content/browser/ssl/ssl_policy.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "content/browser/ssl/ssl_policy.h"
   6
   7 #include "base/base_switches.h"
   8 #include "base/bind.h"
   9 #include "base/command_line.h"
  10 #include "base/memory/singleton.h"
  11 #include "base/strings/string_piece.h"
  12 #include "base/strings/string_util.h"
  13 #include "content/browser/frame_host/navigation_entry_impl.h"
  14 #include "content/browser/renderer_host/render_process_host_impl.h"
  15 #include "content/browser/renderer_host/render_view_host_impl.h"
  16 #include "content/browser/site_instance_impl.h"
  17 #include "content/browser/ssl/ssl_cert_error_handler.h"
  18 #include "content/browser/ssl/ssl_request_info.h"
  19 #include "content/browser/web_contents/web_contents_impl.h"
  20 #include "content/public/browser/content_browser_client.h"
  21 #include "content/public/common/resource_type.h"
  22 #include "content/public/common/ssl_status.h"
  23 #include "content/public/common/url_constants.h"
  24 #include "net/ssl/ssl_info.h"
  25
  26
  27 namespace content {
  28
  29 SSLPolicy::SSLPolicy(SSLPolicyBackend* backend)
  30     : backend_(backend) {
  31   DCHECK(backend_);
  32 }
  33
  34 void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
  35   bool expired_previous_decision;
  36   // First we check if we know the policy for this error.
  37   DCHECK(handler->ssl_info().is_valid());
  38   SSLHostStateDelegate::CertJudgment judgment =
  39       backend_->QueryPolicy(*handler->ssl_info().cert.get(),
  40                             handler->request_url().host(),
  41                             handler->cert_error(),
  42                             &expired_previous_decision);
  43
  44   if (judgment == SSLHostStateDelegate::ALLOWED) {
  45     handler->ContinueRequest();
  46     return;
  47   }
  48
  49   // For all other hosts, which must be DENIED, a blocking page is shown to the
  50   // user every time they come back to the page.
  51   int options_mask = 0;
  52   switch (handler->cert_error()) {
  53     case net::ERR_CERT_COMMON_NAME_INVALID:
  54     case net::ERR_CERT_DATE_INVALID:
  55     case net::ERR_CERT_AUTHORITY_INVALID:
  56     case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
  57     case net::ERR_CERT_WEAK_KEY:
  58     case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION:
  59     case net::ERR_CERT_VALIDITY_TOO_LONG:
  60       if (!handler->fatal())
  61         options_mask |= OVERRIDABLE;
  62       else
  63         options_mask |= STRICT_ENFORCEMENT;
  64       if (expired_previous_decision)
  65         options_mask |= EXPIRED_PREVIOUS_DECISION;
  66       OnCertErrorInternal(handler, options_mask);
  67       break;
  68     case net::ERR_CERT_NO_REVOCATION_MECHANISM:
  69       // Ignore this error.
  70       handler->ContinueRequest();
  71       break;
  72     case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
  73       // We ignore this error but will show a warning status in the location
  74       // bar.
  75       handler->ContinueRequest();
  76       break;
  77     case net::ERR_CERT_CONTAINS_ERRORS:
  78     case net::ERR_CERT_REVOKED:
  79     case net::ERR_CERT_INVALID:
  80     case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
  81     case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
  82       if (handler->fatal())
  83         options_mask |= STRICT_ENFORCEMENT;
  84       if (expired_previous_decision)
  85         options_mask |= EXPIRED_PREVIOUS_DECISION;
  86       OnCertErrorInternal(handler, options_mask);
  87       break;
  88     default:
  89       NOTREACHED();
  90       handler->CancelRequest();
  91       break;
  92   }
  93 }
  94
  95 void SSLPolicy::DidRunInsecureContent(NavigationEntryImpl* entry,
  96                                       const std::string& security_origin) {
  97   if (!entry)
  98     return;
  99
 100   SiteInstance* site_instance = entry->site_instance();
 101   if (!site_instance)
 102       return;
 103
 104   backend_->HostRanInsecureContent(GURL(security_origin).host(),
 105                                    site_instance->GetProcess()->GetID());
 106 }
 107
 108 void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) {
 109   // TODO(abarth): This mechanism is wrong.  What we should be doing is sending
 110   // this information back through WebKit and out some FrameLoaderClient
 111   // methods.
 112
 113   if (net::IsCertStatusError(info->ssl_cert_status()))
 114     backend_->HostRanInsecureContent(info->url().host(), info->child_id());
 115 }
 116
 117 void SSLPolicy::UpdateEntry(NavigationEntryImpl* entry,
 118                             WebContentsImpl* web_contents) {
 119   DCHECK(entry);
 120
 121   InitializeEntryIfNeeded(entry);
 122
 123   if (!entry->GetURL().SchemeIsSecure())
 124     return;
 125
 126   if (!web_contents->DisplayedInsecureContent())
 127     entry->GetSSL().content_status &= ~SSLStatus::DISPLAYED_INSECURE_CONTENT;
 128
 129   // An HTTPS response may not have a certificate for some reason.  When that
 130   // happens, use the unauthenticated (HTTP) rather than the authentication
 131   // broken security style so that we can detect this error condition.
