1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/http/http_network_transaction.h" 6 7 #include <set> 8 #include <vector> 9 10 #include "base/bind.h" 11 #include "base/bind_helpers.h" 12 #include "base/compiler_specific.h" 13 #include "base/format_macros.h" 14 #include "base/memory/scoped_ptr.h" 15 #include "base/metrics/field_trial.h" 16 #include "base/metrics/histogram.h" 17 #include "base/metrics/stats_counters.h" 18 #include "base/stl_util.h" 19 #include "base/strings/string_number_conversions.h" 20 #include "base/strings/string_util.h" 21 #include "base/strings/stringprintf.h" 22 #include "base/time/time.h" 23 #include "base/values.h" 24 #include "build/build_config.h" 25 #include "net/base/auth.h" 26 #include "net/base/host_port_pair.h" 27 #include "net/base/io_buffer.h" 28 #include "net/base/load_flags.h" 29 #include "net/base/load_timing_info.h" 30 #include "net/base/net_errors.h" 31 #include "net/base/net_util.h" 32 #include "net/base/upload_data_stream.h" 33 #include "net/http/http_auth.h" 34 #include "net/http/http_auth_handler.h" 35 #include "net/http/http_auth_handler_factory.h" 36 #include "net/http/http_basic_stream.h" 37 #include "net/http/http_chunked_decoder.h" 38 #include "net/http/http_network_session.h" 39 #include "net/http/http_proxy_client_socket.h" 40 #include "net/http/http_proxy_client_socket_pool.h" 41 #include "net/http/http_request_headers.h" 42 #include "net/http/http_request_info.h" 43 #include "net/http/http_response_headers.h" 44 #include "net/http/http_response_info.h" 45 #include "net/http/http_server_properties.h" 46 #include "net/http/http_status_code.h" 47 #include "net/http/http_stream_base.h" 48 #include "net/http/http_stream_factory.h" 49 #include "net/http/http_util.h" 50 #include "net/http/transport_security_state.h" 51 #include "net/http/url_security_manager.h" 52 #include "net/socket/client_socket_factory.h" 53 #include "net/socket/socks_client_socket_pool.h" 54 #include "net/socket/ssl_client_socket.h" 55 #include "net/socket/ssl_client_socket_pool.h" 56 #include "net/socket/transport_client_socket_pool.h" 57 #include "net/spdy/hpack_huffman_aggregator.h" 58 #include "net/spdy/spdy_http_stream.h" 59 #include "net/spdy/spdy_session.h" 60 #include "net/spdy/spdy_session_pool.h" 61 #include "net/ssl/ssl_cert_request_info.h" 62 #include "net/ssl/ssl_connection_status_flags.h" 63 #include "url/gurl.h" 64 65 #if defined(SPDY_PROXY_AUTH_ORIGIN) 66 #include <algorithm> 67 #include "net/proxy/proxy_server.h" 68 #endif 69 70 71 using base::Time; 72 using base::TimeDelta; 73 74 namespace net { 75 76 namespace { 77 78 void ProcessAlternateProtocol( 79 HttpNetworkSession* session, 80 const HttpResponseHeaders& headers, 81 const HostPortPair& http_host_port_pair) { 82 std::string alternate_protocol_str; 83 84 if (!headers.EnumerateHeader(NULL, kAlternateProtocolHeader, 85 &alternate_protocol_str)) { 86 // Header is not present. 87 return; 88 } 89 90 session->http_stream_factory()->ProcessAlternateProtocol( 91 session->http_server_properties(), 92 alternate_protocol_str, 93 http_host_port_pair, 94 *session); 95 } 96 97 // Returns true if |error| is a client certificate authentication error. 98 bool IsClientCertificateError(int error) { 99 switch (error) { 100 case ERR_BAD_SSL_CLIENT_AUTH_CERT: 101 case ERR_SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED: 102 case ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY: 103 case ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: 104 return true; 105 default: 106 return false; 107 } 108 } 109 110 base::Value* NetLogSSLVersionFallbackCallback( 111 const GURL* url, 112 int net_error, 113 uint16 version_before, 114 uint16 version_after, 115 NetLog::LogLevel /* log_level */) { 116 base::DictionaryValue* dict = new base::DictionaryValue(); 117 dict->SetString("host_and_port", GetHostAndPort(*url)); 118 dict->SetInteger("net_error", net_error); 119 dict->SetInteger("version_before", version_before); 120 dict->SetInteger("version_after", version_after); 121 return dict; 122 } 123 124 } // namespace 125 126 //----------------------------------------------------------------------------- 127 128 HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority, 129 HttpNetworkSession* session) 130 : pending_auth_target_(HttpAuth::AUTH_NONE), 131 io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete, 132 base::Unretained(this))), 133 session_(session), 134 request_(NULL), 135 priority_(priority), 136 headers_valid_(false), 137 logged_response_time_(false), 138 fallback_error_code_(ERR_SSL_INAPPROPRIATE_FALLBACK), 139 request_headers_(), 140 read_buf_len_(0), 141 total_received_bytes_(0), 142 next_state_(STATE_NONE), 143 establishing_tunnel_(false), 144 websocket_handshake_stream_base_create_helper_(NULL) { 145 session->ssl_config_service()->GetSSLConfig(&server_ssl_config_); 146 session->GetNextProtos(&server_ssl_config_.next_protos); 147 proxy_ssl_config_ = server_ssl_config_; 148 } 149 150 HttpNetworkTransaction::~HttpNetworkTransaction() { 151 if (stream_.get()) { 152 HttpResponseHeaders* headers = GetResponseHeaders(); 153 // TODO(mbelshe): The stream_ should be able to compute whether or not the 154 // stream should be kept alive. No reason to compute here 155 // and pass it in. 156 bool try_to_keep_alive = 157 next_state_ == STATE_NONE && 158 stream_->CanFindEndOfResponse() && 159 (!headers || headers->IsKeepAlive()); 160 if (!try_to_keep_alive) { 161 stream_->Close(true /* not reusable */); 162 } else { 163 if (stream_->IsResponseBodyComplete()) { 164 // If the response body is complete, we can just reuse the socket. 165 stream_->Close(false /* reusable */); 166 } else if (stream_->IsSpdyHttpStream()) { 167 // Doesn't really matter for SpdyHttpStream. Just close it. 168 stream_->Close(true /* not reusable */); 169 } else { 170 // Otherwise, we try to drain the response body. 171 HttpStreamBase* stream = stream_.release(); 172 stream->Drain(session_); 173 } 174 } 175 } 176 177 if (request_ && request_->upload_data_stream) 178 request_->upload_data_stream->Reset(); // Invalidate pending callbacks. 179 } 180 181 int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info, 182 const CompletionCallback& callback, 183 const BoundNetLog& net_log) { 184 SIMPLE_STATS_COUNTER("HttpNetworkTransaction.Count"); 185 186 net_log_ = net_log; 187 request_ = request_info; 188 start_time_ = base::Time::Now(); 189 190 if (request_->load_flags & LOAD_DISABLE_CERT_REVOCATION_CHECKING) { 191 server_ssl_config_.rev_checking_enabled = false; 192 proxy_ssl_config_.rev_checking_enabled = false; 193 } 194 195 // Channel ID is disabled if privacy mode is enabled for this request. 