// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/http/http_proxy_client_socket.h" #include "base/bind.h" #include "base/bind_helpers.h" #include "base/strings/string_util.h" #include "base/strings/stringprintf.h" #include "net/base/auth.h" #include "net/base/host_port_pair.h" #include "net/base/io_buffer.h" #include "net/base/net_log.h" #include "net/base/net_util.h" #include "net/http/http_basic_stream.h" #include "net/http/http_network_session.h" #include "net/http/http_request_info.h" #include "net/http/http_response_headers.h" #include "net/http/http_stream_parser.h" #include "net/http/proxy_connect_redirect_http_stream.h" #include "net/socket/client_socket_handle.h" #include "url/gurl.h" namespace net { HttpProxyClientSocket::HttpProxyClientSocket( ClientSocketHandle* transport_socket, const GURL& request_url, const std::string& user_agent, const HostPortPair& endpoint, const HostPortPair& proxy_server, HttpAuthCache* http_auth_cache, HttpAuthHandlerFactory* http_auth_handler_factory, bool tunnel, bool using_spdy, NextProto protocol_negotiated, bool is_https_proxy) : io_callback_(base::Bind(&HttpProxyClientSocket::OnIOComplete, base::Unretained(this))), next_state_(STATE_NONE), transport_(transport_socket), endpoint_(endpoint), auth_(tunnel ? new HttpAuthController(HttpAuth::AUTH_PROXY, GURL((is_https_proxy ? "https://" : "http://") + proxy_server.ToString()), http_auth_cache, http_auth_handler_factory) : NULL), tunnel_(tunnel), using_spdy_(using_spdy), protocol_negotiated_(protocol_negotiated), is_https_proxy_(is_https_proxy), redirect_has_load_timing_info_(false), net_log_(transport_socket->socket()->NetLog()) { // Synthesize the bits of a request that we actually use. request_.url = request_url; request_.method = "GET"; if (!user_agent.empty()) request_.extra_headers.SetHeader(HttpRequestHeaders::kUserAgent, user_agent); } HttpProxyClientSocket::~HttpProxyClientSocket() { Disconnect(); } int HttpProxyClientSocket::RestartWithAuth(const CompletionCallback& callback) { DCHECK_EQ(STATE_NONE, next_state_); DCHECK(user_callback_.is_null()); int rv = PrepareForAuthRestart(); if (rv != OK) return rv; rv = DoLoop(OK); if (rv == ERR_IO_PENDING) { if (!callback.is_null()) user_callback_ = callback; } return rv; } const scoped_refptr& HttpProxyClientSocket::GetAuthController() const { return auth_; } bool HttpProxyClientSocket::IsUsingSpdy() const { return using_spdy_; } NextProto HttpProxyClientSocket::GetProtocolNegotiated() const { return protocol_negotiated_; } const HttpResponseInfo* HttpProxyClientSocket::GetConnectResponseInfo() const { return response_.headers.get() ? &response_ : NULL; } HttpStream* HttpProxyClientSocket::CreateConnectResponseStream() { return new ProxyConnectRedirectHttpStream( redirect_has_load_timing_info_ ? &redirect_load_timing_info_ : NULL); } int HttpProxyClientSocket::Connect(const CompletionCallback& callback) { DCHECK(transport_.get()); DCHECK(transport_->socket()); DCHECK(user_callback_.is_null()); // TODO(rch): figure out the right way to set up a tunnel with SPDY. // This approach sends the complete HTTPS request to the proxy // which allows the proxy to see "private" data. Instead, we should // create an SSL tunnel to the origin server using the CONNECT method // inside a single SPDY stream. if (using_spdy_ || !tunnel_) next_state_ = STATE_DONE; if (next_state_ == STATE_DONE) return OK; DCHECK_EQ(STATE_NONE, next_state_); next_state_ = STATE_GENERATE_AUTH_TOKEN; int rv = DoLoop(OK); if (rv == ERR_IO_PENDING) user_callback_ = callback; return rv; } void HttpProxyClientSocket::Disconnect() { if (transport_.get()) transport_->socket()->Disconnect(); // Reset other states to make sure they aren't mistakenly used later. // These are the states initialized by Connect(). next_state_ = STATE_NONE; user_callback_.Reset(); } bool