Eliminate the establishing_tunnel_ internal state and move to explicit...

net/http/http_network_transaction.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include "base/compiler_specific.h"
 #include "base/field_trial.h"
 #include "base/format_macros.h"
 #include "base/histogram.h"
@@ skipping 274 matching lines @@
           io_callback_(this, &HttpNetworkTransaction::OnIOComplete)),
       user_callback_(NULL),
       session_(session),
       request_(NULL),
       pac_request_(NULL),
       connection_(new ClientSocketHandle),
       reused_socket_(false),
       headers_valid_(false),
       logged_response_time(false),
       using_ssl_(false),
-      establishing_tunnel_(false),
       using_spdy_(false),
       alternate_protocol_mode_(
           g_use_alternate_protocols ? kUnspecified :
           kDoNotUseAlternateProtocol),
       embedded_identity_used_(false),
       default_credentials_used_(false),
       read_buf_len_(0),
       next_state_(STATE_NONE) {
   session->ssl_config_service()->GetSSLConfig(&ssl_config_);
   if (g_next_protos)
@@ skipping 167 matching lines @@
 
   // We don't need to drain the response body, so we act as if we had drained
   // the response body.
   DidDrainBodyForAuthRestart(keep_alive);
 }
 
 void HttpNetworkTransaction::DidDrainBodyForAuthRestart(bool keep_alive) {
   if (keep_alive && connection_->socket()->IsConnectedAndIdle()) {
     // We should call connection_->set_idle_time(), but this doesn't occur
     // often enough to be worth the trouble.
-    next_state_ = STATE_SEND_REQUEST;
+    if (using_ssl_ && proxy_info_.is_http() &&
+        ssl_connect_start_time_.is_null())

[eroman, 2010/05/26 03:21:27]

Using the time variable feels a bit hockey.

+      next_state_ = STATE_TUNNEL_SEND_REQUEST;
+    else
+      next_state_ = STATE_SEND_REQUEST;
     connection_->set_is_reused(true);
     reused_socket_ = true;
   } else {
     next_state_ = STATE_INIT_CONNECTION;
     connection_->socket()->Disconnect();
     connection_->Reset();
   }
 
   // Reset the other member variables.
   ResetStateForRestart();
 }
 
 int HttpNetworkTransaction::Read(IOBuffer* buf, int buf_len,
                                  CompletionCallback* callback) {
   DCHECK(buf);
   DCHECK_LT(0, buf_len);
 
   State next_state = STATE_NONE;
 
   // Are we using SPDY or HTTP?
   if (using_spdy_) {
     DCHECK(!http_stream_.get());
     DCHECK(spdy_stream_->GetResponseInfo()->headers);
     next_state = STATE_SPDY_READ_BODY;
   } else {
     DCHECK(!spdy_stream_.get());
-    scoped_refptr<HttpResponseHeaders> headers = GetResponseHeaders();
-    DCHECK(headers.get());
     next_state = STATE_READ_BODY;
 
     if (!connection_->is_initialized())
       return 0;  // connection_->has been reset.  Treat like EOF.
+  }
 
-    if (establishing_tunnel_) {
-      // We're trying to read the body of the response but we're still trying
-      // to establish an SSL tunnel through the proxy.  We can't read these
-      // bytes when establishing a tunnel because they might be controlled by
-      // an active network attacker.  We don't worry about this for HTTP
-      // because an active network attacker can already control HTTP sessions.
-      // We reach this case when the user cancels a 407 proxy auth prompt.
-      // See http://crbug.com/8473.
-      DCHECK_EQ(407, headers->response_code());
-      LogBlockedTunnelResponse(headers->response_code());
-      return ERR_TUNNEL_CONNECTION_FAILED;
-    }
+  scoped_refptr<HttpResponseHeaders> headers = GetResponseHeaders();
+  DCHECK(headers.get());
+  if (headers->response_code() == 407) {

[eroman, 2010/05/26 03:21:27]

Before it was only failing in the case where the URL was using SSL (i.e.
establishing tunnel), whereas now it always fails to read on 407.