196 if (request_->privacy_mode == PRIVACY_MODE_ENABLED) 197 server_ssl_config_.channel_id_enabled = false; 198 199 next_state_ = STATE_NOTIFY_BEFORE_CREATE_STREAM; 200 int rv = DoLoop(OK); 201 if (rv == ERR_IO_PENDING) 202 callback_ = callback; 203 return rv; 204 } 205 206 int HttpNetworkTransaction::RestartIgnoringLastError( 207 const CompletionCallback& callback) { 208 DCHECK(!stream_.get()); 209 DCHECK(!stream_request_.get()); 210 DCHECK_EQ(STATE_NONE, next_state_); 211 212 next_state_ = STATE_CREATE_STREAM; 213 214 int rv = DoLoop(OK); 215 if (rv == ERR_IO_PENDING) 216 callback_ = callback; 217 return rv; 218 } 219 220 int HttpNetworkTransaction::RestartWithCertificate( 221 X509Certificate* client_cert, const CompletionCallback& callback) { 222 // In HandleCertificateRequest(), we always tear down existing stream 223 // requests to force a new connection. So we shouldn't have one here. 224 DCHECK(!stream_request_.get()); 225 DCHECK(!stream_.get()); 226 DCHECK_EQ(STATE_NONE, next_state_); 227 228 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 229 &proxy_ssl_config_ : &server_ssl_config_; 230 ssl_config->send_client_cert = true; 231 ssl_config->client_cert = client_cert; 232 session_->ssl_client_auth_cache()->Add( 233 response_.cert_request_info->host_and_port, client_cert); 234 // Reset the other member variables. 235 // Note: this is necessary only with SSL renegotiation. 236 ResetStateForRestart(); 237 next_state_ = STATE_CREATE_STREAM; 238 int rv = DoLoop(OK); 239 if (rv == ERR_IO_PENDING) 240 callback_ = callback; 241 return rv; 242 } 243 244 int HttpNetworkTransaction::RestartWithAuth( 245 const AuthCredentials& credentials, const CompletionCallback& callback) { 246 HttpAuth::Target target = pending_auth_target_; 247 if (target == HttpAuth::AUTH_NONE) { 248 NOTREACHED(); 249 return ERR_UNEXPECTED; 250 } 251 pending_auth_target_ = HttpAuth::AUTH_NONE; 252 253 auth_controllers_[target]->ResetAuth(credentials); 254 255 DCHECK(callback_.is_null()); 256 257 int rv = OK; 258 if (target == HttpAuth::AUTH_PROXY && establishing_tunnel_) { 259 // In this case, we've gathered credentials for use with proxy 260 // authentication of a tunnel. 261 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 262 DCHECK(stream_request_ != NULL); 263 auth_controllers_[target] = NULL; 264 ResetStateForRestart(); 265 rv = stream_request_->RestartTunnelWithProxyAuth(credentials); 266 } else { 267 // In this case, we've gathered credentials for the server or the proxy 268 // but it is not during the tunneling phase. 269 DCHECK(stream_request_ == NULL); 270 PrepareForAuthRestart(target); 271 rv = DoLoop(OK); 272 } 273 274 if (rv == ERR_IO_PENDING) 275 callback_ = callback; 276 return rv; 277 } 278 279 void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) { 280 DCHECK(HaveAuth(target)); 281 DCHECK(!stream_request_.get()); 282 283 bool keep_alive = false; 284 // Even if the server says the connection is keep-alive, we have to be 285 // able to find the end of each response in order to reuse the connection. 286 if (GetResponseHeaders()->IsKeepAlive() && 287 stream_->CanFindEndOfResponse()) { 288 // If the response body hasn't been completely read, we need to drain 289 // it first. 290 if (!stream_->IsResponseBodyComplete()) { 291 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 292 read_buf_ = new IOBuffer(kDrainBodyBufferSize); // A bit bucket. 293 read_buf_len_ = kDrainBodyBufferSize; 294 return; 295 } 296 keep_alive = true; 297 } 298 299 // We don't need to drain the response body, so we act as if we had drained 300 // the response body. 301 DidDrainBodyForAuthRestart(keep_alive); 302 } 303 304 void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) { 305 DCHECK(!stream_request_.get()); 306 307 if (stream_.get()) { 308 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 309 HttpStream* new_stream = NULL; 310 if (keep_alive && stream_->IsConnectionReusable()) { 311 // We should call connection_->set_idle_time(), but this doesn't occur 312 // often enough to be worth the trouble. 313 stream_->SetConnectionReused(); 314 new_stream = 315 static_cast<HttpStream*>(stream_.get())->RenewStreamForAuth(); 316 } 317 318 if (!new_stream) { 319 // Close the stream and mark it as not_reusable. Even in the 320 // keep_alive case, we've determined that the stream_ is not 321 // reusable if new_stream is NULL. 322 stream_->Close(true); 323 next_state_ = STATE_CREATE_STREAM; 324 } else { 325 // Renewed streams shouldn't carry over received bytes. 326 DCHECK_EQ(0, new_stream->GetTotalReceivedBytes()); 327 next_state_ = STATE_INIT_STREAM; 328 } 329 stream_.reset(new_stream); 330 } 331 332 // Reset the other member variables. 333 ResetStateForAuthRestart(); 334 } 335 336 bool HttpNetworkTransaction::IsReadyToRestartForAuth() { 337 return pending_auth_target_ != HttpAuth::AUTH_NONE && 338 HaveAuth(pending_auth_target_); 339 } 340 341 int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len, 342 const CompletionCallback& callback) { 343 DCHECK(buf); 344 DCHECK_LT(0, buf_len); 345 346 State next_state = STATE_NONE; 347 348 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 349 if (headers_valid_ && headers.get() && stream_request_.get()) { 350 // We're trying to read the body of the response but we're still trying 351 // to establish an SSL tunnel through an HTTP proxy. We can't read these 352 // bytes when establishing a tunnel because they might be controlled by 353 // an active network attacker. We don't worry about this for HTTP 354 // because an active network attacker can already control HTTP sessions. 355 // We reach this case when the user cancels a 407 proxy auth prompt. We 356 // also don't worry about this for an HTTPS Proxy, because the 357 // communication with the proxy is secure. 358 // See http://crbug.com/8473. 359 DCHECK(proxy_info_.is_http() || proxy_info_.is_https()); 360 DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED); 361 LOG(WARNING) << "Blocked proxy response with status " 362 << headers->response_code() << " to CONNECT request for " 363 << GetHostAndPort(request_->url) << "."; 364 return ERR_TUNNEL_CONNECTION_FAILED; 365 } 366 367 // Are we using SPDY or HTTP? 368 next_state = STATE_READ_BODY; 369 370 read_buf_ = buf; 371 read_buf_len_ = buf_len; 372 373 next_state_ = next_state; 374 int rv = DoLoop(OK); 375 if (rv == ERR_IO_PENDING) 376 callback_ = callback; 377 return rv; 378 } 379 380 void HttpNetworkTransaction::StopCaching() {} 381 382 bool HttpNetworkTransaction::GetFullRequestHeaders( 383 HttpRequestHeaders* headers) const { 384 // TODO(ttuttle): Make sure we've populated request_headers_. 385 *headers = request_headers_; 386 return true; 387 } 388 389 int64 HttpNetworkTransaction::GetTotalReceivedBytes() const { 390 int64 total_received_bytes = total_received_bytes_; 391 if (stream_) 392 total_received_bytes += stream_->GetTotalReceivedBytes(); 393 return total_received_bytes; 394 } 395 396 void HttpNetworkTransaction::DoneReading() {} 397 398 const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const { 399 return ((headers_valid_ && response_.headers.get()) || 400 response_.ssl_info.cert.get() || response_.cert_request_info.get()) 401 ? &response_ 402 : NULL; 403 } 404 405 LoadState HttpNetworkTransaction::GetLoadState() const { 406 // TODO(wtc): Define a new LoadState value for the 407 // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request. 