http_network_transaction.cc revision ba5b9a6411cb1792fd21f0a078d7a25cd1ceec16
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/http/http_network_transaction.h" 6 7#include <set> 8#include <vector> 9 10#include "base/bind.h" 11#include "base/bind_helpers.h" 12#include "base/compiler_specific.h" 13#include "base/format_macros.h" 14#include "base/memory/scoped_ptr.h" 15#include "base/metrics/field_trial.h" 16#include "base/metrics/histogram.h" 17#include "base/metrics/stats_counters.h" 18#include "base/stl_util.h" 19#include "base/strings/string_number_conversions.h" 20#include "base/strings/string_util.h" 21#include "base/strings/stringprintf.h" 22#include "base/values.h" 23#include "build/build_config.h" 24#include "net/base/auth.h" 25#include "net/base/host_port_pair.h" 26#include "net/base/io_buffer.h" 27#include "net/base/load_flags.h" 28#include "net/base/load_timing_info.h" 29#include "net/base/net_errors.h" 30#include "net/base/net_util.h" 31#include "net/base/upload_data_stream.h" 32#include "net/http/http_auth.h" 33#include "net/http/http_auth_handler.h" 34#include "net/http/http_auth_handler_factory.h" 35#include "net/http/http_basic_stream.h" 36#include "net/http/http_chunked_decoder.h" 37#include "net/http/http_network_session.h" 38#include "net/http/http_proxy_client_socket.h" 39#include "net/http/http_proxy_client_socket_pool.h" 40#include "net/http/http_request_headers.h" 41#include "net/http/http_request_info.h" 42#include "net/http/http_response_headers.h" 43#include "net/http/http_response_info.h" 44#include "net/http/http_server_properties.h" 45#include "net/http/http_status_code.h" 46#include "net/http/http_stream_base.h" 47#include "net/http/http_stream_factory.h" 48#include "net/http/http_util.h" 49#include "net/http/transport_security_state.h" 50#include "net/http/url_security_manager.h" 51#include "net/socket/client_socket_factory.h" 52#include "net/socket/socks_client_socket_pool.h" 53#include "net/socket/ssl_client_socket.h" 54#include "net/socket/ssl_client_socket_pool.h" 55#include "net/socket/transport_client_socket_pool.h" 56#include "net/spdy/spdy_http_stream.h" 57#include "net/spdy/spdy_session.h" 58#include "net/spdy/spdy_session_pool.h" 59#include "net/ssl/ssl_cert_request_info.h" 60#include "net/ssl/ssl_connection_status_flags.h" 61#include "url/gurl.h" 62 63using base::Time; 64 65namespace net { 66 67namespace { 68 69void ProcessAlternateProtocol( 70 HttpStreamFactory* factory, 71 const base::WeakPtr<HttpServerProperties>& http_server_properties, 72 const HttpResponseHeaders& headers, 73 const HostPortPair& http_host_port_pair) { 74 std::string alternate_protocol_str; 75 76 if (!headers.EnumerateHeader(NULL, kAlternateProtocolHeader, 77 &alternate_protocol_str)) { 78 // Header is not present. 79 return; 80 } 81 82 factory->ProcessAlternateProtocol(http_server_properties, 83 alternate_protocol_str, 84 http_host_port_pair); 85} 86 87// Returns true if |error| is a client certificate authentication error. 88bool IsClientCertificateError(int error) { 89 switch (error) { 90 case ERR_BAD_SSL_CLIENT_AUTH_CERT: 91 case ERR_SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED: 92 case ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY: 93 case ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: 94 return true; 95 default: 96 return false; 97 } 98} 99 100base::Value* NetLogSSLVersionFallbackCallback( 101 const GURL* url, 102 int net_error, 103 uint16 version_before, 104 uint16 version_after, 105 NetLog::LogLevel /* log_level */) { 106 base::DictionaryValue* dict = new base::DictionaryValue(); 107 dict->SetString("host_and_port", GetHostAndPort(*url)); 108 dict->SetInteger("net_error", net_error); 109 dict->SetInteger("version_before", version_before); 110 dict->SetInteger("version_after", version_after); 111 return dict; 112} 113 114} // namespace 115 116//----------------------------------------------------------------------------- 117 118HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority, 119 HttpNetworkSession* session) 120 : pending_auth_target_(HttpAuth::AUTH_NONE), 121 io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete, 122 base::Unretained(this))), 123 session_(session), 124 request_(NULL), 125 priority_(priority), 126 headers_valid_(false), 127 logged_response_time_(false), 128 request_headers_(), 129 read_buf_len_(0), 130 next_state_(STATE_NONE), 131 establishing_tunnel_(false) { 132 session->ssl_config_service()->GetSSLConfig(&server_ssl_config_); 133 if (session->http_stream_factory()->has_next_protos()) { 134 server_ssl_config_.next_protos = 135 session->http_stream_factory()->next_protos(); 136 } 137 proxy_ssl_config_ = server_ssl_config_; 138} 139 140HttpNetworkTransaction::~HttpNetworkTransaction() { 141 if (stream_.get()) { 142 HttpResponseHeaders* headers = GetResponseHeaders(); 143 // TODO(mbelshe): The stream_ should be able to compute whether or not the 144 // stream should be kept alive. No reason to compute here 145 // and pass it in. 146 bool try_to_keep_alive = 147 next_state_ == STATE_NONE && 148 stream_->CanFindEndOfResponse() && 149 (!headers || headers->IsKeepAlive()); 150 if (!try_to_keep_alive) { 151 stream_->Close(true /* not reusable */); 152 } else { 153 if (stream_->IsResponseBodyComplete()) { 154 // If the response body is complete, we can just reuse the socket. 155 stream_->Close(false /* reusable */); 156 } else if (stream_->IsSpdyHttpStream()) { 157 // Doesn't really matter for SpdyHttpStream. Just close it. 158 stream_->Close(true /* not reusable */); 159 } else { 160 // Otherwise, we try to drain the response body. 161 HttpStreamBase* stream = stream_.release(); 162 stream->Drain(session_.get()); 163 } 164 } 165 } 166} 167 168int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info, 169 const CompletionCallback& callback, 170 const BoundNetLog& net_log) { 171 SIMPLE_STATS_COUNTER("HttpNetworkTransaction.Count"); 172 173 net_log_ = net_log; 174 request_ = request_info; 175 start_time_ = base::Time::Now(); 176 177 if (request_->load_flags & LOAD_DISABLE_CERT_REVOCATION_CHECKING) { 178 server_ssl_config_.rev_checking_enabled = false; 179 proxy_ssl_config_.rev_checking_enabled = false; 180 } 181 182 // Channel ID is enabled unless --disable-tls-channel-id flag is set, 183 // or if privacy mode is enabled. 