search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "Reland c91b178b07b0d - Delete dead signin code (SigninGlobalError)"
[chromium-blink-merge.git] / net / http / http_network_transaction.cc
blob135d0e40bce2bbe5efd76f73c9ed60bce1b0ed13
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/http_network_transaction.h"
6
7 #include <set>
8 #include <vector>
9
10 #include "base/bind.h"
11 #include "base/bind_helpers.h"
12 #include "base/compiler_specific.h"
13 #include "base/format_macros.h"
14 #include "base/memory/scoped_ptr.h"
15 #include "base/metrics/field_trial.h"
16 #include "base/metrics/histogram_macros.h"
17 #include "base/metrics/sparse_histogram.h"
18 #include "base/profiler/scoped_tracker.h"
19 #include "base/stl_util.h"
20 #include "base/strings/string_number_conversions.h"
21 #include "base/strings/string_util.h"
22 #include "base/strings/stringprintf.h"
23 #include "base/time/time.h"
24 #include "base/values.h"
25 #include "build/build_config.h"
26 #include "net/base/auth.h"
27 #include "net/base/host_port_pair.h"
28 #include "net/base/io_buffer.h"
29 #include "net/base/load_flags.h"
30 #include "net/base/load_timing_info.h"
31 #include "net/base/net_errors.h"
32 #include "net/base/net_util.h"
33 #include "net/base/upload_data_stream.h"
34 #include "net/http/http_auth.h"
35 #include "net/http/http_auth_handler.h"
36 #include "net/http/http_auth_handler_factory.h"
37 #include "net/http/http_basic_stream.h"
38 #include "net/http/http_chunked_decoder.h"
39 #include "net/http/http_network_session.h"
40 #include "net/http/http_proxy_client_socket.h"
41 #include "net/http/http_proxy_client_socket_pool.h"
42 #include "net/http/http_request_headers.h"
43 #include "net/http/http_request_info.h"
44 #include "net/http/http_response_headers.h"
45 #include "net/http/http_response_info.h"
46 #include "net/http/http_server_properties.h"
47 #include "net/http/http_status_code.h"
48 #include "net/http/http_stream.h"
49 #include "net/http/http_stream_factory.h"
50 #include "net/http/http_util.h"
51 #include "net/http/transport_security_state.h"
52 #include "net/http/url_security_manager.h"
53 #include "net/socket/client_socket_factory.h"
54 #include "net/socket/socks_client_socket_pool.h"
55 #include "net/socket/ssl_client_socket.h"
56 #include "net/socket/ssl_client_socket_pool.h"
57 #include "net/socket/transport_client_socket_pool.h"
58 #include "net/spdy/spdy_http_stream.h"
59 #include "net/spdy/spdy_session.h"
60 #include "net/spdy/spdy_session_pool.h"
61 #include "net/ssl/ssl_cert_request_info.h"
62 #include "net/ssl/ssl_connection_status_flags.h"
63 #include "url/gurl.h"
64 #include "url/url_canon.h"
65
66 namespace net {
67
68 namespace {
69
70 void ProcessAlternativeServices(HttpNetworkSession* session,
71 const HttpResponseHeaders& headers,
72 const HostPortPair& http_host_port_pair) {
73 if (headers.HasHeader(kAlternativeServiceHeader)) {
74 std::string alternative_service_str;
75 headers.GetNormalizedHeader(kAlternativeServiceHeader,
76 &alternative_service_str);
77 session->http_stream_factory()->ProcessAlternativeService(
78 session->http_server_properties(), alternative_service_str,
79 http_host_port_pair, *session);
80 // If there is an "Alt-Svc" header, then ignore "Alternate-Protocol".
81 return;
82 }
83
84 if (!headers.HasHeader(kAlternateProtocolHeader))
85 return;
86
87 std::vector<std::string> alternate_protocol_values;
88 void* iter = NULL;
89 std::string alternate_protocol_str;
90 while (headers.EnumerateHeader(&iter, kAlternateProtocolHeader,
91 &alternate_protocol_str)) {
92 base::TrimWhitespaceASCII(alternate_protocol_str, base::TRIM_ALL,
93 &alternate_protocol_str);
94 if (!alternate_protocol_str.empty()) {
95 alternate_protocol_values.push_back(alternate_protocol_str);
96 }
97 }
98
99 session->http_stream_factory()->ProcessAlternateProtocol(
100 session->http_server_properties(),
101 alternate_protocol_values,
102 http_host_port_pair,
103 *session);
104 }
105
106 scoped_ptr<base::Value> NetLogSSLVersionFallbackCallback(
107 const GURL* url,
108 int net_error,
109 SSLFailureState ssl_failure_state,
110 uint16 version_before,
111 uint16 version_after,
112 NetLogCaptureMode /* capture_mode */) {
113 scoped_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
114 dict->SetString("host_and_port", GetHostAndPort(*url));
115 dict->SetInteger("net_error", net_error);
116 dict->SetInteger("ssl_failure_state", ssl_failure_state);
117 dict->SetInteger("version_before", version_before);
118 dict->SetInteger("version_after", version_after);
119 return dict.Pass();
120 }
121
122 scoped_ptr<base::Value> NetLogSSLCipherFallbackCallback(
123 const GURL* url,
124 int net_error,
125 NetLogCaptureMode /* capture_mode */) {
126 scoped_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
127 dict->SetString("host_and_port", GetHostAndPort(*url));
128 dict->SetInteger("net_error", net_error);
129 return dict.Pass();
130 }
131
132 } // namespace
133
134 //-----------------------------------------------------------------------------
135
136 HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority,
137 HttpNetworkSession* session)
138 : pending_auth_target_(HttpAuth::AUTH_NONE),
139 io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete,
140 base::Unretained(this))),
141 session_(session),
142 request_(NULL),
143 priority_(priority),
144 headers_valid_(false),
145 server_ssl_failure_state_(SSL_FAILURE_NONE),
146 fallback_error_code_(ERR_SSL_INAPPROPRIATE_FALLBACK),
147 fallback_failure_state_(SSL_FAILURE_NONE),
148 request_headers_(),
149 read_buf_len_(0),
150 total_received_bytes_(0),
151 next_state_(STATE_NONE),
152 establishing_tunnel_(false),
153 websocket_handshake_stream_base_create_helper_(NULL) {
154 session->ssl_config_service()->GetSSLConfig(&server_ssl_config_);
155 session->GetNextProtos(&server_ssl_config_.next_protos);
156 proxy_ssl_config_ = server_ssl_config_;
157 }
158
159 HttpNetworkTransaction::~HttpNetworkTransaction() {
160 if (stream_.get()) {
161 HttpResponseHeaders* headers = GetResponseHeaders();
162 // TODO(mbelshe): The stream_ should be able to compute whether or not the
163 // stream should be kept alive. No reason to compute here
164 // and pass it in.
165 bool try_to_keep_alive =
166 next_state_ == STATE_NONE &&
167 stream_->CanFindEndOfResponse() &&
168 (!headers || headers->IsKeepAlive());
169 if (!try_to_keep_alive) {
170 stream_->Close(true /* not reusable */);
171 } else {
172 if (stream_->IsResponseBodyComplete()) {
173 // If the response body is complete, we can just reuse the socket.
174 stream_->Close(false /* reusable */);
175 } else if (stream_->IsSpdyHttpStream()) {
176 // Doesn't really matter for SpdyHttpStream. Just close it.
177 stream_->Close(true /* not reusable */);
178 } else {
179 // Otherwise, we try to drain the response body.
180 HttpStream* stream = stream_.release();
181 stream->Drain(session_);
182 }
183 }
184 }
185
186 if (request_ && request_->upload_data_stream)
187 request_->upload_data_stream->Reset(); // Invalidate pending callbacks.
188 }
189
190 int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info,
191 const CompletionCallback& callback,
192 const BoundNetLog& net_log) {
193 net_log_ = net_log;
194 request_ = request_info;
195
196 if (request_->load_flags & LOAD_DISABLE_CERT_REVOCATION_CHECKING) {
197 server_ssl_config_.rev_checking_enabled = false;
198 proxy_ssl_config_.rev_checking_enabled = false;
199 }
200
201 if (request_->load_flags & LOAD_PREFETCH)
202 response_.unused_since_prefetch = true;
203
204 // Channel ID is disabled if privacy mode is enabled for this request.
