Add support for speaking SSL to an HTTP Proxy, to HttpProxyClientSocketPool (and friends)

net/http/http_stream_request.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_stream_request.h"
 
 #include "base/stl_util-inl.h"
 #include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "net/base/connection_type_histograms.h"
@@ skipping 377 matching lines @@
   pac_request_ = NULL;
 
   if (result != OK)
     return result;
 
   // TODO(mbelshe): consider retrying ResolveProxy if we came here via use of
   // AlternateProtocol.
 
   // Remove unsupported proxies from the list.
   proxy_info()->RemoveProxiesWithoutScheme(
-      ProxyServer::SCHEME_DIRECT | ProxyServer::SCHEME_HTTP |
+      ProxyServer::SCHEME_DIRECT |
+      ProxyServer::SCHEME_HTTP | ProxyServer::SCHEME_HTTPS |
       ProxyServer::SCHEME_SOCKS4 | ProxyServer::SCHEME_SOCKS5);
 
   if (proxy_info()->is_empty()) {
     // No proxies/direct to choose from. This happens when we don't support any
     // of the proxies in the returned list.
     return ERR_NO_SUPPORTED_PROXIES;
   }
 
   next_state_ = STATE_INIT_CONNECTION;
   return OK;
@@ skipping 45 matching lines @@
     tcp_params = new TCPSocketParams(endpoint_, request_info().priority,
                                      request_info().referrer,
                                      disable_resolver_cache);
   } else {
     ProxyServer proxy_server = proxy_info()->proxy_server();
     proxy_host_port.reset(new HostPortPair(proxy_server.host_port_pair()));
     scoped_refptr<TCPSocketParams> proxy_tcp_params =
         new TCPSocketParams(*proxy_host_port, request_info().priority,
                             request_info().referrer, disable_resolver_cache);
 
-    if (proxy_info()->is_http()) {
+    if (proxy_info()->is_http() || proxy_info()->is_https()) {
       GURL authentication_url = request_info().url;
       if (using_ssl_ && !authentication_url.SchemeIs("https")) {
         // If a proxy tunnel connection needs to be established due to
         // an Alternate-Protocol, the URL needs to be changed to indicate
         // https or digest authentication attempts will fail.
         // For example, suppose the initial request was for
         // "http://www.example.com/index.html". If this is an SSL
         // upgrade due to alternate protocol, the digest authorization
         // should have a uri="www.example.com:443" field rather than a
         // "/index.html" entry, even though the original request URL has not
         // changed.
         authentication_url = UpgradeUrlToHttps(authentication_url);
       }
       establishing_tunnel_ = using_ssl_;
       std::string user_agent;
       request_info().extra_headers.GetHeader(HttpRequestHeaders::kUserAgent,
                                              &user_agent);
+      scoped_refptr<SSLSocketParams> ssl_params;
+      if (proxy_info()->is_https())
+        // Set ssl_params, and unset proxy_tcp_params
+        ssl_params = GenerateSslParams(proxy_tcp_params.release(), NULL, NULL,
+                                       ProxyServer::SCHEME_DIRECT,
+                                       want_spdy_over_npn);
+
       http_proxy_params = new HttpProxySocketParams(proxy_tcp_params,
+                                                    ssl_params,
                                                     authentication_url,
                                                     user_agent,
                                                     endpoint_,
                                                     session_, using_ssl_);
     } else {
       DCHECK(proxy_info()->is_socks());
       char socks_version;
       if (proxy_server.scheme() == ProxyServer::SCHEME_SOCKS5)
         socks_version = '5';
       else
         socks_version = '4';
       connection_group =
           StringPrintf("socks%c/%s", socks_version, connection_group.c_str());
 
       socks_params = new SOCKSSocketParams(proxy_tcp_params,
                                            socks_version == '5',
                                            endpoint_,
                                            request_info().priority,
                                            request_info().referrer);
     }
   }
 
