1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/http/http_proxy_client_socket.h" 6 7 #include "base/bind.h" 8 #include "base/bind_helpers.h" 9 #include "base/strings/string_util.h" 10 #include "base/strings/stringprintf.h" 11 #include "net/base/auth.h" 12 #include "net/base/host_port_pair.h" 13 #include "net/base/io_buffer.h" 14 #include "net/base/net_log.h" 15 #include "net/base/net_util.h" 16 #include "net/http/http_basic_stream.h" 17 #include "net/http/http_network_session.h" 18 #include "net/http/http_request_info.h" 19 #include "net/http/http_response_headers.h" 20 #include "net/http/http_stream_parser.h" 21 #include "net/http/proxy_connect_redirect_http_stream.h" 22 #include "net/socket/client_socket_handle.h" 23 #include "url/gurl.h" 24 25 namespace net { 26 27 HttpProxyClientSocket::HttpProxyClientSocket( 28 ClientSocketHandle* transport_socket, 29 const GURL& request_url, 30 const std::string& user_agent, 31 const HostPortPair& endpoint, 32 const HostPortPair& proxy_server, 33 HttpAuthCache* http_auth_cache, 34 HttpAuthHandlerFactory* http_auth_handler_factory, 35 bool tunnel, 36 bool using_spdy, 37 NextProto protocol_negotiated, 38 bool is_https_proxy) 39 : io_callback_(base::Bind(&HttpProxyClientSocket::OnIOComplete, 40 base::Unretained(this))), 41 next_state_(STATE_NONE), 42 transport_(transport_socket), 43 endpoint_(endpoint), 44 auth_(tunnel ? 45 new HttpAuthController(HttpAuth::AUTH_PROXY, 46 GURL((is_https_proxy ? "https://" : "http://") 47 + proxy_server.ToString()), 48 http_auth_cache, 49 http_auth_handler_factory) 50 : NULL), 51 tunnel_(tunnel), 52 using_spdy_(using_spdy), 53 protocol_negotiated_(protocol_negotiated), 54 is_https_proxy_(is_https_proxy), 55 redirect_has_load_timing_info_(false), 56 net_log_(transport_socket->socket()->NetLog()) { 57 // Synthesize the bits of a request that we actually use. 58 request_.url = request_url; 59 request_.method = "GET"; 60 if (!user_agent.empty()) 61 request_.extra_headers.SetHeader(HttpRequestHeaders::kUserAgent, 62 user_agent); 63 } 64 65 HttpProxyClientSocket::~HttpProxyClientSocket() { 66 Disconnect(); 67 } 68 69 int HttpProxyClientSocket::RestartWithAuth(const CompletionCallback& callback) { 70 DCHECK_EQ(STATE_NONE, next_state_); 71 DCHECK(user_callback_.is_null()); 72 73 int rv = PrepareForAuthRestart(); 74 if (rv != OK) 75 return rv; 76 77 rv = DoLoop(OK); 78 if (rv == ERR_IO_PENDING) { 79 if (!callback.is_null()) 80 user_callback_ = callback; 81 } 82 83 return rv; 84 } 85 86 const scoped_refptr<HttpAuthController>& 87 HttpProxyClientSocket::GetAuthController() const { 88 return auth_; 89 } 90 91 bool HttpProxyClientSocket::IsUsingSpdy() const { 92 return using_spdy_; 93 } 94 95 NextProto HttpProxyClientSocket::GetProtocolNegotiated() const { 96 return protocol_negotiated_; 97 } 98 99 const HttpResponseInfo* HttpProxyClientSocket::GetConnectResponseInfo() const { 100 return response_.headers.get() ? &response_ : NULL; 101 } 102 103 HttpStream* HttpProxyClientSocket::CreateConnectResponseStream() { 104 return new ProxyConnectRedirectHttpStream( 105 redirect_has_load_timing_info_ ? &redirect_load_timing_info_ : NULL); 106 } 107 108 109 int HttpProxyClientSocket::Connect(const CompletionCallback& callback) { 110 DCHECK(transport_.get()); 111 DCHECK(transport_->socket()); 112 DCHECK(user_callback_.is_null()); 113 114 // TODO(rch): figure out the right way to set up a tunnel with SPDY. 115 // This approach sends the complete HTTPS request to the proxy 116 // which allows the proxy to see "private" data. Instead, we should 117 // create an SSL tunnel to the origin server using the CONNECT method 118 // inside a single SPDY stream. 