1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/http/http_network_transaction.h" 6 7 #include <set> 8 #include <vector> 9 10 #include "base/bind.h" 11 #include "base/bind_helpers.h" 12 #include "base/compiler_specific.h" 13 #include "base/format_macros.h" 14 #include "base/memory/scoped_ptr.h" 15 #include "base/metrics/field_trial.h" 16 #include "base/metrics/histogram.h" 17 #include "base/metrics/stats_counters.h" 18 #include "base/stl_util.h" 19 #include "base/strings/string_number_conversions.h" 20 #include "base/strings/string_util.h" 21 #include "base/strings/stringprintf.h" 22 #include "base/time/time.h" 23 #include "base/values.h" 24 #include "build/build_config.h" 25 #include "net/base/auth.h" 26 #include "net/base/host_port_pair.h" 27 #include "net/base/io_buffer.h" 28 #include "net/base/load_flags.h" 29 #include "net/base/load_timing_info.h" 30 #include "net/base/net_errors.h" 31 #include "net/base/net_util.h" 32 #include "net/base/upload_data_stream.h" 33 #include "net/http/http_auth.h" 34 #include "net/http/http_auth_handler.h" 35 #include "net/http/http_auth_handler_factory.h" 36 #include "net/http/http_basic_stream.h" 37 #include "net/http/http_chunked_decoder.h" 38 #include "net/http/http_network_session.h" 39 #include "net/http/http_proxy_client_socket.h" 40 #include "net/http/http_proxy_client_socket_pool.h" 41 #include "net/http/http_request_headers.h" 42 #include "net/http/http_request_info.h" 43 #include "net/http/http_response_headers.h" 44 #include "net/http/http_response_info.h" 45 #include "net/http/http_server_properties.h" 46 #include "net/http/http_status_code.h" 47 #include "net/http/http_stream_base.h" 48 #include "net/http/http_stream_factory.h" 49 #include "net/http/http_util.h" 50 #include "net/http/transport_security_state.h" 51 #include "net/http/url_security_manager.h" 52 #include "net/socket/client_socket_factory.h" 53 #include "net/socket/socks_client_socket_pool.h" 54 #include "net/socket/ssl_client_socket.h" 55 #include "net/socket/ssl_client_socket_pool.h" 56 #include "net/socket/transport_client_socket_pool.h" 57 #include "net/spdy/hpack_huffman_aggregator.h" 58 #include "net/spdy/spdy_http_stream.h" 59 #include "net/spdy/spdy_session.h" 60 #include "net/spdy/spdy_session_pool.h" 61 #include "net/ssl/ssl_cert_request_info.h" 62 #include "net/ssl/ssl_connection_status_flags.h" 63 #include "url/gurl.h" 64 #include "url/url_canon.h" 65 66 using base::Time; 67 using base::TimeDelta; 68 69 namespace net { 70 71 namespace { 72 73 void ProcessAlternateProtocol( 74 HttpNetworkSession* session, 75 const HttpResponseHeaders& headers, 76 const HostPortPair& http_host_port_pair) { 77 if (!headers.HasHeader(kAlternateProtocolHeader)) 78 return; 79 80 std::vector<std::string> alternate_protocol_values; 81 void* iter = NULL; 82 std::string alternate_protocol_str; 83 while (headers.EnumerateHeader(&iter, kAlternateProtocolHeader, 84 &alternate_protocol_str)) { 85 alternate_protocol_values.push_back(alternate_protocol_str); 86 } 87 88 session->http_stream_factory()->ProcessAlternateProtocol( 89 session->http_server_properties(), 90 alternate_protocol_values, 91 http_host_port_pair, 92 *session); 93 } 94 95 // Returns true if |error| is a client certificate authentication error. 96 bool IsClientCertificateError(int error) { 97 switch (error) { 98 case ERR_BAD_SSL_CLIENT_AUTH_CERT: 99 case ERR_SSL_CLIENT_AUTH_PRIVATE_KEY_ACCESS_DENIED: 100 case ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY: 101 case ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: 102 return true; 103 default: 104 return false; 105 } 106 } 107 108 base::Value* NetLogSSLVersionFallbackCallback( 109 const GURL* url, 110 int net_error, 111 uint16 version_before, 112 uint16 version_after, 113 NetLog::LogLevel /* log_level */) { 114 base::DictionaryValue* dict = new base::DictionaryValue(); 115 dict->SetString("host_and_port", GetHostAndPort(*url)); 116 dict->SetInteger("net_error", net_error); 117 dict->SetInteger("version_before", version_before); 118 dict->SetInteger("version_after", version_after); 119 return dict; 120 } 121 122 } // namespace 123 124 //----------------------------------------------------------------------------- 125 126 HttpNetworkTransaction::HttpNetworkTransaction(RequestPriority priority, 127 HttpNetworkSession* session) 128 : pending_auth_target_(HttpAuth::AUTH_NONE), 129 io_callback_(base::Bind(&HttpNetworkTransaction::OnIOComplete, 130 base::Unretained(this))), 131 session_(session), 132 request_(NULL), 133 priority_(priority), 134 headers_valid_(false), 135 logged_response_time_(false), 136 fallback_error_code_(ERR_SSL_INAPPROPRIATE_FALLBACK), 137 request_headers_(), 138 read_buf_len_(0), 139 total_received_bytes_(0), 140 next_state_(STATE_NONE), 141 establishing_tunnel_(false), 142 websocket_handshake_stream_base_create_helper_(NULL) { 143 session->ssl_config_service()->GetSSLConfig(&server_ssl_config_); 144 session->GetNextProtos(&server_ssl_config_.next_protos); 145 proxy_ssl_config_ = server_ssl_config_; 146 } 147 148 HttpNetworkTransaction::~HttpNetworkTransaction() { 149 if (stream_.get()) { 150 HttpResponseHeaders* headers = GetResponseHeaders(); 151 // TODO(mbelshe): The stream_ should be able to compute whether or not the 152 // stream should be kept alive. No reason to compute here 153 // and pass it in. 154 bool try_to_keep_alive = 155 next_state_ == STATE_NONE && 156 stream_->CanFindEndOfResponse() && 157 (!headers || headers->IsKeepAlive()); 158 if (!try_to_keep_alive) { 159 stream_->Close(true /* not reusable */); 160 } else { 161 if (stream_->IsResponseBodyComplete()) { 162 // If the response body is complete, we can just reuse the socket. 163 stream_->Close(false /* reusable */); 164 } else if (stream_->IsSpdyHttpStream()) { 165 // Doesn't really matter for SpdyHttpStream. Just close it. 166 stream_->Close(true /* not reusable */); 167 } else { 168 // Otherwise, we try to drain the response body. 169 HttpStreamBase* stream = stream_.release(); 170 stream->Drain(session_); 171 } 172 } 173 } 174 175 if (request_ && request_->upload_data_stream) 176 request_->upload_data_stream->Reset(); // Invalidate pending callbacks. 177 } 178 179 int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info, 180 const CompletionCallback& callback, 181 const BoundNetLog& net_log) { 182 SIMPLE_STATS_COUNTER("HttpNetworkTransaction.Count"); 183 184 net_log_ = net_log; 185 request_ = request_info; 186 start_time_ = base::Time::Now(); 187 188 if (request_->load_flags & LOAD_DISABLE_CERT_REVOCATION_CHECKING) { 189 server_ssl_config_.rev_checking_enabled = false; 190 proxy_ssl_config_.rev_checking_enabled = false; 191 } 192 193 // Channel ID is disabled if privacy mode is enabled for this request. 