[net/http auth] Make HttpAuthHandler challenge handling asynchronous.

net/http/http_proxy_client_socket.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_proxy_client_socket.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/strings/string_util.h"
@@ skipping 348 matching lines @@
         DCHECK_EQ(OK, rv);
         net_log_.BeginEvent(
             NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_READ_HEADERS);
         rv = DoReadHeaders();
         break;
       case STATE_READ_HEADERS_COMPLETE:
         rv = DoReadHeadersComplete(rv);
         net_log_.EndEventWithNetErrorCode(
             NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_READ_HEADERS, rv);
         break;
+      case STATE_HANDLE_PROXY_AUTH_CHALLENGE:
+        rv = DoHandleProxyAuthChallenge();
+        break;
+      case STATE_HANDLE_PROXY_AUTH_CHALLENGE_COMPLETE:
+        rv = DoHandleProxyAuthChallengeComplete(rv);
+        break;
       case STATE_DRAIN_BODY:
         DCHECK_EQ(OK, rv);
         rv = DoDrainBody();
         break;
       case STATE_DRAIN_BODY_COMPLETE:
         rv = DoDrainBodyComplete(rv);
         break;
       case STATE_TCP_RESTART:
         DCHECK_EQ(OK, rv);
         rv = DoTCPRestart();
@@ skipping 120 matching lines @@
       }
 
       redirect_has_load_timing_info_ = transport_->GetLoadTimingInfo(
           http_stream_parser_->IsConnectionReused(),
           &redirect_load_timing_info_);
       transport_.reset();
       http_stream_parser_.reset();
       return ERR_HTTPS_PROXY_TUNNEL_RESPONSE;
 
     case 407:  // Proxy Authentication Required
-      // We need this status code to allow proxy authentication.  Our
-      // authentication code is smart enough to avoid being tricked by an
-      // active network attacker.
-      // The next state is intentionally not set as it should be STATE_NONE;
-      if (!SanitizeProxyAuth(&response_)) {
-        LogBlockedTunnelResponse();
-        return ERR_TUNNEL_CONNECTION_FAILED;
-      }
-      return HandleProxyAuthChallenge(auth_.get(), &response_, net_log_);
+      next_state_ = STATE_HANDLE_PROXY_AUTH_CHALLENGE;
+      return OK;
 
     default:
       // Ignore response to avoid letting the proxy impersonate the target
       // server.  (See http://crbug.com/137891.)
       // We lose something by doing this.  We have seen proxy 403, 404, and
       // 501 response bodies that contain a useful error message.  For
       // example, Squid uses a 404 response to report the DNS error: "The
       // domain name does not exist."
       LogBlockedTunnelResponse();
       return ERR_TUNNEL_CONNECTION_FAILED;
   }
 }
 
+int HttpProxyClientSocket::DoHandleProxyAuthChallenge() {
+  if (!SanitizeProxyAuth(&response_)) {
+    LogBlockedTunnelResponse();
+    return ERR_TUNNEL_CONNECTION_FAILED;
+  }
+  next_state_ = STATE_HANDLE_PROXY_AUTH_CHALLENGE_COMPLETE;
+  return auth_->HandleAuthChallenge(response_, io_callback_, net_log_);
+}
+
+int HttpProxyClientSocket::DoHandleProxyAuthChallengeComplete(int result) {
+  if (result != OK)
+    return result;
+  if (auth_->HaveAuthHandler()) {
+    response_.auth_challenge = auth_->auth_info();
+    return ERR_PROXY_AUTH_REQUESTED;
+  }
+  return ERR_PROXY_AUTH_UNSUPPORTED;
+}
+
 int HttpProxyClientSocket::DoDrainBody() {
   DCHECK(drain_buf_.get());
   DCHECK(transport_->is_initialized());
   next_state_ = STATE_DRAIN_BODY_COMPLETE;
   return http_stream_parser_->ReadResponseBody(
       drain_buf_.get(), kDrainBodyBufferSize, io_callback_);
 }
 
 int HttpProxyClientSocket::DoDrainBodyComplete(int result) {
   if (result < 0)
@@ skipping 20 matching lines @@
           "462784 HttpProxyClientSocket::DoTCPRestartComplete"));
 
   if (result != OK)
     return result;
 
   next_state_ = STATE_GENERATE_AUTH_TOKEN;
   return result;
 }
 
 }  // namespace net