1// Copyright (c) 2011 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/browser/ssl/ssl_policy.h"
6
7#include "base/base_switches.h"
8#include "base/command_line.h"
9#include "base/memory/singleton.h"
10#include "base/string_piece.h"
11#include "base/string_util.h"
12#include "chrome/browser/ssl/ssl_cert_error_handler.h"
13#include "chrome/browser/ssl/ssl_error_info.h"
14#include "chrome/browser/ssl/ssl_request_info.h"
15#include "chrome/common/jstemplate_builder.h"
16#include "chrome/common/time_format.h"
17#include "chrome/common/url_constants.h"
18#include "content/browser/renderer_host/render_process_host.h"
19#include "content/browser/renderer_host/render_view_host.h"
20#include "content/browser/site_instance.h"
21#include "content/browser/tab_contents/navigation_entry.h"
22#include "content/browser/tab_contents/tab_contents.h"
23#include "grit/generated_resources.h"
24#include "net/base/cert_status_flags.h"
25#include "net/base/ssl_info.h"
26#include "webkit/glue/resource_type.h"
27
28namespace {
29
30static const char kDot = '.';
31
32static bool IsIntranetHost(const std::string& host) {
33  const size_t dot = host.find(kDot);
34  return dot == std::string::npos || dot == host.length() - 1;
35}
36
37}  // namespace
38
39SSLPolicy::SSLPolicy(SSLPolicyBackend* backend)
40    : backend_(backend) {
41  DCHECK(backend_);
42}
43
44void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
45  // First we check if we know the policy for this error.
46  net::CertPolicy::Judgment judgment =
47      backend_->QueryPolicy(handler->ssl_info().cert,
48                            handler->request_url().host());
49
50  if (judgment == net::CertPolicy::ALLOWED) {
51    handler->ContinueRequest();
52    return;
53  }
54
55  // The judgment is either DENIED or UNKNOWN.
56  // For now we handle the DENIED as the UNKNOWN, which means a blocking
57  // page is shown to the user every time he comes back to the page.
58
59  switch (handler->cert_error()) {
60    case net::ERR_CERT_COMMON_NAME_INVALID:
61    case net::ERR_CERT_DATE_INVALID:
62    case net::ERR_CERT_AUTHORITY_INVALID:
63    case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
64      OnCertErrorInternal(handler, SSLBlockingPage::ERROR_OVERRIDABLE);
65      break;
66    case net::ERR_CERT_NO_REVOCATION_MECHANISM:
67      // Ignore this error.
68      handler->ContinueRequest();
69      break;
70    case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
71      // We ignore this error but will show a warning status in the location
72      // bar.
73      handler->ContinueRequest();
74      break;
75    case net::ERR_CERT_CONTAINS_ERRORS:
76    case net::ERR_CERT_REVOKED:
77    case net::ERR_CERT_INVALID:
78    case net::ERR_CERT_NOT_IN_DNS:
79      OnCertErrorInternal(handler, SSLBlockingPage::ERROR_FATAL);
80      break;
81    default:
82      NOTREACHED();
83      handler->CancelRequest();
84      break;
85  }
86}
87
88void SSLPolicy::DidRunInsecureContent(NavigationEntry* entry,
89                                      const std::string& security_origin) {
90  if (!entry)
91    return;
92
93  SiteInstance* site_instance = entry->site_instance();
94  if (!site_instance)
95      return;
96
97  backend_->HostRanInsecureContent(GURL(security_origin).host(),
98                                   site_instance->GetProcess()->id());
99}
100
101void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) {
102  // TODO(abarth): This mechanism is wrong.  What we should be doing is sending
103  // this information back through WebKit and out some FrameLoaderClient
104  // methods.
105
106  if (net::IsCertStatusError(info->ssl_cert_status()))
107    backend_->HostRanInsecureContent(info->url().host(), info->child_id());
108}
109
110void SSLPolicy::UpdateEntry(NavigationEntry* entry, TabContents* tab_contents) {
111  DCHECK(entry);
112
113  InitializeEntryIfNeeded(entry);
114
115  if (!entry->url().SchemeIsSecure())
116    return;
117
118  // An HTTPS response may not have a certificate for some reason.  When that
119  // happens, use the unauthenticated (HTTP) rather than the authentication
120  // broken security style so that we can detect this error condition.
121  if (!entry->ssl().cert_id()) {
122    entry->ssl().set_security_style(SECURITY_STYLE_UNAUTHENTICATED);
123    return;
124  }
125
126  if (!(entry->ssl().cert_status() & net::CERT_STATUS_COMMON_NAME_INVALID)) {
127    // CAs issue certificates for intranet hosts to everyone.  Therefore, we
128    // mark intranet hosts as being non-unique.