184 bool channel_id_enabled = server_ssl_config_.channel_id_enabled && 185 (request_->privacy_mode == kPrivacyModeDisabled); 186 server_ssl_config_.channel_id_enabled = channel_id_enabled; 187 188 next_state_ = STATE_CREATE_STREAM; 189 int rv = DoLoop(OK); 190 if (rv == ERR_IO_PENDING) 191 callback_ = callback; 192 return rv; 193} 194 195int HttpNetworkTransaction::RestartIgnoringLastError( 196 const CompletionCallback& callback) { 197 DCHECK(!stream_.get()); 198 DCHECK(!stream_request_.get()); 199 DCHECK_EQ(STATE_NONE, next_state_); 200 201 next_state_ = STATE_CREATE_STREAM; 202 203 int rv = DoLoop(OK); 204 if (rv == ERR_IO_PENDING) 205 callback_ = callback; 206 return rv; 207} 208 209int HttpNetworkTransaction::RestartWithCertificate( 210 X509Certificate* client_cert, const CompletionCallback& callback) { 211 // In HandleCertificateRequest(), we always tear down existing stream 212 // requests to force a new connection. So we shouldn't have one here. 213 DCHECK(!stream_request_.get()); 214 DCHECK(!stream_.get()); 215 DCHECK_EQ(STATE_NONE, next_state_); 216 217 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 218 &proxy_ssl_config_ : &server_ssl_config_; 219 ssl_config->send_client_cert = true; 220 ssl_config->client_cert = client_cert; 221 session_->ssl_client_auth_cache()->Add( 222 response_.cert_request_info->host_and_port, client_cert); 223 // Reset the other member variables. 224 // Note: this is necessary only with SSL renegotiation. 225 ResetStateForRestart(); 226 next_state_ = STATE_CREATE_STREAM; 227 int rv = DoLoop(OK); 228 if (rv == ERR_IO_PENDING) 229 callback_ = callback; 230 return rv; 231} 232 233int HttpNetworkTransaction::RestartWithAuth( 234 const AuthCredentials& credentials, const CompletionCallback& callback) { 235 HttpAuth::Target target = pending_auth_target_; 236 if (target == HttpAuth::AUTH_NONE) { 237 NOTREACHED(); 238 return ERR_UNEXPECTED; 239 } 240 pending_auth_target_ = HttpAuth::AUTH_NONE; 241 242 auth_controllers_[target]->ResetAuth(credentials); 243 244 DCHECK(callback_.is_null()); 245 246 int rv = OK; 247 if (target == HttpAuth::AUTH_PROXY && establishing_tunnel_) { 248 // In this case, we've gathered credentials for use with proxy 249 // authentication of a tunnel. 250 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 251 DCHECK(stream_request_ != NULL); 252 auth_controllers_[target] = NULL; 253 ResetStateForRestart(); 254 rv = stream_request_->RestartTunnelWithProxyAuth(credentials); 255 } else { 256 // In this case, we've gathered credentials for the server or the proxy 257 // but it is not during the tunneling phase. 258 DCHECK(stream_request_ == NULL); 259 PrepareForAuthRestart(target); 260 rv = DoLoop(OK); 261 } 262 263 if (rv == ERR_IO_PENDING) 264 callback_ = callback; 265 return rv; 266} 267 268void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) { 269 DCHECK(HaveAuth(target)); 270 DCHECK(!stream_request_.get()); 271 272 bool keep_alive = false; 273 // Even if the server says the connection is keep-alive, we have to be 274 // able to find the end of each response in order to reuse the connection. 275 if (GetResponseHeaders()->IsKeepAlive() && 276 stream_->CanFindEndOfResponse()) { 277 // If the response body hasn't been completely read, we need to drain 278 // it first. 279 if (!stream_->IsResponseBodyComplete()) { 280 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 281 read_buf_ = new IOBuffer(kDrainBodyBufferSize); // A bit bucket. 282 read_buf_len_ = kDrainBodyBufferSize; 283 return; 284 } 285 keep_alive = true; 286 } 287 288 // We don't need to drain the response body, so we act as if we had drained 289 // the response body. 290 DidDrainBodyForAuthRestart(keep_alive); 291} 292 293void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) { 294 DCHECK(!stream_request_.get()); 295 296 if (stream_.get()) { 297 HttpStream* new_stream = NULL; 298 if (keep_alive && stream_->IsConnectionReusable()) { 299 // We should call connection_->set_idle_time(), but this doesn't occur 300 // often enough to be worth the trouble. 301 stream_->SetConnectionReused(); 302 new_stream = 303 static_cast<HttpStream*>(stream_.get())->RenewStreamForAuth(); 304 } 305 306 if (!new_stream) { 307 // Close the stream and mark it as not_reusable. Even in the 308 // keep_alive case, we've determined that the stream_ is not 309 // reusable if new_stream is NULL. 310 stream_->Close(true); 311 next_state_ = STATE_CREATE_STREAM; 312 } else { 313 next_state_ = STATE_INIT_STREAM; 314 } 315 stream_.reset(new_stream); 316 } 317 318 // Reset the other member variables. 319 ResetStateForAuthRestart(); 320} 321 322bool HttpNetworkTransaction::IsReadyToRestartForAuth() { 323 return pending_auth_target_ != HttpAuth::AUTH_NONE && 324 HaveAuth(pending_auth_target_); 325} 326 327int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len, 328 const CompletionCallback& callback) { 329 DCHECK(buf); 330 DCHECK_LT(0, buf_len); 331 332 State next_state = STATE_NONE; 333 334 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 335 if (headers_valid_ && headers.get() && stream_request_.get()) { 336 // We're trying to read the body of the response but we're still trying 337 // to establish an SSL tunnel through an HTTP proxy. We can't read these 338 // bytes when establishing a tunnel because they might be controlled by 339 // an active network attacker. We don't worry about this for HTTP 340 // because an active network attacker can already control HTTP sessions. 341 // We reach this case when the user cancels a 407 proxy auth prompt. We 342 // also don't worry about this for an HTTPS Proxy, because the 343 // communication with the proxy is secure. 344 // See http://crbug.com/8473. 345 DCHECK(proxy_info_.is_http() || proxy_info_.is_https()); 346 DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED); 347 LOG(WARNING) << "Blocked proxy response with status " 348 << headers->response_code() << " to CONNECT request for " 349 << GetHostAndPort(request_->url) << "."; 350 return ERR_TUNNEL_CONNECTION_FAILED; 351 } 352 353 // Are we using SPDY or HTTP? 354 next_state = STATE_READ_BODY; 355 356 read_buf_ = buf; 357 read_buf_len_ = buf_len; 358 359 next_state_ = next_state; 360 int rv = DoLoop(OK); 361 if (rv == ERR_IO_PENDING) 362 callback_ = callback; 363 return rv; 364} 365 366bool HttpNetworkTransaction::GetFullRequestHeaders( 367 HttpRequestHeaders* headers) const { 368 // TODO(ttuttle): Make sure we've populated request_headers_. 369 *headers = request_headers_; 370 return true; 371} 372 373const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const { 374 return ((headers_valid_ && response_.headers.get()) || 375 response_.ssl_info.cert.get() || response_.cert_request_info.get()) 376 ? &response_ 377 : NULL; 378} 379 380LoadState HttpNetworkTransaction::GetLoadState() const { 381 // TODO(wtc): Define a new LoadState value for the 382 // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request. 