http_network_transaction.cc revision 3551c9c881056c480085172ff9840cab31610854
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/http/http_network_transaction.h" 6 7#include <set> 8#include <vector> 9 10#include "base/bind.h" 11#include "base/bind_helpers.h" 12#include "base/compiler_specific.h" 13#include "base/format_macros.h" 14#include "base/memory/scoped_ptr.h" 15#include "base/metrics/field_trial.h" 16#include "base/metrics/histogram.h" 17#include "base/metrics/stats_counters.h" 18#include "base/stl_util.h" 19#include "base/strings/string_number_conversions.h" 20#include "base/strings/string_util.h" 21#include "base/strings/stringprintf.h" 22#include "base/values.h" 23#include "build/build_config.h" 24#include "net/base/auth.h" 25#include "net/base/host_port_pair.h" 26#include "net/base/io_buffer.h" 27#include "net/base/load_flags.h" 28#include "net/base/load_timing_info.h" 29#include "net/base/net_errors.h" 30#include "net/base/net_util.h" 31#include "net/base/upload_data_stream.h" 32#include "net/http/http_auth.h" 33#include "net/http/http_auth_handler.h" 34#include "net/http/http_auth_handler_factory.h" 35#include "net/http/http_basic_stream.h" 36#include "net/http/http_chunked_decoder.h" 37#include "net/http/http_network_session.h" 38#include "net/http/http_proxy_client_socket.h" 39#include "net/http/http_proxy_client_socket_pool.h" 40#include "net/http/http_request_headers.h" 41#include "net/http/http_request_info.h" 42#include "net/http/http_response_headers.h" 43#include "net/http/http_response_info.h" 44#include "net/http/http_server_properties.h" 45#include "net/http/http_status_code.h" 46#include "net/http/http_stream_base.h" 47#include "net/http/http_stream_factory.h" 48#include "net/http/http_util.h" 49#include "net/http/transport_security_state.h" 50#include "net/http/url_security_manager.h" 51#include "net/socket/client_socket_factory.h" 52#include "net/socket/socks_client_socket_pool.h" 53#include "net/socket/ssl_client_socket.h" 54#include "net/socket/ssl_client_socket_pool.h" 55#include "net/socket/transport_client_socket_pool.h" 56#include "net/spdy/spdy_http_stream.h" 57#include "net/spdy/spdy_session.h" 58#include "net/spdy/spdy_session_pool.h" 59#include "net/ssl/ssl_cert_request_info.h" 60#include "net/ssl/ssl_connection_status_flags.h" 61#include "url/gurl.h" 62 63using base::Time; 64 65namespace net { 66 67namespace { 68 69void ProcessAlternateProtocol( 70 HttpStreamFactory* factory, 71 const base::WeakPtr<HttpServerProperties>& http_server_properties, 72 const HttpResponseHeaders& headers, 73 const HostPortPair& http_host_port_pair) { 74 std::string alternate_protocol_str; 75 76 if (!headers.EnumerateHeader(NULL, kAlternateProtocolHeader, 77 &alternate_protocol_str)) { 78 // Header is not present. 79 return; 80 } 81 82 factory->ProcessAlternateProtocol(http_server_properties, 83 alternate_protocol_str, 84 http_host_port_pair); 85} 86 87// Returns true if |error| is a client certificate authentication error. 88bool IsClientCertificateError(int error) { 89 switch (error) { 90 case ERR_BAD_SSL_CLIENT_AUTH_CERT: 91 case ERR_SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED: 92 case ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY: 93 case ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: 94 return true; 95 default: 96 return false; 97 } 98} 99 100base::Value* NetLogSSLVersionFallbackCallback( 101 const GURL* url, 102 int net_error, 103 uint16 version_before, 104 uint16 version_after, 105 NetLog::LogLevel /* log_level */) { 106 base::DictionaryValue* dict = new base::DictionaryValue(); 107 dict->SetString("host_and_port", GetHostAndPort(*url)); 108 dict->SetInteger("net_error", net_error); 109 dict->SetInteger("version_before", version_before); 110 dict->SetInteger("version_after", version_after); 111 return dict; 112} 113 114} // namespace 115 116//----------------------------------------------------------------------------- 117 118HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority, 119 HttpNetworkSession* session) 120 : pending_auth_target_(HttpAuth::AUTH_NONE), 121 io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete, 122 base::Unretained(this))), 123 session_(session), 124 request_(NULL), 125 priority_(priority), 126 headers_valid_(false), 127 logged_response_time_(false), 128 request_headers_(), 129 read_buf_len_(0), 130 next_state_(STATE_NONE), 131 establishing_tunnel_(false) { 132 session->ssl_config_service()->GetSSLConfig(&server_ssl_config_); 133 if (session->http_stream_factory()->has_next_protos()) { 134 server_ssl_config_.next_protos = 135 session->http_stream_factory()->next_protos(); 136 } 137 proxy_ssl_config_ = server_ssl_config_; 138} 139 140HttpNetworkTransaction::~HttpNetworkTransaction() { 141 if (stream_.get()) { 142 HttpResponseHeaders* headers = GetResponseHeaders(); 143 // TODO(mbelshe): The stream_ should be able to compute whether or not the 144 // stream should be kept alive. No reason to compute here 145 // and pass it in. 146 bool try_to_keep_alive = 147 next_state_ == STATE_NONE && 148 stream_->CanFindEndOfResponse() && 149 (!headers || headers->IsKeepAlive()); 150 if (!try_to_keep_alive) { 151 stream_->Close(true /* not reusable */); 152 } else { 153 if (stream_->IsResponseBodyComplete()) { 154 // If the response body is complete, we can just reuse the socket. 155 stream_->Close(false /* reusable */); 156 } else if (stream_->IsSpdyHttpStream()) { 157 // Doesn't really matter for SpdyHttpStream. Just close it. 158 stream_->Close(true /* not reusable */); 159 } else { 160 // Otherwise, we try to drain the response body. 161 HttpStreamBase* stream = stream_.release(); 162 stream->Drain(session_.get()); 163 } 164 } 165 } 166} 167 168int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info, 169 const CompletionCallback& callback, 170 const BoundNetLog& net_log) { 171 SIMPLE_STATS_COUNTER("HttpNetworkTransaction.Count"); 172 173 net_log_ = net_log; 174 request_ = request_info; 175 start_time_ = base::Time::Now(); 176 177 if (request_->load_flags & LOAD_DISABLE_CERT_REVOCATION_CHECKING) { 178 server_ssl_config_.rev_checking_enabled = false; 179 proxy_ssl_config_.rev_checking_enabled = false; 180 } 181 182 // Channel ID is enabled unless --disable-tls-channel-id flag is set, 183 // or if privacy mode is enabled. 