 951 } 952 953 if (should_fallback) { 954 ProxyService* proxy_service = session_->proxy_service(); 955 if (proxy_service->MarkProxyAsBad(proxy_info_, bypass_duration, 956 net_log_)) { 957 // Only retry in the case of GETs. We don't want to resubmit a POST 958 // if the proxy took some action. 959 if (request_->method == "GET") { 960 ResetConnectionAndRequestForResend(); 961 return OK; 962 } 963 } 964 } 965 } 966#endif 967 968 // Like Net.HttpResponseCode, but only for MAIN_FRAME loads. 969 if (request_->load_flags & LOAD_MAIN_FRAME) { 970 const int response_code = response_.headers->response_code(); 971 UMA_HISTOGRAM_ENUMERATION( 972 "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10); 973 } 974 975 net_log_.AddEvent( 976 NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS, 977 base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers)); 978 979 if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) { 980 // HTTP/0.9 doesn't support the PUT method, so lack of response headers 981 // indicates a buggy server. See: 982 // https://bugzilla.mozilla.org/show_bug.cgi?id=193921 983 if (request_->method == "PUT") 984 return ERR_METHOD_NOT_SUPPORTED; 985 } 986 987 // Check for an intermediate 100 Continue response. An origin server is 988 // allowed to send this response even if we didn't ask for it, so we just 989 // need to skip over it. 990 // We treat any other 1xx in this same way (although in practice getting 991 // a 1xx that isn't a 100 is rare). 992 if (response_.headers->response_code() / 100 == 1) { 993 response_.headers = new HttpResponseHeaders(std::string()); 994 next_state_ = STATE_READ_HEADERS; 995 return OK; 996 } 997 998 HostPortPair endpoint = HostPortPair(request_->url.HostNoBrackets(), 999 request_->url.EffectiveIntPort()); 1000 ProcessAlternateProtocol(session_->http_stream_factory(), 1001 session_->http_server_properties(), 1002 *response_.headers.get(), 1003 endpoint); 1004 1005 int rv = HandleAuthChallenge(); 1006 if (rv != OK) 1007 return rv; 1008 1009 if (is_https_request()) 1010 stream_->GetSSLInfo(&response_.ssl_info); 1011 1012 headers_valid_ = true; 1013 return OK; 1014} 1015 1016int HttpNetworkTransaction::DoReadBody() { 1017 DCHECK(read_buf_.get()); 1018 DCHECK_GT(read_buf_len_, 0); 1019 DCHECK(stream_ != NULL); 1020 1021 next_state_ = STATE_READ_BODY_COMPLETE; 1022 return stream_->ReadResponseBody( 1023 read_buf_.get(), read_buf_len_, io_callback_); 1024} 1025 1026int HttpNetworkTransaction::DoReadBodyComplete(int result) { 1027 // We are done with the Read call. 1028 bool done = false; 1029 if (result <= 0) { 1030 DCHECK_NE(ERR_IO_PENDING, result); 1031 done = true; 1032 } 1033 1034 bool keep_alive = false; 1035 if (stream_->IsResponseBodyComplete()) { 1036 // Note: Just because IsResponseBodyComplete is true, we're not 1037 // necessarily "done". We're only "done" when it is the last 1038 // read on this HttpNetworkTransaction, which will be signified 1039 // by a zero-length read. 1040 // TODO(mbelshe): The keepalive property is really a property of 1041 // the stream. No need to compute it here just to pass back 1042 // to the stream's Close function. 1043 // TODO(rtenneti): CanFindEndOfResponse should return false if there are no 1044 // ResponseHeaders. 1045 if (stream_->CanFindEndOfResponse()) { 1046 HttpResponseHeaders* headers = GetResponseHeaders(); 1047 if (headers) 1048 keep_alive = headers->IsKeepAlive(); 1049 } 1050 } 1051 1052 // Clean up connection if we are done. 1053 if (done) { 1054 LogTransactionMetrics(); 1055 stream_->Close(!keep_alive); 1056 // Note: we don't reset the stream here. We've closed it, but we still 1057 // need it around so that callers can call methods such as 1058 // GetUploadProgress() and have them be meaningful. 1059 // TODO(mbelshe): This means we closed the stream here, and we close it 1060 // again in ~HttpNetworkTransaction. Clean that up. 1061 1062 // The next Read call will return 0 (EOF). 1063 } 1064 1065 // Clear these to avoid leaving around old state. 