http_network_transaction.cc revision f2477e01787aa58f445919b809d89e252beef54f
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/http/http_network_transaction.h" 6 7#include <set> 8#include <vector> 9 10#include "base/bind.h" 11#include "base/bind_helpers.h" 12#include "base/compiler_specific.h" 13#include "base/format_macros.h" 14#include "base/memory/scoped_ptr.h" 15#include "base/metrics/field_trial.h" 16#include "base/metrics/histogram.h" 17#include "base/metrics/stats_counters.h" 18#include "base/stl_util.h" 19#include "base/strings/string_number_conversions.h" 20#include "base/strings/string_util.h" 21#include "base/strings/stringprintf.h" 22#include "base/time/time.h" 23#include "base/values.h" 24#include "build/build_config.h" 25#include "net/base/auth.h" 26#include "net/base/host_port_pair.h" 27#include "net/base/io_buffer.h" 28#include "net/base/load_flags.h" 29#include "net/base/load_timing_info.h" 30#include "net/base/net_errors.h" 31#include "net/base/net_util.h" 32#include "net/base/upload_data_stream.h" 33#include "net/http/http_auth.h" 34#include "net/http/http_auth_handler.h" 35#include "net/http/http_auth_handler_factory.h" 36#include "net/http/http_basic_stream.h" 37#include "net/http/http_chunked_decoder.h" 38#include "net/http/http_network_session.h" 39#include "net/http/http_proxy_client_socket.h" 40#include "net/http/http_proxy_client_socket_pool.h" 41#include "net/http/http_request_headers.h" 42#include "net/http/http_request_info.h" 43#include "net/http/http_response_headers.h" 44#include "net/http/http_response_info.h" 45#include "net/http/http_server_properties.h" 46#include "net/http/http_status_code.h" 47#include "net/http/http_stream_base.h" 48#include "net/http/http_stream_factory.h" 49#include "net/http/http_util.h" 50#include "net/http/transport_security_state.h" 51#include "net/http/url_security_manager.h" 52#include "net/socket/client_socket_factory.h" 53#include "net/socket/socks_client_socket_pool.h" 54#include "net/socket/ssl_client_socket.h" 55#include "net/socket/ssl_client_socket_pool.h" 56#include "net/socket/transport_client_socket_pool.h" 57#include "net/spdy/spdy_http_stream.h" 58#include "net/spdy/spdy_session.h" 59#include "net/spdy/spdy_session_pool.h" 60#include "net/ssl/ssl_cert_request_info.h" 61#include "net/ssl/ssl_connection_status_flags.h" 62#include "url/gurl.h" 63 64using base::Time; 65 66namespace net { 67 68namespace { 69 70void ProcessAlternateProtocol( 71 HttpStreamFactory* factory, 72 const base::WeakPtr<HttpServerProperties>& http_server_properties, 73 const HttpResponseHeaders& headers, 74 const HostPortPair& http_host_port_pair) { 75 std::string alternate_protocol_str; 76 77 if (!headers.EnumerateHeader(NULL, kAlternateProtocolHeader, 78 &alternate_protocol_str)) { 79 // Header is not present. 80 return; 81 } 82 83 factory->ProcessAlternateProtocol(http_server_properties, 84 alternate_protocol_str, 85 http_host_port_pair); 86} 87 88// Returns true if |error| is a client certificate authentication error. 89bool IsClientCertificateError(int error) { 90 switch (error) { 91 case ERR_BAD_SSL_CLIENT_AUTH_CERT: 92 case ERR_SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED: 93 case ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY: 94 case ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: 95 return true; 96 default: 97 return false; 98 } 99} 100 101base::Value* NetLogSSLVersionFallbackCallback( 102 const GURL* url, 103 int net_error, 104 uint16 version_before, 105 uint16 version_after, 106 NetLog::LogLevel /* log_level */) { 107 base::DictionaryValue* dict = new base::DictionaryValue(); 108 dict->SetString("host_and_port", GetHostAndPort(*url)); 109 dict->SetInteger("net_error", net_error); 110 dict->SetInteger("version_before", version_before); 111 dict->SetInteger("version_after", version_after); 112 return dict; 113} 114 115} // namespace 116 117//----------------------------------------------------------------------------- 118 119HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority, 120 HttpNetworkSession* session) 121 : pending_auth_target_(HttpAuth::AUTH_NONE), 122 io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete, 123 base::Unretained(this))), 124 session_(session), 125 request_(NULL), 126 priority_(priority), 127 headers_valid_(false), 128 logged_response_time_(false), 129 request_headers_(), 130 read_buf_len_(0), 131 next_state_(STATE_NONE), 132 establishing_tunnel_(false), 133 websocket_handshake_stream_base_create_helper_(NULL) { 134 session->ssl_config_service()->GetSSLConfig(&server_ssl_config_); 135 if (session->http_stream_factory()->has_next_protos()) { 136 server_ssl_config_.next_protos = 137 session->http_stream_factory()->next_protos(); 138 } 139 proxy_ssl_config_ = server_ssl_config_; 140} 141 142HttpNetworkTransaction::~HttpNetworkTransaction() { 143 if (stream_.get()) { 144 HttpResponseHeaders* headers = GetResponseHeaders(); 145 // TODO(mbelshe): The stream_ should be able to compute whether or not the 146 // stream should be kept alive. No reason to compute here 147 // and pass it in. 148 bool try_to_keep_alive = 149 next_state_ == STATE_NONE && 150 stream_->CanFindEndOfResponse() && 151 (!headers || headers->IsKeepAlive()); 152 if (!try_to_keep_alive) { 153 stream_->Close(true /* not reusable */); 154 } else { 155 if (stream_->IsResponseBodyComplete()) { 156 // If the response body is complete, we can just reuse the socket. 157 stream_->Close(false /* reusable */); 158 } else if (stream_->IsSpdyHttpStream()) { 159 // Doesn't really matter for SpdyHttpStream. Just close it. 160 stream_->Close(true /* not reusable */); 161 } else { 162 // Otherwise, we try to drain the response body. 163 HttpStreamBase* stream = stream_.release(); 164 stream->Drain(session_); 165 } 166 } 167 } 168 169 if (request_ && request_->upload_data_stream) 170 request_->upload_data_stream->Reset(); // Invalidate pending callbacks. 171} 172 173int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info, 174 const CompletionCallback& callback, 175 const BoundNetLog& net_log) { 176 SIMPLE_STATS_COUNTER("HttpNetworkTransaction.Count"); 177 178 net_log_ = net_log; 179 request_ = request_info; 180 start_time_ = base::Time::Now(); 181 182 if (request_->load_flags & LOAD_DISABLE_CERT_REVOCATION_CHECKING) { 183 server_ssl_config_.rev_checking_enabled = false; 184 proxy_ssl_config_.rev_checking_enabled = false; 185 } 186 187 // Channel ID is enabled unless --disable-tls-channel-id flag is set, 188 // or if privacy mode is enabled. 