search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update include paths in miscellaneous content/ directories for base/process changes.
[chromium-blink-merge.git] / net / http / http_network_transaction.cc
blobc26564cf1dff09438eb528155d9d2962cbb9e8b4
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/http_network_transaction.h"
6
7 #include <set>
8 #include <vector>
9
10 #include "base/bind.h"
11 #include "base/bind_helpers.h"
12 #include "base/compiler_specific.h"
13 #include "base/format_macros.h"
14 #include "base/memory/scoped_ptr.h"
15 #include "base/metrics/field_trial.h"
16 #include "base/metrics/histogram.h"
17 #include "base/metrics/stats_counters.h"
18 #include "base/stl_util.h"
19 #include "base/strings/string_number_conversions.h"
20 #include "base/strings/string_util.h"
21 #include "base/strings/stringprintf.h"
22 #include "base/values.h"
23 #include "build/build_config.h"
24 #include "net/base/auth.h"
25 #include "net/base/host_port_pair.h"
26 #include "net/base/io_buffer.h"
27 #include "net/base/load_flags.h"
28 #include "net/base/load_timing_info.h"
29 #include "net/base/net_errors.h"
30 #include "net/base/net_util.h"
31 #include "net/base/upload_data_stream.h"
32 #include "net/http/http_auth.h"
33 #include "net/http/http_auth_handler.h"
34 #include "net/http/http_auth_handler_factory.h"
35 #include "net/http/http_basic_stream.h"
36 #include "net/http/http_chunked_decoder.h"
37 #include "net/http/http_network_session.h"
38 #include "net/http/http_proxy_client_socket.h"
39 #include "net/http/http_proxy_client_socket_pool.h"
40 #include "net/http/http_request_headers.h"
41 #include "net/http/http_request_info.h"
42 #include "net/http/http_response_headers.h"
43 #include "net/http/http_response_info.h"
44 #include "net/http/http_server_properties.h"
45 #include "net/http/http_status_code.h"
46 #include "net/http/http_stream_base.h"
47 #include "net/http/http_stream_factory.h"
48 #include "net/http/http_util.h"
49 #include "net/http/transport_security_state.h"
50 #include "net/http/url_security_manager.h"
51 #include "net/socket/client_socket_factory.h"
52 #include "net/socket/socks_client_socket_pool.h"
53 #include "net/socket/ssl_client_socket.h"
54 #include "net/socket/ssl_client_socket_pool.h"
55 #include "net/socket/transport_client_socket_pool.h"
56 #include "net/spdy/spdy_http_stream.h"
57 #include "net/spdy/spdy_session.h"
58 #include "net/spdy/spdy_session_pool.h"
59 #include "net/ssl/ssl_cert_request_info.h"
60 #include "net/ssl/ssl_connection_status_flags.h"
61 #include "url/gurl.h"
62
63 using base::Time;
64
65 namespace net {
66
67 namespace {
68
69 void ProcessAlternateProtocol(
70 HttpStreamFactory* factory,
71 const base::WeakPtr<HttpServerProperties>& http_server_properties,
72 const HttpResponseHeaders& headers,
73 const HostPortPair& http_host_port_pair) {
74 std::string alternate_protocol_str;
75
76 if (!headers.EnumerateHeader(NULL, kAlternateProtocolHeader,
77 &alternate_protocol_str)) {
78 // Header is not present.
79 return;
80 }
81
82 factory->ProcessAlternateProtocol(http_server_properties,
83 alternate_protocol_str,
84 http_host_port_pair);
85 }
86
87 // Returns true if |error| is a client certificate authentication error.
88 bool IsClientCertificateError(int error) {
89 switch (error) {
90 case ERR_BAD_SSL_CLIENT_AUTH_CERT:
91 case ERR_SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED:
92 case ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY:
93 case ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED:
94 return true;
95 default:
96 return false;
97 }
98 }
99
100 base::Value* NetLogSSLVersionFallbackCallback(
101 const GURL* url,
102 int net_error,
103 uint16 version_before,
104 uint16 version_after,
105 NetLog::LogLevel /* log_level */) {
106 base::DictionaryValue* dict = new base::DictionaryValue();
107 dict->SetString("host_and_port", GetHostAndPort(*url));
108 dict->SetInteger("net_error", net_error);
109 dict->SetInteger("version_before", version_before);
110 dict->SetInteger("version_after", version_after);
111 return dict;
112 }
113
114 } // namespace
115
116 //-----------------------------------------------------------------------------
117
118 HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority,
119 HttpNetworkSession* session)
120 : pending_auth_target_(HttpAuth::AUTH_NONE),
121 io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete,
122 base::Unretained(this))),
123 session_(session),
124 request_(NULL),
125 priority_(priority),
126 headers_valid_(false),
127 logged_response_time_(false),
128 request_headers_(),
129 read_buf_len_(0),
130 next_state_(STATE_NONE),
131 establishing_tunnel_(false) {
132 session->ssl_config_service()->GetSSLConfig(&server_ssl_config_);
133 if (session->http_stream_factory()->has_next_protos()) {
134 server_ssl_config_.next_protos =
135 session->http_stream_factory()->next_protos();
136 }
137 proxy_ssl_config_ = server_ssl_config_;
138 }
139
140 HttpNetworkTransaction::~HttpNetworkTransaction() {
141 if (stream_.get()) {
142 HttpResponseHeaders* headers = GetResponseHeaders();
143 // TODO(mbelshe): The stream_ should be able to compute whether or not the
144 // stream should be kept alive. No reason to compute here
145 // and pass it in.
146 bool try_to_keep_alive =
147 next_state_ == STATE_NONE &&
148 stream_->CanFindEndOfResponse() &&
149 (!headers || headers->IsKeepAlive());
150 if (!try_to_keep_alive) {
151 stream_->Close(true /* not reusable */);
152 } else {
153 if (stream_->IsResponseBodyComplete()) {
154 // If the response body is complete, we can just reuse the socket.
155 stream_->Close(false /* reusable */);
156 } else if (stream_->IsSpdyHttpStream()) {
157 // Doesn't really matter for SpdyHttpStream. Just close it.
158 stream_->Close(true /* not reusable */);
159 } else {
160 // Otherwise, we try to drain the response body.
161 HttpStreamBase* stream = stream_.release();
162 stream->Drain(session_.get());
163 }
164 }
165 }
166 }
167
168 int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info,
169 const CompletionCallback& callback,
170 const BoundNetLog& net_log) {
171 SIMPLE_STATS_COUNTER("HttpNetworkTransaction.Count");
172
173 net_log_ = net_log;
174 request_ = request_info;
175 start_time_ = base::Time::Now();
176
177 if (request_->load_flags & LOAD_DISABLE_CERT_REVOCATION_CHECKING) {
178 server_ssl_config_.rev_checking_enabled = false;
179 proxy_ssl_config_.rev_checking_enabled = false;
180 }
181
182 // Channel ID is enabled unless --disable-tls-channel-id flag is set,
183 // or if privacy mode is enabled.
