Backout d45ca69b67a3 (bug 767516), 4ff98d3e4d8d (bug 767512), 70cc47076115 (bug 767505), 4eca26d02c84 (bug 766929) for mochitest-plain-5 failures

netwerk/protocol/http/NullHttpTransaction.cpp

@@ -152,7 +152,7 @@ NullHttpTransaction::TakeSubTransactions(
 }
 
 void
-NullHttpTransaction::SetProxyConnectFailed()
+NullHttpTransaction::SetSSLConnectFailed()
 {
 }
 

netwerk/protocol/http/NullHttpTransaction.h

@@ -18,7 +18,7 @@
 // This is the minimal nsAHttpTransaction implementation. A NullHttpTransaction
 // can be used to drive connection level semantics (such as SSL handshakes
 // tunnels) so that a nsHttpConnection becomes fully established in
-// anticipation of a real transaction needing to use it soon.
+// anticiation of a real transaction needing to use it soon.
 
 namespace mozilla { namespace net {
 

netwerk/protocol/http/SpdySession2.cpp

@@ -2161,9 +2161,9 @@ SpdySession2::GetSecurityCallbacks(nsIInterfaceRequestor **,
 }
 
 void
-SpdySession2::SetProxyConnectFailed()
+SpdySession2::SetSSLConnectFailed()
 {
-  NS_ABORT_IF_FALSE(false, "SpdySession2::SetProxyConnectFailed()");
+  NS_ABORT_IF_FALSE(false, "SpdySession2::SetSSLConnectFailed()");
 }
 
 bool

netwerk/protocol/http/SpdySession3.cpp

@@ -2218,9 +2218,9 @@ SpdySession3::GetSecurityCallbacks(nsIInterfaceRequestor **,
 }
 
 void
-SpdySession3::SetProxyConnectFailed()
+SpdySession3::SetSSLConnectFailed()
 {
-  NS_ABORT_IF_FALSE(false, "SpdySession3::SetProxyConnectFailed()");
+  NS_ABORT_IF_FALSE(false, "SpdySession3::SetSSLConnectFailed()");
 }
 
 bool

netwerk/protocol/http/nsAHttpTransaction.h

@@ -63,8 +63,8 @@ public:
     // called to close the transaction
     virtual void Close(nsresult reason) = 0;
 
-    // called to indicate a failure with proxy CONNECT
-    virtual void SetProxyConnectFailed() = 0;
+    // called to indicate a failure at the SSL setup level
+    virtual void SetSSLConnectFailed() = 0;
     
     // called to retrieve the request headers of the transaction
     virtual nsHttpRequestHead *RequestHead() = 0;
@@ -149,7 +149,7 @@ public:
     nsresult ReadSegments(nsAHttpSegmentReader *, PRUint32, PRUint32 *); \
     nsresult WriteSegments(nsAHttpSegmentWriter *, PRUint32, PRUint32 *); \
     void     Close(nsresult reason);                                    \
-    void     SetProxyConnectFailed();                                   \
+    void     SetSSLConnectFailed();                                     \
     nsHttpRequestHead *RequestHead();                                   \
     PRUint32 Http1xTransactionCount();                                  \
     nsresult TakeSubTransactions(nsTArray<nsRefPtr<nsAHttpTransaction> > &outTransactions); \

netwerk/protocol/http/nsHttpChannel.cpp

@@ -709,8 +709,8 @@ nsHttpChannel::SetupTransaction()
     if (!mAllowSpdy)
         mCaps |= NS_HTTP_DISALLOW_SPDY;
 
-    // Use the URI path if not proxying (transparent proxying such as proxy
-    // CONNECT does not count here). Also figure out what HTTP version to use.
+    // use the URI path if not proxying (transparent proxying such as SSL proxy
+    // does not count here). also, figure out what version we should be speaking.
     nsCAutoString buf, path;
     nsCString* requestURI;
     if (mConnectionInfo->UsingConnect() ||
@@ -986,21 +986,21 @@ nsHttpChannel::CallOnStartRequest()
 }
 
 nsresult
-nsHttpChannel::ProcessFailedProxyConnect(PRUint32 httpStatus)
+nsHttpChannel::ProcessFailedSSLConnect(PRUint32 httpStatus)
 {
-    // Failure to set up a proxy tunnel via CONNECT means one of the following:
+    // Failure to set up SSL proxy tunnel means one of the following:
     // 1) Proxy wants authorization, or forbids.
     // 2) DNS at proxy couldn't resolve target URL.
     // 3) Proxy connection to target failed or timed out.
-    // 4) Eve intercepted our CONNECT, and is replying with malicious HTML.
-    //
-    // Our current architecture would parse the proxy's response content with
-    // the permission of the target URL.  Given #4, we must avoid rendering the
-    // body of the reply, and instead give the user a (hopefully helpful)
+    // 4) Eve noticed our proxy CONNECT, and is replying with malicious HTML.
+    // 
+    // Our current architecture will parse response content with the
+    // permission of the target URL!  Given #4, we must avoid rendering the
+    // body of the reply, and instead give the user a (hopefully helpful) 
     // boilerplate error page, based on just the HTTP status of the reply.
 