1066 read_buf_ = NULL; 1067 read_buf_len_ = 0; 1068 1069 return result; 1070} 1071 1072int HttpNetworkTransaction::DoDrainBodyForAuthRestart() { 1073 // This method differs from DoReadBody only in the next_state_. So we just 1074 // call DoReadBody and override the next_state_. Perhaps there is a more 1075 // elegant way for these two methods to share code. 1076 int rv = DoReadBody(); 1077 DCHECK(next_state_ == STATE_READ_BODY_COMPLETE); 1078 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE; 1079 return rv; 1080} 1081 1082// TODO(wtc): This method and the DoReadBodyComplete method are almost 1083// the same. Figure out a good way for these two methods to share code. 1084int HttpNetworkTransaction::DoDrainBodyForAuthRestartComplete(int result) { 1085 // keep_alive defaults to true because the very reason we're draining the 1086 // response body is to reuse the connection for auth restart. 1087 bool done = false, keep_alive = true; 1088 if (result < 0) { 1089 // Error or closed connection while reading the socket. 1090 done = true; 1091 keep_alive = false; 1092 } else if (stream_->IsResponseBodyComplete()) { 1093 done = true; 1094 } 1095 1096 if (done) { 1097 DidDrainBodyForAuthRestart(keep_alive); 1098 } else { 1099 // Keep draining. 1100 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 1101 } 1102 1103 return OK; 1104} 1105 1106void HttpNetworkTransaction::LogTransactionConnectedMetrics() { 1107 if (logged_response_time_) 1108 return; 1109 1110 logged_response_time_ = true; 1111 1112 base::TimeDelta total_duration = response_.response_time - start_time_; 1113 1114 UMA_HISTOGRAM_CUSTOM_TIMES( 1115 "Net.Transaction_Connected", 1116 total_duration, 1117 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1118 100); 1119 1120 bool reused_socket = stream_->IsConnectionReused(); 1121 if (!reused_socket) { 1122 UMA_HISTOGRAM_CUSTOM_TIMES( 1123 "Net.Transaction_Connected_New_b", 1124 total_duration, 1125 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1126 100); 1127 } 1128 1129 // Currently, non-HIGHEST priority requests are frame or sub-frame resource 1130 // types. This will change when we also prioritize certain subresources like 1131 // css, js, etc. 1132 if (priority_ != HIGHEST) { 1133 UMA_HISTOGRAM_CUSTOM_TIMES( 1134 "Net.Priority_High_Latency_b", 1135 total_duration, 1136 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1137 100); 1138 } else { 1139 UMA_HISTOGRAM_CUSTOM_TIMES( 1140 "Net.Priority_Low_Latency_b", 1141 total_duration, 1142 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1143 100); 1144 } 1145} 1146 1147void HttpNetworkTransaction::LogTransactionMetrics() const { 1148 base::TimeDelta duration = base::Time::Now() - 1149 response_.request_time; 1150 if (60 < duration.InMinutes()) 1151 return; 1152 1153 base::TimeDelta total_duration = base::Time::Now() - start_time_; 1154 1155 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_b", duration, 1156 base::TimeDelta::FromMilliseconds(1), 1157 base::TimeDelta::FromMinutes(10), 1158 100); 1159 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_Total", 1160 total_duration, 1161 base::TimeDelta::FromMilliseconds(1), 1162 base::TimeDelta::FromMinutes(10), 100); 1163 1164 if (!stream_->IsConnectionReused()) { 1165 UMA_HISTOGRAM_CUSTOM_TIMES( 1166 "Net.Transaction_Latency_Total_New_Connection", 1167 total_duration, base::TimeDelta::FromMilliseconds(1), 1168 base::TimeDelta::FromMinutes(10), 100); 1169 } 1170} 1171 1172int HttpNetworkTransaction::HandleCertificateRequest(int error) { 1173 // There are two paths through which the server can request a certificate 1174 // from us. The first is during the initial handshake, the second is 1175 // during SSL renegotiation. 1176 // 1177 // In both cases, we want to close the connection before proceeding. 1178 // We do this for two reasons: 1179 // First, we don't want to keep the connection to the server hung for a 1180 // long time while the user selects a certificate. 1181 // Second, even if we did keep the connection open, NSS has a bug where 1182 // restarting the handshake for ClientAuth is currently broken. 1183 DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 1184 1185 if (stream_.get()) { 1186 // Since we already have a stream, we're being called as part of SSL 1187 // renegotiation. 