At the very least the error code is wrong now (since this may not apply to the
tunnel case). Even if the error code were correct, I don't think we want this
new behavior, but should continue to show the error page for failed 407 when on
non-https.

+    // We're trying to read the body of the response but we're still trying
+    // to establish an SSL tunnel through the proxy.  We can't read these
+    // bytes when establishing a tunnel because they might be controlled by
+    // an active network attacker.  We don't worry about this for HTTP
+    // because an active network attacker can already control HTTP sessions.
+    // We reach this case when the user cancels a 407 proxy auth prompt.
+    // See http://crbug.com/8473.
+    DCHECK(proxy_info_.is_http());
+    LogBlockedTunnelResponse(headers->response_code());
+    return ERR_TUNNEL_CONNECTION_FAILED;
   }
 
   read_buf_ = buf;
   read_buf_len_ = buf_len;
 
   next_state_ = next_state;
   int rv = DoLoop(OK);
   if (rv == ERR_IO_PENDING)
     user_callback_ = callback;
   return rv;
 }
 
 const HttpResponseInfo* HttpNetworkTransaction::GetResponseInfo() const {
   return ((headers_valid_ && response_.headers) || response_.ssl_info.cert ||
           response_.cert_request_info) ? &response_ : NULL;
 }
 
 LoadState HttpNetworkTransaction::GetLoadState() const {
   // TODO(wtc): Define a new LoadState value for the
   // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request.
   switch (next_state_) {
     case STATE_RESOLVE_PROXY_COMPLETE:
       return LOAD_STATE_RESOLVING_PROXY_FOR_URL;
     case STATE_INIT_CONNECTION_COMPLETE:
       return connection_->GetLoadState();
+    case STATE_TUNNEL_SEND_REQUEST_COMPLETE:
+    case STATE_TUNNEL_READ_HEADERS_COMPLETE:
+      return LOAD_STATE_ESTABLISHING_PROXY_TUNNEL;
     case STATE_SEND_REQUEST_COMPLETE:
       return LOAD_STATE_SENDING_REQUEST;
     case STATE_READ_HEADERS_COMPLETE:
       return LOAD_STATE_WAITING_FOR_RESPONSE;
     case STATE_READ_BODY_COMPLETE:
       return LOAD_STATE_READING_RESPONSE;
     default:
       return LOAD_STATE_IDLE;
   }
 }
@@ skipping 49 matching lines @@
       case STATE_RESOLVE_PROXY_COMPLETE:
         rv = DoResolveProxyComplete(rv);
         break;
       case STATE_INIT_CONNECTION:
         DCHECK_EQ(OK, rv);
         rv = DoInitConnection();
         break;
       case STATE_INIT_CONNECTION_COMPLETE:
         rv = DoInitConnectionComplete(rv);
         break;
+      case STATE_TUNNEL_SEND_REQUEST:
+        DCHECK_EQ(OK, rv);
+        net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_SEND_REQUEST,
+            NULL);

[eroman, 2010/05/26 03:21:27]

nit: line these up with the paren of the previous line.