184 bool channel_id_enabled = server_ssl_config_.channel_id_enabled &&
185 (request_->privacy_mode == kPrivacyModeDisabled);
186 server_ssl_config_.channel_id_enabled = channel_id_enabled;
187
188 next_state_ = STATE_CREATE_STREAM;
189 int rv = DoLoop(OK);
190 if (rv == ERR_IO_PENDING)
191 callback_ = callback;
192 return rv;
193 }
194
195 int HttpNetworkTransaction::RestartIgnoringLastError(
196 const CompletionCallback& callback) {
197 DCHECK(!stream_.get());
198 DCHECK(!stream_request_.get());
199 DCHECK_EQ(STATE_NONE, next_state_);
200
201 next_state_ = STATE_CREATE_STREAM;
202
203 int rv = DoLoop(OK);
204 if (rv == ERR_IO_PENDING)
205 callback_ = callback;
206 return rv;
207 }
208
209 int HttpNetworkTransaction::RestartWithCertificate(
210 X509Certificate* client_cert, const CompletionCallback& callback) {
211 // In HandleCertificateRequest(), we always tear down existing stream
212 // requests to force a new connection. So we shouldn't have one here.
213 DCHECK(!stream_request_.get());
214 DCHECK(!stream_.get());
215 DCHECK_EQ(STATE_NONE, next_state_);
216
217 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ?
218 &proxy_ssl_config_ : &server_ssl_config_;
219 ssl_config->send_client_cert = true;
220 ssl_config->client_cert = client_cert;
221 session_->ssl_client_auth_cache()->Add(
222 response_.cert_request_info->host_and_port, client_cert);
223 // Reset the other member variables.
224 // Note: this is necessary only with SSL renegotiation.
225 ResetStateForRestart();
226 next_state_ = STATE_CREATE_STREAM;
227 int rv = DoLoop(OK);
228 if (rv == ERR_IO_PENDING)
229 callback_ = callback;
230 return rv;
231 }
232
233 int HttpNetworkTransaction::RestartWithAuth(
234 const AuthCredentials& credentials, const CompletionCallback& callback) {
235 HttpAuth::Target target = pending_auth_target_;
236 if (target == HttpAuth::AUTH_NONE) {
237 NOTREACHED();
238 return ERR_UNEXPECTED;
239 }
240 pending_auth_target_ = HttpAuth::AUTH_NONE;
241
242 auth_controllers_[target]->ResetAuth(credentials);
243
244 DCHECK(callback_.is_null());
245
246 int rv = OK;
247 if (target == HttpAuth::AUTH_PROXY && establishing_tunnel_) {
248 // In this case, we've gathered credentials for use with proxy
249 // authentication of a tunnel.
250 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
251 DCHECK(stream_request_ != NULL);
252 auth_controllers_[target] = NULL;
253 ResetStateForRestart();
254 rv = stream_request_->RestartTunnelWithProxyAuth(credentials);
255 } else {
256 // In this case, we've gathered credentials for the server or the proxy
257 // but it is not during the tunneling phase.
258 DCHECK(stream_request_ == NULL);
259 PrepareForAuthRestart(target);
260 rv = DoLoop(OK);
261 }
262
263 if (rv == ERR_IO_PENDING)
264 callback_ = callback;
265 return rv;
266 }
267
268 void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) {
269 DCHECK(HaveAuth(target));
270 DCHECK(!stream_request_.get());
271
272 bool keep_alive = false;
273 // Even if the server says the connection is keep-alive, we have to be
274 // able to find the end of each response in order to reuse the connection.
275 if (GetResponseHeaders()->IsKeepAlive() &&
276 stream_->CanFindEndOfResponse()) {
277 // If the response body hasn't been completely read, we need to drain
278 // it first.
279 if (!stream_->IsResponseBodyComplete()) {
280 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART;
281 read_buf_ = new IOBuffer(kDrainBodyBufferSize); // A bit bucket.
282 read_buf_len_ = kDrainBodyBufferSize;
283 return;
284 }
285 keep_alive = true;
286 }
287
288 // We don't need to drain the response body, so we act as if we had drained
289 // the response body.
290 DidDrainBodyForAuthRestart(keep_alive);
291 }
292
293 void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) {
294 DCHECK(!stream_request_.get());
295
296 if (stream_.get()) {
297 HttpStream* new_stream = NULL;
298 if (keep_alive && stream_->IsConnectionReusable()) {
299 // We should call connection_->set_idle_time(), but this doesn't occur
300 // often enough to be worth the trouble.
301 stream_->SetConnectionReused();
302 new_stream =
303 static_cast<HttpStream*>(stream_.get())->RenewStreamForAuth();
304 }
305
306 if (!new_stream) {
307 // Close the stream and mark it as not_reusable. Even in the
308 // keep_alive case, we've determined that the stream_ is not
309 // reusable if new_stream is NULL.
310 stream_->Close(true);
311 next_state_ = STATE_CREATE_STREAM;
312 } else {
313 next_state_ = STATE_INIT_STREAM;
314 }
315 stream_.reset(new_stream);
316 }
317
318 // Reset the other member variables.
319 ResetStateForAuthRestart();
320 }
321
322 bool HttpNetworkTransaction::IsReadyToRestartForAuth() {
323 return pending_auth_target_ != HttpAuth::AUTH_NONE &&
324 HaveAuth(pending_auth_target_);
325 }
326
327 int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len,
328 const CompletionCallback& callback) {
329 DCHECK(buf);
330 DCHECK_LT(0, buf_len);
331
332 State next_state = STATE_NONE;
333
334 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders());
335 if (headers_valid_ && headers.get() && stream_request_.get()) {
336 // We're trying to read the body of the response but we're still trying
337 // to establish an SSL tunnel through an HTTP proxy. We can't read these
338 // bytes when establishing a tunnel because they might be controlled by
339 // an active network attacker. We don't worry about this for HTTP
340 // because an active network attacker can already control HTTP sessions.
341 // We reach this case when the user cancels a 407 proxy auth prompt. We
342 // also don't worry about this for an HTTPS Proxy, because the
343 // communication with the proxy is secure.
344 // See http://crbug.com/8473.
345 DCHECK(proxy_info_.is_http() || proxy_info_.is_https());
346 DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED);
347 LOG(WARNING) << "Blocked proxy response with status "
348 << headers->response_code() << " to CONNECT request for "
349 << GetHostAndPort(request_->url) << ".";
350 return ERR_TUNNEL_CONNECTION_FAILED;
351 }
352
353 // Are we using SPDY or HTTP?
354 next_state = STATE_READ_BODY;
355
356 read_buf_ = buf;
357 read_buf_len_ = buf_len;
358
359 next_state_ = next_state;
360 int rv = DoLoop(OK);
361 if (rv == ERR_IO_PENDING)
362 callback_ = callback;
363 return rv;
364 }
365
366 bool HttpNetworkTransaction::GetFullRequestHeaders(
367 HttpRequestHeaders* headers) const {
368 // TODO(ttuttle): Make sure we've populated request_headers_.
