Home | History | Annotate | Download | only in ssl
      1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "chrome/browser/ssl/ssl_policy.h"
      6 
      7 #include "base/base_switches.h"
      8 #include "base/command_line.h"
      9 #include "base/memory/singleton.h"
     10 #include "base/string_piece.h"
     11 #include "base/string_util.h"
     12 #include "chrome/browser/ssl/ssl_cert_error_handler.h"
     13 #include "chrome/browser/ssl/ssl_error_info.h"
     14 #include "chrome/browser/ssl/ssl_request_info.h"
     15 #include "chrome/common/jstemplate_builder.h"
     16 #include "chrome/common/time_format.h"
     17 #include "chrome/common/url_constants.h"
     18 #include "content/browser/renderer_host/render_process_host.h"
     19 #include "content/browser/renderer_host/render_view_host.h"
     20 #include "content/browser/site_instance.h"
     21 #include "content/browser/tab_contents/navigation_entry.h"
     22 #include "content/browser/tab_contents/tab_contents.h"
     23 #include "grit/generated_resources.h"
     24 #include "net/base/cert_status_flags.h"
     25 #include "net/base/ssl_info.h"
     26 #include "webkit/glue/resource_type.h"
     27 
     28 namespace {
     29 
     30 static const char kDot = '.';
     31 
     32 static bool IsIntranetHost(const std::string& host) {
     33   const size_t dot = host.find(kDot);
     34   return dot == std::string::npos || dot == host.length() - 1;
     35 }
     36 
     37 }  // namespace
     38 
     39 SSLPolicy::SSLPolicy(SSLPolicyBackend* backend)
     40     : backend_(backend) {
     41   DCHECK(backend_);
     42 }
     43 
     44 void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
     45   // First we check if we know the policy for this error.
     46   net::CertPolicy::Judgment judgment =
     47       backend_->QueryPolicy(handler->ssl_info().cert,
     48                             handler->request_url().host());
     49 
     50   if (judgment == net::CertPolicy::ALLOWED) {
     51     handler->ContinueRequest();
     52     return;
     53   }
     54 
     55   // The judgment is either DENIED or UNKNOWN.
     56   // For now we handle the DENIED as the UNKNOWN, which means a blocking
     57   // page is shown to the user every time he comes back to the page.
     58 
     59   switch (handler->cert_error()) {
     60     case net::ERR_CERT_COMMON_NAME_INVALID:
     61     case net::ERR_CERT_DATE_INVALID:
     62     case net::ERR_CERT_AUTHORITY_INVALID:
     63     case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
     64       OnCertErrorInternal(handler, SSLBlockingPage::ERROR_OVERRIDABLE);
     65       break;
     66     case net::ERR_CERT_NO_REVOCATION_MECHANISM:
     67       // Ignore this error.
     68       handler->ContinueRequest();
     69       break;
     70     case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
     71       // We ignore this error but will show a warning status in the location
     72       // bar.
     73       handler->ContinueRequest();
     74       break;
     75     case net::ERR_CERT_CONTAINS_ERRORS:
     76     case net::ERR_CERT_REVOKED:
     77     case net::ERR_CERT_INVALID:
     78     case net::ERR_CERT_NOT_IN_DNS:
     79       OnCertErrorInternal(handler, SSLBlockingPage::ERROR_FATAL);
     80       break;
     81     default:
     82       NOTREACHED();
     83       handler->CancelRequest();
     84       break;
     85   }
     86 }
     87 
     88 void SSLPolicy::DidRunInsecureContent(NavigationEntry* entry,
     89                                       const std::string& security_origin) {
     90   if (!entry)
     91     return;
     92 
     93   SiteInstance* site_instance = entry->site_instance();
     94   if (!site_instance)
     95       return;
     96 
     97   backend_->HostRanInsecureContent(GURL(security_origin).host(),
     98                                    site_instance->GetProcess()->id());
     99 }
    100 
    101 void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) {
    102   // TODO(abarth): This mechanism is wrong.  What we should be doing is sending
    103   // this information back through WebKit and out some FrameLoaderClient
    104   // methods.
    105 
    106   if (net::IsCertStatusError(info->ssl_cert_status()))
    107     backend_->HostRanInsecureContent(info->url().host(), info->child_id());
    108 }
    109 
    110 void SSLPolicy::UpdateEntry(NavigationEntry* entry, TabContents* tab_contents) {
    111   DCHECK(entry);
    112 
    113   InitializeEntryIfNeeded(entry);
    114 
    115   if (!entry->url().SchemeIsSecure())
    116     return;
    117 
    118   // An HTTPS response may not have a certificate for some reason.  When that
    119   // happens, use the unauthenticated (HTTP) rather than the authentication
    120   // broken security style so that we can detect this error condition.