119 if (using_spdy_ || !tunnel_) 120 next_state_ = STATE_DONE; 121 if (next_state_ == STATE_DONE) 122 return OK; 123 124 DCHECK_EQ(STATE_NONE, next_state_); 125 next_state_ = STATE_GENERATE_AUTH_TOKEN; 126 127 int rv = DoLoop(OK); 128 if (rv == ERR_IO_PENDING) 129 user_callback_ = callback; 130 return rv; 131 } 132 133 void HttpProxyClientSocket::Disconnect() { 134 if (transport_.get()) 135 transport_->socket()->Disconnect(); 136 137 // Reset other states to make sure they aren't mistakenly used later. 138 // These are the states initialized by Connect(). 139 next_state_ = STATE_NONE; 140 user_callback_.Reset(); 141 } 142 143 bool HttpProxyClientSocket::IsConnected() const { 144 return next_state_ == STATE_DONE && transport_->socket()->IsConnected(); 145 } 146 147 bool HttpProxyClientSocket::IsConnectedAndIdle() const { 148 return next_state_ == STATE_DONE && 149 transport_->socket()->IsConnectedAndIdle(); 150 } 151 152 const BoundNetLog& HttpProxyClientSocket::NetLog() const { 153 return net_log_; 154 } 155 156 void HttpProxyClientSocket::SetSubresourceSpeculation() { 157 if (transport_.get() && transport_->socket()) { 158 transport_->socket()->SetSubresourceSpeculation(); 159 } else { 160 NOTREACHED(); 161 } 162 } 163 164 void HttpProxyClientSocket::SetOmniboxSpeculation() { 165 if (transport_.get() && transport_->socket()) { 166 transport_->socket()->SetOmniboxSpeculation(); 167 } else { 168 NOTREACHED(); 169 } 170 } 171 172 bool HttpProxyClientSocket::WasEverUsed() const { 173 if (transport_.get() && transport_->socket()) { 174 return transport_->socket()->WasEverUsed(); 175 } 176 NOTREACHED(); 177 return false; 178 } 179 180 bool HttpProxyClientSocket::UsingTCPFastOpen() const { 181 if (transport_.get() && transport_->socket()) { 182 return transport_->socket()->UsingTCPFastOpen(); 183 } 184 NOTREACHED(); 185 return false; 186 } 187 188 bool HttpProxyClientSocket::WasNpnNegotiated() const { 189 if (transport_.get() && transport_->socket()) { 190 return transport_->socket()->WasNpnNegotiated(); 191 } 192 NOTREACHED(); 193 return false; 194 } 195 196 NextProto HttpProxyClientSocket::GetNegotiatedProtocol() const { 197 if (transport_.get() && transport_->socket()) { 198 return transport_->socket()->GetNegotiatedProtocol(); 199 } 200 NOTREACHED(); 201 return kProtoUnknown; 202 } 203 204 bool HttpProxyClientSocket::GetSSLInfo(SSLInfo* ssl_info) { 205 if (transport_.get() && transport_->socket()) { 206 return transport_->socket()->GetSSLInfo(ssl_info); 207 } 208 NOTREACHED(); 209 return false; 210 } 211 212 int HttpProxyClientSocket::Read(IOBuffer* buf, int buf_len, 213 const CompletionCallback& callback) { 214 DCHECK(user_callback_.is_null()); 215 if (next_state_ != STATE_DONE) { 216 // We're trying to read the body of the response but we're still trying 217 // to establish an SSL tunnel through the proxy. We can't read these 218 // bytes when establishing a tunnel because they might be controlled by 219 // an active network attacker. We don't worry about this for HTTP 220 // because an active network attacker can already control HTTP sessions. 221 // We reach this case when the user cancels a 407 proxy auth prompt. 222 // See http://crbug.com/8473. 