408 switch (next_state_) { 409 case STATE_CREATE_STREAM: 410 return LOAD_STATE_WAITING_FOR_DELEGATE; 411 case STATE_CREATE_STREAM_COMPLETE: 412 return stream_request_->GetLoadState(); 413 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 414 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 415 case STATE_SEND_REQUEST_COMPLETE: 416 return LOAD_STATE_SENDING_REQUEST; 417 case STATE_READ_HEADERS_COMPLETE: 418 return LOAD_STATE_WAITING_FOR_RESPONSE; 419 case STATE_READ_BODY_COMPLETE: 420 return LOAD_STATE_READING_RESPONSE; 421 default: 422 return LOAD_STATE_IDLE; 423 } 424 } 425 426 UploadProgress HttpNetworkTransaction::GetUploadProgress() const { 427 if (!stream_.get()) 428 return UploadProgress(); 429 430 // TODO(bashi): This cast is temporary. Remove later. 431 return static_cast<HttpStream*>(stream_.get())->GetUploadProgress(); 432 } 433 434 void HttpNetworkTransaction::SetQuicServerInfo( 435 QuicServerInfo* quic_server_info) {} 436 437 bool HttpNetworkTransaction::GetLoadTimingInfo( 438 LoadTimingInfo* load_timing_info) const { 439 if (!stream_ || !stream_->GetLoadTimingInfo(load_timing_info)) 440 return false; 441 442 load_timing_info->proxy_resolve_start = 443 proxy_info_.proxy_resolve_start_time(); 444 load_timing_info->proxy_resolve_end = proxy_info_.proxy_resolve_end_time(); 445 load_timing_info->send_start = send_start_time_; 446 load_timing_info->send_end = send_end_time_; 447 return true; 448 } 449 450 void HttpNetworkTransaction::SetPriority(RequestPriority priority) { 451 priority_ = priority; 452 if (stream_request_) 453 stream_request_->SetPriority(priority); 454 if (stream_) 455 stream_->SetPriority(priority); 456 } 457 458 void HttpNetworkTransaction::SetWebSocketHandshakeStreamCreateHelper( 459 WebSocketHandshakeStreamBase::CreateHelper* create_helper) { 460 websocket_handshake_stream_base_create_helper_ = create_helper; 461 } 462 463 void HttpNetworkTransaction::SetBeforeNetworkStartCallback( 464 const BeforeNetworkStartCallback& callback) { 465 before_network_start_callback_ = callback; 466 } 467 468 int HttpNetworkTransaction::ResumeNetworkStart() { 469 DCHECK_EQ(next_state_, STATE_CREATE_STREAM); 470 return DoLoop(OK); 471 } 472 473 void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config, 474 const ProxyInfo& used_proxy_info, 475 HttpStreamBase* stream) { 476 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 477 DCHECK(stream_request_.get()); 478 479 if (stream_) 480 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 481 stream_.reset(stream); 482 server_ssl_config_ = used_ssl_config; 483 proxy_info_ = used_proxy_info; 484 response_.was_npn_negotiated = stream_request_->was_npn_negotiated(); 485 response_.npn_negotiated_protocol = SSLClientSocket::NextProtoToString( 486 stream_request_->protocol_negotiated()); 487 response_.was_fetched_via_spdy = stream_request_->using_spdy(); 488 response_.was_fetched_via_proxy = !proxy_info_.is_direct(); 489 if (response_.was_fetched_via_proxy && !proxy_info_.is_empty()) 490 response_.proxy_server = proxy_info_.proxy_server().host_port_pair(); 491 OnIOComplete(OK); 492 } 493 494 void HttpNetworkTransaction::OnWebSocketHandshakeStreamReady( 495 const SSLConfig& used_ssl_config, 496 const ProxyInfo& used_proxy_info, 497 WebSocketHandshakeStreamBase* stream) { 498 OnStreamReady(used_ssl_config, used_proxy_info, stream); 499 } 500 501 void HttpNetworkTransaction::OnStreamFailed(int result, 502 const SSLConfig& used_ssl_config) { 503 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 504 DCHECK_NE(OK, result); 505 DCHECK(stream_request_.get()); 506 DCHECK(!stream_.get()); 507 server_ssl_config_ = used_ssl_config; 508 509 OnIOComplete(result); 510 } 511 512 void HttpNetworkTransaction::OnCertificateError( 513 int result, 514 const SSLConfig& used_ssl_config, 515 const SSLInfo& ssl_info) { 516 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 517 DCHECK_NE(OK, result); 518 DCHECK(stream_request_.get()); 519 DCHECK(!stream_.get()); 520 521 response_.ssl_info = ssl_info; 522 server_ssl_config_ = used_ssl_config; 523 524 // TODO(mbelshe): For now, we're going to pass the error through, and that 525 // will close the stream_request in all cases. This means that we're always 526 // going to restart an entire STATE_CREATE_STREAM, even if the connection is 527 // good and the user chooses to ignore the error. This is not ideal, but not 528 // the end of the world either. 529 530 OnIOComplete(result); 531 } 532 533 void HttpNetworkTransaction::OnNeedsProxyAuth( 534 const HttpResponseInfo& proxy_response, 535 const SSLConfig& used_ssl_config, 536 const ProxyInfo& used_proxy_info, 537 HttpAuthController* auth_controller) { 538 DCHECK(stream_request_.get()); 539 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 540 541 establishing_tunnel_ = true; 542 response_.headers = proxy_response.headers; 543 response_.auth_challenge = proxy_response.auth_challenge; 544 headers_valid_ = true; 545 server_ssl_config_ = used_ssl_config; 546 proxy_info_ = used_proxy_info; 547 548 auth_controllers_[HttpAuth::AUTH_PROXY] = auth_controller; 549 pending_auth_target_ = HttpAuth::AUTH_PROXY; 550 551 DoCallback(OK); 552 } 553 554 void HttpNetworkTransaction::OnNeedsClientAuth( 555 const SSLConfig& used_ssl_config, 556 SSLCertRequestInfo* cert_info) { 557 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 558 559 server_ssl_config_ = used_ssl_config; 560 response_.cert_request_info = cert_info; 561 OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 562 } 563 564 void HttpNetworkTransaction::OnHttpsProxyTunnelResponse( 565 const HttpResponseInfo& response_info, 566 const SSLConfig& used_ssl_config, 567 const ProxyInfo& used_proxy_info, 568 HttpStreamBase* stream) { 569 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 570 571 headers_valid_ = true; 572 response_ = response_info; 573 server_ssl_config_ = used_ssl_config; 574 proxy_info_ = used_proxy_info; 575 if (stream_) 576 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 577 stream_.reset(stream); 578 stream_request_.reset(); // we're done with the stream request 579 OnIOComplete(ERR_HTTPS_PROXY_TUNNEL_RESPONSE); 580 } 581 582 bool HttpNetworkTransaction::is_https_request() const { 583 return request_->url.SchemeIs("https"); 584 } 585 586 void HttpNetworkTransaction::DoCallback(int rv) { 587 DCHECK_NE(rv, ERR_IO_PENDING); 588 DCHECK(!callback_.is_null()); 589 590 // Since Run may result in Read being called, clear user_callback_ up front. 