http_network_transaction.cc revision 2a99a7e74a7f215066514fe81d2bfa6639d9eddd
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "net/http/http_network_transaction.h"
6
7#include <set>
8#include <vector>
9
10#include "base/bind.h"
11#include "base/bind_helpers.h"
12#include "base/compiler_specific.h"
13#include "base/format_macros.h"
14#include "base/memory/scoped_ptr.h"
15#include "base/metrics/field_trial.h"
16#include "base/metrics/histogram.h"
17#include "base/metrics/stats_counters.h"
18#include "base/stl_util.h"
19#include "base/string_number_conversions.h"
20#include "base/string_util.h"
21#include "base/stringprintf.h"
22#include "base/values.h"
23#include "build/build_config.h"
24#include "googleurl/src/gurl.h"
25#include "net/base/auth.h"
26#include "net/base/host_port_pair.h"
27#include "net/base/io_buffer.h"
28#include "net/base/load_flags.h"
29#include "net/base/load_timing_info.h"
30#include "net/base/net_errors.h"
31#include "net/base/net_util.h"
32#include "net/base/upload_data_stream.h"
33#include "net/http/http_auth.h"
34#include "net/http/http_auth_handler.h"
35#include "net/http/http_auth_handler_factory.h"
36#include "net/http/http_basic_stream.h"
37#include "net/http/http_chunked_decoder.h"
38#include "net/http/http_network_session.h"
39#include "net/http/http_proxy_client_socket.h"
40#include "net/http/http_proxy_client_socket_pool.h"
41#include "net/http/http_request_headers.h"
42#include "net/http/http_request_info.h"
43#include "net/http/http_response_headers.h"
44#include "net/http/http_response_info.h"
45#include "net/http/http_server_properties.h"
46#include "net/http/http_status_code.h"
47#include "net/http/http_stream_base.h"
48#include "net/http/http_stream_factory.h"
49#include "net/http/http_util.h"
50#include "net/http/url_security_manager.h"
51#include "net/socket/client_socket_factory.h"
52#include "net/socket/socks_client_socket_pool.h"
53#include "net/socket/ssl_client_socket.h"
54#include "net/socket/ssl_client_socket_pool.h"
55#include "net/socket/transport_client_socket_pool.h"
56#include "net/spdy/spdy_http_stream.h"
57#include "net/spdy/spdy_session.h"
58#include "net/spdy/spdy_session_pool.h"
59#include "net/ssl/ssl_cert_request_info.h"
60#include "net/ssl/ssl_connection_status_flags.h"
61
62using base::Time;
63
64namespace net {
65
66namespace {
67
68void ProcessAlternateProtocol(HttpStreamFactory* factory,
69                              HttpServerProperties* http_server_properties,
70                              const HttpResponseHeaders& headers,
71                              const HostPortPair& http_host_port_pair) {
72  std::string alternate_protocol_str;
73
74  if (!headers.EnumerateHeader(NULL, kAlternateProtocolHeader,
75                               &alternate_protocol_str)) {
76    // Header is not present.
77    return;
78  }
79
80  factory->ProcessAlternateProtocol(http_server_properties,
81                                    alternate_protocol_str,
82                                    http_host_port_pair);
83}
84
85// Returns true if |error| is a client certificate authentication error.
86bool IsClientCertificateError(int error) {
87  switch (error) {
88    case ERR_BAD_SSL_CLIENT_AUTH_CERT:
89    case ERR_SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED:
90    case ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY:
91    case ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED:
92      return true;
93    default:
94      return false;
95  }
96}
97
98Value* NetLogSSLVersionFallbackCallback(const GURL* url,
99                                        int net_error,
100                                        uint16 version_before,
101                                        uint16 version_after,
102                                        NetLog::LogLevel /* log_level */) {
103  DictionaryValue* dict = new DictionaryValue();
104  dict->SetString("host_and_port", GetHostAndPort(*url));
105  dict->SetInteger("net_error", net_error);
106  dict->SetInteger("version_before", version_before);
107  dict->SetInteger("version_after", version_after);
108  return dict;
109}
110
111}  // namespace
112
113//-----------------------------------------------------------------------------
114
115HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority,
116                                               HttpNetworkSession* session)
117    : pending_auth_target_(HttpAuth::AUTH_NONE),
118      ALLOW_THIS_IN_INITIALIZER_LIST(io_callback_(
119          base::Bind(&HttpNetworkTransaction::OnIOComplete,
120                     base::Unretained(this)))),
121      session_(session),
122      request_(NULL),
123      priority_(priority),
124      headers_valid_(false),
125      logged_response_time_(false),
126      request_headers_(),
127      read_buf_len_(0),
128      next_state_(STATE_NONE),
129      establishing_tunnel_(false) {
130  session->ssl_config_service()->GetSSLConfig(&server_ssl_config_);
131  if (session->http_stream_factory()->has_next_protos()) {
132    server_ssl_config_.next_protos =
133        session->http_stream_factory()->next_protos();
134  }
135  proxy_ssl_config_ = server_ssl_config_;
136}
137
138HttpNetworkTransaction::~HttpNetworkTransaction() {
139  if (stream_.get()) {
140    HttpResponseHeaders* headers = GetResponseHeaders();
141    // TODO(mbelshe): The stream_ should be able to compute whether or not the
142    //                stream should be kept alive.  No reason to compute here
143    //                and pass it in.
144    bool try_to_keep_alive =
145        next_state_ == STATE_NONE &&
146        stream_->CanFindEndOfResponse() &&
147        (!headers || headers->IsKeepAlive());
148    if (!try_to_keep_alive) {
149      stream_->Close(true /* not reusable */);
150    } else {
151      if (stream_->IsResponseBodyComplete()) {
152        // If the response body is complete, we can just reuse the socket.
153        stream_->Close(false /* reusable */);
154      } else if (stream_->IsSpdyHttpStream()) {
155        // Doesn't really matter for SpdyHttpStream. Just close it.
156        stream_->Close(true /* not reusable */);
157      } else {
158        // Otherwise, we try to drain the response body.
159        HttpStreamBase* stream = stream_.release();
160        stream->Drain(session_);
161      }
162    }
163  }
164}
165
166int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info,
167                                  const CompletionCallback& callback,
168                                  const BoundNetLog& net_log) {
169  SIMPLE_STATS_COUNTER("HttpNetworkTransaction.Count");
170
171  net_log_ = net_log;
172  request_ = request_info;
173  start_time_ = base::Time::Now();
174
175  if (request_->load_flags & LOAD_DISABLE_CERT_REVOCATION_CHECKING) {
176    server_ssl_config_.rev_checking_enabled = false;
177    proxy_ssl_config_.rev_checking_enabled = false;
178  }
179
180  next_state_ = STATE_CREATE_STREAM;
181  int rv = DoLoop(OK);
182  if (rv == ERR_IO_PENDING)
183    callback_ = callback;
184  return rv;
185}
186
187int HttpNetworkTransaction::RestartIgnoringLastError(
188    const CompletionCallback& callback) {
189  DCHECK(!stream_.get());
190  DCHECK(!stream_request_.get());
191  DCHECK_EQ(STATE_NONE, next_state_);
192
193  next_state_ = STATE_CREATE_STREAM;
194
195  int rv = DoLoop(OK);
196  if (rv == ERR_IO_PENDING)
197    callback_ = callback;
198  return rv;
199}
200
201int HttpNetworkTransaction::RestartWithCertificate(
202    X509Certificate* client_cert, const CompletionCallback& callback) {
203  // In HandleCertificateRequest(), we always tear down existing stream
204  // requests to force a new connection.  So we shouldn't have one here.