HttpProxyClientSocket::IsConnected() const { return next_state_ == STATE_DONE && transport_->socket()->IsConnected(); } bool HttpProxyClientSocket::IsConnectedAndIdle() const { return next_state_ == STATE_DONE && transport_->socket()->IsConnectedAndIdle(); } const BoundNetLog& HttpProxyClientSocket::NetLog() const { return net_log_; } void HttpProxyClientSocket::SetSubresourceSpeculation() { if (transport_.get() && transport_->socket()) { transport_->socket()->SetSubresourceSpeculation(); } else { NOTREACHED(); } } void HttpProxyClientSocket::SetOmniboxSpeculation() { if (transport_.get() && transport_->socket()) { transport_->socket()->SetOmniboxSpeculation(); } else { NOTREACHED(); } } bool HttpProxyClientSocket::WasEverUsed() const { if (transport_.get() && transport_->socket()) { return transport_->socket()->WasEverUsed(); } NOTREACHED(); return false; } bool HttpProxyClientSocket::UsingTCPFastOpen() const { if (transport_.get() && transport_->socket()) { return transport_->socket()->UsingTCPFastOpen(); } NOTREACHED(); return false; } bool HttpProxyClientSocket::WasNpnNegotiated() const { if (transport_.get() && transport_->socket()) { return transport_->socket()->WasNpnNegotiated(); } NOTREACHED(); return false; } NextProto HttpProxyClientSocket::GetNegotiatedProtocol() const { if (transport_.get() && transport_->socket()) { return transport_->socket()->GetNegotiatedProtocol(); } NOTREACHED(); return kProtoUnknown; } bool HttpProxyClientSocket::GetSSLInfo(SSLInfo* ssl_info) { if (transport_.get() && transport_->socket()) { return transport_->socket()->GetSSLInfo(ssl_info); } NOTREACHED(); return false; } int HttpProxyClientSocket::Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback) { DCHECK(user_callback_.is_null()); if (next_state_ != STATE_DONE) { // We're trying to read the body of the response but we're still trying // to establish an SSL tunnel through the proxy. We can't read these // bytes when establishing a tunnel because they might be controlled by // an active network attacker. We don't worry about this for HTTP // because an active network attacker can already control HTTP sessions. // We reach this case when the user cancels a 407 proxy auth prompt. // See http://crbug.com/8473. DCHECK_EQ(407, response_.headers->response_code()); LogBlockedTunnelResponse(); return ERR_TUNNEL_CONNECTION_FAILED; } return transport_->socket()->Read(buf, buf_len, callback); } int HttpProxyClientSocket::Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback) { DCHECK_EQ(STATE_DONE, next_state_); DCHECK(user_callback_.is_null()); return transport_->socket()->Write(buf, buf_len, callback); } bool HttpProxyClientSocket::SetReceiveBufferSize(int32 size) { return transport_->socket()->SetReceiveBufferSize(size); } bool HttpProxyClientSocket::SetSendBufferSize(int32 size) { return transport_->socket()->SetSendBufferSize(size); } int HttpProxyClientSocket::GetPeerAddress(IPEndPoint* address) const { return transport_->socket()->GetPeerAddress(address); } int HttpProxyClientSocket::GetLocalAddress(IPEndPoint* address) const { return transport_->socket()->GetLocalAddress(address); } int HttpProxyClientSocket::PrepareForAuthRestart() { if (!response_.headers.get()) return ERR_CONNECTION_RESET; bool keep_alive = false; if (response_.headers->IsKeepAlive() && http_stream_parser_->CanFindEndOfResponse()) { if (!http_stream_parser_->IsResponseBodyComplete()) { next_state_ = STATE_DRAIN_BODY; drain_buf_ = new IOBuffer(kDrainBodyBufferSize); return OK; } keep_alive = true; } // We don't need to drain the response body, so we act as if we had drained // the response body. return DidDrainBodyForAuthRestart(keep_alive); } int HttpProxyClientSocket::DidDrainBodyForAuthRestart(bool keep_alive) { if (keep_alive && transport_->socket()->IsConnectedAndIdle()) { next_state_ = STATE_GENERATE_AUTH_TOKEN; transport_->set_is_reused(true); } else { // This assumes that the underlying transport socket is a TCP socket, // since only TCP sockets are restartable. next_state_ = STATE_TCP_RESTART; transport_->socket()->Disconnect(); } // Reset the other member variables. drain_buf_ = NULL; parser_buf_ = NULL; http_stream_parser_.reset(); request_line_.clear(); request_headers_.Clear(); response_ = HttpResponseInfo(); return OK; } void HttpProxyClientSocket::LogBlockedTunnelResponse() const { ProxyClientSocket::LogBlockedTunnelResponse( response_.headers->response_code(), request_.url, is_https_proxy_); } void HttpProxyClientSocket::DoCallback(int result) { DCHECK_NE(ERR_IO_PENDING, result); DCHECK(!user_callback_.is_null()); // Since Run() may result in Read being called, // clear user_callback_ up front. CompletionCallback c = user_callback_; user_callback_.Reset(); c.Run(result); } void HttpProxyClientSocket::OnIOComplete(int result) { DCHECK_NE(STATE_NONE, next_state_); DCHECK_NE(STATE_DONE, next_state_); int rv = DoLoop(result); if (rv != ERR_IO_PENDING) DoCallback(rv); } int HttpProxyClientSocket::DoLoop(int last_io_result) { DCHECK_NE(next_state_, STATE_NONE); DCHECK_NE(next_state_, STATE_DONE); int rv = last_io_result; do { State state = next_state_; next_state_ = STATE_NONE; switch (state) { case STATE_GENERATE_AUTH_TOKEN: DCHECK_EQ(OK, rv); rv = DoGenerateAuthToken(); break; case STATE_GENERATE_AUTH_TOKEN_COMPLETE: rv = DoGenerateAuthTokenComplete(rv); break; case STATE_SEND_REQUEST: DCHECK_EQ(OK, rv); net_log_.BeginEvent( NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_SEND_REQUEST); rv = DoSendRequest(); break; case STATE_SEND_REQUEST_COMPLETE: rv = DoSendRequestComplete(rv); net_log_.EndEventWithNetErrorCode( NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_SEND_REQUEST, rv); break; case STATE_READ_HEADERS: DCHECK_EQ(OK, rv); net_log_.BeginEvent( NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_READ_HEADERS); rv = DoReadHeaders(); break; case STATE_READ_HEADERS_COMPLETE: rv = DoReadHeadersComplete(rv); net_log_.EndEventWithNetErrorCode( NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_READ_HEADERS, rv); break; case STATE_DRAIN_BODY: DCHECK_EQ(OK, rv); rv = DoDrainBody(); break; case STATE_DRAIN_BODY_COMPLETE: rv = DoDrainBodyComplete(rv); break; case STATE_TCP_RESTART: DCHECK_EQ(OK, rv); rv = DoTCPRestart(); break; case STATE_TCP_RESTART_COMPLETE: rv = DoTCPRestartComplete(rv); break; case STATE_DONE: break; default: NOTREACHED() << "bad state"; rv = ERR_UNEXPECTED; break; } } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE && next_state_ != STATE_DONE); return rv; } int HttpProxyClientSocket::DoGenerateAuthToken() { next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE; return auth_->MaybeGenerateAuthToken(&request_, io_callback_, net_log_); } int HttpProxyClientSocket::DoGenerateAuthTokenComplete(int result) { DCHECK_NE(ERR_IO_PENDING, result); if (result == OK) next_state_ = STATE_SEND_REQUEST; return result; } int HttpProxyClientSocket::DoSendRequest() { next_state_ = STATE_SEND_REQUEST_COMPLETE; // This is constructed lazily (instead of within our Start method), so that // we have proxy info available. if (request_line_.empty()) { DCHECK(request_headers_.IsEmpty()); HttpRequestHeaders authorization_headers; if (auth_->HaveAuth()) auth_->AddAuthorizationHeader(&authorization_headers); BuildTunnelRequest(request_, authorization_headers, endpoint_, &request_line_, &request_headers_); net_log_.AddEvent( NetLog::TYPE_HTTP_TRANSACTION_SEND_TUNNEL_HEADERS, base::Bind(&HttpRequestHeaders::NetLogCallback, base::Unretained(&request_headers_), &request_line_)); } parser_buf_ = new GrowableIOBuffer(); http_stream_parser_.reset(new HttpStreamParser( transport_.get(), &request_, parser_buf_.get(), net_log_)); return