189 bool channel_id_enabled = server_ssl_config_.channel_id_enabled && 190 (request_->privacy_mode == kPrivacyModeDisabled); 191 server_ssl_config_.channel_id_enabled = channel_id_enabled; 192 193 next_state_ = STATE_CREATE_STREAM; 194 int rv = DoLoop(OK); 195 if (rv == ERR_IO_PENDING) 196 callback_ = callback; 197 return rv; 198} 199 200int HttpNetworkTransaction::RestartIgnoringLastError( 201 const CompletionCallback& callback) { 202 DCHECK(!stream_.get()); 203 DCHECK(!stream_request_.get()); 204 DCHECK_EQ(STATE_NONE, next_state_); 205 206 next_state_ = STATE_CREATE_STREAM; 207 208 int rv = DoLoop(OK); 209 if (rv == ERR_IO_PENDING) 210 callback_ = callback; 211 return rv; 212} 213 214int HttpNetworkTransaction::RestartWithCertificate( 215 X509Certificate* client_cert, const CompletionCallback& callback) { 216 // In HandleCertificateRequest(), we always tear down existing stream 217 // requests to force a new connection. So we shouldn't have one here. 218 DCHECK(!stream_request_.get()); 219 DCHECK(!stream_.get()); 220 DCHECK_EQ(STATE_NONE, next_state_); 221 222 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 223 &proxy_ssl_config_ : &server_ssl_config_; 224 ssl_config->send_client_cert = true; 225 ssl_config->client_cert = client_cert; 226 session_->ssl_client_auth_cache()->Add( 227 response_.cert_request_info->host_and_port, client_cert); 228 // Reset the other member variables. 229 // Note: this is necessary only with SSL renegotiation. 230 ResetStateForRestart(); 231 next_state_ = STATE_CREATE_STREAM; 232 int rv = DoLoop(OK); 233 if (rv == ERR_IO_PENDING) 234 callback_ = callback; 235 return rv; 236} 237 238int HttpNetworkTransaction::RestartWithAuth( 239 const AuthCredentials& credentials, const CompletionCallback& callback) { 240 HttpAuth::Target target = pending_auth_target_; 241 if (target == HttpAuth::AUTH_NONE) { 242 NOTREACHED(); 243 return ERR_UNEXPECTED; 244 } 245 pending_auth_target_ = HttpAuth::AUTH_NONE; 246 247 auth_controllers_[target]->ResetAuth(credentials); 248 249 DCHECK(callback_.is_null()); 250 251 int rv = OK; 252 if (target == HttpAuth::AUTH_PROXY && establishing_tunnel_) { 253 // In this case, we've gathered credentials for use with proxy 254 // authentication of a tunnel. 255 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 256 DCHECK(stream_request_ != NULL); 257 auth_controllers_[target] = NULL; 258 ResetStateForRestart(); 259 rv = stream_request_->RestartTunnelWithProxyAuth(credentials); 260 } else { 261 // In this case, we've gathered credentials for the server or the proxy 262 // but it is not during the tunneling phase. 263 DCHECK(stream_request_ == NULL); 264 PrepareForAuthRestart(target); 265 rv = DoLoop(OK); 266 } 267 268 if (rv == ERR_IO_PENDING) 269 callback_ = callback; 270 return rv; 271} 272 273void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) { 274 DCHECK(HaveAuth(target)); 275 DCHECK(!stream_request_.get()); 276 277 bool keep_alive = false; 278 // Even if the server says the connection is keep-alive, we have to be 279 // able to find the end of each response in order to reuse the connection. 280 if (GetResponseHeaders()->IsKeepAlive() && 281 stream_->CanFindEndOfResponse()) { 282 // If the response body hasn't been completely read, we need to drain 283 // it first. 284 if (!stream_->IsResponseBodyComplete()) { 285 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 286 read_buf_ = new IOBuffer(kDrainBodyBufferSize); // A bit bucket. 287 read_buf_len_ = kDrainBodyBufferSize; 288 return; 289 } 290 keep_alive = true; 291 } 292 293 // We don't need to drain the response body, so we act as if we had drained 294 // the response body. 295 DidDrainBodyForAuthRestart(keep_alive); 296} 297 298void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) { 299 DCHECK(!stream_request_.get()); 300 301 if (stream_.get()) { 302 HttpStream* new_stream = NULL; 303 if (keep_alive && stream_->IsConnectionReusable()) { 304 // We should call connection_->set_idle_time(), but this doesn't occur 305 // often enough to be worth the trouble. 306 stream_->SetConnectionReused(); 307 new_stream = 308 static_cast<HttpStream*>(stream_.get())->RenewStreamForAuth(); 309 } 310 311 if (!new_stream) { 312 // Close the stream and mark it as not_reusable. Even in the 313 // keep_alive case, we've determined that the stream_ is not 314 // reusable if new_stream is NULL. 315 stream_->Close(true); 316 next_state_ = STATE_CREATE_STREAM; 317 } else { 318 next_state_ = STATE_INIT_STREAM; 319 } 320 stream_.reset(new_stream); 321 } 322 323 // Reset the other member variables. 324 ResetStateForAuthRestart(); 325} 326 327bool HttpNetworkTransaction::IsReadyToRestartForAuth() { 328 return pending_auth_target_ != HttpAuth::AUTH_NONE && 329 HaveAuth(pending_auth_target_); 330} 331 332int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len, 333 const CompletionCallback& callback) { 334 DCHECK(buf); 335 DCHECK_LT(0, buf_len); 336 337 State next_state = STATE_NONE; 338 339 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 340 if (headers_valid_ && headers.get() && stream_request_.get()) { 341 // We're trying to read the body of the response but we're still trying 342 // to establish an SSL tunnel through an HTTP proxy. We can't read these 343 // bytes when establishing a tunnel because they might be controlled by 344 // an active network attacker. We don't worry about this for HTTP 345 // because an active network attacker can already control HTTP sessions. 346 // We reach this case when the user cancels a 407 proxy auth prompt. We 347 // also don't worry about this for an HTTPS Proxy, because the 348 // communication with the proxy is secure. 349 // See http://crbug.com/8473. 350 DCHECK(proxy_info_.is_http() || proxy_info_.is_https()); 351 DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED); 352 LOG(WARNING) << "Blocked proxy response with status " 353 << headers->response_code() << " to CONNECT request for " 354 << GetHostAndPort(request_->url) << "."; 355 return ERR_TUNNEL_CONNECTION_FAILED; 356 } 357 358 // Are we using SPDY or HTTP? 359 next_state = STATE_READ_BODY; 360 361 read_buf_ = buf; 362 read_buf_len_ = buf_len; 363 364 next_state_ = next_state; 365 int rv = DoLoop(OK); 366 if (rv == ERR_IO_PENDING) 367 callback_ = callback; 368 return rv; 369} 370 371bool HttpNetworkTransaction::GetFullRequestHeaders( 372 HttpRequestHeaders* headers) const { 373 // TODO(ttuttle): Make sure we've populated request_headers_. 374 *headers = request_headers_; 375 return true; 376} 377 378const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const { 379 return ((headers_valid_ && response_.headers.get()) || 380 response_.ssl_info.cert.get() || response_.cert_request_info.get()) 381 ? &response_ 382 : NULL; 383} 384 385LoadState HttpNetworkTransaction::GetLoadState() const { 386 // TODO(wtc): Define a new LoadState value for the 387 // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request. 