184 bool channel_id_enabled = server_ssl_config_.channel_id_enabled && 185 (request_->privacy_mode == kPrivacyModeDisabled); 186 server_ssl_config_.channel_id_enabled = channel_id_enabled; 187 188 next_state_ = STATE_CREATE_STREAM; 189 int rv = DoLoop(OK); 190 if (rv == ERR_IO_PENDING) 191 callback_ = callback; 192 return rv; 193} 194 195int HttpNetworkTransaction::RestartIgnoringLastError( 196 const CompletionCallback& callback) { 197 DCHECK(!stream_.get()); 198 DCHECK(!stream_request_.get()); 199 DCHECK_EQ(STATE_NONE, next_state_); 200 201 next_state_ = STATE_CREATE_STREAM; 202 203 int rv = DoLoop(OK); 204 if (rv == ERR_IO_PENDING) 205 callback_ = callback; 206 return rv; 207} 208 209int HttpNetworkTransaction::RestartWithCertificate( 210 X509Certificate* client_cert, const CompletionCallback& callback) { 211 // In HandleCertificateRequest(), we always tear down existing stream 212 // requests to force a new connection. So we shouldn't have one here. 213 DCHECK(!stream_request_.get()); 214 DCHECK(!stream_.get()); 215 DCHECK_EQ(STATE_NONE, next_state_); 216 217 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 218 &proxy_ssl_config_ : &server_ssl_config_; 219 ssl_config->send_client_cert = true; 220 ssl_config->client_cert = client_cert; 221 session_->ssl_client_auth_cache()->Add( 222 response_.cert_request_info->host_and_port, client_cert); 223 // Reset the other member variables. 224 // Note: this is necessary only with SSL renegotiation. 225 ResetStateForRestart(); 226 next_state_ = STATE_CREATE_STREAM; 227 int rv = DoLoop(OK); 228 if (rv == ERR_IO_PENDING) 229 callback_ = callback; 230 return rv; 231} 232 233int HttpNetworkTransaction::RestartWithAuth( 234 const AuthCredentials& credentials, const CompletionCallback& callback) { 235 HttpAuth::Target target = pending_auth_target_; 236 if (target == HttpAuth::AUTH_NONE) { 237 NOTREACHED(); 238 return ERR_UNEXPECTED; 239 } 240 pending_auth_target_ = HttpAuth::AUTH_NONE; 241 242 auth_controllers_[target]->ResetAuth(credentials); 243 244 DCHECK(callback_.is_null()); 245 246 int rv = OK; 247 if (target == HttpAuth::AUTH_PROXY && establishing_tunnel_) { 248 // In this case, we've gathered credentials for use with proxy 249 // authentication of a tunnel. 250 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 251 DCHECK(stream_request_ != NULL); 252 auth_controllers_[target] = NULL; 253 ResetStateForRestart(); 254 rv = stream_request_->RestartTunnelWithProxyAuth(credentials); 255 } else { 256 // In this case, we've gathered credentials for the server or the proxy 257 // but it is not during the tunneling phase. 258 DCHECK(stream_request_ == NULL); 259 PrepareForAuthRestart(target); 260 rv = DoLoop(OK); 261 } 262 263 if (rv == ERR_IO_PENDING) 264 callback_ = callback; 265 return rv; 266} 267 268void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) { 269 DCHECK(HaveAuth(target)); 270 DCHECK(!stream_request_.get()); 271 272 bool keep_alive = false; 273 // Even if the server says the connection is keep-alive, we have to be 274 // able to find the end of each response in order to reuse the connection. 275 if (GetResponseHeaders()->IsKeepAlive() && 276 stream_->CanFindEndOfResponse()) { 277 // If the response body hasn't been completely read, we need to drain 278 // it first. 279 if (!stream_->IsResponseBodyComplete()) { 280 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 281 read_buf_ = new IOBuffer(kDrainBodyBufferSize); // A bit bucket. 282 read_buf_len_ = kDrainBodyBufferSize; 283 return; 284 } 285 keep_alive = true; 286 } 287 288 // We don't need to drain the response body, so we act as if we had drained 289 // the response body. 290 DidDrainBodyForAuthRestart(keep_alive); 291} 292 293void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) { 294 DCHECK(!stream_request_.get()); 295 296 if (stream_.get()) { 297 HttpStream* new_stream = NULL; 298 if (keep_alive && stream_->IsConnectionReusable()) { 299 // We should call connection_->set_idle_time(), but this doesn't occur 300 // often enough to be worth the trouble. 301 stream_->SetConnectionReused(); 302 new_stream = 303 static_cast<HttpStream*>(stream_.get())->RenewStreamForAuth(); 304 } 305 306 if (!new_stream) { 307 // Close the stream and mark it as not_reusable. Even in the 308 // keep_alive case, we've determined that the stream_ is not 309 // reusable if new_stream is NULL. 310 stream_->Close(true); 311 next_state_ = STATE_CREATE_STREAM; 312 } else { 313 next_state_ = STATE_INIT_STREAM; 314 } 315 stream_.reset(new_stream); 316 } 317 318 // Reset the other member variables. 319 ResetStateForAuthRestart(); 320} 321 322bool HttpNetworkTransaction::IsReadyToRestartForAuth() { 323 return pending_auth_target_ != HttpAuth::AUTH_NONE && 324 HaveAuth(pending_auth_target_); 325} 326 327int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len, 328 const CompletionCallback& callback) { 329 DCHECK(buf); 330 DCHECK_LT(0, buf_len); 331 332 State next_state = STATE_NONE; 333 334 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 335 if (headers_valid_ && headers.get() && stream_request_.get()) { 336 // We're trying to read the body of the response but we're still trying 337 // to establish an SSL tunnel through an HTTP proxy. We can't read these 338 // bytes when establishing a tunnel because they might be controlled by 339 // an active network attacker. We don't worry about this for HTTP 340 // because an active network attacker can already control HTTP sessions. 341 // We reach this case when the user cancels a 407 proxy auth prompt. We 342 // also don't worry about this for an HTTPS Proxy, because the 343 // communication with the proxy is secure. 344 // See http://crbug.com/8473. 345 DCHECK(proxy_info_.is_http() || proxy_info_.is_https()); 346 DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED); 347 LOG(WARNING) << "Blocked proxy response with status " 348 << headers->response_code() << " to CONNECT request for " 349 << GetHostAndPort(request_->url) << "."; 350 return ERR_TUNNEL_CONNECTION_FAILED; 351 } 352 353 // Are we using SPDY or HTTP? 354 next_state = STATE_READ_BODY; 355 356 read_buf_ = buf; 357 read_buf_len_ = buf_len; 358 359 next_state_ = next_state; 360 int rv = DoLoop(OK); 361 if (rv == ERR_IO_PENDING) 362 callback_ = callback; 363 return rv; 364} 365 366bool HttpNetworkTransaction::GetFullRequestHeaders( 367 HttpRequestHeaders* headers) const { 368 // TODO(ttuttle): Make sure we've populated request_headers_. 369 *headers = request_headers_; 370 return true; 371} 372 373const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const { 374 return ((headers_valid_ && response_.headers.get()) || 375 response_.ssl_info.cert.get() || response_.cert_request_info.get()) 376 ? &response_ 377 : NULL; 378} 379 380LoadState HttpNetworkTransaction::GetLoadState() const { 381 // TODO(wtc): Define a new LoadState value for the 382 // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request. 