205  DCHECK(!stream_request_.get());
206  DCHECK(!stream_.get());
207  DCHECK_EQ(STATE_NONE, next_state_);
208
209  SSLConfig* ssl_config = response_.cert_request_info->is_proxy ?
210      &proxy_ssl_config_ : &server_ssl_config_;
211  ssl_config->send_client_cert = true;
212  ssl_config->client_cert = client_cert;
213  session_->ssl_client_auth_cache()->Add(
214      response_.cert_request_info->host_and_port, client_cert);
215  // Reset the other member variables.
216  // Note: this is necessary only with SSL renegotiation.
217  ResetStateForRestart();
218  next_state_ = STATE_CREATE_STREAM;
219  int rv = DoLoop(OK);
220  if (rv == ERR_IO_PENDING)
221    callback_ = callback;
222  return rv;
223}
224
225int HttpNetworkTransaction::RestartWithAuth(
226    const AuthCredentials& credentials, const CompletionCallback& callback) {
227  HttpAuth::Target target = pending_auth_target_;
228  if (target == HttpAuth::AUTH_NONE) {
229    NOTREACHED();
230    return ERR_UNEXPECTED;
231  }
232  pending_auth_target_ = HttpAuth::AUTH_NONE;
233
234  auth_controllers_[target]->ResetAuth(credentials);
235
236  DCHECK(callback_.is_null());
237
238  int rv = OK;
239  if (target == HttpAuth::AUTH_PROXY && establishing_tunnel_) {
240    // In this case, we've gathered credentials for use with proxy
241    // authentication of a tunnel.
242    DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
243    DCHECK(stream_request_ != NULL);
244    auth_controllers_[target] = NULL;
245    ResetStateForRestart();
246    rv = stream_request_->RestartTunnelWithProxyAuth(credentials);
247  } else {
248    // In this case, we've gathered credentials for the server or the proxy
249    // but it is not during the tunneling phase.
250    DCHECK(stream_request_ == NULL);
251    PrepareForAuthRestart(target);
252    rv = DoLoop(OK);
253  }
254
255  if (rv == ERR_IO_PENDING)
256    callback_ = callback;
257  return rv;
258}
259
260void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) {
261  DCHECK(HaveAuth(target));
262  DCHECK(!stream_request_.get());
263
264  bool keep_alive = false;
265  // Even if the server says the connection is keep-alive, we have to be
266  // able to find the end of each response in order to reuse the connection.
267  if (GetResponseHeaders()->IsKeepAlive() &&
268      stream_->CanFindEndOfResponse()) {
269    // If the response body hasn't been completely read, we need to drain
270    // it first.
271    if (!stream_->IsResponseBodyComplete()) {
272      next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART;
273      read_buf_ = new IOBuffer(kDrainBodyBufferSize);  // A bit bucket.
274      read_buf_len_ = kDrainBodyBufferSize;
275      return;
276    }
277    keep_alive = true;
278  }
279
280  // We don't need to drain the response body, so we act as if we had drained
281  // the response body.
282  DidDrainBodyForAuthRestart(keep_alive);
283}
284
285void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) {
286  DCHECK(!stream_request_.get());
287
288  if (stream_.get()) {
289    HttpStream* new_stream = NULL;
290    if (keep_alive && stream_->IsConnectionReusable()) {
291      // We should call connection_->set_idle_time(), but this doesn't occur
292      // often enough to be worth the trouble.
293      stream_->SetConnectionReused();
294      new_stream =
295          static_cast<HttpStream*>(stream_.get())->RenewStreamForAuth();
296    }
297
298    if (!new_stream) {
299      // Close the stream and mark it as not_reusable.  Even in the
300      // keep_alive case, we've determined that the stream_ is not
301      // reusable if new_stream is NULL.
302      stream_->Close(true);
303      next_state_ = STATE_CREATE_STREAM;
304    } else {
305      next_state_ = STATE_INIT_STREAM;
306    }
307    stream_.reset(new_stream);
308  }
309
310  // Reset the other member variables.
311  ResetStateForAuthRestart();
312}
313
314bool HttpNetworkTransaction::IsReadyToRestartForAuth() {
315  return pending_auth_target_ != HttpAuth::AUTH_NONE &&
316      HaveAuth(pending_auth_target_);
317}
318
319int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len,
320                                 const CompletionCallback& callback) {
321  DCHECK(buf);
322  DCHECK_LT(0, buf_len);
323
324  State next_state = STATE_NONE;
325
326  scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders());
327  if (headers_valid_ && headers.get() && stream_request_.get()) {
328    // We're trying to read the body of the response but we're still trying
329    // to establish an SSL tunnel through an HTTP proxy.  We can't read these
330    // bytes when establishing a tunnel because they might be controlled by
331    // an active network attacker.  We don't worry about this for HTTP
332    // because an active network attacker can already control HTTP sessions.
333    // We reach this case when the user cancels a 407 proxy auth prompt.  We
334    // also don't worry about this for an HTTPS Proxy, because the
335    // communication with the proxy is secure.
336    // See http://crbug.com/8473.
337    DCHECK(proxy_info_.is_http() || proxy_info_.is_https());
338    DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED);
339    LOG(WARNING) << "Blocked proxy response with status "
340                 << headers->response_code() << " to CONNECT request for "
341                 << GetHostAndPort(request_->url) << ".";
342    return ERR_TUNNEL_CONNECTION_FAILED;
343  }
344
345  // Are we using SPDY or HTTP?
346  next_state = STATE_READ_BODY;
347
348  read_buf_ = buf;
349  read_buf_len_ = buf_len;
350
351  next_state_ = next_state;
352  int rv = DoLoop(OK);
353  if (rv == ERR_IO_PENDING)
354    callback_ = callback;
355  return rv;
356}
357
358const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const {
359  return ((headers_valid_ && response_.headers) || response_.ssl_info.cert ||
360          response_.cert_request_info) ? &response_ : NULL;
361}
362
363LoadState HttpNetworkTransaction::GetLoadState() const {
364  // TODO(wtc): Define a new LoadState value for the
365  // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request.
366  switch (next_state_) {
367    case STATE_CREATE_STREAM_COMPLETE:
368      return stream_request_->GetLoadState();
369    case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE:
370    case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE:
371    case STATE_SEND_REQUEST_COMPLETE:
372      return LOAD_STATE_SENDING_REQUEST;
373    case STATE_READ_HEADERS_COMPLETE:
374      return LOAD_STATE_WAITING_FOR_RESPONSE;
375    case STATE_READ_BODY_COMPLETE:
376      return LOAD_STATE_READING_RESPONSE;
377    default:
378      return LOAD_STATE_IDLE;
379  }
380}
381
382UploadProgress HttpNetworkTransaction::GetUploadProgress() const {
383  if (!stream_.get())
384    return UploadProgress();
385
386  // TODO(bashi): This cast is temporary. Remove later.