369 *headers = request_headers_;
370 return true;
371 }
372
373 const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const {
374 return ((headers_valid_ && response_.headers.get()) ||
375 response_.ssl_info.cert.get() || response_.cert_request_info.get())
376 ? &response_
377 : NULL;
378 }
379
380 LoadState HttpNetworkTransaction::GetLoadState() const {
381 // TODO(wtc): Define a new LoadState value for the
382 // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request.
383 switch (next_state_) {
384 case STATE_CREATE_STREAM_COMPLETE:
385 return stream_request_->GetLoadState();
386 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE:
387 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE:
388 case STATE_SEND_REQUEST_COMPLETE:
389 return LOAD_STATE_SENDING_REQUEST;
390 case STATE_READ_HEADERS_COMPLETE:
391 return LOAD_STATE_WAITING_FOR_RESPONSE;
392 case STATE_READ_BODY_COMPLETE:
393 return LOAD_STATE_READING_RESPONSE;
394 default:
395 return LOAD_STATE_IDLE;
396 }
397 }
398
399 UploadProgress HttpNetworkTransaction::GetUploadProgress() const {
400 if (!stream_.get())
401 return UploadProgress();
402
403 // TODO(bashi): This cast is temporary. Remove later.
404 return static_cast<HttpStream*>(stream_.get())->GetUploadProgress();
405 }
406
407 bool HttpNetworkTransaction::GetLoadTimingInfo(
408 LoadTimingInfo* load_timing_info) const {
409 if (!stream_ || !stream_->GetLoadTimingInfo(load_timing_info))
410 return false;
411
412 load_timing_info->proxy_resolve_start =
413 proxy_info_.proxy_resolve_start_time();
414 load_timing_info->proxy_resolve_end = proxy_info_.proxy_resolve_end_time();
415 load_timing_info->send_start = send_start_time_;
416 load_timing_info->send_end = send_end_time_;
417 return true;
418 }
419
420 void HttpNetworkTransaction::SetPriority(RequestPriority priority) {
421 priority_ = priority;
422 // TODO(akalin): Plumb this through to |stream_request_| and
423 // |stream_|.
424 }
425
426 void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config,
427 const ProxyInfo& used_proxy_info,
428 HttpStreamBase* stream) {
429 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
430 DCHECK(stream_request_.get());
431
432 stream_.reset(stream);
433 server_ssl_config_ = used_ssl_config;
434 proxy_info_ = used_proxy_info;
435 response_.was_npn_negotiated = stream_request_->was_npn_negotiated();
436 response_.npn_negotiated_protocol = SSLClientSocket::NextProtoToString(
437 stream_request_->protocol_negotiated());
438 response_.was_fetched_via_spdy = stream_request_->using_spdy();
439 response_.was_fetched_via_proxy = !proxy_info_.is_direct();
440
441 OnIOComplete(OK);
442 }
443
444 void HttpNetworkTransaction::OnWebSocketStreamReady(
445 const SSLConfig& used_ssl_config,
446 const ProxyInfo& used_proxy_info,
447 WebSocketStreamBase* stream) {
448 NOTREACHED() << "This function should never be called.";
449 }
450
451 void HttpNetworkTransaction::OnStreamFailed(int result,
452 const SSLConfig& used_ssl_config) {
453 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
454 DCHECK_NE(OK, result);
455 DCHECK(stream_request_.get());
456 DCHECK(!stream_.get());
457 server_ssl_config_ = used_ssl_config;
458
459 OnIOComplete(result);
460 }
461
462 void HttpNetworkTransaction::OnCertificateError(
463 int result,
464 const SSLConfig& used_ssl_config,
465 const SSLInfo& ssl_info) {
466 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
467 DCHECK_NE(OK, result);
468 DCHECK(stream_request_.get());
469 DCHECK(!stream_.get());
470
471 response_.ssl_info = ssl_info;
472 server_ssl_config_ = used_ssl_config;
473
474 // TODO(mbelshe): For now, we're going to pass the error through, and that
475 // will close the stream_request in all cases. This means that we're always
476 // going to restart an entire STATE_CREATE_STREAM, even if the connection is
477 // good and the user chooses to ignore the error. This is not ideal, but not
478 // the end of the world either.
479
480 OnIOComplete(result);
481 }
482
483 void HttpNetworkTransaction::OnNeedsProxyAuth(
484 const HttpResponseInfo& proxy_response,
485 const SSLConfig& used_ssl_config,
486 const ProxyInfo& used_proxy_info,
487 HttpAuthController* auth_controller) {
488 DCHECK(stream_request_.get());
489 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
490
491 establishing_tunnel_ = true;
492 response_.headers = proxy_response.headers;
493 response_.auth_challenge = proxy_response.auth_challenge;
494 headers_valid_ = true;
495 server_ssl_config_ = used_ssl_config;
496 proxy_info_ = used_proxy_info;
497
498 auth_controllers_[HttpAuth::AUTH_PROXY] = auth_controller;
499 pending_auth_target_ = HttpAuth::AUTH_PROXY;
500
501 DoCallback(OK);
502 }
503
504 void HttpNetworkTransaction::OnNeedsClientAuth(
505 const SSLConfig& used_ssl_config,
506 SSLCertRequestInfo* cert_info) {
507 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
508
509 server_ssl_config_ = used_ssl_config;
510 response_.cert_request_info = cert_info;
511 OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
512 }
513
514 void HttpNetworkTransaction::OnHttpsProxyTunnelResponse(
515 const HttpResponseInfo& response_info,
516 const SSLConfig& used_ssl_config,
517 const ProxyInfo& used_proxy_info,
518 HttpStreamBase* stream) {
519 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
520
521 headers_valid_ = true;
522 response_ = response_info;
523 server_ssl_config_ = used_ssl_config;
524 proxy_info_ = used_proxy_info;
525 stream_.reset(stream);
526 stream_request_.reset(); // we're done with the stream request
527 OnIOComplete(ERR_HTTPS_PROXY_TUNNEL_RESPONSE);
528 }
529
530 bool HttpNetworkTransaction::is_https_request() const {
531 return request_->url.SchemeIs("https");
532 }
533
534 void HttpNetworkTransaction::DoCallback(int rv) {
535 DCHECK_NE(rv, ERR_IO_PENDING);
536 DCHECK(!callback_.is_null());
537
538 // Since Run may result in Read being called, clear user_callback_ up front.
