authorwtc@google.com <wtc@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2009-01-12 19:08:36 +0000
committerwtc@google.com <wtc@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2009-01-12 19:08:36 +0000
commit5d0153c51cd317bc38673fb70c5d59314aff7b69 (patch)
treee6f028c1c727c2c74ca23932a7ce0ca2b5c61d76 /net
parent70aa77609a881545064e3df7ffa580d933c4f76f (diff)
downloadchromium_src-5d0153c51cd317bc38673fb70c5d59314aff7b69.zip
chromium_src-5d0153c51cd317bc38673fb70c5d59314aff7b69.tar.gz
chromium_src-5d0153c51cd317bc38673fb70c5d59314aff7b69.tar.bz2
Measure how often the users are encountering MD5
certificates. R=jar BUG=6102 Review URL: http://codereview.chromium.org/17471 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@7882 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/connection_type_histograms.cc38
-rw-r--r--net/base/connection_type_histograms.h33
-rw-r--r--net/base/ssl_client_socket_win.cc41
-rw-r--r--net/base/ssl_client_socket_win.h1
-rw-r--r--net/build/net.vcproj8
-rw-r--r--net/http/http_network_transaction.cc7
-rw-r--r--net/net.xcodeproj/project.pbxproj6
-rw-r--r--net/net_lib.scons1
8 files changed, 133 insertions, 2 deletions
diff --git a/net/base/connection_type_histograms.cc b/net/base/connection_type_histograms.cc
new file mode 100644
index 0000000..e01ee8c
--- /dev/null
+++ b/net/base/connection_type_histograms.cc
@@ -0,0 +1,38 @@
+// Copyright (c) 2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/connection_type_histograms.h"
+
+#include "base/histogram.h"
+
+namespace net {
+
+// We're using a histogram as a group of counters. We're only interested in
+// the values of the counters. Ignore the shape, average, and standard
+// deviation of the histograms because they are meaningless.
+//
+// We use two groups of counters. In the first group (counter1), each counter
+// is a boolean (0 or 1) that indicates whether the user has seen a connection
+// of that type during that session. In the second group (counter2), each
+// counter is the number of connections of that type the user has seen during
+// that session.
+void UpdateConnectionTypeHistograms(ConnectionType type) {
+ static bool had_connection_type[NUM_OF_CONNECTION_TYPES];
+ static LinearHistogram counter1(L"Net.HadConnectionType",
+ 1, NUM_OF_CONNECTION_TYPES - 1,
+ NUM_OF_CONNECTION_TYPES);
+ static LinearHistogram counter2(L"Net.ConnectionTypeCount",
+ 1, NUM_OF_CONNECTION_TYPES - 1,
+ NUM_OF_CONNECTION_TYPES);
+
+ if (type >= 0 && type < NUM_OF_CONNECTION_TYPES) {
+ if (!had_connection_type[type]) {
+ had_connection_type[type] = true;
+ counter1.Add(type);
+ }
+ }
+ counter2.Add(type);
+}
+
+} // namespace net
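Review bot: `counter2.Add(type);` at the end of UpdateConnectionTypeHistograms sits outside the `type >= 0 && type < NUM_OF_CONNECTION_TYPES` guard that protects the `had_connection_type[type]` index, so an out-of-range value is rejected for counter1 but still recorded in counter2; move the call inside the `if` (or `DCHECK` the range and drop the guard) so both counters see exactly the same values. The function-local statics mean the counters live for the whole process, which is what the header comment calls a "session"; a line such as `// "Session" here means the lifetime of the browser process; the counters are never reset.` would make that explicit. Whether these histograms are marked for upload (if this revision of base/histogram.h distinguishes UMA-targeted histograms) is not visible in the hunk and is worth confirming, since the commit's purpose is to collect this data from users.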
diff --git a/net/base/connection_type_histograms.h b/net/base/connection_type_histograms.h
new file mode 100644
index 0000000..8d25664
--- /dev/null
+++ b/net/base/connection_type_histograms.h
@@ -0,0 +1,33 @@
+// Copyright (c) 2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_CONNECTION_TYPE_HISTOGRAMS_H_
+#define NET_BASE_CONNECTION_TYPE_HISTOGRAMS_H_
+
+// The UpdateConnectionTypeHistograms function collects statistics related
+// to the number of MD5 certificates that our users are encountering. The
+// information will help us decide when it is fine for browsers to stop
+// supporting MD5 certificates, in light of the recent MD5 certificate
+// collision attack (see "MD5 considered harmful today: Creating a rogue CA
+// certificate" at http://www.win.tue.nl/hashclash/rogue-ca/).
+
+namespace net {
+
+enum ConnectionType {
+ CONNECTION_ANY = 0, // Any connection, SSL or not
+ CONNECTION_SSL = 1, // An SSL connection
+ CONNECTION_SSL_MD5 = 2, // An SSL connection with an MD5 certificate in
+ // the certificate chain (excluding root)
+ CONNECTION_SSL_MD2 = 3, // An SSL connection with an MD2 certificate in
+ // the certificate chain (excluding root)
+ CONNECTION_SSL_MD4 = 4, // An SSL connection with an MD4 certificate in
+ // the certificate chain (excluding root)
+ NUM_OF_CONNECTION_TYPES
+};
+
+void UpdateConnectionTypeHistograms(ConnectionType type);
+
+} // namespace net
+
+#endif // NET_BASE_CONNECTION_TYPE_HISTOGRAMS_H_
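Review bot: The ConnectionType enum is consumed as histogram bucket indices by UpdateConnectionTypeHistograms, so the numeric values are part of the recorded data, but nothing in the header says they must stay stable; add `// These values are recorded as histogram bucket indices. Do not reorder or renumber existing entries; add new types before NUM_OF_CONNECTION_TYPES.` above the enum. The "(excluding root)" remarks would also be clearer with the reason given in the .cc: the trust anchor's own signature is never verified, so its digest algorithm does not affect chain security, e.g. `// The root's signature is not checked during validation, so its algorithm is irrelevant here.`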
diff --git a/net/base/ssl_client_socket_win.cc b/net/base/ssl_client_socket_win.cc
index 8bd812b..d39c958 100644
--- a/net/base/ssl_client_socket_win.cc
+++ b/net/base/ssl_client_socket_win.cc
@@ -9,6 +9,7 @@
#include "base/lock.h"
#include "base/singleton.h"
#include "base/string_util.h"
+#include "net/base/connection_type_histograms.h"
#include "net/base/net_errors.h"
#include "net/base/scoped_cert_chain_context.h"
#include "net/base/ssl_info.h"
@@ -1021,6 +1022,44 @@ int SSLClientSocketWin::DidCompleteHandshake() {
return VerifyServerCert();
}
+// static
+void SSLClientSocketWin::LogConnectionTypeMetrics(
+ PCCERT_CHAIN_CONTEXT chain_context) {
+ UpdateConnectionTypeHistograms(CONNECTION_SSL);
+
+ PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];
+ int num_elements = first_chain->cElement;
+ PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement;
+ bool has_md5 = false;
+ bool has_md2 = false;
+ bool has_md4 = false;
+
+ // Each chain starts with the end entity certificate and ends with the root
+ // CA certificate. Do not inspect the signature algorithm of the root CA
+ // certificate because the signature on the trust anchor is not important.
+ for (int i = 0; i < num_elements - 1; ++i) {
+ PCCERT_CONTEXT cert = element[i]->pCertContext;
+ const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId;
+ if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) {
+ // md5WithRSAEncryption: 1.2.840.113549.1.1.4
+ has_md5 = true;
+ } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) {
+ // md2WithRSAEncryption: 1.2.840.113549.1.1.2
+ has_md2 = true;
+ } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) {
+ // md4WithRSAEncryption: 1.2.840.113549.1.1.3
+ has_md4 = true;
+ }
+ }
+
+ if (has_md5)
+ UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5);
+ if (has_md2)
+ UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2);
+ if (has_md4)
+ UpdateConnectionTypeHistograms(CONNECTION_SSL_MD4);
+}
+
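Review bot: The loop in LogConnectionTypeMetrics unconditionally skips the last element of `rgpChain[0]` on the assumption that it is the root CA, but when CryptoAPI could not build the chain to a trusted root (a partial chain or an untrusted root reported in TrustStatus) the last element is an ordinary intermediate or the end-entity, and an MD5-signed certificate there would be left out of the count; the same happens when `cChain > 1`, since only the first simple chain is examined and its last element chains to a CTL rather than to a root. Skip the last element only when it is actually self-signed, e.g. `bool last_is_root = num_elements > 0 && (element[num_elements - 1]->TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) != 0;` and `for (int i = 0; i < (last_is_root ? num_elements - 1 : num_elements); ++i)`. A `DCHECK_GT(chain_context->cChain, 0u);` before indexing `rgpChain[0]` would document the other precondition the function relies on.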
// Set server_cert_status_ and return OK or a network error.
int SSLClientSocketWin::VerifyServerCert() {
DCHECK(server_cert_);
@@ -1058,6 +1097,8 @@ int SSLClientSocketWin::VerifyServerCert() {
}
ScopedCertChainContext scoped_chain_context(chain_context);
+ LogConnectionTypeMetrics(chain_context);
+
server_cert_status_ |= MapCertChainErrorStatusToCertStatus(
chain_context->TrustStatus.dwErrorStatus);
diff --git a/net/base/ssl_client_socket_win.h b/net/base/ssl_client_socket_win.h
index da657f5..58a035e 100644
--- a/net/base/ssl_client_socket_win.h
+++ b/net/base/ssl_client_socket_win.h
@@ -63,6 +63,7 @@ class SSLClientSocketWin : public SSLClientSocket {
int DoPayloadWriteComplete(int result);
int DidCompleteHandshake();
+ static void LogConnectionTypeMetrics(PCCERT_CHAIN_CONTEXT chain_context);
int VerifyServerCert();
CompletionCallbackImpl<SSLClientSocketWin> io_callback_;
diff --git a/net/build/net.vcproj b/net/build/net.vcproj
index 78fbc68..275d7fd 100644
--- a/net/build/net.vcproj
+++ b/net/build/net.vcproj
@@ -209,6 +209,14 @@
>
</File>
<File
+ RelativePath="..\base\connection_type_histograms.cc"
+ >
+ </File>
+ <File
+ RelativePath="..\base\connection_type_histograms.h"
+ >
+ </File>
+ <File
RelativePath="..\base\cookie_monster.cc"
>
</File>
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 0ba3d1e..45a9a5e 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -10,6 +10,7 @@
#include "base/trace_event.h"
#include "build/build_config.h"
#include "net/base/client_socket_factory.h"
+#include "net/base/connection_type_histograms.h"
#include "net/base/dns_resolution_observer.h"
#include "net/base/host_resolver.h"
#include "net/base/load_flags.h"
@@ -62,6 +63,8 @@ HttpNetworkTransaction::HttpNetworkTransaction(HttpNetworkSession* session,
int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info,
CompletionCallback* callback) {
+ UpdateConnectionTypeHistograms(CONNECTION_ANY);
+
request_ = request_info;
next_state_ = STATE_RESOLVE_PROXY;
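Review bot: `UpdateConnectionTypeHistograms(CONNECTION_ANY)` is recorded once per HttpNetworkTransaction::Start, i.e. per HTTP transaction, while CONNECTION_SSL is recorded in SSLClientSocketWin::VerifyServerCert once per completed handshake; with keep-alive one socket serves many transactions, so the two counters measure different units and the SSL-to-total ratio will understate the share of SSL connections. Either move the CONNECTION_ANY count to where a socket is actually connected, or document the mismatch: `// Counted once per transaction, not per socket; SSL counts (see SSLClientSocketWin::VerifyServerCert) are per handshake.` The body of Start continues outside the hunk.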
@@ -1054,7 +1057,7 @@ int HttpNetworkTransaction::ReconsiderProxyAfterError(int error) {
void HttpNetworkTransaction::AddAuthorizationHeader(HttpAuth::Target target) {
// If we have no authentication information, check if we can select
// a cache entry preemptively (based on the path).
- if(!HaveAuth(target) && !SelectPreemptiveAuth(target))
+ if (!HaveAuth(target) && !SelectPreemptiveAuth(target))
return;
DCHECK(HaveAuth(target));
@@ -1114,7 +1117,7 @@ void HttpNetworkTransaction::InvalidateRejectedAuthFromCache(
// Note: we require the username/password to match before invalidating
// since the entry in the cache may be newer than what we used last time.
session_->auth_cache()->Remove(AuthOrigin(target),
- auth_handler_[target]->realm(),
+ auth_handler_[target]->realm(),
auth_identity_[target].username,
auth_identity_[target].password);
}
diff --git a/net/net.xcodeproj/project.pbxproj b/net/net.xcodeproj/project.pbxproj
index f0ead56..d085c9f 100644
--- a/net/net.xcodeproj/project.pbxproj
+++ b/net/net.xcodeproj/project.pbxproj
@@ -184,6 +184,7 @@
E4CE9C260E8C027900D5378C /* http_network_layer_unittest.cc in Sources */ = {isa = PBXBuildFile; fileRef = 7BED335C0E5A194700A747DB /* http_network_layer_unittest.cc */; };
E4CE9C2E0E8C02ED00D5378C /* http_transaction_unittest.cc in Sources */ = {isa = PBXBuildFile; fileRef = 7BED334A0E5A194700A747DB /* http_transaction_unittest.cc */; };
E4CE9C380E8C035C00D5378C /* http_network_transaction_unittest.cc in Sources */ = {isa = PBXBuildFile; fileRef = 7BED33590E5A194700A747DB /* http_network_transaction_unittest.cc */; };
+ B4DD1C3523B3890B287055E6 /* connection_type_histograms.cc in Sources */ = {isa = PBXBuildFile; fileRef = F17062083BCE6F0A42F4C479 /* connection_type_histograms.cc */; };
/* End PBXBuildFile section */
/* Begin PBXContainerItemProxy section */
@@ -702,6 +703,8 @@
E4AFA6420E5241B400201347 /* run_all_unittests.cc */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = run_all_unittests.cc; sourceTree = "<group>"; };
E4AFA6450E5241D300201347 /* base.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = base.xcodeproj; path = base/base.xcodeproj; sourceTree = "<group>"; };
E4BA04540E25613300BE02C6 /* libnet.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libnet.a; sourceTree = BUILT_PRODUCTS_DIR; };
+ F17062083BCE6F0A42F4C479 /* connection_type_histograms.cc */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = connection_type_histograms.cc; sourceTree = "<group>"; };
+ D4726BC70CCE10F4FF2A5E12 /* connection_type_histograms.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = connection_type_histograms.h; sourceTree = "<group>"; };
/* End PBXFileReference section */
/* Begin PBXFrameworksBuildPhase section */
@@ -903,6 +906,8 @@
7BED326B0E5A181C00A747DB /* client_socket_pool.h */,
7BED326A0E5A181C00A747DB /* client_socket_pool_unittest.cc */,
7BED32680E5A181C00A747DB /* completion_callback.h */,
+ F17062083BCE6F0A42F4C479 /* connection_type_histograms.cc */,
+ D4726BC70CCE10F4FF2A5E12 /* connection_type_histograms.h */,
7BED32690E5A181C00A747DB /* cookie_monster.cc */,
7BED32670E5A181C00A747DB /* cookie_monster.h */,
7BED32650E5A181C00A747DB /* cookie_monster_perftest.cc */,
@@ -1472,6 +1477,7 @@
E4CE9C0D0E8BFFFA00D5378C /* client_socket_factory.cc in Sources */,
7B8504080E5B2DD800730B43 /* client_socket_handle.cc in Sources */,
7B8504090E5B2DD800730B43 /* client_socket_pool.cc in Sources */,
+ B4DD1C3523B3890B287055E6 /* connection_type_histograms.cc in Sources */,
7B8B5A430E5CD1FD002F9A97 /* cookie_monster.cc in Sources */,
7B85040C0E5B2DD800730B43 /* cookie_policy.cc in Sources */,
7B85040D0E5B2DD800730B43 /* data_url.cc in Sources */,
diff --git a/net/net_lib.scons b/net/net_lib.scons
index 5631198..20d2e6b 100644
--- a/net/net_lib.scons
+++ b/net/net_lib.scons
@@ -37,6 +37,7 @@ input_files = ChromeFileList([
'base/client_socket_pool.cc',
'base/client_socket_pool.h',
'base/completion_callback.h',
+ 'base/connection_type_histograms.cc',
'base/cookie_monster.cc',
'base/cookie_monster.h',
'base/cookie_policy.cc',