OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/socket/ssl_client_socket.h" | |
6 | |
7 #include "base/metrics/histogram.h" | |
8 #include "base/metrics/sparse_histogram.h" | |
9 #include "base/strings/string_util.h" | |
10 #include "crypto/ec_private_key.h" | |
11 #include "net/base/connection_type_histograms.h" | |
12 #include "net/base/host_port_pair.h" | |
13 #include "net/ssl/channel_id_service.h" | |
14 #include "net/ssl/ssl_cipher_suite_names.h" | |
15 #include "net/ssl/ssl_config_service.h" | |
16 #include "net/ssl/ssl_connection_status_flags.h" | |
17 | |
18 namespace net { | |
19 | |
20 SSLClientSocket::SSLClientSocket() | |
21 : was_npn_negotiated_(false), | |
22 was_spdy_negotiated_(false), | |
23 protocol_negotiated_(kProtoUnknown), | |
24 channel_id_sent_(false), | |
25 signed_cert_timestamps_received_(false), | |
26 stapled_ocsp_response_received_(false), | |
27 negotiation_extension_(kExtensionUnknown) { | |
28 } | |
29 | |
30 // static | |
31 NextProto SSLClientSocket::NextProtoFromString( | |
32 const std::string& proto_string) { | |
33 if (proto_string == "http1.1" || proto_string == "http/1.1") { | |
34 return kProtoHTTP11; | |
35 } else if (proto_string == "spdy/2") { | |
36 return kProtoDeprecatedSPDY2; | |
37 } else if (proto_string == "spdy/3") { | |
38 return kProtoSPDY3; | |
39 } else if (proto_string == "spdy/3.1") { | |
40 return kProtoSPDY31; | |
41 } else if (proto_string == "h2-14") { | |
42 // For internal consistency, HTTP/2 is named SPDY4 within Chromium. | |
43 // This is the HTTP/2 draft-14 identifier. | |
44 return kProtoSPDY4_14; | |
45 } else if (proto_string == "h2-15") { | |
46 // This is the HTTP/2 draft-15 identifier. | |
47 return kProtoSPDY4_15; | |
48 } else if (proto_string == "quic/1+spdy/3") { | |
49 return kProtoQUIC1SPDY3; | |
50 } else { | |
51 return kProtoUnknown; | |
52 } | |
53 } | |
54 | |
55 // static | |
56 const char* SSLClientSocket::NextProtoToString(NextProto next_proto) { | |
57 switch (next_proto) { | |
58 case kProtoHTTP11: | |
59 return "http/1.1"; | |
60 case kProtoDeprecatedSPDY2: | |
61 return "spdy/2"; | |
62 case kProtoSPDY3: | |
63 return "spdy/3"; | |
64 case kProtoSPDY31: | |
65 return "spdy/3.1"; | |
66 case kProtoSPDY4_14: | |
67 // For internal consistency, HTTP/2 is named SPDY4 within Chromium. | |
68 // This is the HTTP/2 draft-14 identifier. | |
69 return "h2-14"; | |
70 case kProtoSPDY4_15: | |
71 // This is the HTTP/2 draft-15 identifier. | |
72 return "h2-15"; | |
73 case kProtoQUIC1SPDY3: | |
74 return "quic/1+spdy/3"; | |
75 case kProtoUnknown: | |
76 break; | |
77 } | |
78 return "unknown"; | |
79 } | |
80 | |
81 // static | |
82 const char* SSLClientSocket::NextProtoStatusToString( | |
83 const SSLClientSocket::NextProtoStatus status) { | |
84 switch (status) { | |
85 case kNextProtoUnsupported: | |
86 return "unsupported"; | |
87 case kNextProtoNegotiated: | |
88 return "negotiated"; | |
89 case kNextProtoNoOverlap: | |
90 return "no-overlap"; | |
91 } | |
92 return NULL; | |
93 } | |
94 | |
95 bool SSLClientSocket::WasNpnNegotiated() const { | |
96 return was_npn_negotiated_; | |
97 } | |
98 | |
99 NextProto SSLClientSocket::GetNegotiatedProtocol() const { | |
100 return protocol_negotiated_; | |
101 } | |
102 | |
103 bool SSLClientSocket::IgnoreCertError(int error, int load_flags) { | |
104 return error == OK || (load_flags & LOAD_IGNORE_ALL_CERT_ERRORS); | |