+        rv = DoTunnelSendRequest();
+        break;
+      case STATE_TUNNEL_SEND_REQUEST_COMPLETE:
+        rv = DoTunnelSendRequestComplete(rv);
+        net_log_.EndEvent(NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_SEND_REQUEST,
+            NULL);
+        break;
+      case STATE_TUNNEL_READ_HEADERS:
+        DCHECK_EQ(OK, rv);
+        net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_READ_HEADERS,
+            NULL);
+        rv = DoTunnelReadHeaders();
+        break;
+      case STATE_TUNNEL_READ_HEADERS_COMPLETE:
+        rv = DoTunnelReadHeadersComplete(rv);
+        net_log_.EndEvent(NetLog::TYPE_HTTP_TRANSACTION_TUNNEL_READ_HEADERS,
+            NULL);
+        break;
       case STATE_SSL_CONNECT:
         DCHECK_EQ(OK, rv);
         rv = DoSSLConnect();
         break;
       case STATE_SSL_CONNECT_COMPLETE:
         rv = DoSSLConnectComplete(rv);
         break;
       case STATE_SEND_REQUEST:
         DCHECK_EQ(OK, rv);
         net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST, NULL);
@@ skipping 281 matching lines @@
     if (using_ssl_) {
       SSLClientSocket* ssl_socket =
           reinterpret_cast<SSLClientSocket*>(connection_->socket());
       response_.was_npn_negotiated = ssl_socket->wasNpnNegotiated();
     }
     next_state_ = STATE_SEND_REQUEST;
   } else {
     // Now we have a TCP connected socket.  Perform other connection setup as
     // needed.
     UpdateConnectionTypeHistograms(CONNECTION_HTTP);
-    if (using_ssl_ && (proxy_info_.is_direct() || proxy_info_.is_socks())) {
-      next_state_ = STATE_SSL_CONNECT;
+    if (using_ssl_) {
+      if (proxy_info_.is_direct() || proxy_info_.is_socks())
+        next_state_ = STATE_SSL_CONNECT;
+      else
+        next_state_ = STATE_TUNNEL_SEND_REQUEST;
     } else {
       next_state_ = STATE_SEND_REQUEST;
-      if (using_ssl_)
-        establishing_tunnel_ = true;
     }
   }
 
   return OK;
 }
 
+void HttpNetworkTransaction::ClearTunnelState() {
+  http_stream_.reset();
+  request_headers_.clear();
+  response_ = HttpResponseInfo();
+  headers_valid_ = false;
+}
+
+int HttpNetworkTransaction::DoTunnelSendRequest() {
+  next_state_ = STATE_TUNNEL_SEND_REQUEST_COMPLETE;
+
+  // This is constructed lazily (instead of within our Start method), so that
+  // we have proxy info available.
+  if (request_headers_.empty()) {
+    // Figure out if we can/should add Proxy-Authentication headers.
+    bool have_proxy_auth =
+        HaveAuth(HttpAuth::AUTH_PROXY) ||
+        SelectPreemptiveAuth(HttpAuth::AUTH_PROXY);
+
+    std::string request_line;
+    HttpRequestHeaders request_headers;
+    HttpRequestHeaders authorization_headers;
+
+    // TODO(wtc): If BuildAuthorizationHeader fails (returns an authorization
+    // header with no credentials), we should return an error to prevent
+    // entering an infinite auth restart loop.  See http://crbug.com/21050.
+    if (have_proxy_auth)
+      AddAuthorizationHeader(HttpAuth::AUTH_PROXY, &authorization_headers);
+
+    BuildTunnelRequest(request_, authorization_headers, endpoint_,
+                       &request_line, &request_headers);
+    if (net_log_.HasListener()) {
+      net_log_.AddEvent(
+          NetLog::TYPE_HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
+          new NetLogHttpRequestParameter(
+              request_line, request_headers));
+    }
+    request_headers_ = request_line + request_headers.ToString();
+  }
+
+  http_stream_.reset(new HttpBasicStream(connection_.get(), net_log_));
+
+  return http_stream_->SendRequest(request_, request_headers_, NULL, &response_,
+                                   &io_callback_);
+}
+
+int HttpNetworkTransaction::DoTunnelSendRequestComplete(int result) {
+  if (result < 0)
+    return result;

[eroman, 2010/05/26 03:21:27]

No call to ClearTunnelState() in this case?

