| // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "net/socket/ssl_client_socket.h" |
| |
| #include "base/metrics/histogram.h" |
| #include "base/strings/string_util.h" |
| #include "crypto/ec_private_key.h" |
| #include "net/ssl/server_bound_cert_service.h" |
| #include "net/ssl/ssl_config_service.h" |
| |
| namespace net { |
| |
| SSLClientSocket::SSLClientSocket() |
| : was_npn_negotiated_(false), |
| was_spdy_negotiated_(false), |
| protocol_negotiated_(kProtoUnknown), |
| channel_id_sent_(false), |
| signed_cert_timestamps_received_(false), |
| stapled_ocsp_response_received_(false) { |
| } |
| |
| // static |
| NextProto SSLClientSocket::NextProtoFromString( |
| const std::string& proto_string) { |
| if (proto_string == "http1.1" || proto_string == "http/1.1") { |
| return kProtoHTTP11; |
| } else if (proto_string == "spdy/2") { |
| return kProtoDeprecatedSPDY2; |
| } else if (proto_string == "spdy/3") { |
| return kProtoSPDY3; |
| } else if (proto_string == "spdy/3.1") { |
| return kProtoSPDY31; |
| } else if (proto_string == "spdy/4a2") { |
| return kProtoSPDY4a2; |
| } else if (proto_string == "HTTP-draft-04/2.0") { |
| return kProtoHTTP2Draft04; |
| } else if (proto_string == "quic/1+spdy/3") { |
| return kProtoQUIC1SPDY3; |
| } else { |
| return kProtoUnknown; |
| } |
| } |
| |
| // static |
| const char* SSLClientSocket::NextProtoToString(NextProto next_proto) { |
| switch (next_proto) { |
| case kProtoHTTP11: |
| return "http/1.1"; |
| case kProtoDeprecatedSPDY2: |
| return "spdy/2"; |
| case kProtoSPDY3: |
| return "spdy/3"; |
| case kProtoSPDY31: |
| return "spdy/3.1"; |
| case kProtoSPDY4a2: |
| return "spdy/4a2"; |
| case kProtoHTTP2Draft04: |
| return "HTTP-draft-04/2.0"; |
| case kProtoQUIC1SPDY3: |
| return "quic/1+spdy/3"; |
| case kProtoUnknown: |
| break; |
| } |
| return "unknown"; |
| } |
| |
| // static |
| const char* SSLClientSocket::NextProtoStatusToString( |
| const SSLClientSocket::NextProtoStatus status) { |
| switch (status) { |
| case kNextProtoUnsupported: |
| return "unsupported"; |
| case kNextProtoNegotiated: |
| return "negotiated"; |
| case kNextProtoNoOverlap: |
| return "no-overlap"; |
| } |
| return NULL; |
| } |
| |
| // static |
| std::string SSLClientSocket::ServerProtosToString( |
| const std::string& server_protos) { |
| const char* protos = server_protos.c_str(); |
| size_t protos_len = server_protos.length(); |
| std::vector<std::string> server_protos_with_commas; |
| for (size_t i = 0; i < protos_len; ) { |
| const size_t len = protos[i]; |
| std::string proto_str(&protos[i + 1], len); |
| server_protos_with_commas.push_back(proto_str); |
| i += len + 1; |
| } |
| return JoinString(server_protos_with_commas, ','); |
| } |
| |
| bool SSLClientSocket::WasNpnNegotiated() const { |
| return was_npn_negotiated_; |
| } |
| |
| NextProto SSLClientSocket::GetNegotiatedProtocol() const { |
| return protocol_negotiated_; |
| } |
| |
| bool SSLClientSocket::IgnoreCertError(int error, int load_flags) { |
| if (error == OK || load_flags & LOAD_IGNORE_ALL_CERT_ERRORS) |
| return true; |
| |
| if (error == ERR_CERT_COMMON_NAME_INVALID && |