591 CompletionCallback c = callback_; 592 callback_.Reset(); 593 c.Run(rv); 594 } 595 596 void HttpNetworkTransaction::OnIOComplete(int result) { 597 int rv = DoLoop(result); 598 if (rv != ERR_IO_PENDING) 599 DoCallback(rv); 600 } 601 602 int HttpNetworkTransaction::DoLoop(int result) { 603 DCHECK(next_state_ != STATE_NONE); 604 605 int rv = result; 606 do { 607 State state = next_state_; 608 next_state_ = STATE_NONE; 609 switch (state) { 610 case STATE_NOTIFY_BEFORE_CREATE_STREAM: 611 DCHECK_EQ(OK, rv); 612 rv = DoNotifyBeforeCreateStream(); 613 break; 614 case STATE_CREATE_STREAM: 615 DCHECK_EQ(OK, rv); 616 rv = DoCreateStream(); 617 break; 618 case STATE_CREATE_STREAM_COMPLETE: 619 rv = DoCreateStreamComplete(rv); 620 break; 621 case STATE_INIT_STREAM: 622 DCHECK_EQ(OK, rv); 623 rv = DoInitStream(); 624 break; 625 case STATE_INIT_STREAM_COMPLETE: 626 rv = DoInitStreamComplete(rv); 627 break; 628 case STATE_GENERATE_PROXY_AUTH_TOKEN: 629 DCHECK_EQ(OK, rv); 630 rv = DoGenerateProxyAuthToken(); 631 break; 632 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 633 rv = DoGenerateProxyAuthTokenComplete(rv); 634 break; 635 case STATE_GENERATE_SERVER_AUTH_TOKEN: 636 DCHECK_EQ(OK, rv); 637 rv = DoGenerateServerAuthToken(); 638 break; 639 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 640 rv = DoGenerateServerAuthTokenComplete(rv); 641 break; 642 case STATE_INIT_REQUEST_BODY: 643 DCHECK_EQ(OK, rv); 644 rv = DoInitRequestBody(); 645 break; 646 case STATE_INIT_REQUEST_BODY_COMPLETE: 647 rv = DoInitRequestBodyComplete(rv); 648 break; 649 case STATE_BUILD_REQUEST: 650 DCHECK_EQ(OK, rv); 651 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST); 652 rv = DoBuildRequest(); 653 break; 654 case STATE_BUILD_REQUEST_COMPLETE: 655 rv = DoBuildRequestComplete(rv); 656 break; 657 case STATE_SEND_REQUEST: 658 DCHECK_EQ(OK, rv); 659 rv = DoSendRequest(); 660 break; 661 case STATE_SEND_REQUEST_COMPLETE: 662 rv = DoSendRequestComplete(rv); 663 net_log_.EndEventWithNetErrorCode( 664 NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, rv); 665 break; 666 case STATE_READ_HEADERS: 667 DCHECK_EQ(OK, rv); 668 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS); 669 rv = DoReadHeaders(); 670 break; 671 case STATE_READ_HEADERS_COMPLETE: 672 rv = DoReadHeadersComplete(rv); 673 net_log_.EndEventWithNetErrorCode( 674 NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS, rv); 675 break; 676 case STATE_READ_BODY: 677 DCHECK_EQ(OK, rv); 678 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_BODY); 679 rv = DoReadBody(); 680 break; 681 case STATE_READ_BODY_COMPLETE: 682 rv = DoReadBodyComplete(rv); 683 net_log_.EndEventWithNetErrorCode( 684 NetLog::TYPE_HTTP_TRANSACTION_READ_BODY, rv); 685 break; 686 case STATE_DRAIN_BODY_FOR_AUTH_RESTART: 687 DCHECK_EQ(OK, rv); 688 net_log_.BeginEvent( 689 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART); 690 rv = DoDrainBodyForAuthRestart(); 691 break; 692 case STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE: 693 rv = DoDrainBodyForAuthRestartComplete(rv); 694 net_log_.EndEventWithNetErrorCode( 695 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART, rv); 696 break; 697 default: 698 NOTREACHED() << "bad state"; 699 rv = ERR_FAILED; 700 break; 701 } 702 } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE); 703 704 return rv; 705 } 706 707 int HttpNetworkTransaction::DoNotifyBeforeCreateStream() { 708 next_state_ = STATE_CREATE_STREAM; 709 bool defer = false; 710 if (!before_network_start_callback_.is_null()) 711 before_network_start_callback_.Run(&defer); 712 if (!defer) 713 return OK; 714 return ERR_IO_PENDING; 715 } 716 717 int HttpNetworkTransaction::DoCreateStream() { 718 next_state_ = STATE_CREATE_STREAM_COMPLETE; 719 if (ForWebSocketHandshake()) { 720 stream_request_.reset( 721 session_->http_stream_factory_for_websocket() 722 ->RequestWebSocketHandshakeStream( 723 *request_, 724 priority_, 725 server_ssl_config_, 726 proxy_ssl_config_, 727 this, 728 websocket_handshake_stream_base_create_helper_, 729 net_log_)); 730 } else { 731 stream_request_.reset( 732 session_->http_stream_factory()->RequestStream( 733 *request_, 734 priority_, 735 server_ssl_config_, 736 proxy_ssl_config_, 737 this, 738 net_log_)); 739 } 740 DCHECK(stream_request_.get()); 741 return ERR_IO_PENDING; 742 } 743 744 int HttpNetworkTransaction::DoCreateStreamComplete(int result) { 745 if (result == OK) { 746 next_state_ = STATE_INIT_STREAM; 747 DCHECK(stream_.get()); 748 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 749 result = HandleCertificateRequest(result); 750 } else if (result == ERR_HTTPS_PROXY_TUNNEL_RESPONSE) { 751 // Return OK and let the caller read the proxy's error page 752 next_state_ = STATE_NONE; 753 return OK; 754 } 755 756 // Handle possible handshake errors that may have occurred if the stream 757 // used SSL for one or more of the layers. 758 result = HandleSSLHandshakeError(result); 759 760 // At this point we are done with the stream_request_. 761 stream_request_.reset(); 762 return result; 763 } 764 765 int HttpNetworkTransaction::DoInitStream() { 766 DCHECK(stream_.get()); 767 next_state_ = STATE_INIT_STREAM_COMPLETE; 768 return stream_->InitializeStream(request_, priority_, net_log_, io_callback_); 769 } 770 771 int HttpNetworkTransaction::DoInitStreamComplete(int result) { 772 if (result == OK) { 773 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 774 } else { 775 if (result < 0) 776 result = HandleIOError(result); 777 778 // The stream initialization failed, so this stream will never be useful. 779 if (stream_) 780 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 781 stream_.reset(); 782 } 783 784 return result; 785 } 786 787 int HttpNetworkTransaction::DoGenerateProxyAuthToken() { 788 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE; 789 if (!ShouldApplyProxyAuth()) 790 return OK; 791 HttpAuth::Target target = HttpAuth::AUTH_PROXY; 792 if (!auth_controllers_[target].get()) 793 auth_controllers_[target] = 794 new HttpAuthController(target, 795 AuthURL(target), 796 session_->http_auth_cache(), 797 session_->http_auth_handler_factory()); 798 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 799 io_callback_, 800 net_log_); 801 } 802 803 int HttpNetworkTransaction::DoGenerateProxyAuthTokenComplete(int rv) { 804 DCHECK_NE(ERR_IO_PENDING, rv); 805 if (rv == OK) 806 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN; 807 return rv; 808 } 809 810 int HttpNetworkTransaction::DoGenerateServerAuthToken() { 811 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE; 812 HttpAuth::Target target = HttpAuth::AUTH_SERVER; 813 if (!auth_controllers_[target].get()) { 814 auth_controllers_[target] = 815 new HttpAuthController(target, 816 AuthURL(target), 817 session_->http_auth_cache(), 818 session_->http_auth_handler_factory()); 819 if (request_->load_flags & LOAD_DO_NOT_USE_EMBEDDED_IDENTITY) 820 auth_controllers_[target]->DisableEmbeddedIdentity(); 821 } 822 if (!ShouldApplyServerAuth()) 823 return OK; 824 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 825 io_callback_, 826 net_log_); 827 } 828 829 int HttpNetworkTransaction::DoGenerateServerAuthTokenComplete(int rv) { 830 DCHECK_NE(ERR_IO_PENDING, rv); 831 if (rv == OK) 832 next_state_ = STATE_INIT_REQUEST_BODY; 833 return rv; 834 } 835 836 void HttpNetworkTransaction::BuildRequestHeaders(bool using_proxy) { 837 request_headers_.SetHeader(HttpRequestHeaders::kHost, 838 GetHostAndOptionalPort(request_->url)); 839 840 // For compat with HTTP/1.0 servers and proxies: 841 if (using_proxy) { 842 request_headers_.SetHeader(HttpRequestHeaders::kProxyConnection, 843 "keep-alive"); 844 } else { 845 request_headers_.SetHeader(HttpRequestHeaders::kConnection, "keep-alive"); 846 } 847 848 // Add a content length header? 