387  return static_cast<HttpStream*>(stream_.get())->GetUploadProgress();
388}
389
390bool HttpNetworkTransaction::GetLoadTimingInfo(
391    LoadTimingInfo* load_timing_info) const {
392  if (!stream_ || !stream_->GetLoadTimingInfo(load_timing_info))
393    return false;
394
395  load_timing_info->proxy_resolve_start =
396      proxy_info_.proxy_resolve_start_time();
397  load_timing_info->proxy_resolve_end = proxy_info_.proxy_resolve_end_time();
398  load_timing_info->send_start = send_start_time_;
399  load_timing_info->send_end = send_end_time_;
400  load_timing_info->receive_headers_end = receive_headers_end_;
401  return true;
402}
403
404void HttpNetworkTransaction::SetPriority(RequestPriority priority) {
405  priority_ = priority;
406  // TODO(akalin): Plumb this through to |stream_request_| and
407  // |stream_|.
408}
409
410void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config,
411                                           const ProxyInfo& used_proxy_info,
412                                           HttpStreamBase* stream) {
413  DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
414  DCHECK(stream_request_.get());
415
416  stream_.reset(stream);
417  server_ssl_config_ = used_ssl_config;
418  proxy_info_ = used_proxy_info;
419  response_.was_npn_negotiated = stream_request_->was_npn_negotiated();
420  response_.npn_negotiated_protocol = SSLClientSocket::NextProtoToString(
421      stream_request_->protocol_negotiated());
422  response_.was_fetched_via_spdy = stream_request_->using_spdy();
423  response_.was_fetched_via_proxy = !proxy_info_.is_direct();
424
425  OnIOComplete(OK);
426}
427
428void HttpNetworkTransaction::OnStreamFailed(int result,
429                                            const SSLConfig& used_ssl_config) {
430  DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
431  DCHECK_NE(OK, result);
432  DCHECK(stream_request_.get());
433  DCHECK(!stream_.get());
434  server_ssl_config_ = used_ssl_config;
435
436  OnIOComplete(result);
437}
438
439void HttpNetworkTransaction::OnCertificateError(
440    int result,
441    const SSLConfig& used_ssl_config,
442    const SSLInfo& ssl_info) {
443  DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
444  DCHECK_NE(OK, result);
445  DCHECK(stream_request_.get());
446  DCHECK(!stream_.get());
447
448  response_.ssl_info = ssl_info;
449  server_ssl_config_ = used_ssl_config;
450
451  // TODO(mbelshe):  For now, we're going to pass the error through, and that
452  // will close the stream_request in all cases.  This means that we're always
453  // going to restart an entire STATE_CREATE_STREAM, even if the connection is
454  // good and the user chooses to ignore the error.  This is not ideal, but not
455  // the end of the world either.
456
457  OnIOComplete(result);
458}
459
460void HttpNetworkTransaction::OnNeedsProxyAuth(
461    const HttpResponseInfo& proxy_response,
462    const SSLConfig& used_ssl_config,
463    const ProxyInfo& used_proxy_info,
464    HttpAuthController* auth_controller) {
465  DCHECK(stream_request_.get());
466  DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
467
468  establishing_tunnel_ = true;
469  response_.headers = proxy_response.headers;
470  response_.auth_challenge = proxy_response.auth_challenge;
471  headers_valid_ = true;
472  server_ssl_config_ = used_ssl_config;
473  proxy_info_ = used_proxy_info;
474
475  auth_controllers_[HttpAuth::AUTH_PROXY] = auth_controller;
476  pending_auth_target_ = HttpAuth::AUTH_PROXY;
477
478  DoCallback(OK);
479}
480
481void HttpNetworkTransaction::OnNeedsClientAuth(
482    const SSLConfig& used_ssl_config,
483    SSLCertRequestInfo* cert_info) {
484  DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
485
486  server_ssl_config_ = used_ssl_config;
487  response_.cert_request_info = cert_info;
488  OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
489}
490
491void HttpNetworkTransaction::OnHttpsProxyTunnelResponse(
492    const HttpResponseInfo& response_info,
493    const SSLConfig& used_ssl_config,
494    const ProxyInfo& used_proxy_info,
495    HttpStreamBase* stream) {
496  DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
497
498  headers_valid_ = true;
499  response_ = response_info;
500  server_ssl_config_ = used_ssl_config;
501  proxy_info_ = used_proxy_info;
502  stream_.reset(stream);
503  stream_request_.reset();  // we're done with the stream request
504  OnIOComplete(ERR_HTTPS_PROXY_TUNNEL_RESPONSE);
505}
506
507bool HttpNetworkTransaction::is_https_request() const {
508  return request_->url.SchemeIs("https");
509}
510
511void HttpNetworkTransaction::DoCallback(int rv) {
512  DCHECK_NE(rv, ERR_IO_PENDING);
513  DCHECK(!callback_.is_null());
514
515  // Since Run may result in Read being called, clear user_callback_ up front.
