1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 // 5 // TODO(ukai): code is similar with http_network_transaction.cc. We should 6 // think about ways to share code, if possible. 7 8 #include "net/socket_stream/socket_stream.h" 9 10 #include <set> 11 #include <string> 12 #include <vector> 13 14 #include "base/bind.h" 15 #include "base/bind_helpers.h" 16 #include "base/compiler_specific.h" 17 #include "base/logging.h" 18 #include "base/message_loop/message_loop.h" 19 #include "base/strings/string_util.h" 20 #include "base/strings/stringprintf.h" 21 #include "base/strings/utf_string_conversions.h" 22 #include "net/base/auth.h" 23 #include "net/base/io_buffer.h" 24 #include "net/base/net_errors.h" 25 #include "net/base/net_util.h" 26 #include "net/dns/host_resolver.h" 27 #include "net/http/http_auth_controller.h" 28 #include "net/http/http_network_session.h" 29 #include "net/http/http_request_headers.h" 30 #include "net/http/http_request_info.h" 31 #include "net/http/http_response_headers.h" 32 #include "net/http/http_stream_factory.h" 33 #include "net/http/http_transaction_factory.h" 34 #include "net/http/http_util.h" 35 #include "net/socket/client_socket_factory.h" 36 #include "net/socket/client_socket_handle.h" 37 #include "net/socket/socks5_client_socket.h" 38 #include "net/socket/socks_client_socket.h" 39 #include "net/socket/ssl_client_socket.h" 40 #include "net/socket/tcp_client_socket.h" 41 #include "net/socket_stream/socket_stream_metrics.h" 42 #include "net/ssl/ssl_cert_request_info.h" 43 #include "net/ssl/ssl_info.h" 44 #include "net/url_request/url_request.h" 45 #include "net/url_request/url_request_context.h" 46 47 static const int kMaxPendingSendAllowed = 32768; // 32 kilobytes. 48 static const int kReadBufferSize = 4096; 49 50 namespace net { 51 52 int SocketStream::Delegate::OnStartOpenConnection( 53 SocketStream* socket, const CompletionCallback& callback) { 54 return OK; 55 } 56 57 void SocketStream::Delegate::OnAuthRequired(SocketStream* socket, 58 AuthChallengeInfo* auth_info) { 59 // By default, no credential is available and close the connection. 60 socket->Close(); 61 } 62 63 void SocketStream::Delegate::OnSSLCertificateError( 64 SocketStream* socket, 65 const SSLInfo& ssl_info, 66 bool fatal) { 67 socket->CancelWithSSLError(ssl_info); 68 } 69 70 bool SocketStream::Delegate::CanGetCookies(SocketStream* socket, 71 const GURL& url) { 72 return true; 73 } 74 75 bool SocketStream::Delegate::CanSetCookie(SocketStream* request, 76 const GURL& url, 77 const std::string& cookie_line, 78 CookieOptions* options) { 79 return true; 80 } 81 82 SocketStream::ResponseHeaders::ResponseHeaders() : IOBuffer() {} 83 84 void SocketStream::ResponseHeaders::Realloc(size_t new_size) { 85 headers_.reset(static_cast<char*>(realloc(headers_.release(), new_size))); 86 } 87 88 SocketStream::ResponseHeaders::~ResponseHeaders() { data_ = NULL; } 89 90 SocketStream::SocketStream(const GURL& url, Delegate* delegate, 91 URLRequestContext* context, 92 CookieStore* cookie_store) 93 : delegate_(delegate), 94 url_(url), 95 max_pending_send_allowed_(kMaxPendingSendAllowed), 96 context_(context), 97 next_state_(STATE_NONE), 98 factory_(ClientSocketFactory::GetDefaultFactory()), 99 proxy_mode_(kDirectConnection), 100 proxy_url_(url), 101 pac_request_(NULL), 102 connection_(new ClientSocketHandle), 103 privacy_mode_(PRIVACY_MODE_DISABLED), 104 // Unretained() is required; without it, Bind() creates a circular 105 // dependency and the SocketStream object will not be freed. 106 io_callback_(base::Bind(&SocketStream::OnIOCompleted, 107 base::Unretained(this))), 108 read_buf_(NULL), 109 current_write_buf_(NULL), 110 waiting_for_write_completion_(false), 111 closing_(false), 112 server_closed_(false), 113 metrics_(new SocketStreamMetrics(url)), 114 cookie_store_(cookie_store) { 115 DCHECK(base::MessageLoop::current()) 116 << "The current base::MessageLoop must exist"; 117 DCHECK(base::MessageLoopForIO::IsCurrent()) 118 << "The current base::MessageLoop must be TYPE_IO"; 119 DCHECK(delegate_); 120 121 if (context_) { 122 if (!cookie_store_) 123 cookie_store_ = context_->cookie_store(); 124 125 net_log_ = BoundNetLog::Make( 126 context->net_log(), 127 NetLog::SOURCE_SOCKET_STREAM); 128 129 net_log_.BeginEvent(NetLog::TYPE_REQUEST_ALIVE); 130 } 131 } 132 133 SocketStream::UserData* SocketStream::GetUserData( 134 const void* key) const { 135 UserDataMap::const_iterator found = user_data_.find(key); 136 if (found != user_data_.end()) 137 return found->second.get(); 138 return NULL; 139 } 140 141 void SocketStream::SetUserData(const void* key, UserData* data) { 142 user_data_[key] = linked_ptr<UserData>(data); 143 } 144 145 bool SocketStream::is_secure() const { 146 return url_.SchemeIs("wss"); 147 } 148 149 void SocketStream::DetachContext() { 150 if (!context_) 151 return; 152 153 if (pac_request_) { 154 context_->proxy_service()->CancelPacRequest(pac_request_); 155 pac_request_ = NULL; 156 } 157 158 net_log_.EndEvent(NetLog::TYPE_REQUEST_ALIVE); 159 net_log_ = BoundNetLog(); 160 161 context_ = NULL; 162 cookie_store_ = NULL; 163 } 164 165 void SocketStream::CheckPrivacyMode() { 166 if (context_ && context_->network_delegate()) { 167 bool enable = context_->network_delegate()->CanEnablePrivacyMode(url_, 168 url_); 169 privacy_mode_ = enable ? PRIVACY_MODE_ENABLED : PRIVACY_MODE_DISABLED; 170 // Disable Channel ID if privacy mode is enabled. 