secure proxy support in websocket

net/socket_stream/socket_stream.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // TODO(ukai): code is similar with http_network_transaction.cc.  We should
 //   think about ways to share code, if possible.
 
 #include "net/socket_stream/socket_stream.h"
 
 #include <set>
@@ skipping 286 matching lines @@
   Delegate* delegate = delegate_;
   delegate_ = NULL;
   if (delegate) {
     delegate->OnError(this, result);
     if (result != ERR_PROTOCOL_SWITCHED)
       delegate->OnClose(this);
   }
   Release();
 }
 
+int SocketStream::DidEstablishSSL(int result) {
+  if (IsCertificateError(result)) {
+    if (socket_->IsConnectedAndIdle()) {
+      result = HandleCertificateError(result);
+    } else {
+      // SSLClientSocket for Mac will report socket is not connected,
+      // if it returns cert verification error.  It didn't perform
+      // SSLHandshake yet.
+      // So, we should restart establishing connection with the
+      // certificate in allowed bad certificates in |ssl_config_|.
+      // See also net/http/http_network_transaction.cc
+      //  HandleCertificateError() and RestartIgnoringLastError().
+      SSLClientSocket* ssl_socket =
+        reinterpret_cast<SSLClientSocket*>(socket_.get());
+      SSLInfo ssl_info;
+      ssl_socket->GetSSLInfo(&ssl_info);
+      if (ssl_info.cert == NULL ||
+          ssl_config_.IsAllowedBadCert(ssl_info.cert, NULL)) {
+        // If we already have the certificate in the set of allowed bad
+        // certificates, we did try it and failed again, so we should not
+        // retry again: the connection should fail at last.
+        next_state_ = STATE_CLOSE;
+        return result;
+      }
+      // Add the bad certificate to the set of allowed certificates in the
+      // SSL config object.
+      SSLConfig::CertAndStatus bad_cert;
+      if (!ssl_info.cert->GetDEREncoded(&bad_cert.der_cert)) {
+        next_state_ = STATE_CLOSE;
+        return result;
+      }
+      bad_cert.cert_status = ssl_info.cert_status;
+      ssl_config_.allowed_bad_certs.push_back(bad_cert);
+      // Restart connection ignoring the bad certificate.
+      socket_->Disconnect();
+      socket_.reset();
+      next_state_ = STATE_TCP_CONNECT;
+      return OK;
+    }
+  }
+  return result;
+}
+
 int SocketStream::DidEstablishConnection() {
   if (!socket_.get() || !socket_->IsConnected()) {
     next_state_ = STATE_CLOSE;
     return ERR_CONNECTION_FAILED;
   }
   next_state_ = STATE_READ_WRITE;
   metrics_->OnConnected();
 
   net_log_.EndEvent(NetLog::TYPE_SOCKET_STREAM_CONNECT, NULL);
   if (delegate_)
@@ skipping 116 matching lines @@
       case STATE_READ_TUNNEL_HEADERS_COMPLETE:
         result = DoReadTunnelHeadersComplete(result);
         break;
       case STATE_SOCKS_CONNECT:
         DCHECK_EQ(OK, result);
         result = DoSOCKSConnect();
         break;
       case STATE_SOCKS_CONNECT_COMPLETE:
         result = DoSOCKSConnectComplete(result);
         break;
+      case STATE_SECURE_PROXY_CONNECT:
+        DCHECK_EQ(OK, result);
+        result = DoSecureProxyConnect();
+        break;
+      case STATE_SECURE_PROXY_CONNECT_COMPLETE:
+        result = DoSecureProxyConnectComplete(result);
+        break;
       case STATE_SSL_CONNECT:
         DCHECK_EQ(OK, result);
         result = DoSSLConnect();
         break;
       case STATE_SSL_CONNECT_COMPLETE:
         result = DoSSLConnectComplete(result);
         break;
       case STATE_READ_WRITE:
         result = DoReadWrite(result);
         break;
       case STATE_AUTH_REQUIRED:
         // It might be called when DoClose is called while waiting in
         // STATE_AUTH_REQUIRED.
         Finish(result);
         return;
       case STATE_CLOSE:
         DCHECK_LE(result, OK);
         Finish(result);
         return;
       default:
         NOTREACHED() << "bad state " << state;
         Finish(result);
         return;
     }
     if (state == STATE_RESOLVE_PROTOCOL && result == ERR_PROTOCOL_SWITCHED)
       continue;
     // If the connection is not established yet and had actual errors,
     // close the connection.
     if (state != STATE_READ_WRITE && result < ERR_IO_PENDING) {
-      DCHECK_EQ(next_state_, STATE_CLOSE);
+      next_state_ = STATE_CLOSE;

[ukai, 2011/07/25 12:33:14]

hmm, we might not need this.
If Do* method returns error, then Do*Complete() method will check the error and
set next_state_ to STATE_CLOSE.