205 if (request_->privacy_mode == PRIVACY_MODE_ENABLED)
206 server_ssl_config_.channel_id_enabled = false;
207
208 next_state_ = STATE_NOTIFY_BEFORE_CREATE_STREAM;
209 int rv = DoLoop(OK);
210 if (rv == ERR_IO_PENDING)
211 callback_ = callback;
212 return rv;
213 }
214
215 int HttpNetworkTransaction::RestartIgnoringLastError(
216 const CompletionCallback& callback) {
217 DCHECK(!stream_.get());
218 DCHECK(!stream_request_.get());
219 DCHECK_EQ(STATE_NONE, next_state_);
220
221 next_state_ = STATE_CREATE_STREAM;
222
223 int rv = DoLoop(OK);
224 if (rv == ERR_IO_PENDING)
225 callback_ = callback;
226 return rv;
227 }
228
229 int HttpNetworkTransaction::RestartWithCertificate(
230 X509Certificate* client_cert, const CompletionCallback& callback) {
231 // In HandleCertificateRequest(), we always tear down existing stream
232 // requests to force a new connection. So we shouldn't have one here.
233 DCHECK(!stream_request_.get());
234 DCHECK(!stream_.get());
235 DCHECK_EQ(STATE_NONE, next_state_);
236
237 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ?
238 &proxy_ssl_config_ : &server_ssl_config_;
239 ssl_config->send_client_cert = true;
240 ssl_config->client_cert = client_cert;
241 session_->ssl_client_auth_cache()->Add(
242 response_.cert_request_info->host_and_port, client_cert);
243 // Reset the other member variables.
244 // Note: this is necessary only with SSL renegotiation.
245 ResetStateForRestart();
246 next_state_ = STATE_CREATE_STREAM;
247 int rv = DoLoop(OK);
248 if (rv == ERR_IO_PENDING)
249 callback_ = callback;
250 return rv;
251 }
252
253 int HttpNetworkTransaction::RestartWithAuth(
254 const AuthCredentials& credentials, const CompletionCallback& callback) {
255 HttpAuth::Target target = pending_auth_target_;
256 if (target == HttpAuth::AUTH_NONE) {
257 NOTREACHED();
258 return ERR_UNEXPECTED;
259 }
260 pending_auth_target_ = HttpAuth::AUTH_NONE;
261
262 auth_controllers_[target]->ResetAuth(credentials);
263
264 DCHECK(callback_.is_null());
265
266 int rv = OK;
267 if (target == HttpAuth::AUTH_PROXY && establishing_tunnel_) {
268 // In this case, we've gathered credentials for use with proxy
269 // authentication of a tunnel.
270 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
271 DCHECK(stream_request_ != NULL);
272 auth_controllers_[target] = NULL;
273 ResetStateForRestart();
274 rv = stream_request_->RestartTunnelWithProxyAuth(credentials);
275 } else {
276 // In this case, we've gathered credentials for the server or the proxy
277 // but it is not during the tunneling phase.
278 DCHECK(stream_request_ == NULL);
279 PrepareForAuthRestart(target);
280 rv = DoLoop(OK);
281 }
282
283 if (rv == ERR_IO_PENDING)
284 callback_ = callback;
285 return rv;
286 }
287
288 void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) {
289 DCHECK(HaveAuth(target));
290 DCHECK(!stream_request_.get());
291
292 bool keep_alive = false;
293 // Even if the server says the connection is keep-alive, we have to be
294 // able to find the end of each response in order to reuse the connection.
295 if (GetResponseHeaders()->IsKeepAlive() &&
296 stream_->CanFindEndOfResponse()) {
297 // If the response body hasn't been completely read, we need to drain
298 // it first.
299 if (!stream_->IsResponseBodyComplete()) {
300 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART;
301 read_buf_ = new IOBuffer(kDrainBodyBufferSize); // A bit bucket.
302 read_buf_len_ = kDrainBodyBufferSize;
303 return;
304 }
305 keep_alive = true;
306 }
307
308 // We don't need to drain the response body, so we act as if we had drained
309 // the response body.
310 DidDrainBodyForAuthRestart(keep_alive);
311 }
312
313 void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) {
314 DCHECK(!stream_request_.get());
315
316 if (stream_.get()) {
317 total_received_bytes_ += stream_->GetTotalReceivedBytes();
318 HttpStream* new_stream = NULL;
319 if (keep_alive && stream_->IsConnectionReusable()) {
320 // We should call connection_->set_idle_time(), but this doesn't occur
321 // often enough to be worth the trouble.
322 stream_->SetConnectionReused();
323 new_stream = stream_->RenewStreamForAuth();
324 }
325
326 if (!new_stream) {
327 // Close the stream and mark it as not_reusable. Even in the
328 // keep_alive case, we've determined that the stream_ is not
329 // reusable if new_stream is NULL.
330 stream_->Close(true);
331 next_state_ = STATE_CREATE_STREAM;
332 } else {
333 // Renewed streams shouldn't carry over received bytes.
334 DCHECK_EQ(0, new_stream->GetTotalReceivedBytes());
335 next_state_ = STATE_INIT_STREAM;
336 }
337 stream_.reset(new_stream);
338 }
339
340 // Reset the other member variables.
341 ResetStateForAuthRestart();
342 }
343
344 bool HttpNetworkTransaction::IsReadyToRestartForAuth() {
345 return pending_auth_target_ != HttpAuth::AUTH_NONE &&
346 HaveAuth(pending_auth_target_);
347 }
348
349 int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len,
350 const CompletionCallback& callback) {
351 DCHECK(buf);
352 DCHECK_LT(0, buf_len);
353
354 State next_state = STATE_NONE;
355
356 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders());
357 if (headers_valid_ && headers.get() && stream_request_.get()) {
358 // We're trying to read the body of the response but we're still trying
359 // to establish an SSL tunnel through an HTTP proxy. We can't read these
360 // bytes when establishing a tunnel because they might be controlled by
361 // an active network attacker. We don't worry about this for HTTP
362 // because an active network attacker can already control HTTP sessions.
363 // We reach this case when the user cancels a 407 proxy auth prompt. We
364 // also don't worry about this for an HTTPS Proxy, because the
365 // communication with the proxy is secure.
366 // See http://crbug.com/8473.
367 DCHECK(proxy_info_.is_http() || proxy_info_.is_https());
368 DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED);
369 LOG(WARNING) << "Blocked proxy response with status "
370 << headers->response_code() << " to CONNECT request for "
371 << GetHostAndPort(request_->url) << ".";
372 return ERR_TUNNEL_CONNECTION_FAILED;
373 }
374
375 // Are we using SPDY or HTTP?
376 next_state = STATE_READ_BODY;
377
378 read_buf_ = buf;
379 read_buf_len_ = buf_len;
380
381 next_state_ = next_state;
382 int rv = DoLoop(OK);
383 if (rv == ERR_IO_PENDING)
384 callback_ = callback;
385 return rv;
386 }
387
388 void HttpNetworkTransaction::StopCaching() {}
389
390 bool HttpNetworkTransaction::GetFullRequestHeaders(
391 HttpRequestHeaders* headers) const {
392 // TODO(ttuttle): Make sure we've populated request_headers_.
393 *headers = request_headers_;
394 return true;
395 }
396
397 int64 HttpNetworkTransaction::GetTotalReceivedBytes() const {
398 int64 total_received_bytes = total_received_bytes_;
399 if (stream_)
400 total_received_bytes += stream_->GetTotalReceivedBytes();
401 return total_received_bytes;
402 }
403
404 void HttpNetworkTransaction::DoneReading() {}
405
406 const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const {
407 return &response_;
408 }
409
410 LoadState HttpNetworkTransaction::GetLoadState() const {
411 // TODO(wtc): Define a new LoadState value for the
412 // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request.