539 CompletionCallback c = callback_;
540 callback_.Reset();
541 c.Run(rv);
542 }
543
544 void HttpNetworkTransaction::OnIOComplete(int result) {
545 int rv = DoLoop(result);
546 if (rv != ERR_IO_PENDING)
547 DoCallback(rv);
548 }
549
550 int HttpNetworkTransaction::DoLoop(int result) {
551 DCHECK(next_state_ != STATE_NONE);
552
553 int rv = result;
554 do {
555 State state = next_state_;
556 next_state_ = STATE_NONE;
557 switch (state) {
558 case STATE_CREATE_STREAM:
559 DCHECK_EQ(OK, rv);
560 rv = DoCreateStream();
561 break;
562 case STATE_CREATE_STREAM_COMPLETE:
563 rv = DoCreateStreamComplete(rv);
564 break;
565 case STATE_INIT_STREAM:
566 DCHECK_EQ(OK, rv);
567 rv = DoInitStream();
568 break;
569 case STATE_INIT_STREAM_COMPLETE:
570 rv = DoInitStreamComplete(rv);
571 break;
572 case STATE_GENERATE_PROXY_AUTH_TOKEN:
573 DCHECK_EQ(OK, rv);
574 rv = DoGenerateProxyAuthToken();
575 break;
576 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE:
577 rv = DoGenerateProxyAuthTokenComplete(rv);
578 break;
579 case STATE_GENERATE_SERVER_AUTH_TOKEN:
580 DCHECK_EQ(OK, rv);
581 rv = DoGenerateServerAuthToken();
582 break;
583 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE:
584 rv = DoGenerateServerAuthTokenComplete(rv);
585 break;
586 case STATE_INIT_REQUEST_BODY:
587 DCHECK_EQ(OK, rv);
588 rv = DoInitRequestBody();
589 break;
590 case STATE_INIT_REQUEST_BODY_COMPLETE:
591 rv = DoInitRequestBodyComplete(rv);
592 break;
593 case STATE_BUILD_REQUEST:
594 DCHECK_EQ(OK, rv);
595 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST);
596 rv = DoBuildRequest();
597 break;
598 case STATE_BUILD_REQUEST_COMPLETE:
599 rv = DoBuildRequestComplete(rv);
600 break;
601 case STATE_SEND_REQUEST:
602 DCHECK_EQ(OK, rv);
603 rv = DoSendRequest();
604 break;
605 case STATE_SEND_REQUEST_COMPLETE:
606 rv = DoSendRequestComplete(rv);
607 net_log_.EndEventWithNetErrorCode(
608 NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, rv);
609 break;
610 case STATE_READ_HEADERS:
611 DCHECK_EQ(OK, rv);
612 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS);
613 rv = DoReadHeaders();
614 break;
615 case STATE_READ_HEADERS_COMPLETE:
616 rv = DoReadHeadersComplete(rv);
617 net_log_.EndEventWithNetErrorCode(
618 NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS, rv);
619 break;
620 case STATE_READ_BODY:
621 DCHECK_EQ(OK, rv);
622 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_BODY);
623 rv = DoReadBody();
624 break;
625 case STATE_READ_BODY_COMPLETE:
626 rv = DoReadBodyComplete(rv);
627 net_log_.EndEventWithNetErrorCode(
628 NetLog::TYPE_HTTP_TRANSACTION_READ_BODY, rv);
629 break;
630 case STATE_DRAIN_BODY_FOR_AUTH_RESTART:
631 DCHECK_EQ(OK, rv);
632 net_log_.BeginEvent(
633 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART);
634 rv = DoDrainBodyForAuthRestart();
635 break;
636 case STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE:
637 rv = DoDrainBodyForAuthRestartComplete(rv);
638 net_log_.EndEventWithNetErrorCode(
639 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART, rv);
640 break;
641 default:
642 NOTREACHED() << "bad state";
643 rv = ERR_FAILED;
644 break;
645 }
646 } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE);
647
648 return rv;
649 }
650
651 int HttpNetworkTransaction::DoCreateStream() {
652 next_state_ = STATE_CREATE_STREAM_COMPLETE;
653
654 stream_request_.reset(
655 session_->http_stream_factory()->RequestStream(
656 *request_,
657 priority_,
658 server_ssl_config_,
659 proxy_ssl_config_,
660 this,
661 net_log_));
662 DCHECK(stream_request_.get());
663 return ERR_IO_PENDING;
664 }
665
666 int HttpNetworkTransaction::DoCreateStreamComplete(int result) {
667 if (result == OK) {
668 next_state_ = STATE_INIT_STREAM;
669 DCHECK(stream_.get());
670 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
671 result = HandleCertificateRequest(result);
672 } else if (result == ERR_HTTPS_PROXY_TUNNEL_RESPONSE) {
673 // Return OK and let the caller read the proxy's error page
674 next_state_ = STATE_NONE;
675 return OK;
676 }
677
678 // Handle possible handshake errors that may have occurred if the stream
679 // used SSL for one or more of the layers.
680 result = HandleSSLHandshakeError(result);
681
682 // At this point we are done with the stream_request_.
683 stream_request_.reset();
684 return result;
685 }
686
687 int HttpNetworkTransaction::DoInitStream() {
688 DCHECK(stream_.get());
689 next_state_ = STATE_INIT_STREAM_COMPLETE;
690 return stream_->InitializeStream(request_, priority_, net_log_, io_callback_);
691 }
692
693 int HttpNetworkTransaction::DoInitStreamComplete(int result) {
694 if (result == OK) {
695 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN;
696 } else {
697 if (result < 0)
698 result = HandleIOError(result);
699
700 // The stream initialization failed, so this stream will never be useful.
701 stream_.reset();
702 }
703
704 return result;
705 }
706
707 int HttpNetworkTransaction::DoGenerateProxyAuthToken() {
708 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE;
709 if (!ShouldApplyProxyAuth())
710 return OK;
711 HttpAuth::Target target = HttpAuth::AUTH_PROXY;
712 if (!auth_controllers_[target].get())
713 auth_controllers_[target] =
714 new HttpAuthController(target,
715 AuthURL(target),
716 session_->http_auth_cache(),
717 session_->http_auth_handler_factory());
718 return auth_controllers_[target]->MaybeGenerateAuthToken(request_,
719 io_callback_,
720 net_log_);
721 }
722
723 int HttpNetworkTransaction::DoGenerateProxyAuthTokenComplete(int rv) {
724 DCHECK_NE(ERR_IO_PENDING, rv);
725 if (rv == OK)
726 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN;
727 return rv;
728 }
729
730 int HttpNetworkTransaction::DoGenerateServerAuthToken() {
731 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE;
732 HttpAuth::Target target = HttpAuth::AUTH_SERVER;
733 if (!auth_controllers_[target].get())
734 auth_controllers_[target] =
735 new HttpAuthController(target,
736 AuthURL(target),
737 session_->http_auth_cache(),
738 session_->http_auth_handler_factory());
739 if (!ShouldApplyServerAuth())
740 return OK;
741 return auth_controllers_[target]->MaybeGenerateAuthToken(request_,
742 io_callback_,
743 net_log_);
744 }
745
746 int HttpNetworkTransaction::DoGenerateServerAuthTokenComplete(int rv) {
747 DCHECK_NE(ERR_IO_PENDING, rv);
748 if (rv == OK)
749 next_state_ = STATE_INIT_REQUEST_BODY;
750 return rv;
751 }
752
753 void HttpNetworkTransaction::BuildRequestHeaders(bool using_proxy) {
754 request_headers_.SetHeader(HttpRequestHeaders::kHost,
755 GetHostAndOptionalPort(request_->url));
756
757 // For compat with HTTP/1.0 servers and proxies:
758 if (using_proxy) {
759 request_headers_.SetHeader(HttpRequestHeaders::kProxyConnection,
760 "keep-alive");
761 } else {
762 request_headers_.SetHeader(HttpRequestHeaders::kConnection, "keep-alive");
763 }
764
765 // Add a content length header?