383 switch (next_state_) { 384 case STATE_CREATE_STREAM_COMPLETE: 385 return stream_request_->GetLoadState(); 386 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 387 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 388 case STATE_SEND_REQUEST_COMPLETE: 389 return LOAD_STATE_SENDING_REQUEST; 390 case STATE_READ_HEADERS_COMPLETE: 391 return LOAD_STATE_WAITING_FOR_RESPONSE; 392 case STATE_READ_BODY_COMPLETE: 393 return LOAD_STATE_READING_RESPONSE; 394 default: 395 return LOAD_STATE_IDLE; 396 } 397} 398 399UploadProgress HttpNetworkTransaction::GetUploadProgress() const { 400 if (!stream_.get()) 401 return UploadProgress(); 402 403 // TODO(bashi): This cast is temporary. Remove later. 404 return static_cast<HttpStream*>(stream_.get())->GetUploadProgress(); 405} 406 407bool HttpNetworkTransaction::GetLoadTimingInfo( 408 LoadTimingInfo* load_timing_info) const { 409 if (!stream_ || !stream_->GetLoadTimingInfo(load_timing_info)) 410 return false; 411 412 load_timing_info->proxy_resolve_start = 413 proxy_info_.proxy_resolve_start_time(); 414 load_timing_info->proxy_resolve_end = proxy_info_.proxy_resolve_end_time(); 415 load_timing_info->send_start = send_start_time_; 416 load_timing_info->send_end = send_end_time_; 417 return true; 418} 419 420void HttpNetworkTransaction::SetPriority(RequestPriority priority) { 421 priority_ = priority; 422 // TODO(akalin): Plumb this through to |stream_request_| and 423 // |stream_|. 424} 425 426void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config, 427 const ProxyInfo& used_proxy_info, 428 HttpStreamBase* stream) { 429 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 430 DCHECK(stream_request_.get()); 431 432 stream_.reset(stream); 433 server_ssl_config_ = used_ssl_config; 434 proxy_info_ = used_proxy_info; 435 response_.was_npn_negotiated = stream_request_->was_npn_negotiated(); 436 response_.npn_negotiated_protocol = SSLClientSocket::NextProtoToString( 437 stream_request_->protocol_negotiated()); 438 response_.was_fetched_via_spdy = stream_request_->using_spdy(); 439 response_.was_fetched_via_proxy = !proxy_info_.is_direct(); 440 441 OnIOComplete(OK); 442} 443 444void HttpNetworkTransaction::OnWebSocketStreamReady( 445 const SSLConfig& used_ssl_config, 446 const ProxyInfo& used_proxy_info, 447 WebSocketStreamBase* stream) { 448 NOTREACHED() << "This function should never be called."; 449} 450 451void HttpNetworkTransaction::OnStreamFailed(int result, 452 const SSLConfig& used_ssl_config) { 453 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 454 DCHECK_NE(OK, result); 455 DCHECK(stream_request_.get()); 456 DCHECK(!stream_.get()); 457 server_ssl_config_ = used_ssl_config; 458 459 OnIOComplete(result); 460} 461 462void HttpNetworkTransaction::OnCertificateError( 463 int result, 464 const SSLConfig& used_ssl_config, 465 const SSLInfo& ssl_info) { 466 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 467 DCHECK_NE(OK, result); 468 DCHECK(stream_request_.get()); 469 DCHECK(!stream_.get()); 470 471 response_.ssl_info = ssl_info; 472 server_ssl_config_ = used_ssl_config; 473 474 // TODO(mbelshe): For now, we're going to pass the error through, and that 475 // will close the stream_request in all cases. This means that we're always 476 // going to restart an entire STATE_CREATE_STREAM, even if the connection is 477 // good and the user chooses to ignore the error. This is not ideal, but not 478 // the end of the world either. 479 480 OnIOComplete(result); 481} 482 483void HttpNetworkTransaction::OnNeedsProxyAuth( 484 const HttpResponseInfo& proxy_response, 485 const SSLConfig& used_ssl_config, 486 const ProxyInfo& used_proxy_info, 487 HttpAuthController* auth_controller) { 488 DCHECK(stream_request_.get()); 489 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 490 491 establishing_tunnel_ = true; 492 response_.headers = proxy_response.headers; 493 response_.auth_challenge = proxy_response.auth_challenge; 494 headers_valid_ = true; 495 server_ssl_config_ = used_ssl_config; 496 proxy_info_ = used_proxy_info; 497 498 auth_controllers_[HttpAuth::AUTH_PROXY] = auth_controller; 499 pending_auth_target_ = HttpAuth::AUTH_PROXY; 500 501 DoCallback(OK); 502} 503 504void HttpNetworkTransaction::OnNeedsClientAuth( 505 const SSLConfig& used_ssl_config, 506 SSLCertRequestInfo* cert_info) { 507 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 508 509 server_ssl_config_ = used_ssl_config; 510 response_.cert_request_info = cert_info; 511 OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 512} 513 514void HttpNetworkTransaction::OnHttpsProxyTunnelResponse( 515 const HttpResponseInfo& response_info, 516 const SSLConfig& used_ssl_config, 517 const ProxyInfo& used_proxy_info, 518 HttpStreamBase* stream) { 519 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 520 521 headers_valid_ = true; 522 response_ = response_info; 523 server_ssl_config_ = used_ssl_config; 524 proxy_info_ = used_proxy_info; 525 stream_.reset(stream); 526 stream_request_.reset(); // we're done with the stream request 527 OnIOComplete(ERR_HTTPS_PROXY_TUNNEL_RESPONSE); 528} 529 530bool HttpNetworkTransaction::is_https_request() const { 531 return request_->url.SchemeIs("https"); 532} 533 534void HttpNetworkTransaction::DoCallback(int rv) { 535 DCHECK_NE(rv, ERR_IO_PENDING); 536 DCHECK(!callback_.is_null()); 537 538 // Since Run may result in Read being called, clear user_callback_ up front. 539 CompletionCallback c = callback_; 540 callback_.Reset(); 541 c.Run(rv); 542} 543 544void HttpNetworkTransaction::OnIOComplete(int result) { 545 int rv = DoLoop(result); 546 if (rv != ERR_IO_PENDING) 547 DoCallback(rv); 548} 549 550int HttpNetworkTransaction::DoLoop(int result) { 551 DCHECK(next_state_ != STATE_NONE); 552 553 int rv = result; 554 do { 555 State state = next_state_; 556 next_state_ = STATE_NONE; 557 switch (state) { 558 case STATE_CREATE_STREAM: 559 DCHECK_EQ(OK, rv); 560 rv = DoCreateStream(); 561 break; 562 case STATE_CREATE_STREAM_COMPLETE: 563 rv = DoCreateStreamComplete(rv); 564 break; 565 case STATE_INIT_STREAM: 566 DCHECK_EQ(OK, rv); 567 rv = DoInitStream(); 568 break; 569 case STATE_INIT_STREAM_COMPLETE: 570 rv = DoInitStreamComplete(rv); 571 break; 572 case STATE_GENERATE_PROXY_AUTH_TOKEN: 573 DCHECK_EQ(OK, rv); 574 rv = DoGenerateProxyAuthToken(); 575 break; 576 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 577 rv = DoGenerateProxyAuthTokenComplete(rv); 578 break; 579 case