388 switch (next_state_) { 389 case STATE_CREATE_STREAM_COMPLETE: 390 return stream_request_->GetLoadState(); 391 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 392 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 393 case STATE_SEND_REQUEST_COMPLETE: 394 return LOAD_STATE_SENDING_REQUEST; 395 case STATE_READ_HEADERS_COMPLETE: 396 return LOAD_STATE_WAITING_FOR_RESPONSE; 397 case STATE_READ_BODY_COMPLETE: 398 return LOAD_STATE_READING_RESPONSE; 399 default: 400 return LOAD_STATE_IDLE; 401 } 402} 403 404UploadProgress HttpNetworkTransaction::GetUploadProgress() const { 405 if (!stream_.get()) 406 return UploadProgress(); 407 408 // TODO(bashi): This cast is temporary. Remove later. 409 return static_cast<HttpStream*>(stream_.get())->GetUploadProgress(); 410} 411 412bool HttpNetworkTransaction::GetLoadTimingInfo( 413 LoadTimingInfo* load_timing_info) const { 414 if (!stream_ || !stream_->GetLoadTimingInfo(load_timing_info)) 415 return false; 416 417 load_timing_info->proxy_resolve_start = 418 proxy_info_.proxy_resolve_start_time(); 419 load_timing_info->proxy_resolve_end = proxy_info_.proxy_resolve_end_time(); 420 load_timing_info->send_start = send_start_time_; 421 load_timing_info->send_end = send_end_time_; 422 return true; 423} 424 425void HttpNetworkTransaction::SetPriority(RequestPriority priority) { 426 priority_ = priority; 427 if (stream_request_) 428 stream_request_->SetPriority(priority); 429 if (stream_) 430 stream_->SetPriority(priority); 431} 432 433void HttpNetworkTransaction::SetWebSocketHandshakeStreamCreateHelper( 434 WebSocketHandshakeStreamBase::CreateHelper* create_helper) { 435 websocket_handshake_stream_base_create_helper_ = create_helper; 436} 437 438void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config, 439 const ProxyInfo& used_proxy_info, 440 HttpStreamBase* stream) { 441 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 442 DCHECK(stream_request_.get()); 443 444 stream_.reset(stream); 445 server_ssl_config_ = used_ssl_config; 446 proxy_info_ = used_proxy_info; 447 response_.was_npn_negotiated = stream_request_->was_npn_negotiated(); 448 response_.npn_negotiated_protocol = SSLClientSocket::NextProtoToString( 449 stream_request_->protocol_negotiated()); 450 response_.was_fetched_via_spdy = stream_request_->using_spdy(); 451 response_.was_fetched_via_proxy = !proxy_info_.is_direct(); 452 453 OnIOComplete(OK); 454} 455 456void HttpNetworkTransaction::OnWebSocketHandshakeStreamReady( 457 const SSLConfig& used_ssl_config, 458 const ProxyInfo& used_proxy_info, 459 WebSocketHandshakeStreamBase* stream) { 460 OnStreamReady(used_ssl_config, used_proxy_info, stream); 461} 462 463void HttpNetworkTransaction::OnStreamFailed(int result, 464 const SSLConfig& used_ssl_config) { 465 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 466 DCHECK_NE(OK, result); 467 DCHECK(stream_request_.get()); 468 DCHECK(!stream_.get()); 469 server_ssl_config_ = used_ssl_config; 470 471 OnIOComplete(result); 472} 473 474void HttpNetworkTransaction::OnCertificateError( 475 int result, 476 const SSLConfig& used_ssl_config, 477 const SSLInfo& ssl_info) { 478 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 479 DCHECK_NE(OK, result); 480 DCHECK(stream_request_.get()); 481 DCHECK(!stream_.get()); 482 483 response_.ssl_info = ssl_info; 484 server_ssl_config_ = used_ssl_config; 485 486 // TODO(mbelshe): For now, we're going to pass the error through, and that 487 // will close the stream_request in all cases. This means that we're always 488 // going to restart an entire STATE_CREATE_STREAM, even if the connection is 489 // good and the user chooses to ignore the error. This is not ideal, but not 490 // the end of the world either. 491 492 OnIOComplete(result); 493} 494 495void HttpNetworkTransaction::OnNeedsProxyAuth( 496 const HttpResponseInfo& proxy_response, 497 const SSLConfig& used_ssl_config, 498 const ProxyInfo& used_proxy_info, 499 HttpAuthController* auth_controller) { 500 DCHECK(stream_request_.get()); 501 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 502 503 establishing_tunnel_ = true; 504 response_.headers = proxy_response.headers; 505 response_.auth_challenge = proxy_response.auth_challenge; 506 headers_valid_ = true; 507 server_ssl_config_ = used_ssl_config; 508 proxy_info_ = used_proxy_info; 509 510 auth_controllers_[HttpAuth::AUTH_PROXY] = auth_controller; 511 pending_auth_target_ = HttpAuth::AUTH_PROXY; 512 513 DoCallback(OK); 514} 515 516void HttpNetworkTransaction::OnNeedsClientAuth( 517 const SSLConfig& used_ssl_config, 518 SSLCertRequestInfo* cert_info) { 519 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 520 521 server_ssl_config_ = used_ssl_config; 522 response_.cert_request_info = cert_info; 523 OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 524} 525 526void HttpNetworkTransaction::OnHttpsProxyTunnelResponse( 527 const HttpResponseInfo& response_info, 528 const SSLConfig& used_ssl_config, 529 const ProxyInfo& used_proxy_info, 530 HttpStreamBase* stream) { 531 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 532 533 headers_valid_ = true; 534 response_ = response_info; 535 server_ssl_config_ = used_ssl_config; 536 proxy_info_ = used_proxy_info; 537 stream_.reset(stream); 538 stream_request_.reset(); // we're done with the stream request 539 OnIOComplete(ERR_HTTPS_PROXY_TUNNEL_RESPONSE); 540} 541 542bool HttpNetworkTransaction::is_https_request() const { 543 return request_->url.SchemeIs("https"); 544} 545 546void HttpNetworkTransaction::DoCallback(int rv) { 547 DCHECK_NE(rv, ERR_IO_PENDING); 548 DCHECK(!callback_.is_null()); 549 550 // Since Run may result in Read being called, clear user_callback_ up front. 551 CompletionCallback c = callback_; 552 callback_.Reset(); 553 c.Run(rv); 554} 555 556void HttpNetworkTransaction::OnIOComplete(int result) { 557 int rv = DoLoop(result); 558 if (rv != ERR_IO_PENDING) 559 DoCallback(rv); 560} 561 562int HttpNetworkTransaction::DoLoop(int result) { 563 DCHECK(next_state_ != STATE_NONE); 564 565 int rv = result; 566 do { 567 State state = next_state_; 568 next_state_ = STATE_NONE; 569 switch (state) { 570 case STATE_CREATE_STREAM: 571 DCHECK_EQ(OK, rv); 572 rv = DoCreateStream(); 573 break; 574 case STATE_CREATE_STREAM_COMPLETE: 575 rv = DoCreateStreamComplete(rv); 576 break; 577 case STATE_INIT_STREAM: 578 DCHECK_EQ(OK, rv); 579 rv = DoInitStream(); 580 break; 581 case STATE_INIT_STREAM_COMPLETE: 582 rv = DoInitStreamComplete(rv); 583 break; 584 case STATE_GENERATE_PROXY_AUTH_TOKEN: 585 DCHECK_EQ(OK, rv); 586 rv = DoGenerateProxyAuthToken(); 587 break; 588 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 589 rv = DoGenerateProxyAuthTokenComplete(rv); 590 break; 591 case STATE_GENERATE_SERVER_AUTH_TOKEN: 592 DCHECK_EQ(OK, rv); 593 rv = DoGenerateServerAuthToken(); 594 break; 595 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 596 rv = DoGenerateServerAuthTokenComplete(rv); 597 break; 598 case STATE_INIT_REQUEST_BODY: 599 DCHECK_EQ(OK, rv); 600 rv = DoInitRequestBody(); 601 