383 switch (next_state_) { 384 case STATE_CREATE_STREAM_COMPLETE: 385 return stream_request_->GetLoadState(); 386 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 387 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 388 case STATE_SEND_REQUEST_COMPLETE: 389 return LOAD_STATE_SENDING_REQUEST; 390 case STATE_READ_HEADERS_COMPLETE: 391 return LOAD_STATE_WAITING_FOR_RESPONSE; 392 case STATE_READ_BODY_COMPLETE: 393 return LOAD_STATE_READING_RESPONSE; 394 default: 395 return LOAD_STATE_IDLE; 396 } 397} 398 399UploadProgress HttpNetworkTransaction::GetUploadProgress() const { 400 if (!stream_.get()) 401 return UploadProgress(); 402 403 // TODO(bashi): This cast is temporary. Remove later. 404 return static_cast<HttpStream*>(stream_.get())->GetUploadProgress(); 405} 406 407bool HttpNetworkTransaction::GetLoadTimingInfo( 408 LoadTimingInfo* load_timing_info) const { 409 if (!stream_ || !stream_->GetLoadTimingInfo(load_timing_info)) 410 return false; 411 412 load_timing_info->proxy_resolve_start = 413 proxy_info_.proxy_resolve_start_time(); 414 load_timing_info->proxy_resolve_end = proxy_info_.proxy_resolve_end_time(); 415 load_timing_info->send_start = send_start_time_; 416 load_timing_info->send_end = send_end_time_; 417 return true; 418} 419 420void HttpNetworkTransaction::SetPriority(RequestPriority priority) { 421 priority_ = priority; 422 if (stream_request_) 423 stream_request_->SetPriority(priority); 424 if (stream_) 425 stream_->SetPriority(priority); 426} 427 428void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config, 429 const ProxyInfo& used_proxy_info, 430 HttpStreamBase* stream) { 431 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 432 DCHECK(stream_request_.get()); 433 434 stream_.reset(stream); 435 server_ssl_config_ = used_ssl_config; 436 proxy_info_ = used_proxy_info; 437 response_.was_npn_negotiated = stream_request_->was_npn_negotiated(); 438 response_.npn_negotiated_protocol = SSLClientSocket::NextProtoToString( 439 stream_request_->protocol_negotiated()); 440 response_.was_fetched_via_spdy = stream_request_->using_spdy(); 441 response_.was_fetched_via_proxy = !proxy_info_.is_direct(); 442 443 OnIOComplete(OK); 444} 445 446void HttpNetworkTransaction::OnWebSocketStreamReady( 447 const SSLConfig& used_ssl_config, 448 const ProxyInfo& used_proxy_info, 449 WebSocketStreamBase* stream) { 450 NOTREACHED() << "This function should never be called."; 451} 452 453void HttpNetworkTransaction::OnStreamFailed(int result, 454 const SSLConfig& used_ssl_config) { 455 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 456 DCHECK_NE(OK, result); 457 DCHECK(stream_request_.get()); 458 DCHECK(!stream_.get()); 459 server_ssl_config_ = used_ssl_config; 460 461 OnIOComplete(result); 462} 463 464void HttpNetworkTransaction::OnCertificateError( 465 int result, 466 const SSLConfig& used_ssl_config, 467 const SSLInfo& ssl_info) { 468 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 469 DCHECK_NE(OK, result); 470 DCHECK(stream_request_.get()); 471 DCHECK(!stream_.get()); 472 473 response_.ssl_info = ssl_info; 474 server_ssl_config_ = used_ssl_config; 475 476 // TODO(mbelshe): For now, we're going to pass the error through, and that 477 // will close the stream_request in all cases. This means that we're always 478 // going to restart an entire STATE_CREATE_STREAM, even if the connection is 479 // good and the user chooses to ignore the error. This is not ideal, but not 480 // the end of the world either. 481 482 OnIOComplete(result); 483} 484 485void HttpNetworkTransaction::OnNeedsProxyAuth( 486 const HttpResponseInfo& proxy_response, 487 const SSLConfig& used_ssl_config, 488 const ProxyInfo& used_proxy_info, 489 HttpAuthController* auth_controller) { 490 DCHECK(stream_request_.get()); 491 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 492 493 establishing_tunnel_ = true; 494 response_.headers = proxy_response.headers; 495 response_.auth_challenge = proxy_response.auth_challenge; 496 headers_valid_ = true; 497 server_ssl_config_ = used_ssl_config; 498 proxy_info_ = used_proxy_info; 499 500 auth_controllers_[HttpAuth::AUTH_PROXY] = auth_controller; 501 pending_auth_target_ = HttpAuth::AUTH_PROXY; 502 503 DoCallback(OK); 504} 505 506void HttpNetworkTransaction::OnNeedsClientAuth( 507 const SSLConfig& used_ssl_config, 508 SSLCertRequestInfo* cert_info) { 509 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 510 511 server_ssl_config_ = used_ssl_config; 512 response_.cert_request_info = cert_info; 513 OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 514} 515 516void HttpNetworkTransaction::OnHttpsProxyTunnelResponse( 517 const HttpResponseInfo& response_info, 518 const SSLConfig& used_ssl_config, 519 const ProxyInfo& used_proxy_info, 520 HttpStreamBase* stream) { 521 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 522 523 headers_valid_ = true; 524 response_ = response_info; 525 server_ssl_config_ = used_ssl_config; 526 proxy_info_ = used_proxy_info; 527 stream_.reset(stream); 528 stream_request_.reset(); // we're done with the stream request 529 OnIOComplete(ERR_HTTPS_PROXY_TUNNEL_RESPONSE); 530} 531 532bool HttpNetworkTransaction::is_https_request() const { 533 return request_->url.SchemeIs("https"); 534} 535 536void HttpNetworkTransaction::DoCallback(int rv) { 537 DCHECK_NE(rv, ERR_IO_PENDING); 538 DCHECK(!callback_.is_null()); 539 540 // Since Run may result in Read being called, clear user_callback_ up front. 541 CompletionCallback c = callback_; 542 callback_.Reset(); 543 c.Run(rv); 544} 545 546void HttpNetworkTransaction::OnIOComplete(int result) { 547 int rv = DoLoop(result); 548 if (rv != ERR_IO_PENDING) 549 DoCallback(rv); 550} 551 552int HttpNetworkTransaction::DoLoop(int result) { 553 DCHECK(next_state_ != STATE_NONE); 554 555 int rv = result; 556 do { 557 State state = next_state_; 558 next_state_ = STATE_NONE; 559 switch (state) { 560 case STATE_CREATE_STREAM: 561 DCHECK_EQ(OK, rv); 562 rv = DoCreateStream(); 563 break; 564 case STATE_CREATE_STREAM_COMPLETE: 565 rv = DoCreateStreamComplete(rv); 566 break; 567 case STATE_INIT_STREAM: 568 DCHECK_EQ(OK, rv); 569 rv = DoInitStream(); 570 break; 571 case STATE_INIT_STREAM_COMPLETE: 572 rv = DoInitStreamComplete(rv); 573 break; 574 case STATE_GENERATE_PROXY_AUTH_TOKEN: 575 DCHECK_EQ(OK, rv); 576 rv = DoGenerateProxyAuthToken(); 577 break; 578 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 579 rv = DoGenerateProxyAuthTokenComplete(rv); 580 