516  CompletionCallback c = callback_;
517  callback_.Reset();
518  c.Run(rv);
519}
520
521void HttpNetworkTransaction::OnIOComplete(int result) {
522  int rv = DoLoop(result);
523  if (rv != ERR_IO_PENDING)
524    DoCallback(rv);
525}
526
527int HttpNetworkTransaction::DoLoop(int result) {
528  DCHECK(next_state_ != STATE_NONE);
529
530  int rv = result;
531  do {
532    State state = next_state_;
533    next_state_ = STATE_NONE;
534    switch (state) {
535      case STATE_CREATE_STREAM:
536        DCHECK_EQ(OK, rv);
537        rv = DoCreateStream();
538        break;
539      case STATE_CREATE_STREAM_COMPLETE:
540        rv = DoCreateStreamComplete(rv);
541        break;
542      case STATE_INIT_STREAM:
543        DCHECK_EQ(OK, rv);
544        rv = DoInitStream();
545        break;
546      case STATE_INIT_STREAM_COMPLETE:
547        rv = DoInitStreamComplete(rv);
548        break;
549      case STATE_GENERATE_PROXY_AUTH_TOKEN:
550        DCHECK_EQ(OK, rv);
551        rv = DoGenerateProxyAuthToken();
552        break;
553      case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE:
554        rv = DoGenerateProxyAuthTokenComplete(rv);
555        break;
556      case STATE_GENERATE_SERVER_AUTH_TOKEN:
557        DCHECK_EQ(OK, rv);
558        rv = DoGenerateServerAuthToken();
559        break;
560      case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE:
561        rv = DoGenerateServerAuthTokenComplete(rv);
562        break;
563      case STATE_INIT_REQUEST_BODY:
564        DCHECK_EQ(OK, rv);
565        rv = DoInitRequestBody();
566        break;
567      case STATE_INIT_REQUEST_BODY_COMPLETE:
568        rv = DoInitRequestBodyComplete(rv);
569        break;
570      case STATE_BUILD_REQUEST:
571        DCHECK_EQ(OK, rv);
572        net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST);
573        rv = DoBuildRequest();
574        break;
575      case STATE_BUILD_REQUEST_COMPLETE:
576        rv = DoBuildRequestComplete(rv);
577        break;
578      case STATE_SEND_REQUEST:
579        DCHECK_EQ(OK, rv);
580        rv = DoSendRequest();
581        break;
582      case STATE_SEND_REQUEST_COMPLETE:
583        rv = DoSendRequestComplete(rv);
584        net_log_.EndEventWithNetErrorCode(
585            NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, rv);
586        break;
587      case STATE_READ_HEADERS:
588        DCHECK_EQ(OK, rv);
589        net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS);
590        rv = DoReadHeaders();
591        break;
592      case STATE_READ_HEADERS_COMPLETE:
593        rv = DoReadHeadersComplete(rv);
594        net_log_.EndEventWithNetErrorCode(
595            NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS, rv);
596        break;
597      case STATE_READ_BODY:
598        DCHECK_EQ(OK, rv);
599        net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_BODY);
600        rv = DoReadBody();
601        break;
602      case STATE_READ_BODY_COMPLETE:
603        rv = DoReadBodyComplete(rv);
604        net_log_.EndEventWithNetErrorCode(
605            NetLog::TYPE_HTTP_TRANSACTION_READ_BODY, rv);
606        break;
607      case STATE_DRAIN_BODY_FOR_AUTH_RESTART:
608        DCHECK_EQ(OK, rv);
609        net_log_.BeginEvent(
610            NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART);
611        rv = DoDrainBodyForAuthRestart();
612        break;
613      case STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE:
614        rv = DoDrainBodyForAuthRestartComplete(rv);
615        net_log_.EndEventWithNetErrorCode(
616            NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART, rv);
617        break;
618      default:
619        NOTREACHED() << "bad state";
620        rv = ERR_FAILED;
621        break;
622    }
623  } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE);
624
625  return rv;
626}
627
628int HttpNetworkTransaction::DoCreateStream() {
629  next_state_ = STATE_CREATE_STREAM_COMPLETE;
630
631  stream_request_.reset(
632      session_->http_stream_factory()->RequestStream(
633          *request_,
634          priority_,
635          server_ssl_config_,
636          proxy_ssl_config_,
637          this,
638          net_log_));
639  DCHECK(stream_request_.get());
640  return ERR_IO_PENDING;
641}
642
643int HttpNetworkTransaction::DoCreateStreamComplete(int result) {
644  if (result == OK) {
645    next_state_ = STATE_INIT_STREAM;
646    DCHECK(stream_.get());
647  } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
648    result = HandleCertificateRequest(result);
649  } else if (result == ERR_HTTPS_PROXY_TUNNEL_RESPONSE) {
650    // Return OK and let the caller read the proxy's error page
651    next_state_ = STATE_NONE;
652    return OK;
653  }
654
655  // Handle possible handshake errors that may have occurred if the stream
656  // used SSL for one or more of the layers.
657  result = HandleSSLHandshakeError(result);
658
659  // At this point we are done with the stream_request_.
660  stream_request_.reset();
661  return result;
662}
663
664int HttpNetworkTransaction::DoInitStream() {
665  DCHECK(stream_.get());
666  next_state_ = STATE_INIT_STREAM_COMPLETE;
667  return stream_->InitializeStream(request_, priority_, net_log_, io_callback_);
668}
669
670int HttpNetworkTransaction::DoInitStreamComplete(int result) {
671  if (result == OK) {
672    next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN;
673  } else {
674    if (result < 0)
675      result = HandleIOError(result);
676
677    // The stream initialization failed, so this stream will never be useful.
678    stream_.reset();
679  }
680
681  return result;
682}
683
684int HttpNetworkTransaction::DoGenerateProxyAuthToken() {
685  next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE;
686  if (!ShouldApplyProxyAuth())
687    return OK;
688  HttpAuth::Target target = HttpAuth::AUTH_PROXY;
689  if (!auth_controllers_[target].get())
690    auth_controllers_[target] =
691        new HttpAuthController(target,
692                               AuthURL(target),
693                               session_->http_auth_cache(),
694                               session_->http_auth_handler_factory());
695  return auth_controllers_[target]->MaybeGenerateAuthToken(request_,
696                                                           io_callback_,
697                                                           net_log_);
698}
699
700int HttpNetworkTransaction::DoGenerateProxyAuthTokenComplete(int rv) {
701  DCHECK_NE(ERR_IO_PENDING, rv);
702  if (rv == OK)
703    next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN;
704  return rv;
705}
706
707int HttpNetworkTransaction::DoGenerateServerAuthToken() {
708  next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE;
709  HttpAuth::Target target = HttpAuth::AUTH_SERVER;
710  if (!auth_controllers_[target].get())
711    auth_controllers_[target] =
712        new HttpAuthController(target,
713                               AuthURL(target),
714                               session_->http_auth_cache(),
715                               session_->http_auth_handler_factory());
716  if (!ShouldApplyServerAuth())
717    return OK;
718  return auth_controllers_[target]->MaybeGenerateAuthToken(request_,
719                                                           io_callback_,
720                                                           net_log_);
721}
722
723int HttpNetworkTransaction::DoGenerateServerAuthTokenComplete(int rv) {
724  DCHECK_NE(ERR_IO_PENDING, rv);
725  if (rv == OK)
726    next_state_ = STATE_INIT_REQUEST_BODY;
727  return rv;
728}
729
730void HttpNetworkTransaction::BuildRequestHeaders(bool using_proxy) {
731  request_headers_.SetHeader(HttpRequestHeaders::kHost,
732                             GetHostAndOptionalPort(request_->url));
733
734  // For compat with HTTP/1.0 servers and proxies:
735  if (using_proxy) {
736    request_headers_.SetHeader(HttpRequestHeaders::kProxyConnection,
737                               "keep-alive");
738  } else {
739    request_headers_.SetHeader(HttpRequestHeaders::kConnection, "keep-alive");
740  }
741
742  // Add a content length header?
743  if (request_->upload_data_stream) {
744    if (request_->upload_data_stream->is_chunked()) {
745      request_headers_.SetHeader(
746          HttpRequestHeaders::kTransferEncoding, "chunked");
747    } else {
748      request_headers_.SetHeader(
749          HttpRequestHeaders::kContentLength,
750          base::Uint64ToString(request_->upload_data_stream->size()));
751    }
752  } else if (request_->method == "POST" || request_->method == "PUT" ||
753             request_->method == "HEAD") {
754    // An empty POST/PUT request still needs a content length.  As for HEAD,
755    // IE and Safari also add a content length header.  Presumably it is to
756    // support sending a HEAD request to an URL that only expects to be sent a
757    // POST or some other method that normally would have a message body.
758    request_headers_.SetHeader(HttpRequestHeaders::kContentLength, "0");
759  }
760
761  // Honor load flags that impact proxy caches.