break; 602 case STATE_INIT_REQUEST_BODY_COMPLETE: 603 rv = DoInitRequestBodyComplete(rv); 604 break; 605 case STATE_BUILD_REQUEST: 606 DCHECK_EQ(OK, rv); 607 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST); 608 rv = DoBuildRequest(); 609 break; 610 case STATE_BUILD_REQUEST_COMPLETE: 611 rv = DoBuildRequestComplete(rv); 612 break; 613 case STATE_SEND_REQUEST: 614 DCHECK_EQ(OK, rv); 615 rv = DoSendRequest(); 616 break; 617 case STATE_SEND_REQUEST_COMPLETE: 618 rv = DoSendRequestComplete(rv); 619 net_log_.EndEventWithNetErrorCode( 620 NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, rv); 621 break; 622 case STATE_READ_HEADERS: 623 DCHECK_EQ(OK, rv); 624 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS); 625 rv = DoReadHeaders(); 626 break; 627 case STATE_READ_HEADERS_COMPLETE: 628 rv = DoReadHeadersComplete(rv); 629 net_log_.EndEventWithNetErrorCode( 630 NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS, rv); 631 break; 632 case STATE_READ_BODY: 633 DCHECK_EQ(OK, rv); 634 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_BODY); 635 rv = DoReadBody(); 636 break; 637 case STATE_READ_BODY_COMPLETE: 638 rv = DoReadBodyComplete(rv); 639 net_log_.EndEventWithNetErrorCode( 640 NetLog::TYPE_HTTP_TRANSACTION_READ_BODY, rv); 641 break; 642 case STATE_DRAIN_BODY_FOR_AUTH_RESTART: 643 DCHECK_EQ(OK, rv); 644 net_log_.BeginEvent( 645 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART); 646 rv = DoDrainBodyForAuthRestart(); 647 break; 648 case STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE: 649 rv = DoDrainBodyForAuthRestartComplete(rv); 650 net_log_.EndEventWithNetErrorCode( 651 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART, rv); 652 break; 653 default: 654 NOTREACHED() << "bad state"; 655 rv = ERR_FAILED; 656 break; 657 } 658 } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE); 659 660 return rv; 661} 662 663int HttpNetworkTransaction::DoCreateStream() { 664 next_state_ = STATE_CREATE_STREAM_COMPLETE; 665 666 if (ForWebSocketHandshake()) { 667 stream_request_.reset( 668 session_->http_stream_factory_for_websocket() 669 ->RequestWebSocketHandshakeStream( 670 *request_, 671 priority_, 672 server_ssl_config_, 673 proxy_ssl_config_, 674 this, 675 websocket_handshake_stream_base_create_helper_, 676 net_log_)); 677 } else { 678 stream_request_.reset( 679 session_->http_stream_factory()->RequestStream( 680 *request_, 681 priority_, 682 server_ssl_config_, 683 proxy_ssl_config_, 684 this, 685 net_log_)); 686 } 687 DCHECK(stream_request_.get()); 688 return ERR_IO_PENDING; 689} 690 691int HttpNetworkTransaction::DoCreateStreamComplete(int result) { 692 if (result == OK) { 693 next_state_ = STATE_INIT_STREAM; 694 DCHECK(stream_.get()); 695 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 696 result = HandleCertificateRequest(result); 697 } else if (result == ERR_HTTPS_PROXY_TUNNEL_RESPONSE) { 698 // Return OK and let the caller read the proxy's error page 699 next_state_ = STATE_NONE; 700 return OK; 701 } 702 703 // Handle possible handshake errors that may have occurred if the stream 704 // used SSL for one or more of the layers. 705 result = HandleSSLHandshakeError(result); 706 707 // At this point we are done with the stream_request_. 708 stream_request_.reset(); 709 return result; 710} 711 712int HttpNetworkTransaction::DoInitStream() { 713 DCHECK(stream_.get()); 714 next_state_ = STATE_INIT_STREAM_COMPLETE; 715 return stream_->InitializeStream(request_, priority_, net_log_, io_callback_); 716} 717 718int HttpNetworkTransaction::DoInitStreamComplete(int result) { 719 if (result == OK) { 720 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 721 } else { 722 if (result < 0) 723 result = HandleIOError(result); 724 725 // The stream initialization failed, so this stream will never be useful. 726 stream_.reset(); 727 } 728 729 return result; 730} 731 732int HttpNetworkTransaction::DoGenerateProxyAuthToken() { 733 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE; 734 if (!ShouldApplyProxyAuth()) 735 return OK; 736 HttpAuth::Target target = HttpAuth::AUTH_PROXY; 737 if (!auth_controllers_[target].get()) 738 auth_controllers_[target] = 739 new HttpAuthController(target, 740 AuthURL(target), 741 session_->http_auth_cache(), 742 session_->http_auth_handler_factory()); 743 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 744 io_callback_, 745 net_log_); 746} 747 748int HttpNetworkTransaction::DoGenerateProxyAuthTokenComplete(int rv) { 749 DCHECK_NE(ERR_IO_PENDING, rv); 750 if (rv == OK) 751 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN; 752 return rv; 753} 754 755int HttpNetworkTransaction::DoGenerateServerAuthToken() { 756 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE; 757 HttpAuth::Target target = HttpAuth::AUTH_SERVER; 758 if (!auth_controllers_[target].get()) { 759 auth_controllers_[target] = 760 new HttpAuthController(target, 761 AuthURL(target), 762 session_->http_auth_cache(), 763 session_->http_auth_handler_factory()); 764 if (request_->load_flags & LOAD_DO_NOT_USE_EMBEDDED_IDENTITY) 765 auth_controllers_[target]->DisableEmbeddedIdentity(); 766 } 767 if (!ShouldApplyServerAuth()) 768 return OK; 769 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 770 io_callback_, 771 net_log_); 772} 773 774int HttpNetworkTransaction::DoGenerateServerAuthTokenComplete(int rv) { 775 DCHECK_NE(ERR_IO_PENDING, rv); 776 if (rv == OK) 777 next_state_ = STATE_INIT_REQUEST_BODY; 778 return rv; 779} 780 781void HttpNetworkTransaction::BuildRequestHeaders(bool using_proxy) { 782 request_headers_.SetHeader(HttpRequestHeaders::kHost, 783 GetHostAndOptionalPort(request_->url)); 784 785 // For compat with HTTP/1.0 servers and proxies: 786 if (using_proxy) { 787 request_headers_.SetHeader(HttpRequestHeaders::kProxyConnection, 788 "keep-alive"); 789 } else { 790 request_headers_.SetHeader(HttpRequestHeaders::kConnection, "keep-alive"); 791 } 792 793 // Add a content length header? 794 if (request_->upload_data_stream) { 795 if (request_->upload_data_stream->is_chunked()) { 796 request_headers_.SetHeader( 797 HttpRequestHeaders::kTransferEncoding, "chunked"); 798 } else { 799 request_headers_.SetHeader( 800 HttpRequestHeaders::kContentLength, 801 base::Uint64ToString(request_->upload_data_stream->size())); 802 } 803 } else if (request_->method == "POST" || request_->method == "PUT" || 804 request_->method == "HEAD") { 805 // An empty POST/PUT request still needs a content length. As for HEAD, 806 // IE and Safari also add a content length header. Presumably it is to 807 // support sending a HEAD request to an URL that only expects to be sent a 808 // POST or some other method that normally would have a message body. 809 request_headers_.SetHeader(HttpRequestHeaders::kContentLength, "0"); 810 } 811 812 // Honor load flags that impact proxy caches. 