break; 581 case STATE_GENERATE_SERVER_AUTH_TOKEN: 582 DCHECK_EQ(OK, rv); 583 rv = DoGenerateServerAuthToken(); 584 break; 585 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 586 rv = DoGenerateServerAuthTokenComplete(rv); 587 break; 588 case STATE_INIT_REQUEST_BODY: 589 DCHECK_EQ(OK, rv); 590 rv = DoInitRequestBody(); 591 break; 592 case STATE_INIT_REQUEST_BODY_COMPLETE: 593 rv = DoInitRequestBodyComplete(rv); 594 break; 595 case STATE_BUILD_REQUEST: 596 DCHECK_EQ(OK, rv); 597 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST); 598 rv = DoBuildRequest(); 599 break; 600 case STATE_BUILD_REQUEST_COMPLETE: 601 rv = DoBuildRequestComplete(rv); 602 break; 603 case STATE_SEND_REQUEST: 604 DCHECK_EQ(OK, rv); 605 rv = DoSendRequest(); 606 break; 607 case STATE_SEND_REQUEST_COMPLETE: 608 rv = DoSendRequestComplete(rv); 609 net_log_.EndEventWithNetErrorCode( 610 NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, rv); 611 break; 612 case STATE_READ_HEADERS: 613 DCHECK_EQ(OK, rv); 614 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS); 615 rv = DoReadHeaders(); 616 break; 617 case STATE_READ_HEADERS_COMPLETE: 618 rv = DoReadHeadersComplete(rv); 619 net_log_.EndEventWithNetErrorCode( 620 NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS, rv); 621 break; 622 case STATE_READ_BODY: 623 DCHECK_EQ(OK, rv); 624 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_BODY); 625 rv = DoReadBody(); 626 break; 627 case STATE_READ_BODY_COMPLETE: 628 rv = DoReadBodyComplete(rv); 629 net_log_.EndEventWithNetErrorCode( 630 NetLog::TYPE_HTTP_TRANSACTION_READ_BODY, rv); 631 break; 632 case STATE_DRAIN_BODY_FOR_AUTH_RESTART: 633 DCHECK_EQ(OK, rv); 634 net_log_.BeginEvent( 635 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART); 636 rv = DoDrainBodyForAuthRestart(); 637 break; 638 case STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE: 639 rv = DoDrainBodyForAuthRestartComplete(rv); 640 net_log_.EndEventWithNetErrorCode( 641 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART, rv); 642 break; 643 default: 644 NOTREACHED() << "bad state"; 645 rv = ERR_FAILED; 646 break; 647 } 648 } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE); 649 650 return rv; 651} 652 653int HttpNetworkTransaction::DoCreateStream() { 654 next_state_ = STATE_CREATE_STREAM_COMPLETE; 655 656 stream_request_.reset( 657 session_->http_stream_factory()->RequestStream( 658 *request_, 659 priority_, 660 server_ssl_config_, 661 proxy_ssl_config_, 662 this, 663 net_log_)); 664 DCHECK(stream_request_.get()); 665 return ERR_IO_PENDING; 666} 667 668int HttpNetworkTransaction::DoCreateStreamComplete(int result) { 669 if (result == OK) { 670 next_state_ = STATE_INIT_STREAM; 671 DCHECK(stream_.get()); 672 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 673 result = HandleCertificateRequest(result); 674 } else if (result == ERR_HTTPS_PROXY_TUNNEL_RESPONSE) { 675 // Return OK and let the caller read the proxy's error page 676 next_state_ = STATE_NONE; 677 return OK; 678 } 679 680 // Handle possible handshake errors that may have occurred if the stream 681 // used SSL for one or more of the layers. 682 result = HandleSSLHandshakeError(result); 683 684 // At this point we are done with the stream_request_. 685 stream_request_.reset(); 686 return result; 687} 688 689int HttpNetworkTransaction::DoInitStream() { 690 DCHECK(stream_.get()); 691 next_state_ = STATE_INIT_STREAM_COMPLETE; 692 return stream_->InitializeStream(request_, priority_, net_log_, io_callback_); 693} 694 695int HttpNetworkTransaction::DoInitStreamComplete(int result) { 696 if (result == OK) { 697 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 698 } else { 699 if (result < 0) 700 result = HandleIOError(result); 701 702 // The stream initialization failed, so this stream will never be useful. 703 stream_.reset(); 704 } 705 706 return result; 707} 708 709int HttpNetworkTransaction::DoGenerateProxyAuthToken() { 710 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE; 711 if (!ShouldApplyProxyAuth()) 712 return OK; 713 HttpAuth::Target target = HttpAuth::AUTH_PROXY; 714 if (!auth_controllers_[target].get()) 715 auth_controllers_[target] = 716 new HttpAuthController(target, 717 AuthURL(target), 718 session_->http_auth_cache(), 719 session_->http_auth_handler_factory()); 720 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 721 io_callback_, 722 net_log_); 723} 724 725int HttpNetworkTransaction::DoGenerateProxyAuthTokenComplete(int rv) { 726 DCHECK_NE(ERR_IO_PENDING, rv); 727 if (rv == OK) 728 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN; 729 return rv; 730} 731 732int HttpNetworkTransaction::DoGenerateServerAuthToken() { 733 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE; 734 HttpAuth::Target target = HttpAuth::AUTH_SERVER; 735 if (!auth_controllers_[target].get()) 736 auth_controllers_[target] = 737 new HttpAuthController(target, 738 AuthURL(target), 739 session_->http_auth_cache(), 740 session_->http_auth_handler_factory()); 741 if (!ShouldApplyServerAuth()) 742 return OK; 743 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 744 io_callback_, 745 net_log_); 746} 747 748int HttpNetworkTransaction::DoGenerateServerAuthTokenComplete(int rv) { 749 DCHECK_NE(ERR_IO_PENDING, rv); 750 if (rv == OK) 751 next_state_ = STATE_INIT_REQUEST_BODY; 752 return rv; 753} 754 755void HttpNetworkTransaction::BuildRequestHeaders(bool using_proxy) { 756 request_headers_.SetHeader(HttpRequestHeaders::kHost, 757 GetHostAndOptionalPort(request_->url)); 758 759 // For compat with HTTP/1.0 servers and proxies: 760 if (using_proxy) { 761 request_headers_.SetHeader(HttpRequestHeaders::kProxyConnection, 762 "keep-alive"); 763 } else { 764 request_headers_.SetHeader(HttpRequestHeaders::kConnection, "keep-alive"); 765 } 766 767 // Add a content length header? 768 if (request_->upload_data_stream) { 769 if (request_->upload_data_stream->is_chunked()) { 770 request_headers_.SetHeader( 771 HttpRequestHeaders::kTransferEncoding, "chunked"); 772 } else { 773 request_headers_.SetHeader( 774 HttpRequestHeaders::kContentLength, 775 base::Uint64ToString(request_->upload_data_stream->size())); 776 } 777 } else if (request_->method == "POST" || request_->method == "PUT" || 778 request_->method == "HEAD") { 779 // An empty POST/PUT request still needs a content length. As for HEAD, 780 // IE and Safari also add a content length header. Presumably it is to 781 // support sending a HEAD request to an URL that only expects to be sent a 782 // POST or some other method that normally would have a message body. 783 request_headers_.SetHeader(HttpRequestHeaders::kContentLength, "0"); 784 } 785 786 // Honor load flags that impact proxy caches. 