129    if (IsIntranetHost(entry->url().host())) {
130      entry->ssl().set_cert_status(entry->ssl().cert_status() |
131                                   net::CERT_STATUS_NON_UNIQUE_NAME);
132    }
133  }
134
135  // If CERT_STATUS_UNABLE_TO_CHECK_REVOCATION is the only certificate error,
136  // don't lower the security style to SECURITY_STYLE_AUTHENTICATION_BROKEN.
137  int cert_errors = entry->ssl().cert_status() & net::CERT_STATUS_ALL_ERRORS;
138  if (cert_errors) {
139    if (cert_errors != net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION)
140      entry->ssl().set_security_style(SECURITY_STYLE_AUTHENTICATION_BROKEN);
141    return;
142  }
143
144  SiteInstance* site_instance = entry->site_instance();
145  // Note that |site_instance| can be NULL here because NavigationEntries don't
146  // necessarily have site instances.  Without a process, the entry can't
147  // possibly have insecure content.  See bug http://crbug.com/12423.
148  if (site_instance &&
149      backend_->DidHostRunInsecureContent(entry->url().host(),
150                                          site_instance->GetProcess()->id())) {
151    entry->ssl().set_security_style(SECURITY_STYLE_AUTHENTICATION_BROKEN);
152    entry->ssl().set_ran_insecure_content();
153    return;
154  }
155
156  if (tab_contents->displayed_insecure_content())
157    entry->ssl().set_displayed_insecure_content();
158}
159
160////////////////////////////////////////////////////////////////////////////////
161// SSLBlockingPage::Delegate methods
162
163SSLErrorInfo SSLPolicy::GetSSLErrorInfo(SSLCertErrorHandler* handler) {
164  return SSLErrorInfo::CreateError(
165      SSLErrorInfo::NetErrorToErrorType(handler->cert_error()),
166      handler->ssl_info().cert, handler->request_url());
167}
168
169void SSLPolicy::OnDenyCertificate(SSLCertErrorHandler* handler) {
170  // Default behavior for rejecting a certificate.
171  //
172  // While DenyCertForHost() executes synchronously on this thread,
173  // CancelRequest() gets posted to a different thread. Calling
174  // DenyCertForHost() first ensures deterministic ordering.
175  backend_->DenyCertForHost(handler->ssl_info().cert,
176                            handler->request_url().host());
177  handler->CancelRequest();
178}
179
180void SSLPolicy::OnAllowCertificate(SSLCertErrorHandler* handler) {
181  // Default behavior for accepting a certificate.
182  // Note that we should not call SetMaxSecurityStyle here, because the active
183  // NavigationEntry has just been deleted (in HideInterstitialPage) and the
184  // new NavigationEntry will not be set until DidNavigate.  This is ok,
185  // because the new NavigationEntry will have its max security style set
186  // within DidNavigate.
187  //
188  // While AllowCertForHost() executes synchronously on this thread,
189  // ContinueRequest() gets posted to a different thread. Calling
190  // AllowCertForHost() first ensures deterministic ordering.
191  backend_->AllowCertForHost(handler->ssl_info().cert,
192                             handler->request_url().host());
193  handler->ContinueRequest();
194}
195
196////////////////////////////////////////////////////////////////////////////////
197// Certificate Error Routines
198
199void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler,
200                                    SSLBlockingPage::ErrorLevel error_level) {
201  if (handler->resource_type() != ResourceType::MAIN_FRAME) {
202    // A sub-resource has a certificate error.  The user doesn't really
203    // have a context for making the right decision, so block the
204    // request hard, without an info bar to allow showing the insecure
205    // content.
206    handler->DenyRequest();
207    return;
208  }
209  SSLBlockingPage* blocking_page = new SSLBlockingPage(handler, this,
210                                                       error_level);
211  blocking_page->Show();
212}
213
214void SSLPolicy::InitializeEntryIfNeeded(NavigationEntry* entry) {
215  if (entry->ssl().security_style() != SECURITY_STYLE_UNKNOWN)
216    return;
217
218  entry->ssl().set_security_style(entry->url().SchemeIsSecure() ?
219      SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED);
220}
221
222void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) {
223  GURL parsed_origin(origin);
224  if (parsed_origin.SchemeIsSecure())
225    backend_->HostRanInsecureContent(parsed_origin.host(), pid);
226}
227