223 DCHECK_EQ(407, response_.headers->response_code()); 224 LogBlockedTunnelResponse(); 225 226 return ERR_TUNNEL_CONNECTION_FAILED; 227 } 228 229 return transport_->socket()->Read(buf, buf_len, callback); 230 } 231 232 int HttpProxyClientSocket::Write(IOBuffer* buf, int buf_len, 233 const CompletionCallback& callback) { 234 DCHECK_EQ(STATE_DONE, next_state_); 235 DCHECK(user_callback_.is_null()); 236 237 return transport_->socket()->Write(buf, buf_len, callback); 238 } 239 240 bool HttpProxyClientSocket::SetReceiveBufferSize(int32 size) { 241 return transport_->socket()->SetReceiveBufferSize(size); 242 } 243 244 bool HttpProxyClientSocket::SetSendBufferSize(int32 size) { 245 return transport_->socket()->SetSendBufferSize(size); 246 } 247 248 int HttpProxyClientSocket::GetPeerAddress(IPEndPoint* address) const { 249 return transport_->socket()->GetPeerAddress(address); 250 } 251 252 int HttpProxyClientSocket::GetLocalAddress(IPEndPoint* address) const { 253 return transport_->socket()->GetLocalAddress(address); 254 } 255 256 int HttpProxyClientSocket::PrepareForAuthRestart() { 257 if (!response_.headers.get()) 258 return ERR_CONNECTION_RESET; 259 260 bool keep_alive = false; 261 if (response_.headers->IsKeepAlive() && 262 http_stream_parser_->CanFindEndOfResponse()) { 263 if (!http_stream_parser_->IsResponseBodyComplete()) { 264 next_state_ = STATE_DRAIN_BODY; 265 drain_buf_ = new IOBuffer(kDrainBodyBufferSize); 266 return OK; 267 } 268 keep_alive = true; 269 } 270 271 // We don't need to drain the response body, so we act as if we had drained 272 // the response body. 273 return DidDrainBodyForAuthRestart(keep_alive); 274 } 275 276 int HttpProxyClientSocket::DidDrainBodyForAuthRestart(bool keep_alive) { 277 if (keep_alive && transport_->socket()->IsConnectedAndIdle()) { 278 next_state_ = STATE_GENERATE_AUTH_TOKEN; 279 transport_->set_is_reused(true); 280 } else { 281 // This assumes that the underlying transport socket is a TCP socket, 282 // since only TCP sockets are restartable. 283 next_state_ = STATE_TCP_RESTART; 284 transport_->socket()->Disconnect(); 285 } 286 287 // Reset the other member variables. 288 drain_buf_ = NULL; 289 parser_buf_ = NULL; 290 http_stream_parser_.reset(); 291 request_line_.clear(); 292 request_headers_.Clear(); 293 response_ = HttpResponseInfo(); 294 return OK; 295 } 296 297 void HttpProxyClientSocket::LogBlockedTunnelResponse() const { 298 ProxyClientSocket::LogBlockedTunnelResponse( 299 response_.headers->response_code(), 300 request_.url, 301 is_https_proxy_); 302 } 303 304 void HttpProxyClientSocket::DoCallback(int result) { 305 DCHECK_NE(ERR_IO_PENDING, result); 306 DCHECK(!user_callback_.is_null()); 307 308 // Since Run() may result in Read being called, 309 // clear user_callback_ up front. 310 CompletionCallback c = user_callback_; 311 user_callback_.Reset(); 312 c.Run(result); 313 } 314 315 void HttpProxyClientSocket::OnIOComplete(int result) { 316 DCHECK_NE(STATE_NONE, next_state_); 317 DCHECK_NE(STATE_DONE, next_state_); 318 int rv = DoLoop(result); 319 if (rv != ERR_IO_PENDING) 320 DoCallback(rv); 321 } 322 323 int HttpProxyClientSocket::DoLoop(int last_io_result) { 324 DCHECK_NE(next_state_, STATE_NONE); 325 DCHECK_NE(next_state_, STATE_DONE); 326 int rv = last_io_result; 327 do { 328 State state = next_state_; 329 next_state_ = STATE_NONE; 330 switch (state) { 331 case STATE_GENERATE_AUTH_TOKEN: 332 DCHECK_EQ(OK, rv); 333 rv = DoGenerateAuthToken(); 334 break; 335 case STATE_GENERATE_AUTH_TOKEN_COMPLETE: 336 rv = DoGenerateAuthTokenComplete(rv); 337 break; 