787 if (request_->load_flags & LOAD_BYPASS_CACHE) { 788 request_headers_.SetHeader(HttpRequestHeaders::kPragma, "no-cache"); 789 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "no-cache"); 790 } else if (request_->load_flags & LOAD_VALIDATE_CACHE) { 791 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "max-age=0"); 792 } 793 794 if (ShouldApplyProxyAuth() && HaveAuth(HttpAuth::AUTH_PROXY)) 795 auth_controllers_[HttpAuth::AUTH_PROXY]->AddAuthorizationHeader( 796 &request_headers_); 797 if (ShouldApplyServerAuth() && HaveAuth(HttpAuth::AUTH_SERVER)) 798 auth_controllers_[HttpAuth::AUTH_SERVER]->AddAuthorizationHeader( 799 &request_headers_); 800 801 request_headers_.MergeFrom(request_->extra_headers); 802 response_.did_use_http_auth = 803 request_headers_.HasHeader(HttpRequestHeaders::kAuthorization) || 804 request_headers_.HasHeader(HttpRequestHeaders::kProxyAuthorization); 805} 806 807int HttpNetworkTransaction::DoInitRequestBody() { 808 next_state_ = STATE_INIT_REQUEST_BODY_COMPLETE; 809 int rv = OK; 810 if (request_->upload_data_stream) 811 rv = request_->upload_data_stream->Init(io_callback_); 812 return rv; 813} 814 815int HttpNetworkTransaction::DoInitRequestBodyComplete(int result) { 816 if (result == OK) 817 next_state_ = STATE_BUILD_REQUEST; 818 return result; 819} 820 821int HttpNetworkTransaction::DoBuildRequest() { 822 next_state_ = STATE_BUILD_REQUEST_COMPLETE; 823 headers_valid_ = false; 824 825 // This is constructed lazily (instead of within our Start method), so that 826 // we have proxy info available. 827 if (request_headers_.IsEmpty()) { 828 bool using_proxy = (proxy_info_.is_http() || proxy_info_.is_https()) && 829 !is_https_request(); 830 BuildRequestHeaders(using_proxy); 831 } 832 833 return OK; 834} 835 836int HttpNetworkTransaction::DoBuildRequestComplete(int result) { 837 if (result == OK) 838 next_state_ = STATE_SEND_REQUEST; 839 return result; 840} 841 842int HttpNetworkTransaction::DoSendRequest() { 843 send_start_time_ = base::TimeTicks::Now(); 844 next_state_ = STATE_SEND_REQUEST_COMPLETE; 845 846 return stream_->SendRequest(request_headers_, &response_, io_callback_); 847} 848 849int HttpNetworkTransaction::DoSendRequestComplete(int result) { 850 send_end_time_ = base::TimeTicks::Now(); 851 if (result < 0) 852 return HandleIOError(result); 853 response_.network_accessed = true; 854 next_state_ = STATE_READ_HEADERS; 855 return OK; 856} 857 858int HttpNetworkTransaction::DoReadHeaders() { 859 next_state_ = STATE_READ_HEADERS_COMPLETE; 860 return stream_->ReadResponseHeaders(io_callback_); 861} 862 863int HttpNetworkTransaction::HandleConnectionClosedBeforeEndOfHeaders() { 864 if (!response_.headers.get() && !stream_->IsConnectionReused()) { 865 // The connection was closed before any data was sent. Likely an error 866 // rather than empty HTTP/0.9 response. 867 return ERR_EMPTY_RESPONSE; 868 } 869 870 return OK; 871} 872 873int HttpNetworkTransaction::DoReadHeadersComplete(int result) { 874 // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here 875 // due to SSL renegotiation. 876 if (IsCertificateError(result)) { 877 // We don't handle a certificate error during SSL renegotiation, so we 878 // have to return an error that's not in the certificate error range 879 // (-2xx). 880 LOG(ERROR) << "Got a server certificate with error " << result 881 << " during SSL renegotiation"; 882 result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION; 883 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 884 // TODO(wtc): Need a test case for this code path! 885 DCHECK(stream_.get()); 886 DCHECK(is_https_request()); 887 response_.cert_request_info = new SSLCertRequestInfo; 888 stream_->GetSSLCertRequestInfo(response_.cert_request_info.get()); 889 result = HandleCertificateRequest(result); 890 if (result == OK) 891 return result; 892 } 893 894 if (result < 0 && result != ERR_CONNECTION_CLOSED) 895 return HandleIOError(result); 896 897 if (result == ERR_CONNECTION_CLOSED && ShouldResendRequest(result)) { 898 ResetConnectionAndRequestForResend(); 899 return OK; 900 } 901 902 // After we call RestartWithAuth a new response_time will be recorded, and 903 // we need to be cautious about incorrectly logging the duration across the 904 // authentication activity. 905 if (result == OK) 906 LogTransactionConnectedMetrics(); 907 908 if (result == ERR_CONNECTION_CLOSED) { 909 // For now, if we get at least some data, we do the best we can to make 910 // sense of it and send it back up the stack. 911 int rv = HandleConnectionClosedBeforeEndOfHeaders(); 912 if (rv != OK) 913 return rv; 914 } 915 DCHECK(response_.headers.get()); 916 917 // Server-induced fallback is supported only if this is a PAC configured 918 // proxy. See: http://crbug.com/143712 919 if (response_.was_fetched_via_proxy && proxy_info_.did_use_pac_script() && 920 response_.headers.get() != NULL) { 921 bool should_fallback = 922 response_.headers->HasHeaderValue("connection", "proxy-bypass"); 923 // Additionally, fallback if a 500 is returned via the data reduction proxy. 924 // This is conservative, as the 500 might have been generated by the origin, 925 // and not the proxy. 926#if defined(SPDY_PROXY_AUTH_ORIGIN) 927 if (!should_fallback) { 928 should_fallback = 929 response_.headers->response_code() == HTTP_INTERNAL_SERVER_ERROR && 930 proxy_info_.proxy_server().host_port_pair().Equals( 931 HostPortPair::FromURL(GURL(SPDY_PROXY_AUTH_ORIGIN))); 932 } 933#endif 934 if (should_fallback) { 935 ProxyService* proxy_service = session_->proxy_service(); 936 if (proxy_service->MarkProxyAsBad(proxy_info_, net_log_)) { 937 // Only retry in the case of GETs. We don't want to resubmit a POST 938 // if the proxy took some action. 939 if (request_->method == "GET") { 940 ResetConnectionAndRequestForResend(); 941 return OK; 942 } 943 } 944 } 945 } 946 947 // Like Net.HttpResponseCode, but only for MAIN_FRAME loads. 948 if (request_->load_flags & LOAD_MAIN_FRAME) { 949 const int response_code = response_.headers->response_code(); 950 UMA_HISTOGRAM_ENUMERATION( 951 "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10); 952 } 953 954 net_log_.AddEvent( 955 NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS, 956 base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers)); 957 958 if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) { 959 // HTTP/0.9 doesn't support the PUT method, so lack of response headers 960 // indicates a buggy server. See: 961 // https://bugzilla.mozilla.org/show_bug.cgi?id=193921 962 if (request_->method == "PUT") 963 return ERR_METHOD_NOT_SUPPORTED; 964 } 965 966 // Check for an intermediate 100 Continue response. An origin server is 967 // allowed to send this response even if we didn't ask for it, so we just 968 // need to skip over it. 969 // We treat any other 1xx in this same way (although in practice getting 970 // a 1xx that isn't a 100 is rare). 