849 if (request_->upload_data_stream) { 850 if (request_->upload_data_stream->is_chunked()) { 851 request_headers_.SetHeader( 852 HttpRequestHeaders::kTransferEncoding, "chunked"); 853 } else { 854 request_headers_.SetHeader( 855 HttpRequestHeaders::kContentLength, 856 base::Uint64ToString(request_->upload_data_stream->size())); 857 } 858 } else if (request_->method == "POST" || request_->method == "PUT" || 859 request_->method == "HEAD") { 860 // An empty POST/PUT request still needs a content length. As for HEAD, 861 // IE and Safari also add a content length header. Presumably it is to 862 // support sending a HEAD request to an URL that only expects to be sent a 863 // POST or some other method that normally would have a message body. 864 request_headers_.SetHeader(HttpRequestHeaders::kContentLength, "0"); 865 } 866 867 // Honor load flags that impact proxy caches. 868 if (request_->load_flags & LOAD_BYPASS_CACHE) { 869 request_headers_.SetHeader(HttpRequestHeaders::kPragma, "no-cache"); 870 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "no-cache"); 871 } else if (request_->load_flags & LOAD_VALIDATE_CACHE) { 872 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "max-age=0"); 873 } 874 875 if (ShouldApplyProxyAuth() && HaveAuth(HttpAuth::AUTH_PROXY)) 876 auth_controllers_[HttpAuth::AUTH_PROXY]->AddAuthorizationHeader( 877 &request_headers_); 878 if (ShouldApplyServerAuth() && HaveAuth(HttpAuth::AUTH_SERVER)) 879 auth_controllers_[HttpAuth::AUTH_SERVER]->AddAuthorizationHeader( 880 &request_headers_); 881 882 request_headers_.MergeFrom(request_->extra_headers); 883 response_.did_use_http_auth = 884 request_headers_.HasHeader(HttpRequestHeaders::kAuthorization) || 885 request_headers_.HasHeader(HttpRequestHeaders::kProxyAuthorization); 886 } 887 888 int HttpNetworkTransaction::DoInitRequestBody() { 889 next_state_ = STATE_INIT_REQUEST_BODY_COMPLETE; 890 int rv = OK; 891 if (request_->upload_data_stream) 892 rv = request_->upload_data_stream->Init(io_callback_); 893 return rv; 894 } 895 896 int HttpNetworkTransaction::DoInitRequestBodyComplete(int result) { 897 if (result == OK) 898 next_state_ = STATE_BUILD_REQUEST; 899 return result; 900 } 901 902 int HttpNetworkTransaction::DoBuildRequest() { 903 next_state_ = STATE_BUILD_REQUEST_COMPLETE; 904 headers_valid_ = false; 905 906 // This is constructed lazily (instead of within our Start method), so that 907 // we have proxy info available. 908 if (request_headers_.IsEmpty()) { 909 bool using_proxy = (proxy_info_.is_http() || proxy_info_.is_https()) && 910 !is_https_request(); 911 BuildRequestHeaders(using_proxy); 912 } 913 914 return OK; 915 } 916 917 int HttpNetworkTransaction::DoBuildRequestComplete(int result) { 918 if (result == OK) 919 next_state_ = STATE_SEND_REQUEST; 920 return result; 921 } 922 923 int HttpNetworkTransaction::DoSendRequest() { 924 send_start_time_ = base::TimeTicks::Now(); 925 next_state_ = STATE_SEND_REQUEST_COMPLETE; 926 927 return stream_->SendRequest(request_headers_, &response_, io_callback_); 928 } 929 930 int HttpNetworkTransaction::DoSendRequestComplete(int result) { 931 send_end_time_ = base::TimeTicks::Now(); 932 if (result < 0) 933 return HandleIOError(result); 934 response_.network_accessed = true; 935 next_state_ = STATE_READ_HEADERS; 936 return OK; 937 } 938 939 int HttpNetworkTransaction::DoReadHeaders() { 940 next_state_ = STATE_READ_HEADERS_COMPLETE; 941 return stream_->ReadResponseHeaders(io_callback_); 942 } 943 944 int HttpNetworkTransaction::DoReadHeadersComplete(int result) { 945 // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here 946 // due to SSL renegotiation. 947 if (IsCertificateError(result)) { 948 // We don't handle a certificate error during SSL renegotiation, so we 949 // have to return an error that's not in the certificate error range 950 // (-2xx). 951 LOG(ERROR) << "Got a server certificate with error " << result 952 << " during SSL renegotiation"; 953 result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION; 954 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 955 // TODO(wtc): Need a test case for this code path! 956 DCHECK(stream_.get()); 957 DCHECK(is_https_request()); 958 response_.cert_request_info = new SSLCertRequestInfo; 959 stream_->GetSSLCertRequestInfo(response_.cert_request_info.get()); 960 result = HandleCertificateRequest(result); 961 if (result == OK) 962 return result; 963 } 964 965 if (result == ERR_QUIC_HANDSHAKE_FAILED) { 966 ResetConnectionAndRequestForResend(); 967 return OK; 968 } 969 970 // After we call RestartWithAuth a new response_time will be recorded, and 971 // we need to be cautious about incorrectly logging the duration across the 972 // authentication activity. 973 if (result == OK) 974 LogTransactionConnectedMetrics(); 975 976 // ERR_CONNECTION_CLOSED is treated differently at this point; if partial 977 // response headers were received, we do the best we can to make sense of it 978 // and send it back up the stack. 979 // 980 // TODO(davidben): Consider moving this to HttpBasicStream, It's a little 981 // bizarre for SPDY. Assuming this logic is useful at all. 982 // TODO(davidben): Bubble the error code up so we do not cache? 983 if (result == ERR_CONNECTION_CLOSED && response_.headers.get()) 984 result = OK; 985 986 if (result < 0) 987 return HandleIOError(result); 988 989 DCHECK(response_.headers.get()); 990 991 // On a 408 response from the server ("Request Timeout") on a stale socket, 992 // retry the request. 993 // Headers can be NULL because of http://crbug.com/384554. 994 if (response_.headers.get() && response_.headers->response_code() == 408 && 995 stream_->IsConnectionReused()) { 996 net_log_.AddEventWithNetErrorCode( 997 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, 998 response_.headers->response_code()); 999 // This will close the socket - it would be weird to try and reuse it, even 1000 // if the server doesn't actually close it. 1001 ResetConnectionAndRequestForResend(); 1002 return OK; 1003 } 1004 1005 // Like Net.HttpResponseCode, but only for MAIN_FRAME loads. 