+
+  next_state_ = STATE_TUNNEL_READ_HEADERS;
+  return OK;
+}
+
+int HttpNetworkTransaction::DoTunnelReadHeaders() {
+  next_state_ = STATE_TUNNEL_READ_HEADERS_COMPLETE;
+
+  return http_stream_->ReadResponseHeaders(&io_callback_);
+}
+
+int HttpNetworkTransaction::DoTunnelReadHeadersComplete(int result) {
+  if (result < 0) {
+    if (result == ERR_CONNECTION_CLOSED)
+      result = ERR_TUNNEL_CONNECTION_FAILED;
+    ClearTunnelState();

[eroman, 2010/05/26 03:21:27]

The repeated calls to ClearTunnelState() seems pretty error prone. Especially if
someone else modifies this function in the future.

+    return result;
+  }
+
+  // Require the "HTTP/1.x" status line for SSL CONNECT.
+  if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) {
+    ClearTunnelState();
+    return ERR_TUNNEL_CONNECTION_FAILED;
+  }
+
+  if (net_log_.HasListener()) {
+    net_log_.AddEvent(
+        NetLog::TYPE_HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
+        new NetLogHttpResponseParameter(response_.headers));
+  }
+
+  int rv = result;
+  switch (response_.headers->response_code()) {
+    case 200:  // OK
+      if (http_stream_->IsMoreDataBuffered()) {
+        // The proxy sent extraneous data after the headers.
+        rv = ERR_TUNNEL_CONNECTION_FAILED;
+      } else {
+        next_state_ = STATE_SSL_CONNECT;
+        rv = OK;
+      }
+      break;
+
+      // We aren't able to CONNECT to the remote host through the proxy.  We
+      // need to be very suspicious about the response because an active network
+      // attacker can force us into this state by masquerading as the proxy.
+      // The only safe thing to do here is to fail the connection because our
+      // client is expecting an SSL protected response.
+      // See http://crbug.com/7338.
+    case 407:  // Proxy Authentication Required
+      // We need this status code to allow proxy authentication.  Our
+      // authentication code is smart enough to avoid being tricked by an
+      // active network attacker.
+      headers_valid_ = true;
+      return HandleAuthChallenge(true);
+
+    default:
+      // For all other status codes, we conservatively fail the CONNECT
+      // request.
+      // We lose something by doing this.  We have seen proxy 403, 404, and
+      // 501 response bodies that contain a useful error message.  For
+      // example, Squid uses a 404 response to report the DNS error: "The
+      // domain name does not exist."
+      LogBlockedTunnelResponse(response_.headers->response_code());
+      rv = ERR_TUNNEL_CONNECTION_FAILED;
+  }
+  ClearTunnelState();
+  return rv;
+}
+
 int HttpNetworkTransaction::DoSSLConnect() {
   next_state_ = STATE_SSL_CONNECT_COMPLETE;
 
   if (ContainsKey(*g_tls_intolerant_servers, GetHostAndPort(request_->url))) {
     LOG(WARNING) << "Falling back to SSLv3 because host is TLS intolerant: "
                  << GetHostAndPort(request_->url);
     ssl_config_.tls1_enabled = false;
   }
 
   if (request_->load_flags & LOAD_VERIFY_EV_CERT)
@@ skipping 78 matching lines @@
   } else {
     result = HandleSSLHandshakeError(result);
   }
   return result;
 }
 
 int HttpNetworkTransaction::DoSendRequest() {
   next_state_ = STATE_SEND_REQUEST_COMPLETE;
 
   UploadDataStream* request_body = NULL;
-  if (!establishing_tunnel_ && request_->upload_data) {
+  if (request_->upload_data) {
     int error_code;
     request_body = UploadDataStream::Create(request_->upload_data, &error_code);
     if (!request_body)
       return error_code;
   }
 
   // This is constructed lazily (instead of within our Start method), so that
   // we have proxy info available.
   if (request_headers_.empty()) {
     // Figure out if we can/should add Proxy-Authentication & Authentication
@@ skipping 12 matching lines @@
     HttpRequestHeaders authorization_headers;
 
     // TODO(wtc): If BuildAuthorizationHeader fails (returns an authorization
     // header with no credentials), we should return an error to prevent
     // entering an infinite auth restart loop.  See http://crbug.com/21050.
     if (have_proxy_auth)
       AddAuthorizationHeader(HttpAuth::AUTH_PROXY, &authorization_headers);
     if (have_server_auth)
       AddAuthorizationHeader(HttpAuth::AUTH_SERVER, &authorization_headers);
 