338 case STATE_SEND_REQUEST: 339 DCHECK_EQ(OK, rv); 340 net_log_.BeginEvent( 341 NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_SEND_REQUEST); 342 rv = DoSendRequest(); 343 break; 344 case STATE_SEND_REQUEST_COMPLETE: 345 rv = DoSendRequestComplete(rv); 346 net_log_.EndEventWithNetErrorCode( 347 NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_SEND_REQUEST, rv); 348 break; 349 case STATE_READ_HEADERS: 350 DCHECK_EQ(OK, rv); 351 net_log_.BeginEvent( 352 NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_READ_HEADERS); 353 rv = DoReadHeaders(); 354 break; 355 case STATE_READ_HEADERS_COMPLETE: 356 rv = DoReadHeadersComplete(rv); 357 net_log_.EndEventWithNetErrorCode( 358 NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_READ_HEADERS, rv); 359 break; 360 case STATE_DRAIN_BODY: 361 DCHECK_EQ(OK, rv); 362 rv = DoDrainBody(); 363 break; 364 case STATE_DRAIN_BODY_COMPLETE: 365 rv = DoDrainBodyComplete(rv); 366 break; 367 case STATE_TCP_RESTART: 368 DCHECK_EQ(OK, rv); 369 rv = DoTCPRestart(); 370 break; 371 case STATE_TCP_RESTART_COMPLETE: 372 rv = DoTCPRestartComplete(rv); 373 break; 374 case STATE_DONE: 375 break; 376 default: 377 NOTREACHED() << "bad state"; 378 rv = ERR_UNEXPECTED; 379 break; 380 } 381 } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE && 382 next_state_ != STATE_DONE); 383 return rv; 384 } 385 386 int HttpProxyClientSocket::DoGenerateAuthToken() { 387 next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE; 388 return auth_->MaybeGenerateAuthToken(&request_, io_callback_, net_log_); 389 } 390 391 int HttpProxyClientSocket::DoGenerateAuthTokenComplete(int result) { 392 DCHECK_NE(ERR_IO_PENDING, result); 393 if (result == OK) 394 next_state_ = STATE_SEND_REQUEST; 395 return result; 396 } 397 398 int HttpProxyClientSocket::DoSendRequest() { 399 next_state_ = STATE_SEND_REQUEST_COMPLETE; 400 401 // This is constructed lazily (instead of within our Start method), so that 402 // we have proxy info available. 403 if (request_line_.empty()) { 404 DCHECK(request_headers_.IsEmpty()); 405 HttpRequestHeaders authorization_headers; 406 if (auth_->HaveAuth()) 407 auth_->AddAuthorizationHeader(&authorization_headers); 408 BuildTunnelRequest(request_, authorization_headers, endpoint_, 409 &request_line_, &request_headers_); 410 411 net_log_.AddEvent( 412 NetLog::TYPE_HTTP_TRANSACTION_SEND_TUNNEL_HEADERS, 413 base::Bind(&HttpRequestHeaders::NetLogCallback, 414 base::Unretained(&request_headers_), 415 &request_line_)); 416 } 417 418 parser_buf_ = new GrowableIOBuffer(); 419 http_stream_parser_.reset(new HttpStreamParser( 420 transport_.get(), &request_, parser_buf_.get(), net_log_)); 421 return http_stream_parser_->SendRequest( 422 request_line_, request_headers_, &response_, io_callback_); 423 } 424 425 int HttpProxyClientSocket::DoSendRequestComplete(int result) { 426 if (result < 0) 427 return result; 428 429 next_state_ = STATE_READ_HEADERS; 430 return OK; 431 } 432 433 int HttpProxyClientSocket::DoReadHeaders() { 434 next_state_ = STATE_READ_HEADERS_COMPLETE; 435 return http_stream_parser_->ReadResponseHeaders(io_callback_); 436 } 437 438 int HttpProxyClientSocket::DoReadHeadersComplete(int result) { 439 if (result < 0) 440 return result; 441 442 // Require the "HTTP/1.x" status line for SSL CONNECT. 