171 if (enable) 172 server_ssl_config_.channel_id_enabled = false; 173 } 174 } 175 176 void SocketStream::Connect() { 177 DCHECK(base::MessageLoop::current()) 178 << "The current base::MessageLoop must exist"; 179 DCHECK(base::MessageLoopForIO::IsCurrent()) 180 << "The current base::MessageLoop must be TYPE_IO"; 181 if (context_) { 182 context_->ssl_config_service()->GetSSLConfig(&server_ssl_config_); 183 proxy_ssl_config_ = server_ssl_config_; 184 } 185 CheckPrivacyMode(); 186 187 DCHECK_EQ(next_state_, STATE_NONE); 188 189 AddRef(); // Released in Finish() 190 // Open a connection asynchronously, so that delegate won't be called 191 // back before returning Connect(). 192 next_state_ = STATE_BEFORE_CONNECT; 193 net_log_.BeginEvent( 194 NetLog::TYPE_SOCKET_STREAM_CONNECT, 195 NetLog::StringCallback("url", &url_.possibly_invalid_spec())); 196 base::MessageLoop::current()->PostTask( 197 FROM_HERE, base::Bind(&SocketStream::DoLoop, this, OK)); 198 } 199 200 size_t SocketStream::GetTotalSizeOfPendingWriteBufs() const { 201 size_t total_size = 0; 202 for (PendingDataQueue::const_iterator iter = pending_write_bufs_.begin(); 203 iter != pending_write_bufs_.end(); 204 ++iter) 205 total_size += (*iter)->size(); 206 return total_size; 207 } 208 209 bool SocketStream::SendData(const char* data, int len) { 210 DCHECK(base::MessageLoop::current()) 211 << "The current base::MessageLoop must exist"; 212 DCHECK(base::MessageLoopForIO::IsCurrent()) 213 << "The current base::MessageLoop must be TYPE_IO"; 214 DCHECK_GT(len, 0); 215 216 if (!connection_->socket() || 217 !connection_->socket()->IsConnected() || next_state_ == STATE_NONE) { 218 return false; 219 } 220 221 int total_buffered_bytes = len; 222 if (current_write_buf_.get()) { 223 // Since 224 // - the purpose of this check is to limit the amount of buffer used by 225 // this instance. 226 // - the DrainableIOBuffer doesn't release consumed memory. 227 // we need to use not BytesRemaining() but size() here. 228 total_buffered_bytes += current_write_buf_->size(); 229 } 230 total_buffered_bytes += GetTotalSizeOfPendingWriteBufs(); 231 if (total_buffered_bytes > max_pending_send_allowed_) 232 return false; 233 234 // TODO(tyoshino): Split data into smaller chunks e.g. 8KiB to free consumed 235 // buffer progressively 236 pending_write_bufs_.push_back(make_scoped_refptr( 237 new IOBufferWithSize(len))); 238 memcpy(pending_write_bufs_.back()->data(), data, len); 239 240 // If current_write_buf_ is not NULL, it means that a) there's ongoing write 241 // operation or b) the connection is being closed. If a), the buffer we just 242 // pushed will be automatically handled when the completion callback runs 243 // the loop, and therefore we don't need to enqueue DoLoop(). If b), it's ok 244 // to do nothing. If current_write_buf_ is NULL, to make sure DoLoop() is 245 // ran soon, enequeue it. 246 if (!current_write_buf_.get()) { 247 // Send pending data asynchronously, so that delegate won't be called 248 // back before returning from SendData(). 249 base::MessageLoop::current()->PostTask( 250 FROM_HERE, base::Bind(&SocketStream::DoLoop, this, OK)); 251 } 252 253 return true; 254 } 255 256 void SocketStream::Close() { 257 DCHECK(base::MessageLoop::current()) 258 << "The current base::MessageLoop must exist"; 259 DCHECK(base::MessageLoopForIO::IsCurrent()) 260 << "The current base::MessageLoop must be TYPE_IO"; 261 // If next_state_ is STATE_NONE, the socket was not opened, or already 262 // closed. So, return immediately. 263 // Otherwise, it might call Finish() more than once, so breaks balance 264 // of AddRef() and Release() in Connect() and Finish(), respectively. 265 if (next_state_ == STATE_NONE) 266 return; 267 base::MessageLoop::current()->PostTask( 268 FROM_HERE, base::Bind(&SocketStream::DoClose, this)); 269 } 270 271 void SocketStream::RestartWithAuth(const AuthCredentials& credentials) { 272 DCHECK(base::MessageLoop::current()) 273 << "The current base::MessageLoop must exist"; 274 DCHECK(base::MessageLoopForIO::IsCurrent()) 275 << "The current base::MessageLoop must be TYPE_IO"; 276 DCHECK(proxy_auth_controller_.get()); 277 if (!connection_->socket()) { 278 DVLOG(1) << "Socket is closed before restarting with auth."; 279 return; 280 } 281 282 proxy_auth_controller_->ResetAuth(credentials); 283 284 base::MessageLoop::current()->PostTask( 285 FROM_HERE, base::Bind(&SocketStream::DoRestartWithAuth, this)); 286 } 287 288 void SocketStream::DetachDelegate() { 289 if (!delegate_) 290 return; 291 delegate_ = NULL; 292 // Prevent the rest of the function from executing if we are being called from 293 // within Finish(). 294 if (next_state_ == STATE_NONE) 295 return; 296 net_log_.AddEvent(NetLog::TYPE_CANCELLED); 297 // We don't need to send pending data when client detach the delegate. 298 pending_write_bufs_.clear(); 299 Close(); 300 } 301 302 const ProxyServer& SocketStream::proxy_server() const { 303 return proxy_info_.proxy_server(); 304 } 305 306 void SocketStream::SetClientSocketFactory( 307 ClientSocketFactory* factory) { 308 DCHECK(factory); 309 factory_ = factory; 310 } 311 312 void SocketStream::CancelWithError(int error) { 313 base::MessageLoop::current()->PostTask( 314 FROM_HERE, base::Bind(&SocketStream::DoLoop, this, error)); 315 } 316 317 void SocketStream::CancelWithSSLError(const SSLInfo& ssl_info) { 318 CancelWithError(MapCertStatusToNetError(ssl_info.cert_status)); 319 } 320 321 void SocketStream::ContinueDespiteError() { 322 base::MessageLoop::current()->PostTask( 323 FROM_HERE, base::Bind(&SocketStream::DoLoop, this, OK)); 324 } 325 326 SocketStream::~SocketStream() { 327 DetachContext(); 328 DCHECK(!delegate_); 329 DCHECK(!pac_request_); 330 } 331 332 SocketStream::RequestHeaders::~RequestHeaders() { data_ = NULL; } 333 334 void SocketStream::set_addresses(const AddressList& addresses) { 335 addresses_ = addresses; 336 } 337 338 void SocketStream::DoClose() { 339 closing_ = true; 340 // If next_state_ is: 341 // - STATE_TCP_CONNECT_COMPLETE, it's waiting other socket establishing 342 // connection. 