-    if (establishing_tunnel_) {
-      BuildTunnelRequest(request_, authorization_headers, endpoint_,
-                         &request_line, &request_headers);
-      if (net_log_.HasListener()) {
-        net_log_.AddEvent(
-            NetLog::TYPE_HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
-            new NetLogHttpRequestParameter(
-                request_line, request_headers));
-      }
-    } else {
-      BuildRequestHeaders(request_, authorization_headers, request_body,
-                          !using_ssl_ && proxy_info_.is_http(), &request_line,
-                          &request_headers);
-      if (net_log_.HasListener()) {
-        net_log_.AddEvent(
-            NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST_HEADERS,
-            new NetLogHttpRequestParameter(
-                request_line, request_headers));
-      }
+    BuildRequestHeaders(request_, authorization_headers, request_body,
+                        !using_ssl_ && proxy_info_.is_http(), &request_line,
+                        &request_headers);
+    if (net_log_.HasListener()) {
+      net_log_.AddEvent(
+          NetLog::TYPE_HTTP_TRANSACTION_SEND_REQUEST_HEADERS,
+          new NetLogHttpRequestParameter(
+              request_line, request_headers));
     }
-
     request_headers_ = request_line + request_headers.ToString();
   }
 
   headers_valid_ = false;
   http_stream_.reset(new HttpBasicStream(connection_.get(), net_log_));
 
   return http_stream_->SendRequest(request_, request_headers_,
                                    request_body, &response_, &io_callback_);
 }
 
 int HttpNetworkTransaction::DoSendRequestComplete(int result) {
   if (result < 0)
     return HandleIOError(result);
 
   next_state_ = STATE_READ_HEADERS;
 
   return OK;
 }
 
 int HttpNetworkTransaction::DoReadHeaders() {
   next_state_ = STATE_READ_HEADERS_COMPLETE;
 
   return http_stream_->ReadResponseHeaders(&io_callback_);
 }
 
 int HttpNetworkTransaction::HandleConnectionClosedBeforeEndOfHeaders() {
-  if (establishing_tunnel_) {
-    // The connection was closed before the tunnel could be established.
-    return ERR_TUNNEL_CONNECTION_FAILED;
-  }
-
   if (!response_.headers) {
     // The connection was closed before any data was sent. Likely an error
     // rather than empty HTTP/0.9 response.
     return ERR_EMPTY_RESPONSE;
   }
 
   return OK;
 }
 
 int HttpNetworkTransaction::DoReadHeadersComplete(int result) {
@@ skipping 48 matching lines @@
 
   if (result == ERR_CONNECTION_CLOSED) {
     // For now, if we get at least some data, we do the best we can to make
     // sense of it and send it back up the stack.
     int rv = HandleConnectionClosedBeforeEndOfHeaders();
     if (rv != OK)
       return rv;
   }
 
   if (net_log_.HasListener()) {
-    if (establishing_tunnel_) {
-      net_log_.AddEvent(
-          NetLog::TYPE_HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
-          new NetLogHttpResponseParameter(response_.headers));
-    } else {
-      net_log_.AddEvent(
-          NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS,
-          new NetLogHttpResponseParameter(response_.headers));
-    }
+    net_log_.AddEvent(
+        NetLog::TYPE_HTTP_TRANSACTION_READ_RESPONSE_HEADERS,
+        new NetLogHttpResponseParameter(response_.headers));
   }
 
   if (response_.headers->GetParsedHttpVersion() < HttpVersion(1, 0)) {
-    // Require the "HTTP/1.x" status line for SSL CONNECT.
-    if (establishing_tunnel_)
-      return ERR_TUNNEL_CONNECTION_FAILED;
-
     // HTTP/0.9 doesn't support the PUT method, so lack of response headers
     // indicates a buggy server.  See:
     // https://bugzilla.mozilla.org/show_bug.cgi?id=193921
     if (request_->method == "PUT")
       return ERR_METHOD_NOT_SUPPORTED;
   }
 