194 if (request_->privacy_mode == PRIVACY_MODE_ENABLED) 195 server_ssl_config_.channel_id_enabled = false; 196 197 next_state_ = STATE_NOTIFY_BEFORE_CREATE_STREAM; 198 int rv = DoLoop(OK); 199 if (rv == ERR_IO_PENDING) 200 callback_ = callback; 201 return rv; 202 } 203 204 int HttpNetworkTransaction::RestartIgnoringLastError( 205 const CompletionCallback& callback) { 206 DCHECK(!stream_.get()); 207 DCHECK(!stream_request_.get()); 208 DCHECK_EQ(STATE_NONE, next_state_); 209 210 next_state_ = STATE_CREATE_STREAM; 211 212 int rv = DoLoop(OK); 213 if (rv == ERR_IO_PENDING) 214 callback_ = callback; 215 return rv; 216 } 217 218 int HttpNetworkTransaction::RestartWithCertificate( 219 X509Certificate* client_cert, const CompletionCallback& callback) { 220 // In HandleCertificateRequest(), we always tear down existing stream 221 // requests to force a new connection. So we shouldn't have one here. 222 DCHECK(!stream_request_.get()); 223 DCHECK(!stream_.get()); 224 DCHECK_EQ(STATE_NONE, next_state_); 225 226 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 227 &proxy_ssl_config_ : &server_ssl_config_; 228 ssl_config->send_client_cert = true; 229 ssl_config->client_cert = client_cert; 230 session_->ssl_client_auth_cache()->Add( 231 response_.cert_request_info->host_and_port, client_cert); 232 // Reset the other member variables. 233 // Note: this is necessary only with SSL renegotiation. 234 ResetStateForRestart(); 235 next_state_ = STATE_CREATE_STREAM; 236 int rv = DoLoop(OK); 237 if (rv == ERR_IO_PENDING) 238 callback_ = callback; 239 return rv; 240 } 241 242 int HttpNetworkTransaction::RestartWithAuth( 243 const AuthCredentials& credentials, const CompletionCallback& callback) { 244 HttpAuth::Target target = pending_auth_target_; 245 if (target == HttpAuth::AUTH_NONE) { 246 NOTREACHED(); 247 return ERR_UNEXPECTED; 248 } 249 pending_auth_target_ = HttpAuth::AUTH_NONE; 250 251 auth_controllers_[target]->ResetAuth(credentials); 252 253 DCHECK(callback_.is_null()); 254 255 int rv = OK; 256 if (target == HttpAuth::AUTH_PROXY && establishing_tunnel_) { 257 // In this case, we've gathered credentials for use with proxy 258 // authentication of a tunnel. 259 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 260 DCHECK(stream_request_ != NULL); 261 auth_controllers_[target] = NULL; 262 ResetStateForRestart(); 263 rv = stream_request_->RestartTunnelWithProxyAuth(credentials); 264 } else { 265 // In this case, we've gathered credentials for the server or the proxy 266 // but it is not during the tunneling phase. 267 DCHECK(stream_request_ == NULL); 268 PrepareForAuthRestart(target); 269 rv = DoLoop(OK); 270 } 271 272 if (rv == ERR_IO_PENDING) 273 callback_ = callback; 274 return rv; 275 } 276 277 void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) { 278 DCHECK(HaveAuth(target)); 279 DCHECK(!stream_request_.get()); 280 281 bool keep_alive = false; 282 // Even if the server says the connection is keep-alive, we have to be 283 // able to find the end of each response in order to reuse the connection. 284 if (GetResponseHeaders()->IsKeepAlive() && 285 stream_->CanFindEndOfResponse()) { 286 // If the response body hasn't been completely read, we need to drain 287 // it first. 288 if (!stream_->IsResponseBodyComplete()) { 289 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 290 read_buf_ = new IOBuffer(kDrainBodyBufferSize); // A bit bucket. 291 read_buf_len_ = kDrainBodyBufferSize; 292 return; 293 } 294 keep_alive = true; 295 } 296 297 // We don't need to drain the response body, so we act as if we had drained 298 // the response body. 299 DidDrainBodyForAuthRestart(keep_alive); 300 } 301 302 void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) { 303 DCHECK(!stream_request_.get()); 304 305 if (stream_.get()) { 306 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 307 HttpStream* new_stream = NULL; 308 if (keep_alive && stream_->IsConnectionReusable()) { 309 // We should call connection_->set_idle_time(), but this doesn't occur 310 // often enough to be worth the trouble. 311 stream_->SetConnectionReused(); 312 new_stream = 313 static_cast<HttpStream*>(stream_.get())->RenewStreamForAuth(); 314 } 315 316 if (!new_stream) { 317 // Close the stream and mark it as not_reusable. Even in the 318 // keep_alive case, we've determined that the stream_ is not 319 // reusable if new_stream is NULL. 320 stream_->Close(true); 321 next_state_ = STATE_CREATE_STREAM; 322 } else { 323 // Renewed streams shouldn't carry over received bytes. 324 DCHECK_EQ(0, new_stream->GetTotalReceivedBytes()); 325 next_state_ = STATE_INIT_STREAM; 326 } 327 stream_.reset(new_stream); 328 } 329 330 // Reset the other member variables. 331 ResetStateForAuthRestart(); 332 } 333 334 bool HttpNetworkTransaction::IsReadyToRestartForAuth() { 335 return pending_auth_target_ != HttpAuth::AUTH_NONE && 336 HaveAuth(pending_auth_target_); 337 } 338 339 int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len, 340 const CompletionCallback& callback) { 341 DCHECK(buf); 342 DCHECK_LT(0, buf_len); 343 344 State next_state = STATE_NONE; 345 346 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 347 if (headers_valid_ && headers.get() && stream_request_.get()) { 348 // We're trying to read the body of the response but we're still trying 349 // to establish an SSL tunnel through an HTTP proxy. We can't read these 350 // bytes when establishing a tunnel because they might be controlled by 351 // an active network attacker. We don't worry about this for HTTP 352 // because an active network attacker can already control HTTP sessions. 353 // We reach this case when the user cancels a 407 proxy auth prompt. We 354 // also don't worry about this for an HTTPS Proxy, because the 355 // communication with the proxy is secure. 356 // See http://crbug.com/8473. 357 DCHECK(proxy_info_.is_http() || proxy_info_.is_https()); 358 DCHECK_EQ(headers->response_code(), HTTP_PROXY_AUTHENTICATION_REQUIRED); 359 LOG(WARNING) << "Blocked proxy response with status " 360 << headers->response_code() << " to CONNECT request for " 361 << GetHostAndPort(request_->url) << "."; 362 return ERR_TUNNEL_CONNECTION_FAILED; 363 } 364 365 // Are we using SPDY or HTTP? 366 next_state = STATE_READ_BODY; 367 368 read_buf_ = buf; 369 read_buf_len_ = buf_len; 370 371 next_state_ = next_state; 372 int rv = DoLoop(OK); 373 if (rv == ERR_IO_PENDING) 374 callback_ = callback; 375 return rv; 376 } 377 378 void HttpNetworkTransaction::StopCaching() {} 379 380 bool HttpNetworkTransaction::GetFullRequestHeaders( 381 HttpRequestHeaders* headers) const { 382 // TODO(ttuttle): Make sure we've populated request_headers_. 383 *headers = request_headers_; 384 return true; 385 } 386 387 int64 HttpNetworkTransaction::GetTotalReceivedBytes() const { 388 int64 total_received_bytes = total_received_bytes_; 389 if (stream_) 390 total_received_bytes += stream_->GetTotalReceivedBytes(); 391 return total_received_bytes; 392 } 393 394 void HttpNetworkTransaction::DoneReading() {} 395 396 const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const { 397 return ((headers_valid_ && response_.headers.get()) || 398 response_.ssl_info.cert.get() || response_.cert_request_info.get()) 399 ? &response_ 400 : NULL; 401 } 402 403 LoadState HttpNetworkTransaction::GetLoadState() const { 404 // TODO(wtc): Define a new LoadState value for the 405 // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request. 