1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/ssl/ssl_policy.h"
6
7 #include "base/base_switches.h"
8 #include "base/command_line.h"
9 #include "base/memory/singleton.h"
10 #include "base/string_piece.h"
11 #include "base/string_util.h"
12 #include "chrome/browser/ssl/ssl_cert_error_handler.h"
13 #include "chrome/browser/ssl/ssl_error_info.h"
14 #include "chrome/browser/ssl/ssl_request_info.h"
15 #include "chrome/common/jstemplate_builder.h"
16 #include "chrome/common/time_format.h"
17 #include "chrome/common/url_constants.h"
18 #include "content/browser/renderer_host/render_process_host.h"
19 #include "content/browser/renderer_host/render_view_host.h"
20 #include "content/browser/site_instance.h"
21 #include "content/browser/tab_contents/navigation_entry.h"
22 #include "content/browser/tab_contents/tab_contents.h"
23 #include "grit/generated_resources.h"
24 #include "net/base/cert_status_flags.h"
25 #include "net/base/ssl_info.h"
26 #include "webkit/glue/resource_type.h"
27
28 namespace {
29
30 static const char kDot = '.';
31
IsIntranetHost(const std::string & host)32 static bool IsIntranetHost(const std::string& host) {
33 const size_t dot = host.find(kDot);
34 return dot == std::string::npos || dot == host.length() - 1;
35 }
36
37 } // namespace
38
SSLPolicy(SSLPolicyBackend * backend)39 SSLPolicy::SSLPolicy(SSLPolicyBackend* backend)
40 : backend_(backend) {
41 DCHECK(backend_);
42 }
43
OnCertError(SSLCertErrorHandler * handler)44 void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
45 // First we check if we know the policy for this error.
46 net::CertPolicy::Judgment judgment =
47 backend_->QueryPolicy(handler->ssl_info().cert,
48 handler->request_url().host());
49
50 if (judgment == net::CertPolicy::ALLOWED) {
51 handler->ContinueRequest();
52 return;
53 }
54
55 // The judgment is either DENIED or UNKNOWN.
56 // For now we handle the DENIED as the UNKNOWN, which means a blocking
57 // page is shown to the user every time he comes back to the page.
58
59 switch (handler->cert_error()) {
60 case net::ERR_CERT_COMMON_NAME_INVALID:
61 case net::ERR_CERT_DATE_INVALID:
62 case net::ERR_CERT_AUTHORITY_INVALID:
63 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
64 OnCertErrorInternal(handler, SSLBlockingPage::ERROR_OVERRIDABLE);
65 break;
66 case net::ERR_CERT_NO_REVOCATION_MECHANISM:
67 // Ignore this error.
68 handler->ContinueRequest();
69 break;
70 case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
71 // We ignore this error but will show a warning status in the location
72 // bar.
73 handler->ContinueRequest();
74 break;
75 case net::ERR_CERT_CONTAINS_ERRORS:
76 case net::ERR_CERT_REVOKED:
77 case net::ERR_CERT_INVALID:
78 case net::ERR_CERT_NOT_IN_DNS:
79 OnCertErrorInternal(handler, SSLBlockingPage::ERROR_FATAL);
80 break;
81 default:
82 NOTREACHED();
83 handler->CancelRequest();
84 break;
85 }
86 }
87
DidRunInsecureContent(NavigationEntry * entry,const std::string & security_origin)88 void SSLPolicy::DidRunInsecureContent(NavigationEntry* entry,
89 const std::string& security_origin) {
90 if (!entry)
91 return;
92
93 SiteInstance* site_instance = entry->site_instance();
94 if (!site_instance)
95 return;
96
97 backend_->HostRanInsecureContent(GURL(security_origin).host(),
98 site_instance->GetProcess()->id());
99 }
100
OnRequestStarted(SSLRequestInfo * info)101 void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) {
102 // TODO(abarth): This mechanism is wrong. What we should be doing is sending
103 // this information back through WebKit and out some FrameLoaderClient
104 // methods.
105
106 if (net::IsCertStatusError(info->ssl_cert_status()))
107 backend_->HostRanInsecureContent(info->url().host(), info->child_id());
108 }
109
UpdateEntry(NavigationEntry * entry,TabContents * tab_contents)110 void SSLPolicy::UpdateEntry(NavigationEntry* entry, TabContents* tab_contents) {
111 DCHECK(entry);
112
113 InitializeEntryIfNeeded(entry);
114
115 if (!entry->url().SchemeIsSecure())
116 return;
117
118 // An HTTPS response may not have a certificate for some reason. When that
119 // happens, use the unauthenticated (HTTP) rather than the authentication
120 // broken security style so that we can detect this error condition.
121 if (!entry->ssl().cert_id()) {
122 entry->ssl().set_security_style(SECURITY_STYLE_UNAUTHENTICATED);
123 return;
124 }
125
126 if (!(entry->ssl().cert_status() & net::CERT_STATUS_COMMON_NAME_INVALID)) {
127 // CAs issue certificates for intranet hosts to everyone. Therefore, we
128 // mark intranet hosts as being non-unique.