1006 if (request_->load_flags & LOAD_MAIN_FRAME) { 1007 const int response_code = response_.headers->response_code(); 1008 UMA_HISTOGRAM_ENUMERATION( 1009 "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10); 1010 } 1011 1012 net_log_.AddEvent( 1013 NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS, 1014 base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers)); 1015 1016 if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) { 1017 // HTTP/0.9 doesn't support the PUT method, so lack of response headers 1018 // indicates a buggy server. See: 1019 // https://bugzilla.mozilla.org/show_bug.cgi?id=193921 1020 if (request_->method == "PUT") 1021 return ERR_METHOD_NOT_SUPPORTED; 1022 } 1023 1024 // Check for an intermediate 100 Continue response. An origin server is 1025 // allowed to send this response even if we didn't ask for it, so we just 1026 // need to skip over it. 1027 // We treat any other 1xx in this same way (although in practice getting 1028 // a 1xx that isn't a 100 is rare). 1029 // Unless this is a WebSocket request, in which case we pass it on up. 1030 if (response_.headers->response_code() / 100 == 1 && 1031 !ForWebSocketHandshake()) { 1032 response_.headers = new HttpResponseHeaders(std::string()); 1033 next_state_ = STATE_READ_HEADERS; 1034 return OK; 1035 } 1036 1037 HostPortPair endpoint = HostPortPair(request_->url.HostNoBrackets(), 1038 request_->url.EffectiveIntPort()); 1039 ProcessAlternateProtocol(session_, 1040 *response_.headers.get(), 1041 endpoint); 1042 1043 int rv = HandleAuthChallenge(); 1044 if (rv != OK) 1045 return rv; 1046 1047 if (is_https_request()) 1048 stream_->GetSSLInfo(&response_.ssl_info); 1049 1050 headers_valid_ = true; 1051 1052 if (session_->huffman_aggregator()) { 1053 session_->huffman_aggregator()->AggregateTransactionCharacterCounts( 1054 *request_, 1055 request_headers_, 1056 proxy_info_.proxy_server(), 1057 *response_.headers); 1058 } 1059 return OK; 1060 } 1061 1062 int HttpNetworkTransaction::DoReadBody() { 1063 DCHECK(read_buf_.get()); 1064 DCHECK_GT(read_buf_len_, 0); 1065 DCHECK(stream_ != NULL); 1066 1067 next_state_ = STATE_READ_BODY_COMPLETE; 1068 return stream_->ReadResponseBody( 1069 read_buf_.get(), read_buf_len_, io_callback_); 1070 } 1071 1072 int HttpNetworkTransaction::DoReadBodyComplete(int result) { 1073 // We are done with the Read call. 1074 bool done = false; 1075 if (result <= 0) { 1076 DCHECK_NE(ERR_IO_PENDING, result); 1077 done = true; 1078 } 1079 1080 bool keep_alive = false; 1081 if (stream_->IsResponseBodyComplete()) { 1082 // Note: Just because IsResponseBodyComplete is true, we're not 1083 // necessarily "done". We're only "done" when it is the last 1084 // read on this HttpNetworkTransaction, which will be signified 1085 // by a zero-length read. 1086 // TODO(mbelshe): The keepalive property is really a property of 1087 // the stream. No need to compute it here just to pass back 1088 // to the stream's Close function. 1089 // TODO(rtenneti): CanFindEndOfResponse should return false if there are no 1090 // ResponseHeaders. 1091 if (stream_->CanFindEndOfResponse()) { 1092 HttpResponseHeaders* headers = GetResponseHeaders(); 1093 if (headers) 1094 keep_alive = headers->IsKeepAlive(); 1095 } 1096 } 1097 1098 // Clean up connection if we are done. 1099 if (done) { 1100 LogTransactionMetrics(); 1101 stream_->Close(!keep_alive); 1102 // Note: we don't reset the stream here. We've closed it, but we still 1103 // need it around so that callers can call methods such as 1104 // GetUploadProgress() and have them be meaningful. 1105 // TODO(mbelshe): This means we closed the stream here, and we close it 1106 // again in ~HttpNetworkTransaction. Clean that up. 1107 1108 // The next Read call will return 0 (EOF). 1109 } 1110 1111 // Clear these to avoid leaving around old state. 1112 read_buf_ = NULL; 1113 read_buf_len_ = 0; 1114 1115 return result; 1116 } 1117 1118 int HttpNetworkTransaction::DoDrainBodyForAuthRestart() { 1119 // This method differs from DoReadBody only in the next_state_. So we just 1120 // call DoReadBody and override the next_state_. Perhaps there is a more 1121 // elegant way for these two methods to share code. 1122 int rv = DoReadBody(); 1123 DCHECK(next_state_ == STATE_READ_BODY_COMPLETE); 1124 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE; 1125 return rv; 1126 } 1127 1128 // TODO(wtc): This method and the DoReadBodyComplete method are almost 1129 // the same. Figure out a good way for these two methods to share code. 1130 int HttpNetworkTransaction::DoDrainBodyForAuthRestartComplete(int result) { 1131 // keep_alive defaults to true because the very reason we're draining the 1132 // response body is to reuse the connection for auth restart. 1133 bool done = false, keep_alive = true; 1134 if (result < 0) { 1135 // Error or closed connection while reading the socket. 1136 done = true; 1137 keep_alive = false; 1138 } else if (stream_->IsResponseBodyComplete()) { 1139 done = true; 1140 } 1141 1142 if (done) { 1143 DidDrainBodyForAuthRestart(keep_alive); 1144 } else { 1145 // Keep draining. 1146 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 1147 } 1148 1149 return OK; 1150 } 1151 1152 void HttpNetworkTransaction::LogTransactionConnectedMetrics() { 1153 if (logged_response_time_) 1154 return; 1155 1156 logged_response_time_ = true; 1157 1158 base::TimeDelta total_duration = response_.response_time - start_time_; 1159 1160 UMA_HISTOGRAM_CUSTOM_TIMES( 1161 "Net.Transaction_Connected", 1162 total_duration, 1163 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1164 100); 1165 1166 bool reused_socket = stream_->IsConnectionReused(); 1167 if (!reused_socket) { 1168 UMA_HISTOGRAM_CUSTOM_TIMES( 1169 "Net.Transaction_Connected_New_b", 1170 total_duration, 1171 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1172 100); 1173 } 1174 1175 // Currently, non-HIGHEST priority requests are frame or sub-frame resource 1176 // types. This will change when we also prioritize certain subresources like 1177 // css, js, etc. 1178 if (priority_ != HIGHEST) { 1179 UMA_HISTOGRAM_CUSTOM_TIMES( 1180 "Net.Priority_High_Latency_b", 1181 total_duration, 1182 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1183 100); 1184 } else { 1185 UMA_HISTOGRAM_CUSTOM_TIMES( 1186 "Net.Priority_Low_Latency_b", 1187 total_duration, 1188 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1189 100); 1190 } 1191 } 1192 1193 void HttpNetworkTransaction::LogTransactionMetrics() const { 1194 base::TimeDelta duration = base::Time::Now() - 1195 response_.request_time; 1196 if (60 < duration.InMinutes()) 1197 return; 1198 1199 base::TimeDelta total_duration = base::Time::Now() - start_time_; 1200 1201 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_b", duration, 1202 base::TimeDelta::FromMilliseconds(1), 1203 base::TimeDelta::FromMinutes(10), 1204 100); 1205 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_Total", 1206 total_duration, 1207 base::TimeDelta::FromMilliseconds(1), 1208 base::TimeDelta::FromMinutes(10), 100); 1209 1210 if (!stream_->IsConnectionReused()) { 1211 UMA_HISTOGRAM_CUSTOM_TIMES( 1212 "Net.Transaction_Latency_Total_New_Connection", 1213 total_duration, base::TimeDelta::FromMilliseconds(1), 1214 base::TimeDelta::FromMinutes(10), 100); 1215 } 1216 } 1217 1218 int HttpNetworkTransaction::HandleCertificateRequest(int error) { 1219 // There are two paths through which the server can request a certificate 1220 // from us. The first is during the initial handshake, the second is 1221 // during SSL renegotiation. 