Add metrics for TLS 1.3's anti-downgrade mechanism.

TLS 1.3 includes a server_random-based anti-downgrade mechanism which
gives it a stronger anti-downgrade store than prior versions of TLS.
(This is essentially working around a bug in TLS 1.2 where it did not
incorporate enough into the signature.) This is a few security
improvement for Chrome users that should not disrupt the existing
ecosystem.

Unfortunately, we are aware that some Cisco middleboxes have buggy TLS
1.2 implementations that fail to generate their own server random value.
Instead, they copy over another server's random value. This is invalid
and does not comply with the TLS 1.2 specification. See
https://www.ietf.org/mail-archive/web/tls/current/msg25168.html

Due to deployment considerations, this feature cannot be enabled until
TLS 1.3 is final. In preparation for that, this CL adds metrics to
determine the prevalance of these and potentially other non-compliant
middlebox products out there.

Bug: boringssl:226
Change-Id: Ie1288fadf84ff6988c741ceef1465c25559a369a
Reviewed-on: https://chromium-review.googlesource.com/891499Reviewed-by: Steven Valdez <svaldez@chromium.org>
Reviewed-by: Alexei Svitkine <asvitkine@chromium.org>
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533811}

net/socket/ssl_client_socket_impl.cc

@@ -34,6 +34,7 @@
 #include "net/base/ip_address.h"
 #include "net/base/net_errors.h"
 #include "net/base/trace_constants.h"
+#include "net/base/url_util.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_policy_status.h"
@@ -1149,6 +1150,16 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) {
     base::UmaHistogramSparse("Net.SSLSignatureAlgorithm", signature_algorithm);
   }
 
+  if (IsTLS13ExperimentHost(host_and_port_.host())) {
+    // To measure the effects of TLS 1.3's anti-downgrade mechanism, record
+    // whether the codepath would have been blocked against servers known to
+    // implement draft TLS 1.3. This should be a safe security measure to
+    // enable, but some middleboxes have non-compliant behavior here. See
+    // https://crbug.com/boringssl/226.
+    UMA_HISTOGRAM_BOOLEAN("Net.SSLDraftDowngradeTLS13Experiment",
+                          !!SSL_is_draft_downgrade(ssl_.get()));
+  }
+
   // Verify the certificate.
   next_handshake_state_ = STATE_VERIFY_CERT;
   return OK;

tools/metrics/histograms/enums.xml

@@ -3549,6 +3549,11 @@ uploading your change for review.  These are checked by presubmit scripts.
   <int value="1" label="Dispatched"/>
 </enum>
 
+<enum name="BooleanDowngrade">
+  <int value="0" label="Not downgraded"/>
+  <int value="1" label="Downgraded"/>
+</enum>
+
 <enum name="BooleanDownloaded">
   <int value="0" label="Local file"/>
   <int value="1" label="File downloaded"/>

tools/metrics/histograms/histograms.xml

@@ -48329,6 +48329,19 @@ http://cs/file:chrome/histograms.xml - but prefer this file for new entries.
   <summary>Time to complete a certificate verification (error case).</summary>
 </histogram>
 
+<histogram name="Net.SSLDraftDowngradeTLS13Experiment" enum="BooleanDowngrade">
+  <owner>davidben@chromium.org</owner>
+  <summary>
+    For each HTTPS connection to the TLS 1.3 experiment server set, whether the
+    TLS 1.3 anti-downgrade mechanism would have fired. This is to measure the
+    effects of non-compliant middleboxes on this otherwise safe security
+    feature. The numbers are only valid while the TLS 1.3 experiment set deploys
+    a TLS 1.3 draft version compatible with the corresponding Chrome version and
+    implement the our draft anti-downgrade signal. See
+    https://crbug.com/boringssl/226.
+  </summary>
+</histogram>
+
 <histogram name="Net.SSLFallbackErrorCode" enum="NetErrorCodes">
   <obsolete>
     Removed June 2016.