STATE_GENERATE_SERVER_AUTH_TOKEN: 580 DCHECK_EQ(OK, rv); 581 rv = DoGenerateServerAuthToken(); 582 break; 583 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 584 rv = DoGenerateServerAuthTokenComplete(rv); 585 break; 586 case STATE_INIT_REQUEST_BODY: 587 DCHECK_EQ(OK, rv); 588 rv = DoInitRequestBody(); 589 break; 590 case STATE_INIT_REQUEST_BODY_COMPLETE: 591 rv = DoInitRequestBodyComplete(rv); 592 break; 593 case STATE_BUILD_REQUEST: 594 DCHECK_EQ(OK, rv); 595 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST); 596 rv = DoBuildRequest(); 597 break; 598 case STATE_BUILD_REQUEST_COMPLETE: 599 rv = DoBuildRequestComplete(rv); 600 break; 601 case STATE_SEND_REQUEST: 602 DCHECK_EQ(OK, rv); 603 rv = DoSendRequest(); 604 break; 605 case STATE_SEND_REQUEST_COMPLETE: 606 rv = DoSendRequestComplete(rv); 607 net_log_.EndEventWithNetErrorCode( 608 NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, rv); 609 break; 610 case STATE_READ_HEADERS: 611 DCHECK_EQ(OK, rv); 612 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS); 613 rv = DoReadHeaders(); 614 break; 615 case STATE_READ_HEADERS_COMPLETE: 616 rv = DoReadHeadersComplete(rv); 617 net_log_.EndEventWithNetErrorCode( 618 NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS, rv); 619 break; 620 case STATE_READ_BODY: 621 DCHECK_EQ(OK, rv); 622 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_BODY); 623 rv = DoReadBody(); 624 break; 625 case STATE_READ_BODY_COMPLETE: 626 rv = DoReadBodyComplete(rv); 627 net_log_.EndEventWithNetErrorCode( 628 NetLog::TYPE_HTTP_TRANSACTION_READ_BODY, rv); 629 break; 630 case STATE_DRAIN_BODY_FOR_AUTH_RESTART: 631 DCHECK_EQ(OK, rv); 632 net_log_.BeginEvent( 633 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART); 634 rv = DoDrainBodyForAuthRestart(); 635 break; 636 case STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE: 637 rv = DoDrainBodyForAuthRestartComplete(rv); 638 net_log_.EndEventWithNetErrorCode( 639 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART, rv); 640 break; 641 default: 642 NOTREACHED() << "bad state"; 643 rv = ERR_FAILED; 644 break; 645 } 646 } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE); 647 648 return rv; 649} 650 651int HttpNetworkTransaction::DoCreateStream() { 652 next_state_ = STATE_CREATE_STREAM_COMPLETE; 653 654 stream_request_.reset( 655 session_->http_stream_factory()->RequestStream( 656 *request_, 657 priority_, 658 server_ssl_config_, 659 proxy_ssl_config_, 660 this, 661 net_log_)); 662 DCHECK(stream_request_.get()); 663 return ERR_IO_PENDING; 664} 665 666int HttpNetworkTransaction::DoCreateStreamComplete(int result) { 667 if (result == OK) { 668 next_state_ = STATE_INIT_STREAM; 669 DCHECK(stream_.get()); 670 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 671 result = HandleCertificateRequest(result); 672 } else if (result == ERR_HTTPS_PROXY_TUNNEL_RESPONSE) { 673 // Return OK and let the caller read the proxy's error page 674 next_state_ = STATE_NONE; 675 return OK; 676 } 677 678 // Handle possible handshake errors that may have occurred if the stream 679 // used SSL for one or more of the layers. 680 result = HandleSSLHandshakeError(result); 681 682 // At this point we are done with the stream_request_. 683 stream_request_.reset(); 684 return result; 685} 686 687int HttpNetworkTransaction::DoInitStream() { 688 DCHECK(stream_.get()); 689 next_state_ = STATE_INIT_STREAM_COMPLETE; 690 return stream_->InitializeStream(request_, priority_, net_log_, io_callback_); 691} 692 693int HttpNetworkTransaction::DoInitStreamComplete(int result) { 694 if (result == OK) { 695 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 696 } else { 697 if (result < 0) 698 result = HandleIOError(result); 699 700 // The stream initialization failed, so this stream will never be useful. 701 stream_.reset(); 702 } 703 704 return result; 705} 706 707int HttpNetworkTransaction::DoGenerateProxyAuthToken() { 708 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE; 709 if (!ShouldApplyProxyAuth()) 710 return OK; 711 HttpAuth::Target target = HttpAuth::AUTH_PROXY; 712 if (!auth_controllers_[target].get()) 713 auth_controllers_[target] = 714 new HttpAuthController(target, 715 AuthURL(target), 716 session_->http_auth_cache(), 717 session_->http_auth_handler_factory()); 718 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 719 io_callback_, 720 net_log_); 721} 722 723int HttpNetworkTransaction::DoGenerateProxyAuthTokenComplete(int rv) { 724 DCHECK_NE(ERR_IO_PENDING, rv); 725 if (rv == OK) 726 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN; 727 return rv; 728} 729 730int HttpNetworkTransaction::DoGenerateServerAuthToken() { 731 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE; 732 HttpAuth::Target target = HttpAuth::AUTH_SERVER; 733 if (!auth_controllers_[target].get()) 734 auth_controllers_[target] = 735 new HttpAuthController(target, 736 AuthURL(target), 737 session_->http_auth_cache(), 738 session_->http_auth_handler_factory()); 739 if (!ShouldApplyServerAuth()) 740 return OK; 741 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 742 io_callback_, 743 net_log_); 744} 745 746int HttpNetworkTransaction::DoGenerateServerAuthTokenComplete(int rv) { 747 DCHECK_NE(ERR_IO_PENDING, rv); 748 if (rv == OK) 749 next_state_ = STATE_INIT_REQUEST_BODY; 750 return rv; 751} 752 753void HttpNetworkTransaction::BuildRequestHeaders(bool using_proxy) { 754 request_headers_.SetHeader(HttpRequestHeaders::kHost, 755 GetHostAndOptionalPort(request_->url)); 756 757 // For compat with HTTP/1.0 servers and proxies: 758 if (using_proxy) { 759 request_headers_.SetHeader(HttpRequestHeaders::kProxyConnection, 760 "keep-alive"); 761 } else { 762 request_headers_.SetHeader(HttpRequestHeaders::kConnection, "keep-alive"); 763 } 764 765 // Add a content length header? 766 if (request_->upload_data_stream) { 767 if (request_->upload_data_stream->is_chunked()) { 768 request_headers_.SetHeader( 769 HttpRequestHeaders::kTransferEncoding, "chunked"); 770 } else { 771 request_headers_.SetHeader( 772 HttpRequestHeaders::kContentLength, 773 base::Uint64ToString(request_->upload_data_stream->size())); 774 } 775 } else if (request_->method == "POST" || request_->method == "PUT" || 776 request_->method == "HEAD") { 777 // An empty POST/PUT request still needs a content length. As for HEAD, 778 // IE and Safari also add a content length header. Presumably it is to 779 // support sending a HEAD request to an URL that only expects to be sent a 780 // POST or some other method that normally would have a message body. 781 request_headers_.SetHeader(HttpRequestHeaders::kContentLength, "0"); 782 } 783 784 // Honor load flags that impact proxy caches. 