1188 DCHECK(!stream_request_.get()); 1189 stream_->Close(true); 1190 stream_.reset(); 1191 } 1192 1193 // The server is asking for a client certificate during the initial 1194 // handshake. 1195 stream_request_.reset(); 1196 1197 // If the user selected one of the certificates in client_certs or declined 1198 // to provide one for this server before, use the past decision 1199 // automatically. 1200 scoped_refptr<X509Certificate> client_cert; 1201 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( 1202 response_.cert_request_info->host_and_port, &client_cert); 1203 if (!found_cached_cert) 1204 return error; 1205 1206 // Check that the certificate selected is still a certificate the server 1207 // is likely to accept, based on the criteria supplied in the 1208 // CertificateRequest message. 1209 if (client_cert.get()) { 1210 const std::vector<std::string>& cert_authorities = 1211 response_.cert_request_info->cert_authorities; 1212 1213 bool cert_still_valid = cert_authorities.empty() || 1214 client_cert->IsIssuedByEncoded(cert_authorities); 1215 if (!cert_still_valid) 1216 return error; 1217 } 1218 1219 // TODO(davidben): Add a unit test which covers this path; we need to be 1220 // able to send a legitimate certificate and also bypass/clear the 1221 // SSL session cache. 1222 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 1223 &proxy_ssl_config_ : &server_ssl_config_; 1224 ssl_config->send_client_cert = true; 1225 ssl_config->client_cert = client_cert; 1226 next_state_ = STATE_CREATE_STREAM; 1227 // Reset the other member variables. 1228 // Note: this is necessary only with SSL renegotiation. 1229 ResetStateForRestart(); 1230 return OK; 1231} 1232 1233// TODO(rch): This does not correctly handle errors when an SSL proxy is 1234// being used, as all of the errors are handled as if they were generated 1235// by the endpoint host, request_->url, rather than considering if they were 1236// generated by the SSL proxy. http://crbug.com/69329 1237int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { 1238 DCHECK(request_); 1239 if (server_ssl_config_.send_client_cert && 1240 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { 1241 session_->ssl_client_auth_cache()->Remove( 1242 GetHostAndPort(request_->url)); 1243 } 1244 1245 bool should_fallback = false; 1246 uint16 version_max = server_ssl_config_.version_max; 1247 1248 switch (error) { 1249 case ERR_SSL_PROTOCOL_ERROR: 1250 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: 1251 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && 1252 version_max > server_ssl_config_.version_min) { 1253 // This could be a TLS-intolerant server or a server that chose a 1254 // cipher suite defined only for higher protocol versions (such as 1255 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall 1256 // back to the next lower version and retry. 1257 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, 1258 // specifying TLS 1.1 in version_max will result in a TLS 1.0 1259 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply 1260 // repeat the TLS 1.0 handshake. To avoid this problem, the default 1261 // version_max should match the maximum protocol version supported 1262 // by the SSLClientSocket class. 1263 version_max--; 1264 should_fallback = true; 1265 } 1266 break; 1267 case ERR_SSL_BAD_RECORD_MAC_ALERT: 1268 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && 1269 version_max > server_ssl_config_.version_min) { 1270 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or 1271 // 1.2 ClientHello, but then return a bad_record_mac alert. See 1272 // crbug.com/260358. In order to make the fallback as minimal as 1273 // possible, this fallback is only triggered for >= TLS 1.1. 1274 version_max--; 1275 should_fallback = true; 1276 } 1277 break; 1278 } 1279 1280 // While fallback should be eliminated because of security reasons, 1281 // there is a high risk of breaking the servers if this is done in 1282 // general. 1283 // 1284 // For now fallback is disabled for Google servers first, and will be 1285 // expanded to other servers after enough experiences have been gained 1286 // showing that this experiment works well with today's Internet. 