406 switch (next_state_) { 407 case STATE_CREATE_STREAM: 408 return LOAD_STATE_WAITING_FOR_DELEGATE; 409 case STATE_CREATE_STREAM_COMPLETE: 410 return stream_request_->GetLoadState(); 411 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 412 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 413 case STATE_SEND_REQUEST_COMPLETE: 414 return LOAD_STATE_SENDING_REQUEST; 415 case STATE_READ_HEADERS_COMPLETE: 416 return LOAD_STATE_WAITING_FOR_RESPONSE; 417 case STATE_READ_BODY_COMPLETE: 418 return LOAD_STATE_READING_RESPONSE; 419 default: 420 return LOAD_STATE_IDLE; 421 } 422 } 423 424 UploadProgress HttpNetworkTransaction::GetUploadProgress() const { 425 if (!stream_.get()) 426 return UploadProgress(); 427 428 // TODO(bashi): This cast is temporary. Remove later. 429 return static_cast<HttpStream*>(stream_.get())->GetUploadProgress(); 430 } 431 432 void HttpNetworkTransaction::SetQuicServerInfo( 433 QuicServerInfo* quic_server_info) {} 434 435 bool HttpNetworkTransaction::GetLoadTimingInfo( 436 LoadTimingInfo* load_timing_info) const { 437 if (!stream_ || !stream_->GetLoadTimingInfo(load_timing_info)) 438 return false; 439 440 load_timing_info->proxy_resolve_start = 441 proxy_info_.proxy_resolve_start_time(); 442 load_timing_info->proxy_resolve_end = proxy_info_.proxy_resolve_end_time(); 443 load_timing_info->send_start = send_start_time_; 444 load_timing_info->send_end = send_end_time_; 445 return true; 446 } 447 448 void HttpNetworkTransaction::SetPriority(RequestPriority priority) { 449 priority_ = priority; 450 if (stream_request_) 451 stream_request_->SetPriority(priority); 452 if (stream_) 453 stream_->SetPriority(priority); 454 } 455 456 void HttpNetworkTransaction::SetWebSocketHandshakeStreamCreateHelper( 457 WebSocketHandshakeStreamBase::CreateHelper* create_helper) { 458 websocket_handshake_stream_base_create_helper_ = create_helper; 459 } 460 461 void HttpNetworkTransaction::SetBeforeNetworkStartCallback( 462 const BeforeNetworkStartCallback& callback) { 463 before_network_start_callback_ = callback; 464 } 465 466 void HttpNetworkTransaction::SetBeforeProxyHeadersSentCallback( 467 const BeforeProxyHeadersSentCallback& callback) { 468 before_proxy_headers_sent_callback_ = callback; 469 } 470 471 int HttpNetworkTransaction::ResumeNetworkStart() { 472 DCHECK_EQ(next_state_, STATE_CREATE_STREAM); 473 return DoLoop(OK); 474 } 475 476 void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config, 477 const ProxyInfo& used_proxy_info, 478 HttpStreamBase* stream) { 479 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 480 DCHECK(stream_request_.get()); 481 482 if (stream_) 483 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 484 stream_.reset(stream); 485 server_ssl_config_ = used_ssl_config; 486 proxy_info_ = used_proxy_info; 487 response_.was_npn_negotiated = stream_request_->was_npn_negotiated(); 488 response_.npn_negotiated_protocol = SSLClientSocket::NextProtoToString( 489 stream_request_->protocol_negotiated()); 490 response_.was_fetched_via_spdy = stream_request_->using_spdy(); 491 response_.was_fetched_via_proxy = !proxy_info_.is_direct(); 492 if (response_.was_fetched_via_proxy && !proxy_info_.is_empty()) 493 response_.proxy_server = proxy_info_.proxy_server().host_port_pair(); 494 OnIOComplete(OK); 495 } 496 497 void HttpNetworkTransaction::OnWebSocketHandshakeStreamReady( 498 const SSLConfig& used_ssl_config, 499 const ProxyInfo& used_proxy_info, 500 WebSocketHandshakeStreamBase* stream) { 501 OnStreamReady(used_ssl_config, used_proxy_info, stream); 502 } 503 504 void HttpNetworkTransaction::OnStreamFailed(int result, 505 const SSLConfig& used_ssl_config) { 506 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 507 DCHECK_NE(OK, result); 508 DCHECK(stream_request_.get()); 509 DCHECK(!stream_.get()); 510 server_ssl_config_ = used_ssl_config; 511 512 OnIOComplete(result); 513 } 514 515 void HttpNetworkTransaction::OnCertificateError( 516 int result, 517 const SSLConfig& used_ssl_config, 518 const SSLInfo& ssl_info) { 519 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 520 DCHECK_NE(OK, result); 521 DCHECK(stream_request_.get()); 522 DCHECK(!stream_.get()); 523 524 response_.ssl_info = ssl_info; 525 server_ssl_config_ = used_ssl_config; 526 527 // TODO(mbelshe): For now, we're going to pass the error through, and that 528 // will close the stream_request in all cases. This means that we're always 529 // going to restart an entire STATE_CREATE_STREAM, even if the connection is 530 // good and the user chooses to ignore the error. This is not ideal, but not 531 // the end of the world either. 532 533 OnIOComplete(result); 534 } 535 536 void HttpNetworkTransaction::OnNeedsProxyAuth( 537 const HttpResponseInfo& proxy_response, 538 const SSLConfig& used_ssl_config, 539 const ProxyInfo& used_proxy_info, 540 HttpAuthController* auth_controller) { 541 DCHECK(stream_request_.get()); 542 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 543 544 establishing_tunnel_ = true; 545 response_.headers = proxy_response.headers; 546 response_.auth_challenge = proxy_response.auth_challenge; 547 headers_valid_ = true; 548 server_ssl_config_ = used_ssl_config; 549 proxy_info_ = used_proxy_info; 550 551 auth_controllers_[HttpAuth::AUTH_PROXY] = auth_controller; 552 pending_auth_target_ = HttpAuth::AUTH_PROXY; 553 554 DoCallback(OK); 555 } 556 557 void HttpNetworkTransaction::OnNeedsClientAuth( 558 const SSLConfig& used_ssl_config, 559 SSLCertRequestInfo* cert_info) { 560 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 561 562 server_ssl_config_ = used_ssl_config; 563 response_.cert_request_info = cert_info; 564 OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 565 } 566 567 void HttpNetworkTransaction::OnHttpsProxyTunnelResponse( 568 const HttpResponseInfo& response_info, 569 const SSLConfig& used_ssl_config, 570 const ProxyInfo& used_proxy_info, 571 HttpStreamBase* stream) { 572 DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_); 573 574 headers_valid_ = true; 575 response_ = response_info; 576 server_ssl_config_ = used_ssl_config; 577 proxy_info_ = used_proxy_info; 578 if (stream_) 579 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 580 stream_.reset(stream); 581 stream_request_.reset(); // we're done with the stream request 582 OnIOComplete(ERR_HTTPS_PROXY_TUNNEL_RESPONSE); 583 } 584 585 bool HttpNetworkTransaction::is_https_request() const { 586 return request_->url.SchemeIs("https"); 587 } 588 589 void HttpNetworkTransaction::DoCallback(int rv) { 590 DCHECK_NE(rv, ERR_IO_PENDING); 591 DCHECK(!callback_.is_null()); 592 593 // Since Run may result in Read being called, clear user_callback_ up front. 