Change the bad-certificate handler for SSL (using NSS) to return an...

net/http/http_network_transaction.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include "base/scoped_ptr.h"
 #include "base/compiler_specific.h"
 #include "base/field_trial.h"
 #include "base/string_util.h"
@@ skipping 62 matching lines @@
 
   next_state_ = STATE_RESOLVE_PROXY;
   int rv = DoLoop(OK);
   if (rv == ERR_IO_PENDING)
     user_callback_ = callback;
   return rv;
 }
 
 int HttpNetworkTransaction::RestartIgnoringLastError(
     CompletionCallback* callback) {
-  // TODO(wtc): If the connection is no longer alive, call
-  // connection_.socket()->ReconnectIgnoringLastError().
-  next_state_ = STATE_WRITE_HEADERS;
+  if (connection_.socket()->IsConnected()) {
+    next_state_ = STATE_WRITE_HEADERS;
+  } else {
+    connection_.set_socket(NULL);
+    connection_.Reset();
+    next_state_ = STATE_INIT_CONNECTION;
+  }
   int rv = DoLoop(OK);
   if (rv == ERR_IO_PENDING)
     user_callback_ = callback;
   return rv;
 }
 
 int HttpNetworkTransaction::RestartWithAuth(
     const std::wstring& username,
     const std::wstring& password,
     CompletionCallback* callback) {
@@ skipping 146 matching lines @@
 }
 
 LoadState HttpNetworkTransaction::GetLoadState() const {
   // TODO(wtc): Define a new LoadState value for the
   // STATE_INIT_CONNECTION_COMPLETE state, which delays the HTTP request.
   switch (next_state_) {
     case STATE_RESOLVE_PROXY_COMPLETE:
       return LOAD_STATE_RESOLVING_PROXY_FOR_URL;
     case STATE_RESOLVE_HOST_COMPLETE:
       return LOAD_STATE_RESOLVING_HOST;
-    case STATE_CONNECT_COMPLETE:
+    case STATE_TCP_CONNECT_COMPLETE:
       return LOAD_STATE_CONNECTING;
     case STATE_WRITE_HEADERS_COMPLETE:
     case STATE_WRITE_BODY_COMPLETE:
       return LOAD_STATE_SENDING_REQUEST;
     case STATE_READ_HEADERS_COMPLETE:
       return LOAD_STATE_WAITING_FOR_RESPONSE;
     case STATE_READ_BODY_COMPLETE:
       return LOAD_STATE_READING_RESPONSE;
     default:
       return LOAD_STATE_IDLE;
@@ skipping 138 matching lines @@
         break;
       case STATE_RESOLVE_HOST:
         DCHECK_EQ(OK, rv);
         TRACE_EVENT_BEGIN("http.resolve_host", request_, request_->url.spec());
         rv = DoResolveHost();
         break;
       case STATE_RESOLVE_HOST_COMPLETE:
         rv = DoResolveHostComplete(rv);
         TRACE_EVENT_END("http.resolve_host", request_, request_->url.spec());
         break;
-      case STATE_CONNECT:
+      case STATE_TCP_CONNECT:
         DCHECK_EQ(OK, rv);
         TRACE_EVENT_BEGIN("http.connect", request_, request_->url.spec());

[wtc, 2009/03/30 18:18:57]

Nit: Should we rename this event "http.tcp_connect"?

I hope there are no scripts that depend on the current event
name "http.connect".

-        rv = DoConnect();
+        rv = DoTCPConnect();
         break;
-      case STATE_CONNECT_COMPLETE:
-        rv = DoConnectComplete(rv);
+      case STATE_TCP_CONNECT_COMPLETE:
+        rv = DoTCPConnectComplete(rv);
         TRACE_EVENT_END("http.connect", request_, request_->url.spec());

[wtc, 2009/03/30 18:18:57]

Nit: Should we rename this event "http.tcp_connect"? 

         break;
-      case STATE_SSL_CONNECT_OVER_TUNNEL:
+      case STATE_SSL_CONNECT:
         DCHECK_EQ(OK, rv);
-        TRACE_EVENT_BEGIN("http.ssl_tunnel", request_, request_->url.spec());
-        rv = DoSSLConnectOverTunnel();
+        TRACE_EVENT_BEGIN("http.ssl_connect", request_, request_->url.spec());
+        rv = DoSSLConnect();
         break;
-      case STATE_SSL_CONNECT_OVER_TUNNEL_COMPLETE:
-        rv = DoSSLConnectOverTunnelComplete(rv);
-        TRACE_EVENT_END("http.ssl_tunnel", request_, request_->url.spec());
+      case STATE_SSL_CONNECT_COMPLETE:
+        rv = DoSSLConnectComplete(rv);
+        TRACE_EVENT_END("http.ssl_connect", request_, request_->url.spec());
         break;
       case STATE_WRITE_HEADERS:
         DCHECK_EQ(OK, rv);
         TRACE_EVENT_BEGIN("http.write_headers", request_, request_->url.spec());
         rv = DoWriteHeaders();
         break;
       case STATE_WRITE_HEADERS_COMPLETE:
         rv = DoWriteHeadersComplete(rv);
         TRACE_EVENT_END("http.write_headers", request_, request_->url.spec());
         break;
@@ skipping 133 matching lines @@
   }
 
   DidStartDnsResolution(host, this);
   return resolver_.Resolve(host, port, &addresses_, &io_callback_);
 }
 
 int HttpNetworkTransaction::DoResolveHostComplete(int result) {
   bool ok = (result == OK);
   DidFinishDnsResolutionWithStatus(ok, request_->referrer, this);
   if (ok) {
-    next_state_ = STATE_CONNECT;
+    next_state_ = STATE_TCP_CONNECT;
   } else {
     result = ReconsiderProxyAfterError(result);
   }
   return result;
 }
 