766 if (request_->upload_data_stream) {
767 if (request_->upload_data_stream->is_chunked()) {
768 request_headers_.SetHeader(
769 HttpRequestHeaders::kTransferEncoding, "chunked");
770 } else {
771 request_headers_.SetHeader(
772 HttpRequestHeaders::kContentLength,
773 base::Uint64ToString(request_->upload_data_stream->size()));
774 }
775 } else if (request_->method == "POST" || request_->method == "PUT" ||
776 request_->method == "HEAD") {
777 // An empty POST/PUT request still needs a content length. As for HEAD,
778 // IE and Safari also add a content length header. Presumably it is to
779 // support sending a HEAD request to an URL that only expects to be sent a
780 // POST or some other method that normally would have a message body.
781 request_headers_.SetHeader(HttpRequestHeaders::kContentLength, "0");
782 }
783
784 // Honor load flags that impact proxy caches.
785 if (request_->load_flags & LOAD_BYPASS_CACHE) {
786 request_headers_.SetHeader(HttpRequestHeaders::kPragma, "no-cache");
787 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "no-cache");
788 } else if (request_->load_flags & LOAD_VALIDATE_CACHE) {
789 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "max-age=0");
790 }
791
792 if (ShouldApplyProxyAuth() && HaveAuth(HttpAuth::AUTH_PROXY))
793 auth_controllers_[HttpAuth::AUTH_PROXY]->AddAuthorizationHeader(
794 &request_headers_);
795 if (ShouldApplyServerAuth() && HaveAuth(HttpAuth::AUTH_SERVER))
796 auth_controllers_[HttpAuth::AUTH_SERVER]->AddAuthorizationHeader(
797 &request_headers_);
798
799 request_headers_.MergeFrom(request_->extra_headers);
800 response_.did_use_http_auth =
801 request_headers_.HasHeader(HttpRequestHeaders::kAuthorization) ||
802 request_headers_.HasHeader(HttpRequestHeaders::kProxyAuthorization);
803 }
804
805 int HttpNetworkTransaction::DoInitRequestBody() {
806 next_state_ = STATE_INIT_REQUEST_BODY_COMPLETE;
807 int rv = OK;
808 if (request_->upload_data_stream)
809 rv = request_->upload_data_stream->Init(io_callback_);
810 return rv;
811 }
812
813 int HttpNetworkTransaction::DoInitRequestBodyComplete(int result) {
814 if (result == OK)
815 next_state_ = STATE_BUILD_REQUEST;
816 return result;
817 }
818
819 int HttpNetworkTransaction::DoBuildRequest() {
820 next_state_ = STATE_BUILD_REQUEST_COMPLETE;
821 headers_valid_ = false;
822
823 // This is constructed lazily (instead of within our Start method), so that
824 // we have proxy info available.
825 if (request_headers_.IsEmpty()) {
826 bool using_proxy = (proxy_info_.is_http() || proxy_info_.is_https()) &&
827 !is_https_request();
828 BuildRequestHeaders(using_proxy);
829 }
830
831 return OK;
832 }
833
834 int HttpNetworkTransaction::DoBuildRequestComplete(int result) {
835 if (result == OK)
836 next_state_ = STATE_SEND_REQUEST;
837 return result;
838 }
839
840 int HttpNetworkTransaction::DoSendRequest() {
841 send_start_time_ = base::TimeTicks::Now();
842 next_state_ = STATE_SEND_REQUEST_COMPLETE;
843
844 return stream_->SendRequest(request_headers_, &response_, io_callback_);
845 }
846
847 int HttpNetworkTransaction::DoSendRequestComplete(int result) {
848 send_end_time_ = base::TimeTicks::Now();
849 if (result < 0)
850 return HandleIOError(result);
851 response_.network_accessed = true;
852 next_state_ = STATE_READ_HEADERS;
853 return OK;
854 }
855
856 int HttpNetworkTransaction::DoReadHeaders() {
857 next_state_ = STATE_READ_HEADERS_COMPLETE;
858 return stream_->ReadResponseHeaders(io_callback_);
859 }
860
861 int HttpNetworkTransaction::HandleConnectionClosedBeforeEndOfHeaders() {
862 if (!response_.headers.get() && !stream_->IsConnectionReused()) {
863 // The connection was closed before any data was sent. Likely an error
864 // rather than empty HTTP/0.9 response.
865 return ERR_EMPTY_RESPONSE;
866 }
867
868 return OK;
869 }
870
871 int HttpNetworkTransaction::DoReadHeadersComplete(int result) {
872 // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here
873 // due to SSL renegotiation.
874 if (IsCertificateError(result)) {
875 // We don't handle a certificate error during SSL renegotiation, so we
876 // have to return an error that's not in the certificate error range
877 // (-2xx).
878 LOG(ERROR) << "Got a server certificate with error " << result
879 << " during SSL renegotiation";
880 result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION;
881 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
882 // TODO(wtc): Need a test case for this code path!
883 DCHECK(stream_.get());
884 DCHECK(is_https_request());
885 response_.cert_request_info = new SSLCertRequestInfo;
886 stream_->GetSSLCertRequestInfo(response_.cert_request_info.get());
887 result = HandleCertificateRequest(result);
888 if (result == OK)
889 return result;
890 }
891
892 if (result < 0 && result != ERR_CONNECTION_CLOSED)
893 return HandleIOError(result);
894
895 if (result == ERR_CONNECTION_CLOSED && ShouldResendRequest(result)) {
896 ResetConnectionAndRequestForResend();
897 return OK;
898 }
899
900 // After we call RestartWithAuth a new response_time will be recorded, and
901 // we need to be cautious about incorrectly logging the duration across the
902 // authentication activity.
903 if (result == OK)
904 LogTransactionConnectedMetrics();
905
906 if (result == ERR_CONNECTION_CLOSED) {
907 // For now, if we get at least some data, we do the best we can to make
908 // sense of it and send it back up the stack.
909 int rv = HandleConnectionClosedBeforeEndOfHeaders();
910 if (rv != OK)
911 return rv;
912 }
913 DCHECK(response_.headers.get());
914
915 // Server-induced fallback is supported only if this is a PAC configured
916 // proxy. See: http://crbug.com/143712
917 if (response_.was_fetched_via_proxy && proxy_info_.did_use_pac_script() &&
918 response_.headers.get() != NULL) {
919 bool should_fallback =
920 response_.headers->HasHeaderValue("connection", "proxy-bypass");
921 // Additionally, fallback if a 500 is returned via the data reduction proxy.
922 // This is conservative, as the 500 might have been generated by the origin,
923 // and not the proxy.