http_stream_parser_->SendRequest( request_line_, request_headers_, &response_, io_callback_); } int HttpProxyClientSocket::DoSendRequestComplete(int result) { if (result < 0) return result; next_state_ = STATE_READ_HEADERS; return OK; } int HttpProxyClientSocket::DoReadHeaders() { next_state_ = STATE_READ_HEADERS_COMPLETE; return http_stream_parser_->ReadResponseHeaders(io_callback_); } int HttpProxyClientSocket::DoReadHeadersComplete(int result) { if (result < 0) return result; // Require the "HTTP/1.x" status line for SSL CONNECT. if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) return ERR_TUNNEL_CONNECTION_FAILED; net_log_.AddEvent( NetLog::TYPE_HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS, base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers)); switch (response_.headers->response_code()) { case 200: // OK if (http_stream_parser_->IsMoreDataBuffered()) // The proxy sent extraneous data after the headers. return ERR_TUNNEL_CONNECTION_FAILED; next_state_ = STATE_DONE; return OK; // We aren't able to CONNECT to the remote host through the proxy. We // need to be very suspicious about the response because an active network // attacker can force us into this state by masquerading as the proxy. // The only safe thing to do here is to fail the connection because our // client is expecting an SSL protected response. // See http://crbug.com/7338. case 302: // Found / Moved Temporarily // Attempt to follow redirects from HTTPS proxies, but only if we can // sanitize the response. This still allows a rogue HTTPS proxy to // redirect an HTTPS site load to a similar-looking site, but no longer // allows it to impersonate the site the user requested. if (is_https_proxy_ && SanitizeProxyRedirect(&response_, request_.url)) { bool is_connection_reused = http_stream_parser_->IsConnectionReused(); redirect_has_load_timing_info_ = transport_->GetLoadTimingInfo( is_connection_reused, &redirect_load_timing_info_); transport_.reset(); http_stream_parser_.reset(); return ERR_HTTPS_PROXY_TUNNEL_RESPONSE; } // We're not using an HTTPS proxy, or we couldn't sanitize the redirect. LogBlockedTunnelResponse(); return ERR_TUNNEL_CONNECTION_FAILED; case 407: // Proxy Authentication Required // We need this status code to allow proxy authentication. Our // authentication code is smart enough to avoid being tricked by an // active network attacker. // The next state is intentionally not set as it should be STATE_NONE; return HandleProxyAuthChallenge(auth_.get(), &response_, net_log_); default: // Ignore response to avoid letting the proxy impersonate the target // server. (See http://crbug.com/137891.) // We lose something by doing this. We have seen proxy 403, 404, and // 501 response bodies that contain a useful error message. For // example, Squid uses a 404 response to report the DNS error: "The // domain name does not exist." LogBlockedTunnelResponse(); return ERR_TUNNEL_CONNECTION_FAILED; } } int HttpProxyClientSocket::DoDrainBody() { DCHECK(drain_buf_.get()); DCHECK(transport_->is_initialized()); next_state_ = STATE_DRAIN_BODY_COMPLETE; return http_stream_parser_->ReadResponseBody( drain_buf_.get(), kDrainBodyBufferSize, io_callback_); } int HttpProxyClientSocket::DoDrainBodyComplete(int result) { if (result < 0) return result; if (http_stream_parser_->IsResponseBodyComplete()) return DidDrainBodyForAuthRestart(true); // Keep draining. next_state_ = STATE_DRAIN_BODY; return OK; } int HttpProxyClientSocket::DoTCPRestart() { next_state_ = STATE_TCP_RESTART_COMPLETE; return transport_->socket()->Connect( base::Bind(&HttpProxyClientSocket::OnIOComplete, base::Unretained(this))); } int HttpProxyClientSocket::DoTCPRestartComplete(int result) { if (result != OK) return result; next_state_ = STATE_GENERATE_AUTH_TOKEN; return result; } } // namespace net