| (load_flags & LOAD_IGNORE_CERT_COMMON_NAME_INVALID)) |
| return true; |
| |
| if (error == ERR_CERT_DATE_INVALID && |
| (load_flags & LOAD_IGNORE_CERT_DATE_INVALID)) |
| return true; |
| |
| if (error == ERR_CERT_AUTHORITY_INVALID && |
| (load_flags & LOAD_IGNORE_CERT_AUTHORITY_INVALID)) |
| return true; |
| |
| return false; |
| } |
| |
| bool SSLClientSocket::set_was_npn_negotiated(bool negotiated) { |
| return was_npn_negotiated_ = negotiated; |
| } |
| |
| bool SSLClientSocket::was_spdy_negotiated() const { |
| return was_spdy_negotiated_; |
| } |
| |
| bool SSLClientSocket::set_was_spdy_negotiated(bool negotiated) { |
| return was_spdy_negotiated_ = negotiated; |
| } |
| |
| void SSLClientSocket::set_protocol_negotiated(NextProto protocol_negotiated) { |
| protocol_negotiated_ = protocol_negotiated; |
| } |
| |
| bool SSLClientSocket::WasChannelIDSent() const { |
| return channel_id_sent_; |
| } |
| |
| void SSLClientSocket::set_channel_id_sent(bool channel_id_sent) { |
| channel_id_sent_ = channel_id_sent; |
| } |
| |
| void SSLClientSocket::set_signed_cert_timestamps_received( |
| bool signed_cert_timestamps_received) { |
| signed_cert_timestamps_received_ = signed_cert_timestamps_received; |
| } |
| |
| void SSLClientSocket::set_stapled_ocsp_response_received( |
| bool stapled_ocsp_response_received) { |
| stapled_ocsp_response_received_ = stapled_ocsp_response_received; |
| } |
| |
| // static |
| void SSLClientSocket::RecordChannelIDSupport( |
| ServerBoundCertService* server_bound_cert_service, |
| bool negotiated_channel_id, |
| bool channel_id_enabled, |
| bool supports_ecc) { |
| // Since this enum is used for a histogram, do not change or re-use values. |
| enum { |
| DISABLED = 0, |
| CLIENT_ONLY = 1, |
| CLIENT_AND_SERVER = 2, |
| CLIENT_NO_ECC = 3, |
| CLIENT_BAD_SYSTEM_TIME = 4, |
| CLIENT_NO_SERVER_BOUND_CERT_SERVICE = 5, |
| DOMAIN_BOUND_CERT_USAGE_MAX |
| } supported = DISABLED; |
| if (negotiated_channel_id) { |
| supported = CLIENT_AND_SERVER; |
| } else if (channel_id_enabled) { |
| if (!server_bound_cert_service) |
| supported = CLIENT_NO_SERVER_BOUND_CERT_SERVICE; |
| else if (!supports_ecc) |
| supported = CLIENT_NO_ECC; |
| else if (!server_bound_cert_service->IsSystemTimeValid()) |
| supported = CLIENT_BAD_SYSTEM_TIME; |
| else |
| supported = CLIENT_ONLY; |
| } |
| UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported, |
| DOMAIN_BOUND_CERT_USAGE_MAX); |
| } |
| |
| // static |
| bool SSLClientSocket::IsChannelIDEnabled( |
| const SSLConfig& ssl_config, |
| ServerBoundCertService* server_bound_cert_service) { |
| if (!ssl_config.channel_id_enabled) |
| return false; |
| if (!server_bound_cert_service) { |
| DVLOG(1) << "NULL server_bound_cert_service_, not enabling channel ID."; |
| return false; |
| } |
| if (!crypto::ECPrivateKey::IsSupported()) { |
| DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID."; |
| return false; |
| } |
| if (!server_bound_cert_service->IsSystemTimeValid()) { |
| DVLOG(1) << "System time is not within the supported range for certificate " |
| "generation, not enabling channel ID."; |
| return false; |
| } |
| return true; |
| } |
| |
| } // namespace net |