785 if (request_->load_flags & LOAD_BYPASS_CACHE) { 786 request_headers_.SetHeader(HttpRequestHeaders::kPragma, "no-cache"); 787 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "no-cache"); 788 } else if (request_->load_flags & LOAD_VALIDATE_CACHE) { 789 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "max-age=0"); 790 } 791 792 if (ShouldApplyProxyAuth() && HaveAuth(HttpAuth::AUTH_PROXY)) 793 auth_controllers_[HttpAuth::AUTH_PROXY]->AddAuthorizationHeader( 794 &request_headers_); 795 if (ShouldApplyServerAuth() && HaveAuth(HttpAuth::AUTH_SERVER)) 796 auth_controllers_[HttpAuth::AUTH_SERVER]->AddAuthorizationHeader( 797 &request_headers_); 798 799 request_headers_.MergeFrom(request_->extra_headers); 800 response_.did_use_http_auth = 801 request_headers_.HasHeader(HttpRequestHeaders::kAuthorization) || 802 request_headers_.HasHeader(HttpRequestHeaders::kProxyAuthorization); 803} 804 805int HttpNetworkTransaction::DoInitRequestBody() { 806 next_state_ = STATE_INIT_REQUEST_BODY_COMPLETE; 807 int rv = OK; 808 if (request_->upload_data_stream) 809 rv = request_->upload_data_stream->Init(io_callback_); 810 return rv; 811} 812 813int HttpNetworkTransaction::DoInitRequestBodyComplete(int result) { 814 if (result == OK) 815 next_state_ = STATE_BUILD_REQUEST; 816 return result; 817} 818 819int HttpNetworkTransaction::DoBuildRequest() { 820 next_state_ = STATE_BUILD_REQUEST_COMPLETE; 821 headers_valid_ = false; 822 823 // This is constructed lazily (instead of within our Start method), so that 824 // we have proxy info available. 825 if (request_headers_.IsEmpty()) { 826 bool using_proxy = (proxy_info_.is_http() || proxy_info_.is_https()) && 827 !is_https_request(); 828 BuildRequestHeaders(using_proxy); 829 } 830 831 return OK; 832} 833 834int HttpNetworkTransaction::DoBuildRequestComplete(int result) { 835 if (result == OK) 836 next_state_ = STATE_SEND_REQUEST; 837 return result; 838} 839 840int HttpNetworkTransaction::DoSendRequest() { 841 send_start_time_ = base::TimeTicks::Now(); 842 next_state_ = STATE_SEND_REQUEST_COMPLETE; 843 844 return stream_->SendRequest(request_headers_, &response_, io_callback_); 845} 846 847int HttpNetworkTransaction::DoSendRequestComplete(int result) { 848 send_end_time_ = base::TimeTicks::Now(); 849 if (result < 0) 850 return HandleIOError(result); 851 response_.network_accessed = true; 852 next_state_ = STATE_READ_HEADERS; 853 return OK; 854} 855 856int HttpNetworkTransaction::DoReadHeaders() { 857 next_state_ = STATE_READ_HEADERS_COMPLETE; 858 return stream_->ReadResponseHeaders(io_callback_); 859} 860 861int HttpNetworkTransaction::HandleConnectionClosedBeforeEndOfHeaders() { 862 if (!response_.headers.get() && !stream_->IsConnectionReused()) { 863 // The connection was closed before any data was sent. Likely an error 864 // rather than empty HTTP/0.9 response. 865 return ERR_EMPTY_RESPONSE; 866 } 867 868 return OK; 869} 870 871int HttpNetworkTransaction::DoReadHeadersComplete(int result) { 872 // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here 873 // due to SSL renegotiation. 874 if (IsCertificateError(result)) { 875 // We don't handle a certificate error during SSL renegotiation, so we 876 // have to return an error that's not in the certificate error range 877 // (-2xx). 878 LOG(ERROR) << "Got a server certificate with error " << result 879 << " during SSL renegotiation"; 880 result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION; 881 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 882 // TODO(wtc): Need a test case for this code path! 883 DCHECK(stream_.get()); 884 DCHECK(is_https_request()); 885 response_.cert_request_info = new SSLCertRequestInfo; 886 stream_->GetSSLCertRequestInfo(response_.cert_request_info.get()); 887 result = HandleCertificateRequest(result); 888 if (result == OK) 889 return result; 890 } 891 892 if (result < 0 && result != ERR_CONNECTION_CLOSED) 893 return HandleIOError(result); 894 895 if (result == ERR_CONNECTION_CLOSED && ShouldResendRequest(result)) { 896 ResetConnectionAndRequestForResend(); 897 return OK; 898 } 899 900 // After we call RestartWithAuth a new response_time will be recorded, and 901 // we need to be cautious about incorrectly logging the duration across the 902 // authentication activity. 903 if (result == OK) 904 LogTransactionConnectedMetrics(); 905 906 if (result == ERR_CONNECTION_CLOSED) { 907 // For now, if we get at least some data, we do the best we can to make 908 // sense of it and send it back up the stack. 909 int rv = HandleConnectionClosedBeforeEndOfHeaders(); 910 if (rv != OK) 911 return rv; 912 } 913 DCHECK(response_.headers.get()); 914 915 // Server-induced fallback is supported only if this is a PAC configured 916 // proxy. See: http://crbug.com/143712 917 if (response_.was_fetched_via_proxy && proxy_info_.did_use_pac_script() && 918 response_.headers.get() != NULL) { 919 bool should_fallback = 920 response_.headers->HasHeaderValue("connection", "proxy-bypass"); 921 // Additionally, fallback if a 500 is returned via the data reduction proxy. 922 // This is conservative, as the 500 might have been generated by the origin, 923 // and not the proxy. 924#if defined(SPDY_PROXY_AUTH_ORIGIN) 925 if (!should_fallback) { 926 should_fallback = 927 response_.headers->response_code() == HTTP_INTERNAL_SERVER_ERROR && 928 proxy_info_.proxy_server().host_port_pair().Equals( 929 HostPortPair::FromURL(GURL(SPDY_PROXY_AUTH_ORIGIN))); 930 } 931#endif 932 if (should_fallback) { 933 ProxyService* proxy_service = session_->proxy_service(); 934 if (proxy_service->MarkProxyAsBad(proxy_info_, net_log_)) { 935 // Only retry in the case of GETs. We don't want to resubmit a POST 936 // if the proxy took some action. 937 if (request_->method == "GET") { 938 ResetConnectionAndRequestForResend(); 939 return OK; 940 } 941 } 942 } 943 } 944 945 // Like Net.HttpResponseCode, but only for MAIN_FRAME loads. 946 if (request_->load_flags & LOAD_MAIN_FRAME) { 947 const int response_code = response_.headers->response_code(); 948 UMA_HISTOGRAM_ENUMERATION( 949 "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10); 950 } 951 952 net_log_.AddEvent( 953 NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS, 954 base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers)); 955 956 if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) { 957 // HTTP/0.9 doesn't support the PUT method, so lack of response headers 958 // indicates a buggy server. See: 959 // https://bugzilla.mozilla.org/show_bug.cgi?id=193921 960 if (request_->method == "PUT") 961 return ERR_METHOD_NOT_SUPPORTED; 962 } 963 964 // Check for an intermediate 100 Continue response. An origin server is 965 // allowed to send this response even if we didn't ask for it, so we just 966 // need to skip over it. 967 // We treat any other 1xx in this same way (although in practice getting 968 // a 1xx that isn't a 100 is rare). 