net/socket/ssl_client_socket.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/socket/ssl_client_socket.h"
   6
   7 #include "base/metrics/histogram.h"
   8 #include "base/metrics/sparse_histogram.h"
   9 #include "base/strings/string_util.h"
  10 #include "crypto/ec_private_key.h"
  11 #include "net/base/connection_type_histograms.h"
  12 #include "net/base/net_errors.h"
  13 #include "net/ssl/channel_id_service.h"
  14 #include "net/ssl/ssl_cipher_suite_names.h"
  15 #include "net/ssl/ssl_config_service.h"
  16 #include "net/ssl/ssl_connection_status_flags.h"
  17
  18 namespace net {
  19
  20 SSLClientSocket::SSLClientSocket()
  21     : was_npn_negotiated_(false),
  22       was_spdy_negotiated_(false),
  23       protocol_negotiated_(kProtoUnknown),
  24       channel_id_sent_(false),
  25       signed_cert_timestamps_received_(false),
  26       stapled_ocsp_response_received_(false),
  27       negotiation_extension_(kExtensionUnknown) {
  28 }
  29
  30 // static
  31 NextProto SSLClientSocket::NextProtoFromString(
  32     const std::string& proto_string) {
  33   if (proto_string == "http1.1" || proto_string == "http/1.1") {
  34     return kProtoHTTP11;
  35   } else if (proto_string == "spdy/2") {
  36     return kProtoDeprecatedSPDY2;
  37   } else if (proto_string == "spdy/3") {
  38     return kProtoSPDY3;
  39   } else if (proto_string == "spdy/3.1") {
  40     return kProtoSPDY31;
  41   } else if (proto_string == "h2-14") {
  42     // For internal consistency, HTTP/2 is named SPDY4 within Chromium.
  43     // This is the HTTP/2 draft-14 identifier.
  44     return kProtoSPDY4_14;
  45   } else if (proto_string == "h2") {
  46     return kProtoSPDY4;
  47   } else if (proto_string == "quic/1+spdy/3") {
  48     return kProtoQUIC1SPDY3;
  49   } else {
  50     return kProtoUnknown;
  51   }
  52 }
  53
  54 // static
  55 const char* SSLClientSocket::NextProtoToString(NextProto next_proto) {
  56   switch (next_proto) {
  57     case kProtoHTTP11:
  58       return "http/1.1";
  59     case kProtoDeprecatedSPDY2:
  60       return "spdy/2";
  61     case kProtoSPDY3:
  62       return "spdy/3";
  63     case kProtoSPDY31:
  64       return "spdy/3.1";
  65     case kProtoSPDY4_14:
  66       // For internal consistency, HTTP/2 is named SPDY4 within Chromium.
  67       // This is the HTTP/2 draft-14 identifier.
  68       return "h2-14";
  69     case kProtoSPDY4:
  70       return "h2";
  71     case kProtoQUIC1SPDY3:
  72       return "quic/1+spdy/3";
  73     case kProtoUnknown:
  74       break;
  75   }
  76   return "unknown";
  77 }
  78
  79 // static
  80 const char* SSLClientSocket::NextProtoStatusToString(
  81     const SSLClientSocket::NextProtoStatus status) {
  82   switch (status) {
  83     case kNextProtoUnsupported:
  84       return "unsupported";
  85     case kNextProtoNegotiated:
  86       return "negotiated";
  87     case kNextProtoNoOverlap:
  88       return "no-overlap";
  89   }
  90   return NULL;
  91 }
  92
  93 bool SSLClientSocket::WasNpnNegotiated() const {
  94   return was_npn_negotiated_;
  95 }
  96
  97 NextProto SSLClientSocket::GetNegotiatedProtocol() const {
  98   return protocol_negotiated_;
  99 }
 100
 101 bool SSLClientSocket::IgnoreCertError(int error, int load_flags) {
 102   if (error == OK)
 103     return true;
 104   return (load_flags & LOAD_IGNORE_ALL_CERT_ERRORS) &&
 105          IsCertificateError(error);
 106 }
 107
 108 bool SSLClientSocket::set_was_npn_negotiated(bool negotiated) {
 109   return was_npn_negotiated_ = negotiated;
 110 }
 111
 112 bool SSLClientSocket::was_spdy_negotiated() const {
 113   return was_spdy_negotiated_;
 114 }
 115
 116 bool SSLClientSocket::set_was_spdy_negotiated(bool negotiated) {
 117   return was_spdy_negotiated_ = negotiated;
 118 }
 119
 120 void SSLClientSocket::set_protocol_negotiated(NextProto protocol_negotiated) {
 121   protocol_negotiated_ = protocol_negotiated;
 122 }
 123
 124 void SSLClientSocket::set_negotiation_extension(
 125     SSLNegotiationExtension negotiation_extension) {
 126   negotiation_extension_ = negotiation_extension;
 127 }
 128
 129 bool SSLClientSocket::WasChannelIDSent() const {
 130   return channel_id_sent_;
 131 }
 132
 133 void SSLClientSocket::set_channel_id_sent(bool channel_id_sent) {
 134   channel_id_sent_ = channel_id_sent;
 135 }
 136
 137 void SSLClientSocket::set_signed_cert_timestamps_received(
 138     bool signed_cert_timestamps_received) {
 139   signed_cert_timestamps_received_ = signed_cert_timestamps_received;
 140 }
 141
 142 void SSLClientSocket::set_stapled_ocsp_response_received(
 143     bool stapled_ocsp_response_received) {
 144   stapled_ocsp_response_received_ = stapled_ocsp_response_received;
 145 }
 146
 147 // static
 148 void SSLClientSocket::RecordChannelIDSupport(
 149     ChannelIDService* channel_id_service,
 150     bool negotiated_channel_id,
 151     bool channel_id_enabled,
 152     bool supports_ecc) {
 153   // Since this enum is used for a histogram, do not change or re-use values.