762  if (request_->load_flags & LOAD_BYPASS_CACHE) {
763    request_headers_.SetHeader(HttpRequestHeaders::kPragma, "no-cache");
764    request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "no-cache");
765  } else if (request_->load_flags & LOAD_VALIDATE_CACHE) {
766    request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "max-age=0");
767  }
768
769  if (ShouldApplyProxyAuth() && HaveAuth(HttpAuth::AUTH_PROXY))
770    auth_controllers_[HttpAuth::AUTH_PROXY]->AddAuthorizationHeader(
771        &request_headers_);
772  if (ShouldApplyServerAuth() && HaveAuth(HttpAuth::AUTH_SERVER))
773    auth_controllers_[HttpAuth::AUTH_SERVER]->AddAuthorizationHeader(
774        &request_headers_);
775
776  request_headers_.MergeFrom(request_->extra_headers);
777}
778
779int HttpNetworkTransaction::DoInitRequestBody() {
780  next_state_ = STATE_INIT_REQUEST_BODY_COMPLETE;
781  int rv = OK;
782  if (request_->upload_data_stream)
783    rv = request_->upload_data_stream->Init(io_callback_);
784  return rv;
785}
786
787int HttpNetworkTransaction::DoInitRequestBodyComplete(int result) {
788  if (result == OK)
789    next_state_ = STATE_BUILD_REQUEST;
790  return result;
791}
792
793int HttpNetworkTransaction::DoBuildRequest() {
794  next_state_ = STATE_BUILD_REQUEST_COMPLETE;
795  headers_valid_ = false;
796
797  // This is constructed lazily (instead of within our Start method), so that
798  // we have proxy info available.
799  if (request_headers_.IsEmpty()) {
800    bool using_proxy = (proxy_info_.is_http() || proxy_info_.is_https()) &&
801                        !is_https_request();
802    BuildRequestHeaders(using_proxy);
803  }
804
805  return OK;
806}
807
808int HttpNetworkTransaction::DoBuildRequestComplete(int result) {
809  if (result == OK)
810    next_state_ = STATE_SEND_REQUEST;
811  return result;
812}
813
814int HttpNetworkTransaction::DoSendRequest() {
815  send_start_time_ = base::TimeTicks::Now();
816  next_state_ = STATE_SEND_REQUEST_COMPLETE;
817
818  return stream_->SendRequest(request_headers_, &response_, io_callback_);
819}
820
821int HttpNetworkTransaction::DoSendRequestComplete(int result) {
822  send_end_time_ = base::TimeTicks::Now();
823  if (result < 0)
824    return HandleIOError(result);
825  next_state_ = STATE_READ_HEADERS;
826  return OK;
827}
828
829int HttpNetworkTransaction::DoReadHeaders() {
830  next_state_ = STATE_READ_HEADERS_COMPLETE;
831  return stream_->ReadResponseHeaders(io_callback_);
832}
833
834int HttpNetworkTransaction::HandleConnectionClosedBeforeEndOfHeaders() {
835  if (!response_.headers && !stream_->IsConnectionReused()) {
836    // The connection was closed before any data was sent. Likely an error
837    // rather than empty HTTP/0.9 response.
838    return ERR_EMPTY_RESPONSE;
839  }
840
841  return OK;
842}
843
844int HttpNetworkTransaction::DoReadHeadersComplete(int result) {
845  receive_headers_end_ = base::TimeTicks::Now();
846
847  // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here
848  // due to SSL renegotiation.
849  if (IsCertificateError(result)) {
850    // We don't handle a certificate error during SSL renegotiation, so we
851    // have to return an error that's not in the certificate error range
852    // (-2xx).
853    LOG(ERROR) << "Got a server certificate with error " << result
854               << " during SSL renegotiation";
855    result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION;
856  } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
857    // TODO(wtc): Need a test case for this code path!
858    DCHECK(stream_.get());
859    DCHECK(is_https_request());
860    response_.cert_request_info = new SSLCertRequestInfo;
861    stream_->GetSSLCertRequestInfo(response_.cert_request_info);
862    result = HandleCertificateRequest(result);
863    if (result == OK)
864      return result;
865  }
866
867  if (result < 0 && result != ERR_CONNECTION_CLOSED)
868    return HandleIOError(result);
869
870  if (result == ERR_CONNECTION_CLOSED && ShouldResendRequest(result)) {
871    ResetConnectionAndRequestForResend();
872    return OK;
873  }
874
875  // After we call RestartWithAuth a new response_time will be recorded, and
876  // we need to be cautious about incorrectly logging the duration across the
877  // authentication activity.
878  if (result == OK)
879    LogTransactionConnectedMetrics();
880
881  if (result == ERR_CONNECTION_CLOSED) {
882    // For now, if we get at least some data, we do the best we can to make
883    // sense of it and send it back up the stack.
884    int rv = HandleConnectionClosedBeforeEndOfHeaders();
885    if (rv != OK)
886      return rv;
887  }
888  DCHECK(response_.headers);
889
890  // Server-induced fallback is supported only if this is a PAC configured
891  // proxy. See: http://crbug.com/143712
892  if (response_.was_fetched_via_proxy && proxy_info_.did_use_pac_script()) {
893    if (response_.headers != NULL &&
894        response_.headers->HasHeaderValue("connection", "proxy-bypass")) {
895      ProxyService* proxy_service = session_->proxy_service();
896      if (proxy_service->MarkProxyAsBad(proxy_info_, net_log_)) {
897        // Only retry in the case of GETs. We don't want to resubmit a POST
898        // if the proxy took some action.
899        if (request_->method == "GET") {
900          ResetConnectionAndRequestForResend();
901          return OK;
902        }
903      }
904    }
905  }
906
907  // Like Net.HttpResponseCode, but only for MAIN_FRAME loads.
908  if (request_->load_flags & LOAD_MAIN_FRAME) {
909    const int response_code = response_.headers->response_code();
910    UMA_HISTOGRAM_ENUMERATION(
911        "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10);
912  }
913
914  net_log_.AddEvent(
915      NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS,
916      base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers));
917
918  if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) {
919    // HTTP/0.9 doesn't support the PUT method, so lack of response headers
920    // indicates a buggy server.  See:
921    // https://bugzilla.mozilla.org/show_bug.cgi?id=193921
922    if (request_->method == "PUT")
923      return ERR_METHOD_NOT_SUPPORTED;
924  }
925
926  // Check for an intermediate 100 Continue response.  An origin server is
927  // allowed to send this response even if we didn't ask for it, so we just
928  // need to skip over it.
929  // We treat any other 1xx in this same way (although in practice getting
930  // a 1xx that isn't a 100 is rare).
931  if (response_.headers->response_code() / 100 == 1) {
932    response_.headers = new HttpResponseHeaders("");
933    next_state_ = STATE_READ_HEADERS;
934    return OK;
935  }
936
937  HostPortPair endpoint = HostPortPair(request_->url.HostNoBrackets(),
938                                       request_->url.EffectiveIntPort());
939  ProcessAlternateProtocol(session_->http_stream_factory(),
940                           session_->http_server_properties(),
941                           *response_.headers,
942                           endpoint);
943
944  int rv = HandleAuthChallenge();
945  if (rv != OK)
946    return rv;
947
948  if (is_https_request())
949    stream_->GetSSLInfo(&response_.ssl_info);
950
951  headers_valid_ = true;
952  return OK;
953}
954
955int HttpNetworkTransaction::DoReadBody() {
956  DCHECK(read_buf_);
957  DCHECK_GT(read_buf_len_, 0);
958  DCHECK(stream_ != NULL);
959
960  next_state_ = STATE_READ_BODY_COMPLETE;
961  return stream_->ReadResponseBody(read_buf_, read_buf_len_, io_callback_);
962}
963
964int HttpNetworkTransaction::DoReadBodyComplete(int result) {
965  // We are done with the Read call.