343 // - STATE_AUTH_REQUIRED, it's waiting for restarting. 344 // - STATE_RESOLVE_PROTOCOL_COMPLETE, it's waiting for delegate_ to finish 345 // OnStartOpenConnection method call 346 // In these states, we'll close the SocketStream now. 347 if (next_state_ == STATE_TCP_CONNECT_COMPLETE || 348 next_state_ == STATE_AUTH_REQUIRED || 349 next_state_ == STATE_RESOLVE_PROTOCOL_COMPLETE) { 350 DoLoop(ERR_ABORTED); 351 return; 352 } 353 // If next_state_ is STATE_READ_WRITE, we'll run DoLoop and close 354 // the SocketStream. 355 // If it's writing now, we should defer the closing after the current 356 // writing is completed. 357 if (next_state_ == STATE_READ_WRITE && !current_write_buf_.get()) 358 DoLoop(ERR_ABORTED); 359 360 // In other next_state_, we'll wait for callback of other APIs, such as 361 // ResolveProxy(). 362 } 363 364 void SocketStream::Finish(int result) { 365 DCHECK(base::MessageLoop::current()) 366 << "The current base::MessageLoop must exist"; 367 DCHECK(base::MessageLoopForIO::IsCurrent()) 368 << "The current base::MessageLoop must be TYPE_IO"; 369 DCHECK_LE(result, OK); 370 if (result == OK) 371 result = ERR_CONNECTION_CLOSED; 372 DCHECK_EQ(next_state_, STATE_NONE); 373 DVLOG(1) << "Finish result=" << ErrorToString(result); 374 375 metrics_->OnClose(); 376 377 if (result != ERR_CONNECTION_CLOSED && delegate_) 378 delegate_->OnError(this, result); 379 if (result != ERR_PROTOCOL_SWITCHED && delegate_) 380 delegate_->OnClose(this); 381 delegate_ = NULL; 382 383 Release(); 384 } 385 386 int SocketStream::DidEstablishConnection() { 387 if (!connection_->socket() || !connection_->socket()->IsConnected()) { 388 next_state_ = STATE_CLOSE; 389 return ERR_CONNECTION_FAILED; 390 } 391 next_state_ = STATE_READ_WRITE; 392 metrics_->OnConnected(); 393 394 net_log_.EndEvent(NetLog::TYPE_SOCKET_STREAM_CONNECT); 395 if (delegate_) 396 delegate_->OnConnected(this, max_pending_send_allowed_); 397 398 return OK; 399 } 400 401 int SocketStream::DidReceiveData(int result) { 402 DCHECK(read_buf_.get()); 403 DCHECK_GT(result, 0); 404 net_log_.AddEvent(NetLog::TYPE_SOCKET_STREAM_RECEIVED); 405 int len = result; 406 metrics_->OnRead(len); 407 if (delegate_) { 408 // Notify recevied data to delegate. 409 delegate_->OnReceivedData(this, read_buf_->data(), len); 410 } 411 read_buf_ = NULL; 412 return OK; 413 } 414 415 void SocketStream::DidSendData(int result) { 416 DCHECK_GT(result, 0); 417 DCHECK(current_write_buf_.get()); 418 net_log_.AddEvent(NetLog::TYPE_SOCKET_STREAM_SENT); 419 420 int bytes_sent = result; 421 422 metrics_->OnWrite(bytes_sent); 423 424 current_write_buf_->DidConsume(result); 425 426 if (current_write_buf_->BytesRemaining()) 427 return; 428 429 size_t bytes_freed = current_write_buf_->size(); 430 431 current_write_buf_ = NULL; 432 433 // We freed current_write_buf_ and this instance is now able to accept more 434 // data via SendData() (note that DidConsume() doesn't free consumed memory). 435 // We can tell that to delegate_ by calling OnSentData(). 436 if (delegate_) 437 delegate_->OnSentData(this, bytes_freed); 438 } 439 440 void SocketStream::OnIOCompleted(int result) { 441 DoLoop(result); 442 } 443 444 void SocketStream::OnReadCompleted(int result) { 445 if (result == 0) { 446 // 0 indicates end-of-file, so socket was closed. 447 // Don't close the socket if it's still writing. 448 server_closed_ = true; 449 } else if (result > 0 && read_buf_.get()) { 450 result = DidReceiveData(result); 451 } 452 DoLoop(result); 453 } 454 455 void SocketStream::OnWriteCompleted(int result) { 456 waiting_for_write_completion_ = false; 457 if (result > 0) { 458 DidSendData(result); 459 result = OK; 460 } 461 DoLoop(result); 462 } 463 464 void SocketStream::DoLoop(int result) { 465 if (next_state_ == STATE_NONE) 466 return; 467 468 // If context was not set, close immediately. 469 if (!context_) 470 next_state_ = STATE_CLOSE; 471 472 do { 473 State state = next_state_; 474 next_state_ = STATE_NONE; 475 switch (state) { 476 case STATE_BEFORE_CONNECT: 477 DCHECK_EQ(OK, result); 478 result = DoBeforeConnect(); 479 break; 480 case STATE_BEFORE_CONNECT_COMPLETE: 481 result = DoBeforeConnectComplete(result); 482 break; 483 case STATE_RESOLVE_PROXY: 484 DCHECK_EQ(OK, result); 485 result = DoResolveProxy(); 486 break; 487 case STATE_RESOLVE_PROXY_COMPLETE: 488 result = DoResolveProxyComplete(result); 489 break; 490 case STATE_RESOLVE_HOST: 491 DCHECK_EQ(OK, result); 492 result = DoResolveHost(); 493 break; 494 case STATE_RESOLVE_HOST_COMPLETE: 495 result = DoResolveHostComplete(result); 496 break; 497 case STATE_RESOLVE_PROTOCOL: 498 result = DoResolveProtocol(result); 499 break; 500 case STATE_RESOLVE_PROTOCOL_COMPLETE: 501 result = DoResolveProtocolComplete(result); 502 break; 503 case STATE_TCP_CONNECT: 504 result = DoTcpConnect(result); 505 break; 506 case STATE_TCP_CONNECT_COMPLETE: 507 result = DoTcpConnectComplete(result); 508 break; 509 case STATE_GENERATE_PROXY_AUTH_TOKEN: 510 result = DoGenerateProxyAuthToken(); 511 break; 512 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 513 result = DoGenerateProxyAuthTokenComplete(result); 514 break; 515 case STATE_WRITE_TUNNEL_HEADERS: 516 DCHECK_EQ(OK, result); 517 result = DoWriteTunnelHeaders(); 518 break; 519 case STATE_WRITE_TUNNEL_HEADERS_COMPLETE: 520 result = DoWriteTunnelHeadersComplete(result); 521 break; 522 case STATE_READ_TUNNEL_HEADERS: 523 