1222 // 1223 // In both cases, we want to close the connection before proceeding. 1224 // We do this for two reasons: 1225 // First, we don't want to keep the connection to the server hung for a 1226 // long time while the user selects a certificate. 1227 // Second, even if we did keep the connection open, NSS has a bug where 1228 // restarting the handshake for ClientAuth is currently broken. 1229 DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 1230 1231 if (stream_.get()) { 1232 // Since we already have a stream, we're being called as part of SSL 1233 // renegotiation. 1234 DCHECK(!stream_request_.get()); 1235 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 1236 stream_->Close(true); 1237 stream_.reset(); 1238 } 1239 1240 // The server is asking for a client certificate during the initial 1241 // handshake. 1242 stream_request_.reset(); 1243 1244 // If the user selected one of the certificates in client_certs or declined 1245 // to provide one for this server before, use the past decision 1246 // automatically. 1247 scoped_refptr<X509Certificate> client_cert; 1248 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( 1249 response_.cert_request_info->host_and_port, &client_cert); 1250 if (!found_cached_cert) 1251 return error; 1252 1253 // Check that the certificate selected is still a certificate the server 1254 // is likely to accept, based on the criteria supplied in the 1255 // CertificateRequest message. 1256 if (client_cert.get()) { 1257 const std::vector<std::string>& cert_authorities = 1258 response_.cert_request_info->cert_authorities; 1259 1260 bool cert_still_valid = cert_authorities.empty() || 1261 client_cert->IsIssuedByEncoded(cert_authorities); 1262 if (!cert_still_valid) 1263 return error; 1264 } 1265 1266 // TODO(davidben): Add a unit test which covers this path; we need to be 1267 // able to send a legitimate certificate and also bypass/clear the 1268 // SSL session cache. 1269 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 1270 &proxy_ssl_config_ : &server_ssl_config_; 1271 ssl_config->send_client_cert = true; 1272 ssl_config->client_cert = client_cert; 1273 next_state_ = STATE_CREATE_STREAM; 1274 // Reset the other member variables. 1275 // Note: this is necessary only with SSL renegotiation. 1276 ResetStateForRestart(); 1277 return OK; 1278 } 1279 1280 void HttpNetworkTransaction::HandleClientAuthError(int error) { 1281 if (server_ssl_config_.send_client_cert && 1282 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { 1283 session_->ssl_client_auth_cache()->Remove( 1284 HostPortPair::FromURL(request_->url)); 1285 } 1286 } 1287 1288 // TODO(rch): This does not correctly handle errors when an SSL proxy is 1289 // being used, as all of the errors are handled as if they were generated 1290 // by the endpoint host, request_->url, rather than considering if they were 1291 // generated by the SSL proxy. http://crbug.com/69329 1292 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { 1293 DCHECK(request_); 1294 HandleClientAuthError(error); 1295 1296 bool should_fallback = false; 1297 uint16 version_max = server_ssl_config_.version_max; 1298 1299 switch (error) { 1300 case ERR_SSL_PROTOCOL_ERROR: 1301 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: 1302 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && 1303 version_max > server_ssl_config_.version_min) { 1304 // This could be a TLS-intolerant server or a server that chose a 1305 // cipher suite defined only for higher protocol versions (such as 1306 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall 1307 // back to the next lower version and retry. 1308 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, 1309 // specifying TLS 1.1 in version_max will result in a TLS 1.0 1310 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply 1311 // repeat the TLS 1.0 handshake. To avoid this problem, the default 1312 // version_max should match the maximum protocol version supported 1313 // by the SSLClientSocket class. 1314 version_max--; 1315 1316 // Fallback to the lower SSL version. 1317 // While SSL 3.0 fallback should be eliminated because of security 1318 // reasons, there is a high risk of breaking the servers if this is 1319 // done in general. 1320 should_fallback = true; 1321 } 1322 break; 1323 case ERR_SSL_BAD_RECORD_MAC_ALERT: 1324 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && 1325 version_max > server_ssl_config_.version_min) { 1326 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or 1327 // 1.2 ClientHello, but then return a bad_record_mac alert. See 1328 // crbug.com/260358. In order to make the fallback as minimal as 1329 // possible, this fallback is only triggered for >= TLS 1.1. 1330 version_max--; 1331 should_fallback = true; 1332 } 1333 break; 1334 case ERR_SSL_INAPPROPRIATE_FALLBACK: 1335 // The server told us that we should not have fallen back. A buggy server 1336 // could trigger ERR_SSL_INAPPROPRIATE_FALLBACK with the initial 1337 // connection. |fallback_error_code_| is initialised to 1338 // ERR_SSL_INAPPROPRIATE_FALLBACK to catch this case. 1339 error = fallback_error_code_; 1340 break; 1341 } 1342 1343 if (should_fallback) { 1344 net_log_.AddEvent( 1345 NetLog::TYPE_SSL_VERSION_FALLBACK, 1346 base::Bind(&NetLogSSLVersionFallbackCallback, 1347 &request_->url, error, server_ssl_config_.version_max, 1348 version_max)); 1349 fallback_error_code_ = error; 1350 server_ssl_config_.version_max = version_max; 1351 server_ssl_config_.version_fallback = true; 1352 ResetConnectionAndRequestForResend(); 1353 error = OK; 1354 } 1355 1356 return error; 1357 } 1358 1359 // This method determines whether it is safe to resend the request after an 1360 // IO error. It can only be called in response to request header or body 1361 // write errors or response header read errors. It should not be used in 1362 // other cases, such as a Connect error. 1363 int HttpNetworkTransaction::HandleIOError(int error) { 1364 // Because the peer may request renegotiation with client authentication at 1365 // any time, check and handle client authentication errors. 1366 HandleClientAuthError(error); 1367 1368 switch (error) { 1369 // If we try to reuse a connection that the server is in the process of 1370 // closing, we may end up successfully writing out our request (or a 1371 // portion of our request) only to find a connection error when we try to 1372 // read from (or finish writing to) the socket. 