-    NS_ABORT_IF_FALSE(mConnectionInfo->UsingConnect(),
-                      "proxy connect failed but not using CONNECT?");
+    NS_ABORT_IF_FALSE(mConnectionInfo->UsingSSL(),
+                      "SSL connect failed but not using SSL?");
     nsresult rv;
     switch (httpStatus) 
     {
@@ -1051,13 +1051,21 @@ nsHttpChannel::ProcessFailedProxyConnect(PRUint32 httpStatus)
         rv = NS_ERROR_PROXY_CONNECTION_REFUSED; 
         break;
     }
-    LOG(("Cancelling failed proxy CONNECT [this=%p httpStatus=%u]\n",
+    LOG(("Cancelling failed SSL proxy connection [this=%p httpStatus=%u]\n",
          this, httpStatus)); 
     Cancel(rv);
     CallOnStartRequest();
     return rv;
 }
 
+bool
+nsHttpChannel::ShouldSSLProxyResponseContinue(PRUint32 httpStatus)
+{
+    // When SSL connect has failed, allow proxy reply to continue only if it's
+    // a 407 (proxy authentication required) response
+    return (httpStatus == 407);
+}
+
 /**
  * Decide whether or not to remember Strict-Transport-Security, and whether
  * or not to enforce channel integrity.
@@ -1155,11 +1163,10 @@ nsHttpChannel::ProcessResponse()
     LOG(("nsHttpChannel::ProcessResponse [this=%p httpStatus=%u]\n",
         this, httpStatus));
 
-    if (mTransaction->ProxyConnectFailed()) {
-        // Only allow 407 (authentication required) to continue
-        if (httpStatus != 407)
-            return ProcessFailedProxyConnect(httpStatus);
-        // If proxy CONNECT response needs to complete, wait to process connection
+    if (mTransaction->SSLConnectFailed()) {
+        if (!ShouldSSLProxyResponseContinue(httpStatus))
+            return ProcessFailedSSLConnect(httpStatus);
+        // If SSL proxy response needs to complete, wait to process connection
         // for Strict-Transport-Security.
     } else {
         // Given a successful connection, process any STS data that's relevant.
@@ -1263,7 +1270,8 @@ nsHttpChannel::ProcessResponse()
     case 401:
     case 407:
         rv = mAuthProvider->ProcessAuthentication(
-            httpStatus, mTransaction->ProxyConnectFailed());
+            httpStatus, mConnectionInfo->UsingSSL() &&
+                        mTransaction->SSLConnectFailed());
         if (rv == NS_ERROR_IN_PROGRESS)  {
             // authentication prompt has been invoked and result
             // is expected asynchronously
@@ -1278,8 +1286,8 @@ nsHttpChannel::ProcessResponse()
         }
         else if (NS_FAILED(rv)) {
             LOG(("ProcessAuthentication failed [rv=%x]\n", rv));
-           if (mTransaction->ProxyConnectFailed())
-               return ProcessFailedProxyConnect(httpStatus);
+            if (mTransaction->SSLConnectFailed())
+                return ProcessFailedSSLConnect(httpStatus);
             if (!mAuthRetryPending)
                 mAuthProvider->CheckForSuperfluousAuth();
             rv = ProcessNormal();
@@ -1350,8 +1358,8 @@ nsHttpChannel::ContinueProcessResponse(nsresult rv)
     }
 
     LOG(("ContinueProcessResponse got failure result [rv=%x]\n", rv));
-    if (mTransaction->ProxyConnectFailed()) {
-        return ProcessFailedProxyConnect(mRedirectType);
+    if (mTransaction->SSLConnectFailed()) {
+        return ProcessFailedSSLConnect(mRedirectType);
     }
     return ProcessNormal();
 }

netwerk/protocol/http/nsHttpChannel.h

@@ -172,7 +172,8 @@ private:
     nsresult AsyncProcessRedirection(PRUint32 httpStatus);
     nsresult ContinueProcessRedirection(nsresult);
     nsresult ContinueProcessRedirectionAfterFallback(nsresult);
-    nsresult ProcessFailedProxyConnect(PRUint32 httpStatus);
+    bool     ShouldSSLProxyResponseContinue(PRUint32 httpStatus);
+    nsresult ProcessFailedSSLConnect(PRUint32 httpStatus);
     nsresult ProcessFallback(bool *waitingForRedirectCallback);
     nsresult ContinueProcessFallback(nsresult);
     void     HandleAsyncAbort();

netwerk/protocol/http/nsHttpChannelAuthProvider.cpp

@@ -68,11 +68,11 @@ nsHttpChannelAuthProvider::Init(nsIHttpAuthenticableChannel *channel)
 