594 CompletionCallback c = callback_; 595 callback_.Reset(); 596 c.Run(rv); 597 } 598 599 void HttpNetworkTransaction::OnIOComplete(int result) { 600 int rv = DoLoop(result); 601 if (rv != ERR_IO_PENDING) 602 DoCallback(rv); 603 } 604 605 int HttpNetworkTransaction::DoLoop(int result) { 606 DCHECK(next_state_ != STATE_NONE); 607 608 int rv = result; 609 do { 610 State state = next_state_; 611 next_state_ = STATE_NONE; 612 switch (state) { 613 case STATE_NOTIFY_BEFORE_CREATE_STREAM: 614 DCHECK_EQ(OK, rv); 615 rv = DoNotifyBeforeCreateStream(); 616 break; 617 case STATE_CREATE_STREAM: 618 DCHECK_EQ(OK, rv); 619 rv = DoCreateStream(); 620 break; 621 case STATE_CREATE_STREAM_COMPLETE: 622 rv = DoCreateStreamComplete(rv); 623 break; 624 case STATE_INIT_STREAM: 625 DCHECK_EQ(OK, rv); 626 rv = DoInitStream(); 627 break; 628 case STATE_INIT_STREAM_COMPLETE: 629 rv = DoInitStreamComplete(rv); 630 break; 631 case STATE_GENERATE_PROXY_AUTH_TOKEN: 632 DCHECK_EQ(OK, rv); 633 rv = DoGenerateProxyAuthToken(); 634 break; 635 case STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE: 636 rv = DoGenerateProxyAuthTokenComplete(rv); 637 break; 638 case STATE_GENERATE_SERVER_AUTH_TOKEN: 639 DCHECK_EQ(OK, rv); 640 rv = DoGenerateServerAuthToken(); 641 break; 642 case STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE: 643 rv = DoGenerateServerAuthTokenComplete(rv); 644 break; 645 case STATE_INIT_REQUEST_BODY: 646 DCHECK_EQ(OK, rv); 647 rv = DoInitRequestBody(); 648 break; 649 case STATE_INIT_REQUEST_BODY_COMPLETE: 650 rv = DoInitRequestBodyComplete(rv); 651 break; 652 case STATE_BUILD_REQUEST: 653 DCHECK_EQ(OK, rv); 654 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST); 655 rv = DoBuildRequest(); 656 break; 657 case STATE_BUILD_REQUEST_COMPLETE: 658 rv = DoBuildRequestComplete(rv); 659 break; 660 case STATE_SEND_REQUEST: 661 DCHECK_EQ(OK, rv); 662 rv = DoSendRequest(); 663 break; 664 case STATE_SEND_REQUEST_COMPLETE: 665 rv = DoSendRequestComplete(rv); 666 net_log_.EndEventWithNetErrorCode( 667 NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, rv); 668 break; 669 case STATE_READ_HEADERS: 670 DCHECK_EQ(OK, rv); 671 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS); 672 rv = DoReadHeaders(); 673 break; 674 case STATE_READ_HEADERS_COMPLETE: 675 rv = DoReadHeadersComplete(rv); 676 net_log_.EndEventWithNetErrorCode( 677 NetLog::TYPE_HTTP_TRANSACTION_READ_HEADERS, rv); 678 break; 679 case STATE_READ_BODY: 680 DCHECK_EQ(OK, rv); 681 net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_READ_BODY); 682 rv = DoReadBody(); 683 break; 684 case STATE_READ_BODY_COMPLETE: 685 rv = DoReadBodyComplete(rv); 686 net_log_.EndEventWithNetErrorCode( 687 NetLog::TYPE_HTTP_TRANSACTION_READ_BODY, rv); 688 break; 689 case STATE_DRAIN_BODY_FOR_AUTH_RESTART: 690 DCHECK_EQ(OK, rv); 691 net_log_.BeginEvent( 692 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART); 693 rv = DoDrainBodyForAuthRestart(); 694 break; 695 case STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE: 696 rv = DoDrainBodyForAuthRestartComplete(rv); 697 net_log_.EndEventWithNetErrorCode( 698 NetLog::TYPE_HTTP_TRANSACTION_DRAIN_BODY_FOR_AUTH_RESTART, rv); 699 break; 700 default: 701 NOTREACHED() << "bad state"; 702 rv = ERR_FAILED; 703 break; 704 } 705 } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE); 706 707 return rv; 708 } 709 710 int HttpNetworkTransaction::DoNotifyBeforeCreateStream() { 711 next_state_ = STATE_CREATE_STREAM; 712 bool defer = false; 713 if (!before_network_start_callback_.is_null()) 714 before_network_start_callback_.Run(&defer); 715 if (!defer) 716 return OK; 717 return ERR_IO_PENDING; 718 } 719 720 int HttpNetworkTransaction::DoCreateStream() { 721 next_state_ = STATE_CREATE_STREAM_COMPLETE; 722 if (ForWebSocketHandshake()) { 723 stream_request_.reset( 724 session_->http_stream_factory_for_websocket() 725 ->RequestWebSocketHandshakeStream( 726 *request_, 727 priority_, 728 server_ssl_config_, 729 proxy_ssl_config_, 730 this, 731 websocket_handshake_stream_base_create_helper_, 732 net_log_)); 733 } else { 734 stream_request_.reset( 735 session_->http_stream_factory()->RequestStream( 736 *request_, 737 priority_, 738 server_ssl_config_, 739 proxy_ssl_config_, 740 this, 741 net_log_)); 742 } 743 DCHECK(stream_request_.get()); 744 return ERR_IO_PENDING; 745 } 746 747 int HttpNetworkTransaction::DoCreateStreamComplete(int result) { 748 if (result == OK) { 749 next_state_ = STATE_INIT_STREAM; 750 DCHECK(stream_.get()); 751 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 752 result = HandleCertificateRequest(result); 753 } else if (result == ERR_HTTPS_PROXY_TUNNEL_RESPONSE) { 754 // Return OK and let the caller read the proxy's error page 755 next_state_ = STATE_NONE; 756 return OK; 757 } 758 759 // Handle possible handshake errors that may have occurred if the stream 760 // used SSL for one or more of the layers. 761 result = HandleSSLHandshakeError(result); 762 763 // At this point we are done with the stream_request_. 764 stream_request_.reset(); 765 return result; 766 } 767 768 int HttpNetworkTransaction::DoInitStream() { 769 DCHECK(stream_.get()); 770 next_state_ = STATE_INIT_STREAM_COMPLETE; 771 return stream_->InitializeStream(request_, priority_, net_log_, io_callback_); 772 } 773 774 int HttpNetworkTransaction::DoInitStreamComplete(int result) { 775 if (result == OK) { 776 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN; 777 } else { 778 if (result < 0) 779 result = HandleIOError(result); 780 781 // The stream initialization failed, so this stream will never be useful. 782 if (stream_) 783 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 784 stream_.reset(); 785 } 786 787 return result; 788 } 789 790 int HttpNetworkTransaction::DoGenerateProxyAuthToken() { 791 next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN_COMPLETE; 792 if (!ShouldApplyProxyAuth()) 793 return OK; 794 HttpAuth::Target target = HttpAuth::AUTH_PROXY; 795 if (!auth_controllers_[target].get()) 796 auth_controllers_[target] = 797 new HttpAuthController(target, 798 AuthURL(target), 799 session_->http_auth_cache(), 800 session_->http_auth_handler_factory()); 801 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 802 io_callback_, 803 net_log_); 804 } 805 806 int HttpNetworkTransaction::DoGenerateProxyAuthTokenComplete(int rv) { 807 DCHECK_NE(ERR_IO_PENDING, rv); 808 if (rv == OK) 809 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN; 810 return rv; 811 } 812 813 int HttpNetworkTransaction::DoGenerateServerAuthToken() { 814 next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE; 815 HttpAuth::Target target = HttpAuth::AUTH_SERVER; 816 if (!auth_controllers_[target].get()) { 817 auth_controllers_[target] = 818 new HttpAuthController(target, 819 AuthURL(target), 820 session_->http_auth_cache(), 821 session_->http_auth_handler_factory()); 822 if (request_->load_flags & LOAD_DO_NOT_USE_EMBEDDED_IDENTITY) 823 auth_controllers_[target]->DisableEmbeddedIdentity(); 824 } 825 if (!ShouldApplyServerAuth()) 826 return OK; 827 return auth_controllers_[target]->MaybeGenerateAuthToken(request_, 828 io_callback_, 829 net_log_); 830 } 831 832 int HttpNetworkTransaction::DoGenerateServerAuthTokenComplete(int rv) { 833 DCHECK_NE(ERR_IO_PENDING, rv); 834 if (rv == OK) 835 next_state_ = STATE_INIT_REQUEST_BODY; 836 return rv; 837 } 838 839 void HttpNetworkTransaction::BuildRequestHeaders(bool using_proxy) { 840 request_headers_.SetHeader(HttpRequestHeaders::kHost, 841 GetHostAndOptionalPort(request_->url)); 842 843 // For compat with HTTP/1.0 servers and proxies: 844 if (using_proxy) { 845 request_headers_.SetHeader(HttpRequestHeaders::kProxyConnection, 846 "keep-alive"); 847 } else { 848 request_headers_.SetHeader(HttpRequestHeaders::kConnection, "keep-alive"); 849 } 850 851 // Add a content length header? 