105 } | |
106 | |
107 bool SSLClientSocket::set_was_npn_negotiated(bool negotiated) { | |
108 return was_npn_negotiated_ = negotiated; | |
109 } | |
110 | |
111 bool SSLClientSocket::was_spdy_negotiated() const { | |
112 return was_spdy_negotiated_; | |
113 } | |
114 | |
115 bool SSLClientSocket::set_was_spdy_negotiated(bool negotiated) { | |
116 return was_spdy_negotiated_ = negotiated; | |
117 } | |
118 | |
119 void SSLClientSocket::set_protocol_negotiated(NextProto protocol_negotiated) { | |
120 protocol_negotiated_ = protocol_negotiated; | |
121 } | |
122 | |
123 void SSLClientSocket::set_negotiation_extension( | |
124 SSLNegotiationExtension negotiation_extension) { | |
125 negotiation_extension_ = negotiation_extension; | |
126 } | |
127 | |
128 bool SSLClientSocket::WasChannelIDSent() const { | |
129 return channel_id_sent_; | |
130 } | |
131 | |
132 void SSLClientSocket::set_channel_id_sent(bool channel_id_sent) { | |
133 channel_id_sent_ = channel_id_sent; | |
134 } | |
135 | |
136 void SSLClientSocket::set_signed_cert_timestamps_received( | |
137 bool signed_cert_timestamps_received) { | |
138 signed_cert_timestamps_received_ = signed_cert_timestamps_received; | |
139 } | |
140 | |
141 void SSLClientSocket::set_stapled_ocsp_response_received( | |
142 bool stapled_ocsp_response_received) { | |
143 stapled_ocsp_response_received_ = stapled_ocsp_response_received; | |
144 } | |
145 | |
146 // static | |
147 void SSLClientSocket::RecordChannelIDSupport( | |
148 ChannelIDService* channel_id_service, | |
149 bool negotiated_channel_id, | |
150 bool channel_id_enabled, | |
151 bool supports_ecc) { | |
152 // Since this enum is used for a histogram, do not change or re-use values. | |
153 enum { | |
154 DISABLED = 0, | |
155 CLIENT_ONLY = 1, | |
156 CLIENT_AND_SERVER = 2, | |
157 CLIENT_NO_ECC = 3, | |
158 CLIENT_BAD_SYSTEM_TIME = 4, | |
159 CLIENT_NO_CHANNEL_ID_SERVICE = 5, | |
160 CHANNEL_ID_USAGE_MAX | |
161 } supported = DISABLED; | |
162 if (negotiated_channel_id) { | |
163 supported = CLIENT_AND_SERVER; | |
164 } else if (channel_id_enabled) { | |
165 if (!channel_id_service) | |
166 supported = CLIENT_NO_CHANNEL_ID_SERVICE; | |
167 else if (!supports_ecc) | |
168 supported = CLIENT_NO_ECC; | |
169 else if (!channel_id_service->IsSystemTimeValid()) | |
170 supported = CLIENT_BAD_SYSTEM_TIME; | |
171 else | |
172 supported = CLIENT_ONLY; | |
173 } | |
174 UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported, | |
175 CHANNEL_ID_USAGE_MAX); | |
176 } | |
177 | |
178 // static | |
179 void SSLClientSocket::RecordConnectionTypeMetrics(int ssl_version) { | |
180 UpdateConnectionTypeHistograms(CONNECTION_SSL); | |
181 switch (ssl_version) { | |
182 case SSL_CONNECTION_VERSION_SSL2: | |
183 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); | |
184 break; | |
185 case SSL_CONNECTION_VERSION_SSL3: | |
186 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3); | |
187 break; | |
188 case SSL_CONNECTION_VERSION_TLS1: | |
189 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1); | |
190 break; | |
191 case SSL_CONNECTION_VERSION_TLS1_1: | |
192 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); | |
193 break; | |
194 case SSL_CONNECTION_VERSION_TLS1_2: | |
195 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); | |
196 break; | |
197 } | |
198 } | |
199 | |
200 // static | |