924 #if defined(SPDY_PROXY_AUTH_ORIGIN)
925 if (!should_fallback) {
926 should_fallback =
927 response_.headers->response_code() == HTTP_INTERNAL_SERVER_ERROR &&
928 proxy_info_.proxy_server().host_port_pair().Equals(
929 HostPortPair::FromURL(GURL(SPDY_PROXY_AUTH_ORIGIN)));
930 }
931 #endif
932 if (should_fallback) {
933 ProxyService* proxy_service = session_->proxy_service();
934 if (proxy_service->MarkProxyAsBad(proxy_info_, net_log_)) {
935 // Only retry in the case of GETs. We don't want to resubmit a POST
936 // if the proxy took some action.
937 if (request_->method == "GET") {
938 ResetConnectionAndRequestForResend();
939 return OK;
940 }
941 }
942 }
943 }
944
945 // Like Net.HttpResponseCode, but only for MAIN_FRAME loads.
946 if (request_->load_flags & LOAD_MAIN_FRAME) {
947 const int response_code = response_.headers->response_code();
948 UMA_HISTOGRAM_ENUMERATION(
949 "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10);
950 }
951
952 net_log_.AddEvent(
953 NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS,
954 base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers));
955
956 if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) {
957 // HTTP/0.9 doesn't support the PUT method, so lack of response headers
958 // indicates a buggy server. See:
959 // https://bugzilla.mozilla.org/show_bug.cgi?id=193921
960 if (request_->method == "PUT")
961 return ERR_METHOD_NOT_SUPPORTED;
962 }
963
964 // Check for an intermediate 100 Continue response. An origin server is
965 // allowed to send this response even if we didn't ask for it, so we just
966 // need to skip over it.
967 // We treat any other 1xx in this same way (although in practice getting
968 // a 1xx that isn't a 100 is rare).
969 if (response_.headers->response_code() / 100 == 1) {
970 response_.headers = new HttpResponseHeaders(std::string());
971 next_state_ = STATE_READ_HEADERS;
972 return OK;
973 }
974
975 HostPortPair endpoint = HostPortPair(request_->url.HostNoBrackets(),
976 request_->url.EffectiveIntPort());
977 ProcessAlternateProtocol(session_->http_stream_factory(),
978 session_->http_server_properties(),
979 *response_.headers.get(),
980 endpoint);
981
982 int rv = HandleAuthChallenge();
983 if (rv != OK)
984 return rv;
985
986 if (is_https_request())
987 stream_->GetSSLInfo(&response_.ssl_info);
988
989 headers_valid_ = true;
990 return OK;
991 }
992
993 int HttpNetworkTransaction::DoReadBody() {
994 DCHECK(read_buf_.get());
995 DCHECK_GT(read_buf_len_, 0);
996 DCHECK(stream_ != NULL);
997
998 next_state_ = STATE_READ_BODY_COMPLETE;
999 return stream_->ReadResponseBody(
1000 read_buf_.get(), read_buf_len_, io_callback_);
1001 }
1002
1003 int HttpNetworkTransaction::DoReadBodyComplete(int result) {
1004 // We are done with the Read call.
1005 bool done = false;
1006 if (result <= 0) {
1007 DCHECK_NE(ERR_IO_PENDING, result);
1008 done = true;
1009 }
1010
1011 bool keep_alive = false;
1012 if (stream_->IsResponseBodyComplete()) {
1013 // Note: Just because IsResponseBodyComplete is true, we're not
1014 // necessarily "done". We're only "done" when it is the last
1015 // read on this HttpNetworkTransaction, which will be signified
1016 // by a zero-length read.
1017 // TODO(mbelshe): The keepalive property is really a property of
1018 // the stream. No need to compute it here just to pass back
1019 // to the stream's Close function.
1020 // TODO(rtenneti): CanFindEndOfResponse should return false if there are no
1021 // ResponseHeaders.
1022 if (stream_->CanFindEndOfResponse()) {
1023 HttpResponseHeaders* headers = GetResponseHeaders();
1024 if (headers)
1025 keep_alive = headers->IsKeepAlive();
1026 }
1027 }
1028
1029 // Clean up connection if we are done.
1030 if (done) {
1031 LogTransactionMetrics();
1032 stream_->Close(!keep_alive);
1033 // Note: we don't reset the stream here. We've closed it, but we still
1034 // need it around so that callers can call methods such as
1035 // GetUploadProgress() and have them be meaningful.
1036 // TODO(mbelshe): This means we closed the stream here, and we close it
1037 // again in ~HttpNetworkTransaction. Clean that up.
1038
1039 // The next Read call will return 0 (EOF).
1040 }
1041
1042 // Clear these to avoid leaving around old state.
1043 read_buf_ = NULL;
1044 read_buf_len_ = 0;
1045
1046 return result;
1047 }
1048
1049 int HttpNetworkTransaction::DoDrainBodyForAuthRestart() {
1050 // This method differs from DoReadBody only in the next_state_. So we just
1051 // call DoReadBody and override the next_state_. Perhaps there is a more
1052 // elegant way for these two methods to share code.
1053 int rv = DoReadBody();
1054 DCHECK(next_state_ == STATE_READ_BODY_COMPLETE);
1055 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE;
1056 return rv;
1057 }
1058
1059 // TODO(wtc): This method and the DoReadBodyComplete method are almost
1060 // the same. Figure out a good way for these two methods to share code.
1061 int HttpNetworkTransaction::DoDrainBodyForAuthRestartComplete(int result) {
1062 // keep_alive defaults to true because the very reason we're draining the
1063 // response body is to reuse the connection for auth restart.
1064 bool done = false, keep_alive = true;
1065 if (result < 0) {
1066 // Error or closed connection while reading the socket.
1067 done = true;
1068 keep_alive = false;
1069 } else if (stream_->IsResponseBodyComplete()) {
1070 done = true;
1071 }
1072
1073 if (done) {
1074 DidDrainBodyForAuthRestart(keep_alive);
1075 } else {
1076 // Keep draining.
1077 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART;
1078 }
1079
1080 return OK;
1081 }
1082
1083 void HttpNetworkTransaction::LogTransactionConnectedMetrics() {
1084 if (logged_response_time_)
1085 return;
1086
1087 logged_response_time_ = true;
1088
1089 base::TimeDelta total_duration = response_.response_time - start_time_;
1090
1091 UMA_HISTOGRAM_CUSTOM_TIMES(
1092 "Net.Transaction_Connected",
1093 total_duration,
1094 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
1095 100);
1096
1097 bool reused_socket = stream_->IsConnectionReused();
1098 if (!reused_socket) {
1099 UMA_HISTOGRAM_CUSTOM_TIMES(
1100 "Net.Transaction_Connected_New_b",
1101 total_duration,
1102 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
1103 100);
1104 }
1105
1106 // Currently, non-HIGHEST priority requests are frame or sub-frame resource
1107 // types. This will change when we also prioritize certain subresources like
1108 // css, js, etc.