443 if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) 444 return ERR_TUNNEL_CONNECTION_FAILED; 445 446 net_log_.AddEvent( 447 NetLog::TYPE_HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS, 448 base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers)); 449 450 switch (response_.headers->response_code()) { 451 case 200: // OK 452 if (http_stream_parser_->IsMoreDataBuffered()) 453 // The proxy sent extraneous data after the headers. 454 return ERR_TUNNEL_CONNECTION_FAILED; 455 456 next_state_ = STATE_DONE; 457 return OK; 458 459 // We aren't able to CONNECT to the remote host through the proxy. We 460 // need to be very suspicious about the response because an active network 461 // attacker can force us into this state by masquerading as the proxy. 462 // The only safe thing to do here is to fail the connection because our 463 // client is expecting an SSL protected response. 464 // See http://crbug.com/7338. 465 466 case 302: // Found / Moved Temporarily 467 // Attempt to follow redirects from HTTPS proxies, but only if we can 468 // sanitize the response. This still allows a rogue HTTPS proxy to 469 // redirect an HTTPS site load to a similar-looking site, but no longer 470 // allows it to impersonate the site the user requested. 471 if (is_https_proxy_ && SanitizeProxyRedirect(&response_, request_.url)) { 472 bool is_connection_reused = http_stream_parser_->IsConnectionReused(); 473 redirect_has_load_timing_info_ = 474 transport_->GetLoadTimingInfo( 475 is_connection_reused, &redirect_load_timing_info_); 476 transport_.reset(); 477 http_stream_parser_.reset(); 478 return ERR_HTTPS_PROXY_TUNNEL_RESPONSE; 479 } 480 481 // We're not using an HTTPS proxy, or we couldn't sanitize the redirect. 482 LogBlockedTunnelResponse(); 483 return ERR_TUNNEL_CONNECTION_FAILED; 484 485 case 407: // Proxy Authentication Required 486 // We need this status code to allow proxy authentication. Our 487 // authentication code is smart enough to avoid being tricked by an 488 // active network attacker. 489 // The next state is intentionally not set as it should be STATE_NONE; 490 return HandleProxyAuthChallenge(auth_.get(), &response_, net_log_); 491 492 default: 493 // Ignore response to avoid letting the proxy impersonate the target 494 // server. (See http://crbug.com/137891.) 495 // We lose something by doing this. We have seen proxy 403, 404, and 496 // 501 response bodies that contain a useful error message. For 497 // example, Squid uses a 404 response to report the DNS error: "The 498 // domain name does not exist." 499 LogBlockedTunnelResponse(); 500 return ERR_TUNNEL_CONNECTION_FAILED; 501 } 502 } 503 504 int HttpProxyClientSocket::DoDrainBody() { 505 DCHECK(drain_buf_.get()); 506 DCHECK(transport_->is_initialized()); 507 next_state_ = STATE_DRAIN_BODY_COMPLETE; 508 return http_stream_parser_->ReadResponseBody( 509 drain_buf_.get(), kDrainBodyBufferSize, io_callback_); 510 } 511 512 int HttpProxyClientSocket::DoDrainBodyComplete(int result) { 513 if (result < 0) 514 return result; 515 516 if (http_stream_parser_->IsResponseBodyComplete()) 517 return DidDrainBodyForAuthRestart(true); 518 519 // Keep draining. 520 next_state_ = STATE_DRAIN_BODY; 521 return OK; 522 } 523 524 int HttpProxyClientSocket::DoTCPRestart() { 525 next_state_ = STATE_TCP_RESTART_COMPLETE; 526 return transport_->socket()->Connect( 527 base::Bind(&HttpProxyClientSocket::OnIOComplete, base::Unretained(this))); 528 } 529 530 int HttpProxyClientSocket::DoTCPRestartComplete(int result) { 531 if (result != OK) 532 return result; 533 534 next_state_ = STATE_GENERATE_AUTH_TOKEN; 535 return result; 536 } 537 538 } // namespace net 539
