1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/socket/ssl_client_socket.h"
7 #include "base/metrics/histogram.h"
8 #include "base/metrics/sparse_histogram.h"
9 #include "base/strings/string_util.h"
10 #include "crypto/ec_private_key.h"
11 #include "net/base/connection_type_histograms.h"
12 #include "net/base/host_port_pair.h"
13 #include "net/ssl/channel_id_service.h"
14 #include "net/ssl/ssl_cipher_suite_names.h"
15 #include "net/ssl/ssl_config_service.h"
16 #include "net/ssl/ssl_connection_status_flags.h"
20 SSLClientSocket::SSLClientSocket()
21 : was_npn_negotiated_(false),
22 was_spdy_negotiated_(false),
23 protocol_negotiated_(kProtoUnknown
),
24 channel_id_sent_(false),
25 signed_cert_timestamps_received_(false),
26 stapled_ocsp_response_received_(false),
27 negotiation_extension_(kExtensionUnknown
) {
31 NextProto
SSLClientSocket::NextProtoFromString(
32 const std::string
& proto_string
) {
33 if (proto_string
== "http1.1" || proto_string
== "http/1.1") {
35 } else if (proto_string
== "spdy/2") {
36 return kProtoDeprecatedSPDY2
;
37 } else if (proto_string
== "spdy/3") {
39 } else if (proto_string
== "spdy/3.1") {
41 } else if (proto_string
== "h2-14") {
42 // For internal consistency, HTTP/2 is named SPDY4 within Chromium.
43 // This is the HTTP/2 draft-14 identifier.
44 return kProtoSPDY4_14
;
45 } else if (proto_string
== "h2-15") {
46 // This is the HTTP/2 draft-15 identifier.
47 return kProtoSPDY4_15
;
48 } else if (proto_string
== "quic/1+spdy/3") {
49 return kProtoQUIC1SPDY3
;
56 const char* SSLClientSocket::NextProtoToString(NextProto next_proto
) {
60 case kProtoDeprecatedSPDY2
:
67 // For internal consistency, HTTP/2 is named SPDY4 within Chromium.
68 // This is the HTTP/2 draft-14 identifier.
71 // This is the HTTP/2 draft-15 identifier.
73 case kProtoQUIC1SPDY3
:
74 return "quic/1+spdy/3";
82 const char* SSLClientSocket::NextProtoStatusToString(
83 const SSLClientSocket::NextProtoStatus status
) {
85 case kNextProtoUnsupported
:
87 case kNextProtoNegotiated
:
89 case kNextProtoNoOverlap
:
95 bool SSLClientSocket::WasNpnNegotiated() const {
96 return was_npn_negotiated_
;
99 NextProto
SSLClientSocket::GetNegotiatedProtocol() const {
100 return protocol_negotiated_
;
103 bool SSLClientSocket::IgnoreCertError(int error
, int load_flags
) {
104 return error
== OK
|| (load_flags
& LOAD_IGNORE_ALL_CERT_ERRORS
);
107 bool SSLClientSocket::set_was_npn_negotiated(bool negotiated
) {
108 return was_npn_negotiated_
= negotiated
;
111 bool SSLClientSocket::was_spdy_negotiated() const {
112 return was_spdy_negotiated_
;
115 bool SSLClientSocket::set_was_spdy_negotiated(bool negotiated
) {
116 return was_spdy_negotiated_
= negotiated
;
119 void SSLClientSocket::set_protocol_negotiated(NextProto protocol_negotiated
) {
120 protocol_negotiated_
= protocol_negotiated
;
123 void SSLClientSocket::set_negotiation_extension(
124 SSLNegotiationExtension negotiation_extension
) {
125 negotiation_extension_
= negotiation_extension
;
128 bool SSLClientSocket::WasChannelIDSent() const {
129 return channel_id_sent_
;
132 void SSLClientSocket::set_channel_id_sent(bool channel_id_sent
) {
133 channel_id_sent_
= channel_id_sent
;
136 void SSLClientSocket::set_signed_cert_timestamps_received(
137 bool signed_cert_timestamps_received
) {
138 signed_cert_timestamps_received_
= signed_cert_timestamps_received
;
141 void SSLClientSocket::set_stapled_ocsp_response_received(
142 bool stapled_ocsp_response_received
) {
143 stapled_ocsp_response_received_
= stapled_ocsp_response_received
;
147 void SSLClientSocket::RecordChannelIDSupport(
148 ChannelIDService
* channel_id_service
,
149 bool negotiated_channel_id
,
150 bool channel_id_enabled
,
152 // Since this enum is used for a histogram, do not change or re-use values.