 154   enum {
 155     DISABLED = 0,
 156     CLIENT_ONLY = 1,
 157     CLIENT_AND_SERVER = 2,
 158     CLIENT_NO_ECC = 3,
 159     CLIENT_BAD_SYSTEM_TIME = 4,
 160     CLIENT_NO_CHANNEL_ID_SERVICE = 5,
 161     CHANNEL_ID_USAGE_MAX
 162   } supported = DISABLED;
 163   if (negotiated_channel_id) {
 164     supported = CLIENT_AND_SERVER;
 165   } else if (channel_id_enabled) {
 166     if (!channel_id_service)
 167       supported = CLIENT_NO_CHANNEL_ID_SERVICE;
 168     else if (!supports_ecc)
 169       supported = CLIENT_NO_ECC;
 170     else if (!channel_id_service->IsSystemTimeValid())
 171       supported = CLIENT_BAD_SYSTEM_TIME;
 172     else
 173       supported = CLIENT_ONLY;
 174   }
 175   UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported,
 176                             CHANNEL_ID_USAGE_MAX);
 177 }
 178
 179 // static
 180 bool SSLClientSocket::IsChannelIDEnabled(
 181     const SSLConfig& ssl_config,
 182     ChannelIDService* channel_id_service) {
 183   if (!ssl_config.channel_id_enabled)
 184     return false;
 185   if (!channel_id_service) {
 186     DVLOG(1) << "NULL channel_id_service_, not enabling channel ID.";
 187     return false;
 188   }
 189   if (!crypto::ECPrivateKey::IsSupported()) {
 190     DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID.";
 191     return false;
 192   }
 193   if (!channel_id_service->IsSystemTimeValid()) {
 194     DVLOG(1) << "System time is not within the supported range for certificate "
 195                 "generation, not enabling channel ID.";
 196     return false;
 197   }
 198   return true;
 199 }
 200
 201 // static
 202 bool SSLClientSocket::HasCipherAdequateForHTTP2(
 203     const std::vector<uint16>& cipher_suites) {
 204   for (uint16 cipher : cipher_suites) {
 205     if (IsSecureTLSCipherSuite(cipher))
 206       return true;
 207   }
 208   return false;
 209 }
 210
 211 // static
 212 bool SSLClientSocket::IsTLSVersionAdequateForHTTP2(
 213     const SSLConfig& ssl_config) {
 214   return ssl_config.version_max >= SSL_PROTOCOL_VERSION_TLS1_2;
 215 }
 216
 217 // static
 218 std::vector<uint8_t> SSLClientSocket::SerializeNextProtos(
 219     const NextProtoVector& next_protos,
 220     bool can_advertise_http2) {
 221   std::vector<uint8_t> wire_protos;
 222   for (const NextProto next_proto : next_protos) {
 223     if (!can_advertise_http2 && kProtoSPDY4MinimumVersion <= next_proto &&
 224         next_proto <= kProtoSPDY4MaximumVersion) {
 225       continue;
 226     }
 227     const std::string proto = NextProtoToString(next_proto);
 228     if (proto.size() > 255) {
 229       LOG(WARNING) << "Ignoring overlong NPN/ALPN protocol: " << proto;
 230       continue;
 231     }
 232     if (proto.size() == 0) {
 233       LOG(WARNING) << "Ignoring empty NPN/ALPN protocol";
 234       continue;
 235     }
 236     wire_protos.push_back(proto.size());
 237     for (const char ch : proto) {
 238       wire_protos.push_back(static_cast<uint8_t>(ch));
 239     }
 240   }
 241
 242   return wire_protos;
 243 }
 244
 245 void SSLClientSocket::RecordNegotiationExtension() {
 246   if (negotiation_extension_ == kExtensionUnknown)
 247     return;
 248   std::string proto;
 249   SSLClientSocket::NextProtoStatus status = GetNextProto(&proto);
 250   if (status == kNextProtoUnsupported)
 251     return;
 252   // Convert protocol into numerical value for histogram.
 253   NextProto protocol_negotiated = SSLClientSocket::NextProtoFromString(proto);
 254   base::HistogramBase::Sample sample =
 255       static_cast<base::HistogramBase::Sample>(protocol_negotiated);
 256   // In addition to the protocol negotiated, we want to record which TLS
 257   // extension was used, and in case of NPN, whether there was overlap between
 258   // server and client list of supported protocols.
 259   if (negotiation_extension_ == kExtensionNPN) {
 260     if (status == kNextProtoNoOverlap) {
 261       sample += 1000;
 262     } else {
 263       sample += 500;
 264     }
 265   } else {
 266     DCHECK_EQ(kExtensionALPN, negotiation_extension_);
 267   }
 268   UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLProtocolNegotiation", sample);
 269 }
 270
 271 }  // namespace net