   // Deal with SSL - which layers on top of any given proxy.
   if (using_ssl_) {
-    if (factory_->IsTLSIntolerantServer(request_info().url)) {
-      LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: "
-                   << GetHostAndPort(request_info().url);
-      ssl_config()->ssl3_fallback = true;
-      ssl_config()->tls1_enabled = false;
-    }
-
-    UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLv3Fallback",
-                              static_cast<int>(ssl_config()->ssl3_fallback), 2);
-
-    int load_flags = request_info().load_flags;
-    if (factory_->ignore_certificate_errors())
-      load_flags |= LOAD_IGNORE_ALL_CERT_ERRORS;
-    if (request_info().load_flags & LOAD_VERIFY_EV_CERT)
-      ssl_config()->verify_ev_cert = true;
-
-    if (proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTP ||
-        proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTPS) {
-      ssl_config()->mitm_proxies_allowed = true;
-    }
-
     scoped_refptr<SSLSocketParams> ssl_params =
-        new SSLSocketParams(tcp_params, http_proxy_params, socks_params,
-                            proxy_info()->proxy_server().scheme(),
-                            request_info().url.HostNoBrackets(), *ssl_config(),
-                            load_flags,
-                            force_spdy_always_ && force_spdy_over_ssl_,
-                            want_spdy_over_npn);
-
+        GenerateSslParams(tcp_params, http_proxy_params, socks_params,
+                          proxy_info()->proxy_server().scheme(),
+                          want_spdy_over_npn);
     scoped_refptr<SSLClientSocketPool> ssl_pool;
     if (proxy_info()->is_direct())
       ssl_pool = session_->ssl_socket_pool();
     else
       ssl_pool = session_->GetSocketPoolForSSLWithProxy(*proxy_host_port);
 
     return connection_->Init(connection_group, ssl_params,
                              request_info().priority, &io_callback_, ssl_pool,
                              net_log_);
   }
 
   // Finally, get the connection started.
-  if (proxy_info()->is_http()) {
+  if (proxy_info()->is_http() || proxy_info()->is_https()) {
     return connection_->Init(
         connection_group, http_proxy_params, request_info().priority,
         &io_callback_, session_->GetSocketPoolForHTTPProxy(*proxy_host_port),
         net_log_);
   }
 
   if (proxy_info()->is_socks()) {
     return connection_->Init(
         connection_group, socks_params, request_info().priority, &io_callback_,
         session_->GetSocketPoolForSOCKSProxy(*proxy_host_port), net_log_);
@@ skipping 177 matching lines @@
     // socket, but there will be forward progress.
     connection_->Reset();
     establishing_tunnel_ = false;
     next_state_ = STATE_INIT_CONNECTION;
     return OK;
   }
 
   return ReconsiderProxyAfterError(result);
 }
 
+// Returns a newly create SSLSocketParams, and sets several
+// fields of ssl_config_.
+scoped_refptr<SSLSocketParams> HttpStreamRequest::GenerateSslParams(
+    scoped_refptr<TCPSocketParams> tcp_params,
+    scoped_refptr<HttpProxySocketParams> http_proxy_params,
+    scoped_refptr<SOCKSSocketParams> socks_params,
+    ProxyServer::Scheme proxy_scheme,
+    bool want_spdy_over_npn) {
+
+  if (factory_->IsTLSIntolerantServer(request_info().url)) {
+    LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: "
+        << GetHostAndPort(request_info().url);
+    ssl_config()->ssl3_fallback = true;
+    ssl_config()->tls1_enabled = false;
+  }
+
+  UMA_HISTOGRAM_ENUMERATION("Net.ConnectionUsedSSLv3Fallback",
+                            static_cast<int>(ssl_config()->ssl3_fallback), 2);
+
+  int load_flags = request_info().load_flags;
+  if (factory_->ignore_certificate_errors())
+    load_flags |= LOAD_IGNORE_ALL_CERT_ERRORS;
+  if (request_info().load_flags & LOAD_VERIFY_EV_CERT)
+    ssl_config()->verify_ev_cert = true;
+
+    if (proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTP ||
+        proxy_info()->proxy_server().scheme() == ProxyServer::SCHEME_HTTPS) {
+      ssl_config()->mitm_proxies_allowed = true;
+    }
+
+  scoped_refptr<SSLSocketParams> ssl_params =
+      new SSLSocketParams(tcp_params, http_proxy_params, socks_params,
+                          proxy_scheme, request_info().url.HostNoBrackets(),
+                          *ssl_config(), load_flags,
+                          force_spdy_always_ && force_spdy_over_ssl_,
+                          want_spdy_over_npn);
+
+  return ssl_params;
+}
+
+
 void HttpStreamRequest::MarkBrokenAlternateProtocolAndFallback() {
   // We have to:
   // * Reset the endpoint to be the unmodified URL specified destination.
   // * Mark the endpoint as broken so we don't try again.
   // * Set the alternate protocol mode to kDoNotUseAlternateProtocol so we
   // ignore future Alternate-Protocol headers from the HostPortPair.
   // * Reset the connection and go back to STATE_INIT_CONNECTION.
 
   endpoint_ = HostPortPair(request_info().url.HostNoBrackets(),
                            request_info().url.EffectiveIntPort());
@@ skipping 152 matching lines @@
                                  base::TimeDelta::FromMinutes(6),
                                  100);
       break;
     default:
       NOTREACHED();
       break;
   }
 }
 
 }  // namespace net
-