413 switch (next_state_) {
414 case STATE_CREATE_STREAM:
415 return LOAD_STATE_WAITING_FOR_DELEGATE;
416 case STATE_CREATE_STREAM_COMPLETE:
417 return stream_request_->GetLoadState();
418 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE:
419 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE:
420 case STATE_SEND_REQUEST_COMPLETE:
421 return LOAD_STATE_SENDING_REQUEST;
422 case STATE_READ_HEADERS_COMPLETE:
423 return LOAD_STATE_WAITING_FOR_RESPONSE;
424 case STATE_READ_BODY_COMPLETE:
425 return LOAD_STATE_READING_RESPONSE;
426 default:
427 return LOAD_STATE_IDLE;
428 }
429 }
430
431 UploadProgress HttpNetworkTransaction::GetUploadProgress() const {
432 if (!stream_.get())
433 return UploadProgress();
434
435 return stream_->GetUploadProgress();
436 }
437
438 void HttpNetworkTransaction::SetQuicServerInfo(
439 QuicServerInfo* quic_server_info) {}
440
441 bool HttpNetworkTransaction::GetLoadTimingInfo(
442 LoadTimingInfo* load_timing_info) const {
443 if (!stream_ || !stream_->GetLoadTimingInfo(load_timing_info))
444 return false;
445
446 load_timing_info->proxy_resolve_start =
447 proxy_info_.proxy_resolve_start_time();
448 load_timing_info->proxy_resolve_end = proxy_info_.proxy_resolve_end_time();
449 load_timing_info->send_start = send_start_time_;
450 load_timing_info->send_end = send_end_time_;
451 return true;
452 }
453
454 void HttpNetworkTransaction::SetPriority(RequestPriority priority) {
455 priority_ = priority;
456 if (stream_request_)
457 stream_request_->SetPriority(priority);
458 if (stream_)
459 stream_->SetPriority(priority);
460 }
461
462 void HttpNetworkTransaction::SetWebSocketHandshakeStreamCreateHelper(
463 WebSocketHandshakeStreamBase::CreateHelper* create_helper) {
464 websocket_handshake_stream_base_create_helper_ = create_helper;
465 }
466
467 void HttpNetworkTransaction::SetBeforeNetworkStartCallback(
468 const BeforeNetworkStartCallback& callback) {
469 before_network_start_callback_ = callback;
470 }
471
472 void HttpNetworkTransaction::SetBeforeProxyHeadersSentCallback(
473 const BeforeProxyHeadersSentCallback& callback) {
474 before_proxy_headers_sent_callback_ = callback;
475 }
476
477 int HttpNetworkTransaction::ResumeNetworkStart() {
478 DCHECK_EQ(next_state_, STATE_CREATE_STREAM);
479 return DoLoop(OK);
480 }
481
482 void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config,
483 const ProxyInfo& used_proxy_info,
484 HttpStream* stream) {
485 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
486 DCHECK(stream_request_.get());
487
488 if (stream_)
489 total_received_bytes_ += stream_->GetTotalReceivedBytes();
490 stream_.reset(stream);
491 server_ssl_config_ = used_ssl_config;
492 proxy_info_ = used_proxy_info;
493 response_.was_npn_negotiated = stream_request_->was_npn_negotiated();
494 response_.npn_negotiated_protocol = SSLClientSocket::NextProtoToString(
495 stream_request_->protocol_negotiated());
496 response_.was_fetched_via_spdy = stream_request_->using_spdy();
497 response_.was_fetched_via_proxy = !proxy_info_.is_direct();
498 if (response_.was_fetched_via_proxy && !proxy_info_.is_empty())
499 response_.proxy_server = proxy_info_.proxy_server().host_port_pair();
500 OnIOComplete(OK);
501 }
502
503 void HttpNetworkTransaction::OnWebSocketHandshakeStreamReady(
504 const SSLConfig& used_ssl_config,
505 const ProxyInfo& used_proxy_info,
506 WebSocketHandshakeStreamBase* stream) {
507 OnStreamReady(used_ssl_config, used_proxy_info, stream);
508 }
509
510 void HttpNetworkTransaction::OnStreamFailed(int result,
511 const SSLConfig& used_ssl_config,
512 SSLFailureState ssl_failure_state) {
513 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
514 DCHECK_NE(OK, result);
515 DCHECK(stream_request_.get());
516 DCHECK(!stream_.get());
517 server_ssl_config_ = used_ssl_config;
518 server_ssl_failure_state_ = ssl_failure_state;
519
520 OnIOComplete(result);
521 }
522
523 void HttpNetworkTransaction::OnCertificateError(
524 int result,
525 const SSLConfig& used_ssl_config,
526 const SSLInfo& ssl_info) {
527 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
528 DCHECK_NE(OK, result);
529 DCHECK(stream_request_.get());
530 DCHECK(!stream_.get());
531
532 response_.ssl_info = ssl_info;
533 server_ssl_config_ = used_ssl_config;
534
535 // TODO(mbelshe): For now, we're going to pass the error through, and that
536 // will close the stream_request in all cases. This means that we're always
537 // going to restart an entire STATE_CREATE_STREAM, even if the connection is
538 // good and the user chooses to ignore the error. This is not ideal, but not
539 // the end of the world either.
540
541 OnIOComplete(result);
542 }
543
544 void HttpNetworkTransaction::OnNeedsProxyAuth(
545 const HttpResponseInfo& proxy_response,
546 const SSLConfig& used_ssl_config,
547 const ProxyInfo& used_proxy_info,
548 HttpAuthController* auth_controller) {
549 DCHECK(stream_request_.get());
550 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
551
552 establishing_tunnel_ = true;
553 response_.headers = proxy_response.headers;
554 response_.auth_challenge = proxy_response.auth_challenge;
555 headers_valid_ = true;
556 server_ssl_config_ = used_ssl_config;
557 proxy_info_ = used_proxy_info;
558
559 auth_controllers_[HttpAuth::AUTH_PROXY] = auth_controller;
560 pending_auth_target_ = HttpAuth::AUTH_PROXY;
561
562 DoCallback(OK);
563 }
564
565 void HttpNetworkTransaction::OnNeedsClientAuth(
566 const SSLConfig& used_ssl_config,
567 SSLCertRequestInfo* cert_info) {
568 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
569
570 server_ssl_config_ = used_ssl_config;
571 response_.cert_request_info = cert_info;
572 OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
573 }
574
575 void HttpNetworkTransaction::OnHttpsProxyTunnelResponse(
576 const HttpResponseInfo& response_info,
577 const SSLConfig& used_ssl_config,
578 const ProxyInfo& used_proxy_info,
579 HttpStream* stream) {
580 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
581
582 CopyConnectionAttemptsFromStreamRequest();
583
584 headers_valid_ = true;
585 response_ = response_info;
586 server_ssl_config_ = used_ssl_config;
587 proxy_info_ = used_proxy_info;
588 if (stream_)
589 total_received_bytes_ += stream_->GetTotalReceivedBytes();
590 stream_.reset(stream);
591 stream_request_.reset(); // we're done with the stream request
592 OnIOComplete(ERR_HTTPS_PROXY_TUNNEL_RESPONSE);
593 }
594
595 void HttpNetworkTransaction::GetConnectionAttempts(
596 ConnectionAttempts* out) const {
597 *out = connection_attempts_;
598 }
599
600 bool HttpNetworkTransaction::IsSecureRequest() const {
601 return request_->url.SchemeIsCryptographic();
602 }
603
604 bool HttpNetworkTransaction::UsingHttpProxyWithoutTunnel() const {
605 return (proxy_info_.is_http() || proxy_info_.is_https() ||
606 proxy_info_.is_quic()) &&
607 !(request_->url.SchemeIs("https") || request_->url.SchemeIsWSOrWSS());
608 }
609
610 void HttpNetworkTransaction::DoCallback(int rv) {
611 DCHECK_NE(rv, ERR_IO_PENDING);
612 DCHECK(!callback_.is_null());
613
614 // Since Run may result in Read being called, clear user_callback_ up front.
