| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 79 #include "base/strings/stringprintf.h" | 79 #include "base/strings/stringprintf.h" |
| 80 #include "base/thread_task_runner_handle.h" | 80 #include "base/thread_task_runner_handle.h" |
| 81 #include "base/threading/thread_restrictions.h" | 81 #include "base/threading/thread_restrictions.h" |
| 82 #include "base/values.h" | 82 #include "base/values.h" |
| 83 #include "crypto/ec_private_key.h" | 83 #include "crypto/ec_private_key.h" |
| 84 #include "crypto/nss_util.h" | 84 #include "crypto/nss_util.h" |
| 85 #include "crypto/nss_util_internal.h" | 85 #include "crypto/nss_util_internal.h" |
| 86 #include "crypto/rsa_private_key.h" | 86 #include "crypto/rsa_private_key.h" |
| 87 #include "crypto/scoped_nss_types.h" | 87 #include "crypto/scoped_nss_types.h" |
| 88 #include "net/base/address_list.h" | 88 #include "net/base/address_list.h" |
| 89 #include "net/base/connection_type_histograms.h" | |
| 90 #include "net/base/dns_util.h" | 89 #include "net/base/dns_util.h" |
| 91 #include "net/base/io_buffer.h" | 90 #include "net/base/io_buffer.h" |
| 92 #include "net/base/net_errors.h" | 91 #include "net/base/net_errors.h" |
| 93 #include "net/base/net_log.h" | 92 #include "net/base/net_log.h" |
| 94 #include "net/cert/asn1_util.h" | 93 #include "net/cert/asn1_util.h" |
| 95 #include "net/cert/cert_status_flags.h" | 94 #include "net/cert/cert_status_flags.h" |
| 96 #include "net/cert/cert_verifier.h" | 95 #include "net/cert/cert_verifier.h" |
| 97 #include "net/cert/ct_ev_whitelist.h" | 96 #include "net/cert/ct_ev_whitelist.h" |
| 98 #include "net/cert/ct_verifier.h" | 97 #include "net/cert/ct_verifier.h" |
| 99 #include "net/cert/ct_verify_result.h" | 98 #include "net/cert/ct_verify_result.h" |
| (...skipping 3385 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3485 // shuts down. If the file system where the database resides is gone, | 3484 // shuts down. If the file system where the database resides is gone, |
| 3486 // the database connection goes bad. What's worse, the connection won't | 3485 // the database connection goes bad. What's worse, the connection won't |
| 3487 // recover when the file system comes back. Until this NSS or SQLite bug | 3486 // recover when the file system comes back. Until this NSS or SQLite bug |
| 3488 // is fixed, we need to avoid using the NSS database for non-essential | 3487 // is fixed, we need to avoid using the NSS database for non-essential |
| 3489 // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and | 3488 // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and |
| 3490 // http://crbug.com/15630 for more info. | 3489 // http://crbug.com/15630 for more info. |
| 3491 | 3490 |
| 3492 // TODO(hclam): Skip logging if server cert was expected to be bad because | 3491 // TODO(hclam): Skip logging if server cert was expected to be bad because |
| 3493 // |server_cert_verify_result_| doesn't contain all the information about | 3492 // |server_cert_verify_result_| doesn't contain all the information about |
| 3494 // the cert. | 3493 // the cert. |
| 3495 if (result == OK) | 3494 if (result == OK) { |
| 3496 LogConnectionTypeMetrics(); | 3495 int ssl_version = |
| 3496 SSLConnectionStatusToVersion(core_->state().ssl_connection_status); |
| 3497 RecordConnectionTypeMetrics(ssl_version); |
| 3498 } |
| 3497 | 3499 |
| 3498 const CertStatus cert_status = server_cert_verify_result_.cert_status; | 3500 const CertStatus cert_status = server_cert_verify_result_.cert_status; |
| 3499 if (transport_security_state_ && | 3501 if (transport_security_state_ && |
| 3500 (result == OK || | 3502 (result == OK || |
| 3501 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 3503 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 3502 !transport_security_state_->CheckPublicKeyPins( | 3504 !transport_security_state_->CheckPublicKeyPins( |