966  bool done = false;
967  if (result <= 0) {
968    DCHECK_NE(ERR_IO_PENDING, result);
969    done = true;
970  }
971
972  bool keep_alive = false;
973  if (stream_->IsResponseBodyComplete()) {
974    // Note: Just because IsResponseBodyComplete is true, we're not
975    // necessarily "done".  We're only "done" when it is the last
976    // read on this HttpNetworkTransaction, which will be signified
977    // by a zero-length read.
978    // TODO(mbelshe): The keepalive property is really a property of
979    //    the stream.  No need to compute it here just to pass back
980    //    to the stream's Close function.
981    // TODO(rtenneti): CanFindEndOfResponse should return false if there are no
982    // ResponseHeaders.
983    if (stream_->CanFindEndOfResponse()) {
984      HttpResponseHeaders* headers = GetResponseHeaders();
985      if (headers)
986        keep_alive = headers->IsKeepAlive();
987    }
988  }
989
990  // Clean up connection if we are done.
991  if (done) {
992    LogTransactionMetrics();
993    // TODO(bashi): This cast is temporary. Remove later.
994    static_cast<HttpStream*>(stream_.get())->LogNumRttVsBytesMetrics();
995    stream_->Close(!keep_alive);
996    // Note: we don't reset the stream here.  We've closed it, but we still
997    // need it around so that callers can call methods such as
998    // GetUploadProgress() and have them be meaningful.
999    // TODO(mbelshe): This means we closed the stream here, and we close it
1000    // again in ~HttpNetworkTransaction.  Clean that up.
1001
1002    // The next Read call will return 0 (EOF).
1003  }
1004
1005  // Clear these to avoid leaving around old state.
1006  read_buf_ = NULL;
1007  read_buf_len_ = 0;
1008
1009  return result;
1010}
1011
1012int HttpNetworkTransaction::DoDrainBodyForAuthRestart() {
1013  // This method differs from DoReadBody only in the next_state_.  So we just
1014  // call DoReadBody and override the next_state_.  Perhaps there is a more
1015  // elegant way for these two methods to share code.
1016  int rv = DoReadBody();
1017  DCHECK(next_state_ == STATE_READ_BODY_COMPLETE);
1018  next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE;
1019  return rv;
1020}
1021
1022// TODO(wtc): This method and the DoReadBodyComplete method are almost
1023// the same.  Figure out a good way for these two methods to share code.
1024int HttpNetworkTransaction::DoDrainBodyForAuthRestartComplete(int result) {
1025  // keep_alive defaults to true because the very reason we're draining the
1026  // response body is to reuse the connection for auth restart.
1027  bool done = false, keep_alive = true;
1028  if (result < 0) {
1029    // Error or closed connection while reading the socket.
1030    done = true;
1031    keep_alive = false;
1032  } else if (stream_->IsResponseBodyComplete()) {
1033    done = true;
1034  }
1035
1036  if (done) {
1037    DidDrainBodyForAuthRestart(keep_alive);
1038  } else {
1039    // Keep draining.
1040    next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART;
1041  }
1042
1043  return OK;
1044}
1045
1046void HttpNetworkTransaction::LogTransactionConnectedMetrics() {
1047  if (logged_response_time_)
1048    return;
1049
1050  logged_response_time_ = true;
1051
1052  base::TimeDelta total_duration = response_.response_time - start_time_;
1053
1054  UMA_HISTOGRAM_CUSTOM_TIMES(
1055      "Net.Transaction_Connected",
1056      total_duration,
1057      base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
1058      100);
1059
1060  bool reused_socket = stream_->IsConnectionReused();
1061  if (!reused_socket) {
1062    UMA_HISTOGRAM_CUSTOM_TIMES(
1063        "Net.Transaction_Connected_New_b",
1064        total_duration,
1065        base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
1066        100);
1067  }
1068
1069  static const bool use_spdy_histogram =
1070      base::FieldTrialList::TrialExists("SpdyImpact");
1071  if (use_spdy_histogram && response_.was_npn_negotiated) {
1072    UMA_HISTOGRAM_CUSTOM_TIMES(
1073      base::FieldTrial::MakeName("Net.Transaction_Connected",
1074                                 "SpdyImpact"),
1075        total_duration, base::TimeDelta::FromMilliseconds(1),
1076        base::TimeDelta::FromMinutes(10), 100);
1077
1078    if (!reused_socket) {
1079      UMA_HISTOGRAM_CUSTOM_TIMES(
1080          base::FieldTrial::MakeName("Net.Transaction_Connected_New_b",
1081                                     "SpdyImpact"),
1082          total_duration, base::TimeDelta::FromMilliseconds(1),
1083          base::TimeDelta::FromMinutes(10), 100);
1084    }
1085  }
1086
1087  // Currently, non-HIGHEST priority requests are frame or sub-frame resource
1088  // types.  This will change when we also prioritize certain subresources like
1089  // css, js, etc.
1090  if (priority_ != HIGHEST) {
1091    UMA_HISTOGRAM_CUSTOM_TIMES(
1092        "Net.Priority_High_Latency_b",
1093        total_duration,
1094        base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
1095        100);
1096  } else {
1097    UMA_HISTOGRAM_CUSTOM_TIMES(
1098        "Net.Priority_Low_Latency_b",
1099        total_duration,
1100        base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
1101        100);
1102  }
1103}
1104
1105void HttpNetworkTransaction::LogTransactionMetrics() const {
1106  base::TimeDelta duration = base::Time::Now() -
1107                             response_.request_time;
1108  if (60 < duration.InMinutes())
1109    return;
1110
1111  base::TimeDelta total_duration = base::Time::Now() - start_time_;
1112
1113  UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_b", duration,
1114                             base::TimeDelta::FromMilliseconds(1),
1115                             base::TimeDelta::FromMinutes(10),
1116                             100);
1117  UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_Total",
1118                             total_duration,
1119                             base::TimeDelta::FromMilliseconds(1),
1120                             base::TimeDelta::FromMinutes(10), 100);
1121
1122  static const bool use_warm_socket_impact_histogram =
1123      base::FieldTrialList::TrialExists("WarmSocketImpact");
1124  if (use_warm_socket_impact_histogram) {
1125    UMA_HISTOGRAM_CUSTOM_TIMES(
1126        base::FieldTrial::MakeName("Net.Transaction_Latency_b",
1127                                   "WarmSocketImpact"),
1128        duration,
1129        base::TimeDelta::FromMilliseconds(1),
1130        base::TimeDelta::FromMinutes(10),
1131        100);
1132    UMA_HISTOGRAM_CUSTOM_TIMES(
1133        base::FieldTrial::MakeName("Net.Transaction_Latency_Total",
1134                                   "WarmSocketImpact"),
1135        total_duration,
1136        base::TimeDelta::FromMilliseconds(1),
1137        base::TimeDelta::FromMinutes(10), 100);
1138  }
1139
1140  if (!stream_->IsConnectionReused()) {
1141    UMA_HISTOGRAM_CUSTOM_TIMES(
1142        "Net.Transaction_Latency_Total_New_Connection",
1143        total_duration, base::TimeDelta::FromMilliseconds(1),
1144        base::TimeDelta::FromMinutes(10), 100);
1145  }
1146}
1147
1148int HttpNetworkTransaction::HandleCertificateRequest(int error) {
1149  // There are two paths through which the server can request a certificate
1150  // from us.  The first is during the initial handshake, the second is
1151  // during SSL renegotiation.
