Bug 959026: Add telemetry about cases where we don't do OCSP fetching when we expect to, r=keeler

--HG--
extra : rebase_source : f7e9826569325f497273a92eec5127c414baa8bc
extra : source : bb5bb5a1b571e54695a4c8d5be0cc447f29f0358
Brian Smith 2014-01-12 19:31:40 -08:00
parent 6bcc300a5c
commit c2e23acd65
5 changed files with 44 additions and 9 deletions


@ -95,6 +95,9 @@
*/
#include "SSLServerCertVerification.h"
#include <cstring>
#include "CertVerifier.h"
#include "nsIBadCertListener2.h"
#include "nsICertOverrideService.h"
@ -633,7 +636,7 @@ class SSLServerCertVerificationJob : public nsRunnable
public:
// Must be called only on the socket transport thread
static SECStatus Dispatch(const void * fdForLogging,
TransportSecurityInfo * infoObject,
nsNSSSocketInfo * infoObject,
CERTCertificate * serverCert,
SECItem * stapledOCSPResponse,
uint32_t providerFlags);
@ -642,12 +645,12 @@ private:
// Must be called only on the socket transport thread
SSLServerCertVerificationJob(const void * fdForLogging,
TransportSecurityInfo * infoObject,
nsNSSSocketInfo * infoObject,
CERTCertificate * cert,
SECItem * stapledOCSPResponse,
uint32_t providerFlags);
const void * const mFdForLogging;
const RefPtr<TransportSecurityInfo> mInfoObject;
const RefPtr<nsNSSSocketInfo> mInfoObject;
const ScopedCERTCertificate mCert;
const uint32_t mProviderFlags;
const TimeStamp mJobStartTime;
@ -655,7 +658,7 @@ private:
};
SSLServerCertVerificationJob::SSLServerCertVerificationJob(
const void * fdForLogging, TransportSecurityInfo * infoObject,
const void * fdForLogging, nsNSSSocketInfo * infoObject,
CERTCertificate * cert, SECItem * stapledOCSPResponse,
uint32_t providerFlags)
: mFdForLogging(fdForLogging)
@ -855,7 +858,7 @@ BlockServerCertChangeForSpdy(nsNSSSocketInfo *infoObject,
}
SECStatus
AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert,
AuthCertificate(nsNSSSocketInfo * infoObject, CERTCertificate * cert,
SECItem * stapledOCSPResponse, uint32_t providerFlags)
{
if (cert->serialNumber.data &&
@ -923,6 +926,25 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert,
} else {
// no stapled OCSP response
Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
uint32_t reasonsForNotFetching = 0;
char* ocspURI = CERT_GetOCSPAuthorityInfoAccessLocation(cert);
if (!ocspURI) {
reasonsForNotFetching |= 1; // invalid/missing OCSP URI
} else {
if (std::strncmp(ocspURI, "http://", 7)) { // approximation
reasonsForNotFetching |= 1; // invalid/missing OCSP URI
}
PORT_Free(ocspURI);
}
if (!infoObject->SharedState().IsOCSPFetchingEnabled()) {
reasonsForNotFetching |= 2;
}
Telemetry::Accumulate(Telemetry::SSL_OCSP_MAY_FETCH,
reasonsForNotFetching);
}
CERTCertList *verifyCertChain = nullptr;
@ -1044,7 +1066,7 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert,
/*static*/ SECStatus
SSLServerCertVerificationJob::Dispatch(const void * fdForLogging,
TransportSecurityInfo * infoObject,
nsNSSSocketInfo * infoObject,
CERTCertificate * serverCert,
SECItem * stapledOCSPResponse,
uint32_t providerFlags)
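Review bot: The scheme test `if (std::strncmp(ocspURI, "http://", 7)) {` in the no-stapled-response branch of AuthCertificate is case-sensitive, so an AIA location spelled `HTTP://...` is counted under bit 1 (invalid/missing OCSP URI) although URI schemes are case-insensitive. SSL_OCSP_MAY_FETCH is meant to show how often revocation fetching cannot happen, so if the real fetcher accepts such URIs (not visible here) the buckets are skewed; a case-insensitive compare such as `if (PL_strncasecmp(ocspURI, "http://", 7)) { // approximation: scheme prefix only` (NSPR's plstr.h) would avoid that. The bare `1` and `2` would also read better as named constants tied to the histogram description, e.g. `static const uint32_t kNoFetchBadURI = 1, kNoFetchDisabled = 2;`. AuthCertificate's body continues outside the hunk.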


@ -136,6 +136,7 @@ SharedSSLState::SharedSSLState()
, mMutex("SharedSSLState::mMutex")
, mSocketCreated(false)
, mOCSPStaplingEnabled(false)
, mOCSPFetchingEnabled(false)
{
mIOLayerHelpers.Init();
mClientAuthRemember->Init();


@ -36,7 +36,11 @@ public:
// Main-thread only
void ResetStoredData();
void NotePrivateBrowsingStatus();
void SetOCSPStaplingEnabled(bool enabled) { mOCSPStaplingEnabled = enabled; }
void SetOCSPOptions(bool fetchingEnabled, bool staplingEnabled)
{
mOCSPFetchingEnabled = fetchingEnabled;
mOCSPStaplingEnabled = staplingEnabled;
}
// The following methods may be called from any thread
bool SocketCreated();
@ -44,6 +48,7 @@ public:
static void NoteCertOverrideServiceInstantiated();
static void NoteCertDBServiceInstantiated();
bool IsOCSPStaplingEnabled() const { return mOCSPStaplingEnabled; }
bool IsOCSPFetchingEnabled() const { return mOCSPFetchingEnabled; }
private:
void Cleanup();
@ -58,6 +63,7 @@ private:
Mutex mMutex;
bool mSocketCreated;
bool mOCSPStaplingEnabled;
bool mOCSPFetchingEnabled;
};
SharedSSLState* PublicSSLState();
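Review bot: `mOCSPFetchingEnabled` is a plain `bool` written by `SetOCSPOptions` under the "Main-thread only" comment and read by `IsOCSPFetchingEnabled()` under "may be called from any thread", with no lock or atomic in between. The new reader in AuthCertificate appears to run off the main thread (the verification job's comments mention the socket transport thread), which would make this an unsynchronized cross-thread read. It follows the existing `mOCSPStaplingEnabled` pattern, but the two flags are stored separately, so a reader can also observe a mixed old/new pair while preferences are being re-applied. Consider taking `mMutex` in the setter and both getters, or making the two members atomic, and add a comment above the setter such as `// Main-thread only; argument order is (fetchingEnabled, staplingEnabled)`, since two adjacent bools are easy to swap at the call sites. The class declaration starts and ends outside the hunks shown.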


@ -1022,8 +1022,8 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting)
if (!ocspEnabled) {
ocspStaplingEnabled = false;
}
PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
PublicSSLState()->SetOCSPOptions(ocspEnabled, ocspStaplingEnabled);
PrivateSSLState()->SetOCSPOptions(ocspEnabled, ocspStaplingEnabled);
setNonPkixOcspEnabled(ocspEnabled);


@ -5584,6 +5584,12 @@
"n_values": 8,
"description": "Status of OCSP stapling on this handshake (1=present, good; 2=none; 3=present, expired; 4=present, other error)"
},
"SSL_OCSP_MAY_FETCH": {
"expires_in_version": "never",
"kind": "enumerated",
"n_values": 8,
"description": "For non-stapling cases, is OCSP fetching a possibility? (0=yes, 1=no because missing/invalid OCSP URI, 2=no because fetching disabled, 3=no because both)"
},
"TELEMETRY_TEST_EXPIRED": {
"expires_in_version": "4.0a1",
"kind": "flag",