Add histogram to track NPN/ALPN.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 389 matching lines @@
 // but which also need to be read from the network task runner. The NSS task
 // runner will notify the network task runner whenever this state changes, so
 // that the network task runner can safely make a copy, which avoids the need
 // for locking.
 struct HandshakeState {
   HandshakeState() { Reset(); }
 
   void Reset() {
     next_proto_status = SSLClientSocket::kNextProtoUnsupported;
     next_proto.clear();
+    negotiation_extension_ = SSLClientSocket::kExtensionUnknown;
     channel_id_sent = false;
     server_cert_chain.Reset(NULL);
     server_cert = NULL;
     sct_list_from_tls_extension.clear();
     stapled_ocsp_response.clear();
     resumed_handshake = false;
     ssl_connection_status = 0;
   }
 
   // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the
   // negotiated protocol stored in |next_proto|.
   SSLClientSocket::NextProtoStatus next_proto_status;
   std::string next_proto;
 
+  // TLS extension used for protocol negotiation.
+  SSLClientSocket::SSLNegotiationExtension negotiation_extension_;
+
   // True if a channel ID was sent.
   bool channel_id_sent;
 
   // List of DER-encoded X.509 DistinguishedName of certificate authorities
   // allowed by the server.
   std::vector<std::string> cert_authorities;
 
   // Set when the handshake fully completes.
   //
   // The server certificate is first received from NSS as an NSS certificate
@@ skipping 318 matching lines @@
   // the SignedCertificateTimestampList received in the stapled OCSP response.
   void UpdateStapledOCSPResponse();
   // Updates the nss_handshake_state_ with the negotiated security parameters.
   void UpdateConnectionStatus();
   // Record histograms for channel id support during full handshakes - resumed
   // handshakes are ignored.
   void RecordChannelIDSupportOnNSSTaskRunner();
   // UpdateNextProto gets any application-layer protocol that may have been
   // negotiated by the TLS connection.
   void UpdateNextProto();
+  // Record TLS extension used for protocol negotiation (NPN or ALPN).
+  void UpdateExtensionUsed();
 
   ////////////////////////////////////////////////////////////////////////////
   // Methods that are ONLY called on the network task runner:
   ////////////////////////////////////////////////////////////////////////////
   int DoBufferRecv(IOBuffer* buffer, int len);
   int DoBufferSend(IOBuffer* buffer, int len);
   int DoGetChannelID(const std::string& host);
 
   void OnGetChannelIDComplete(int result);
   void OnHandshakeStateUpdated(const HandshakeState& state);
@@ skipping 861 matching lines @@
   } else {
     nss_handshake_state_.resumed_handshake = false;
   }
 
   RecordChannelIDSupportOnNSSTaskRunner();
   UpdateServerCert();
   UpdateSignedCertTimestamps();
   UpdateStapledOCSPResponse();
   UpdateConnectionStatus();
   UpdateNextProto();
+  UpdateExtensionUsed();
 
   // Update the network task runners view of the handshake state whenever
   // a handshake has completed.
   PostOrRunCallback(
       FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
                             nss_handshake_state_));
 }
 
 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error) {
   DCHECK(OnNSSTaskRunner());
@@ skipping 831 matching lines @@
       break;
     case SSL_NEXT_PROTO_NO_SUPPORT:
       nss_handshake_state_.next_proto_status = kNextProtoUnsupported;
       break;
     default:
       NOTREACHED();
       break;
   }
 }
 
+void SSLClientSocketNSS::Core::UpdateExtensionUsed() {
+  PRBool negotiated_extension;
+  SECStatus rv = SSL_HandshakeNegotiatedExtension(nss_fd_,
+                                                  ssl_app_layer_protocol_xtn,
+                                                  &negotiated_extension);
+  if (rv == SECSuccess && negotiated_extension) {
+    nss_handshake_state_.negotiation_extension_ = kExtensionALPN;
+  } else {
+    rv = SSL_HandshakeNegotiatedExtension(nss_fd_,
+                                          ssl_next_proto_nego_xtn,
+                                          &negotiated_extension);
+    if (rv == SECSuccess && negotiated_extension) {
+      nss_handshake_state_.negotiation_extension_ = kExtensionNPN;
+    }
+  }
+}
+
 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() {
   DCHECK(OnNSSTaskRunner());
   if (nss_handshake_state_.resumed_handshake)
     return;
 
   // Copy the NSS task runner-only state to the network task runner and
   // log histograms from there, since the histograms also need access to the
   // network task runner state.
   PostOrRunCallback(
       FROM_HERE,
@@ skipping 812 matching lines @@
   if (result == OK) {
     // SSL handshake is completed. Let's verify the certificate.
     GotoState(STATE_VERIFY_CERT);
     // Done!
   }
   set_channel_id_sent(core_->state().channel_id_sent);
   set_signed_cert_timestamps_received(
       !core_->state().sct_list_from_tls_extension.empty());
   set_stapled_ocsp_response_received(
       !core_->state().stapled_ocsp_response.empty());
+  set_negotiation_extension(core_->state().negotiation_extension_);
 
   LeaveFunction(result);
   return result;
 }
 
 int SSLClientSocketNSS::DoVerifyCert(int result) {
   DCHECK(!core_->state().server_cert_chain.empty());
   DCHECK(core_->state().server_cert_chain[0]);
 
   GotoState(STATE_VERIFY_CERT_COMPLETE);
@@ skipping 187 matching lines @@
 scoped_refptr<X509Certificate>
 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
   return core_->state().server_cert.get();
 }
 
 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
   return channel_id_service_;
 }
 
 }  // namespace net