1109 if (priority_ != HIGHEST) {
1110 UMA_HISTOGRAM_CUSTOM_TIMES(
1111 "Net.Priority_High_Latency_b",
1112 total_duration,
1113 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
1114 100);
1115 } else {
1116 UMA_HISTOGRAM_CUSTOM_TIMES(
1117 "Net.Priority_Low_Latency_b",
1118 total_duration,
1119 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10),
1120 100);
1121 }
1122 }
1123
1124 void HttpNetworkTransaction::LogTransactionMetrics() const {
1125 base::TimeDelta duration = base::Time::Now() -
1126 response_.request_time;
1127 if (60 < duration.InMinutes())
1128 return;
1129
1130 base::TimeDelta total_duration = base::Time::Now() - start_time_;
1131
1132 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_b", duration,
1133 base::TimeDelta::FromMilliseconds(1),
1134 base::TimeDelta::FromMinutes(10),
1135 100);
1136 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_Total",
1137 total_duration,
1138 base::TimeDelta::FromMilliseconds(1),
1139 base::TimeDelta::FromMinutes(10), 100);
1140
1141 if (!stream_->IsConnectionReused()) {
1142 UMA_HISTOGRAM_CUSTOM_TIMES(
1143 "Net.Transaction_Latency_Total_New_Connection",
1144 total_duration, base::TimeDelta::FromMilliseconds(1),
1145 base::TimeDelta::FromMinutes(10), 100);
1146 }
1147 }
1148
1149 int HttpNetworkTransaction::HandleCertificateRequest(int error) {
1150 // There are two paths through which the server can request a certificate
1151 // from us. The first is during the initial handshake, the second is
1152 // during SSL renegotiation.
1153 //
1154 // In both cases, we want to close the connection before proceeding.
1155 // We do this for two reasons:
1156 // First, we don't want to keep the connection to the server hung for a
1157 // long time while the user selects a certificate.
1158 // Second, even if we did keep the connection open, NSS has a bug where
1159 // restarting the handshake for ClientAuth is currently broken.
1160 DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
1161
1162 if (stream_.get()) {
1163 // Since we already have a stream, we're being called as part of SSL
1164 // renegotiation.
1165 DCHECK(!stream_request_.get());
1166 stream_->Close(true);
1167 stream_.reset();
1168 }
1169
1170 // The server is asking for a client certificate during the initial
1171 // handshake.
1172 stream_request_.reset();
1173
1174 // If the user selected one of the certificates in client_certs or declined
1175 // to provide one for this server before, use the past decision
1176 // automatically.
1177 scoped_refptr<X509Certificate> client_cert;
1178 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup(
1179 response_.cert_request_info->host_and_port, &client_cert);
1180 if (!found_cached_cert)
1181 return error;
1182
1183 // Check that the certificate selected is still a certificate the server
1184 // is likely to accept, based on the criteria supplied in the
1185 // CertificateRequest message.
1186 if (client_cert.get()) {
1187 const std::vector<std::string>& cert_authorities =
1188 response_.cert_request_info->cert_authorities;
1189
1190 bool cert_still_valid = cert_authorities.empty() ||
1191 client_cert->IsIssuedByEncoded(cert_authorities);
1192 if (!cert_still_valid)
1193 return error;
1194 }
1195
1196 // TODO(davidben): Add a unit test which covers this path; we need to be
1197 // able to send a legitimate certificate and also bypass/clear the
1198 // SSL session cache.
1199 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ?
1200 &proxy_ssl_config_ : &server_ssl_config_;
1201 ssl_config->send_client_cert = true;
1202 ssl_config->client_cert = client_cert;
1203 next_state_ = STATE_CREATE_STREAM;
1204 // Reset the other member variables.
1205 // Note: this is necessary only with SSL renegotiation.
1206 ResetStateForRestart();
1207 return OK;
1208 }
1209
1210 // TODO(rch): This does not correctly handle errors when an SSL proxy is
1211 // being used, as all of the errors are handled as if they were generated
1212 // by the endpoint host, request_->url, rather than considering if they were
1213 // generated by the SSL proxy. http://crbug.com/69329
1214 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
1215 DCHECK(request_);
1216 if (server_ssl_config_.send_client_cert &&
1217 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) {
1218 session_->ssl_client_auth_cache()->Remove(
1219 GetHostAndPort(request_->url));
1220 }
1221
1222 uint16 version_max = server_ssl_config_.version_max;
1223
1224 switch (error) {
1225 case ERR_SSL_PROTOCOL_ERROR:
1226 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
1227 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 &&
1228 version_max > server_ssl_config_.version_min) {
1229 // This could be a TLS-intolerant server or a server that chose a
1230 // cipher suite defined only for higher protocol versions (such as
1231 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall
1232 // back to the next lower version and retry.
1233 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1,
1234 // specifying TLS 1.1 in version_max will result in a TLS 1.0
1235 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply
1236 // repeat the TLS 1.0 handshake. To avoid this problem, the default
1237 // version_max should match the maximum protocol version supported
1238 // by the SSLClientSocket class.
1239 version_max--;
1240
1241 // Fallback to the lower SSL version.
1242 // While SSL 3.0 fallback should be eliminated because of security
1243 // reasons, there is a high risk of breaking the servers if this is
1244 // done in general.
1245 // For now SSL 3.0 fallback is disabled for Google servers first,
1246 // and will be expanded to other servers after enough experiences
1247 // have been gained showing that this experiment works well with
1248 // today's Internet.
1249 if (version_max > SSL_PROTOCOL_VERSION_SSL3 ||
1250 (server_ssl_config_.unrestricted_ssl3_fallback_enabled ||
1251 !TransportSecurityState::IsGooglePinnedProperty(
1252 request_->url.host(), true /* include SNI */))) {
1253 net_log_.AddEvent(
1254 NetLog::TYPE_SSL_VERSION_FALLBACK,
1255 base::Bind(&NetLogSSLVersionFallbackCallback,
1256 &request_->url, error, server_ssl_config_.version_max,
1257 version_max));
1258 server_ssl_config_.version_max = version_max;
1259 server_ssl_config_.version_fallback = true;
1260 ResetConnectionAndRequestForResend();
1261 error = OK;
1262 }
1263 }
1264 break;
1265 }
1266
1267 return error;
1268 }
1269
1270 // This method determines whether it is safe to resend the request after an
1271 // IO error. It can only be called in response to request header or body
1272 // write errors or response header read errors. It should not be used in
1273 // other cases, such as a Connect error.
1274 int HttpNetworkTransaction::HandleIOError(int error) {
1275 // SSL errors may happen at any time during the stream and indicate issues
1276 // with the underlying connection. Because the peer may request
1277 // renegotiation at any time, check and handle any possible SSL handshake
1278 // related errors. In addition to renegotiation, TLS False Start may cause
1279 // SSL handshake errors (specifically servers with buggy DEFLATE support)
1280 // to be delayed until the first Read on the underlying connection.
1281 error = HandleSSLHandshakeError(error);
1282
1283 switch (error) {
1284 // If we try to reuse a connection that the server is in the process of
1285 // closing, we may end up successfully writing out our request (or a
1286 // portion of our request) only to find a connection error when we try to
1287 // read from (or finish writing to) the socket.
1288 case ERR_CONNECTION_RESET:
1289 case ERR_CONNECTION_CLOSED:
1290 case ERR_CONNECTION_ABORTED:
1291 // There can be a race between the socket pool checking checking whether a
1292 // socket is still connected, receiving the FIN, and sending/reading data
1293 // on a reused socket. If we receive the FIN between the connectedness
1294 // check and writing/reading from the socket, we may first learn the socket
1295 // is disconnected when we get a ERR_SOCKET_NOT_CONNECTED. This will most
1296 // likely happen when trying to retrieve its IP address.