DCHECK_EQ(OK, result); 524 result = DoReadTunnelHeaders(); 525 break; 526 case STATE_READ_TUNNEL_HEADERS_COMPLETE: 527 result = DoReadTunnelHeadersComplete(result); 528 break; 529 case STATE_SOCKS_CONNECT: 530 DCHECK_EQ(OK, result); 531 result = DoSOCKSConnect(); 532 break; 533 case STATE_SOCKS_CONNECT_COMPLETE: 534 result = DoSOCKSConnectComplete(result); 535 break; 536 case STATE_SECURE_PROXY_CONNECT: 537 DCHECK_EQ(OK, result); 538 result = DoSecureProxyConnect(); 539 break; 540 case STATE_SECURE_PROXY_CONNECT_COMPLETE: 541 result = DoSecureProxyConnectComplete(result); 542 break; 543 case STATE_SECURE_PROXY_HANDLE_CERT_ERROR: 544 result = DoSecureProxyHandleCertError(result); 545 break; 546 case STATE_SECURE_PROXY_HANDLE_CERT_ERROR_COMPLETE: 547 result = DoSecureProxyHandleCertErrorComplete(result); 548 break; 549 case STATE_SSL_CONNECT: 550 DCHECK_EQ(OK, result); 551 result = DoSSLConnect(); 552 break; 553 case STATE_SSL_CONNECT_COMPLETE: 554 result = DoSSLConnectComplete(result); 555 break; 556 case STATE_SSL_HANDLE_CERT_ERROR: 557 result = DoSSLHandleCertError(result); 558 break; 559 case STATE_SSL_HANDLE_CERT_ERROR_COMPLETE: 560 result = DoSSLHandleCertErrorComplete(result); 561 break; 562 case STATE_READ_WRITE: 563 result = DoReadWrite(result); 564 break; 565 case STATE_AUTH_REQUIRED: 566 // It might be called when DoClose is called while waiting in 567 // STATE_AUTH_REQUIRED. 568 Finish(result); 569 return; 570 case STATE_CLOSE: 571 DCHECK_LE(result, OK); 572 Finish(result); 573 return; 574 default: 575 NOTREACHED() << "bad state " << state; 576 Finish(result); 577 return; 578 } 579 if (state == STATE_RESOLVE_PROTOCOL && result == ERR_PROTOCOL_SWITCHED) 580 continue; 581 // If the connection is not established yet and had actual errors, 582 // record the error. In next iteration, it will close the connection. 583 if (state != STATE_READ_WRITE && result < ERR_IO_PENDING) { 584 net_log_.EndEventWithNetErrorCode( 585 NetLog::TYPE_SOCKET_STREAM_CONNECT, result); 586 } 587 } while (result != ERR_IO_PENDING); 588 } 589 590 int SocketStream::DoBeforeConnect() { 591 next_state_ = STATE_BEFORE_CONNECT_COMPLETE; 592 if (!context_ || !context_->network_delegate()) 593 return OK; 594 595 int result = context_->network_delegate()->NotifyBeforeSocketStreamConnect( 596 this, io_callback_); 597 if (result != OK && result != ERR_IO_PENDING) 598 next_state_ = STATE_CLOSE; 599 600 return result; 601 } 602 603 int SocketStream::DoBeforeConnectComplete(int result) { 604 DCHECK_NE(ERR_IO_PENDING, result); 605 606 if (result == OK) 607 next_state_ = STATE_RESOLVE_PROXY; 608 else 609 next_state_ = STATE_CLOSE; 610 611 return result; 612 } 613 614 int SocketStream::DoResolveProxy() { 615 DCHECK(context_); 616 DCHECK(!pac_request_); 617 next_state_ = STATE_RESOLVE_PROXY_COMPLETE; 618 619 if (!proxy_url_.is_valid()) { 620 next_state_ = STATE_CLOSE; 621 return ERR_INVALID_ARGUMENT; 622 } 623 624 // TODO(toyoshim): Check server advertisement of SPDY through the HTTP 625 // Alternate-Protocol header, then switch to SPDY if SPDY is available. 626 // Usually we already have a session to the SPDY server because JavaScript 627 // running WebSocket itself would be served by SPDY. But, in some situation 628 // (E.g. Used by Chrome Extensions or used for cross origin connection), this 629 // connection might be the first one. At that time, we should check 630 // Alternate-Protocol header here for ws:// or TLS NPN extension for wss:// . 631 632 return context_->proxy_service()->ResolveProxy( 633 proxy_url_, &proxy_info_, io_callback_, &pac_request_, net_log_); 634 } 635 636 int SocketStream::DoResolveProxyComplete(int result) { 637 pac_request_ = NULL; 638 if (result != OK) { 639 DVLOG(1) << "Failed to resolve proxy: " << result; 640 if (delegate_) 641 delegate_->OnError(this, result); 642 proxy_info_.UseDirect(); 643 } 644 if (proxy_info_.is_direct()) { 645 // If proxy was not found for original URL (i.e. websocket URL), 646 // try again with https URL, like Safari implementation. 647 // Note that we don't want to use http proxy, because we'll use tunnel 648 // proxy using CONNECT method, which is used by https proxy. 649 if (!proxy_url_.SchemeIs("https")) { 650 const std::string scheme = "https"; 651 GURL::Replacements repl; 652 repl.SetSchemeStr(scheme); 653 proxy_url_ = url_.ReplaceComponents(repl); 654 DVLOG(1) << "Try https proxy: " << proxy_url_; 655 next_state_ = STATE_RESOLVE_PROXY; 656 return OK; 657 } 658 } 659 660 if (proxy_info_.is_empty()) { 661 // No proxies/direct to choose from. This happens when we don't support any 662 // of the proxies in the returned list. 663 return ERR_NO_SUPPORTED_PROXIES; 664 } 665 666 next_state_ = STATE_RESOLVE_HOST; 667 return OK; 668 } 669 670 int SocketStream::DoResolveHost() { 671 next_state_ = STATE_RESOLVE_HOST_COMPLETE; 672 673 DCHECK(!proxy_info_.is_empty()); 674 if (proxy_info_.is_direct()) 675 proxy_mode_ = kDirectConnection; 676 else if (proxy_info_.proxy_server().is_socks()) 677 proxy_mode_ = kSOCKSProxy; 678 else 679 proxy_mode_ = kTunnelProxy; 680 681 // Determine the host and port to connect to. 682 HostPortPair host_port_pair; 683 if (proxy_mode_ != kDirectConnection) { 684 host_port_pair = proxy_info_.proxy_server().host_port_pair(); 685 } else { 686 host_port_pair = HostPortPair::FromURL(url_); 687 } 688 689 HostResolver::RequestInfo resolve_info(host_port_pair); 690 691 DCHECK(context_->host_resolver()); 692 resolver_.reset(new SingleRequestHostResolver(context_->host_resolver())); 693 return resolver_->Resolve(resolve_info, 694 DEFAULT_PRIORITY, 695 &addresses_, 696 base::Bind(&SocketStream::OnIOCompleted, this), 697 net_log_); 698 } 699 700 int SocketStream::DoResolveHostComplete(int result) { 701 if (result == OK) 702 next_state_ = STATE_RESOLVE_PROTOCOL; 703 else 704 next_state_ = STATE_CLOSE; 705 // TODO(ukai): if error occured, reconsider proxy after error. 