bug 848139 - telemetry for tls server hello size r=honzab

--HG-- extra : rebase_source : 5e8d1fa5e86ed7845cb196ad84539a6be024ca73
2025-01-16 15:17:14 +00:00 · 2013-03-26 20:06:15 -04:00 · 2013-03-26 20:06:15 -04:00 · a97c6a3a21
commit a97c6a3a21
parent 512a50e970
3 changed files with 86 additions and 5 deletions
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@ -84,7 +84,8 @@ nsNSSSocketInfo::nsNSSSocketInfo(SharedSSLState& aState, uint32_t providerFlags)
    mJoined(false),
    mSentClientCert(false),
    mProviderFlags(providerFlags),
-    mSocketCreationTimestamp(TimeStamp::Now())
+    mSocketCreationTimestamp(TimeStamp::Now()),
+    mPlaintextBytesRead(0)
 {
 }

@ -199,6 +200,17 @@ nsNSSSocketInfo::SetHandshakeCompleted(bool aResumedSession)
    // If the handshake is completed for the first time from just 1 callback
    // that means that TLS session resumption must have been used.
    Telemetry::Accumulate(Telemetry::SSL_RESUMED_SESSION, aResumedSession);
+
+    // Remove the plain text layer as it is not needed anymore.
+    // The plain text layer is not always present - so its not a fatal error
+    // if it cannot be removed
+    PRFileDesc* poppedPlaintext =
+      PR_GetIdentitiesLayer(mFd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity);
+    if (poppedPlaintext) {
+      PR_PopIOLayer(mFd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity);
+      poppedPlaintext->dtor(poppedPlaintext);
+    }
+
    mHandshakeCompleted = true;
  }
 }
@ -446,6 +458,10 @@ nsNSSSocketInfo::SetCertVerificationResult(PRErrorCode errorCode,
    SetCanceled(errorCode, errorMessageType);
  }

+  if (mPlaintextBytesRead && !errorCode) {
+    Telemetry::Accumulate(Telemetry::SSL_BYTES_BEFORE_CERT_CALLBACK, mPlaintextBytesRead);
+  }
+
  mCertVerificationState = after_cert_verification;
 }

@ -700,6 +716,12 @@ nsSSLIOLayerHelpers::rememberTolerantSite(nsNSSSocketInfo *socketInfo)
  nsSSLIOLayerHelpers::mTLSTolerantSites->PutEntry(key);
 }

+bool nsSSLIOLayerHelpers::nsSSLIOLayerInitialized = false;
+PRDescIdentity nsSSLIOLayerHelpers::nsSSLIOLayerIdentity;
+PRDescIdentity nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity;
+PRIOMethods nsSSLIOLayerHelpers::nsSSLIOLayerMethods;
+PRIOMethods nsSSLIOLayerHelpers::nsSSLPlaintextLayerMethods;
+
 static PRStatus
 nsSSLIOLayerClose(PRFileDesc *fd)
 {
@ -721,6 +743,18 @@ PRStatus nsNSSSocketInfo::CloseSocketAndDestroy(
  nsNSSShutDownList::trackSSLSocketClose();

  PRFileDesc* popped = PR_PopIOLayer(mFd, PR_TOP_IO_LAYER);
+  NS_ASSERTION(popped &&
+               popped->identity == nsSSLIOLayerHelpers::nsSSLIOLayerIdentity,
+               "SSL Layer not on top of stack");
+
+  // The plain text layer is not always present - so its not a fatal error
+  // if it cannot be removed
+  PRFileDesc* poppedPlaintext =
+    PR_GetIdentitiesLayer(mFd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity);
+  if (poppedPlaintext) {
+    PR_PopIOLayer(mFd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity);
+    poppedPlaintext->dtor(poppedPlaintext);
+  }

  PRStatus status = mFd->methods->close(mFd);
  
@ -1041,10 +1075,6 @@ nsSSLIOLayerPoll(PRFileDesc * fd, int16_t in_flags, int16_t *out_flags)
  return result;
 }

-bool nsSSLIOLayerHelpers::nsSSLIOLayerInitialized = false;
-PRDescIdentity nsSSLIOLayerHelpers::nsSSLIOLayerIdentity;
-PRIOMethods nsSSLIOLayerHelpers::nsSSLIOLayerMethods;
-
 nsSSLIOLayerHelpers::nsSSLIOLayerHelpers()
 : mutex(nullptr)
 , mTLSIntolerantSites(nullptr)
@ -1247,6 +1277,23 @@ PrefObserver::Observe(nsISupports *aSubject, const char *aTopic,
  return NS_OK;
 }