852 if (request_->upload_data_stream) { 853 if (request_->upload_data_stream->is_chunked()) { 854 request_headers_.SetHeader( 855 HttpRequestHeaders::kTransferEncoding, "chunked"); 856 } else { 857 request_headers_.SetHeader( 858 HttpRequestHeaders::kContentLength, 859 base::Uint64ToString(request_->upload_data_stream->size())); 860 } 861 } else if (request_->method == "POST" || request_->method == "PUT" || 862 request_->method == "HEAD") { 863 // An empty POST/PUT request still needs a content length. As for HEAD, 864 // IE and Safari also add a content length header. Presumably it is to 865 // support sending a HEAD request to an URL that only expects to be sent a 866 // POST or some other method that normally would have a message body. 867 request_headers_.SetHeader(HttpRequestHeaders::kContentLength, "0"); 868 } 869 870 // Honor load flags that impact proxy caches. 871 if (request_->load_flags & LOAD_BYPASS_CACHE) { 872 request_headers_.SetHeader(HttpRequestHeaders::kPragma, "no-cache"); 873 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "no-cache"); 874 } else if (request_->load_flags & LOAD_VALIDATE_CACHE) { 875 request_headers_.SetHeader(HttpRequestHeaders::kCacheControl, "max-age=0"); 876 } 877 878 if (ShouldApplyProxyAuth() && HaveAuth(HttpAuth::AUTH_PROXY)) 879 auth_controllers_[HttpAuth::AUTH_PROXY]->AddAuthorizationHeader( 880 &request_headers_); 881 if (ShouldApplyServerAuth() && HaveAuth(HttpAuth::AUTH_SERVER)) 882 auth_controllers_[HttpAuth::AUTH_SERVER]->AddAuthorizationHeader( 883 &request_headers_); 884 885 request_headers_.MergeFrom(request_->extra_headers); 886 887 if (using_proxy && !before_proxy_headers_sent_callback_.is_null()) 888 before_proxy_headers_sent_callback_.Run(proxy_info_, &request_headers_); 889 890 response_.did_use_http_auth = 891 request_headers_.HasHeader(HttpRequestHeaders::kAuthorization) || 892 request_headers_.HasHeader(HttpRequestHeaders::kProxyAuthorization); 893 } 894 895 int HttpNetworkTransaction::DoInitRequestBody() { 896 next_state_ = STATE_INIT_REQUEST_BODY_COMPLETE; 897 int rv = OK; 898 if (request_->upload_data_stream) 899 rv = request_->upload_data_stream->Init(io_callback_); 900 return rv; 901 } 902 903 int HttpNetworkTransaction::DoInitRequestBodyComplete(int result) { 904 if (result == OK) 905 next_state_ = STATE_BUILD_REQUEST; 906 return result; 907 } 908 909 int HttpNetworkTransaction::DoBuildRequest() { 910 next_state_ = STATE_BUILD_REQUEST_COMPLETE; 911 headers_valid_ = false; 912 913 // This is constructed lazily (instead of within our Start method), so that 914 // we have proxy info available. 915 if (request_headers_.IsEmpty()) { 916 bool using_proxy = (proxy_info_.is_http() || proxy_info_.is_https()) && 917 !is_https_request(); 918 BuildRequestHeaders(using_proxy); 919 } 920 921 return OK; 922 } 923 924 int HttpNetworkTransaction::DoBuildRequestComplete(int result) { 925 if (result == OK) 926 next_state_ = STATE_SEND_REQUEST; 927 return result; 928 } 929 930 int HttpNetworkTransaction::DoSendRequest() { 931 send_start_time_ = base::TimeTicks::Now(); 932 next_state_ = STATE_SEND_REQUEST_COMPLETE; 933 934 return stream_->SendRequest(request_headers_, &response_, io_callback_); 935 } 936 937 int HttpNetworkTransaction::DoSendRequestComplete(int result) { 938 send_end_time_ = base::TimeTicks::Now(); 939 if (result < 0) 940 return HandleIOError(result); 941 response_.network_accessed = true; 942 next_state_ = STATE_READ_HEADERS; 943 return OK; 944 } 945 946 int HttpNetworkTransaction::DoReadHeaders() { 947 next_state_ = STATE_READ_HEADERS_COMPLETE; 948 return stream_->ReadResponseHeaders(io_callback_); 949 } 950 951 int HttpNetworkTransaction::DoReadHeadersComplete(int result) { 952 // We can get a certificate error or ERR_SSL_CLIENT_AUTH_CERT_NEEDED here 953 // due to SSL renegotiation. 954 if (IsCertificateError(result)) { 955 // We don't handle a certificate error during SSL renegotiation, so we 956 // have to return an error that's not in the certificate error range 957 // (-2xx). 958 LOG(ERROR) << "Got a server certificate with error " << result 959 << " during SSL renegotiation"; 960 result = ERR_CERT_ERROR_IN_SSL_RENEGOTIATION; 961 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { 962 // TODO(wtc): Need a test case for this code path! 963 DCHECK(stream_.get()); 964 DCHECK(is_https_request()); 965 response_.cert_request_info = new SSLCertRequestInfo; 966 stream_->GetSSLCertRequestInfo(response_.cert_request_info.get()); 967 result = HandleCertificateRequest(result); 968 if (result == OK) 969 return result; 970 } 971 972 if (result == ERR_QUIC_HANDSHAKE_FAILED) { 973 ResetConnectionAndRequestForResend(); 974 return OK; 975 } 976 977 // After we call RestartWithAuth a new response_time will be recorded, and 978 // we need to be cautious about incorrectly logging the duration across the 979 // authentication activity. 980 if (result == OK) 981 LogTransactionConnectedMetrics(); 982 983 // ERR_CONNECTION_CLOSED is treated differently at this point; if partial 984 // response headers were received, we do the best we can to make sense of it 985 // and send it back up the stack. 986 // 987 // TODO(davidben): Consider moving this to HttpBasicStream, It's a little 988 // bizarre for SPDY. Assuming this logic is useful at all. 989 // TODO(davidben): Bubble the error code up so we do not cache? 990 if (result == ERR_CONNECTION_CLOSED && response_.headers.get()) 991 result = OK; 992 993 if (result < 0) 994 return HandleIOError(result); 995 996 DCHECK(response_.headers.get()); 997 998 // On a 408 response from the server ("Request Timeout") on a stale socket, 999 // retry the request. 1000 // Headers can be NULL because of http://crbug.com/384554. 1001 if (response_.headers.get() && response_.headers->response_code() == 408 && 1002 stream_->IsConnectionReused()) { 1003 net_log_.AddEventWithNetErrorCode( 1004 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, 1005 response_.headers->response_code()); 1006 // This will close the socket - it would be weird to try and reuse it, even 1007 // if the server doesn't actually close it. 1008 ResetConnectionAndRequestForResend(); 1009 return OK; 1010 } 1011 1012 // Like Net.HttpResponseCode, but only for MAIN_FRAME loads. 1013 if (request_->load_flags & LOAD_MAIN_FRAME) { 1014 const int response_code = response_.headers->response_code(); 1015 UMA_HISTOGRAM_ENUMERATION( 1016 "Net.HttpResponseCode_Nxx_MainFrame", response_code/100, 10); 1017 } 1018 1019 net_log_.AddEvent( 1020 NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS, 1021 base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers)); 1022 1023 if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) { 1024 // HTTP/0.9 doesn't support the PUT method, so lack of response headers 1025 // indicates a buggy server. See: 1026 // https://bugzilla.mozilla.org/show_bug.cgi?id=193921 1027 if (request_->method == "PUT") 1028 return ERR_METHOD_NOT_SUPPORTED; 1029 } 1030 1031 // Check for an intermediate 100 Continue response. An origin server is 1032 // allowed to send this response even if we didn't ask for it, so we just 1033 // need to skip over it. 1034 // We treat any other 1xx in this same way (although in practice getting 1035 // a 1xx that isn't a 100 is rare). 