1373 case ERR_CONNECTION_RESET: 1374 case ERR_CONNECTION_CLOSED: 1375 case ERR_CONNECTION_ABORTED: 1376 // There can be a race between the socket pool checking checking whether a 1377 // socket is still connected, receiving the FIN, and sending/reading data 1378 // on a reused socket. If we receive the FIN between the connectedness 1379 // check and writing/reading from the socket, we may first learn the socket 1380 // is disconnected when we get a ERR_SOCKET_NOT_CONNECTED. This will most 1381 // likely happen when trying to retrieve its IP address. 1382 // See http://crbug.com/105824 for more details. 1383 case ERR_SOCKET_NOT_CONNECTED: 1384 // If a socket is closed on its initial request, HttpStreamParser returns 1385 // ERR_EMPTY_RESPONSE. This may still be close/reuse race if the socket was 1386 // preconnected but failed to be used before the server timed it out. 1387 case ERR_EMPTY_RESPONSE: 1388 if (ShouldResendRequest()) { 1389 net_log_.AddEventWithNetErrorCode( 1390 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1391 ResetConnectionAndRequestForResend(); 1392 error = OK; 1393 } 1394 break; 1395 case ERR_SPDY_PING_FAILED: 1396 case ERR_SPDY_SERVER_REFUSED_STREAM: 1397 case ERR_QUIC_HANDSHAKE_FAILED: 1398 net_log_.AddEventWithNetErrorCode( 1399 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1400 ResetConnectionAndRequestForResend(); 1401 error = OK; 1402 break; 1403 } 1404 return error; 1405 } 1406 1407 void HttpNetworkTransaction::ResetStateForRestart() { 1408 ResetStateForAuthRestart(); 1409 if (stream_) 1410 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 1411 stream_.reset(); 1412 } 1413 1414 void HttpNetworkTransaction::ResetStateForAuthRestart() { 1415 send_start_time_ = base::TimeTicks(); 1416 send_end_time_ = base::TimeTicks(); 1417 1418 pending_auth_target_ = HttpAuth::AUTH_NONE; 1419 read_buf_ = NULL; 1420 read_buf_len_ = 0; 1421 headers_valid_ = false; 1422 request_headers_.Clear(); 1423 response_ = HttpResponseInfo(); 1424 establishing_tunnel_ = false; 1425 } 1426 1427 HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const { 1428 return response_.headers.get(); 1429 } 1430 1431 bool HttpNetworkTransaction::ShouldResendRequest() const { 1432 bool connection_is_proven = stream_->IsConnectionReused(); 1433 bool has_received_headers = GetResponseHeaders() != NULL; 1434 1435 // NOTE: we resend a request only if we reused a keep-alive connection. 1436 // This automatically prevents an infinite resend loop because we'll run 1437 // out of the cached keep-alive connections eventually. 1438 if (connection_is_proven && !has_received_headers) 1439 return true; 1440 return false; 1441 } 1442 1443 void HttpNetworkTransaction::ResetConnectionAndRequestForResend() { 1444 if (stream_.get()) { 1445 stream_->Close(true); 1446 stream_.reset(); 1447 } 1448 1449 // We need to clear request_headers_ because it contains the real request 1450 // headers, but we may need to resend the CONNECT request first to recreate 1451 // the SSL tunnel. 1452 request_headers_.Clear(); 1453 next_state_ = STATE_CREATE_STREAM; // Resend the request. 1454 } 1455 1456 bool HttpNetworkTransaction::ShouldApplyProxyAuth() const { 1457 return !is_https_request() && 1458 (proxy_info_.is_https() || proxy_info_.is_http()); 1459 } 1460 1461 bool HttpNetworkTransaction::ShouldApplyServerAuth() const { 1462 return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA); 1463 } 1464 1465 int HttpNetworkTransaction::HandleAuthChallenge() { 1466 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 1467 DCHECK(headers.get()); 1468 1469 int status = headers->response_code(); 1470 if (status != HTTP_UNAUTHORIZED && 1471 status != HTTP_PROXY_AUTHENTICATION_REQUIRED) 1472 return OK; 1473 HttpAuth::Target target = status == HTTP_PROXY_AUTHENTICATION_REQUIRED ? 1474 HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER; 1475 if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct()) 1476 return ERR_UNEXPECTED_PROXY_AUTH; 1477 1478 // This case can trigger when an HTTPS server responds with a "Proxy 1479 // authentication required" status code through a non-authenticating 1480 // proxy. 1481 if (!auth_controllers_[target].get()) 1482 return ERR_UNEXPECTED_PROXY_AUTH; 1483 1484 int rv = auth_controllers_[target]->HandleAuthChallenge( 1485 headers, (request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA) != 0, false, 1486 net_log_); 1487 if (auth_controllers_[target]->HaveAuthHandler()) 1488 pending_auth_target_ = target; 1489 1490 scoped_refptr<AuthChallengeInfo> auth_info = 1491 auth_controllers_[target]->auth_info(); 1492 if (auth_info.get()) 1493 response_.auth_challenge = auth_info; 1494 1495 return rv; 1496 } 1497 1498 bool HttpNetworkTransaction::HaveAuth(HttpAuth::Target target) const { 1499 return auth_controllers_[target].get() && 1500 auth_controllers_[target]->HaveAuth(); 1501 } 1502 1503 GURL HttpNetworkTransaction::AuthURL(HttpAuth::Target target) const { 1504 switch (target) { 1505 case HttpAuth::AUTH_PROXY: { 1506 if (!proxy_info_.proxy_server().is_valid() || 1507 proxy_info_.proxy_server().is_direct()) { 1508 return GURL(); // There is no proxy server. 1509 } 1510 const char* scheme = proxy_info_.is_https() ? "https://" : "http://"; 1511 return GURL(scheme + 1512 proxy_info_.proxy_server().host_port_pair().ToString()); 1513 } 1514 case HttpAuth::AUTH_SERVER: 1515 return request_->url; 1516 default: 1517 return GURL(); 1518 } 1519 } 1520 1521 bool HttpNetworkTransaction::ForWebSocketHandshake() const { 1522 return websocket_handshake_stream_base_create_helper_ && 1523 request_->url.SchemeIsWSOrWSS(); 1524 } 1525 1526 #define STATE_CASE(s) \ 1527 case s: \ 1528 description = base::StringPrintf("%s (0x%08X)", #s, s); \ 1529 break 1530 1531 std::string HttpNetworkTransaction::DescribeState(State state) { 1532 std::string description; 1533 switch (state) { 1534 STATE_CASE(STATE_NOTIFY_BEFORE_CREATE_STREAM); 1535 STATE_CASE(STATE_CREATE_STREAM); 1536 STATE_CASE(STATE_CREATE_STREAM_COMPLETE); 1537 STATE_CASE(STATE_INIT_REQUEST_BODY); 1538 STATE_CASE(STATE_INIT_REQUEST_BODY_COMPLETE); 1539 STATE_CASE(STATE_BUILD_REQUEST); 1540 STATE_CASE(STATE_BUILD_REQUEST_COMPLETE); 1541 STATE_CASE(STATE_SEND_REQUEST); 1542 STATE_CASE(STATE_SEND_REQUEST_COMPLETE); 1543 STATE_CASE(STATE_READ_HEADERS); 1544 STATE_CASE(STATE_READ_HEADERS_COMPLETE); 1545 STATE_CASE(STATE_READ_BODY); 1546 STATE_CASE(STATE_READ_BODY_COMPLETE); 1547 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART); 1548 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE); 1549 STATE_CASE(STATE_NONE); 1550 default: 1551 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, 1552 state); 1553 break; 1554 } 1555 return description; 1556 } 1557 1558 #undef STATE_CASE 1559 1560 } // namespace net 1561