net/socket/ssl_client_socket.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/socket/ssl_client_socket.h"
   6
   7 #include "base/metrics/histogram.h"
   8 #include "base/metrics/sparse_histogram.h"
   9 #include "base/strings/string_util.h"
  10 #include "crypto/ec_private_key.h"
  11 #include "net/base/connection_type_histograms.h"
  12 #include "net/base/host_port_pair.h"
  13 #include "net/base/net_errors.h"
  14 #include "net/ssl/channel_id_service.h"
  15 #include "net/ssl/ssl_cipher_suite_names.h"
  16 #include "net/ssl/ssl_config_service.h"
  17 #include "net/ssl/ssl_connection_status_flags.h"
  18
  19 namespace net {
  20
  21 SSLClientSocket::SSLClientSocket()
  22     : was_npn_negotiated_(false),
  23       was_spdy_negotiated_(false),
  24       protocol_negotiated_(kProtoUnknown),
  25       channel_id_sent_(false),
  26       signed_cert_timestamps_received_(false),
  27       stapled_ocsp_response_received_(false),
  28       negotiation_extension_(kExtensionUnknown) {
  29 }
  30
  31 // static
  32 NextProto SSLClientSocket::NextProtoFromString(
  33     const std::string& proto_string) {
  34   if (proto_string == "http1.1" || proto_string == "http/1.1") {
  35     return kProtoHTTP11;
  36   } else if (proto_string == "spdy/2") {
  37     return kProtoDeprecatedSPDY2;
  38   } else if (proto_string == "spdy/3") {
  39     return kProtoSPDY3;
  40   } else if (proto_string == "spdy/3.1") {
  41     return kProtoSPDY31;
  42   } else if (proto_string == "h2-14") {
  43     // For internal consistency, HTTP/2 is named SPDY4 within Chromium.
  44     // This is the HTTP/2 draft-14 identifier.
  45     return kProtoSPDY4_14;
  46   } else if (proto_string == "h2-15") {
  47     // This is the HTTP/2 draft-15 identifier.
  48     return kProtoSPDY4_15;
  49   } else if (proto_string == "quic/1+spdy/3") {
  50     return kProtoQUIC1SPDY3;
  51   } else {
  52     return kProtoUnknown;
  53   }
  54 }
  55
  56 // static
  57 const char* SSLClientSocket::NextProtoToString(NextProto next_proto) {
  58   switch (next_proto) {
  59     case kProtoHTTP11:
  60       return "http/1.1";
  61     case kProtoDeprecatedSPDY2:
  62       return "spdy/2";
  63     case kProtoSPDY3:
  64       return "spdy/3";
  65     case kProtoSPDY31:
  66       return "spdy/3.1";
  67     case kProtoSPDY4_14:
  68       // For internal consistency, HTTP/2 is named SPDY4 within Chromium.
  69       // This is the HTTP/2 draft-14 identifier.
  70       return "h2-14";
  71     case kProtoSPDY4_15:
  72       // This is the HTTP/2 draft-15 identifier.
  73       return "h2-15";
  74     case kProtoQUIC1SPDY3:
  75       return "quic/1+spdy/3";
  76     case kProtoUnknown:
  77       break;
  78   }
  79   return "unknown";
  80 }
  81
  82 // static
  83 const char* SSLClientSocket::NextProtoStatusToString(
  84     const SSLClientSocket::NextProtoStatus status) {
  85   switch (status) {
  86     case kNextProtoUnsupported:
  87       return "unsupported";
  88     case kNextProtoNegotiated:
  89       return "negotiated";
  90     case kNextProtoNoOverlap:
  91       return "no-overlap";
  92   }
  93   return NULL;
  94 }
  95
  96 bool SSLClientSocket::WasNpnNegotiated() const {
  97   return was_npn_negotiated_;
  98 }
  99
 100 NextProto SSLClientSocket::GetNegotiatedProtocol() const {
 101   return protocol_negotiated_;
 102 }
 103
 104 bool SSLClientSocket::IgnoreCertError(int error, int load_flags) {
 105   if (error == OK)
 106     return true;
 107   return (load_flags & LOAD_IGNORE_ALL_CERT_ERRORS) &&
 108          IsCertificateError(error);
 109 }
 110
 111 bool SSLClientSocket::set_was_npn_negotiated(bool negotiated) {
 112   return was_npn_negotiated_ = negotiated;
 113 }
 114
 115 bool SSLClientSocket::was_spdy_negotiated() const {
 116   return was_spdy_negotiated_;
 117 }
 118
 119 bool SSLClientSocket::set_was_spdy_negotiated(bool negotiated) {
 120   return was_spdy_negotiated_ = negotiated;
 121 }
 122
 123 void SSLClientSocket::set_protocol_negotiated(NextProto protocol_negotiated) {
 124   protocol_negotiated_ = protocol_negotiated;
 125 }
 126
 127 void SSLClientSocket::set_negotiation_extension(
 128     SSLNegotiationExtension negotiation_extension) {
 129   negotiation_extension_ = negotiation_extension;
 130 }
 131
 132 bool SSLClientSocket::WasChannelIDSent() const {
 133   return channel_id_sent_;
 134 }
 135
 136 void SSLClientSocket::set_channel_id_sent(bool channel_id_sent) {
 137   channel_id_sent_ = channel_id_sent;
 138 }
 139
 140 void SSLClientSocket::set_signed_cert_timestamps_received(
 141     bool signed_cert_timestamps_received) {
 142   signed_cert_timestamps_received_ = signed_cert_timestamps_received;
 143 }
 144
 145 void SSLClientSocket::set_stapled_ocsp_response_received(
 146     bool stapled_ocsp_response_received) {
 147   stapled_ocsp_response_received_ = stapled_ocsp_response_received;
 148 }
 149
 150 // static
 151 void SSLClientSocket::RecordChannelIDSupport(
 152     ChannelIDService* channel_id_service,
 153     bool negotiated_channel_id,
 154     bool channel_id_enabled,
 155     bool supports_ecc) {
 156   // Since this enum is used for a histogram, do not change or re-use values.