1036 // Unless this is a WebSocket request, in which case we pass it on up. 1037 if (response_.headers->response_code() / 100 == 1 && 1038 !ForWebSocketHandshake()) { 1039 response_.headers = new HttpResponseHeaders(std::string()); 1040 next_state_ = STATE_READ_HEADERS; 1041 return OK; 1042 } 1043 1044 HostPortPair endpoint = HostPortPair(request_->url.HostNoBrackets(), 1045 request_->url.EffectiveIntPort()); 1046 ProcessAlternateProtocol(session_, 1047 *response_.headers.get(), 1048 endpoint); 1049 1050 int rv = HandleAuthChallenge(); 1051 if (rv != OK) 1052 return rv; 1053 1054 if (is_https_request()) 1055 stream_->GetSSLInfo(&response_.ssl_info); 1056 1057 headers_valid_ = true; 1058 1059 if (session_->huffman_aggregator()) { 1060 session_->huffman_aggregator()->AggregateTransactionCharacterCounts( 1061 *request_, 1062 request_headers_, 1063 proxy_info_.proxy_server(), 1064 *response_.headers.get()); 1065 } 1066 return OK; 1067 } 1068 1069 int HttpNetworkTransaction::DoReadBody() { 1070 DCHECK(read_buf_.get()); 1071 DCHECK_GT(read_buf_len_, 0); 1072 DCHECK(stream_ != NULL); 1073 1074 next_state_ = STATE_READ_BODY_COMPLETE; 1075 return stream_->ReadResponseBody( 1076 read_buf_.get(), read_buf_len_, io_callback_); 1077 } 1078 1079 int HttpNetworkTransaction::DoReadBodyComplete(int result) { 1080 // We are done with the Read call. 1081 bool done = false; 1082 if (result <= 0) { 1083 DCHECK_NE(ERR_IO_PENDING, result); 1084 done = true; 1085 } 1086 1087 bool keep_alive = false; 1088 if (stream_->IsResponseBodyComplete()) { 1089 // Note: Just because IsResponseBodyComplete is true, we're not 1090 // necessarily "done". We're only "done" when it is the last 1091 // read on this HttpNetworkTransaction, which will be signified 1092 // by a zero-length read. 1093 // TODO(mbelshe): The keepalive property is really a property of 1094 // the stream. No need to compute it here just to pass back 1095 // to the stream's Close function. 1096 // TODO(rtenneti): CanFindEndOfResponse should return false if there are no 1097 // ResponseHeaders. 1098 if (stream_->CanFindEndOfResponse()) { 1099 HttpResponseHeaders* headers = GetResponseHeaders(); 1100 if (headers) 1101 keep_alive = headers->IsKeepAlive(); 1102 } 1103 } 1104 1105 // Clean up connection if we are done. 1106 if (done) { 1107 LogTransactionMetrics(); 1108 stream_->Close(!keep_alive); 1109 // Note: we don't reset the stream here. We've closed it, but we still 1110 // need it around so that callers can call methods such as 1111 // GetUploadProgress() and have them be meaningful. 1112 // TODO(mbelshe): This means we closed the stream here, and we close it 1113 // again in ~HttpNetworkTransaction. Clean that up. 1114 1115 // The next Read call will return 0 (EOF). 1116 } 1117 1118 // Clear these to avoid leaving around old state. 1119 read_buf_ = NULL; 1120 read_buf_len_ = 0; 1121 1122 return result; 1123 } 1124 1125 int HttpNetworkTransaction::DoDrainBodyForAuthRestart() { 1126 // This method differs from DoReadBody only in the next_state_. So we just 1127 // call DoReadBody and override the next_state_. Perhaps there is a more 1128 // elegant way for these two methods to share code. 1129 int rv = DoReadBody(); 1130 DCHECK(next_state_ == STATE_READ_BODY_COMPLETE); 1131 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE; 1132 return rv; 1133 } 1134 1135 // TODO(wtc): This method and the DoReadBodyComplete method are almost 1136 // the same. Figure out a good way for these two methods to share code. 1137 int HttpNetworkTransaction::DoDrainBodyForAuthRestartComplete(int result) { 1138 // keep_alive defaults to true because the very reason we're draining the 1139 // response body is to reuse the connection for auth restart. 1140 bool done = false, keep_alive = true; 1141 if (result < 0) { 1142 // Error or closed connection while reading the socket. 1143 done = true; 1144 keep_alive = false; 1145 } else if (stream_->IsResponseBodyComplete()) { 1146 done = true; 1147 } 1148 1149 if (done) { 1150 DidDrainBodyForAuthRestart(keep_alive); 1151 } else { 1152 // Keep draining. 1153 next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART; 1154 } 1155 1156 return OK; 1157 } 1158 1159 void HttpNetworkTransaction::LogTransactionConnectedMetrics() { 1160 if (logged_response_time_) 1161 return; 1162 1163 logged_response_time_ = true; 1164 1165 base::TimeDelta total_duration = response_.response_time - start_time_; 1166 1167 UMA_HISTOGRAM_CUSTOM_TIMES( 1168 "Net.Transaction_Connected", 1169 total_duration, 1170 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1171 100); 1172 1173 bool reused_socket = stream_->IsConnectionReused(); 1174 if (!reused_socket) { 1175 UMA_HISTOGRAM_CUSTOM_TIMES( 1176 "Net.Transaction_Connected_New_b", 1177 total_duration, 1178 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1179 100); 1180 } 1181 1182 // Currently, non-HIGHEST priority requests are frame or sub-frame resource 1183 // types. This will change when we also prioritize certain subresources like 1184 // css, js, etc. 1185 if (priority_ != HIGHEST) { 1186 UMA_HISTOGRAM_CUSTOM_TIMES( 1187 "Net.Priority_High_Latency_b", 1188 total_duration, 1189 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1190 100); 1191 } else { 1192 UMA_HISTOGRAM_CUSTOM_TIMES( 1193 "Net.Priority_Low_Latency_b", 1194 total_duration, 1195 base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 1196 100); 1197 } 1198 } 1199 1200 void HttpNetworkTransaction::LogTransactionMetrics() const { 1201 base::TimeDelta duration = base::Time::Now() - 1202 response_.request_time; 1203 if (60 < duration.InMinutes()) 1204 return; 1205 1206 base::TimeDelta total_duration = base::Time::Now() - start_time_; 1207 1208 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_b", duration, 1209 base::TimeDelta::FromMilliseconds(1), 1210 base::TimeDelta::FromMinutes(10), 1211 100); 1212 UMA_HISTOGRAM_CUSTOM_TIMES("Net.Transaction_Latency_Total", 1213 total_duration, 1214 base::TimeDelta::FromMilliseconds(1), 1215 base::TimeDelta::FromMinutes(10), 100); 1216 1217 if (!stream_->IsConnectionReused()) { 1218 UMA_HISTOGRAM_CUSTOM_TIMES( 1219 "Net.Transaction_Latency_Total_New_Connection", 1220 total_duration, base::TimeDelta::FromMilliseconds(1), 1221 base::TimeDelta::FromMinutes(10), 100); 1222 } 1223 } 1224 1225 int HttpNetworkTransaction::HandleCertificateRequest(int error) { 1226 // There are two paths through which the server can request a certificate 1227 // from us. The first is during the initial handshake, the second is 1228 // during SSL renegotiation. 1229 // 1230 // In both cases, we want to close the connection before proceeding. 1231 // We do this for two reasons: 1232 // First, we don't want to keep the connection to the server hung for a 1233 // long time while the user selects a certificate. 1234 // Second, even if we did keep the connection open, NSS has a bug where 1235 // restarting the handshake for ClientAuth is currently broken. 