615 CompletionCallback c = callback_;
616 callback_.Reset();
617 c.Run(rv);
618 }
619
620 void HttpNetworkTransaction::OnIOComplete(int result) {
621 int rv = DoLoop(result);
622 if (rv != ERR_IO_PENDING)
623 DoCallback(rv);
624 }
625
626 int HttpNetworkTransaction::DoLoop(int result) {
627 DCHECK(next_state_ != STATE_NONE);
628
629 int rv = result;
630 do {
631 State state = next_state_;
632 next_state_ = STATE_NONE;
633 switch (state) {
634 case STATE_NOTIFY_BEFORE_CREATE_STREAM:
635 DCHECK_EQ(OK, rv);
636 rv = DoNotifyBeforeCreateStream();
637 break;
638 case STATE_CREATE_STREAM:
639 DCHECK_EQ(OK, rv);
640 rv = DoCreateStream();
641 break;
642 case STATE_CREATE_STREAM_COMPLETE:
643 rv = DoCreateStreamComplete(rv);
644 break;
645 case STATE_INIT_STREAM:
646 DCHECK_EQ(OK, rv);
647 rv = DoInitStream();
648 break;
649 case STATE_INIT_STREAM_COMPLETE:
650 rv = DoInitStreamComplete(rv);
651 break;
652 case STATE_GENERATE_PROXY_AUTH_TOKEN:
653 DCHECK_EQ(OK, rv);
654 rv = DoGenerateProxyAuthToken();
655 break;
656 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE:
657 rv = DoGenerateProxyAuthTokenComplete(rv);
658 break;
659 case STATE_GENERATE_SERVER_AUTH_TOKEN:
660 DCHECK_EQ(OK, rv);
661 rv = DoGenerateServerAuthToken();
662 break;
663 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE:
664 rv = DoGenerateServerAuthTokenComplete(rv);
665 break;
666 case STATE_INIT_REQUEST_BODY:
667 DCHECK_EQ(OK, rv);
668 rv = DoInitRequestBody();
669 break;
670 case STATE_INIT_REQUEST_BODY_COMPLETE:
671 rv = DoInitRequestBodyComplete(rv);
672 break;
673 case STATE_BUILD_REQUEST:
674 DCHECK_EQ(OK, rv);
675 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST);
676 rv = DoBuildRequest();
677 break;
678 case STATE_BUILD_REQUEST_COMPLETE:
679 rv = DoBuildRequestComplete(rv);
680 break;
681 case STATE_SEND_REQUEST:
682 DCHECK_EQ(OK, rv);
683 rv = DoSendRequest();
684 break;
685 case STATE_SEND_REQUEST_COMPLETE:
686 rv = DoSendRequestComplete(rv);
687 net_log_.EndEventWithNetErrorCode(
688 NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, rv);
689 break;
690 case STATE_READ_HEADERS:
691 DCHECK_EQ(OK, rv);
692 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS);
693 rv = DoReadHeaders();
694 break;
695 case STATE_READ_HEADERS_COMPLETE:
696 rv = DoReadHeadersComplete(rv);
697 net_log_.EndEventWithNetErrorCode(
698 NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS, rv);
699 break;
700 case STATE_READ_BODY:
701 DCHECK_EQ(OK, rv);
702 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_BODY);
703 rv = DoReadBody();
704 break;
705 case STATE_READ_BODY_COMPLETE:
706 rv = DoReadBodyComplete(rv);
707 net_log_.EndEventWithNetErrorCode(
708 NetLog::TYPE_HTTP_TRANSACTION_READ_BODY, rv);
709 break;
710 case STATE_DRAIN_BODY_FOR_AUTH_RESTART:
711 DCHECK_EQ(OK, rv);
712 net_log_.BeginEvent(
713 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART);
714 rv = DoDrainBodyForAuthRestart();
715 break;
716 case STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE:
717 rv = DoDrainBodyForAuthRestartComplete(rv);
718 net_log_.EndEventWithNetErrorCode(
719 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART, rv);
720 break;
721 default:
722 NOTREACHED() << "bad state";
723 rv = ERR_FAILED;
724 break;
725 }
726 } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE);
727
728 return rv;
729 }
730
731 int HttpNetworkTransaction::DoNotifyBeforeCreateStream() {
732 next_state_ = STATE_CREATE_STREAM;
733 bool defer = false;
734 if (!before_network_start_callback_.is_null())
735 before_network_start_callback_.Run(&defer);
736 if (!defer)
737 return OK;
738 return ERR_IO_PENDING;
739 }
740
741 int HttpNetworkTransaction::DoCreateStream() {
742 // TODO(mmenke): Remove ScopedTracker below once crbug.com/424359 is fixed.
743 tracked_objects::ScopedTracker tracking_profile(
744 FROM_HERE_WITH_EXPLICIT_FUNCTION(
745 "424359 HttpNetworkTransaction::DoCreateStream"));
746
747 response_.network_accessed = true;
748
749 next_state_ = STATE_CREATE_STREAM_COMPLETE;
750 if (ForWebSocketHandshake()) {
751 stream_request_.reset(
752 session_->http_stream_factory_for_websocket()
753 ->RequestWebSocketHandshakeStream(
754 *request_,
755 priority_,
756 server_ssl_config_,
757 proxy_ssl_config_,
758 this,
759 websocket_handshake_stream_base_create_helper_,
760 net_log_));
761 } else {
762 stream_request_.reset(
763 session_->http_stream_factory()->RequestStream(
764 *request_,
765 priority_,
766 server_ssl_config_,
767 proxy_ssl_config_,
768 this,
769 net_log_));
770 }
771 DCHECK(stream_request_.get());
772 return ERR_IO_PENDING;
773 }
774
775 int HttpNetworkTransaction::DoCreateStreamComplete(int result) {
776 // If |result| is ERR_HTTPS_PROXY_TUNNEL_RESPONSE, then
777 // DoCreateStreamComplete is being called from OnHttpsProxyTunnelResponse,
778 // which resets the stream request first. Therefore, we have to grab the
779 // connection attempts in *that* function instead of here in that case.
780 if (result != ERR_HTTPS_PROXY_TUNNEL_RESPONSE)
781 CopyConnectionAttemptsFromStreamRequest();
782
783 if (request_->url.SchemeIsCryptographic())
784 RecordSSLFallbackMetrics(result);
785
786 if (result == OK) {
787 next_state_ = STATE_INIT_STREAM;
788 DCHECK(stream_.get());
789 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
790 result = HandleCertificateRequest(result);
791 } else if (result == ERR_HTTPS_PROXY_TUNNEL_RESPONSE) {
792 // Return OK and let the caller read the proxy's error page
793 next_state_ = STATE_NONE;
794 return OK;
795 } else if (result == ERR_HTTP_1_1_REQUIRED ||
796 result == ERR_PROXY_HTTP_1_1_REQUIRED) {
797 return HandleHttp11Required(result);
798 }
799
800 // Handle possible handshake errors that may have occurred if the stream
801 // used SSL for one or more of the layers.
802 result = HandleSSLHandshakeError(result);
803
804 // At this point we are done with the stream_request_.
805 stream_request_.reset();
806 return result;
807 }
808
809 int HttpNetworkTransaction::DoInitStream() {
810 DCHECK(stream_.get());
811 next_state_ = STATE_INIT_STREAM_COMPLETE;
812 return stream_->InitializeStream(request_, priority_, net_log_, io_callback_);
813 }
814
815 int HttpNetworkTransaction::DoInitStreamComplete(int result) {
816 if (result == OK) {
817 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN;
818 } else {
819 if (result < 0)
820 result = HandleIOError(result);
821
822 // The stream initialization failed, so this stream will never be useful.
823 if (stream_)
824 total_received_bytes_ += stream_->GetTotalReceivedBytes();
825 stream_.reset();
826 }
827
828 return result;
829 }
830
831 int HttpNetworkTransaction::DoGenerateProxyAuthToken() {
832 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE;
833 if (!ShouldApplyProxyAuth())
834 return OK;
835 HttpAuth::Target target = HttpAuth::AUTH_PROXY;
836 if (!auth_controllers_[target].get())
837 auth_controllers_[target] =
838 new HttpAuthController(target,
839 AuthURL(target),
840 session_->http_auth_cache(),
841 session_->http_auth_handler_factory());
842 return auth_controllers_[target]->MaybeGenerateAuthToken(request_,
843 io_callback_,
844 net_log_);
845 }
846
847 int HttpNetworkTransaction::DoGenerateProxyAuthTokenComplete(int rv) {
848 DCHECK_NE(ERR_IO_PENDING, rv);
849 if (rv == OK)
850 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN;
851 return rv;
852 }
853
854 int HttpNetworkTransaction::DoGenerateServerAuthToken() {
855 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE;
856 HttpAuth::Target target = HttpAuth::AUTH_SERVER;
857 if (!auth_controllers_[target].get()) {
858 auth_controllers_[target] =
859 new HttpAuthController(target,
860 AuthURL(target),
861 session_->http_auth_cache(),
862 session_->http_auth_handler_factory());
863 if (request_->load_flags & LOAD_DO_NOT_USE_EMBEDDED_IDENTITY)
864 auth_controllers_[target]->DisableEmbeddedIdentity();
865 }
866 if (!ShouldApplyServerAuth())
867 return OK;
868 return auth_controllers_[target]->MaybeGenerateAuthToken(request_,
869 io_callback_,
870 net_log_);
871 }
872
873 int HttpNetworkTransaction::DoGenerateServerAuthTokenComplete(int rv) {
874 DCHECK_NE(ERR_IO_PENDING, rv);
875 if (rv == OK)
876 next_state_ = STATE_INIT_REQUEST_BODY;
877 return rv;
878 }
879
880 void HttpNetworkTransaction::BuildRequestHeaders(
881 bool using_http_proxy_without_tunnel) {
882 request_headers_.SetHeader(HttpRequestHeaders::kHost,
883 GetHostAndOptionalPort(request_->url));
884
885 // For compat with HTTP/1.0 servers and proxies:
886 if (using_http_proxy_without_tunnel) {
887 request_headers_.SetHeader(HttpRequestHeaders::kProxyConnection,
888 "keep-alive");
889 } else {
890 request_headers_.SetHeader(HttpRequestHeaders::kConnection, "keep-alive");
891 }
892
893 // Add a content length header?