813 if (request_->load_flags & LOAD_BYPASS_CACHE) { 814 request_headers_.SetHeader(HttpRequestHeaders::kPragma, "no-cache"); 815 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "no-cache"); 816 } else if (request_->load_flags & LOAD_VALIDATE_CACHE) { 817 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "max-age=0"); 818 } 819 820 if (ShouldApplyProxyAuth() && HaveAuth(HttpAuth::AUTH_PROXY)) 821 auth_controllers_[HttpAuth::AUTH_PROXY]->AddAuthorizationHeader( 822 &request_headers_); 823 if (ShouldApplyServerAuth() && HaveAuth(HttpAuth::AUTH_SERVER)) 824 auth_controllers_[HttpAuth::AUTH_SERVER]->AddAuthorizationHeader( 825 &request_headers_); 826 827 request_headers_.MergeFrom(request_->extra_headers); 828 response_.did_use_http_auth = 829 request_headers_.HasHeader(HttpRequestHeaders::kAuthorization) || 830 request_headers_.HasHeader(HttpRequestHeaders::kProxyAuthorization); 831} 832 833int HttpNetworkTransaction::DoInitRequestBody() { 834 next_state_ = STATE_INIT_REQUEST_BODY_COMPLETE; 835 int rv = OK; 836 if (request_->upload_data_stream) 837 rv = request_->upload_data_stream->Init(io_callback_); 838 return rv; 839} 840 841int HttpNetworkTransaction::DoInitRequestBodyComplete(int result) { 842 if (result == OK) 843 next_state_ = STATE_BUILD_REQUEST; 844 return result; 845} 846 847int HttpNetworkTransaction::DoBuildRequest() { 848 next_state_ = STATE_BUILD_REQUEST_COMPLETE; 849 headers_valid_ = false; 850 851 // This is constructed lazily (instead of within our Start method), so that 852 // we have proxy info available. 853 if (request_headers_.IsEmpty()) { 854 bool using_proxy = (proxy_info_.is_http() || proxy_info_.is_https()) && 855 !is_https_request(); 856 BuildRequestHeaders(using_proxy); 857 } 858 859 return OK; 860} 861 862int HttpNetworkTransaction::DoBuildRequestComplete(int result) { 863 if (result == OK) 864 next_state_ = STATE_SEND_REQUEST; 865 return result; 866} 867 868int HttpNetworkTransaction::DoSendRequest() { 869 send_start_time_ = base::TimeTicks::Now(); 870 next_state_ = STATE_SEND_REQUEST_COMPLETE; 871 872 return stream_->SendRequest(request_headers_, &response_, io_callback_); 873} 874 875int HttpNetworkTransaction::DoSendRequestComplete(int result) { 876 send_end_time_ = base::TimeTicks::Now(); 877 if (result < 0) 878 return HandleIOError(result); 879 response_.network_accessed = true; 880 next_state_ = STATE_READ_HEADERS; 881 return OK; 882} 883 884int HttpNetworkTransaction::DoReadHeaders() { 885 next_state_ = STATE_READ_HEADERS_COMPLETE; 886 return stream_->ReadResponseHeaders(io_callback_); 887} 888 889int HttpNetworkTransaction::HandleConnectionClosedBeforeEndOfHeaders() { 890 if (!response_.headers.get() && !stream_->IsConnectionReused()) { 891 // The connection was closed before any data was sent. Likely an error 892 // rather than empty HTTP/0.9 response. 893 return ERR_EMPTY_RESPONSE; 894 } 895 896 return OK; 897} 898 899int HttpNetworkTransaction::DoReadHeadersComplete(int result) { 900 // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here 901 // due to SSL renegotiation. 902 if (IsCertificateError(result)) { 903 // We don't handle a certificate error during SSL renegotiation, so we 904 // have to return an error that's not in the certificate error range 905 // (-2xx). 906 LOG(ERROR) << "Got a server certificate with error " << result 907 << " during SSL renegotiation"; 908 result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION; 909 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 910 // TODO(wtc): Need a test case for this code path! 911 DCHECK(stream_.get()); 912 DCHECK(is_https_request()); 913 response_.cert_request_info = new SSLCertRequestInfo; 914 stream_->GetSSLCertRequestInfo(response_.cert_request_info.get()); 915 result = HandleCertificateRequest(result); 916 if (result == OK) 917 return result; 918 } 919 920 if (result == ERR_QUIC_HANDSHAKE_FAILED) { 921 ResetConnectionAndRequestForResend(); 922 return OK; 923 } 924 925 if (result < 0 && result != ERR_CONNECTION_CLOSED) 926 return HandleIOError(result); 927 928 if (result == ERR_CONNECTION_CLOSED && ShouldResendRequest(result)) { 929 ResetConnectionAndRequestForResend(); 930 return OK; 931 } 932 933 // After we call RestartWithAuth a new response_time will be recorded, and 934 // we need to be cautious about incorrectly logging the duration across the 935 // authentication activity. 936 if (result == OK) 937 LogTransactionConnectedMetrics(); 938 939 if (result == ERR_CONNECTION_CLOSED) { 940 // For now, if we get at least some data, we do the best we can to make 941 // sense of it and send it back up the stack. 942 int rv = HandleConnectionClosedBeforeEndOfHeaders(); 943 if (rv != OK) 944 return rv; 945 } 946 DCHECK(response_.headers.get()); 947 948#if defined(SPDY_PROXY_AUTH_ORIGIN) 949 // Server-induced fallback; see: http://crbug.com/143712 950 if (response_.was_fetched_via_proxy && response_.headers.get() != NULL) { 951 ProxyService::DataReductionProxyBypassEventType proxy_bypass_event = 952 ProxyService::BYPASS_EVENT_TYPE_MAX; 953 base::TimeDelta bypass_duration; 954 bool chrome_proxy_used = 955 proxy_info_.proxy_server().isDataReductionProxy(); 956 bool chrome_fallback_proxy_used = false; 957#if defined(DATA_REDUCTION_FALLBACK_HOST) 958 if (!chrome_proxy_used) { 959 chrome_fallback_proxy_used = 960 proxy_info_.proxy_server().isDataReductionProxyFallback(); 961 } 962#endif 963 964 if (chrome_proxy_used || chrome_fallback_proxy_used) { 965 if (response_.headers->GetChromeProxyInfo(&bypass_duration)) { 966 proxy_bypass_event = 967 (bypass_duration < base::TimeDelta::FromMinutes(30) ? 968 ProxyService::SHORT_BYPASS : 969 ProxyService::LONG_BYPASS); 970 } else { 971 // Additionally, fallback if a 500 is returned via the data reduction 972 // proxy. This is conservative, as the 500 might have been generated by 973 // the origin, and not the proxy. 974 if (response_.headers->response_code() == HTTP_INTERNAL_SERVER_ERROR) 975 proxy_bypass_event = ProxyService::INTERNAL_SERVER_ERROR_BYPASS; 976 } 977 978 if (proxy_bypass_event < ProxyService::BYPASS_EVENT_TYPE_MAX) { 979 ProxyService* proxy_service = session_->proxy_service(); 980 981 proxy_service->RecordDataReductionProxyBypassInfo( 982 chrome_proxy_used, proxy_info_.proxy_server(), proxy_bypass_event); 983 984 if (proxy_service->MarkProxyAsBad(proxy_info_, bypass_duration, 985 net_log_)) { 986 // Only retry in the case of GETs. We don't want to resubmit a POST 987 // if the proxy took some action. 988 if (request_->method == "GET") { 989 ResetConnectionAndRequestForResend(); 990 return OK; 991 } 992 } 993 } 994 } 995 } 996#endif 997 998 // Like Net.HttpResponseCode, but only for MAIN_FRAME loads. 