Chromium Code Reviews Chromium Code Reviews
Issue 1127623005:
Gather metrics classifying the cause of the TLS fallback. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@fallback-required| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| (...skipping 20 matching lines...) Expand all Loading... | |
| 31 #include "net/cert/cert_verifier.h" | 31 #include "net/cert/cert_verifier.h" |
| 32 #include "net/cert/ct_ev_whitelist.h" | 32 #include "net/cert/ct_ev_whitelist.h" |
| 33 #include "net/cert/ct_verifier.h" | 33 #include "net/cert/ct_verifier.h" |
| 34 #include "net/cert/x509_certificate_net_log_param.h" | 34 #include "net/cert/x509_certificate_net_log_param.h" |
| 35 #include "net/cert/x509_util_openssl.h" | 35 #include "net/cert/x509_util_openssl.h" |
| 36 #include "net/http/transport_security_state.h" | 36 #include "net/http/transport_security_state.h" |
| 37 #include "net/ssl/scoped_openssl_types.h" | 37 #include "net/ssl/scoped_openssl_types.h" |
| 38 #include "net/ssl/ssl_cert_request_info.h" | 38 #include "net/ssl/ssl_cert_request_info.h" |
| 39 #include "net/ssl/ssl_client_session_cache_openssl.h" | 39 #include "net/ssl/ssl_client_session_cache_openssl.h" |
| 40 #include "net/ssl/ssl_connection_status_flags.h" | 40 #include "net/ssl/ssl_connection_status_flags.h" |
| 41 #include "net/ssl/ssl_failure_state.h" | |
| 41 #include "net/ssl/ssl_info.h" | 42 #include "net/ssl/ssl_info.h" |
| 42 | 43 |
| 43 #if defined(OS_WIN) | 44 #if defined(OS_WIN) |
| 44 #include "base/win/windows_version.h" | 45 #include "base/win/windows_version.h" |
| 45 #endif | 46 #endif |
| 46 | 47 |
| 47 #if defined(USE_OPENSSL_CERTS) | 48 #if defined(USE_OPENSSL_CERTS) |
| 48 #include "net/ssl/openssl_client_key_store.h" | 49 #include "net/ssl/openssl_client_key_store.h" |
| 49 #else | 50 #else |
| 50 #include "net/ssl/openssl_platform_key.h" | 51 #include "net/ssl/openssl_platform_key.h" |
| (...skipping 313 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 364 transport_bio_(NULL), | 365 transport_bio_(NULL), |
| 365 transport_(transport_socket.Pass()), | 366 transport_(transport_socket.Pass()), |
| 366 host_and_port_(host_and_port), | 367 host_and_port_(host_and_port), |
| 367 ssl_config_(ssl_config), | 368 ssl_config_(ssl_config), |
| 368 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 369 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
| 369 next_handshake_state_(STATE_NONE), | 370 next_handshake_state_(STATE_NONE), |
| 370 npn_status_(kNextProtoUnsupported), | 371 npn_status_(kNextProtoUnsupported), |
| 371 channel_id_sent_(false), | 372 channel_id_sent_(false), |
| 372 handshake_completed_(false), | 373 handshake_completed_(false), |
| 373 certificate_verified_(false), | 374 certificate_verified_(false), |
| 375 ssl_failure_state_(kSSLFailureNone), | |
| 374 transport_security_state_(context.transport_security_state), | 376 transport_security_state_(context.transport_security_state), |
| 375 policy_enforcer_(context.cert_policy_enforcer), | 377 policy_enforcer_(context.cert_policy_enforcer), |
| 376 net_log_(transport_->socket()->NetLog()), | 378 net_log_(transport_->socket()->NetLog()), |
| 377 weak_factory_(this) { | 379 weak_factory_(this) { |
| 378 DCHECK(cert_verifier_); | 380 DCHECK(cert_verifier_); |
| 379 } | 381 } |
| 380 | 382 |
| 381 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { | 383 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { |
| 382 Disconnect(); | 384 Disconnect(); |
| 383 } | 385 } |
| 384 | 386 |
| 385 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo( | 387 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo( |
| 386 SSLCertRequestInfo* cert_request_info) { | 388 SSLCertRequestInfo* cert_request_info) { |
| 387 cert_request_info->host_and_port = host_and_port_; | 389 cert_request_info->host_and_port = host_and_port_; |
| 388 cert_request_info->cert_authorities = cert_authorities_; | 390 cert_request_info->cert_authorities = cert_authorities_; |
| 389 cert_request_info->cert_key_types = cert_key_types_; | 391 cert_request_info->cert_key_types = cert_key_types_; |
| 390 } | 392 } |
| 391 | 393 |
| 392 SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto( | 394 SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto( |
| 393 std::string* proto) const { | 395 std::string* proto) const { |
| 394 *proto = npn_proto_; | 396 *proto = npn_proto_; |
| 395 return npn_status_; | 397 return npn_status_; |
| 396 } | 398 } |
| 397 | 399 |
| 398 ChannelIDService* | 400 ChannelIDService* |
| 399 SSLClientSocketOpenSSL::GetChannelIDService() const { | 401 SSLClientSocketOpenSSL::GetChannelIDService() const { |
| 400 return channel_id_service_; | 402 return channel_id_service_; |
| 401 } | 403 } |
| 402 | 404 |
| 405 SSLFailureState SSLClientSocketOpenSSL::GetSSLFailureState() const { | |
| 406 return ssl_failure_state_; | |
|
Ryan Sleevi
2015/05/13 22:26:36
BUG: You never reset this in Disconnect()
DOUBLE
davidben
2015/05/14 23:24:34
Done.