894 if (request_->upload_data_stream) {
895 if (request_->upload_data_stream->is_chunked()) {
896 request_headers_.SetHeader(
897 HttpRequestHeaders::kTransferEncoding, "chunked");
898 } else {
899 request_headers_.SetHeader(
900 HttpRequestHeaders::kContentLength,
901 base::Uint64ToString(request_->upload_data_stream->size()));
902 }
903 } else if (request_->method == "POST" || request_->method == "PUT") {
904 // An empty POST/PUT request still needs a content length. As for HEAD,
905 // IE and Safari also add a content length header. Presumably it is to
906 // support sending a HEAD request to an URL that only expects to be sent a
907 // POST or some other method that normally would have a message body.
908 // Firefox (40.0) does not send the header, and RFC 7230 & 7231
909 // specify that it should not be sent due to undefined behavior.
910 request_headers_.SetHeader(HttpRequestHeaders::kContentLength, "0");
911 }
912
913 // Honor load flags that impact proxy caches.
914 if (request_->load_flags & LOAD_BYPASS_CACHE) {
915 request_headers_.SetHeader(HttpRequestHeaders::kPragma, "no-cache");
916 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "no-cache");
917 } else if (request_->load_flags & LOAD_VALIDATE_CACHE) {
918 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "max-age=0");
919 }
920
921 if (ShouldApplyProxyAuth() && HaveAuth(HttpAuth::AUTH_PROXY))
922 auth_controllers_[HttpAuth::AUTH_PROXY]->AddAuthorizationHeader(
923 &request_headers_);
924 if (ShouldApplyServerAuth() && HaveAuth(HttpAuth::AUTH_SERVER))
925 auth_controllers_[HttpAuth::AUTH_SERVER]->AddAuthorizationHeader(
926 &request_headers_);
927
928 request_headers_.MergeFrom(request_->extra_headers);
929
930 if (using_http_proxy_without_tunnel &&
931 !before_proxy_headers_sent_callback_.is_null())
932 before_proxy_headers_sent_callback_.Run(proxy_info_, &request_headers_);
933
934 response_.did_use_http_auth =
935 request_headers_.HasHeader(HttpRequestHeaders::kAuthorization) ||
936 request_headers_.HasHeader(HttpRequestHeaders::kProxyAuthorization);
937 }
938
939 int HttpNetworkTransaction::DoInitRequestBody() {
940 next_state_ = STATE_INIT_REQUEST_BODY_COMPLETE;
941 int rv = OK;
942 if (request_->upload_data_stream)
943 rv = request_->upload_data_stream->Init(io_callback_);
944 return rv;
945 }
946
947 int HttpNetworkTransaction::DoInitRequestBodyComplete(int result) {
948 if (result == OK)
949 next_state_ = STATE_BUILD_REQUEST;
950 return result;
951 }
952
953 int HttpNetworkTransaction::DoBuildRequest() {
954 next_state_ = STATE_BUILD_REQUEST_COMPLETE;
955 headers_valid_ = false;
956
957 // This is constructed lazily (instead of within our Start method), so that
958 // we have proxy info available.
959 if (request_headers_.IsEmpty()) {
960 bool using_http_proxy_without_tunnel = UsingHttpProxyWithoutTunnel();
961 BuildRequestHeaders(using_http_proxy_without_tunnel);
962 }
963
964 return OK;
965 }
966
967 int HttpNetworkTransaction::DoBuildRequestComplete(int result) {
968 if (result == OK)
969 next_state_ = STATE_SEND_REQUEST;
970 return result;
971 }
972
973 int HttpNetworkTransaction::DoSendRequest() {
974 // TODO(mmenke): Remove ScopedTracker below once crbug.com/424359 is fixed.
975 tracked_objects::ScopedTracker tracking_profile(
976 FROM_HERE_WITH_EXPLICIT_FUNCTION(
977 "424359 HttpNetworkTransaction::DoSendRequest"));
978
979 send_start_time_ = base::TimeTicks::Now();
980 next_state_ = STATE_SEND_REQUEST_COMPLETE;
981
982 return stream_->SendRequest(request_headers_, &response_, io_callback_);
983 }
984
985 int HttpNetworkTransaction::DoSendRequestComplete(int result) {
986 send_end_time_ = base::TimeTicks::Now();
987 if (result < 0)
988 return HandleIOError(result);
989 next_state_ = STATE_READ_HEADERS;
990 return OK;
991 }
992
993 int HttpNetworkTransaction::DoReadHeaders() {
994 next_state_ = STATE_READ_HEADERS_COMPLETE;
995 return stream_->ReadResponseHeaders(io_callback_);
996 }
997
998 int HttpNetworkTransaction::DoReadHeadersComplete(int result) {
999 // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here
1000 // due to SSL renegotiation.
1001 if (IsCertificateError(result)) {
1002 // We don't handle a certificate error during SSL renegotiation, so we
1003 // have to return an error that's not in the certificate error range
1004 // (-2xx).
1005 LOG(ERROR) << "Got a server certificate with error " << result
1006 << " during SSL renegotiation";
1007 result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION;
1008 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
1009 // TODO(wtc): Need a test case for this code path!
1010 DCHECK(stream_.get());
1011 DCHECK(IsSecureRequest());
1012 response_.cert_request_info = new SSLCertRequestInfo;
1013 stream_->GetSSLCertRequestInfo(response_.cert_request_info.get());
1014 result = HandleCertificateRequest(result);
1015 if (result == OK)
1016 return result;
1017 }
1018
1019 if (result == ERR_HTTP_1_1_REQUIRED ||
1020 result == ERR_PROXY_HTTP_1_1_REQUIRED) {
1021 return HandleHttp11Required(result);
1022 }
1023
1024 // ERR_CONNECTION_CLOSED is treated differently at this point; if partial
1025 // response headers were received, we do the best we can to make sense of it
1026 // and send it back up the stack.
1027 //
1028 // TODO(davidben): Consider moving this to HttpBasicStream, It's a little
1029 // bizarre for SPDY. Assuming this logic is useful at all.
1030 // TODO(davidben): Bubble the error code up so we do not cache?
1031 if (result == ERR_CONNECTION_CLOSED && response_.headers.get())
1032 result = OK;
1033
1034 if (result < 0)
1035 return HandleIOError(result);
1036
1037 DCHECK(response_.headers.get());
1038
1039 // On a 408 response from the server ("Request Timeout") on a stale socket,
1040 // retry the request.
1041 // Headers can be NULL because of http://crbug.com/384554.
1042 if (response_.headers.get() && response_.headers->response_code() == 408 &&
1043 stream_->IsConnectionReused()) {
1044 net_log_.AddEventWithNetErrorCode(
1045 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR,
1046 response_.headers->response_code());
1047 // This will close the socket - it would be weird to try and reuse it, even
1048 // if the server doesn't actually close it.
1049 ResetConnectionAndRequestForResend();
1050 return OK;
1051 }
1052
1053 // Like Net.HttpResponseCode, but only for MAIN_FRAME loads.
1054 if (request_->load_flags & LOAD_MAIN_FRAME) {
1055 const int response_code = response_.headers->response_code();
1056 UMA_HISTOGRAM_ENUMERATION(
1057 "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10);
1058 }
1059
1060 net_log_.AddEvent(
1061 NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS,
1062 base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers));
1063
1064 if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) {
1065 // HTTP/0.9 doesn't support the PUT method, so lack of response headers
1066 // indicates a buggy server. See:
1067 // https://bugzilla.mozilla.org/show_bug.cgi?id=193921
1068 if (request_->method == "PUT")
1069 return ERR_METHOD_NOT_SUPPORTED;
1070 }
1071
1072 // Check for an intermediate 100 Continue response. An origin server is
1073 // allowed to send this response even if we didn't ask for it, so we just
1074 // need to skip over it.