 NS_IMETHODIMP
 nsHttpChannelAuthProvider::ProcessAuthentication(PRUint32 httpStatus,
-                                                 bool     ProxyConnectFailed)
+                                                 bool     SSLConnectFailed)
 {
     LOG(("nsHttpChannelAuthProvider::ProcessAuthentication "
-         "[this=%p channel=%p code=%u ProxyConnectFailed=%d]\n",
-         this, mAuthChannel, httpStatus, ProxyConnectFailed));
+         "[this=%p channel=%p code=%u SSLConnectFailed=%d]\n",
+         this, mAuthChannel, httpStatus, SSLConnectFailed));
 
     NS_ASSERTION(mAuthChannel, "Channel not initialized");
 
@@ -113,7 +113,7 @@ nsHttpChannelAuthProvider::ProcessAuthentication(PRUint32 httpStatus,
             LOG(("rejecting 407 when proxy server not configured!\n"));
             return NS_ERROR_UNEXPECTED;
         }
-        if (!ProxyConnectFailed) {
+        if (UsingSSL() && !SSLConnectFailed) {
             // we need to verify that this challenge came from the proxy
             // server itself, and not some server on the other side of the
             // SSL tunnel.

netwerk/protocol/http/nsHttpConnection.cpp

@@ -828,9 +828,9 @@ nsHttpConnection::OnHeadersAvailable(nsAHttpTransaction *trans,
     if (!mProxyConnectStream)
         HandleAlternateProtocol(responseHead);
 
-    // If we're doing a proxy connect, we need to check whether or not
-    // it was successful.  If so, we have to reset the transaction and step-up
-    // the socket connection if using SSL. Finally, we have to wake up the
+    // if we're doing an SSL proxy connect, then we need to check whether or not
+    // the connect was successful.  if so, then we have to reset the transaction
+    // and step-up the socket connection to SSL. finally, we have to wake up the
     // socket write request.
     if (mProxyConnectStream) {
         NS_ABORT_IF_FALSE(!mUsingSpdyVersion,
@@ -855,7 +855,7 @@ nsHttpConnection::OnHeadersAvailable(nsAHttpTransaction *trans,
         else {
             LOG(("proxy CONNECT failed! ssl=%s\n",
                  mConnInfo->UsingSSL() ? "true" :"false"));
-            mTransaction->SetProxyConnectFailed();
+            mTransaction->SetSSLConnectFailed();
         }
     }
     
@@ -1195,8 +1195,8 @@ nsHttpConnection::OnSocketWritable()
     do {
         mSocketOutCondition = NS_OK;
 
-        // If we're doing a proxy connect, then we need to bypass calling into
-        // the transaction.
+        // if we're doing an SSL proxy connect, then we need to bypass calling
+        // into the transaction.
         //
         // NOTE: this code path can't be shared since the transaction doesn't
         // implement nsIInputStream.  doing so is not worth the added cost of

netwerk/protocol/http/nsHttpConnectionMgr.cpp

@@ -1379,7 +1379,7 @@ nsHttpConnectionMgr::IsUnderPressure(nsConnectionEntry *ent,
     // favor existing pipelines over more parallelism so as to reserve any
     // unused parallel connections for types that don't have existing pipelines.
     //
-    // The definition of connection pressure is a pretty liberal one here - that
+    // The defintion of connection pressure is a pretty liberal one here - that
     // is why we are using the more restrictive maxPersist* counters.
     //
     // Pipelines are also favored when the requested classification is already
@@ -1389,7 +1389,7 @@ nsHttpConnectionMgr::IsUnderPressure(nsConnectionEntry *ent,
     
     PRInt32 currentConns = ent->mActiveConns.Length();
     PRInt32 maxConns =
-        (ent->mConnInfo->UsingHttpProxy() && !ent->mConnInfo->UsingConnect()) ?
+        (ent->mConnInfo->UsingHttpProxy() && !ent->mConnInfo->UsingSSL()) ?
         mMaxPersistConnsPerProxy : mMaxPersistConnsPerHost;
 