 157   enum {
 158     DISABLED = 0,
 159     CLIENT_ONLY = 1,
 160     CLIENT_AND_SERVER = 2,
 161     CLIENT_NO_ECC = 3,
 162     CLIENT_BAD_SYSTEM_TIME = 4,
 163     CLIENT_NO_CHANNEL_ID_SERVICE = 5,
 164     CHANNEL_ID_USAGE_MAX
 165   } supported = DISABLED;
 166   if (negotiated_channel_id) {
 167     supported = CLIENT_AND_SERVER;
 168   } else if (channel_id_enabled) {
 169     if (!channel_id_service)
 170       supported = CLIENT_NO_CHANNEL_ID_SERVICE;
 171     else if (!supports_ecc)
 172       supported = CLIENT_NO_ECC;
 173     else if (!channel_id_service->IsSystemTimeValid())
 174       supported = CLIENT_BAD_SYSTEM_TIME;
 175     else
 176       supported = CLIENT_ONLY;
 177   }
 178   UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported,
 179                             CHANNEL_ID_USAGE_MAX);
 180 }
 181
 182 // static
 183 bool SSLClientSocket::IsChannelIDEnabled(
 184     const SSLConfig& ssl_config,
 185     ChannelIDService* channel_id_service) {
 186   if (!ssl_config.channel_id_enabled)
 187     return false;
 188   if (!channel_id_service) {
 189     DVLOG(1) << "NULL channel_id_service_, not enabling channel ID.";
 190     return false;
 191   }
 192   if (!crypto::ECPrivateKey::IsSupported()) {
 193     DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID.";
 194     return false;
 195   }
 196   if (!channel_id_service->IsSystemTimeValid()) {
 197     DVLOG(1) << "System time is not within the supported range for certificate "
 198                 "generation, not enabling channel ID.";
 199     return false;
 200   }
 201   return true;
 202 }
 203
 204 // static
 205 bool SSLClientSocket::HasCipherAdequateForHTTP2(
 206     const std::vector<uint16>& cipher_suites) {
 207   for (uint16 cipher : cipher_suites) {
 208     if (IsSecureTLSCipherSuite(cipher))
 209       return true;
 210   }
 211   return false;
 212 }
 213
 214 // static
 215 bool SSLClientSocket::IsTLSVersionAdequateForHTTP2(
 216     const SSLConfig& ssl_config) {
 217   return ssl_config.version_max >= SSL_PROTOCOL_VERSION_TLS1_2;
 218 }
 219
 220 // static
 221 std::vector<uint8_t> SSLClientSocket::SerializeNextProtos(
 222     const NextProtoVector& next_protos,
 223     bool can_advertise_http2) {
 224   std::vector<uint8_t> wire_protos;
 225   for (const NextProto next_proto : next_protos) {
 226     if (!can_advertise_http2 && kProtoSPDY4MinimumVersion <= next_proto &&
 227         next_proto <= kProtoSPDY4MaximumVersion) {
 228       continue;
 229     }
 230     const std::string proto = NextProtoToString(next_proto);
 231     if (proto.size() > 255) {
 232       LOG(WARNING) << "Ignoring overlong NPN/ALPN protocol: " << proto;
 233       continue;
 234     }
 235     if (proto.size() == 0) {
 236       LOG(WARNING) << "Ignoring empty NPN/ALPN protocol";
 237       continue;
 238     }
 239     wire_protos.push_back(proto.size());
 240     for (const char ch : proto) {
 241       wire_protos.push_back(static_cast<uint8_t>(ch));
 242     }
 243   }
 244
 245   return wire_protos;
 246 }
 247
 248 void SSLClientSocket::RecordNegotiationExtension() {
 249   if (negotiation_extension_ == kExtensionUnknown)
 250     return;
 251   std::string proto;
 252   SSLClientSocket::NextProtoStatus status = GetNextProto(&proto);
 253   if (status == kNextProtoUnsupported)
 254     return;
 255   // Convert protocol into numerical value for histogram.
 256   NextProto protocol_negotiated = SSLClientSocket::NextProtoFromString(proto);
 257   base::HistogramBase::Sample sample =
 258       static_cast<base::HistogramBase::Sample>(protocol_negotiated);
 259   // In addition to the protocol negotiated, we want to record which TLS
 260   // extension was used, and in case of NPN, whether there was overlap between
 261   // server and client list of supported protocols.
 262   if (negotiation_extension_ == kExtensionNPN) {
 263     if (status == kNextProtoNoOverlap) {
 264       sample += 1000;
 265     } else {
 266       sample += 500;
 267     }
 268   } else {
 269     DCHECK_EQ(kExtensionALPN, negotiation_extension_);
 270   }
 271   UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLProtocolNegotiation", sample);
 272 }
 273
 274 }  // namespace net