971 if (response_.headers->response_code() / 100 == 1) { 972 response_.headers = new HttpResponseHeaders(std::string()); 973 next_state_ = STATE_READ_HEADERS; 974 return OK; 975 } 976 977 HostPortPair endpoint = HostPortPair(request_->url.HostNoBrackets(), 978 request_->url.EffectiveIntPort()); 979 ProcessAlternateProtocol(session_->http_stream_factory(), 980 session_->http_server_properties(), 981 *response_.headers.get(), 982 endpoint); 983 984 int rv = HandleAuthChallenge(); 985 if (rv != OK) 986 return rv; 987 988 if (is_https_request()) 989 stream_->GetSSLInfo(&response_.ssl_info); 990 991 headers_valid_ = true; 992 return OK; 993} 994 995int HttpNetworkTransaction::DoReadBody() { 996 DCHECK(read_buf_.get()); 997 DCHECK_GT(read_buf_len_, 0); 998 DCHECK(stream_ != NULL); 999 1000 next_state_ = STATE_READ_BODY_COMPLETE; 1001 return stream_->ReadResponseBody( 1002 read_buf_.get(), read_buf_len_, io_callback_); 1003} 1004 1005int HttpNetworkTransaction::DoReadBodyComplete(int result) { 1006 // We are done with the Read call. 1007 bool done = false; 1008 if (result <= 0) { 1009 DCHECK_NE(ERR_IO_PENDING, result); 1010 done = true; 1011 } 1012 1013 bool keep_alive = false; 1014 if (stream_->IsResponseBodyComplete()) { 1015 // Note: Just because IsResponseBodyComplete is true, we're not 1016 // necessarily "done". We're only "done" when it is the last 1017 // read on this HttpNetworkTransaction, which will be signified 1018 // by a zero-length read. 1019 // TODO(mbelshe): The keepalive property is really a property of 1020 // the stream. No need to compute it here just to pass back 1021 // to the stream's Close function. 1022 // TODO(rtenneti): CanFindEndOfResponse should return false if there are no 1023 // ResponseHeaders. 1024 if (stream_->CanFindEndOfResponse()) { 1025 HttpResponseHeaders* headers = GetResponseHeaders(); 1026 if (headers) 1027 keep_alive = headers->IsKeepAlive(); 1028 } 1029 } 1030 1031 // Clean up connection if we are done. 1032 if (done) { 1033 LogTransactionMetrics(); 1034 stream_->Close(!keep_alive); 1035 // Note: we don't reset the stream here. We've closed it, but we still 1036 // need it around so that callers can call methods such as 1037 // GetUploadProgress() and have them be meaningful. 1038 // TODO(mbelshe): This means we closed the stream here, and we close it 1039 // again in ~HttpNetworkTransaction. Clean that up. 1040 1041 // The next Read call will return 0 (EOF). 1042 } 1043 1044 // Clear these to avoid leaving around old state. 1045 read_buf_ = NULL; 1046 read_buf_len_ = 0; 1047 1048 return result; 1049} 1050 1051int HttpNetworkTransaction::DoDrainBodyForAuthRestart() { 1052 // This method differs from DoReadBody only in the next_state_. So we just 1053 // call DoReadBody and override the next_state_. Perhaps there is a more 1054 // elegant way for these two methods to share code. 1055 int rv = DoReadBody(); 1056 DCHECK(next_state_ == STATE_READ_BODY_COMPLETE); 1057 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE; 1058 return rv; 1059} 1060 1061// TODO(wtc): This method and the DoReadBodyComplete method are almost 1062// the same. Figure out a good way for these two methods to share code. 1063int HttpNetworkTransaction::DoDrainBodyForAuthRestartComplete(int result) { 1064 // keep_alive defaults to true because the very reason we're draining the 1065 // response body is to reuse the connection for auth restart. 1066 bool done = false, keep_alive = true; 1067 if (result < 0) { 1068 // Error or closed connection while reading the socket. 1069 done = true; 1070 keep_alive = false; 1071 } else if (stream_->IsResponseBodyComplete()) { 1072 done = true; 1073 } 1074 1075 if (done) { 1076 DidDrainBodyForAuthRestart(keep_alive); 1077 } else { 1078 // Keep draining. 1079 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 1080 } 1081 1082 return OK; 1083} 1084 1085void HttpNetworkTransaction::LogTransactionConnectedMetrics() { 1086 if (logged_response_time_) 1087 return; 1088 1089 logged_response_time_ = true; 1090 1091 base::TimeDelta total_duration = response_.response_time - start_time_; 1092 1093 UMA_HISTOGRAM_CUSTOM_TIMES( 1094 "Net.Transaction_Connected", 1095 total_duration, 1096 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1097 100); 1098 1099 bool reused_socket = stream_->IsConnectionReused(); 1100 if (!reused_socket) { 1101 UMA_HISTOGRAM_CUSTOM_TIMES( 1102 "Net.Transaction_Connected_New_b", 1103 total_duration, 1104 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1105 100); 1106 } 1107 1108 // Currently, non-HIGHEST priority requests are frame or sub-frame resource 1109 // types. This will change when we also prioritize certain subresources like 1110 // css, js, etc. 1111 if (priority_ != HIGHEST) { 1112 UMA_HISTOGRAM_CUSTOM_TIMES( 1113 "Net.Priority_High_Latency_b", 1114 total_duration, 1115 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1116 100); 1117 } else { 1118 UMA_HISTOGRAM_CUSTOM_TIMES( 1119 "Net.Priority_Low_Latency_b", 1120 total_duration, 1121 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1122 100); 1123 } 1124} 1125 1126void HttpNetworkTransaction::LogTransactionMetrics() const { 1127 base::TimeDelta duration = base::Time::Now() - 1128 response_.request_time; 1129 if (60 < duration.InMinutes()) 1130 return; 1131 1132 base::TimeDelta total_duration = base::Time::Now() - start_time_; 1133 1134 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_b", duration, 1135 base::TimeDelta::FromMilliseconds(1), 1136 base::TimeDelta::FromMinutes(10), 1137 100); 1138 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_Total", 1139 total_duration, 1140 base::TimeDelta::FromMilliseconds(1), 1141 base::TimeDelta::FromMinutes(10), 100); 1142 1143 if (!stream_->IsConnectionReused()) { 1144 UMA_HISTOGRAM_CUSTOM_TIMES( 1145 "Net.Transaction_Latency_Total_New_Connection", 1146 total_duration, base::TimeDelta::FromMilliseconds(1), 1147 base::TimeDelta::FromMinutes(10), 100); 1148 } 1149} 1150 1151int HttpNetworkTransaction::HandleCertificateRequest(int error) { 1152 // There are two paths through which the server can request a certificate 1153 // from us. The first is during the initial handshake, the second is 1154 // during SSL renegotiation. 