-  if (establishing_tunnel_) {
-    switch (response_.headers->response_code()) {
-      case 200:  // OK
-        if (http_stream_->IsMoreDataBuffered()) {
-          // The proxy sent extraneous data after the headers.
-          return ERR_TUNNEL_CONNECTION_FAILED;
-        }
-        next_state_ = STATE_SSL_CONNECT;
-        // Reset for the real request and response headers.
-        request_headers_.clear();
-        http_stream_.reset(NULL);
-        headers_valid_ = false;
-        establishing_tunnel_ = false;
-        // TODO(mbelshe): We should put in a test case to trip this code path.
-        response_ = HttpResponseInfo();
-        return OK;
-
-        // We aren't able to CONNECT to the remote host through the proxy.  We
-        // need to be very suspicious about the response because an active
-        // network attacker can force us into this state by masquerading as the
-        // proxy. The only safe thing to do here is to fail the connection
-        // because our client is expecting an SSL protected response.
-        // See http://crbug.com/7338.
-      case 407:  // Proxy Authentication Required
-        // We need this status code to allow proxy authentication.  Our
-        // authentication code is smart enough to avoid being tricked by an
-        // active network attacker.
-        break;
-      default:
-        // For all other status codes, we conservatively fail the CONNECT
-        // request.
-        // We lose something by doing this.  We have seen proxy 403, 404, and
-        // 501 response bodies that contain a useful error message.  For
-        // example, Squid uses a 404 response to report the DNS error: "The
-        // domain name does not exist."
-        LogBlockedTunnelResponse(response_.headers->response_code());
-        return ERR_TUNNEL_CONNECTION_FAILED;
-    }
-  }
-
   // Check for an intermediate 100 Continue response.  An origin server is
   // allowed to send this response even if we didn't ask for it, so we just
   // need to skip over it.
   // We treat any other 1xx in this same way (although in practice getting
   // a 1xx that isn't a 100 is rare).
   if (response_.headers->response_code() / 100 == 1) {
     response_.headers = new HttpResponseHeaders("");
     next_state_ = STATE_READ_HEADERS;
     return OK;
   }
 
   ProcessAlternateProtocol(*response_.headers,
                            endpoint_,
                            session_->mutable_alternate_protocols());
 
-  int rv = HandleAuthChallenge();
+  int rv = HandleAuthChallenge(false);
   if (rv != OK)
     return rv;
 
-  if (using_ssl_ && !establishing_tunnel_) {
+  if (using_ssl_) {
     SSLClientSocket* ssl_socket =
         reinterpret_cast<SSLClientSocket*>(connection_->socket());
     ssl_socket->GetSSLInfo(&response_.ssl_info);
   }
 
   headers_valid_ = true;
   return OK;
 }
 
 int HttpNetworkTransaction::DoResolveCanonicalName() {
@@ skipping 18 matching lines @@
   DCHECK_GT(read_buf_len_, 0);
   DCHECK(connection_->is_initialized());
 
   next_state_ = STATE_READ_BODY_COMPLETE;
   return http_stream_->ReadResponseBody(read_buf_, read_buf_len_,
                                         &io_callback_);
 }
 
 int HttpNetworkTransaction::DoReadBodyComplete(int result) {
   // We are done with the Read call.
-  DCHECK(!establishing_tunnel_) <<
-      "We should never read a response body of a tunnel.";
-
   bool done = false, keep_alive = false;
   if (result <= 0)
     done = true;
 
   if (http_stream_->IsResponseBodyComplete()) {
     done = true;
     if (http_stream_->CanFindEndOfResponse())
       keep_alive = GetResponseHeaders()->IsKeepAlive();
   }
 