999 if (request_->load_flags & LOAD_MAIN_FRAME) { 1000 const int response_code = response_.headers->response_code(); 1001 UMA_HISTOGRAM_ENUMERATION( 1002 "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10); 1003 } 1004 1005 net_log_.AddEvent( 1006 NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS, 1007 base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers)); 1008 1009 if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) { 1010 // HTTP/0.9 doesn't support the PUT method, so lack of response headers 1011 // indicates a buggy server. See: 1012 // https://bugzilla.mozilla.org/show_bug.cgi?id=193921 1013 if (request_->method == "PUT") 1014 return ERR_METHOD_NOT_SUPPORTED; 1015 } 1016 1017 // Check for an intermediate 100 Continue response. An origin server is 1018 // allowed to send this response even if we didn't ask for it, so we just 1019 // need to skip over it. 1020 // We treat any other 1xx in this same way (although in practice getting 1021 // a 1xx that isn't a 100 is rare). 1022 // Unless this is a WebSocket request, in which case we pass it on up. 1023 if (response_.headers->response_code() / 100 == 1 && 1024 !ForWebSocketHandshake()) { 1025 response_.headers = new HttpResponseHeaders(std::string()); 1026 next_state_ = STATE_READ_HEADERS; 1027 return OK; 1028 } 1029 1030 HostPortPair endpoint = HostPortPair(request_->url.HostNoBrackets(), 1031 request_->url.EffectiveIntPort()); 1032 ProcessAlternateProtocol(session_->http_stream_factory(), 1033 session_->http_server_properties(), 1034 *response_.headers.get(), 1035 endpoint); 1036 1037 int rv = HandleAuthChallenge(); 1038 if (rv != OK) 1039 return rv; 1040 1041 if (is_https_request()) 1042 stream_->GetSSLInfo(&response_.ssl_info); 1043 1044 headers_valid_ = true; 1045 return OK; 1046} 1047 1048int HttpNetworkTransaction::DoReadBody() { 1049 DCHECK(read_buf_.get()); 1050 DCHECK_GT(read_buf_len_, 0); 1051 DCHECK(stream_ != NULL); 1052 1053 next_state_ = STATE_READ_BODY_COMPLETE; 1054 return stream_->ReadResponseBody( 1055 read_buf_.get(), read_buf_len_, io_callback_); 1056} 1057 1058int HttpNetworkTransaction::DoReadBodyComplete(int result) { 1059 // We are done with the Read call. 1060 bool done = false; 1061 if (result <= 0) { 1062 DCHECK_NE(ERR_IO_PENDING, result); 1063 done = true; 1064 } 1065 1066 bool keep_alive = false; 1067 if (stream_->IsResponseBodyComplete()) { 1068 // Note: Just because IsResponseBodyComplete is true, we're not 1069 // necessarily "done". We're only "done" when it is the last 1070 // read on this HttpNetworkTransaction, which will be signified 1071 // by a zero-length read. 1072 // TODO(mbelshe): The keepalive property is really a property of 1073 // the stream. No need to compute it here just to pass back 1074 // to the stream's Close function. 1075 // TODO(rtenneti): CanFindEndOfResponse should return false if there are no 1076 // ResponseHeaders. 1077 if (stream_->CanFindEndOfResponse()) { 1078 HttpResponseHeaders* headers = GetResponseHeaders(); 1079 if (headers) 1080 keep_alive = headers->IsKeepAlive(); 1081 } 1082 } 1083 1084 // Clean up connection if we are done. 1085 if (done) { 1086 LogTransactionMetrics(); 1087 stream_->Close(!keep_alive); 1088 // Note: we don't reset the stream here. We've closed it, but we still 1089 // need it around so that callers can call methods such as 1090 // GetUploadProgress() and have them be meaningful. 1091 // TODO(mbelshe): This means we closed the stream here, and we close it 1092 // again in ~HttpNetworkTransaction. Clean that up. 1093 1094 // The next Read call will return 0 (EOF). 1095 } 1096 1097 // Clear these to avoid leaving around old state. 1098 read_buf_ = NULL; 1099 read_buf_len_ = 0; 1100 1101 return result; 1102} 1103 1104int HttpNetworkTransaction::DoDrainBodyForAuthRestart() { 1105 // This method differs from DoReadBody only in the next_state_. So we just 1106 // call DoReadBody and override the next_state_. Perhaps there is a more 1107 // elegant way for these two methods to share code. 1108 int rv = DoReadBody(); 1109 DCHECK(next_state_ == STATE_READ_BODY_COMPLETE); 1110 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE; 1111 return rv; 1112} 1113 1114// TODO(wtc): This method and the DoReadBodyComplete method are almost 1115// the same. Figure out a good way for these two methods to share code. 1116int HttpNetworkTransaction::DoDrainBodyForAuthRestartComplete(int result) { 1117 // keep_alive defaults to true because the very reason we're draining the 1118 // response body is to reuse the connection for auth restart. 1119 bool done = false, keep_alive = true; 1120 if (result < 0) { 1121 // Error or closed connection while reading the socket. 1122 done = true; 1123 keep_alive = false; 1124 } else if (stream_->IsResponseBodyComplete()) { 1125 done = true; 1126 } 1127 1128 if (done) { 1129 DidDrainBodyForAuthRestart(keep_alive); 1130 } else { 1131 // Keep draining. 1132 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 1133 } 1134 1135 return OK; 1136} 1137 1138void HttpNetworkTransaction::LogTransactionConnectedMetrics() { 1139 if (logged_response_time_) 1140 return; 1141 1142 logged_response_time_ = true; 1143 1144 base::TimeDelta total_duration = response_.response_time - start_time_; 1145 1146 UMA_HISTOGRAM_CUSTOM_TIMES( 1147 "Net.Transaction_Connected", 1148 total_duration, 1149 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1150 100); 1151 1152 bool reused_socket = stream_->IsConnectionReused(); 1153 if (!reused_socket) { 1154 UMA_HISTOGRAM_CUSTOM_TIMES( 1155 "Net.Transaction_Connected_New_b", 1156 total_duration, 1157 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1158 100); 1159 } 1160 1161 // Currently, non-HIGHEST priority requests are frame or sub-frame resource 1162 // types. This will change when we also prioritize certain subresources like 1163 // css, js, etc. 1164 if (priority_ != HIGHEST) { 1165 UMA_HISTOGRAM_CUSTOM_TIMES( 1166 "Net.Priority_High_Latency_b", 1167 total_duration, 1168 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1169 100); 1170 } else { 1171 UMA_HISTOGRAM_CUSTOM_TIMES( 1172 "Net.Priority_Low_Latency_b", 1173 total_duration, 1174 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1175 100); 1176 } 1177} 1178 1179void HttpNetworkTransaction::LogTransactionMetrics() const { 1180 base::TimeDelta duration = base::Time::Now() - 1181 response_.request_time; 1182 if (60 < duration.InMinutes()) 1183 return; 1184 1185 base::TimeDelta total_duration = base::Time::Now() - start_time_; 1186 1187 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_b", duration, 1188 base::TimeDelta::FromMilliseconds(1), 1189 base::TimeDelta::FromMinutes(10), 1190 100); 1191 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_Total", 1192 total_duration, 1193 base::TimeDelta::FromMilliseconds(1), 1194 base::TimeDelta::FromMinutes(10), 100); 1195 1196 if (!stream_->IsConnectionReused()) { 1197 UMA_HISTOGRAM_CUSTOM_TIMES( 1198 "Net.Transaction_Latency_Total_New_Connection", 1199 total_duration, base::TimeDelta::FromMilliseconds(1), 1200 base::TimeDelta::FromMinutes(10), 100); 1201 } 1202} 1203 1204int HttpNetworkTransaction::HandleCertificateRequest(int error) { 1205 // There are two paths through which the server can request a certificate 1206 // from us. The first is during the initial handshake, the second is 1207 // during SSL renegotiation. 