1152  //
1153  // In both cases, we want to close the connection before proceeding.
1154  // We do this for two reasons:
1155  //   First, we don't want to keep the connection to the server hung for a
1156  //   long time while the user selects a certificate.
1157  //   Second, even if we did keep the connection open, NSS has a bug where
1158  //   restarting the handshake for ClientAuth is currently broken.
1159  DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
1160
1161  if (stream_.get()) {
1162    // Since we already have a stream, we're being called as part of SSL
1163    // renegotiation.
1164    DCHECK(!stream_request_.get());
1165    stream_->Close(true);
1166    stream_.reset();
1167  }
1168
1169  // The server is asking for a client certificate during the initial
1170  // handshake.
1171  stream_request_.reset();
1172
1173  // If the user selected one of the certificates in client_certs or declined
1174  // to provide one for this server before, use the past decision
1175  // automatically.
1176  scoped_refptr<X509Certificate> client_cert;
1177  bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup(
1178      response_.cert_request_info->host_and_port, &client_cert);
1179  if (!found_cached_cert)
1180    return error;
1181
1182  // Check that the certificate selected is still a certificate the server
1183  // is likely to accept, based on the criteria supplied in the
1184  // CertificateRequest message.
1185  if (client_cert) {
1186    const std::vector<std::string>& cert_authorities =
1187        response_.cert_request_info->cert_authorities;
1188
1189    bool cert_still_valid = cert_authorities.empty() ||
1190        client_cert->IsIssuedByEncoded(cert_authorities);
1191    if (!cert_still_valid)
1192      return error;
1193  }
1194
1195  // TODO(davidben): Add a unit test which covers this path; we need to be
1196  // able to send a legitimate certificate and also bypass/clear the
1197  // SSL session cache.
1198  SSLConfig* ssl_config = response_.cert_request_info->is_proxy ?
1199      &proxy_ssl_config_ : &server_ssl_config_;
1200  ssl_config->send_client_cert = true;
1201  ssl_config->client_cert = client_cert;
1202  next_state_ = STATE_CREATE_STREAM;
1203  // Reset the other member variables.
1204  // Note: this is necessary only with SSL renegotiation.
1205  ResetStateForRestart();
1206  return OK;
1207}
1208
1209// TODO(rch): This does not correctly handle errors when an SSL proxy is
1210// being used, as all of the errors are handled as if they were generated
1211// by the endpoint host, request_->url, rather than considering if they were
1212// generated by the SSL proxy. http://crbug.com/69329
1213int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
1214  DCHECK(request_);
1215  if (server_ssl_config_.send_client_cert &&
1216      (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) {
1217    session_->ssl_client_auth_cache()->Remove(
1218        GetHostAndPort(request_->url));
1219  }
1220
1221  switch (error) {
1222    case ERR_SSL_PROTOCOL_ERROR:
1223    case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
1224      if (server_ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 &&
1225          server_ssl_config_.version_max > server_ssl_config_.version_min) {
1226        // This could be a TLS-intolerant server or a server that chose a
1227        // cipher suite defined only for higher protocol versions (such as
1228        // an SSL 3.0 server that chose a TLS-only cipher suite).  Fall
1229        // back to the next lower version and retry.
1230        // NOTE: if the SSLClientSocket class doesn't support TLS 1.1,
1231        // specifying TLS 1.1 in version_max will result in a TLS 1.0
1232        // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply
1233        // repeat the TLS 1.0 handshake. To avoid this problem, the default
1234        // version_max should match the maximum protocol version supported
1235        // by the SSLClientSocket class.
1236        uint16 version_before = server_ssl_config_.version_max;
1237        server_ssl_config_.version_max--;
1238        net_log_.AddEvent(
1239            NetLog::TYPE_SSL_VERSION_FALLBACK,
1240            base::Bind(&NetLogSSLVersionFallbackCallback,
1241                       &request_->url, error, version_before,
1242                       server_ssl_config_.version_max));
1243        server_ssl_config_.version_fallback = true;
1244        ResetConnectionAndRequestForResend();
1245        error = OK;
1246      }
1247      break;
1248    case ERR_SSL_DECOMPRESSION_FAILURE_ALERT:
1249    case ERR_SSL_BAD_RECORD_MAC_ALERT:
1250      if (server_ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 &&
1251          server_ssl_config_.version_min == SSL_PROTOCOL_VERSION_SSL3) {
1252        // This could be a server with buggy DEFLATE support. Turn off TLS,
1253        // DEFLATE support and retry.
1254        // TODO(wtc): turn off DEFLATE support only. Do not tie it to TLS.
1255        uint16 version_before = server_ssl_config_.version_max;
1256        server_ssl_config_.version_max = SSL_PROTOCOL_VERSION_SSL3;
1257        net_log_.AddEvent(
1258            NetLog::TYPE_SSL_VERSION_FALLBACK,
1259            base::Bind(&NetLogSSLVersionFallbackCallback,
1260                       &request_->url, error, version_before,
1261                       server_ssl_config_.version_max));
1262        server_ssl_config_.version_fallback = true;
1263        ResetConnectionAndRequestForResend();
1264        error = OK;
1265      }
1266      break;
1267  }
1268  return error;
1269}
1270
1271// This method determines whether it is safe to resend the request after an
1272// IO error.  It can only be called in response to request header or body
1273// write errors or response header read errors.  It should not be used in
1274// other cases, such as a Connect error.
1275int HttpNetworkTransaction::HandleIOError(int error) {
1276  // SSL errors may happen at any time during the stream and indicate issues
1277  // with the underlying connection. Because the peer may request
1278  // renegotiation at any time, check and handle any possible SSL handshake
1279  // related errors. In addition to renegotiation, TLS False Start may cause
1280  // SSL handshake errors (specifically servers with buggy DEFLATE support)
1281  // to be delayed until the first Read on the underlying connection.
1282  error = HandleSSLHandshakeError(error);
1283
1284  switch (error) {
1285    // If we try to reuse a connection that the server is in the process of
1286    // closing, we may end up successfully writing out our request (or a
1287    // portion of our request) only to find a connection error when we try to
1288    // read from (or finish writing to) the socket.