1236 DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED); 1237 1238 if (stream_.get()) { 1239 // Since we already have a stream, we're being called as part of SSL 1240 // renegotiation. 1241 DCHECK(!stream_request_.get()); 1242 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 1243 stream_->Close(true); 1244 stream_.reset(); 1245 } 1246 1247 // The server is asking for a client certificate during the initial 1248 // handshake. 1249 stream_request_.reset(); 1250 1251 // If the user selected one of the certificates in client_certs or declined 1252 // to provide one for this server before, use the past decision 1253 // automatically. 1254 scoped_refptr<X509Certificate> client_cert; 1255 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( 1256 response_.cert_request_info->host_and_port, &client_cert); 1257 if (!found_cached_cert) 1258 return error; 1259 1260 // Check that the certificate selected is still a certificate the server 1261 // is likely to accept, based on the criteria supplied in the 1262 // CertificateRequest message. 1263 if (client_cert.get()) { 1264 const std::vector<std::string>& cert_authorities = 1265 response_.cert_request_info->cert_authorities; 1266 1267 bool cert_still_valid = cert_authorities.empty() || 1268 client_cert->IsIssuedByEncoded(cert_authorities); 1269 if (!cert_still_valid) 1270 return error; 1271 } 1272 1273 // TODO(davidben): Add a unit test which covers this path; we need to be 1274 // able to send a legitimate certificate and also bypass/clear the 1275 // SSL session cache. 1276 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? 1277 &proxy_ssl_config_ : &server_ssl_config_; 1278 ssl_config->send_client_cert = true; 1279 ssl_config->client_cert = client_cert; 1280 next_state_ = STATE_CREATE_STREAM; 1281 // Reset the other member variables. 1282 // Note: this is necessary only with SSL renegotiation. 1283 ResetStateForRestart(); 1284 return OK; 1285 } 1286 1287 void HttpNetworkTransaction::HandleClientAuthError(int error) { 1288 if (server_ssl_config_.send_client_cert && 1289 (error == ERR_SSL_PROTOCOL_ERROR || IsClientCertificateError(error))) { 1290 session_->ssl_client_auth_cache()->Remove( 1291 HostPortPair::FromURL(request_->url)); 1292 } 1293 } 1294 1295 // TODO(rch): This does not correctly handle errors when an SSL proxy is 1296 // being used, as all of the errors are handled as if they were generated 1297 // by the endpoint host, request_->url, rather than considering if they were 1298 // generated by the SSL proxy. http://crbug.com/69329 1299 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) { 1300 DCHECK(request_); 1301 HandleClientAuthError(error); 1302 1303 bool should_fallback = false; 1304 uint16 version_max = server_ssl_config_.version_max; 1305 1306 switch (error) { 1307 case ERR_CONNECTION_CLOSED: 1308 case ERR_SSL_PROTOCOL_ERROR: 1309 case ERR_SSL_VERSION_OR_CIPHER_MISMATCH: 1310 if (version_max >= SSL_PROTOCOL_VERSION_TLS1 && 1311 version_max > server_ssl_config_.version_min) { 1312 // This could be a TLS-intolerant server or a server that chose a 1313 // cipher suite defined only for higher protocol versions (such as 1314 // an SSL 3.0 server that chose a TLS-only cipher suite). Fall 1315 // back to the next lower version and retry. 1316 // NOTE: if the SSLClientSocket class doesn't support TLS 1.1, 1317 // specifying TLS 1.1 in version_max will result in a TLS 1.0 1318 // handshake, so falling back from TLS 1.1 to TLS 1.0 will simply 1319 // repeat the TLS 1.0 handshake. To avoid this problem, the default 1320 // version_max should match the maximum protocol version supported 1321 // by the SSLClientSocket class. 1322 version_max--; 1323 1324 // Fallback to the lower SSL version. 1325 // While SSL 3.0 fallback should be eliminated because of security 1326 // reasons, there is a high risk of breaking the servers if this is 1327 // done in general. 1328 should_fallback = true; 1329 } 1330 break; 1331 case ERR_CONNECTION_RESET: 1332 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && 1333 version_max > server_ssl_config_.version_min) { 1334 // Some network devices that inspect application-layer packets seem to 1335 // inject TCP reset packets to break the connections when they see TLS 1336 // 1.1 in ClientHello or ServerHello. See http://crbug.com/130293. 1337 // 1338 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or 1339 // 1.2. We don't lose much in this fallback because the explicit IV for 1340 // CBC mode in TLS 1.1 is approximated by record splitting in TLS 1341 // 1.0. The fallback will be more painful for TLS 1.2 when we have GCM 1342 // support. 1343 // 1344 // ERR_CONNECTION_RESET is a common network error, so we don't want it 1345 // to trigger a version fallback in general, especially the TLS 1.0 -> 1346 // SSL 3.0 fallback, which would drop TLS extensions. 1347 version_max--; 1348 should_fallback = true; 1349 } 1350 break; 1351 case ERR_SSL_BAD_RECORD_MAC_ALERT: 1352 if (version_max >= SSL_PROTOCOL_VERSION_TLS1_1 && 1353 version_max > server_ssl_config_.version_min) { 1354 // Some broken SSL devices negotiate TLS 1.0 when sent a TLS 1.1 or 1355 // 1.2 ClientHello, but then return a bad_record_mac alert. See 1356 // crbug.com/260358. In order to make the fallback as minimal as 1357 // possible, this fallback is only triggered for >= TLS 1.1. 1358 version_max--; 1359 should_fallback = true; 1360 } 1361 break; 1362 case ERR_SSL_INAPPROPRIATE_FALLBACK: 1363 // The server told us that we should not have fallen back. A buggy server 1364 // could trigger ERR_SSL_INAPPROPRIATE_FALLBACK with the initial 1365 // connection. |fallback_error_code_| is initialised to 1366 // ERR_SSL_INAPPROPRIATE_FALLBACK to catch this case. 1367 error = fallback_error_code_; 1368 break; 1369 } 1370 1371 if (should_fallback) { 1372 net_log_.AddEvent( 1373 NetLog::TYPE_SSL_VERSION_FALLBACK, 1374 base::Bind(&NetLogSSLVersionFallbackCallback, 1375 &request_->url, error, server_ssl_config_.version_max, 1376 version_max)); 1377 fallback_error_code_ = error; 1378 server_ssl_config_.version_max = version_max; 1379 server_ssl_config_.version_fallback = true; 1380 ResetConnectionAndRequestForResend(); 1381 error = OK; 1382 } 1383 1384 return error; 1385 } 1386 1387 // This method determines whether it is safe to resend the request after an 1388 // IO error. It can only be called in response to request header or body 1389 // write errors or response header read errors. It should not be used in 1390 // other cases, such as a Connect error. 1391 int HttpNetworkTransaction::HandleIOError(int error) { 1392 // Because the peer may request renegotiation with client authentication at 1393 // any time, check and handle client authentication errors. 1394 HandleClientAuthError(error); 1395 1396 switch (error) { 1397 // If we try to reuse a connection that the server is in the process of 1398 // closing, we may end up successfully writing out our request (or a 1399 // portion of our request) only to find a connection error when we try to 1400 // read from (or finish writing to) the socket. 