1208 // 1209 // In both cases, we want to close the connection before proceeding. 1210 // We do this for two reasons: 1211 // First, we don't want to keep the connection to the server hung for a 1212 // long time while the user selects a certificate. 1213 // Second, even if we did keep the connection open, NSS has a bug where 1214 // restarting the handshake for ClientAuth is currently broken. 1215 DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 1216 1217 if (stream_.get()) { 1218 // Since we already have a stream, we're being called as part of SSL 1219 // renegotiation. 1220 DCHECK(!stream_request_.get()); 1221 stream_->Close(true); 1222 stream_.reset(); 1223 } 1224 1225 // The server is asking for a client certificate during the initial 1226 // handshake. 1227 stream_request_.reset(); 1228 1229 // If the user selected one of the certificates in client_certs or declined 1230 // to provide one for this server before, use the past decision 1231 // automatically. 1232 scoped_refptr<X509Certificate> client_cert; 1233 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( 1234 response_.cert_request_info->host_and_port, &client_cert); 1235 if (!found_cached_cert) 1236 return error; 1237 1238 // Check that the certificate selected is still a certificate the server 1239 // is likely to accept, based on the criteria supplied in the 1240 // CertificateRequest message. 1241 if (client_cert.get()) { 1242 const std::vector<std::string>& cert_authorities = 1243 response_.cert_request_info->cert_authorities; 1244 1245 bool cert_still_valid = cert_authorities.empty() || 1246 client_cert->IsIssuedByEncoded(cert_authorities); 1247 if (!cert_still_valid) 1248 return error; 1249 } 1250 1251 // TODO(davidben): Add a unit test which covers this path; we need to be 1252 // able to send a legitimate certificate and also bypass/clear the 1253 // SSL session cache. 1254 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 1255 &proxy_ssl_config_ : &server_ssl_config_; 1256 ssl_config->send_client_cert = true; 1257 ssl_config->client_cert = client_cert; 1258 next_state_ = STATE_CREATE_STREAM; 1259 // Reset the other member variables. 1260 // Note: this is necessary only with SSL renegotiation. 1261 ResetStateForRestart(); 1262 return OK; 1263} 1264 1265// TODO(rch): This does not correctly handle errors when an SSL proxy is 1266// being used, as all of the errors are handled as if they were generated 1267// by the endpoint host, request_->url, rather than considering if they were 1268// generated by the SSL proxy. http://crbug.com/69329 1269int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { 1270 DCHECK(request_); 1271 if (server_ssl_config_.send_client_cert && 1272 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { 1273 session_->ssl_client_auth_cache()->Remove( 1274 GetHostAndPort(request_->url)); 1275 } 1276 1277 bool should_fallback = false; 1278 uint16 version_max = server_ssl_config_.version_max; 1279 1280 switch (error) { 1281 case ERR_SSL_PROTOCOL_ERROR: 1282 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: 1283 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && 1284 version_max > server_ssl_config_.version_min) { 1285 // This could be a TLS-intolerant server or a server that chose a 1286 // cipher suite defined only for higher protocol versions (such as 1287 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall 1288 // back to the next lower version and retry. 1289 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, 1290 // specifying TLS 1.1 in version_max will result in a TLS 1.0 1291 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply 1292 // repeat the TLS 1.0 handshake. To avoid this problem, the default 1293 // version_max should match the maximum protocol version supported 1294 // by the SSLClientSocket class. 1295 version_max--; 1296 1297 // Fallback to the lower SSL version. 1298 // While SSL 3.0 fallback should be eliminated because of security 1299 // reasons, there is a high risk of breaking the servers if this is 1300 // done in general. 1301 // For now SSL 3.0 fallback is disabled for Google servers first, 1302 // and will be expanded to other servers after enough experiences 1303 // have been gained showing that this experiment works well with 1304 // today's Internet. 1305 if (version_max > SSL_PROTOCOL_VERSION_SSL3 || 1306 (server_ssl_config_.unrestricted_ssl3_fallback_enabled || 1307 !TransportSecurityState::IsGooglePinnedProperty( 1308 request_->url.host(), true /* include SNI */))) { 1309 should_fallback = true; 1310 } 1311 } 1312 break; 1313 case ERR_SSL_BAD_RECORD_MAC_ALERT: 1314 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && 1315 version_max > server_ssl_config_.version_min) { 1316 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or 1317 // 1.2 ClientHello, but then return a bad_record_mac alert. See 1318 // crbug.com/260358. In order to make the fallback as minimal as 1319 // possible, this fallback is only triggered for >= TLS 1.1. 1320 version_max--; 1321 should_fallback = true; 1322 } 1323 break; 1324 } 1325 1326 if (should_fallback) { 1327 net_log_.AddEvent( 1328 NetLog::TYPE_SSL_VERSION_FALLBACK, 1329 base::Bind(&NetLogSSLVersionFallbackCallback, 1330 &request_->url, error, server_ssl_config_.version_max, 1331 version_max)); 1332 server_ssl_config_.version_max = version_max; 1333 server_ssl_config_.version_fallback = true; 1334 ResetConnectionAndRequestForResend(); 1335 error = OK; 1336 } 1337 1338 return error; 1339} 1340 1341// This method determines whether it is safe to resend the request after an 1342// IO error. It can only be called in response to request header or body 1343// write errors or response header read errors. It should not be used in 1344// other cases, such as a Connect error. 1345int HttpNetworkTransaction::HandleIOError(int error) { 1346 // SSL errors may happen at any time during the stream and indicate issues 1347 // with the underlying connection. Because the peer may request 1348 // renegotiation at any time, check and handle any possible SSL handshake 1349 // related errors. In addition to renegotiation, TLS False Start may cause 1350 // SSL handshake errors (specifically servers with buggy DEFLATE support) 1351 // to be delayed until the first Read on the underlying connection. 