[Yuta Kitamura, 2011/07/25 12:39:47]

I think that's better.

       net_log_.EndEventWithNetErrorCode(
           NetLog::TYPE_SOCKET_STREAM_CONNECT, result);
     }
   } while (result != ERR_IO_PENDING);
 }
 
 int SocketStream::DoResolveProxy() {
   DCHECK(!pac_request_);
   next_state_ = STATE_RESOLVE_PROXY_COMPLETE;
 
@@ skipping 126 matching lines @@
   return socket_->Connect(&io_callback_);
 }
 
 int SocketStream::DoTcpConnectComplete(int result) {
   // TODO(ukai): if error occured, reconsider proxy after error.
   if (result != OK) {
     next_state_ = STATE_CLOSE;
     return result;
   }
 
-  if (proxy_mode_ == kTunnelProxy)
-    next_state_ = STATE_WRITE_TUNNEL_HEADERS;
-  else if (proxy_mode_ == kSOCKSProxy)
+  if (proxy_mode_ == kTunnelProxy) {
+    if (proxy_info_.is_https())
+      next_state_ = STATE_SECURE_PROXY_CONNECT;
+    else
+      next_state_ = STATE_WRITE_TUNNEL_HEADERS;
+  } else if (proxy_mode_ == kSOCKSProxy) {
     next_state_ = STATE_SOCKS_CONNECT;
-  else if (is_secure()) {
+  } else if (is_secure()) {
     next_state_ = STATE_SSL_CONNECT;
   } else {
     result = DidEstablishConnection();
   }
   return result;
 }
 
 int SocketStream::DoWriteTunnelHeaders() {
   DCHECK_EQ(kTunnelProxy, proxy_mode_);
 
@@ skipping 209 matching lines @@
     if (is_secure())
       next_state_ = STATE_SSL_CONNECT;
     else
       result = DidEstablishConnection();
   } else {
     next_state_ = STATE_CLOSE;
   }
   return result;
 }
 
+int SocketStream::DoSecureProxyConnect() {
+  DCHECK(factory_);
+  SSLClientSocketContext ssl_context;
+  ssl_context.cert_verifier = cert_verifier_;
+  ssl_context.origin_bound_cert_service = origin_bound_cert_service_;
+  // TODO(agl): look into plumbing SSLHostInfo here.
+  socket_.reset(factory_->CreateSSLClientSocket(
+      socket_.release(),
+      proxy_info_.proxy_server().host_port_pair(),
+      ssl_config_,
+      NULL /* ssl_host_info */,
+      ssl_context));
+  next_state_ = STATE_SECURE_PROXY_CONNECT_COMPLETE;
+  metrics_->OnCountConnectionType(SocketStreamMetrics::SECURE_PROXY_CONNECTION);
+  return socket_->Connect(&io_callback_);

[Yuta Kitamura, 2011/07/25 10:24:44]

Can't you set STATE_CLOSE to next_state_ if Connect() has failed?

[ukai, 2011/07/25 10:29:59]

It's possible, but other methods (Read, Write, ...) might return the error too.
So it would be better to handle in DoLoop, I think.

[Yuta Kitamura, 2011/07/25 10:44:48]

Um... if I read DoReadWrite() correctly, it always changes the state to
STATE_CLOSE if |result| indicates an error (i.e. neither OK nor ERR_IO_PENDING).

I'm still thinking it's better to change the state here.

[ukai, 2011/07/25 11:49:04]

not only DoReadWrite().
We had a potential bug when other Do* method other than Do*Complete() returns
error other than OK or ERR_IO_PENDING.