1401 case ERR_CONNECTION_RESET: 1402 case ERR_CONNECTION_CLOSED: 1403 case ERR_CONNECTION_ABORTED: 1404 // There can be a race between the socket pool checking checking whether a 1405 // socket is still connected, receiving the FIN, and sending/reading data 1406 // on a reused socket. If we receive the FIN between the connectedness 1407 // check and writing/reading from the socket, we may first learn the socket 1408 // is disconnected when we get a ERR_SOCKET_NOT_CONNECTED. This will most 1409 // likely happen when trying to retrieve its IP address. 1410 // See http://crbug.com/105824 for more details. 1411 case ERR_SOCKET_NOT_CONNECTED: 1412 // If a socket is closed on its initial request, HttpStreamParser returns 1413 // ERR_EMPTY_RESPONSE. This may still be close/reuse race if the socket was 1414 // preconnected but failed to be used before the server timed it out. 1415 case ERR_EMPTY_RESPONSE: 1416 if (ShouldResendRequest()) { 1417 net_log_.AddEventWithNetErrorCode( 1418 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1419 ResetConnectionAndRequestForResend(); 1420 error = OK; 1421 } 1422 break; 1423 case ERR_SPDY_PING_FAILED: 1424 case ERR_SPDY_SERVER_REFUSED_STREAM: 1425 case ERR_QUIC_HANDSHAKE_FAILED: 1426 net_log_.AddEventWithNetErrorCode( 1427 NetLog::TYPE_HTTP_TRANSACTION_RESTART_AFTER_ERROR, error); 1428 ResetConnectionAndRequestForResend(); 1429 error = OK; 1430 break; 1431 } 1432 return error; 1433 } 1434 1435 void HttpNetworkTransaction::ResetStateForRestart() { 1436 ResetStateForAuthRestart(); 1437 if (stream_) 1438 total_received_bytes_ += stream_->GetTotalReceivedBytes(); 1439 stream_.reset(); 1440 } 1441 1442 void HttpNetworkTransaction::ResetStateForAuthRestart() { 1443 send_start_time_ = base::TimeTicks(); 1444 send_end_time_ = base::TimeTicks(); 1445 1446 pending_auth_target_ = HttpAuth::AUTH_NONE; 1447 read_buf_ = NULL; 1448 read_buf_len_ = 0; 1449 headers_valid_ = false; 1450 request_headers_.Clear(); 1451 response_ = HttpResponseInfo(); 1452 establishing_tunnel_ = false; 1453 } 1454 1455 HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const { 1456 return response_.headers.get(); 1457 } 1458 1459 bool HttpNetworkTransaction::ShouldResendRequest() const { 1460 bool connection_is_proven = stream_->IsConnectionReused(); 1461 bool has_received_headers = GetResponseHeaders() != NULL; 1462 1463 // NOTE: we resend a request only if we reused a keep-alive connection. 1464 // This automatically prevents an infinite resend loop because we'll run 1465 // out of the cached keep-alive connections eventually. 1466 if (connection_is_proven && !has_received_headers) 1467 return true; 1468 return false; 1469 } 1470 1471 void HttpNetworkTransaction::ResetConnectionAndRequestForResend() { 1472 if (stream_.get()) { 1473 stream_->Close(true); 1474 stream_.reset(); 1475 } 1476 1477 // We need to clear request_headers_ because it contains the real request 1478 // headers, but we may need to resend the CONNECT request first to recreate 1479 // the SSL tunnel. 1480 request_headers_.Clear(); 1481 next_state_ = STATE_CREATE_STREAM; // Resend the request. 1482 } 1483 1484 bool HttpNetworkTransaction::ShouldApplyProxyAuth() const { 1485 return !is_https_request() && 1486 (proxy_info_.is_https() || proxy_info_.is_http()); 1487 } 1488 1489 bool HttpNetworkTransaction::ShouldApplyServerAuth() const { 1490 return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA); 1491 } 1492 1493 int HttpNetworkTransaction::HandleAuthChallenge() { 1494 scoped_refptr<HttpResponseHeaders> headers(GetResponseHeaders()); 1495 DCHECK(headers.get()); 1496 1497 int status = headers->response_code(); 1498 if (status != HTTP_UNAUTHORIZED && 1499 status != HTTP_PROXY_AUTHENTICATION_REQUIRED) 1500 return OK; 1501 HttpAuth::Target target = status == HTTP_PROXY_AUTHENTICATION_REQUIRED ? 1502 HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER; 1503 if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct()) 1504 return ERR_UNEXPECTED_PROXY_AUTH; 1505 1506 // This case can trigger when an HTTPS server responds with a "Proxy 1507 // authentication required" status code through a non-authenticating 1508 // proxy. 1509 if (!auth_controllers_[target].get()) 1510 return ERR_UNEXPECTED_PROXY_AUTH; 1511 1512 int rv = auth_controllers_[target]->HandleAuthChallenge( 1513 headers, (request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA) != 0, false, 1514 net_log_); 1515 if (auth_controllers_[target]->HaveAuthHandler()) 1516 pending_auth_target_ = target; 1517 1518 scoped_refptr<AuthChallengeInfo> auth_info = 1519 auth_controllers_[target]->auth_info(); 1520 if (auth_info.get()) 1521 response_.auth_challenge = auth_info; 1522 1523 return rv; 1524 } 1525 1526 bool HttpNetworkTransaction::HaveAuth(HttpAuth::Target target) const { 1527 return auth_controllers_[target].get() && 1528 auth_controllers_[target]->HaveAuth(); 1529 } 1530 1531 GURL HttpNetworkTransaction::AuthURL(HttpAuth::Target target) const { 1532 switch (target) { 1533 case HttpAuth::AUTH_PROXY: { 1534 if (!proxy_info_.proxy_server().is_valid() || 1535 proxy_info_.proxy_server().is_direct()) { 1536 return GURL(); // There is no proxy server. 1537 } 1538 const char* scheme = proxy_info_.is_https() ? "https://" : "http://"; 1539 return GURL(scheme + 1540 proxy_info_.proxy_server().host_port_pair().ToString()); 1541 } 1542 case HttpAuth::AUTH_SERVER: 1543 if (ForWebSocketHandshake()) { 1544 const GURL& url = request_->url; 1545 url::Replacements<char> ws_to_http; 1546 if (url.SchemeIs("ws")) { 1547 ws_to_http.SetScheme("http", url::Component(0, 4)); 1548 } else { 1549 DCHECK(url.SchemeIs("wss")); 1550 ws_to_http.SetScheme("https", url::Component(0, 5)); 1551 } 1552 return url.ReplaceComponents(ws_to_http); 1553 } 1554 return request_->url; 1555 default: 1556 return GURL(); 1557 } 1558 } 1559 1560 bool HttpNetworkTransaction::ForWebSocketHandshake() const { 1561 return websocket_handshake_stream_base_create_helper_ && 1562 request_->url.SchemeIsWSOrWSS(); 1563 } 1564 1565 #define STATE_CASE(s) \ 1566 case s: \ 1567 description = base::StringPrintf("%s (0x%08X)", #s, s); \ 1568 break 1569 1570 std::string HttpNetworkTransaction::DescribeState(State state) { 1571 std::string description; 1572 switch (state) { 1573 STATE_CASE(STATE_NOTIFY_BEFORE_CREATE_STREAM); 1574 STATE_CASE(STATE_CREATE_STREAM); 1575 STATE_CASE(STATE_CREATE_STREAM_COMPLETE); 1576 STATE_CASE(STATE_INIT_REQUEST_BODY); 1577 STATE_CASE(STATE_INIT_REQUEST_BODY_COMPLETE); 1578 STATE_CASE(STATE_BUILD_REQUEST); 1579 STATE_CASE(STATE_BUILD_REQUEST_COMPLETE); 1580 STATE_CASE(STATE_SEND_REQUEST); 1581 STATE_CASE(STATE_SEND_REQUEST_COMPLETE); 1582 STATE_CASE(STATE_READ_HEADERS); 1583 STATE_CASE(STATE_READ_HEADERS_COMPLETE); 1584 STATE_CASE(STATE_READ_BODY); 1585 STATE_CASE(STATE_READ_BODY_COMPLETE); 1586 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART); 1587 STATE_CASE(STATE_DRAIN_BODY_FOR_AUTH_RESTART_COMPLETE); 1588 STATE_CASE(STATE_NONE); 1589 default: 1590 description = base::StringPrintf("Unknown state 0x%08X (%u)", state, 1591 state); 1592 break; 1593 } 1594 return description; 1595 } 1596 1597 #undef STATE_CASE 1598 1599 } // namespace net 1600