+static int32_t PlaintextRecv(PRFileDesc *fd, void *buf, int32_t amount,
+                             int flags, PRIntervalTime timeout)
+{
+  // The shutdownlocker is not needed here because it will already be
+  // held higher in the stack
+  nsNSSSocketInfo *socketInfo = nullptr;
+
+  int32_t bytesRead = fd->lower->methods->recv(fd->lower, buf, amount, flags,
+                                               timeout);
+  if (fd->identity == nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity)
+    socketInfo = (nsNSSSocketInfo*)fd->secret;
+
+  if ((bytesRead > 0) && socketInfo)
+    socketInfo->AddPlaintextBytesRead(bytesRead);
+  return bytesRead;
+}
+
 nsSSLIOLayerHelpers::~nsSSLIOLayerHelpers()
 {
  Preferences::RemoveObserver(mPrefObserver, "security.ssl.renego_unrestricted_hosts");
@ -1292,6 +1339,10 @@ nsresult nsSSLIOLayerHelpers::Init()
    nsSSLIOLayerMethods.write = nsSSLIOLayerWrite;
    nsSSLIOLayerMethods.read = nsSSLIOLayerRead;
    nsSSLIOLayerMethods.poll = nsSSLIOLayerPoll;
+
+    nsSSLPlaintextLayerIdentity = PR_GetUniqueIdentity("Plaintxext PSM layer");
+    nsSSLPlaintextLayerMethods  = *PR_GetDefaultIOMethods();
+    nsSSLPlaintextLayerMethods.recv = PlaintextRecv;
  }

  mutex = new Mutex("nsSSLIOLayerHelpers.mutex");
@ -2538,6 +2589,7 @@ nsSSLIOLayerAddToSocket(int32_t family,
 {
  nsNSSShutDownPreventionLock locker;
  PRFileDesc* layer = nullptr;
+  PRFileDesc* plaintextLayer = nullptr;
  nsresult rv;
  PRStatus stat;

@ -2551,6 +2603,19 @@ nsSSLIOLayerAddToSocket(int32_t family,
  infoObject->SetHostName(host);
  infoObject->SetPort(port);

+  // A plaintext observer shim is inserted so we can observe some protocol
+  // details without modifying nss
+  plaintextLayer = PR_CreateIOLayerStub(nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity,
+                                        &nsSSLIOLayerHelpers::nsSSLPlaintextLayerMethods);
+  if (plaintextLayer) {
+    plaintextLayer->secret = (PRFilePrivate*) infoObject;
+    stat = PR_PushIOLayer(fd, PR_TOP_IO_LAYER, plaintextLayer);
+    if (stat == PR_FAILURE) {
+      plaintextLayer->dtor(plaintextLayer);
+      plaintextLayer = nullptr;
+    }
+  }
+
  PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host);
  if (!sslSock) {
    NS_ASSERTION(false, "NSS: Error importing socket");
@ -2596,5 +2661,9 @@ nsSSLIOLayerAddToSocket(int32_t family,
  if (layer) {
    layer->dtor(layer);
  }
+  if (plaintextLayer) {
+    PR_PopIOLayer(fd, nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity);
+    plaintextLayer->dtor(plaintextLayer);
+  }
  return NS_ERROR_FAILURE;
 }
--- a/security/manager/ssl/src/nsNSSIOLayer.h
+++ b/security/manager/ssl/src/nsNSSIOLayer.h
@ -91,6 +91,8 @@ public:
  void SetSSL3Enabled(bool enabled) { mSSL3Enabled = enabled; }
  bool IsTLSEnabled() const { return mTLSEnabled; }
  void SetTLSEnabled(bool enabled) { mTLSEnabled = enabled; }
+
+  void AddPlaintextBytesRead(uint64_t val) { mPlaintextBytesRead += val; }
 private:
  PRFileDesc* mFd;

@ -118,6 +120,7 @@ private:

  uint32_t mProviderFlags;
  mozilla::TimeStamp mSocketCreationTimestamp;
+  uint64_t mPlaintextBytesRead;
 };

 class nsSSLIOLayerHelpers
@ -131,7 +134,9 @@ public:

  static bool nsSSLIOLayerInitialized;
  static PRDescIdentity nsSSLIOLayerIdentity;
+  static PRDescIdentity nsSSLPlaintextLayerIdentity;
  static PRIOMethods nsSSLIOLayerMethods;
+  static PRIOMethods nsSSLPlaintextLayerMethods;

  mozilla::Mutex *mutex;
  nsTHashtable<nsCStringHashKey> *mTLSIntolerantSites;
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@ -843,6 +843,13 @@
    "extended_statistics_ok": true,
    "description": "ms of SSL wait time including TCP and proxy tunneling"
  },
+  "SSL_BYTES_BEFORE_CERT_CALLBACK": {
+    "kind": "exponential",
+    "high": "32000",
+    "n_buckets": 64,
+    "extended_statistics_ok": true,
+    "description": "plaintext bytes read before a server certificate authenticated"
+  },
  "SSL_NPN_TYPE": {
    "kind": "enumerated",
    "n_values": 16,