201 bool SSLClientSocket::IsChannelIDEnabled( | |
202 const SSLConfig& ssl_config, | |
203 ChannelIDService* channel_id_service) { | |
204 if (!ssl_config.channel_id_enabled) | |
205 return false; | |
206 if (!channel_id_service) { | |
207 DVLOG(1) << "NULL channel_id_service_, not enabling channel ID."; | |
208 return false; | |
209 } | |
210 if (!crypto::ECPrivateKey::IsSupported()) { | |
211 DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID."; | |
212 return false; | |
213 } | |
214 if (!channel_id_service->IsSystemTimeValid()) { | |
215 DVLOG(1) << "System time is not within the supported range for certificate " | |
216 "generation, not enabling channel ID."; | |
217 return false; | |
218 } | |
219 return true; | |
220 } | |
221 | |
222 // static | |
223 bool SSLClientSocket::HasCipherAdequateForHTTP2( | |
224 const std::vector<uint16>& cipher_suites) { | |
225 for (uint16 cipher : cipher_suites) { | |
226 if (IsSecureTLSCipherSuite(cipher)) | |
227 return true; | |
228 } | |
229 return false; | |
230 } | |
231 | |
232 // static | |
233 bool SSLClientSocket::IsTLSVersionAdequateForHTTP2( | |
234 const SSLConfig& ssl_config) { | |
235 return ssl_config.version_max >= SSL_PROTOCOL_VERSION_TLS1_2; | |
236 } | |
237 | |
238 // static | |
239 std::vector<uint8_t> SSLClientSocket::SerializeNextProtos( | |
240 const NextProtoVector& next_protos, | |
241 bool can_advertise_http2) { | |
242 std::vector<uint8_t> wire_protos; | |
243 for (const NextProto next_proto : next_protos) { | |
244 if (!can_advertise_http2 && kProtoSPDY4MinimumVersion <= next_proto && | |
245 next_proto <= kProtoSPDY4MaximumVersion) { | |
246 continue; | |
247 } | |
248 const std::string proto = NextProtoToString(next_proto); | |
249 if (proto.size() > 255) { | |
250 LOG(WARNING) << "Ignoring overlong NPN/ALPN protocol: " << proto; | |
251 continue; | |
252 } | |
253 if (proto.size() == 0) { | |
254 LOG(WARNING) << "Ignoring empty NPN/ALPN protocol"; | |
255 continue; | |
256 } | |
257 wire_protos.push_back(proto.size()); | |
258 for (const char ch : proto) { | |
259 wire_protos.push_back(static_cast<uint8_t>(ch)); | |
260 } | |
261 } | |
262 | |
263 return wire_protos; | |
264 } | |
265 | |
266 void SSLClientSocket::RecordNegotiationExtension() { | |
267 if (negotiation_extension_ == kExtensionUnknown) | |
268 return; | |
269 std::string proto; | |
270 SSLClientSocket::NextProtoStatus status = GetNextProto(&proto); | |
271 if (status == kNextProtoUnsupported) | |
272 return; | |
273 // Convert protocol into numerical value for histogram. | |
274 NextProto protocol_negotiated = SSLClientSocket::NextProtoFromString(proto); | |
275 base::HistogramBase::Sample sample = | |
276 static_cast<base::HistogramBase::Sample>(protocol_negotiated); | |
277 // In addition to the protocol negotiated, we want to record which TLS | |
278 // extension was used, and in case of NPN, whether there was overlap between | |
279 // server and client list of supported protocols. | |
280 if (negotiation_extension_ == kExtensionNPN) { | |
281 if (status == kNextProtoNoOverlap) { | |
282 sample += 1000; | |
283 } else { | |
284 sample += 500; | |
285 } | |
286 } else { | |
287 DCHECK_EQ(kExtensionALPN, negotiation_extension_); | |
288 } | |
289 UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLProtocolNegotiation", sample); | |
290 } | |
291 | |
292 } // namespace net | |
OLD | NEW |