706 return result; 707 } 708 709 int SocketStream::DoResolveProtocol(int result) { 710 DCHECK_EQ(OK, result); 711 712 if (!delegate_) { 713 next_state_ = STATE_CLOSE; 714 return result; 715 } 716 717 next_state_ = STATE_RESOLVE_PROTOCOL_COMPLETE; 718 result = delegate_->OnStartOpenConnection(this, io_callback_); 719 if (result == ERR_IO_PENDING) 720 metrics_->OnWaitConnection(); 721 else if (result != OK && result != ERR_PROTOCOL_SWITCHED) 722 next_state_ = STATE_CLOSE; 723 return result; 724 } 725 726 int SocketStream::DoResolveProtocolComplete(int result) { 727 DCHECK_NE(ERR_IO_PENDING, result); 728 729 if (result == ERR_PROTOCOL_SWITCHED) { 730 next_state_ = STATE_CLOSE; 731 metrics_->OnCountWireProtocolType( 732 SocketStreamMetrics::WIRE_PROTOCOL_SPDY); 733 } else if (result == OK) { 734 next_state_ = STATE_TCP_CONNECT; 735 metrics_->OnCountWireProtocolType( 736 SocketStreamMetrics::WIRE_PROTOCOL_WEBSOCKET); 737 } else { 738 next_state_ = STATE_CLOSE; 739 } 740 return result; 741 } 742 743 int SocketStream::DoTcpConnect(int result) { 744 if (result != OK) { 745 next_state_ = STATE_CLOSE; 746 return result; 747 } 748 next_state_ = STATE_TCP_CONNECT_COMPLETE; 749 DCHECK(factory_); 750 connection_->SetSocket( 751 factory_->CreateTransportClientSocket(addresses_, 752 net_log_.net_log(), 753 net_log_.source())); 754 metrics_->OnStartConnection(); 755 return connection_->socket()->Connect(io_callback_); 756 } 757 758 int SocketStream::DoTcpConnectComplete(int result) { 759 // TODO(ukai): if error occured, reconsider proxy after error. 760 if (result != OK) { 761 next_state_ = STATE_CLOSE; 762 return result; 763 } 764 765 if (proxy_mode_ == kTunnelProxy) { 766 if (proxy_info_.is_https()) 767 next_state_ = STATE_SECURE_PROXY_CONNECT; 768 else 769 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 770 } else if (proxy_mode_ == kSOCKSProxy) { 771 next_state_ = STATE_SOCKS_CONNECT; 772 } else if (is_secure()) { 773 next_state_ = STATE_SSL_CONNECT; 774 } else { 775 result = DidEstablishConnection(); 776 } 777 return result; 778 } 779 780 int SocketStream::DoGenerateProxyAuthToken() { 781 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE; 782 if (!proxy_auth_controller_.get()) { 783 DCHECK(context_); 784 DCHECK(context_->http_transaction_factory()); 785 DCHECK(context_->http_transaction_factory()->GetSession()); 786 HttpNetworkSession* session = 787 context_->http_transaction_factory()->GetSession(); 788 const char* scheme = proxy_info_.is_https() ? "https://" : "http://"; 789 GURL auth_url(scheme + 790 proxy_info_.proxy_server().host_port_pair().ToString()); 791 proxy_auth_controller_ = 792 new HttpAuthController(HttpAuth::AUTH_PROXY, 793 auth_url, 794 session->http_auth_cache(), 795 session->http_auth_handler_factory()); 796 } 797 HttpRequestInfo request_info; 798 request_info.url = url_; 799 request_info.method = "CONNECT"; 800 return proxy_auth_controller_->MaybeGenerateAuthToken( 801 &request_info, io_callback_, net_log_); 802 } 803 804 int SocketStream::DoGenerateProxyAuthTokenComplete(int result) { 805 if (result != OK) { 806 next_state_ = STATE_CLOSE; 807 return result; 808 } 809 810 next_state_ = STATE_WRITE_TUNNEL_HEADERS; 811 return result; 812 } 813 814 int SocketStream::DoWriteTunnelHeaders() { 815 DCHECK_EQ(kTunnelProxy, proxy_mode_); 816 817 next_state_ = STATE_WRITE_TUNNEL_HEADERS_COMPLETE; 818 819 if (!tunnel_request_headers_.get()) { 820 metrics_->OnCountConnectionType(SocketStreamMetrics::TUNNEL_CONNECTION); 821 tunnel_request_headers_ = new RequestHeaders(); 822 tunnel_request_headers_bytes_sent_ = 0; 823 } 824 if (tunnel_request_headers_->headers_.empty()) { 825 HttpRequestHeaders request_headers; 826 request_headers.SetHeader("Host", GetHostAndOptionalPort(url_)); 827 request_headers.SetHeader("Proxy-Connection", "keep-alive"); 828 if (proxy_auth_controller_.get() && proxy_auth_controller_->HaveAuth()) 829 proxy_auth_controller_->AddAuthorizationHeader(&request_headers); 830 tunnel_request_headers_->headers_ = base::StringPrintf( 831 "CONNECT %s HTTP/1.1\r\n" 832 "%s", 833 GetHostAndPort(url_).c_str(), 834 request_headers.ToString().c_str()); 835 } 836 tunnel_request_headers_->SetDataOffset(tunnel_request_headers_bytes_sent_); 837 int buf_len = static_cast<int>(tunnel_request_headers_->headers_.size() - 838 tunnel_request_headers_bytes_sent_); 839 DCHECK_GT(buf_len, 0); 840 return connection_->socket()->Write( 841 tunnel_request_headers_.get(), buf_len, io_callback_); 842 } 843 844 int SocketStream::DoWriteTunnelHeadersComplete(int result) { 845 DCHECK_EQ(kTunnelProxy, proxy_mode_); 846 847 if (result < 0) { 848 next_state_ = STATE_CLOSE; 849 return result; 850 } 851 852 tunnel_request_headers_bytes_sent_ += result; 853 if (tunnel_request_headers_bytes_sent_ < 854 tunnel_request_headers_->headers_.size()) { 855 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 856 } else { 857 // Handling a cert error or a client cert request requires reconnection. 858 // DoWriteTunnelHeaders() will be called again. 859 // Thus |tunnel_request_headers_bytes_sent_| should be reset to 0 for 860 // sending |tunnel_request_headers_| correctly. 