    121   if (!entry->ssl().cert_id()) {
    122     entry->ssl().set_security_style(SECURITY_STYLE_UNAUTHENTICATED);
    123     return;
    124   }
    125 
    126   if (!(entry->ssl().cert_status() & net::CERT_STATUS_COMMON_NAME_INVALID)) {
    127     // CAs issue certificates for intranet hosts to everyone.  Therefore, we
    128     // mark intranet hosts as being non-unique.
    129     if (IsIntranetHost(entry->url().host())) {
    130       entry->ssl().set_cert_status(entry->ssl().cert_status() |
    131                                    net::CERT_STATUS_NON_UNIQUE_NAME);
    132     }
    133   }
    134 
    135   // If CERT_STATUS_UNABLE_TO_CHECK_REVOCATION is the only certificate error,
    136   // don't lower the security style to SECURITY_STYLE_AUTHENTICATION_BROKEN.
    137   int cert_errors = entry->ssl().cert_status() & net::CERT_STATUS_ALL_ERRORS;
    138   if (cert_errors) {
    139     if (cert_errors != net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION)
    140       entry->ssl().set_security_style(SECURITY_STYLE_AUTHENTICATION_BROKEN);
    141     return;
    142   }
    143 
    144   SiteInstance* site_instance = entry->site_instance();
    145   // Note that |site_instance| can be NULL here because NavigationEntries don't
    146   // necessarily have site instances.  Without a process, the entry can't
    147   // possibly have insecure content.  See bug http://crbug.com/12423.
    148   if (site_instance &&
    149       backend_->DidHostRunInsecureContent(entry->url().host(),
    150                                           site_instance->GetProcess()->id())) {
    151     entry->ssl().set_security_style(SECURITY_STYLE_AUTHENTICATION_BROKEN);
    152     entry->ssl().set_ran_insecure_content();
    153     return;
    154   }
    155 
    156   if (tab_contents->displayed_insecure_content())
    157     entry->ssl().set_displayed_insecure_content();
    158 }
    159 
    160 ////////////////////////////////////////////////////////////////////////////////
    161 // SSLBlockingPage::Delegate methods
    162 
    163 SSLErrorInfo SSLPolicy::GetSSLErrorInfo(SSLCertErrorHandler* handler) {
    164   return SSLErrorInfo::CreateError(
    165       SSLErrorInfo::NetErrorToErrorType(handler->cert_error()),
    166       handler->ssl_info().cert, handler->request_url());
    167 }
    168 
    169 void SSLPolicy::OnDenyCertificate(SSLCertErrorHandler* handler) {
    170   // Default behavior for rejecting a certificate.
    171   //
    172   // While DenyCertForHost() executes synchronously on this thread,
    173   // CancelRequest() gets posted to a different thread. Calling
    174   // DenyCertForHost() first ensures deterministic ordering.
    175   backend_->DenyCertForHost(handler->ssl_info().cert,
    176                             handler->request_url().host());
    177   handler->CancelRequest();
    178 }
    179 
    180 void SSLPolicy::OnAllowCertificate(SSLCertErrorHandler* handler) {
    181   // Default behavior for accepting a certificate.
    182   // Note that we should not call SetMaxSecurityStyle here, because the active
    183   // NavigationEntry has just been deleted (in HideInterstitialPage) and the
    184   // new NavigationEntry will not be set until DidNavigate.  This is ok,
    185   // because the new NavigationEntry will have its max security style set
    186   // within DidNavigate.
    187   //
    188   // While AllowCertForHost() executes synchronously on this thread,
    189   // ContinueRequest() gets posted to a different thread. Calling
    190   // AllowCertForHost() first ensures deterministic ordering.
    191   backend_->AllowCertForHost(handler->ssl_info().cert,
    192                              handler->request_url().host());
    193   handler->ContinueRequest();
    194 }
    195 
    196 ////////////////////////////////////////////////////////////////////////////////
    197 // Certificate Error Routines
    198 
    199 void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler,
    200                                     SSLBlockingPage::ErrorLevel error_level) {
    201   if (handler->resource_type() != ResourceType::MAIN_FRAME) {
    202     // A sub-resource has a certificate error.  The user doesn't really
    203     // have a context for making the right decision, so block the
    204     // request hard, without an info bar to allow showing the insecure
    205     // content.
    206     handler->DenyRequest();
    207     return;
    208   }
    209   SSLBlockingPage* blocking_page = new SSLBlockingPage(handler, this,
    210                                                        error_level);
    211   blocking_page->Show();
    212 }
    213 
    214 void SSLPolicy::InitializeEntryIfNeeded(NavigationEntry* entry) {
    215   if (entry->ssl().security_style() != SECURITY_STYLE_UNKNOWN)
    216     return;
    217 
    218   entry->ssl().set_security_style(entry->url().SchemeIsSecure() ?
    219       SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED);
    220 }
    221 
    222 void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) {
    223   GURL parsed_origin(origin);
    224   if (parsed_origin.SchemeIsSecure())
    225     backend_->HostRanInsecureContent(parsed_origin.host(), pid);
    226 }
    227