     // Leave room for at least 3 distinct types to operate concurrently,

netwerk/protocol/http/nsHttpPipeline.cpp

@@ -345,12 +345,12 @@ nsHttpPipeline::Classification()
 }
 
 void
-nsHttpPipeline::SetProxyConnectFailed()
+nsHttpPipeline::SetSSLConnectFailed()
 {
     nsAHttpTransaction *trans = Request(0);
 
     if (trans)
-        trans->SetProxyConnectFailed();
+        trans->SetSSLConnectFailed();
 }
 
 nsHttpRequestHead *
@@ -647,7 +647,7 @@ nsHttpPipeline::WriteSegments(nsAHttpSegmentWriter *writer,
     trans = Response(0);
     // This code deals with the establishment of a CONNECT tunnel through
     // an HTTP proxy. It allows the connection to do the CONNECT/200
-    // HTTP transaction to establish a tunnel as a precursor to the
+    // HTTP transaction to establish an SSL tunnel as a precursor to the
     // actual pipeline of regular HTTP transactions.
     if (!trans && mRequestQ.Length() &&
         mConnection->IsProxyConnectInProgress()) {

netwerk/protocol/http/nsHttpTransaction.cpp

@@ -101,7 +101,7 @@ nsHttpTransaction::nsHttpTransaction()
     , mReceivedData(false)
     , mStatusEventPending(false)
     , mHasRequestBody(false)
-    , mProxyConnectFailed(false)
+    , mSSLConnectFailed(false)
     , mHttpResponseMatched(false)
     , mPreserveStream(false)
     , mReportedStart(false)
@@ -352,9 +352,9 @@ nsHttpTransaction::TakeResponseHead()
 }
 
 void
-nsHttpTransaction::SetProxyConnectFailed()
+nsHttpTransaction::SetSSLConnectFailed()
 {
-    mProxyConnectFailed = true;
+    mSSLConnectFailed = true;
 }
 
 nsHttpRequestHead *

netwerk/protocol/http/nsHttpTransaction.h

@@ -94,7 +94,7 @@ public:
     // Called to find out if the transaction generated a complete response.
     bool ResponseIsComplete() { return mResponseIsComplete; }
 
-    bool      ProxyConnectFailed() { return mProxyConnectFailed; }
+    bool      SSLConnectFailed() { return mSSLConnectFailed; }
 
     // SetPriority() may only be used by the connection manager.
     void    SetPriority(PRInt32 priority) { mPriority = priority; }
@@ -189,7 +189,7 @@ private:
     bool                            mReceivedData;
     bool                            mStatusEventPending;
     bool                            mHasRequestBody;
-    bool                            mProxyConnectFailed;
+    bool                            mSSLConnectFailed;
     bool                            mHttpResponseMatched;
     bool                            mPreserveStream;
 

netwerk/protocol/http/nsIHttpAuthManager.idl

@@ -27,7 +27,7 @@ interface nsIHttpAuthManager : nsISupports
      *
      * @param aScheme
      *        the URL scheme (e.g., "http").  NOTE: for proxy authentication,
-     *        this should be "http" (this includes authentication for CONNECT
+     *        this should be "http" (this includes authentication for SSL
      *        tunneling).
      * @param aHost
      *        the host of the server issuing a challenge (ASCII only).
@@ -61,7 +61,7 @@ interface nsIHttpAuthManager : nsISupports
      *
      * @param aScheme
      *        the URL scheme (e.g., "http").  NOTE: for proxy authentication,
-     *        this should be "http" (this includes authentication for CONNECT
+     *        this should be "http" (this includes authentication for SSL
      *        tunneling).
      * @param aHost
      *        the host of the server issuing a challenge (ASCII only).

netwerk/protocol/http/nsIHttpChannelAuthProvider.idl

@@ -40,8 +40,8 @@ interface nsIHttpChannelAuthProvider : nsICancelable
    *
    * @param httpStatus
    *        the http status received.
-   * @param proxyConnectFailed
-   *        if attempt to create CONNECT tunnel via proxy failed.
+   * @param sslConnectFailed
+   *        if the last ssl tunnel connection attempt was or not successful.
    * @param callback
    *        the callback to be called when it returns NS_ERROR_IN_PROGRESS.
    *        The implementation must hold a weak reference.
@@ -54,7 +54,7 @@ interface nsIHttpChannelAuthProvider : nsICancelable
    *                               until disconnect be called.
    */
   void processAuthentication(in unsigned long httpStatus,
-                             in boolean proxyConnectFailed);
+                             in boolean sslConnectFailed);
 
   /**
    * Add credentials from the http auth cache.