861 tunnel_request_headers_bytes_sent_ = 0; 862 next_state_ = STATE_READ_TUNNEL_HEADERS; 863 } 864 return OK; 865 } 866 867 int SocketStream::DoReadTunnelHeaders() { 868 DCHECK_EQ(kTunnelProxy, proxy_mode_); 869 870 next_state_ = STATE_READ_TUNNEL_HEADERS_COMPLETE; 871 872 if (!tunnel_response_headers_.get()) { 873 tunnel_response_headers_ = new ResponseHeaders(); 874 tunnel_response_headers_capacity_ = kMaxTunnelResponseHeadersSize; 875 tunnel_response_headers_->Realloc(tunnel_response_headers_capacity_); 876 tunnel_response_headers_len_ = 0; 877 } 878 879 int buf_len = tunnel_response_headers_capacity_ - 880 tunnel_response_headers_len_; 881 tunnel_response_headers_->SetDataOffset(tunnel_response_headers_len_); 882 CHECK(tunnel_response_headers_->data()); 883 884 return connection_->socket()->Read( 885 tunnel_response_headers_.get(), buf_len, io_callback_); 886 } 887 888 int SocketStream::DoReadTunnelHeadersComplete(int result) { 889 DCHECK_EQ(kTunnelProxy, proxy_mode_); 890 891 if (result < 0) { 892 next_state_ = STATE_CLOSE; 893 return result; 894 } 895 896 if (result == 0) { 897 // 0 indicates end-of-file, so socket was closed. 898 next_state_ = STATE_CLOSE; 899 return ERR_CONNECTION_CLOSED; 900 } 901 902 tunnel_response_headers_len_ += result; 903 DCHECK(tunnel_response_headers_len_ <= tunnel_response_headers_capacity_); 904 905 int eoh = HttpUtil::LocateEndOfHeaders( 906 tunnel_response_headers_->headers(), tunnel_response_headers_len_, 0); 907 if (eoh == -1) { 908 if (tunnel_response_headers_len_ >= kMaxTunnelResponseHeadersSize) { 909 next_state_ = STATE_CLOSE; 910 return ERR_RESPONSE_HEADERS_TOO_BIG; 911 } 912 913 next_state_ = STATE_READ_TUNNEL_HEADERS; 914 return OK; 915 } 916 // DidReadResponseHeaders 917 scoped_refptr<HttpResponseHeaders> headers; 918 headers = new HttpResponseHeaders( 919 HttpUtil::AssembleRawHeaders(tunnel_response_headers_->headers(), eoh)); 920 if (headers->GetParsedHttpVersion() < HttpVersion(1, 0)) { 921 // Require the "HTTP/1.x" status line. 922 next_state_ = STATE_CLOSE; 923 return ERR_TUNNEL_CONNECTION_FAILED; 924 } 925 switch (headers->response_code()) { 926 case 200: // OK 927 if (is_secure()) { 928 DCHECK_EQ(eoh, tunnel_response_headers_len_); 929 next_state_ = STATE_SSL_CONNECT; 930 } else { 931 result = DidEstablishConnection(); 932 if (result < 0) { 933 next_state_ = STATE_CLOSE; 934 return result; 935 } 936 if ((eoh < tunnel_response_headers_len_) && delegate_) 937 delegate_->OnReceivedData( 938 this, tunnel_response_headers_->headers() + eoh, 939 tunnel_response_headers_len_ - eoh); 940 } 941 return OK; 942 case 407: // Proxy Authentication Required. 943 if (proxy_mode_ != kTunnelProxy) 944 return ERR_UNEXPECTED_PROXY_AUTH; 945 946 result = proxy_auth_controller_->HandleAuthChallenge( 947 headers, false, true, net_log_); 948 if (result != OK) 949 return result; 950 DCHECK(!proxy_info_.is_empty()); 951 next_state_ = STATE_AUTH_REQUIRED; 952 if (proxy_auth_controller_->HaveAuth()) { 953 base::MessageLoop::current()->PostTask( 954 FROM_HERE, base::Bind(&SocketStream::DoRestartWithAuth, this)); 955 return ERR_IO_PENDING; 956 } 957 if (delegate_) { 958 // Wait until RestartWithAuth or Close is called. 959 base::MessageLoop::current()->PostTask( 960 FROM_HERE, base::Bind(&SocketStream::DoAuthRequired, this)); 961 return ERR_IO_PENDING; 962 } 963 break; 964 default: 965 break; 966 } 967 next_state_ = STATE_CLOSE; 968 return ERR_TUNNEL_CONNECTION_FAILED; 969 } 970 971 int SocketStream::DoSOCKSConnect() { 972 DCHECK_EQ(kSOCKSProxy, proxy_mode_); 973 974 next_state_ = STATE_SOCKS_CONNECT_COMPLETE; 975 976 HostResolver::RequestInfo req_info(HostPortPair::FromURL(url_)); 977 978 DCHECK(!proxy_info_.is_empty()); 979 scoped_ptr<StreamSocket> s; 980 if (proxy_info_.proxy_server().scheme() == ProxyServer::SCHEME_SOCKS5) { 981 s.reset(new SOCKS5ClientSocket(connection_.Pass(), req_info)); 982 } else { 983 s.reset(new SOCKSClientSocket(connection_.Pass(), 984 req_info, 985 DEFAULT_PRIORITY, 986 context_->host_resolver())); 987 } 988 connection_.reset(new ClientSocketHandle); 989 connection_->SetSocket(s.Pass()); 990 metrics_->OnCountConnectionType(SocketStreamMetrics::SOCKS_CONNECTION); 991 return connection_->socket()->Connect(io_callback_); 992 } 993 994 int SocketStream::DoSOCKSConnectComplete(int result) { 995 DCHECK_EQ(kSOCKSProxy, proxy_mode_); 996 997 if (result == OK) { 998 if (is_secure()) 999 next_state_ = STATE_SSL_CONNECT; 1000 else 1001 result = DidEstablishConnection(); 1002 } else { 1003 next_state_ = STATE_CLOSE; 1004 } 1005 return result; 1006 } 1007 1008 int SocketStream::DoSecureProxyConnect() { 1009 DCHECK(factory_); 1010 SSLClientSocketContext ssl_context; 1011 ssl_context.cert_verifier = context_->cert_verifier(); 1012 ssl_context.transport_security_state = context_->transport_security_state(); 1013 ssl_context.server_bound_cert_service = context_->server_bound_cert_service(); 1014 scoped_ptr<StreamSocket> socket(factory_->CreateSSLClientSocket( 1015 connection_.Pass(), 1016 proxy_info_.proxy_server().host_port_pair(), 1017 proxy_ssl_config_, 1018 ssl_context)); 1019 connection_.reset(new ClientSocketHandle); 1020 connection_->SetSocket(socket.Pass()); 1021 next_state_ = STATE_SECURE_PROXY_CONNECT_COMPLETE; 1022 metrics_->OnCountConnectionType(SocketStreamMetrics::SECURE_PROXY_CONNECTION); 1023 return connection_->socket()->Connect(io_callback_); 1024 } 1025 1026 int SocketStream::DoSecureProxyConnectComplete(int result) { 1027 DCHECK_EQ(STATE_NONE, next_state_); 1028 // Reconnect with client authentication. 