| 3503 host_and_port_.host(), | 3505 host_and_port_.host(), |
| 3504 server_cert_verify_result_.is_issued_by_known_root, | 3506 server_cert_verify_result_.is_issued_by_known_root, |
| 3505 server_cert_verify_result_.public_key_hashes, | 3507 server_cert_verify_result_.public_key_hashes, |
| 3506 &pinning_failure_log_)) { | 3508 &pinning_failure_log_)) { |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3554 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension | 3556 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension |
| 3555 // from the state after verification is complete, to conserve memory. | 3557 // from the state after verification is complete, to conserve memory. |
| 3556 | 3558 |
| 3557 VLOG(1) << "CT Verification complete: result " << result | 3559 VLOG(1) << "CT Verification complete: result " << result |
| 3558 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 3560 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() |
| 3559 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 3561 << " Verified scts: " << ct_verify_result_.verified_scts.size() |
| 3560 << " scts from unknown logs: " | 3562 << " scts from unknown logs: " |
| 3561 << ct_verify_result_.unknown_logs_scts.size(); | 3563 << ct_verify_result_.unknown_logs_scts.size(); |
| 3562 } | 3564 } |
| 3563 | 3565 |
| 3564 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { | |
| 3565 UpdateConnectionTypeHistograms(CONNECTION_SSL); | |
| 3566 int ssl_version = SSLConnectionStatusToVersion( | |
| 3567 core_->state().ssl_connection_status); | |
| 3568 switch (ssl_version) { | |
| 3569 case SSL_CONNECTION_VERSION_SSL2: | |
| 3570 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); | |
| 3571 break; | |
| 3572 case SSL_CONNECTION_VERSION_SSL3: | |
| 3573 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3); | |
| 3574 break; | |
| 3575 case SSL_CONNECTION_VERSION_TLS1: | |
| 3576 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1); | |
| 3577 break; | |
| 3578 case SSL_CONNECTION_VERSION_TLS1_1: | |
| 3579 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); | |
| 3580 break; | |
| 3581 case SSL_CONNECTION_VERSION_TLS1_2: | |
| 3582 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); | |
| 3583 break; | |
| 3584 }; | |
| 3585 } | |
| 3586 | |
| 3587 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { | 3566 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { |
| 3588 base::AutoLock auto_lock(lock_); | 3567 base::AutoLock auto_lock(lock_); |
| 3589 if (valid_thread_id_ != base::kInvalidThreadId) | 3568 if (valid_thread_id_ != base::kInvalidThreadId) |
| 3590 return; | 3569 return; |
| 3591 valid_thread_id_ = base::PlatformThread::CurrentId(); | 3570 valid_thread_id_ = base::PlatformThread::CurrentId(); |
| 3592 } | 3571 } |
| 3593 | 3572 |
| 3594 bool SSLClientSocketNSS::CalledOnValidThread() const { | 3573 bool SSLClientSocketNSS::CalledOnValidThread() const { |
| 3595 EnsureThreadIdAssigned(); | 3574 EnsureThreadIdAssigned(); |
| 3596 base::AutoLock auto_lock(lock_); | 3575 base::AutoLock auto_lock(lock_); |
| (...skipping 25 matching lines...) Expand all Loading... |
| 3622 scoped_refptr<X509Certificate> | 3601 scoped_refptr<X509Certificate> |
| 3623 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3602 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
| 3624 return core_->state().server_cert.get(); | 3603 return core_->state().server_cert.get(); |
| 3625 } | 3604 } |
| 3626 | 3605 |
| 3627 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3606 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
| 3628 return channel_id_service_; | 3607 return channel_id_service_; |
| 3629 } | 3608 } |
| 3630 | 3609 |
| 3631 } // namespace net | 3610 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 698283003:
Record ConnectionType metrics in OpenSSL. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master