Bug 1876442 - remove OCSP_AGE_AT_CRLITE_OVERRIDE probe. r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D199681
2024-11-24 05:11:16 +00:00 · 2024-02-22 23:26:41 +00:00 · 2024-02-22 23:26:41 +00:00 · f2870147ca
commit f2870147ca
parent eaf8b887ab
3 changed files with 6 additions and 52 deletions
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@ -861,10 +861,9 @@ Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
  Result stapledOCSPResponseResult = Success;
  if (stapledOCSPResponse) {
    bool expired;
-    uint32_t ageInHours;
    stapledOCSPResponseResult = VerifyAndMaybeCacheEncodedOCSPResponse(
        certID, time, maxOCSPLifetimeInDays, *stapledOCSPResponse,
-        ResponseWasStapled, expired, ageInHours);
+        ResponseWasStapled, expired);
    Telemetry::AccumulateCategorical(
        Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::StapledOCSP);
    if (stapledOCSPResponseResult == Success) {
@ -1087,10 +1086,9 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
  // or unknown certificate, PR_GetError() will return the appropriate error.
  // We actually ignore expired here.
  bool expired;
-  uint32_t ageInHours;
-  rv = VerifyAndMaybeCacheEncodedOCSPResponse(
-      certID, time, maxOCSPLifetimeInDays, response, ResponseIsFromNetwork,
-      expired, ageInHours);
+  rv = VerifyAndMaybeCacheEncodedOCSPResponse(certID, time,
+                                              maxOCSPLifetimeInDays, response,
+                                              ResponseIsFromNetwork, expired);

  // If the CRLite filter covers the certificate, compare the CRLite result
  // with the OCSP fetching result. OCSP may have succeeded, said the
@ -1109,11 +1107,6 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
        // CRLite says the certificate is revoked, but OCSP says it is OK.
        Telemetry::AccumulateCategorical(
            Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteRevOCSPOk);
-
-        if (mCRLiteMode == CRLiteMode::ConfirmRevocations) {
-          Telemetry::Accumulate(Telemetry::OCSP_AGE_AT_CRLITE_OVERRIDE,
-                                ageInHours);
-        }
      }
    } else if (rv == Result::ERROR_REVOKED_CERTIFICATE) {
      if (crliteResult == Success) {
@ -1209,8 +1202,7 @@ Result NSSCertDBTrustDomain::HandleOCSPFailure(
 Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
    const CertID& certID, Time time, uint16_t maxLifetimeInDays,
    Input encodedResponse, EncodedResponseSource responseSource,
-    /*out*/ bool& expired,
-    /*out*/ uint32_t& ageInHours) {
+    /*out*/ bool& expired) {
  Time thisUpdate(Time::uninitialized);
  Time validThrough(Time::uninitialized);

@ -1234,30 +1226,6 @@ Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
      return Result::FATAL_ERROR_LIBRARY_FAILURE;  // integer overflow
    }
  }
-  // The `thisUpdate` field holds the latest time at which the server knew the
-  // response was correct. The age of the response is the time that has elapsed
-  // since. We only use this for the telemetry defined in Bug 1794479.
-  uint64_t timeInSeconds;
-  uint64_t thisUpdateInSeconds;
-  uint64_t ageInSeconds;
-  SecondsSinceEpochFromTime(time, &timeInSeconds);
-  SecondsSinceEpochFromTime(thisUpdate, &thisUpdateInSeconds);
-  if (timeInSeconds >= thisUpdateInSeconds) {
-    ageInSeconds = timeInSeconds - thisUpdateInSeconds;
-    // ageInHours is 32 bits because of the telemetry api.
-    if (ageInSeconds > UINT32_MAX) {
-      // We could divide by 3600 before checking the UINT32_MAX bound, but if
-      // ageInSeconds is more than UINT32_MAX then there's been some sort of
-      // error.
-      ageInHours = UINT32_MAX;
-    } else {
-      // We start at 1 and divide with truncation to reserve ageInHours=0 for
-      // the case where `thisUpdate` is in the future.
-      ageInHours = 1 + ageInSeconds / (60 * 60);
-    }
-  } else {
-    ageInHours = 0;
-  }
  if (responseSource == ResponseIsFromNetwork || rv == Success ||
      rv == Result::ERROR_REVOKED_CERTIFICATE ||
      rv == Result::ERROR_OCSP_UNKNOWN_CERT) {
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@ -272,8 +272,7 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
  Result VerifyAndMaybeCacheEncodedOCSPResponse(
      const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
      uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
-      EncodedResponseSource responseSource, /*out*/ bool& expired,
-      /*out*/ uint32_t& ageInHours);
+      EncodedResponseSource responseSource, /*out*/ bool& expired);
  TimeDuration GetOCSPTimeout() const;

  Result CheckRevocationByCRLite(const mozilla::pkix::CertID& certID,
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@ -3971,19 +3971,6 @@
    "n_values": 16,
    "description": "SSL Handshake Key Exchange Algorithm for resumed handshake (null=0, rsa=1, dh=2, fortezza=3, ecdh=4)"
  },
-  "OCSP_AGE_AT_CRLITE_OVERRIDE": {
-    "record_in_processes": ["main", "socket"],
-    "products": ["firefox"],
-    "alert_emails": ["seceng-telemetry@mozilla.com", "jschanck@mozilla.com"],
-    "bug_numbers": [1794479, 1817101, 1846897],
-    "expires_in_version": "125",
-    "kind": "linear",
-    "releaseChannelCollection": "opt-out",
-    "low": 1,
-    "high": 240,
-    "n_buckets": 20,
-    "description": "When OCSP and CRLite differ, how old is the OCSP response (in hours)?"
-  },
  "CRLITE_VS_OCSP_RESULT": {
    "record_in_processes": ["main", "socket"],
    "products": ["firefox"],