1289    case ERR_CONNECTION_RESET:
1290    case ERR_CONNECTION_CLOSED:
1291    case ERR_CONNECTION_ABORTED:
1292    // There can be a race between the socket pool checking checking whether a
1293    // socket is still connected, receiving the FIN, and sending/reading data
1294    // on a reused socket.  If we receive the FIN between the connectedness
1295    // check and writing/reading from the socket, we may first learn the socket
1296    // is disconnected when we get a ERR_SOCKET_NOT_CONNECTED.  This will most
1297    // likely happen when trying to retrieve its IP address.
1298    // See http://crbug.com/105824 for more details.
1299    case ERR_SOCKET_NOT_CONNECTED:
1300      if (ShouldResendRequest(error)) {
1301        net_log_.AddEventWithNetErrorCode(
1302            NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error);
1303        ResetConnectionAndRequestForResend();
1304        error = OK;
1305      }
1306      break;
1307    case ERR_PIPELINE_EVICTION:
1308      if (!session_->force_http_pipelining()) {
1309        net_log_.AddEventWithNetErrorCode(
1310            NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error);
1311        ResetConnectionAndRequestForResend();
1312        error = OK;
1313      }
1314      break;
1315    case ERR_SPDY_PING_FAILED:
1316    case ERR_SPDY_SERVER_REFUSED_STREAM:
1317      net_log_.AddEventWithNetErrorCode(
1318          NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error);
1319      ResetConnectionAndRequestForResend();
1320      error = OK;
1321      break;
1322  }
1323  return error;
1324}
1325
1326void HttpNetworkTransaction::ResetStateForRestart() {
1327  ResetStateForAuthRestart();
1328  stream_.reset();
1329}
1330
1331void HttpNetworkTransaction::ResetStateForAuthRestart() {
1332  send_start_time_ = base::TimeTicks();
1333  send_end_time_ = base::TimeTicks();
1334  receive_headers_end_ = base::TimeTicks();
1335
1336  pending_auth_target_ = HttpAuth::AUTH_NONE;
1337  read_buf_ = NULL;
1338  read_buf_len_ = 0;
1339  headers_valid_ = false;
1340  request_headers_.Clear();
1341  response_ = HttpResponseInfo();
1342  establishing_tunnel_ = false;
1343}
1344
1345HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const {
1346  return response_.headers;
1347}
1348
1349bool HttpNetworkTransaction::ShouldResendRequest(int error) const {
1350  bool connection_is_proven = stream_->IsConnectionReused();
1351  bool has_received_headers = GetResponseHeaders() != NULL;
1352
1353  // NOTE: we resend a request only if we reused a keep-alive connection.
1354  // This automatically prevents an infinite resend loop because we'll run
1355  // out of the cached keep-alive connections eventually.
1356  if (connection_is_proven && !has_received_headers)
1357    return true;
1358  return false;
1359}
1360
1361void HttpNetworkTransaction::ResetConnectionAndRequestForResend() {
1362  if (stream_.get()) {
1363    stream_->Close(true);
1364    stream_.reset();
1365  }
1366
1367  // We need to clear request_headers_ because it contains the real request
1368  // headers, but we may need to resend the CONNECT request first to recreate
1369  // the SSL tunnel.
1370  request_headers_.Clear();
1371  next_state_ = STATE_CREATE_STREAM;  // Resend the request.
1372}
1373
1374bool HttpNetworkTransaction::ShouldApplyProxyAuth() const {
1375  return !is_https_request() &&
1376      (proxy_info_.is_https() || proxy_info_.is_http());
1377}
1378
1379bool HttpNetworkTransaction::ShouldApplyServerAuth() const {
1380  return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA);
1381}
1382
1383int HttpNetworkTransaction::HandleAuthChallenge() {
1384  scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders());
1385  DCHECK(headers);
1386
1387  int status = headers->response_code();
1388  if (status != HTTP_UNAUTHORIZED &&
1389      status != HTTP_PROXY_AUTHENTICATION_REQUIRED)
1390    return OK;
1391  HttpAuth::Target target = status == HTTP_PROXY_AUTHENTICATION_REQUIRED ?
1392                            HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER;
1393  if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct())
1394    return ERR_UNEXPECTED_PROXY_AUTH;
1395
1396  // This case can trigger when an HTTPS server responds with a "Proxy
1397  // authentication required" status code through a non-authenticating
1398  // proxy.
1399  if (!auth_controllers_[target].get())
1400    return ERR_UNEXPECTED_PROXY_AUTH;
1401
1402  int rv = auth_controllers_[target]->HandleAuthChallenge(
1403      headers, (request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA) != 0, false,
1404      net_log_);
1405  if (auth_controllers_[target]->HaveAuthHandler())
1406      pending_auth_target_ = target;
1407
1408  scoped_refptr<AuthChallengeInfo> auth_info =
1409      auth_controllers_[target]->auth_info();
1410  if (auth_info.get())
1411      response_.auth_challenge = auth_info;
1412
1413  return rv;
1414}
1415
1416bool HttpNetworkTransaction::HaveAuth(HttpAuth::Target target) const {
1417  return auth_controllers_[target].get() &&
1418      auth_controllers_[target]->HaveAuth();
1419}
1420
1421GURL HttpNetworkTransaction::AuthURL(HttpAuth::Target target) const {
1422  switch (target) {
1423    case HttpAuth::AUTH_PROXY: {
1424      if (!proxy_info_.proxy_server().is_valid() ||
1425          proxy_info_.proxy_server().is_direct()) {
1426        return GURL();  // There is no proxy server.
1427      }
1428      const char* scheme = proxy_info_.is_https() ? "https://" : "http://";
1429      return GURL(scheme +
1430                  proxy_info_.proxy_server().host_port_pair().ToString());
1431    }
1432    case HttpAuth::AUTH_SERVER:
1433      return request_->url;
1434    default:
1435     return GURL();
1436  }
1437}
1438
1439#define STATE_CASE(s) \
1440  case s: \
1441    description = base::StringPrintf("%s (0x%08X)", #s, s); \
1442    break
1443
1444std::string HttpNetworkTransaction::DescribeState(State state) {
1445  std::string description;
1446  switch (state) {
1447    STATE_CASE(STATE_CREATE_STREAM);
1448    STATE_CASE(STATE_CREATE_STREAM_COMPLETE);
1449    STATE_CASE(STATE_INIT_REQUEST_BODY);
1450    STATE_CASE(STATE_INIT_REQUEST_BODY_COMPLETE);
1451    STATE_CASE(STATE_BUILD_REQUEST);
1452    STATE_CASE(STATE_BUILD_REQUEST_COMPLETE);
1453    STATE_CASE(STATE_SEND_REQUEST);
1454    STATE_CASE(STATE_SEND_REQUEST_COMPLETE);
1455    STATE_CASE(STATE_READ_HEADERS);
1456    STATE_CASE(STATE_READ_HEADERS_COMPLETE);
1457    STATE_CASE(STATE_READ_BODY);
1458    STATE_CASE(STATE_READ_BODY_COMPLETE);
1459    STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART);
1460    STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE);
1461    STATE_CASE(STATE_NONE);
1462    default:
1463      description = base::StringPrintf("Unknown state 0x%08X (%u)", state,
1464                                       state);
1465      break;
1466  }
1467  return description;
1468}
1469
1470#undef STATE_CASE
1471
1472}  // namespace net
1473