1287 // 1288 // The --enable-unrestricted-ssl3-fallback command-line flag exists to allow 1289 // fallback to any version, all the way down to SSLv3. 1290 if (!server_ssl_config_.unrestricted_ssl3_fallback_enabled && 1291 TransportSecurityState::IsGooglePinnedProperty(request_->url.host(), 1292 true /* include SNI */)) { 1293 should_fallback = false; 1294 } 1295 1296 if (should_fallback) { 1297 net_log_.AddEvent( 1298 NetLog::TYPE_SSL_VERSION_FALLBACK, 1299 base::Bind(&NetLogSSLVersionFallbackCallback, 1300 &request_->url, error, server_ssl_config_.version_max, 1301 version_max)); 1302 server_ssl_config_.version_max = version_max; 1303 server_ssl_config_.version_fallback = true; 1304 ResetConnectionAndRequestForResend(); 1305 error = OK; 1306 } 1307 1308 return error; 1309} 1310 1311// This method determines whether it is safe to resend the request after an 1312// IO error. It can only be called in response to request header or body 1313// write errors or response header read errors. It should not be used in 1314// other cases, such as a Connect error. 1315int HttpNetworkTransaction::HandleIOError(int error) { 1316 // SSL errors may happen at any time during the stream and indicate issues 1317 // with the underlying connection. Because the peer may request 1318 // renegotiation at any time, check and handle any possible SSL handshake 1319 // related errors. In addition to renegotiation, TLS False Start may cause 1320 // SSL handshake errors (specifically servers with buggy DEFLATE support) 1321 // to be delayed until the first Read on the underlying connection. 1322 error = HandleSSLHandshakeError(error); 1323 1324 switch (error) { 1325 // If we try to reuse a connection that the server is in the process of 1326 // closing, we may end up successfully writing out our request (or a 1327 // portion of our request) only to find a connection error when we try to 1328 // read from (or finish writing to) the socket. 1329 case ERR_CONNECTION_RESET: 1330 case ERR_CONNECTION_CLOSED: 1331 case ERR_CONNECTION_ABORTED: 1332 // There can be a race between the socket pool checking checking whether a 1333 // socket is still connected, receiving the FIN, and sending/reading data 1334 // on a reused socket. If we receive the FIN between the connectedness 1335 // check and writing/reading from the socket, we may first learn the socket 1336 // is disconnected when we get a ERR_SOCKET_NOT_CONNECTED. This will most 1337 // likely happen when trying to retrieve its IP address. 1338 // See http://crbug.com/105824 for more details. 1339 case ERR_SOCKET_NOT_CONNECTED: 1340 if (ShouldResendRequest(error)) { 1341 net_log_.AddEventWithNetErrorCode( 1342 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1343 ResetConnectionAndRequestForResend(); 1344 error = OK; 1345 } 1346 break; 1347 case ERR_PIPELINE_EVICTION: 1348 if (!session_->force_http_pipelining()) { 1349 net_log_.AddEventWithNetErrorCode( 1350 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1351 ResetConnectionAndRequestForResend(); 1352 error = OK; 1353 } 1354 break; 1355 case ERR_SPDY_PING_FAILED: 1356 case ERR_SPDY_SERVER_REFUSED_STREAM: 1357 case ERR_QUIC_HANDSHAKE_FAILED: 1358 net_log_.AddEventWithNetErrorCode( 1359 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1360 ResetConnectionAndRequestForResend(); 1361 error = OK; 1362 break; 1363 } 1364 return error; 1365} 1366 1367void HttpNetworkTransaction::ResetStateForRestart() { 1368 ResetStateForAuthRestart(); 1369 stream_.reset(); 1370} 1371 1372void HttpNetworkTransaction::ResetStateForAuthRestart() { 1373 send_start_time_ = base::TimeTicks(); 1374 send_end_time_ = base::TimeTicks(); 1375 1376 pending_auth_target_ = HttpAuth::AUTH_NONE; 1377 read_buf_ = NULL; 1378 read_buf_len_ = 0; 1379 headers_valid_ = false; 1380 request_headers_.Clear(); 1381 response_ = HttpResponseInfo(); 1382 establishing_tunnel_ = false; 1383} 1384 1385HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const { 1386 return response_.headers.get(); 1387} 1388 1389bool HttpNetworkTransaction::ShouldResendRequest(int error) const { 1390 bool connection_is_proven = stream_->IsConnectionReused(); 1391 bool has_received_headers = GetResponseHeaders() != NULL; 1392 1393 // NOTE: we resend a request only if we reused a keep-alive connection. 