| |
| 407 } | |
| 408 | |
| 403 int SSLClientSocketOpenSSL::ExportKeyingMaterial( | 409 int SSLClientSocketOpenSSL::ExportKeyingMaterial( |
| 404 const base::StringPiece& label, | 410 const base::StringPiece& label, |
| 405 bool has_context, const base::StringPiece& context, | 411 bool has_context, const base::StringPiece& context, |
| 406 unsigned char* out, unsigned int outlen) { | 412 unsigned char* out, unsigned int outlen) { |
| 407 if (!IsConnected()) | 413 if (!IsConnected()) |
| 408 return ERR_SOCKET_NOT_CONNECTED; | 414 return ERR_SOCKET_NOT_CONNECTED; |
| 409 | 415 |
| 410 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 416 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 411 | 417 |
| 412 int rv = SSL_export_keying_material( | 418 int rv = SSL_export_keying_material( |
| (...skipping 520 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 933 // If not done, stay in this state | 939 // If not done, stay in this state |
| 934 GotoState(STATE_HANDSHAKE); | 940 GotoState(STATE_HANDSHAKE); |
| 935 return ERR_IO_PENDING; | 941 return ERR_IO_PENDING; |
| 936 } | 942 } |
| 937 | 943 |
| 938 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code " | 944 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code " |
| 939 << ssl_error << ", net_error " << net_error; | 945 << ssl_error << ", net_error " << net_error; |
| 940 net_log_.AddEvent( | 946 net_log_.AddEvent( |
| 941 NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 947 NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
| 942 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); | 948 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info)); |
| 949 | |
| 950 // Classify the handshake failure. This is used to determine causes of the | |
| 951 // TLS version fallback. | |
| 952 | |
| 953 // |cipher| is the current outgoing cipher suite, so it is non-null iff | |
| 954 // ChangeCipherSpec was sent. | |
| 955 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); | |
| 956 if (SSL_get_state(ssl_) == SSL3_ST_CR_SRVR_HELLO_A) { | |
| 957 ssl_failure_state_ = kSSLFailureClientHello; | |
| 958 } else if (cipher && (SSL_CIPHER_get_id(cipher) == | |
| 959 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256 || | |
| 960 SSL_CIPHER_get_id(cipher) == | |
| 961 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256)) { | |
| 962 ssl_failure_state_ = kSSLFailureBuggyGCM; | |
| 963 } else if (cipher && ssl_config_.send_client_cert) { | |
| 964 ssl_failure_state_ = kSSLFailureClientAuth; | |
| 965 } else if (ERR_GET_LIB(error_info.error_code) == ERR_LIB_SSL && | |
| 966 ERR_GET_REASON(error_info.error_code) == | |
| 967 SSL_R_OLD_SESSION_VERSION_NOT_RETURNED) { | |
| 968 ssl_failure_state_ = kSSLFailureSessionMismatch; | |
| 969 } else if (cipher && npn_status_ != kNextProtoUnsupported) { | |
| 970 ssl_failure_state_ = kSSLFailureNextProto; | |
| 971 } else { | |
| 972 ssl_failure_state_ = kSSLFailureUnknown; | |
| 973 } | |
| 943 } | 974 } |
| 944 | 975 |
| 945 GotoState(STATE_HANDSHAKE_COMPLETE); | 976 GotoState(STATE_HANDSHAKE_COMPLETE); |
| 946 return net_error; | 977 return net_error; |
| 947 } | 978 } |
| 948 | 979 |
| 949 int SSLClientSocketOpenSSL::DoHandshakeComplete(int result) { | 980 int SSLClientSocketOpenSSL::DoHandshakeComplete(int result) { |
| 950 if (result < 0) | 981 if (result < 0) |
| 951 return result; | 982 return result; |
| 952 | 983 |
| (...skipping 961 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1914 } | 1945 } |
| 1915 return false; | 1946 return false; |
| 1916 } | 1947 } |
| 1917 | 1948 |
| 1918 scoped_refptr<X509Certificate> | 1949 scoped_refptr<X509Certificate> |
| 1919 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1950 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 1920 return server_cert_; | 1951 return server_cert_; |
| 1921 } | 1952 } |
| 1922 | 1953 |
| 1923 } // namespace net | 1954 } // namespace net |
| OLD | NEW |