For example, DoResolveProxy() returns ResolveProxy() without checking. So if
ResolveProxy() returns an error synchronously, next_state_ is
STATE_RESOLVE_PROXY_COMPLETE and error is not ERR_IO_PENDING, so it fails
DCHECK_EQ in DoLoop().  We can say the same thing in other Do* method.

We can add error check in every Do* method, but I think it's ok to set
next_state_ to STATE_CLOSE in DoLoop if some error is returned.

+}
+
+int SocketStream::DoSecureProxyConnectComplete(int result) {
+  DCHECK_EQ(STATE_NONE, next_state_);
+  result = DidEstablishSSL(result);
+  if (next_state_ != STATE_NONE)
+    return result;
+  if (result == OK)
+    next_state_ = STATE_WRITE_TUNNEL_HEADERS;
+  else
+    next_state_ = STATE_CLOSE;
+  return result;
+}
+
 int SocketStream::DoSSLConnect() {
   DCHECK(factory_);
   SSLClientSocketContext ssl_context;
   ssl_context.cert_verifier = cert_verifier_;
   ssl_context.origin_bound_cert_service = origin_bound_cert_service_;
   // TODO(agl): look into plumbing SSLHostInfo here.
   socket_.reset(factory_->CreateSSLClientSocket(socket_.release(),
                                                 HostPortPair::FromURL(url_),
                                                 ssl_config_,
                                                 NULL /* ssl_host_info */,
                                                 ssl_context));
   next_state_ = STATE_SSL_CONNECT_COMPLETE;
   metrics_->OnCountConnectionType(SocketStreamMetrics::SSL_CONNECTION);
   return socket_->Connect(&io_callback_);
 }
 
 int SocketStream::DoSSLConnectComplete(int result) {
-  if (IsCertificateError(result)) {
-    if (socket_->IsConnectedAndIdle()) {
-      result = HandleCertificateError(result);
-    } else {
-      // SSLClientSocket for Mac will report socket is not connected,
-      // if it returns cert verification error.  It didn't perform
-      // SSLHandshake yet.
-      // So, we should restart establishing connection with the
-      // certificate in allowed bad certificates in |ssl_config_|.
-      // See also net/http/http_network_transaction.cc
-      //  HandleCertificateError() and RestartIgnoringLastError().
-      SSLClientSocket* ssl_socket =
-        reinterpret_cast<SSLClientSocket*>(socket_.get());
-      SSLInfo ssl_info;
-      ssl_socket->GetSSLInfo(&ssl_info);
-      if (ssl_info.cert == NULL ||
-          ssl_config_.IsAllowedBadCert(ssl_info.cert, NULL)) {
-        // If we already have the certificate in the set of allowed bad
-        // certificates, we did try it and failed again, so we should not
-        // retry again: the connection should fail at last.
-        next_state_ = STATE_CLOSE;
-        return result;
-      }
-      // Add the bad certificate to the set of allowed certificates in the
-      // SSL config object.
-      SSLConfig::CertAndStatus bad_cert;
-      if (!ssl_info.cert->GetDEREncoded(&bad_cert.der_cert)) {
-        next_state_ = STATE_CLOSE;
-        return result;
-      }
-      bad_cert.cert_status = ssl_info.cert_status;
-      ssl_config_.allowed_bad_certs.push_back(bad_cert);
-      // Restart connection ignoring the bad certificate.
-      socket_->Disconnect();
-      socket_.reset();
-      next_state_ = STATE_TCP_CONNECT;
-      return OK;
-    }
-  }
-
+  DCHECK_EQ(STATE_NONE, next_state_);
+  result = DidEstablishSSL(result);
+  if (next_state_ != STATE_NONE)
+    return result;
   // TODO(toyoshim): Upgrade to SPDY through TLS NPN extension if possible.
   // If we use HTTPS and this is the first connection to the SPDY server,
   // we should take care of TLS NPN extension here.
 
   if (result == OK)
     result = DidEstablishConnection();
   else
     next_state_ = STATE_CLOSE;
   return result;
 }
@@ skipping 167 matching lines @@
 
 SSLConfigService* SocketStream::ssl_config_service() const {
   return context_->ssl_config_service();
 }
 
 ProxyService* SocketStream::proxy_service() const {
   return context_->proxy_service();
 }
 
 }  // namespace net