1394 // This automatically prevents an infinite resend loop because we'll run 1395 // out of the cached keep-alive connections eventually. 1396 if (connection_is_proven && !has_received_headers) 1397 return true; 1398 return false; 1399} 1400 1401void HttpNetworkTransaction::ResetConnectionAndRequestForResend() { 1402 if (stream_.get()) { 1403 stream_->Close(true); 1404 stream_.reset(); 1405 } 1406 1407 // We need to clear request_headers_ because it contains the real request 1408 // headers, but we may need to resend the CONNECT request first to recreate 1409 // the SSL tunnel. 1410 request_headers_.Clear(); 1411 next_state_ = STATE_CREATE_STREAM; // Resend the request. 1412} 1413 1414bool HttpNetworkTransaction::ShouldApplyProxyAuth() const { 1415 return !is_https_request() && 1416 (proxy_info_.is_https() || proxy_info_.is_http()); 1417} 1418 1419bool HttpNetworkTransaction::ShouldApplyServerAuth() const { 1420 return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA); 1421} 1422 1423int HttpNetworkTransaction::HandleAuthChallenge() { 1424 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 1425 DCHECK(headers.get()); 1426 1427 int status = headers->response_code(); 1428 if (status != HTTP_UNAUTHORIZED && 1429 status != HTTP_PROXY_AUTHENTICATION_REQUIRED) 1430 return OK; 1431 HttpAuth::Target target = status == HTTP_PROXY_AUTHENTICATION_REQUIRED ? 1432 HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER; 1433 if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct()) 1434 return ERR_UNEXPECTED_PROXY_AUTH; 1435 1436 // This case can trigger when an HTTPS server responds with a "Proxy 1437 // authentication required" status code through a non-authenticating 1438 // proxy. 1439 if (!auth_controllers_[target].get()) 1440 return ERR_UNEXPECTED_PROXY_AUTH; 1441 1442 int rv = auth_controllers_[target]->HandleAuthChallenge( 1443 headers, (request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA) != 0, false, 1444 net_log_); 1445 if (auth_controllers_[target]->HaveAuthHandler()) 1446 pending_auth_target_ = target; 1447 1448 scoped_refptr<AuthChallengeInfo> auth_info = 1449 auth_controllers_[target]->auth_info(); 1450 if (auth_info.get()) 1451 response_.auth_challenge = auth_info; 1452 1453 return rv; 1454} 1455 1456bool HttpNetworkTransaction::HaveAuth(HttpAuth::Target target) const { 1457 return auth_controllers_[target].get() && 1458 auth_controllers_[target]->HaveAuth(); 1459} 1460 1461GURL HttpNetworkTransaction::AuthURL(HttpAuth::Target target) const { 1462 switch (target) { 1463 case HttpAuth::AUTH_PROXY: { 1464 if (!proxy_info_.proxy_server().is_valid() || 1465 proxy_info_.proxy_server().is_direct()) { 1466 return GURL(); // There is no proxy server. 1467 } 1468 const char* scheme = proxy_info_.is_https() ? "https://" : "http://"; 1469 return GURL(scheme + 1470 proxy_info_.proxy_server().host_port_pair().ToString()); 1471 } 1472 case HttpAuth::AUTH_SERVER: 1473 return request_->url; 1474 default: 1475 return GURL(); 1476 } 1477} 1478 1479#define STATE_CASE(s) \ 1480 case s: \ 1481 description = base::StringPrintf("%s (0x%08X)", #s, s); \ 1482 break 1483 1484std::string HttpNetworkTransaction::DescribeState(State state) { 1485 std::string description; 1486 switch (state) { 1487 STATE_CASE(STATE_CREATE_STREAM); 1488 STATE_CASE(STATE_CREATE_STREAM_COMPLETE); 1489 STATE_CASE(STATE_INIT_REQUEST_BODY); 1490 STATE_CASE(STATE_INIT_REQUEST_BODY_COMPLETE); 1491 STATE_CASE(STATE_BUILD_REQUEST); 1492 STATE_CASE(STATE_BUILD_REQUEST_COMPLETE); 1493 STATE_CASE(STATE_SEND_REQUEST); 1494 STATE_CASE(STATE_SEND_REQUEST_COMPLETE); 1495 STATE_CASE(STATE_READ_HEADERS); 1496 STATE_CASE(STATE_READ_HEADERS_COMPLETE); 1497 STATE_CASE(STATE_READ_BODY); 1498 STATE_CASE(STATE_READ_BODY_COMPLETE); 1499 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART); 1500 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE); 1501 STATE_CASE(STATE_NONE); 1502 default: 1503 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, 1504 state); 1505 break; 1506 } 1507 return description; 1508} 1509 1510#undef STATE_CASE 1511 1512} // namespace net 1513