156 CLIENT_AND_SERVER
= 2,
158 CLIENT_BAD_SYSTEM_TIME
= 4,
159 CLIENT_NO_CHANNEL_ID_SERVICE
= 5,
161 } supported
= DISABLED
;
162 if (negotiated_channel_id
) {
163 supported
= CLIENT_AND_SERVER
;
164 } else if (channel_id_enabled
) {
165 if (!channel_id_service
)
166 supported
= CLIENT_NO_CHANNEL_ID_SERVICE
;
167 else if (!supports_ecc
)
168 supported
= CLIENT_NO_ECC
;
169 else if (!channel_id_service
->IsSystemTimeValid())
170 supported
= CLIENT_BAD_SYSTEM_TIME
;
172 supported
= CLIENT_ONLY
;
174 UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported
,
175 CHANNEL_ID_USAGE_MAX
);
179 void SSLClientSocket::RecordConnectionTypeMetrics(int ssl_version
) {
180 UpdateConnectionTypeHistograms(CONNECTION_SSL
);
181 switch (ssl_version
) {
182 case SSL_CONNECTION_VERSION_SSL2
:
183 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2
);
185 case SSL_CONNECTION_VERSION_SSL3
:
186 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3
);
188 case SSL_CONNECTION_VERSION_TLS1
:
189 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1
);
191 case SSL_CONNECTION_VERSION_TLS1_1
:
192 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1
);
194 case SSL_CONNECTION_VERSION_TLS1_2
:
195 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2
);
201 bool SSLClientSocket::IsChannelIDEnabled(
202 const SSLConfig
& ssl_config
,
203 ChannelIDService
* channel_id_service
) {
204 if (!ssl_config
.channel_id_enabled
)
206 if (!channel_id_service
) {
207 DVLOG(1) << "NULL channel_id_service_, not enabling channel ID.";
210 if (!crypto::ECPrivateKey::IsSupported()) {
211 DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID.";
214 if (!channel_id_service
->IsSystemTimeValid()) {
215 DVLOG(1) << "System time is not within the supported range for certificate "
216 "generation, not enabling channel ID.";
223 bool SSLClientSocket::HasCipherAdequateForHTTP2(
224 const std::vector
<uint16
>& cipher_suites
) {
225 for (uint16 cipher
: cipher_suites
) {
226 if (IsSecureTLSCipherSuite(cipher
))
233 bool SSLClientSocket::IsTLSVersionAdequateForHTTP2(
234 const SSLConfig
& ssl_config
) {
235 return ssl_config
.version_max
>= SSL_PROTOCOL_VERSION_TLS1_2
;
239 std::vector
<uint8_t> SSLClientSocket::SerializeNextProtos(
240 const NextProtoVector
& next_protos
,
241 bool can_advertise_http2
) {
242 std::vector
<uint8_t> wire_protos
;
243 for (const NextProto next_proto
: next_protos
) {
244 if (!can_advertise_http2
&& kProtoSPDY4MinimumVersion
<= next_proto
&&
245 next_proto
<= kProtoSPDY4MaximumVersion
) {
248 const std::string proto
= NextProtoToString(next_proto
);
249 if (proto
.size() > 255) {
250 LOG(WARNING
) << "Ignoring overlong NPN/ALPN protocol: " << proto
;
253 if (proto
.size() == 0) {
254 LOG(WARNING
) << "Ignoring empty NPN/ALPN protocol";
257 wire_protos
.push_back(proto
.size());
258 for (const char ch
: proto
) {
259 wire_protos
.push_back(static_cast<uint8_t>(ch
));
266 void SSLClientSocket::RecordNegotiationExtension() {
267 if (negotiation_extension_
== kExtensionUnknown
)
270 SSLClientSocket::NextProtoStatus status
= GetNextProto(&proto
);
271 if (status
== kNextProtoUnsupported
)
273 // Convert protocol into numerical value for histogram.
274 NextProto protocol_negotiated
= SSLClientSocket::NextProtoFromString(proto
);
275 base::HistogramBase::Sample sample
=
276 static_cast<base::HistogramBase::Sample
>(protocol_negotiated
);
277 // In addition to the protocol negotiated, we want to record which TLS
278 // extension was used, and in case of NPN, whether there was overlap between
279 // server and client list of supported protocols.
280 if (negotiation_extension_
== kExtensionNPN
) {
281 if (status
== kNextProtoNoOverlap
) {
287 DCHECK_EQ(kExtensionALPN
, negotiation_extension_
);
289 UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLProtocolNegotiation", sample
);