969 if (response_.headers->response_code() / 100 == 1) { 970 response_.headers = new HttpResponseHeaders(std::string()); 971 next_state_ = STATE_READ_HEADERS; 972 return OK; 973 } 974 975 HostPortPair endpoint = HostPortPair(request_->url.HostNoBrackets(), 976 request_->url.EffectiveIntPort()); 977 ProcessAlternateProtocol(session_->http_stream_factory(), 978 session_->http_server_properties(), 979 *response_.headers.get(), 980 endpoint); 981 982 int rv = HandleAuthChallenge(); 983 if (rv != OK) 984 return rv; 985 986 if (is_https_request()) 987 stream_->GetSSLInfo(&response_.ssl_info); 988 989 headers_valid_ = true; 990 return OK; 991} 992 993int HttpNetworkTransaction::DoReadBody() { 994 DCHECK(read_buf_.get()); 995 DCHECK_GT(read_buf_len_, 0); 996 DCHECK(stream_ != NULL); 997 998 next_state_ = STATE_READ_BODY_COMPLETE; 999 return stream_->ReadResponseBody( 1000 read_buf_.get(), read_buf_len_, io_callback_); 1001} 1002 1003int HttpNetworkTransaction::DoReadBodyComplete(int result) { 1004 // We are done with the Read call. 1005 bool done = false; 1006 if (result <= 0) { 1007 DCHECK_NE(ERR_IO_PENDING, result); 1008 done = true; 1009 } 1010 1011 bool keep_alive = false; 1012 if (stream_->IsResponseBodyComplete()) { 1013 // Note: Just because IsResponseBodyComplete is true, we're not 1014 // necessarily "done". We're only "done" when it is the last 1015 // read on this HttpNetworkTransaction, which will be signified 1016 // by a zero-length read. 1017 // TODO(mbelshe): The keepalive property is really a property of 1018 // the stream. No need to compute it here just to pass back 1019 // to the stream's Close function. 1020 // TODO(rtenneti): CanFindEndOfResponse should return false if there are no 1021 // ResponseHeaders. 1022 if (stream_->CanFindEndOfResponse()) { 1023 HttpResponseHeaders* headers = GetResponseHeaders(); 1024 if (headers) 1025 keep_alive = headers->IsKeepAlive(); 1026 } 1027 } 1028 1029 // Clean up connection if we are done. 1030 if (done) { 1031 LogTransactionMetrics(); 1032 stream_->Close(!keep_alive); 1033 // Note: we don't reset the stream here. We've closed it, but we still 1034 // need it around so that callers can call methods such as 1035 // GetUploadProgress() and have them be meaningful. 1036 // TODO(mbelshe): This means we closed the stream here, and we close it 1037 // again in ~HttpNetworkTransaction. Clean that up. 1038 1039 // The next Read call will return 0 (EOF). 1040 } 1041 1042 // Clear these to avoid leaving around old state. 1043 read_buf_ = NULL; 1044 read_buf_len_ = 0; 1045 1046 return result; 1047} 1048 1049int HttpNetworkTransaction::DoDrainBodyForAuthRestart() { 1050 // This method differs from DoReadBody only in the next_state_. So we just 1051 // call DoReadBody and override the next_state_. Perhaps there is a more 1052 // elegant way for these two methods to share code. 1053 int rv = DoReadBody(); 1054 DCHECK(next_state_ == STATE_READ_BODY_COMPLETE); 1055 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE; 1056 return rv; 1057} 1058 1059// TODO(wtc): This method and the DoReadBodyComplete method are almost 1060// the same. Figure out a good way for these two methods to share code. 1061int HttpNetworkTransaction::DoDrainBodyForAuthRestartComplete(int result) { 1062 // keep_alive defaults to true because the very reason we're draining the 1063 // response body is to reuse the connection for auth restart. 1064 bool done = false, keep_alive = true; 1065 if (result < 0) { 1066 // Error or closed connection while reading the socket. 1067 done = true; 1068 keep_alive = false; 1069 } else if (stream_->IsResponseBodyComplete()) { 1070 done = true; 1071 } 1072 1073 if (done) { 1074 DidDrainBodyForAuthRestart(keep_alive); 1075 } else { 1076 // Keep draining. 1077 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 1078 } 1079 1080 return OK; 1081} 1082 1083void HttpNetworkTransaction::LogTransactionConnectedMetrics() { 1084 if (logged_response_time_) 1085 return; 1086 1087 logged_response_time_ = true; 1088 1089 base::TimeDelta total_duration = response_.response_time - start_time_; 1090 1091 UMA_HISTOGRAM_CUSTOM_TIMES( 1092 "Net.Transaction_Connected", 1093 total_duration, 1094 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1095 100); 1096 1097 bool reused_socket = stream_->IsConnectionReused(); 1098 if (!reused_socket) { 1099 UMA_HISTOGRAM_CUSTOM_TIMES( 1100 "Net.Transaction_Connected_New_b", 1101 total_duration, 1102 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1103 100); 1104 } 1105 1106 // Currently, non-HIGHEST priority requests are frame or sub-frame resource 1107 // types. This will change when we also prioritize certain subresources like 1108 // css, js, etc. 1109 if (priority_ != HIGHEST) { 1110 UMA_HISTOGRAM_CUSTOM_TIMES( 1111 "Net.Priority_High_Latency_b", 1112 total_duration, 1113 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1114 100); 1115 } else { 1116 UMA_HISTOGRAM_CUSTOM_TIMES( 1117 "Net.Priority_Low_Latency_b", 1118 total_duration, 1119 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1120 100); 1121 } 1122} 1123 1124void HttpNetworkTransaction::LogTransactionMetrics() const { 1125 base::TimeDelta duration = base::Time::Now() - 1126 response_.request_time; 1127 if (60 < duration.InMinutes()) 1128 return; 1129 1130 base::TimeDelta total_duration = base::Time::Now() - start_time_; 1131 1132 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_b", duration, 1133 base::TimeDelta::FromMilliseconds(1), 1134 base::TimeDelta::FromMinutes(10), 1135 100); 1136 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_Total", 1137 total_duration, 1138 base::TimeDelta::FromMilliseconds(1), 1139 base::TimeDelta::FromMinutes(10), 100); 1140 1141 if (!stream_->IsConnectionReused()) { 1142 UMA_HISTOGRAM_CUSTOM_TIMES( 1143 "Net.Transaction_Latency_Total_New_Connection", 1144 total_duration, base::TimeDelta::FromMilliseconds(1), 1145 base::TimeDelta::FromMinutes(10), 100); 1146 } 1147} 1148 1149int HttpNetworkTransaction::HandleCertificateRequest(int error) { 1150 // There are two paths through which the server can request a certificate 1151 // from us. The first is during the initial handshake, the second is 1152 // during SSL renegotiation. 