 Chromium Code Reviews Issue 4339001:
  Correctly handle SSL Client Authentication requests when connecting...  (Closed) 
  Base URL: svn://svn.chromium.org/chrome/trunk/src/
    
  
    Issue 4339001:
  Correctly handle SSL Client Authentication requests when connecting...  (Closed) 
  Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW | 
|---|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be | 
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. | 
| 4 | 4 | 
| 5 #include "net/socket/ssl_client_socket_pool.h" | 5 #include "net/socket/ssl_client_socket_pool.h" | 
| 6 | 6 | 
| 7 #include "base/metrics/histogram.h" | 7 #include "base/metrics/histogram.h" | 
| 8 #include "base/values.h" | 8 #include "base/values.h" | 
| 9 #include "net/base/net_errors.h" | 9 #include "net/base/net_errors.h" | 
| 10 #include "net/base/ssl_cert_request_info.h" | 10 #include "net/base/ssl_cert_request_info.h" | 
| 11 #include "net/http/http_proxy_client_socket.h" | 11 #include "net/http/http_proxy_client_socket.h" | 
| 12 #include "net/http/http_proxy_client_socket_pool.h" | 12 #include "net/http/http_proxy_client_socket_pool.h" | 
| 13 #include "net/socket/client_socket_factory.h" | 13 #include "net/socket/client_socket_factory.h" | 
| 14 #include "net/socket/client_socket_handle.h" | 14 #include "net/socket/client_socket_handle.h" | 
| 15 #include "net/socket/socks_client_socket_pool.h" | 15 #include "net/socket/socks_client_socket_pool.h" | 
| 16 #include "net/socket/ssl_client_socket.h" | 16 #include "net/socket/ssl_client_socket.h" | 
| 17 #include "net/socket/ssl_host_info.h" | 17 #include "net/socket/ssl_host_info.h" | 
| 18 #include "net/socket/tcp_client_socket_pool.h" | 18 #include "net/socket/tcp_client_socket_pool.h" | 
| 19 | 19 | 
| 20 namespace net { | 20 namespace net { | 
| 21 | 21 | 
| 22 SSLSocketParams::SSLSocketParams( | 22 SSLSocketParams::SSLSocketParams( | 
| 23 const scoped_refptr<TCPSocketParams>& tcp_params, | 23 const scoped_refptr<TCPSocketParams>& tcp_params, | 
| 24 const scoped_refptr<SOCKSSocketParams>& socks_params, | 24 const scoped_refptr<SOCKSSocketParams>& socks_params, | 
| 25 const scoped_refptr<HttpProxySocketParams>& http_proxy_params, | 25 const scoped_refptr<HttpProxySocketParams>& http_proxy_params, | 
| 26 ProxyServer::Scheme proxy, | 26 ProxyServer::Scheme proxy, | 
| 27 const std::string& hostname, | 27 const std::string& hostname, | 
| 28 uint16 port, | |
| 28 const SSLConfig& ssl_config, | 29 const SSLConfig& ssl_config, | 
| 29 int load_flags, | 30 int load_flags, | 
| 30 bool force_spdy_over_ssl, | 31 bool force_spdy_over_ssl, | 
| 31 bool want_spdy_over_npn) | 32 bool want_spdy_over_npn) | 
| 32 : tcp_params_(tcp_params), | 33 : tcp_params_(tcp_params), | 
| 33 http_proxy_params_(http_proxy_params), | 34 http_proxy_params_(http_proxy_params), | 
| 34 socks_params_(socks_params), | 35 socks_params_(socks_params), | 
| 35 proxy_(proxy), | 36 proxy_(proxy), | 
| 36 hostname_(hostname), | 37 hostname_(hostname), | 
| 38 port_(port), | |
| 37 ssl_config_(ssl_config), | 39 ssl_config_(ssl_config), | 
| 38 load_flags_(load_flags), | 40 load_flags_(load_flags), | 
| 39 force_spdy_over_ssl_(force_spdy_over_ssl), | 41 force_spdy_over_ssl_(force_spdy_over_ssl), | 
| 40 want_spdy_over_npn_(want_spdy_over_npn) { | 42 want_spdy_over_npn_(want_spdy_over_npn) { | 
| 41 switch (proxy_) { | 43 switch (proxy_) { | 
| 42 case ProxyServer::SCHEME_DIRECT: | 44 case ProxyServer::SCHEME_DIRECT: | 
| 43 DCHECK(tcp_params_.get() != NULL); | 45 DCHECK(tcp_params_.get() != NULL); | 
| 44 DCHECK(http_proxy_params_.get() == NULL); | 46 DCHECK(http_proxy_params_.get() == NULL); | 
| 45 DCHECK(socks_params_.get() == NULL); | 47 DCHECK(socks_params_.get() == NULL); | 
| 46 break; | 48 break; | 
| 241 transport_socket_handle_.reset(new ClientSocketHandle()); | 243 transport_socket_handle_.reset(new ClientSocketHandle()); | 
| 242 scoped_refptr<HttpProxySocketParams> http_proxy_params = | 244 scoped_refptr<HttpProxySocketParams> http_proxy_params = | 
| 243 params_->http_proxy_params(); | 245 params_->http_proxy_params(); | 
| 244 return transport_socket_handle_->Init( | 246 return transport_socket_handle_->Init( | 
| 245 group_name(), http_proxy_params, | 247 group_name(), http_proxy_params, | 
| 246 http_proxy_params->destination().priority(), &callback_, | 248 http_proxy_params->destination().priority(), &callback_, | 
| 247 http_proxy_pool_, net_log()); | 249 http_proxy_pool_, net_log()); | 
| 248 } | 250 } | 
| 249 | 251 | 
| 250 int SSLConnectJob::DoTunnelConnectComplete(int result) { | 252 int SSLConnectJob::DoTunnelConnectComplete(int result) { | 
| 251 ClientSocket* socket = transport_socket_handle_->socket(); | 253 // Extract the information needed to prompt for the proxy client auth. | 
| 252 HttpProxyClientSocket* tunnel_socket = | 254 // so that when ClientSocketPoolBaseHelper calls |GetAdditionalErrorState|, | 
| 253 static_cast<HttpProxyClientSocket*>(socket); | 255 // we can easily set the state. | 
| 254 | 256 if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) | 
| 
wtc
2010/11/11 01:11:35
Add curly braces.  This is required by the Style G
 
Ryan Hamilton
2010/11/11 18:57:00
Done.
 | |
| 257 error_response_info_ = transport_socket_handle_->ssl_error_response_info(); | |
| 255 // Extract the information needed to prompt for the proxy authentication. | 258 // Extract the information needed to prompt for the proxy authentication. | 
| 256 // so that when ClientSocketPoolBaseHelper calls |GetAdditionalErrorState|, | 259 // so that when ClientSocketPoolBaseHelper calls |GetAdditionalErrorState|, | 
| 257 // we can easily set the state. | 260 // we can easily set the state. | 
| 258 if (result == ERR_PROXY_AUTH_REQUESTED) | 261 else if (result == ERR_PROXY_AUTH_REQUESTED) { | 
| 262 ClientSocket* socket = transport_socket_handle_->socket(); | |
| 263 HttpProxyClientSocket* tunnel_socket = | |
| 264 static_cast<HttpProxyClientSocket*>(socket); | |
| 259 error_response_info_ = *tunnel_socket->GetResponseInfo(); | 265 error_response_info_ = *tunnel_socket->GetResponseInfo(); | 
| 260 | 266 } | 
| 261 if (result < 0) | 267 if (result < 0) | 
| 262 return result; | 268 return result; | 
| 263 | 269 | 
| 264 next_state_ = STATE_SSL_CONNECT; | 270 next_state_ = STATE_SSL_CONNECT; | 
| 265 return result; | 271 return result; | 
| 266 } | 272 } | 
| 267 | 273 | 
| 268 void SSLConnectJob::GetAdditionalErrorState(ClientSocketHandle * handle) { | 274 void SSLConnectJob::GetAdditionalErrorState(ClientSocketHandle * handle) { | 
| 269 // Headers in |error_response_info_| indicate a proxy tunnel setup | 275 // Headers in |error_response_info_| indicate a proxy tunnel setup | 
| 270 // problem. See DoTunnelConnectComplete. | 276 // problem. See DoTunnelConnectComplete. | 
| 271 if (error_response_info_.headers) { | 277 if (error_response_info_.headers) { | 
| 272 handle->set_pending_http_proxy_connection( | 278 handle->set_pending_http_proxy_connection( | 
| 273 transport_socket_handle_.release()); | 279 transport_socket_handle_.release()); | 
| 274 } | 280 } | 
| 275 handle->set_ssl_error_response_info(error_response_info_); | 281 handle->set_ssl_error_response_info(error_response_info_); | 
| 276 if (!ssl_connect_start_time_.is_null()) | 282 if (!ssl_connect_start_time_.is_null()) | 
| 277 handle->set_is_ssl_error(true); | 283 handle->set_is_ssl_error(true); | 
| 278 } | 284 } | 
| 279 | 285 | 
| 280 int SSLConnectJob::DoSSLConnect() { | 286 int SSLConnectJob::DoSSLConnect() { | 
| 281 next_state_ = STATE_SSL_CONNECT_COMPLETE; | 287 next_state_ = STATE_SSL_CONNECT_COMPLETE; | 
| 282 // Reset the timeout to just the time allowed for the SSL handshake. | 288 // Reset the timeout to just the time allowed for the SSL handshake. | 
| 283 ResetTimer(base::TimeDelta::FromSeconds(kSSLHandshakeTimeoutInSeconds)); | 289 ResetTimer(base::TimeDelta::FromSeconds(kSSLHandshakeTimeoutInSeconds)); | 
| 284 ssl_connect_start_time_ = base::TimeTicks::Now(); | 290 ssl_connect_start_time_ = base::TimeTicks::Now(); | 
| 285 | 291 | 
| 286 ssl_socket_.reset(client_socket_factory_->CreateSSLClientSocket( | 292 ssl_socket_.reset(client_socket_factory_->CreateSSLClientSocket( | 
| 287 transport_socket_handle_.release(), params_->hostname(), | 293 transport_socket_handle_.release(), params_->hostname(), | 
| 294 params_->port(), | |
| 
wtc
2010/11/11 01:11:35
Nit: merge these two lines.
 
Ryan Hamilton
2010/11/11 18:57:00
Done.
 | |
| 288 params_->ssl_config(), ssl_host_info_.release(), | 295 params_->ssl_config(), ssl_host_info_.release(), | 
| 289 dnsrr_resolver_)); | 296 dnsrr_resolver_)); | 
| 290 return ssl_socket_->Connect(&callback_); | 297 return ssl_socket_->Connect(&callback_); | 
| 291 } | 298 } | 
| 292 | 299 | 
| 293 int SSLConnectJob::DoSSLConnectComplete(int result) { | 300 int SSLConnectJob::DoSSLConnectComplete(int result) { | 
| 294 SSLClientSocket::NextProtoStatus status = | 301 SSLClientSocket::NextProtoStatus status = | 
| 295 SSLClientSocket::kNextProtoUnsupported; | 302 SSLClientSocket::kNextProtoUnsupported; | 
| 296 std::string proto; | 303 std::string proto; | 
| 297 // GetNextProto will fail and and trigger a NOTREACHED if we pass in a socket | 304 // GetNextProto will fail and and trigger a NOTREACHED if we pass in a socket | 
| 313 ssl_socket_->set_was_spdy_negotiated(true); | 320 ssl_socket_->set_was_spdy_negotiated(true); | 
| 314 } | 321 } | 
| 315 } | 322 } | 
| 316 if (params_->want_spdy_over_npn() && !ssl_socket_->was_spdy_negotiated()) | 323 if (params_->want_spdy_over_npn() && !ssl_socket_->was_spdy_negotiated()) | 
| 317 return ERR_NPN_NEGOTIATION_FAILED; | 324 return ERR_NPN_NEGOTIATION_FAILED; | 
| 318 | 325 | 
| 319 // Spdy might be turned on by default, or it might be over npn. | 326 // Spdy might be turned on by default, or it might be over npn. | 
| 320 bool using_spdy = params_->force_spdy_over_ssl() || | 327 bool using_spdy = params_->force_spdy_over_ssl() || | 
| 321 params_->want_spdy_over_npn(); | 328 params_->want_spdy_over_npn(); | 
| 322 | 329 | 
| 330 if (ProxyServer::SCHEME_HTTPS) | |
| 331 LOG(INFO) << "Connected to host through proxy, over spdy: " << (using_spdy ? "yes" : "no"); | |
| 
wtc
2010/11/11 01:11:35
Is this line longer than 80 characters?
Replace L
 
Ryan Hamilton
2010/11/11 18:57:00
Sorry, removed the line.
 | |
| 332 | |
| 323 if (result == OK || | 333 if (result == OK || | 
| 324 ssl_socket_->IgnoreCertError(result, params_->load_flags())) { | 334 ssl_socket_->IgnoreCertError(result, params_->load_flags())) { | 
| 325 DCHECK(ssl_connect_start_time_ != base::TimeTicks()); | 335 DCHECK(ssl_connect_start_time_ != base::TimeTicks()); | 
| 326 base::TimeDelta connect_duration = | 336 base::TimeDelta connect_duration = | 
| 327 base::TimeTicks::Now() - ssl_connect_start_time_; | 337 base::TimeTicks::Now() - ssl_connect_start_time_; | 
| 328 if (using_spdy) { | 338 if (using_spdy) { | 
| 329 UMA_HISTOGRAM_CUSTOM_TIMES("Net.SpdyConnectionLatency", | 339 UMA_HISTOGRAM_CUSTOM_TIMES("Net.SpdyConnectionLatency", | 
| 330 connect_duration, | 340 connect_duration, | 
| 331 base::TimeDelta::FromMilliseconds(1), | 341 base::TimeDelta::FromMilliseconds(1), | 
| 332 base::TimeDelta::FromMinutes(10), | 342 base::TimeDelta::FromMinutes(10), | 
| 507 list->Append(http_proxy_pool_->GetInfoAsValue("http_proxy_pool", | 517 list->Append(http_proxy_pool_->GetInfoAsValue("http_proxy_pool", | 
| 508 "http_proxy_pool", | 518 "http_proxy_pool", | 
| 509 true)); | 519 true)); | 
| 510 } | 520 } | 
| 511 dict->Set("nested_pools", list); | 521 dict->Set("nested_pools", list); | 
| 512 } | 522 } | 
| 513 return dict; | 523 return dict; | 
| 514 } | 524 } | 
| 515 | 525 | 
| 516 } // namespace net | 526 } // namespace net | 
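Review bot: The comment at the top of GetAdditionalErrorState ("Headers in |error_response_info_| indicate a proxy tunnel setup problem") is now incomplete, because DoTunnelConnectComplete also fills error_response_info_ from transport_socket_handle_->ssl_error_response_info() on ERR_SSL_CLIENT_AUTH_CERT_NEEDED, and that path presumably carries the proxy's certificate request rather than headers, so the pending-connection hand-off is not taken for it and, since ssl_connect_start_time_ is still null at the tunnel stage, set_is_ssl_error stays false; if that is intended, say so, e.g. `// |error_response_info_| may also hold the cert request from an HTTPS proxy's client-auth challenge (see DoTunnelConnectComplete); only the headers case hands the tunnel connection back to the caller.` In DoTunnelConnectComplete the two near-identical comment blocks should be merged into one above the first `if`, since the second one now sits between the `if` body and its `else if` and reads as if it were detached code. The ERR_SSL_CLIENT_AUTH_CERT_NEEDED branch also relies on transport_socket_handle_ having been initialized by DoTunnelConnect, which is outside this hunk; a DCHECK on the handle there would make that assumption explicit.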