1075 // We treat any other 1xx in this same way (although in practice getting
1076 // a 1xx that isn't a 100 is rare).
1077 // Unless this is a WebSocket request, in which case we pass it on up.
1078 if (response_.headers->response_code() / 100 == 1 &&
1079 !ForWebSocketHandshake()) {
1080 response_.headers = new HttpResponseHeaders(std::string());
1081 next_state_ = STATE_READ_HEADERS;
1082 return OK;
1083 }
1084
1085 ProcessAlternativeServices(session_, *response_.headers.get(),
1086 HostPortPair::FromURL(request_->url));
1087
1088 int rv = HandleAuthChallenge();
1089 if (rv != OK)
1090 return rv;
1091
1092 if (IsSecureRequest())
1093 stream_->GetSSLInfo(&response_.ssl_info);
1094
1095 headers_valid_ = true;
1096 return OK;
1097 }
1098
1099 int HttpNetworkTransaction::DoReadBody() {
1100 DCHECK(read_buf_.get());
1101 DCHECK_GT(read_buf_len_, 0);
1102 DCHECK(stream_ != NULL);
1103
1104 next_state_ = STATE_READ_BODY_COMPLETE;
1105 return stream_->ReadResponseBody(
1106 read_buf_.get(), read_buf_len_, io_callback_);
1107 }
1108
1109 int HttpNetworkTransaction::DoReadBodyComplete(int result) {
1110 // We are done with the Read call.
1111 bool done = false;
1112 if (result <= 0) {
1113 DCHECK_NE(ERR_IO_PENDING, result);
1114 done = true;
1115 }
1116
1117 bool keep_alive = false;
1118 if (stream_->IsResponseBodyComplete()) {
1119 // Note: Just because IsResponseBodyComplete is true, we're not
1120 // necessarily "done". We're only "done" when it is the last
1121 // read on this HttpNetworkTransaction, which will be signified
1122 // by a zero-length read.
1123 // TODO(mbelshe): The keepalive property is really a property of
1124 // the stream. No need to compute it here just to pass back
1125 // to the stream's Close function.
1126 // TODO(rtenneti): CanFindEndOfResponse should return false if there are no
1127 // ResponseHeaders.
1128 if (stream_->CanFindEndOfResponse()) {
1129 HttpResponseHeaders* headers = GetResponseHeaders();
1130 if (headers)
1131 keep_alive = headers->IsKeepAlive();
1132 }
1133 }
1134
1135 // Clean up connection if we are done.
1136 if (done) {
1137 stream_->Close(!keep_alive);
1138 // Note: we don't reset the stream here. We've closed it, but we still
1139 // need it around so that callers can call methods such as
1140 // GetUploadProgress() and have them be meaningful.
1141 // TODO(mbelshe): This means we closed the stream here, and we close it
1142 // again in ~HttpNetworkTransaction. Clean that up.
1143
1144 // The next Read call will return 0 (EOF).
1145 }
1146
1147 // Clear these to avoid leaving around old state.
1148 read_buf_ = NULL;
1149 read_buf_len_ = 0;
1150
1151 return result;
1152 }
1153
1154 int HttpNetworkTransaction::DoDrainBodyForAuthRestart() {
1155 // This method differs from DoReadBody only in the next_state_. So we just
1156 // call DoReadBody and override the next_state_. Perhaps there is a more
1157 // elegant way for these two methods to share code.
1158 int rv = DoReadBody();
1159 DCHECK(next_state_ == STATE_READ_BODY_COMPLETE);
1160 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE;
1161 return rv;
1162 }
1163
1164 // TODO(wtc): This method and the DoReadBodyComplete method are almost
1165 // the same. Figure out a good way for these two methods to share code.
1166 int HttpNetworkTransaction::DoDrainBodyForAuthRestartComplete(int result) {
1167 // keep_alive defaults to true because the very reason we're draining the
1168 // response body is to reuse the connection for auth restart.
1169 bool done = false, keep_alive = true;
1170 if (result < 0) {
1171 // Error or closed connection while reading the socket.
1172 done = true;
1173 keep_alive = false;
1174 } else if (stream_->IsResponseBodyComplete()) {
1175 done = true;
1176 }
1177
1178 if (done) {
1179 DidDrainBodyForAuthRestart(keep_alive);
1180 } else {
1181 // Keep draining.
1182 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART;
1183 }
1184
1185 return OK;
1186 }
1187
1188 int HttpNetworkTransaction::HandleCertificateRequest(int error) {
1189 // There are two paths through which the server can request a certificate
1190 // from us. The first is during the initial handshake, the second is
1191 // during SSL renegotiation.
1192 //
1193 // In both cases, we want to close the connection before proceeding.
1194 // We do this for two reasons:
1195 // First, we don't want to keep the connection to the server hung for a
1196 // long time while the user selects a certificate.
1197 // Second, even if we did keep the connection open, NSS has a bug where
1198 // restarting the handshake for ClientAuth is currently broken.
1199 DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
1200
1201 if (stream_.get()) {
1202 // Since we already have a stream, we're being called as part of SSL
1203 // renegotiation.
1204 DCHECK(!stream_request_.get());
1205 total_received_bytes_ += stream_->GetTotalReceivedBytes();
1206 stream_->Close(true);
1207 stream_.reset();
1208 }
1209
1210 // The server is asking for a client certificate during the initial
1211 // handshake.
1212 stream_request_.reset();
1213
1214 // If the user selected one of the certificates in client_certs or declined
1215 // to provide one for this server before, use the past decision
1216 // automatically.
1217 scoped_refptr<X509Certificate> client_cert;
1218 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup(
1219 response_.cert_request_info->host_and_port, &client_cert);
1220 if (!found_cached_cert)
1221 return error;
1222
1223 // Check that the certificate selected is still a certificate the server
1224 // is likely to accept, based on the criteria supplied in the
1225 // CertificateRequest message.
1226 if (client_cert.get()) {
1227 const std::vector<std::string>& cert_authorities =
1228 response_.cert_request_info->cert_authorities;
1229
1230 bool cert_still_valid = cert_authorities.empty() ||
1231 client_cert->IsIssuedByEncoded(cert_authorities);
1232 if (!cert_still_valid)
1233 return error;
1234 }
1235
1236 // TODO(davidben): Add a unit test which covers this path; we need to be
1237 // able to send a legitimate certificate and also bypass/clear the
1238 // SSL session cache.
1239 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ?
1240 &proxy_ssl_config_ : &server_ssl_config_;
1241 ssl_config->send_client_cert = true;
1242 ssl_config->client_cert = client_cert;
1243 next_state_ = STATE_CREATE_STREAM;
1244 // Reset the other member variables.
1245 // Note: this is necessary only with SSL renegotiation.
1246 ResetStateForRestart();
1247 return OK;
1248 }
1249
1250 int HttpNetworkTransaction::HandleHttp11Required(int error) {
1251 DCHECK(error == ERR_HTTP_1_1_REQUIRED ||
1252 error == ERR_PROXY_HTTP_1_1_REQUIRED);
1253
1254 if (error == ERR_HTTP_1_1_REQUIRED) {
1255 HttpServerProperties::ForceHTTP11(&server_ssl_config_);
1256 } else {
1257 HttpServerProperties::ForceHTTP11(&proxy_ssl_config_);
1258 }
1259 ResetConnectionAndRequestForResend();
1260 return OK;
1261 }
1262
1263 void HttpNetworkTransaction::HandleClientAuthError(int error) {
1264 if (server_ssl_config_.send_client_cert &&
1265 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) {
1266 session_->ssl_client_auth_cache()->Remove(
1267 HostPortPair::FromURL(request_->url));
1268 }
1269 }
1270
1271 // TODO(rch): This does not correctly handle errors when an SSL proxy is
1272 // being used, as all of the errors are handled as if they were generated
1273 // by the endpoint host, request_->url, rather than considering if they were
1274 // generated by the SSL proxy. http://crbug.com/69329
1275 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
1276 DCHECK(request_);
1277 HandleClientAuthError(error);
1278
1279 // Accept deprecated cipher suites, but only on a fallback. This makes UMA
1280 // reflect servers require a deprecated cipher rather than merely prefer
1281 // it. This, however, has no security benefit until the ciphers are actually
1282 // removed.