1029 if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) 1030 return HandleCertificateRequest(result, &proxy_ssl_config_); 1031 1032 if (IsCertificateError(result)) 1033 next_state_ = STATE_SECURE_PROXY_HANDLE_CERT_ERROR; 1034 else if (result == OK) 1035 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 1036 else 1037 next_state_ = STATE_CLOSE; 1038 return result; 1039 } 1040 1041 int SocketStream::DoSecureProxyHandleCertError(int result) { 1042 DCHECK_EQ(STATE_NONE, next_state_); 1043 DCHECK(IsCertificateError(result)); 1044 result = HandleCertificateError(result); 1045 if (result == ERR_IO_PENDING) 1046 next_state_ = STATE_SECURE_PROXY_HANDLE_CERT_ERROR_COMPLETE; 1047 else 1048 next_state_ = STATE_CLOSE; 1049 return result; 1050 } 1051 1052 int SocketStream::DoSecureProxyHandleCertErrorComplete(int result) { 1053 DCHECK_EQ(STATE_NONE, next_state_); 1054 if (result == OK) { 1055 if (!connection_->socket()->IsConnectedAndIdle()) 1056 return AllowCertErrorForReconnection(&proxy_ssl_config_); 1057 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 1058 } else { 1059 next_state_ = STATE_CLOSE; 1060 } 1061 return result; 1062 } 1063 1064 int SocketStream::DoSSLConnect() { 1065 DCHECK(factory_); 1066 SSLClientSocketContext ssl_context; 1067 ssl_context.cert_verifier = context_->cert_verifier(); 1068 ssl_context.transport_security_state = context_->transport_security_state(); 1069 ssl_context.server_bound_cert_service = context_->server_bound_cert_service(); 1070 scoped_ptr<StreamSocket> socket( 1071 factory_->CreateSSLClientSocket(connection_.Pass(), 1072 HostPortPair::FromURL(url_), 1073 server_ssl_config_, 1074 ssl_context)); 1075 connection_.reset(new ClientSocketHandle); 1076 connection_->SetSocket(socket.Pass()); 1077 next_state_ = STATE_SSL_CONNECT_COMPLETE; 1078 metrics_->OnCountConnectionType(SocketStreamMetrics::SSL_CONNECTION); 1079 return connection_->socket()->Connect(io_callback_); 1080 } 1081 1082 int SocketStream::DoSSLConnectComplete(int result) { 1083 DCHECK_EQ(STATE_NONE, next_state_); 1084 // Reconnect with client authentication. 1085 if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) 1086 return HandleCertificateRequest(result, &server_ssl_config_); 1087 1088 if (IsCertificateError(result)) 1089 next_state_ = STATE_SSL_HANDLE_CERT_ERROR; 1090 else if (result == OK) 1091 result = DidEstablishConnection(); 1092 else 1093 next_state_ = STATE_CLOSE; 1094 return result; 1095 } 1096 1097 int SocketStream::DoSSLHandleCertError(int result) { 1098 DCHECK_EQ(STATE_NONE, next_state_); 1099 DCHECK(IsCertificateError(result)); 1100 result = HandleCertificateError(result); 1101 if (result == OK || result == ERR_IO_PENDING) 1102 next_state_ = STATE_SSL_HANDLE_CERT_ERROR_COMPLETE; 1103 else 1104 next_state_ = STATE_CLOSE; 1105 return result; 1106 } 1107 1108 int SocketStream::DoSSLHandleCertErrorComplete(int result) { 1109 DCHECK_EQ(STATE_NONE, next_state_); 1110 // TODO(toyoshim): Upgrade to SPDY through TLS NPN extension if possible. 1111 // If we use HTTPS and this is the first connection to the SPDY server, 1112 // we should take care of TLS NPN extension here. 1113 1114 if (result == OK) { 1115 if (!connection_->socket()->IsConnectedAndIdle()) 1116 return AllowCertErrorForReconnection(&server_ssl_config_); 1117 result = DidEstablishConnection(); 1118 } else { 1119 next_state_ = STATE_CLOSE; 1120 } 1121 return result; 1122 } 1123 1124 int SocketStream::DoReadWrite(int result) { 1125 if (result < OK) { 1126 next_state_ = STATE_CLOSE; 1127 return result; 1128 } 1129 if (!connection_->socket() || !connection_->socket()->IsConnected()) { 1130 next_state_ = STATE_CLOSE; 1131 return ERR_CONNECTION_CLOSED; 1132 } 1133 1134 // If client has requested close(), and there's nothing to write, then 1135 // let's close the socket. 1136 // We don't care about receiving data after the socket is closed. 1137 if (closing_ && !current_write_buf_.get() && pending_write_bufs_.empty()) { 1138 connection_->socket()->Disconnect(); 1139 next_state_ = STATE_CLOSE; 1140 return OK; 1141 } 1142 1143 next_state_ = STATE_READ_WRITE; 1144 1145 // If server already closed the socket, we don't try to read. 1146 if (!server_closed_) { 1147 if (!read_buf_.get()) { 1148 // No read pending and server didn't close the socket. 1149 read_buf_ = new IOBuffer(kReadBufferSize); 1150 result = connection_->socket()->Read( 1151 read_buf_.get(), 1152 kReadBufferSize, 1153 base::Bind(&SocketStream::OnReadCompleted, base::Unretained(this))); 1154 if (result > 0) { 1155 return DidReceiveData(result); 1156 } else if (result == 0) { 1157 // 0 indicates end-of-file, so socket was closed. 1158 next_state_ = STATE_CLOSE; 1159 server_closed_ = true; 1160 return ERR_CONNECTION_CLOSED; 1161 } 1162 // If read is pending, try write as well. 1163 // Otherwise, return the result and do next loop (to close the 1164 // connection). 1165 if (result != ERR_IO_PENDING) { 1166 next_state_ = STATE_CLOSE; 1167 server_closed_ = true; 1168 return result; 1169 } 1170 } 1171 // Read is pending. 1172 DCHECK(read_buf_.get()); 1173 } 1174 1175 if (waiting_for_write_completion_) 1176 return ERR_IO_PENDING; 1177 1178 if (!current_write_buf_.get()) { 1179 if (pending_write_bufs_.empty()) { 1180 // Nothing buffered for send. 1181 return ERR_IO_PENDING; 1182 } 1183 1184 current_write_buf_ = new DrainableIOBuffer( 1185 pending_write_bufs_.front().get(), pending_write_bufs_.front()->size()); 1186 pending_write_bufs_.pop_front(); 1187 } 1188 1189 result = connection_->socket()->Write( 1190 current_write_buf_.get(), 1191 current_write_buf_->BytesRemaining(), 1192 base::Bind(&SocketStream::OnWriteCompleted, base::Unretained(this))); 1193 1194 if (result == ERR_IO_PENDING) { 1195 waiting_for_write_completion_ = true; 1196 } else if (result < 0) { 1197 // Shortcut. Enter STATE_CLOSE now by changing next_state_ here than by 1198 // calling DoReadWrite() again with the error code. 1199 next_state_ = STATE_CLOSE; 1200 } else if (result > 0) { 1201 // Write is not pending. Return OK and do next loop. 1202 DidSendData(result); 1203 result = OK; 1204 } 1205 1206 return result; 1207 } 1208 1209 GURL SocketStream::ProxyAuthOrigin() const { 1210 DCHECK(!proxy_info_.is_empty()); 1211 return GURL("http://" + 1212 proxy_info_.proxy_server().host_port_pair().ToString()); 1213 } 1214 1215 int SocketStream::HandleCertificateRequest(int result, SSLConfig* ssl_config) { 1216 if (ssl_config->send_client_cert) { 1217 // We already have performed SSL client authentication once and failed. 