-int HttpNetworkTransaction::DoConnect() {
-  next_state_ = STATE_CONNECT_COMPLETE;
+int HttpNetworkTransaction::DoTCPConnect() {
+  next_state_ = STATE_TCP_CONNECT_COMPLETE;
 
   DCHECK(!connection_.socket());
 
   ClientSocket* s = socket_factory_->CreateTCPClientSocket(addresses_);
-
-  // If we are using a direct SSL connection, then go ahead and create the SSL
-  // wrapper socket now.  Otherwise, we need to first issue a CONNECT request.
-  if (using_ssl_ && !using_tunnel_)
-    s = socket_factory_->CreateSSLClientSocket(s, request_->url.host(),
-                                               ssl_config_);
-
   connection_.set_socket(s);
   return connection_.socket()->Connect(&io_callback_);
 }
 
-int HttpNetworkTransaction::DoConnectComplete(int result) {
-  if (IsCertificateError(result))
-    result = HandleCertificateError(result);
-
+int HttpNetworkTransaction::DoTCPConnectComplete(int result) {
+  // If we are using a direct SSL connection, then go ahead and establish the
+  // SSL connection, now.  Otherwise, we need to first issue a CONNECT request.

[wtc, 2009/03/30 18:18:57]

Nit: remove the comma (,) before "now".

   if (result == OK) {
-    next_state_ = STATE_WRITE_HEADERS;
-    if (using_tunnel_)
-      establishing_tunnel_ = true;
+    if (using_ssl_ && !using_tunnel_) {
+      next_state_ = STATE_SSL_CONNECT;
+    } else {
+      next_state_ = STATE_WRITE_HEADERS;
+      if (using_tunnel_)
+        establishing_tunnel_ = true;
+    }
   } else {
-    result = HandleSSLHandshakeError(result);
-    if (result != OK)
-      result = ReconsiderProxyAfterError(result);
+    result = ReconsiderProxyAfterError(result);
   }
   return result;
 }
 
-int HttpNetworkTransaction::DoSSLConnectOverTunnel() {
-  next_state_ = STATE_SSL_CONNECT_OVER_TUNNEL_COMPLETE;
+int HttpNetworkTransaction::DoSSLConnect() {
+  next_state_ = STATE_SSL_CONNECT_COMPLETE;
 
   // Add a SSL socket on top of our existing transport socket.
   ClientSocket* s = connection_.release_socket();
   s = socket_factory_->CreateSSLClientSocket(s, request_->url.host(),
                                              ssl_config_);
   connection_.set_socket(s);
   return connection_.socket()->Connect(&io_callback_);
 }
 
-int HttpNetworkTransaction::DoSSLConnectOverTunnelComplete(int result) {
+int HttpNetworkTransaction::DoSSLConnectComplete(int result) {
   if (IsCertificateError(result))
     result = HandleCertificateError(result);
 
   if (result == OK) {
     next_state_ = STATE_WRITE_HEADERS;
   } else {
     result = HandleSSLHandshakeError(result);
   }
   return result;
 }
@@ skipping 362 matching lines @@
       return ERR_METHOD_NOT_SUPPORTED;
   }
 
   if (establishing_tunnel_) {
     switch (headers->response_code()) {
       case 200:  // OK
         if (header_buf_body_offset_ != header_buf_len_) {
           // The proxy sent extraneous data after the headers.
           return ERR_TUNNEL_CONNECTION_FAILED;
         }
-        next_state_ = STATE_SSL_CONNECT_OVER_TUNNEL;
+        next_state_ = STATE_SSL_CONNECT;
         // Reset for the real request and response headers.
         request_headers_.clear();
         request_headers_bytes_sent_ = 0;
         header_buf_len_ = 0;
         header_buf_body_offset_ = 0;
         establishing_tunnel_ = false;
         return OK;
 
       // We aren't able to CONNECT to the remote host through the proxy.  We
       // need to be very suspicious about the response because an active network
@@ skipping 110 matching lines @@
         if (request_->load_flags & LOAD_IGNORE_CERT_AUTHORITY_INVALID)
           error = OK;
         break;
     }
   }
 
   if (error != OK) {
     SSLClientSocket* ssl_socket =
         reinterpret_cast<SSLClientSocket*>(connection_.socket());
     ssl_socket->GetSSLInfo(&response_.ssl_info);
+
+    // Add the bad certificate to the set of allowed certificates in the
+    // SSL info object. This data structure will be consulted after calling
+    // RestartIgnoringLastError(). And the user will be asked interactively
+    // before RestartIgnoringLastError() is ever called.
+    ssl_config_.allowed_bad_certs_.insert(response_.ssl_info.cert);
   }
   return error;
 }
 
 int HttpNetworkTransaction::HandleSSLHandshakeError(int error) {
   switch (error) {
     case ERR_SSL_PROTOCOL_ERROR:
     case ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
       if (ssl_config_.tls1_enabled) {
         // This could be a TLS-intolerant server or an SSL 3.0 server that
@@ skipping 361 matching lines @@
   if (target == HttpAuth::AUTH_PROXY) {
     auth_info->host = ASCIIToWide(proxy_info_.proxy_server().host_and_port());
   } else {
     DCHECK(target == HttpAuth::AUTH_SERVER);
     auth_info->host = ASCIIToWide(request_->url.host());
   }
   response_.auth_challenge = auth_info;
 }
 
 }  // namespace net