1283 if (!server_ssl_config_.enable_deprecated_cipher_suites &&
1284 (error == ERR_SSL_VERSION_OR_CIPHER_MISMATCH ||
1285 error == ERR_CONNECTION_CLOSED || error == ERR_CONNECTION_RESET)) {
1286 net_log_.AddEvent(
1287 NetLog::TYPE_SSL_CIPHER_FALLBACK,
1288 base::Bind(&NetLogSSLCipherFallbackCallback, &request_->url, error));
1289 server_ssl_config_.enable_deprecated_cipher_suites = true;
1290 ResetConnectionAndRequestForResend();
1291 return OK;
1292 }
1293
1294 bool should_fallback = false;
1295 uint16 version_max = server_ssl_config_.version_max;
1296
1297 switch (error) {
1298 case ERR_CONNECTION_CLOSED:
1299 case ERR_SSL_PROTOCOL_ERROR:
1300 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
1301 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 &&
1302 version_max > server_ssl_config_.version_min) {
1303 // This could be a TLS-intolerant server or a server that chose a
1304 // cipher suite defined only for higher protocol versions (such as
1305 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall
1306 // back to the next lower version and retry.
1307 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1,
1308 // specifying TLS 1.1 in version_max will result in a TLS 1.0
1309 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply
1310 // repeat the TLS 1.0 handshake. To avoid this problem, the default
1311 // version_max should match the maximum protocol version supported
1312 // by the SSLClientSocket class.
1313 version_max--;
1314
1315 // Fallback to the lower SSL version.
1316 // While SSL 3.0 fallback should be eliminated because of security
1317 // reasons, there is a high risk of breaking the servers if this is
1318 // done in general.
1319 should_fallback = true;
1320 }
1321 break;
1322 case ERR_CONNECTION_RESET:
1323 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 &&
1324 version_max > server_ssl_config_.version_min) {
1325 // Some network devices that inspect application-layer packets seem to
1326 // inject TCP reset packets to break the connections when they see TLS
1327 // 1.1 in ClientHello or ServerHello. See http://crbug.com/130293.
1328 //
1329 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or
1330 // 1.2. We don't lose much in this fallback because the explicit IV for
1331 // CBC mode in TLS 1.1 is approximated by record splitting in TLS
1332 // 1.0. The fallback will be more painful for TLS 1.2 when we have GCM
1333 // support.
1334 //
1335 // ERR_CONNECTION_RESET is a common network error, so we don't want it
1336 // to trigger a version fallback in general, especially the TLS 1.0 ->
1337 // SSL 3.0 fallback, which would drop TLS extensions.
1338 version_max--;
1339 should_fallback = true;
1340 }
1341 break;
1342 case ERR_SSL_BAD_RECORD_MAC_ALERT:
1343 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 &&
1344 version_max > server_ssl_config_.version_min) {
1345 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or
1346 // 1.2 ClientHello, but then return a bad_record_mac alert. See
1347 // crbug.com/260358. In order to make the fallback as minimal as
1348 // possible, this fallback is only triggered for >= TLS 1.1.
1349 version_max--;
1350 should_fallback = true;
1351 }
1352 break;
1353 case ERR_SSL_INAPPROPRIATE_FALLBACK:
1354 // The server told us that we should not have fallen back. A buggy server
1355 // could trigger ERR_SSL_INAPPROPRIATE_FALLBACK with the initial
1356 // connection. |fallback_error_code_| is initialised to
1357 // ERR_SSL_INAPPROPRIATE_FALLBACK to catch this case.
1358 error = fallback_error_code_;
1359 break;
1360 }
1361
1362 if (should_fallback) {
1363 net_log_.AddEvent(
1364 NetLog::TYPE_SSL_VERSION_FALLBACK,
1365 base::Bind(&NetLogSSLVersionFallbackCallback, &request_->url, error,
1366 server_ssl_failure_state_, server_ssl_config_.version_max,
1367 version_max));
1368 fallback_error_code_ = error;
1369 fallback_failure_state_ = server_ssl_failure_state_;
1370 server_ssl_config_.version_max = version_max;
1371 server_ssl_config_.version_fallback = true;
1372 ResetConnectionAndRequestForResend();
1373 error = OK;
1374 }
1375
1376 return error;
1377 }
1378
1379 // This method determines whether it is safe to resend the request after an
1380 // IO error. It can only be called in response to request header or body
1381 // write errors or response header read errors. It should not be used in
1382 // other cases, such as a Connect error.
1383 int HttpNetworkTransaction::HandleIOError(int error) {
1384 // Because the peer may request renegotiation with client authentication at
1385 // any time, check and handle client authentication errors.
1386 HandleClientAuthError(error);
1387
1388 switch (error) {
1389 // If we try to reuse a connection that the server is in the process of
1390 // closing, we may end up successfully writing out our request (or a
1391 // portion of our request) only to find a connection error when we try to
1392 // read from (or finish writing to) the socket.
1393 case ERR_CONNECTION_RESET:
1394 case ERR_CONNECTION_CLOSED:
1395 case ERR_CONNECTION_ABORTED:
1396 // There can be a race between the socket pool checking checking whether a
1397 // socket is still connected, receiving the FIN, and sending/reading data
1398 // on a reused socket. If we receive the FIN between the connectedness
1399 // check and writing/reading from the socket, we may first learn the socket
1400 // is disconnected when we get a ERR_SOCKET_NOT_CONNECTED. This will most
1401 // likely happen when trying to retrieve its IP address.
1402 // See http://crbug.com/105824 for more details.
1403 case ERR_SOCKET_NOT_CONNECTED:
1404 // If a socket is closed on its initial request, HttpStreamParser returns
1405 // ERR_EMPTY_RESPONSE. This may still be close/reuse race if the socket was
1406 // preconnected but failed to be used before the server timed it out.
1407 case ERR_EMPTY_RESPONSE:
1408 if (ShouldResendRequest()) {
1409 net_log_.AddEventWithNetErrorCode(
1410 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error);
1411 ResetConnectionAndRequestForResend();
1412 error = OK;
1413 }
1414 break;
1415 case ERR_SPDY_PING_FAILED:
1416 case ERR_SPDY_SERVER_REFUSED_STREAM:
1417 case ERR_QUIC_HANDSHAKE_FAILED:
1418 net_log_.AddEventWithNetErrorCode(
1419 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error);
1420 ResetConnectionAndRequestForResend();
1421 error = OK;
1422 break;
1423 }
1424 return error;
1425 }
1426
1427 void HttpNetworkTransaction::ResetStateForRestart() {
1428 ResetStateForAuthRestart();
1429 if (stream_)
1430 total_received_bytes_ += stream_->GetTotalReceivedBytes();
1431 stream_.reset();
1432 }
1433
1434 void HttpNetworkTransaction::ResetStateForAuthRestart() {
1435 send_start_time_ = base::TimeTicks();
1436 send_end_time_ = base::TimeTicks();
1437
1438 pending_auth_target_ = HttpAuth::AUTH_NONE;
1439 read_buf_ = NULL;
1440 read_buf_len_ = 0;
1441 headers_valid_ = false;
1442 request_headers_.Clear();
1443 response_ = HttpResponseInfo();
1444 establishing_tunnel_ = false;
1445 }
1446
1447 void HttpNetworkTransaction::RecordSSLFallbackMetrics(int result) {
1448 if (result != OK && result != ERR_SSL_INAPPROPRIATE_FALLBACK)
1449 return;
1450
1451 const std::string& host = request_->url.host();
1452 bool is_google = base::EndsWith(host, "google.com",
1453 base::CompareCase::SENSITIVE) &&
1454 (host.size() == 10 || host[host.size() - 11] == '.');
1455 if (is_google) {
1456 // Some fraction of successful connections use the fallback, but only due to
1457 // a spurious network failure. To estimate this fraction, compare handshakes
1458 // to Google servers which succeed against those that fail with an
1459 // inappropriate_fallback alert. Google servers are known to implement
1460 // FALLBACK_SCSV, so a spurious network failure while connecting would
1461 // trigger the fallback, successfully connect, but fail with this alert.
1462 UMA_HISTOGRAM_BOOLEAN("Net.GoogleConnectionInappropriateFallback",
1463 result == ERR_SSL_INAPPROPRIATE_FALLBACK);
1464 }
1465
1466 if (result != OK)
1467 return;
1468
1469 // Note: these values are used in histograms, so new values must be appended.