1218 return result; 1219 } 1220 1221 DCHECK(connection_->socket()); 1222 scoped_refptr<SSLCertRequestInfo> cert_request_info = new SSLCertRequestInfo; 1223 SSLClientSocket* ssl_socket = 1224 static_cast<SSLClientSocket*>(connection_->socket()); 1225 ssl_socket->GetSSLCertRequestInfo(cert_request_info.get()); 1226 1227 HttpTransactionFactory* factory = context_->http_transaction_factory(); 1228 if (!factory) 1229 return result; 1230 scoped_refptr<HttpNetworkSession> session = factory->GetSession(); 1231 if (!session.get()) 1232 return result; 1233 1234 // If the user selected one of the certificates in client_certs or declined 1235 // to provide one for this server before, use the past decision 1236 // automatically. 1237 scoped_refptr<X509Certificate> client_cert; 1238 if (!session->ssl_client_auth_cache()->Lookup( 1239 cert_request_info->host_and_port, &client_cert)) { 1240 return result; 1241 } 1242 1243 // Note: |client_cert| may be NULL, indicating that the caller 1244 // wishes to proceed anonymously (eg: continue the handshake 1245 // without sending a client cert) 1246 // 1247 // Check that the certificate selected is still a certificate the server 1248 // is likely to accept, based on the criteria supplied in the 1249 // CertificateRequest message. 1250 const std::vector<std::string>& cert_authorities = 1251 cert_request_info->cert_authorities; 1252 if (client_cert.get() && !cert_authorities.empty() && 1253 !client_cert->IsIssuedByEncoded(cert_authorities)) { 1254 return result; 1255 } 1256 1257 ssl_config->send_client_cert = true; 1258 ssl_config->client_cert = client_cert; 1259 next_state_ = STATE_TCP_CONNECT; 1260 return OK; 1261 } 1262 1263 int SocketStream::AllowCertErrorForReconnection(SSLConfig* ssl_config) { 1264 DCHECK(ssl_config); 1265 // The SSL handshake didn't finish, or the server closed the SSL connection. 1266 // So, we should restart establishing connection with the certificate in 1267 // allowed bad certificates in |ssl_config|. 1268 // See also net/http/http_network_transaction.cc HandleCertificateError() and 1269 // RestartIgnoringLastError(). 1270 SSLClientSocket* ssl_socket = 1271 static_cast<SSLClientSocket*>(connection_->socket()); 1272 SSLInfo ssl_info; 1273 ssl_socket->GetSSLInfo(&ssl_info); 1274 if (ssl_info.cert.get() == NULL || 1275 ssl_config->IsAllowedBadCert(ssl_info.cert.get(), NULL)) { 1276 // If we already have the certificate in the set of allowed bad 1277 // certificates, we did try it and failed again, so we should not 1278 // retry again: the connection should fail at last. 1279 next_state_ = STATE_CLOSE; 1280 return ERR_UNEXPECTED; 1281 } 1282 // Add the bad certificate to the set of allowed certificates in the 1283 // SSL config object. 1284 SSLConfig::CertAndStatus bad_cert; 1285 if (!X509Certificate::GetDEREncoded(ssl_info.cert->os_cert_handle(), 1286 &bad_cert.der_cert)) { 1287 next_state_ = STATE_CLOSE; 1288 return ERR_UNEXPECTED; 1289 } 1290 bad_cert.cert_status = ssl_info.cert_status; 1291 ssl_config->allowed_bad_certs.push_back(bad_cert); 1292 // Restart connection ignoring the bad certificate. 1293 connection_->socket()->Disconnect(); 1294 connection_->SetSocket(scoped_ptr<StreamSocket>()); 1295 next_state_ = STATE_TCP_CONNECT; 1296 return OK; 1297 } 1298 1299 void SocketStream::DoAuthRequired() { 1300 if (delegate_ && proxy_auth_controller_.get()) 1301 delegate_->OnAuthRequired(this, proxy_auth_controller_->auth_info().get()); 1302 else 1303 DoLoop(ERR_UNEXPECTED); 1304 } 1305 1306 void SocketStream::DoRestartWithAuth() { 1307 DCHECK_EQ(next_state_, STATE_AUTH_REQUIRED); 1308 tunnel_request_headers_ = NULL; 1309 tunnel_request_headers_bytes_sent_ = 0; 1310 tunnel_response_headers_ = NULL; 1311 tunnel_response_headers_capacity_ = 0; 1312 tunnel_response_headers_len_ = 0; 1313 1314 next_state_ = STATE_TCP_CONNECT; 1315 DoLoop(OK); 1316 } 1317 1318 int SocketStream::HandleCertificateError(int result) { 1319 DCHECK(IsCertificateError(result)); 1320 SSLClientSocket* ssl_socket = 1321 static_cast<SSLClientSocket*>(connection_->socket()); 1322 DCHECK(ssl_socket); 1323 1324 if (!context_) 1325 return result; 1326 1327 if (SSLClientSocket::IgnoreCertError(result, LOAD_IGNORE_ALL_CERT_ERRORS)) { 1328 const HttpNetworkSession::Params* session_params = 1329 context_->GetNetworkSessionParams(); 1330 if (session_params && session_params->ignore_certificate_errors) 1331 return OK; 1332 } 1333 1334 if (!delegate_) 1335 return result; 1336 1337 SSLInfo ssl_info; 1338 ssl_socket->GetSSLInfo(&ssl_info); 1339 1340 TransportSecurityState* state = context_->transport_security_state(); 1341 const bool fatal = 1342 state && 1343 state->ShouldSSLErrorsBeFatal( 1344 url_.host(), 1345 SSLConfigService::IsSNIAvailable(context_->ssl_config_service())); 1346 1347 delegate_->OnSSLCertificateError(this, ssl_info, fatal); 1348 return ERR_IO_PENDING; 1349 } 1350 1351 CookieStore* SocketStream::cookie_store() const { 1352 return cookie_store_; 1353 } 1354 1355 } // namespace net 1356