 132   if (!entry->GetSSL().cert_id) {
 133     entry->GetSSL().security_style = SECURITY_STYLE_UNAUTHENTICATED;
 134     return;
 135   }
 136
 137   if (web_contents->DisplayedInsecureContent())
 138     entry->GetSSL().content_status |= SSLStatus::DISPLAYED_INSECURE_CONTENT;
 139
 140   if (net::IsCertStatusError(entry->GetSSL().cert_status)) {
 141     // Minor errors don't lower the security style to
 142     // SECURITY_STYLE_AUTHENTICATION_BROKEN.
 143     if (!net::IsCertStatusMinorError(entry->GetSSL().cert_status)) {
 144       entry->GetSSL().security_style =
 145           SECURITY_STYLE_AUTHENTICATION_BROKEN;
 146     }
 147     return;
 148   }
 149
 150   SiteInstance* site_instance = entry->site_instance();
 151   // Note that |site_instance| can be NULL here because NavigationEntries don't
 152   // necessarily have site instances.  Without a process, the entry can't
 153   // possibly have insecure content.  See bug http://crbug.com/12423.
 154   if (site_instance &&
 155       backend_->DidHostRunInsecureContent(
 156           entry->GetURL().host(), site_instance->GetProcess()->GetID())) {
 157     entry->GetSSL().security_style =
 158         SECURITY_STYLE_AUTHENTICATION_BROKEN;
 159     entry->GetSSL().content_status |= SSLStatus::RAN_INSECURE_CONTENT;
 160     return;
 161   }
 162 }
 163
 164 void SSLPolicy::OnAllowCertificate(scoped_refptr<SSLCertErrorHandler> handler,
 165                                    bool allow) {
 166   DCHECK(handler->ssl_info().is_valid());
 167   if (allow) {
 168     // Default behavior for accepting a certificate.
 169     // Note that we should not call SetMaxSecurityStyle here, because the active
 170     // NavigationEntry has just been deleted (in HideInterstitialPage) and the
 171     // new NavigationEntry will not be set until DidNavigate.  This is ok,
 172     // because the new NavigationEntry will have its max security style set
 173     // within DidNavigate.
 174     //
 175     // While AllowCertForHost() executes synchronously on this thread,
 176     // ContinueRequest() gets posted to a different thread. Calling
 177     // AllowCertForHost() first ensures deterministic ordering.
 178     backend_->AllowCertForHost(*handler->ssl_info().cert.get(),
 179                                handler->request_url().host(),
 180                                handler->cert_error());
 181     handler->ContinueRequest();
 182   } else {
 183     // Default behavior for rejecting a certificate.
 184     handler->CancelRequest();
 185   }
 186 }
 187
 188 ////////////////////////////////////////////////////////////////////////////////
 189 // Certificate Error Routines
 190
 191 void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler,
 192                                     int options_mask) {
 193   bool overridable = (options_mask & OVERRIDABLE) != 0;
 194   bool strict_enforcement = (options_mask & STRICT_ENFORCEMENT) != 0;
 195   bool expired_previous_decision =
 196       (options_mask & EXPIRED_PREVIOUS_DECISION) != 0;
 197   CertificateRequestResultType result =
 198       CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE;
 199   GetContentClient()->browser()->AllowCertificateError(
 200       handler->render_process_id(),
 201       handler->render_frame_id(),
 202       handler->cert_error(),
 203       handler->ssl_info(),
 204       handler->request_url(),
 205       handler->resource_type(),
 206       overridable,
 207       strict_enforcement,
 208       expired_previous_decision,
 209       base::Bind(&SSLPolicy::OnAllowCertificate,
 210                  base::Unretained(this),
 211                  make_scoped_refptr(handler)),
 212       &result);
 213   switch (result) {
 214     case CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE:
 215       break;
 216     case CERTIFICATE_REQUEST_RESULT_TYPE_CANCEL:
 217       handler->CancelRequest();
 218       break;
 219     case CERTIFICATE_REQUEST_RESULT_TYPE_DENY:
 220       handler->DenyRequest();
 221       break;
 222     default:
 223       NOTREACHED();
 224   }
 225 }
 226
 227 void SSLPolicy::InitializeEntryIfNeeded(NavigationEntryImpl* entry) {
 228   if (entry->GetSSL().security_style != SECURITY_STYLE_UNKNOWN)
 229     return;
 230
 231   entry->GetSSL().security_style = entry->GetURL().SchemeIsSecure() ?
 232       SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED;
 233 }
 234
 235 void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) {
 236   GURL parsed_origin(origin);
 237   if (parsed_origin.SchemeIsSecure())
 238     backend_->HostRanInsecureContent(parsed_origin.host(), pid);
 239 }
 240
 241 }  // namespace content