1297 // See http://crbug.com/105824 for more details.
1298 case ERR_SOCKET_NOT_CONNECTED:
1299 if (ShouldResendRequest(error)) {
1300 net_log_.AddEventWithNetErrorCode(
1301 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error);
1302 ResetConnectionAndRequestForResend();
1303 error = OK;
1304 }
1305 break;
1306 case ERR_PIPELINE_EVICTION:
1307 if (!session_->force_http_pipelining()) {
1308 net_log_.AddEventWithNetErrorCode(
1309 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error);
1310 ResetConnectionAndRequestForResend();
1311 error = OK;
1312 }
1313 break;
1314 case ERR_SPDY_PING_FAILED:
1315 case ERR_SPDY_SERVER_REFUSED_STREAM:
1316 net_log_.AddEventWithNetErrorCode(
1317 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error);
1318 ResetConnectionAndRequestForResend();
1319 error = OK;
1320 break;
1321 }
1322 return error;
1323 }
1324
1325 void HttpNetworkTransaction::ResetStateForRestart() {
1326 ResetStateForAuthRestart();
1327 stream_.reset();
1328 }
1329
1330 void HttpNetworkTransaction::ResetStateForAuthRestart() {
1331 send_start_time_ = base::TimeTicks();
1332 send_end_time_ = base::TimeTicks();
1333
1334 pending_auth_target_ = HttpAuth::AUTH_NONE;
1335 read_buf_ = NULL;
1336 read_buf_len_ = 0;
1337 headers_valid_ = false;
1338 request_headers_.Clear();
1339 response_ = HttpResponseInfo();
1340 establishing_tunnel_ = false;
1341 }
1342
1343 HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const {
1344 return response_.headers.get();
1345 }
1346
1347 bool HttpNetworkTransaction::ShouldResendRequest(int error) const {
1348 bool connection_is_proven = stream_->IsConnectionReused();
1349 bool has_received_headers = GetResponseHeaders() != NULL;
1350
1351 // NOTE: we resend a request only if we reused a keep-alive connection.
1352 // This automatically prevents an infinite resend loop because we'll run
1353 // out of the cached keep-alive connections eventually.
1354 if (connection_is_proven && !has_received_headers)
1355 return true;
1356 return false;
1357 }
1358
1359 void HttpNetworkTransaction::ResetConnectionAndRequestForResend() {
1360 if (stream_.get()) {
1361 stream_->Close(true);
1362 stream_.reset();
1363 }
1364
1365 // We need to clear request_headers_ because it contains the real request
1366 // headers, but we may need to resend the CONNECT request first to recreate
1367 // the SSL tunnel.
1368 request_headers_.Clear();
1369 next_state_ = STATE_CREATE_STREAM; // Resend the request.
1370 }
1371
1372 bool HttpNetworkTransaction::ShouldApplyProxyAuth() const {
1373 return !is_https_request() &&
1374 (proxy_info_.is_https() || proxy_info_.is_http());
1375 }
1376
1377 bool HttpNetworkTransaction::ShouldApplyServerAuth() const {
1378 return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA);
1379 }
1380
1381 int HttpNetworkTransaction::HandleAuthChallenge() {
1382 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders());
1383 DCHECK(headers.get());
1384
1385 int status = headers->response_code();
1386 if (status != HTTP_UNAUTHORIZED &&
1387 status != HTTP_PROXY_AUTHENTICATION_REQUIRED)
1388 return OK;
1389 HttpAuth::Target target = status == HTTP_PROXY_AUTHENTICATION_REQUIRED ?
1390 HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER;
1391 if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct())
1392 return ERR_UNEXPECTED_PROXY_AUTH;
1393
1394 // This case can trigger when an HTTPS server responds with a "Proxy
1395 // authentication required" status code through a non-authenticating
1396 // proxy.
1397 if (!auth_controllers_[target].get())
1398 return ERR_UNEXPECTED_PROXY_AUTH;
1399
1400 int rv = auth_controllers_[target]->HandleAuthChallenge(
1401 headers, (request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA) != 0, false,
1402 net_log_);
1403 if (auth_controllers_[target]->HaveAuthHandler())
1404 pending_auth_target_ = target;
1405
1406 scoped_refptr<AuthChallengeInfo> auth_info =
1407 auth_controllers_[target]->auth_info();
1408 if (auth_info.get())
1409 response_.auth_challenge = auth_info;
1410
1411 return rv;
1412 }
1413
1414 bool HttpNetworkTransaction::HaveAuth(HttpAuth::Target target) const {
1415 return auth_controllers_[target].get() &&
1416 auth_controllers_[target]->HaveAuth();
1417 }
1418
1419 GURL HttpNetworkTransaction::AuthURL(HttpAuth::Target target) const {
1420 switch (target) {
1421 case HttpAuth::AUTH_PROXY: {
1422 if (!proxy_info_.proxy_server().is_valid() ||
1423 proxy_info_.proxy_server().is_direct()) {
1424 return GURL(); // There is no proxy server.
1425 }
1426 const char* scheme = proxy_info_.is_https() ? "https://" : "http://";
1427 return GURL(scheme +
1428 proxy_info_.proxy_server().host_port_pair().ToString());
1429 }
1430 case HttpAuth::AUTH_SERVER:
1431 return request_->url;
1432 default:
1433 return GURL();
1434 }
1435 }
1436
1437 #define STATE_CASE(s) \
1438 case s: \
1439 description = base::StringPrintf("%s (0x%08X)", #s, s); \
1440 break
1441
1442 std::string HttpNetworkTransaction::DescribeState(State state) {
1443 std::string description;
1444 switch (state) {
1445 STATE_CASE(STATE_CREATE_STREAM);
1446 STATE_CASE(STATE_CREATE_STREAM_COMPLETE);
1447 STATE_CASE(STATE_INIT_REQUEST_BODY);
1448 STATE_CASE(STATE_INIT_REQUEST_BODY_COMPLETE);
1449 STATE_CASE(STATE_BUILD_REQUEST);
1450 STATE_CASE(STATE_BUILD_REQUEST_COMPLETE);
1451 STATE_CASE(STATE_SEND_REQUEST);
1452 STATE_CASE(STATE_SEND_REQUEST_COMPLETE);
1453 STATE_CASE(STATE_READ_HEADERS);
1454 STATE_CASE(STATE_READ_HEADERS_COMPLETE);
1455 STATE_CASE(STATE_READ_BODY);
1456 STATE_CASE(STATE_READ_BODY_COMPLETE);
1457 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART);
1458 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE);
1459 STATE_CASE(STATE_NONE);
1460 default:
1461 description = base::StringPrintf("Unknown state 0x%08X (%u)", state,
1462 state);
1463 break;
1464 }
1465 return description;
1466 }
1467
1468 #undef STATE_CASE
1469
1470 } // namespace net