1352 error = HandleSSLHandshakeError(error); 1353 1354 switch (error) { 1355 // If we try to reuse a connection that the server is in the process of 1356 // closing, we may end up successfully writing out our request (or a 1357 // portion of our request) only to find a connection error when we try to 1358 // read from (or finish writing to) the socket. 1359 case ERR_CONNECTION_RESET: 1360 case ERR_CONNECTION_CLOSED: 1361 case ERR_CONNECTION_ABORTED: 1362 // There can be a race between the socket pool checking checking whether a 1363 // socket is still connected, receiving the FIN, and sending/reading data 1364 // on a reused socket. If we receive the FIN between the connectedness 1365 // check and writing/reading from the socket, we may first learn the socket 1366 // is disconnected when we get a ERR_SOCKET_NOT_CONNECTED. This will most 1367 // likely happen when trying to retrieve its IP address. 1368 // See http://crbug.com/105824 for more details. 1369 case ERR_SOCKET_NOT_CONNECTED: 1370 if (ShouldResendRequest(error)) { 1371 net_log_.AddEventWithNetErrorCode( 1372 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1373 ResetConnectionAndRequestForResend(); 1374 error = OK; 1375 } 1376 break; 1377 case ERR_PIPELINE_EVICTION: 1378 if (!session_->force_http_pipelining()) { 1379 net_log_.AddEventWithNetErrorCode( 1380 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1381 ResetConnectionAndRequestForResend(); 1382 error = OK; 1383 } 1384 break; 1385 case ERR_SPDY_PING_FAILED: 1386 case ERR_SPDY_SERVER_REFUSED_STREAM: 1387 case ERR_QUIC_HANDSHAKE_FAILED: 1388 net_log_.AddEventWithNetErrorCode( 1389 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1390 ResetConnectionAndRequestForResend(); 1391 error = OK; 1392 break; 1393 } 1394 return error; 1395} 1396 1397void HttpNetworkTransaction::ResetStateForRestart() { 1398 ResetStateForAuthRestart(); 1399 stream_.reset(); 1400} 1401 1402void HttpNetworkTransaction::ResetStateForAuthRestart() { 1403 send_start_time_ = base::TimeTicks(); 1404 send_end_time_ = base::TimeTicks(); 1405 1406 pending_auth_target_ = HttpAuth::AUTH_NONE; 1407 read_buf_ = NULL; 1408 read_buf_len_ = 0; 1409 headers_valid_ = false; 1410 request_headers_.Clear(); 1411 response_ = HttpResponseInfo(); 1412 establishing_tunnel_ = false; 1413} 1414 1415HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const { 1416 return response_.headers.get(); 1417} 1418 1419bool HttpNetworkTransaction::ShouldResendRequest(int error) const { 1420 bool connection_is_proven = stream_->IsConnectionReused(); 1421 bool has_received_headers = GetResponseHeaders() != NULL; 1422 1423 // NOTE: we resend a request only if we reused a keep-alive connection. 1424 // This automatically prevents an infinite resend loop because we'll run 1425 // out of the cached keep-alive connections eventually. 1426 if (connection_is_proven && !has_received_headers) 1427 return true; 1428 return false; 1429} 1430 1431void HttpNetworkTransaction::ResetConnectionAndRequestForResend() { 1432 if (stream_.get()) { 1433 stream_->Close(true); 1434 stream_.reset(); 1435 } 1436 1437 // We need to clear request_headers_ because it contains the real request 1438 // headers, but we may need to resend the CONNECT request first to recreate 1439 // the SSL tunnel. 1440 request_headers_.Clear(); 1441 next_state_ = STATE_CREATE_STREAM; // Resend the request. 1442} 1443 1444bool HttpNetworkTransaction::ShouldApplyProxyAuth() const { 1445 return !is_https_request() && 1446 (proxy_info_.is_https() || proxy_info_.is_http()); 1447} 1448 1449bool HttpNetworkTransaction::ShouldApplyServerAuth() const { 1450 return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA); 1451} 1452 1453int HttpNetworkTransaction::HandleAuthChallenge() { 1454 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 1455 DCHECK(headers.get()); 1456 1457 int status = headers->response_code(); 1458 if (status != HTTP_UNAUTHORIZED && 1459 status != HTTP_PROXY_AUTHENTICATION_REQUIRED) 1460 return OK; 1461 HttpAuth::Target target = status == HTTP_PROXY_AUTHENTICATION_REQUIRED ? 1462 HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER; 1463 if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct()) 1464 return ERR_UNEXPECTED_PROXY_AUTH; 1465 1466 // This case can trigger when an HTTPS server responds with a "Proxy 1467 // authentication required" status code through a non-authenticating 1468 // proxy. 1469 if (!auth_controllers_[target].get()) 1470 return ERR_UNEXPECTED_PROXY_AUTH; 1471 1472 int rv = auth_controllers_[target]->HandleAuthChallenge( 1473 headers, (request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA) != 0, false, 1474 net_log_); 1475 if (auth_controllers_[target]->HaveAuthHandler()) 1476 pending_auth_target_ = target; 1477 1478 scoped_refptr<AuthChallengeInfo> auth_info = 1479 auth_controllers_[target]->auth_info(); 1480 if (auth_info.get()) 1481 response_.auth_challenge = auth_info; 1482 1483 return rv; 1484} 1485 1486bool HttpNetworkTransaction::HaveAuth(HttpAuth::Target target) const { 1487 return auth_controllers_[target].get() && 1488 auth_controllers_[target]->HaveAuth(); 1489} 1490 1491GURL HttpNetworkTransaction::AuthURL(HttpAuth::Target target) const { 1492 switch (target) { 1493 case HttpAuth::AUTH_PROXY: { 1494 if (!proxy_info_.proxy_server().is_valid() || 1495 proxy_info_.proxy_server().is_direct()) { 1496 return GURL(); // There is no proxy server. 1497 } 1498 const char* scheme = proxy_info_.is_https() ? "https://" : "http://"; 1499 return GURL(scheme + 1500 proxy_info_.proxy_server().host_port_pair().ToString()); 1501 } 1502 case HttpAuth::AUTH_SERVER: 1503 return request_->url; 1504 default: 1505 return GURL(); 1506 } 1507} 1508 1509bool HttpNetworkTransaction::ForWebSocketHandshake() const { 1510 return websocket_handshake_stream_base_create_helper_ && 1511 request_->url.SchemeIsWSOrWSS(); 1512} 1513 1514#define STATE_CASE(s) \ 1515 case s: \ 1516 description = base::StringPrintf("%s (0x%08X)", #s, s); \ 1517 break 1518 1519std::string HttpNetworkTransaction::DescribeState(State state) { 1520 std::string description; 1521 switch (state) { 1522 STATE_CASE(STATE_CREATE_STREAM); 1523 STATE_CASE(STATE_CREATE_STREAM_COMPLETE); 1524 STATE_CASE(STATE_INIT_REQUEST_BODY); 1525 STATE_CASE(STATE_INIT_REQUEST_BODY_COMPLETE); 1526 STATE_CASE(STATE_BUILD_REQUEST); 1527 STATE_CASE(STATE_BUILD_REQUEST_COMPLETE); 1528 STATE_CASE(STATE_SEND_REQUEST); 1529 STATE_CASE(STATE_SEND_REQUEST_COMPLETE); 1530 STATE_CASE(STATE_READ_HEADERS); 1531 STATE_CASE(STATE_READ_HEADERS_COMPLETE); 1532 STATE_CASE(STATE_READ_BODY); 1533 STATE_CASE(STATE_READ_BODY_COMPLETE); 1534 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART); 1535 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE); 1536 STATE_CASE(STATE_NONE); 1537 default: 1538 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, 1539 state); 1540 break; 1541 } 1542 return description; 1543} 1544 1545#undef STATE_CASE 1546 1547} // namespace net 1548