1153 // 1154 // In both cases, we want to close the connection before proceeding. 1155 // We do this for two reasons: 1156 // First, we don't want to keep the connection to the server hung for a 1157 // long time while the user selects a certificate. 1158 // Second, even if we did keep the connection open, NSS has a bug where 1159 // restarting the handshake for ClientAuth is currently broken. 1160 DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 1161 1162 if (stream_.get()) { 1163 // Since we already have a stream, we're being called as part of SSL 1164 // renegotiation. 1165 DCHECK(!stream_request_.get()); 1166 stream_->Close(true); 1167 stream_.reset(); 1168 } 1169 1170 // The server is asking for a client certificate during the initial 1171 // handshake. 1172 stream_request_.reset(); 1173 1174 // If the user selected one of the certificates in client_certs or declined 1175 // to provide one for this server before, use the past decision 1176 // automatically. 1177 scoped_refptr<X509Certificate> client_cert; 1178 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( 1179 response_.cert_request_info->host_and_port, &client_cert); 1180 if (!found_cached_cert) 1181 return error; 1182 1183 // Check that the certificate selected is still a certificate the server 1184 // is likely to accept, based on the criteria supplied in the 1185 // CertificateRequest message. 1186 if (client_cert.get()) { 1187 const std::vector<std::string>& cert_authorities = 1188 response_.cert_request_info->cert_authorities; 1189 1190 bool cert_still_valid = cert_authorities.empty() || 1191 client_cert->IsIssuedByEncoded(cert_authorities); 1192 if (!cert_still_valid) 1193 return error; 1194 } 1195 1196 // TODO(davidben): Add a unit test which covers this path; we need to be 1197 // able to send a legitimate certificate and also bypass/clear the 1198 // SSL session cache. 1199 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 1200 &proxy_ssl_config_ : &server_ssl_config_; 1201 ssl_config->send_client_cert = true; 1202 ssl_config->client_cert = client_cert; 1203 next_state_ = STATE_CREATE_STREAM; 1204 // Reset the other member variables. 1205 // Note: this is necessary only with SSL renegotiation. 1206 ResetStateForRestart(); 1207 return OK; 1208} 1209 1210// TODO(rch): This does not correctly handle errors when an SSL proxy is 1211// being used, as all of the errors are handled as if they were generated 1212// by the endpoint host, request_->url, rather than considering if they were 1213// generated by the SSL proxy. http://crbug.com/69329 1214int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { 1215 DCHECK(request_); 1216 if (server_ssl_config_.send_client_cert && 1217 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { 1218 session_->ssl_client_auth_cache()->Remove( 1219 GetHostAndPort(request_->url)); 1220 } 1221 1222 bool should_fallback = false; 1223 uint16 version_max = server_ssl_config_.version_max; 1224 1225 switch (error) { 1226 case ERR_SSL_PROTOCOL_ERROR: 1227 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: 1228 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && 1229 version_max > server_ssl_config_.version_min) { 1230 // This could be a TLS-intolerant server or a server that chose a 1231 // cipher suite defined only for higher protocol versions (such as 1232 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall 1233 // back to the next lower version and retry. 1234 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, 1235 // specifying TLS 1.1 in version_max will result in a TLS 1.0 1236 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply 1237 // repeat the TLS 1.0 handshake. To avoid this problem, the default 1238 // version_max should match the maximum protocol version supported 1239 // by the SSLClientSocket class. 1240 version_max--; 1241 1242 // Fallback to the lower SSL version. 1243 // While SSL 3.0 fallback should be eliminated because of security 1244 // reasons, there is a high risk of breaking the servers if this is 1245 // done in general. 1246 // For now SSL 3.0 fallback is disabled for Google servers first, 1247 // and will be expanded to other servers after enough experiences 1248 // have been gained showing that this experiment works well with 1249 // today's Internet. 1250 if (version_max > SSL_PROTOCOL_VERSION_SSL3 || 1251 (server_ssl_config_.unrestricted_ssl3_fallback_enabled || 1252 !TransportSecurityState::IsGooglePinnedProperty( 1253 request_->url.host(), true /* include SNI */))) { 1254 should_fallback = true; 1255 } 1256 } 1257 break; 1258 case ERR_SSL_BAD_RECORD_MAC_ALERT: 1259 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && 1260 version_max > server_ssl_config_.version_min) { 1261 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or 1262 // 1.2 ClientHello, but then return a bad_record_mac alert. See 1263 // crbug.com/260358. In order to make the fallback as minimal as 1264 // possible, this fallback is only triggered for >= TLS 1.1. 1265 version_max--; 1266 should_fallback = true; 1267 } 1268 break; 1269 } 1270 1271 if (should_fallback) { 1272 net_log_.AddEvent( 1273 NetLog::TYPE_SSL_VERSION_FALLBACK, 1274 base::Bind(&NetLogSSLVersionFallbackCallback, 1275 &request_->url, error, server_ssl_config_.version_max, 1276 version_max)); 1277 server_ssl_config_.version_max = version_max; 1278 server_ssl_config_.version_fallback = true; 1279 ResetConnectionAndRequestForResend(); 1280 error = OK; 1281 } 1282 1283 return error; 1284} 1285 1286// This method determines whether it is safe to resend the request after an 1287// IO error. It can only be called in response to request header or body 1288// write errors or response header read errors. It should not be used in 1289// other cases, such as a Connect error. 1290int HttpNetworkTransaction::HandleIOError(int error) { 1291 // SSL errors may happen at any time during the stream and indicate issues 1292 // with the underlying connection. Because the peer may request 1293 // renegotiation at any time, check and handle any possible SSL handshake 1294 // related errors. In addition to renegotiation, TLS False Start may cause 1295 // SSL handshake errors (specifically servers with buggy DEFLATE support) 1296 // to be delayed until the first Read on the underlying connection. 1297 error = HandleSSLHandshakeError(error); 1298 1299 switch (error) { 1300 // If we try to reuse a connection that the server is in the process of 1301 // closing, we may end up successfully writing out our request (or a 1302 // portion of our request) only to find a connection error when we try to 1303 // read from (or finish writing to) the socket. 