129 if (IsIntranetHost(entry->url().host())) {
130 entry->ssl().set_cert_status(entry->ssl().cert_status() |
131 net::CERT_STATUS_NON_UNIQUE_NAME);
132 }
133 }
134
135 // If CERT_STATUS_UNABLE_TO_CHECK_REVOCATION is the only certificate error,
136 // don't lower the security style to SECURITY_STYLE_AUTHENTICATION_BROKEN.
137 int cert_errors = entry->ssl().cert_status() & net::CERT_STATUS_ALL_ERRORS;
138 if (cert_errors) {
139 if (cert_errors != net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION)
140 entry->ssl().set_security_style(SECURITY_STYLE_AUTHENTICATION_BROKEN);
141 return;
142 }
143
144 SiteInstance* site_instance = entry->site_instance();
145 // Note that |site_instance| can be NULL here because NavigationEntries don't
146 // necessarily have site instances. Without a process, the entry can't
147 // possibly have insecure content. See bug http://crbug.com/12423.
148 if (site_instance &&
149 backend_->DidHostRunInsecureContent(entry->url().host(),
150 site_instance->GetProcess()->id())) {
151 entry->ssl().set_security_style(SECURITY_STYLE_AUTHENTICATION_BROKEN);
152 entry->ssl().set_ran_insecure_content();
153 return;
154 }
155
156 if (tab_contents->displayed_insecure_content())
157 entry->ssl().set_displayed_insecure_content();
158 }
159
160 ////////////////////////////////////////////////////////////////////////////////
161 // SSLBlockingPage::Delegate methods
162
GetSSLErrorInfo(SSLCertErrorHandler * handler)163 SSLErrorInfo SSLPolicy::GetSSLErrorInfo(SSLCertErrorHandler* handler) {
164 return SSLErrorInfo::CreateError(
165 SSLErrorInfo::NetErrorToErrorType(handler->cert_error()),
166 handler->ssl_info().cert, handler->request_url());
167 }
168
OnDenyCertificate(SSLCertErrorHandler * handler)169 void SSLPolicy::OnDenyCertificate(SSLCertErrorHandler* handler) {
170 // Default behavior for rejecting a certificate.
171 //
172 // While DenyCertForHost() executes synchronously on this thread,
173 // CancelRequest() gets posted to a different thread. Calling
174 // DenyCertForHost() first ensures deterministic ordering.
175 backend_->DenyCertForHost(handler->ssl_info().cert,
176 handler->request_url().host());
177 handler->CancelRequest();
178 }
179
OnAllowCertificate(SSLCertErrorHandler * handler)180 void SSLPolicy::OnAllowCertificate(SSLCertErrorHandler* handler) {
181 // Default behavior for accepting a certificate.
182 // Note that we should not call SetMaxSecurityStyle here, because the active
183 // NavigationEntry has just been deleted (in HideInterstitialPage) and the
184 // new NavigationEntry will not be set until DidNavigate. This is ok,
185 // because the new NavigationEntry will have its max security style set
186 // within DidNavigate.
187 //
188 // While AllowCertForHost() executes synchronously on this thread,
189 // ContinueRequest() gets posted to a different thread. Calling
190 // AllowCertForHost() first ensures deterministic ordering.
191 backend_->AllowCertForHost(handler->ssl_info().cert,
192 handler->request_url().host());
193 handler->ContinueRequest();
194 }
195
196 ////////////////////////////////////////////////////////////////////////////////
197 // Certificate Error Routines
198
OnCertErrorInternal(SSLCertErrorHandler * handler,SSLBlockingPage::ErrorLevel error_level)199 void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler,
200 SSLBlockingPage::ErrorLevel error_level) {
201 if (handler->resource_type() != ResourceType::MAIN_FRAME) {
202 // A sub-resource has a certificate error. The user doesn't really
203 // have a context for making the right decision, so block the
204 // request hard, without an info bar to allow showing the insecure
205 // content.
206 handler->DenyRequest();
207 return;
208 }
209 SSLBlockingPage* blocking_page = new SSLBlockingPage(handler, this,
210 error_level);
211 blocking_page->Show();
212 }
213
InitializeEntryIfNeeded(NavigationEntry * entry)214 void SSLPolicy::InitializeEntryIfNeeded(NavigationEntry* entry) {
215 if (entry->ssl().security_style() != SECURITY_STYLE_UNKNOWN)
216 return;
217
218 entry->ssl().set_security_style(entry->url().SchemeIsSecure() ?
219 SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED);
220 }
221
OriginRanInsecureContent(const std::string & origin,int pid)222 void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) {
223 GURL parsed_origin(origin);
224 if (parsed_origin.SchemeIsSecure())
225 backend_->HostRanInsecureContent(parsed_origin.host(), pid);
226 }
227