1155 // 1156 // In both cases, we want to close the connection before proceeding. 1157 // We do this for two reasons: 1158 // First, we don't want to keep the connection to the server hung for a 1159 // long time while the user selects a certificate. 1160 // Second, even if we did keep the connection open, NSS has a bug where 1161 // restarting the handshake for ClientAuth is currently broken. 1162 DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 1163 1164 if (stream_.get()) { 1165 // Since we already have a stream, we're being called as part of SSL 1166 // renegotiation. 1167 DCHECK(!stream_request_.get()); 1168 stream_->Close(true); 1169 stream_.reset(); 1170 } 1171 1172 // The server is asking for a client certificate during the initial 1173 // handshake. 1174 stream_request_.reset(); 1175 1176 // If the user selected one of the certificates in client_certs or declined 1177 // to provide one for this server before, use the past decision 1178 // automatically. 1179 scoped_refptr<X509Certificate> client_cert; 1180 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( 1181 response_.cert_request_info->host_and_port, &client_cert); 1182 if (!found_cached_cert) 1183 return error; 1184 1185 // Check that the certificate selected is still a certificate the server 1186 // is likely to accept, based on the criteria supplied in the 1187 // CertificateRequest message. 1188 if (client_cert.get()) { 1189 const std::vector<std::string>& cert_authorities = 1190 response_.cert_request_info->cert_authorities; 1191 1192 bool cert_still_valid = cert_authorities.empty() || 1193 client_cert->IsIssuedByEncoded(cert_authorities); 1194 if (!cert_still_valid) 1195 return error; 1196 } 1197 1198 // TODO(davidben): Add a unit test which covers this path; we need to be 1199 // able to send a legitimate certificate and also bypass/clear the 1200 // SSL session cache. 1201 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 1202 &proxy_ssl_config_ : &server_ssl_config_; 1203 ssl_config->send_client_cert = true; 1204 ssl_config->client_cert = client_cert; 1205 next_state_ = STATE_CREATE_STREAM; 1206 // Reset the other member variables. 1207 // Note: this is necessary only with SSL renegotiation. 1208 ResetStateForRestart(); 1209 return OK; 1210} 1211 1212// TODO(rch): This does not correctly handle errors when an SSL proxy is 1213// being used, as all of the errors are handled as if they were generated 1214// by the endpoint host, request_->url, rather than considering if they were 1215// generated by the SSL proxy. http://crbug.com/69329 1216int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { 1217 DCHECK(request_); 1218 if (server_ssl_config_.send_client_cert && 1219 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { 1220 session_->ssl_client_auth_cache()->Remove( 1221 GetHostAndPort(request_->url)); 1222 } 1223 1224 bool should_fallback = false; 1225 uint16 version_max = server_ssl_config_.version_max; 1226 1227 switch (error) { 1228 case ERR_SSL_PROTOCOL_ERROR: 1229 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: 1230 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && 1231 version_max > server_ssl_config_.version_min) { 1232 // This could be a TLS-intolerant server or a server that chose a 1233 // cipher suite defined only for higher protocol versions (such as 1234 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall 1235 // back to the next lower version and retry. 1236 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, 1237 // specifying TLS 1.1 in version_max will result in a TLS 1.0 1238 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply 1239 // repeat the TLS 1.0 handshake. To avoid this problem, the default 1240 // version_max should match the maximum protocol version supported 1241 // by the SSLClientSocket class. 1242 version_max--; 1243 1244 // Fallback to the lower SSL version. 1245 // While SSL 3.0 fallback should be eliminated because of security 1246 // reasons, there is a high risk of breaking the servers if this is 1247 // done in general. 1248 // For now SSL 3.0 fallback is disabled for Google servers first, 1249 // and will be expanded to other servers after enough experiences 1250 // have been gained showing that this experiment works well with 1251 // today's Internet. 1252 if (version_max > SSL_PROTOCOL_VERSION_SSL3 || 1253 (server_ssl_config_.unrestricted_ssl3_fallback_enabled || 1254 !TransportSecurityState::IsGooglePinnedProperty( 1255 request_->url.host(), true /* include SNI */))) { 1256 should_fallback = true; 1257 } 1258 } 1259 break; 1260 case ERR_SSL_BAD_RECORD_MAC_ALERT: 1261 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && 1262 version_max > server_ssl_config_.version_min) { 1263 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or 1264 // 1.2 ClientHello, but then return a bad_record_mac alert. See 1265 // crbug.com/260358. In order to make the fallback as minimal as 1266 // possible, this fallback is only triggered for >= TLS 1.1. 1267 version_max--; 1268 should_fallback = true; 1269 } 1270 break; 1271 } 1272 1273 if (should_fallback) { 1274 net_log_.AddEvent( 1275 NetLog::TYPE_SSL_VERSION_FALLBACK, 1276 base::Bind(&NetLogSSLVersionFallbackCallback, 1277 &request_->url, error, server_ssl_config_.version_max, 1278 version_max)); 1279 server_ssl_config_.version_max = version_max; 1280 server_ssl_config_.version_fallback = true; 1281 ResetConnectionAndRequestForResend(); 1282 error = OK; 1283 } 1284 1285 return error; 1286} 1287 1288// This method determines whether it is safe to resend the request after an 1289// IO error. It can only be called in response to request header or body 1290// write errors or response header read errors. It should not be used in 1291// other cases, such as a Connect error. 1292int HttpNetworkTransaction::HandleIOError(int error) { 1293 // SSL errors may happen at any time during the stream and indicate issues 1294 // with the underlying connection. Because the peer may request 1295 // renegotiation at any time, check and handle any possible SSL handshake 1296 // related errors. In addition to renegotiation, TLS False Start may cause 1297 // SSL handshake errors (specifically servers with buggy DEFLATE support) 1298 // to be delayed until the first Read on the underlying connection. 1299 error = HandleSSLHandshakeError(error); 1300 1301 switch (error) { 1302 // If we try to reuse a connection that the server is in the process of 1303 // closing, we may end up successfully writing out our request (or a 1304 // portion of our request) only to find a connection error when we try to 1305 // read from (or finish writing to) the socket. 