1304 case ERR_CONNECTION_RESET: 1305 case ERR_CONNECTION_CLOSED: 1306 case ERR_CONNECTION_ABORTED: 1307 // There can be a race between the socket pool checking checking whether a 1308 // socket is still connected, receiving the FIN, and sending/reading data 1309 // on a reused socket. If we receive the FIN between the connectedness 1310 // check and writing/reading from the socket, we may first learn the socket 1311 // is disconnected when we get a ERR_SOCKET_NOT_CONNECTED. This will most 1312 // likely happen when trying to retrieve its IP address. 1313 // See http://crbug.com/105824 for more details. 1314 case ERR_SOCKET_NOT_CONNECTED: 1315 if (ShouldResendRequest(error)) { 1316 net_log_.AddEventWithNetErrorCode( 1317 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1318 ResetConnectionAndRequestForResend(); 1319 error = OK; 1320 } 1321 break; 1322 case ERR_PIPELINE_EVICTION: 1323 if (!session_->force_http_pipelining()) { 1324 net_log_.AddEventWithNetErrorCode( 1325 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1326 ResetConnectionAndRequestForResend(); 1327 error = OK; 1328 } 1329 break; 1330 case ERR_SPDY_PING_FAILED: 1331 case ERR_SPDY_SERVER_REFUSED_STREAM: 1332 net_log_.AddEventWithNetErrorCode( 1333 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1334 ResetConnectionAndRequestForResend(); 1335 error = OK; 1336 break; 1337 } 1338 return error; 1339} 1340 1341void HttpNetworkTransaction::ResetStateForRestart() { 1342 ResetStateForAuthRestart(); 1343 stream_.reset(); 1344} 1345 1346void HttpNetworkTransaction::ResetStateForAuthRestart() { 1347 send_start_time_ = base::TimeTicks(); 1348 send_end_time_ = base::TimeTicks(); 1349 1350 pending_auth_target_ = HttpAuth::AUTH_NONE; 1351 read_buf_ = NULL; 1352 read_buf_len_ = 0; 1353 headers_valid_ = false; 1354 request_headers_.Clear(); 1355 response_ = HttpResponseInfo(); 1356 establishing_tunnel_ = false; 1357} 1358 1359HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const { 1360 return response_.headers.get(); 1361} 1362 1363bool HttpNetworkTransaction::ShouldResendRequest(int error) const { 1364 bool connection_is_proven = stream_->IsConnectionReused(); 1365 bool has_received_headers = GetResponseHeaders() != NULL; 1366 1367 // NOTE: we resend a request only if we reused a keep-alive connection. 1368 // This automatically prevents an infinite resend loop because we'll run 1369 // out of the cached keep-alive connections eventually. 1370 if (connection_is_proven && !has_received_headers) 1371 return true; 1372 return false; 1373} 1374 1375void HttpNetworkTransaction::ResetConnectionAndRequestForResend() { 1376 if (stream_.get()) { 1377 stream_->Close(true); 1378 stream_.reset(); 1379 } 1380 1381 // We need to clear request_headers_ because it contains the real request 1382 // headers, but we may need to resend the CONNECT request first to recreate 1383 // the SSL tunnel. 1384 request_headers_.Clear(); 1385 next_state_ = STATE_CREATE_STREAM; // Resend the request. 1386} 1387 1388bool HttpNetworkTransaction::ShouldApplyProxyAuth() const { 1389 return !is_https_request() && 1390 (proxy_info_.is_https() || proxy_info_.is_http()); 1391} 1392 1393bool HttpNetworkTransaction::ShouldApplyServerAuth() const { 1394 return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA); 1395} 1396 1397int HttpNetworkTransaction::HandleAuthChallenge() { 1398 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 1399 DCHECK(headers.get()); 1400 1401 int status = headers->response_code(); 1402 if (status != HTTP_UNAUTHORIZED && 1403 status != HTTP_PROXY_AUTHENTICATION_REQUIRED) 1404 return OK; 1405 HttpAuth::Target target = status == HTTP_PROXY_AUTHENTICATION_REQUIRED ? 1406 HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER; 1407 if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct()) 1408 return ERR_UNEXPECTED_PROXY_AUTH; 1409 1410 // This case can trigger when an HTTPS server responds with a "Proxy 1411 // authentication required" status code through a non-authenticating 1412 // proxy. 1413 if (!auth_controllers_[target].get()) 1414 return ERR_UNEXPECTED_PROXY_AUTH; 1415 1416 int rv = auth_controllers_[target]->HandleAuthChallenge( 1417 headers, (request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA) != 0, false, 1418 net_log_); 1419 if (auth_controllers_[target]->HaveAuthHandler()) 1420 pending_auth_target_ = target; 1421 1422 scoped_refptr<AuthChallengeInfo> auth_info = 1423 auth_controllers_[target]->auth_info(); 1424 if (auth_info.get()) 1425 response_.auth_challenge = auth_info; 1426 1427 return rv; 1428} 1429 1430bool HttpNetworkTransaction::HaveAuth(HttpAuth::Target target) const { 1431 return auth_controllers_[target].get() && 1432 auth_controllers_[target]->HaveAuth(); 1433} 1434 1435GURL HttpNetworkTransaction::AuthURL(HttpAuth::Target target) const { 1436 switch (target) { 1437 case HttpAuth::AUTH_PROXY: { 1438 if (!proxy_info_.proxy_server().is_valid() || 1439 proxy_info_.proxy_server().is_direct()) { 1440 return GURL(); // There is no proxy server. 1441 } 1442 const char* scheme = proxy_info_.is_https() ? "https://" : "http://"; 1443 return GURL(scheme + 1444 proxy_info_.proxy_server().host_port_pair().ToString()); 1445 } 1446 case HttpAuth::AUTH_SERVER: 1447 return request_->url; 1448 default: 1449 return GURL(); 1450 } 1451} 1452 1453#define STATE_CASE(s) \ 1454 case s: \ 1455 description = base::StringPrintf("%s (0x%08X)", #s, s); \ 1456 break 1457 1458std::string HttpNetworkTransaction::DescribeState(State state) { 1459 std::string description; 1460 switch (state) { 1461 STATE_CASE(STATE_CREATE_STREAM); 1462 STATE_CASE(STATE_CREATE_STREAM_COMPLETE); 1463 STATE_CASE(STATE_INIT_REQUEST_BODY); 1464 STATE_CASE(STATE_INIT_REQUEST_BODY_COMPLETE); 1465 STATE_CASE(STATE_BUILD_REQUEST); 1466 STATE_CASE(STATE_BUILD_REQUEST_COMPLETE); 1467 STATE_CASE(STATE_SEND_REQUEST); 1468 STATE_CASE(STATE_SEND_REQUEST_COMPLETE); 1469 STATE_CASE(STATE_READ_HEADERS); 1470 STATE_CASE(STATE_READ_HEADERS_COMPLETE); 1471 STATE_CASE(STATE_READ_BODY); 1472 STATE_CASE(STATE_READ_BODY_COMPLETE); 1473 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART); 1474 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE); 1475 STATE_CASE(STATE_NONE); 1476 default: 1477 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, 1478 state); 1479 break; 1480 } 1481 return description; 1482} 1483 1484#undef STATE_CASE 1485 1486} // namespace net 1487