1470 enum FallbackVersion {
1471 FALLBACK_NONE = 0, // SSL version fallback did not occur.
1472 // Obsolete: FALLBACK_SSL3 = 1,
1473 FALLBACK_TLS1 = 2, // Fell back to TLS 1.0.
1474 FALLBACK_TLS1_1 = 3, // Fell back to TLS 1.1.
1475 FALLBACK_MAX,
1476 };
1477
1478 FallbackVersion fallback = FALLBACK_NONE;
1479 if (server_ssl_config_.version_fallback) {
1480 switch (server_ssl_config_.version_max) {
1481 case SSL_PROTOCOL_VERSION_TLS1:
1482 fallback = FALLBACK_TLS1;
1483 break;
1484 case SSL_PROTOCOL_VERSION_TLS1_1:
1485 fallback = FALLBACK_TLS1_1;
1486 break;
1487 default:
1488 NOTREACHED();
1489 }
1490 }
1491 UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLVersionFallback2", fallback,
1492 FALLBACK_MAX);
1493
1494 // Google servers are known to implement TLS 1.2 and FALLBACK_SCSV, so it
1495 // should be impossible to successfully connect to them with the fallback.
1496 // This helps estimate intolerant locally-configured SSL MITMs.
1497 if (is_google) {
1498 UMA_HISTOGRAM_ENUMERATION("Net.GoogleConnectionUsedSSLVersionFallback2",
1499 fallback, FALLBACK_MAX);
1500 }
1501
1502 UMA_HISTOGRAM_BOOLEAN("Net.ConnectionUsedSSLDeprecatedCipherFallback2",
1503 server_ssl_config_.enable_deprecated_cipher_suites);
1504
1505 if (server_ssl_config_.version_fallback) {
1506 // Record the error code which triggered the fallback and the state the
1507 // handshake was in.
1508 UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLFallbackErrorCode",
1509 -fallback_error_code_);
1510 UMA_HISTOGRAM_ENUMERATION("Net.SSLFallbackFailureState",
1511 fallback_failure_state_, SSL_FAILURE_MAX);
1512 }
1513 }
1514
1515 HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const {
1516 return response_.headers.get();
1517 }
1518
1519 bool HttpNetworkTransaction::ShouldResendRequest() const {
1520 bool connection_is_proven = stream_->IsConnectionReused();
1521 bool has_received_headers = GetResponseHeaders() != NULL;
1522
1523 // NOTE: we resend a request only if we reused a keep-alive connection.
1524 // This automatically prevents an infinite resend loop because we'll run
1525 // out of the cached keep-alive connections eventually.
1526 if (connection_is_proven && !has_received_headers)
1527 return true;
1528 return false;
1529 }
1530
1531 void HttpNetworkTransaction::ResetConnectionAndRequestForResend() {
1532 if (stream_.get()) {
1533 stream_->Close(true);
1534 stream_.reset();
1535 }
1536
1537 // We need to clear request_headers_ because it contains the real request
1538 // headers, but we may need to resend the CONNECT request first to recreate
1539 // the SSL tunnel.
1540 request_headers_.Clear();
1541 next_state_ = STATE_CREATE_STREAM; // Resend the request.
1542 }
1543
1544 bool HttpNetworkTransaction::ShouldApplyProxyAuth() const {
1545 return UsingHttpProxyWithoutTunnel();
1546 }
1547
1548 bool HttpNetworkTransaction::ShouldApplyServerAuth() const {
1549 return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA);
1550 }
1551
1552 int HttpNetworkTransaction::HandleAuthChallenge() {
1553 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders());
1554 DCHECK(headers.get());
1555
1556 int status = headers->response_code();
1557 if (status != HTTP_UNAUTHORIZED &&
1558 status != HTTP_PROXY_AUTHENTICATION_REQUIRED)
1559 return OK;
1560 HttpAuth::Target target = status == HTTP_PROXY_AUTHENTICATION_REQUIRED ?
1561 HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER;
1562 if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct())
1563 return ERR_UNEXPECTED_PROXY_AUTH;
1564
1565 // This case can trigger when an HTTPS server responds with a "Proxy
1566 // authentication required" status code through a non-authenticating
1567 // proxy.
1568 if (!auth_controllers_[target].get())
1569 return ERR_UNEXPECTED_PROXY_AUTH;
1570
1571 int rv = auth_controllers_[target]->HandleAuthChallenge(
1572 headers, (request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA) != 0, false,
1573 net_log_);
1574 if (auth_controllers_[target]->HaveAuthHandler())
1575 pending_auth_target_ = target;
1576
1577 scoped_refptr<AuthChallengeInfo> auth_info =
1578 auth_controllers_[target]->auth_info();
1579 if (auth_info.get())
1580 response_.auth_challenge = auth_info;
1581
1582 return rv;
1583 }
1584
1585 bool HttpNetworkTransaction::HaveAuth(HttpAuth::Target target) const {
1586 return auth_controllers_[target].get() &&
1587 auth_controllers_[target]->HaveAuth();
1588 }
1589
1590 GURL HttpNetworkTransaction::AuthURL(HttpAuth::Target target) const {
1591 switch (target) {
1592 case HttpAuth::AUTH_PROXY: {
1593 if (!proxy_info_.proxy_server().is_valid() ||
1594 proxy_info_.proxy_server().is_direct()) {
1595 return GURL(); // There is no proxy server.
1596 }
1597 const char* scheme = proxy_info_.is_https() ? "https://" : "http://";
1598 return GURL(scheme +
1599 proxy_info_.proxy_server().host_port_pair().ToString());
1600 }
1601 case HttpAuth::AUTH_SERVER:
1602 if (ForWebSocketHandshake()) {
1603 const GURL& url = request_->url;
1604 url::Replacements<char> ws_to_http;
1605 if (url.SchemeIs("ws")) {
1606 ws_to_http.SetScheme("http", url::Component(0, 4));
1607 } else {
1608 DCHECK(url.SchemeIs("wss"));
1609 ws_to_http.SetScheme("https", url::Component(0, 5));
1610 }
1611 return url.ReplaceComponents(ws_to_http);
1612 }
1613 return request_->url;
1614 default:
1615 return GURL();
1616 }
1617 }
1618
1619 bool HttpNetworkTransaction::ForWebSocketHandshake() const {
1620 return websocket_handshake_stream_base_create_helper_ &&
1621 request_->url.SchemeIsWSOrWSS();
1622 }
1623
1624 #define STATE_CASE(s) \
1625 case s: \
1626 description = base::StringPrintf("%s (0x%08X)", #s, s); \
1627 break
1628
1629 std::string HttpNetworkTransaction::DescribeState(State state) {
1630 std::string description;
1631 switch (state) {
1632 STATE_CASE(STATE_NOTIFY_BEFORE_CREATE_STREAM);
1633 STATE_CASE(STATE_CREATE_STREAM);
1634 STATE_CASE(STATE_CREATE_STREAM_COMPLETE);
1635 STATE_CASE(STATE_INIT_REQUEST_BODY);
1636 STATE_CASE(STATE_INIT_REQUEST_BODY_COMPLETE);
1637 STATE_CASE(STATE_BUILD_REQUEST);
1638 STATE_CASE(STATE_BUILD_REQUEST_COMPLETE);
1639 STATE_CASE(STATE_SEND_REQUEST);
1640 STATE_CASE(STATE_SEND_REQUEST_COMPLETE);
1641 STATE_CASE(STATE_READ_HEADERS);
1642 STATE_CASE(STATE_READ_HEADERS_COMPLETE);
1643 STATE_CASE(STATE_READ_BODY);
1644 STATE_CASE(STATE_READ_BODY_COMPLETE);
1645 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART);
1646 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE);
1647 STATE_CASE(STATE_NONE);
1648 default:
1649 description = base::StringPrintf("Unknown state 0x%08X (%u)", state,
1650 state);
1651 break;
1652 }
1653 return description;
1654 }
1655
1656 #undef STATE_CASE
1657
1658 void HttpNetworkTransaction::CopyConnectionAttemptsFromStreamRequest() {
1659 DCHECK(stream_request_);
1660
1661 // Since the transaction can restart with auth credentials, it may create a
1662 // stream more than once. Accumulate all of the connection attempts across
1663 // those streams by appending them to the vector:
1664 for (const auto& attempt : stream_request_->connection_attempts())
1665 connection_attempts_.push_back(attempt);
1666 }
1667
1668 } // namespace net