1306 case ERR_CONNECTION_RESET: 1307 case ERR_CONNECTION_CLOSED: 1308 case ERR_CONNECTION_ABORTED: 1309 // There can be a race between the socket pool checking checking whether a 1310 // socket is still connected, receiving the FIN, and sending/reading data 1311 // on a reused socket. If we receive the FIN between the connectedness 1312 // check and writing/reading from the socket, we may first learn the socket 1313 // is disconnected when we get a ERR_SOCKET_NOT_CONNECTED. This will most 1314 // likely happen when trying to retrieve its IP address. 1315 // See http://crbug.com/105824 for more details. 1316 case ERR_SOCKET_NOT_CONNECTED: 1317 if (ShouldResendRequest(error)) { 1318 net_log_.AddEventWithNetErrorCode( 1319 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1320 ResetConnectionAndRequestForResend(); 1321 error = OK; 1322 } 1323 break; 1324 case ERR_PIPELINE_EVICTION: 1325 if (!session_->force_http_pipelining()) { 1326 net_log_.AddEventWithNetErrorCode( 1327 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1328 ResetConnectionAndRequestForResend(); 1329 error = OK; 1330 } 1331 break; 1332 case ERR_SPDY_PING_FAILED: 1333 case ERR_SPDY_SERVER_REFUSED_STREAM: 1334 net_log_.AddEventWithNetErrorCode( 1335 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1336 ResetConnectionAndRequestForResend(); 1337 error = OK; 1338 break; 1339 } 1340 return error; 1341} 1342 1343void HttpNetworkTransaction::ResetStateForRestart() { 1344 ResetStateForAuthRestart(); 1345 stream_.reset(); 1346} 1347 1348void HttpNetworkTransaction::ResetStateForAuthRestart() { 1349 send_start_time_ = base::TimeTicks(); 1350 send_end_time_ = base::TimeTicks(); 1351 1352 pending_auth_target_ = HttpAuth::AUTH_NONE; 1353 read_buf_ = NULL; 1354 read_buf_len_ = 0; 1355 headers_valid_ = false; 1356 request_headers_.Clear(); 1357 response_ = HttpResponseInfo(); 1358 establishing_tunnel_ = false; 1359} 1360 1361HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const { 1362 return response_.headers.get(); 1363} 1364 1365bool HttpNetworkTransaction::ShouldResendRequest(int error) const { 1366 bool connection_is_proven = stream_->IsConnectionReused(); 1367 bool has_received_headers = GetResponseHeaders() != NULL; 1368 1369 // NOTE: we resend a request only if we reused a keep-alive connection. 1370 // This automatically prevents an infinite resend loop because we'll run 1371 // out of the cached keep-alive connections eventually. 1372 if (connection_is_proven && !has_received_headers) 1373 return true; 1374 return false; 1375} 1376 1377void HttpNetworkTransaction::ResetConnectionAndRequestForResend() { 1378 if (stream_.get()) { 1379 stream_->Close(true); 1380 stream_.reset(); 1381 } 1382 1383 // We need to clear request_headers_ because it contains the real request 1384 // headers, but we may need to resend the CONNECT request first to recreate 1385 // the SSL tunnel. 1386 request_headers_.Clear(); 1387 next_state_ = STATE_CREATE_STREAM; // Resend the request. 1388} 1389 1390bool HttpNetworkTransaction::ShouldApplyProxyAuth() const { 1391 return !is_https_request() && 1392 (proxy_info_.is_https() || proxy_info_.is_http()); 1393} 1394 1395bool HttpNetworkTransaction::ShouldApplyServerAuth() const { 1396 return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA); 1397} 1398 1399int HttpNetworkTransaction::HandleAuthChallenge() { 1400 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 1401 DCHECK(headers.get()); 1402 1403 int status = headers->response_code(); 1404 if (status != HTTP_UNAUTHORIZED && 1405 status != HTTP_PROXY_AUTHENTICATION_REQUIRED) 1406 return OK; 1407 HttpAuth::Target target = status == HTTP_PROXY_AUTHENTICATION_REQUIRED ? 1408 HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER; 1409 if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct()) 1410 return ERR_UNEXPECTED_PROXY_AUTH; 1411 1412 // This case can trigger when an HTTPS server responds with a "Proxy 1413 // authentication required" status code through a non-authenticating 1414 // proxy. 1415 if (!auth_controllers_[target].get()) 1416 return ERR_UNEXPECTED_PROXY_AUTH; 1417 1418 int rv = auth_controllers_[target]->HandleAuthChallenge( 1419 headers, (request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA) != 0, false, 1420 net_log_); 1421 if (auth_controllers_[target]->HaveAuthHandler()) 1422 pending_auth_target_ = target; 1423 1424 scoped_refptr<AuthChallengeInfo> auth_info = 1425 auth_controllers_[target]->auth_info(); 1426 if (auth_info.get()) 1427 response_.auth_challenge = auth_info; 1428 1429 return rv; 1430} 1431 1432bool HttpNetworkTransaction::HaveAuth(HttpAuth::Target target) const { 1433 return auth_controllers_[target].get() && 1434 auth_controllers_[target]->HaveAuth(); 1435} 1436 1437GURL HttpNetworkTransaction::AuthURL(HttpAuth::Target target) const { 1438 switch (target) { 1439 case HttpAuth::AUTH_PROXY: { 1440 if (!proxy_info_.proxy_server().is_valid() || 1441 proxy_info_.proxy_server().is_direct()) { 1442 return GURL(); // There is no proxy server. 1443 } 1444 const char* scheme = proxy_info_.is_https() ? "https://" : "http://"; 1445 return GURL(scheme + 1446 proxy_info_.proxy_server().host_port_pair().ToString()); 1447 } 1448 case HttpAuth::AUTH_SERVER: 1449 return request_->url; 1450 default: 1451 return GURL(); 1452 } 1453} 1454 1455#define STATE_CASE(s) \ 1456 case s: \ 1457 description = base::StringPrintf("%s (0x%08X)", #s, s); \ 1458 break 1459 1460std::string HttpNetworkTransaction::DescribeState(State state) { 1461 std::string description; 1462 switch (state) { 1463 STATE_CASE(STATE_CREATE_STREAM); 1464 STATE_CASE(STATE_CREATE_STREAM_COMPLETE); 1465 STATE_CASE(STATE_INIT_REQUEST_BODY); 1466 STATE_CASE(STATE_INIT_REQUEST_BODY_COMPLETE); 1467 STATE_CASE(STATE_BUILD_REQUEST); 1468 STATE_CASE(STATE_BUILD_REQUEST_COMPLETE); 1469 STATE_CASE(STATE_SEND_REQUEST); 1470 STATE_CASE(STATE_SEND_REQUEST_COMPLETE); 1471 STATE_CASE(STATE_READ_HEADERS); 1472 STATE_CASE(STATE_READ_HEADERS_COMPLETE); 1473 STATE_CASE(STATE_READ_BODY); 1474 STATE_CASE(STATE_READ_BODY_COMPLETE); 1475 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART); 1476 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE); 1477 STATE_CASE(STATE_NONE); 1478 default: 1479 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, 1480 state); 1481 break; 1482 } 1483 return description; 1484} 1485 1486#undef STATE_CASE 1487 1488} // namespace net 1489