@@ skipping 393 matching lines @@
 }
 
 HttpResponseHeaders* HttpNetworkTransaction::GetResponseHeaders() const {
   return response_.headers;
 }
 
 bool HttpNetworkTransaction::ShouldResendRequest(int error) const {
   // NOTE: we resend a request only if we reused a keep-alive connection.
   // This automatically prevents an infinite resend loop because we'll run
   // out of the cached keep-alive connections eventually.
-  if (establishing_tunnel_ ||
-      !connection_->ShouldResendFailedRequest(error) ||
+  if (!connection_->ShouldResendFailedRequest(error) ||
       GetResponseHeaders()) {  // We have received some response headers.
     return false;
   }
   return true;
 }
 
 void HttpNetworkTransaction::ResetConnectionAndRequestForResend() {
   connection_->socket()->Disconnect();
   connection_->Reset();
   // We need to clear request_headers_ because it contains the real request
@@ skipping 58 matching lines @@
     // there was nothing left to fall-back to, so fail the transaction
     // with the last connection error we got.
     // TODO(eroman): This is a confusing contract, make it more obvious.
     rv = error;
   }
 
   return rv;
 }
 
 bool HttpNetworkTransaction::ShouldApplyProxyAuth() const {
-  return (!using_ssl_ && proxy_info_.is_http()) || establishing_tunnel_;
+  return !using_ssl_ && proxy_info_.is_http();
 }
 
 bool HttpNetworkTransaction::ShouldApplyServerAuth() const {
-  return !establishing_tunnel_ &&
-      !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA);
+  return !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA);
 }
 
 void HttpNetworkTransaction::AddAuthorizationHeader(
     HttpAuth::Target target, HttpRequestHeaders* authorization_headers) const {
   DCHECK(HaveAuth(target));
 
   // Add a Authorization/Proxy-Authorization header line.
   std::string auth_token;
   int rv;
   if (auth_identity_[target].source ==
@@ skipping 180 matching lines @@
   // response header.
   iter = NULL;
   while (headers->EnumerateHeader(&iter, "proxy-support", &header_val)) {
     msg.append("\n  Has header Proxy-Support: ");
     msg.append(header_val);
   }
 
   return msg;
 }
 
-int HttpNetworkTransaction::HandleAuthChallenge() {
+int HttpNetworkTransaction::HandleAuthChallenge(bool establishing_tunnel) {
   scoped_refptr<HttpResponseHeaders> headers = GetResponseHeaders();
   DCHECK(headers);
 
   int status = headers->response_code();
   if (status != 401 && status != 407)
     return OK;
   HttpAuth::Target target = status == 407 ?
                             HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER;
   GURL auth_origin = PossiblyInvalidAuthOrigin(target);
 
@@ skipping 22 matching lines @@
 
   if (target != HttpAuth::AUTH_SERVER ||
       !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA)) {
     // Find the best authentication challenge that we support.
     HttpAuth::ChooseBestChallenge(session_->http_auth_handler_factory(),
                                   headers, target,
                                   auth_origin, &auth_handler_[target]);
   }
 
   if (!auth_handler_[target]) {
-    if (establishing_tunnel_) {
+    if (establishing_tunnel) {
       LOG(ERROR) << "Can't perform auth to the " << AuthTargetString(target)
                  << " " << auth_origin << " when establishing a tunnel"
                  << AuthChallengeLogMessage();
 
       // We are establishing a tunnel, we can't show the error page because an
       // active network attacker could control its contents.  Instead, we just
       // fail to establish the tunnel.
       DCHECK(target == HttpAuth::AUTH_PROXY);
       return ERR_PROXY_AUTH_REQUESTED;
     }
@@ skipping 62 matching lines @@
       endpoint_);
 
   alternate_protocol_mode_ = kDoNotUseAlternateProtocol;
   if (connection_->socket())
     connection_->socket()->Disconnect();
   connection_->Reset();
   next_state_ = STATE_INIT_CONNECTION;
 }
 
 }  // namespace net