net: Make Snap Start check cert verification and add metrics

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 462 matching lines @@
   if (!ssl_host_info_.get())
     return;
 
   SECStatus rv;
   SSLSnapStartResult snap_start_type;
   rv = SSL_GetSnapStartResult(nss_fd_, &snap_start_type);
   if (rv != SECSuccess) {
     NOTREACHED();
     return;
   }
+  net_log_.AddEvent(NetLog::TYPE_SSL_SNAP_START,
+                    new NetLogIntegerParameter("type", snap_start_type));
   LOG(ERROR) << "Snap Start: " << snap_start_type << " " << hostname_;
   if (snap_start_type == SSL_SNAP_START_FULL ||
       snap_start_type == SSL_SNAP_START_RESUME) {
     // If we did a successful Snap Start then our information was correct and
     // there's no point saving it again.
     return;
   }
 
   const unsigned char* hello_data;
   unsigned hello_data_len;
@@ skipping 243 matching lines @@
       ssl_config_.false_start_enabled &&
       !SSLConfigService::IsKnownFalseStartIncompatibleServer(hostname_));
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
 #endif
 
 #ifdef SSL_ENABLE_SNAP_START
   // TODO(agl): check that SSL_ENABLE_SNAP_START actually does something in the
   // current NSS code.
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SNAP_START,
-                     SSLConfigService::snap_start_enabled());
+                     ssl_config_.snap_start_enabled);
   if (rv != SECSuccess)
     VLOG(1) << "SSL_ENABLE_SNAP_START failed.  Old system nss?";
 #endif
 
 #ifdef SSL_ENABLE_RENEGOTIATION
   // Deliberately disable this check for now: http://crbug.com/55410
   if (false &&
       SSLConfigService::IsKnownStrictTLSServer(hostname_) &&
       !ssl_config_.mitm_proxies_allowed) {
     rv = SSL_OptionSet(nss_fd_, SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);
@@ skipping 1085 matching lines @@
 
   that->handshake_callback_called_ = true;
 
   that->UpdateServerCert();
   that->UpdateConnectionStatus();
 }
 
 int SSLClientSocketNSS::DoSnapStartLoadInfo() {
   EnterFunction("");
   int rv = ssl_host_info_->WaitForDataReady(&handshake_io_callback_);
+  GotoState(STATE_HANDSHAKE);
 
   if (rv == OK) {
-    if (LoadSnapStartInfo()) {
-      pseudo_connected_ = true;
-      GotoState(STATE_SNAP_START_WAIT_FOR_WRITE);
-      if (user_connect_callback_)
-        DoConnectCallback(OK);
-    } else {
-      GotoState(STATE_HANDSHAKE);
+    if (ssl_host_info_->WaitForCertVerification(NULL) == OK) {
+      if (LoadSnapStartInfo()) {
+        pseudo_connected_ = true;
+        GotoState(STATE_SNAP_START_WAIT_FOR_WRITE);
+        if (user_connect_callback_)
+          DoConnectCallback(OK);
+      }
+    } else if (!ssl_host_info_->state().server_hello.empty()) {
+      // A non-empty ServerHello suggests that we would have tried a Snap Start
+      // connection.
+      base::TimeTicks now = base::TimeTicks::Now();
+      const base::TimeDelta duration =
+          now - ssl_host_info_->verification_start_time();
+      UMA_HISTOGRAM_TIMES("Net.SSLSnapStartNeededVerificationInMs", duration);
+      VLOG(1) << "Cannot snap start because verification isn't ready. "
+              << "Wanted verification after "
+              << duration.InMilliseconds() << "ms";
     }
   } else {
     DCHECK_EQ(ERR_IO_PENDING, rv);
-    GotoState(STATE_SNAP_START_LOAD_INFO);
   }
 
   LeaveFunction("");
   return rv;
 }
 
 int SSLClientSocketNSS::DoSnapStartWaitForWrite() {
   EnterFunction("");
   // In this state, we're waiting for the first Write call so that we can merge
   // it into the Snap Start handshake.
@@ skipping 342 matching lines @@
   DCHECK(server_cert_);
 
   GotoState(STATE_VERIFY_CERT_COMPLETE);
 
   if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty() &&
       predicted_cert_chain_correct_) {
     // If the SSLHostInfo had a prediction for the certificate chain of this
     // server then it will have optimistically started a verification of that
     // chain. So, if the prediction was correct, we should wait for that
     // verification to finish rather than start our own.
+    net_log_.AddEvent(NetLog::TYPE_SSL_VERIFICATION_MERGED, NULL);
+    UMA_HISTOGRAM_ENUMERATION("Net.SSLVerificationMerged", 1 /* true */, 2);
+    base::TimeTicks now = base::TimeTicks::Now();
+    UMA_HISTOGRAM_TIMES("Net.SSLVerificationMergedMsSaved",
+                        now - ssl_host_info_->verification_start_time());
     server_cert_verify_result_ = &ssl_host_info_->cert_verify_result();
     return ssl_host_info_->WaitForCertVerification(&handshake_io_callback_);
+  } else {
+    UMA_HISTOGRAM_ENUMERATION("Net.SSLVerificationMerged", 0 /* false */, 2);
   }
 
   int flags = 0;
   if (ssl_config_.rev_checking_enabled)
     flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
   if (ssl_config_.verify_ev_cert)
     flags |= X509Certificate::VERIFY_EV_CERT;
   verifier_.reset(new CertVerifier);
   server_cert_verify_result_ = &local_server_cert_verify_result_;
   return verifier_->Verify(server_cert_, hostname_, flags,
                            &local_server_cert_verify_result_,
                            &handshake_io_callback_);
 }
 
 // Derived from AuthCertificateCallback() in
 // mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp.
 int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
   verifier_.reset();
 
-  // Using Snap Start disables certificate verification for now.
-  if (SSLConfigService::snap_start_enabled())
-    result = OK;
-
   // We used to remember the intermediate CA certs in the NSS database
   // persistently.  However, NSS opens a connection to the SQLite database
   // during NSS initialization and doesn't close the connection until NSS
   // shuts down.  If the file system where the database resides is gone,
   // the database connection goes bad.  What's worse, the connection won't
   // recover when the file system comes back.  Until this NSS or SQLite bug
   // is fixed, we need to  avoid using the NSS database for non-essential
   // purposes.  See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
   // http://crbug.com/15630 for more info.
 
@@ skipping 127 matching lines @@
     case SSL_CONNECTION_VERSION_TLS1_1:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1);
       break;
     case SSL_CONNECTION_VERSION_TLS1_2:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2);
       break;
   };
 }
 
 }  // namespace net