1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "content/browser/ssl/ssl_policy.h" 6 7#include "base/base_switches.h" 8#include "base/bind.h" 9#include "base/command_line.h" 10#include "base/memory/singleton.h" 11#include "base/strings/string_piece.h" 12#include "base/strings/string_util.h" 13#include "content/browser/frame_host/navigation_entry_impl.h" 14#include "content/browser/renderer_host/render_process_host_impl.h" 15#include "content/browser/renderer_host/render_view_host_impl.h" 16#include "content/browser/site_instance_impl.h" 17#include "content/browser/ssl/ssl_cert_error_handler.h" 18#include "content/browser/ssl/ssl_request_info.h" 19#include "content/browser/web_contents/web_contents_impl.h" 20#include "content/public/browser/content_browser_client.h" 21#include "content/public/common/ssl_status.h" 22#include "content/public/common/url_constants.h" 23#include "net/ssl/ssl_info.h" 24#include "webkit/common/resource_type.h" 25 26 27namespace content { 28 29SSLPolicy::SSLPolicy(SSLPolicyBackend* backend) 30 : backend_(backend) { 31 DCHECK(backend_); 32} 33 34void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) { 35 // First we check if we know the policy for this error. 36 net::CertPolicy::Judgment judgment = backend_->QueryPolicy( 37 handler->ssl_info().cert.get(), 38 handler->request_url().host(), 39 handler->cert_error()); 40 41 if (judgment == net::CertPolicy::ALLOWED) { 42 handler->ContinueRequest(); 43 return; 44 } 45 46 // The judgment is either DENIED or UNKNOWN. 47 // For now we handle the DENIED as the UNKNOWN, which means a blocking 48 // page is shown to the user every time he comes back to the page. 49 50 switch (handler->cert_error()) { 51 case net::ERR_CERT_COMMON_NAME_INVALID: 52 case net::ERR_CERT_DATE_INVALID: 53 case net::ERR_CERT_AUTHORITY_INVALID: 54 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM: 55 case net::ERR_CERT_WEAK_KEY: 56 case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION: 57 OnCertErrorInternal(handler, !handler->fatal(), handler->fatal()); 58 break; 59 case net::ERR_CERT_NO_REVOCATION_MECHANISM: 60 // Ignore this error. 61 handler->ContinueRequest(); 62 break; 63 case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION: 64 // We ignore this error but will show a warning status in the location 65 // bar. 66 handler->ContinueRequest(); 67 break; 68 case net::ERR_CERT_CONTAINS_ERRORS: 69 case net::ERR_CERT_REVOKED: 70 case net::ERR_CERT_INVALID: 71 case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY: 72 case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN: 73 OnCertErrorInternal(handler, false, handler->fatal()); 74 break; 75 default: 76 NOTREACHED(); 77 handler->CancelRequest(); 78 break; 79 } 80} 81 82void SSLPolicy::DidRunInsecureContent(NavigationEntryImpl* entry, 83 const std::string& security_origin) { 84 if (!entry) 85 return; 86 87 SiteInstance* site_instance = entry->site_instance(); 88 if (!site_instance) 89 return; 90 91 backend_->HostRanInsecureContent(GURL(security_origin).host(), 92 site_instance->GetProcess()->GetID()); 93} 94 95void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) { 96 // TODO(abarth): This mechanism is wrong. What we should be doing is sending 97 // this information back through WebKit and out some FrameLoaderClient 98 // methods. 99 100 if (net::IsCertStatusError(info->ssl_cert_status())) 101 backend_->HostRanInsecureContent(info->url().host(), info->child_id()); 102} 103 104void SSLPolicy::UpdateEntry(NavigationEntryImpl* entry, 105 WebContentsImpl* web_contents) { 106 DCHECK(entry); 107 108 InitializeEntryIfNeeded(entry); 109 110 if (!entry->GetURL().SchemeIsSecure()) 111 return; 112 113 // An HTTPS response may not have a certificate for some reason. When that 114 // happens, use the unauthenticated (HTTP) rather than the authentication 115 // broken security style so that we can detect this error condition. 116 if (!entry->GetSSL().cert_id) { 117 entry->GetSSL().security_style = SECURITY_STYLE_UNAUTHENTICATED; 118 return; 119 } 120 121 if (net::IsCertStatusError(entry->GetSSL().cert_status)) { 122 // Minor errors don't lower the security style to 123 // SECURITY_STYLE_AUTHENTICATION_BROKEN. 124 if (!net::IsCertStatusMinorError(entry->GetSSL().cert_status)) { 125 entry->GetSSL().security_style = 126 SECURITY_STYLE_AUTHENTICATION_BROKEN; 127 } 128 return; 129 } 130 131 SiteInstance* site_instance = entry->site_instance(); 132 // Note that |site_instance| can be NULL here because NavigationEntries don't 133 // necessarily have site instances. Without a process, the entry can't 134 // possibly have insecure content. See bug http://crbug.com/12423. 135 if (site_instance && 136 backend_->DidHostRunInsecureContent( 137 entry->GetURL().host(), site_instance->GetProcess()->GetID())) { 138 entry->GetSSL().security_style = 139 SECURITY_STYLE_AUTHENTICATION_BROKEN; 140 entry->GetSSL().content_status |= SSLStatus::RAN_INSECURE_CONTENT; 141 return; 142 } 143 144 if (web_contents->DisplayedInsecureContent()) 145 entry->GetSSL().content_status |= SSLStatus::DISPLAYED_INSECURE_CONTENT; 146 else 147 entry->GetSSL().content_status &= ~SSLStatus::DISPLAYED_INSECURE_CONTENT; 148} 149 150void SSLPolicy::OnAllowCertificate(scoped_refptr<SSLCertErrorHandler> handler, 151 bool allow) { 152 if (allow) { 153 // Default behavior for accepting a certificate. 154 // Note that we should not call SetMaxSecurityStyle here, because the active 155 // NavigationEntry has just been deleted (in HideInterstitialPage) and the 156 // new NavigationEntry will not be set until DidNavigate. This is ok, 157 // because the new NavigationEntry will have its max security style set 158 // within DidNavigate. 159 // 160 // While AllowCertForHost() executes synchronously on this thread, 161 // ContinueRequest() gets posted to a different thread. Calling 162 // AllowCertForHost() first ensures deterministic ordering. 163 backend_->AllowCertForHost(handler->ssl_info().cert.get(), 164 handler->request_url().host(), 165 handler->cert_error()); 166 handler->ContinueRequest(); 167 } else { 168 // Default behavior for rejecting a certificate. 169 // 170 // While DenyCertForHost() executes synchronously on this thread, 171 // CancelRequest() gets posted to a different thread. Calling 172 // DenyCertForHost() first ensures deterministic ordering. 173 backend_->DenyCertForHost(handler->ssl_info().cert.get(), 174 handler->request_url().host(), 175 handler->cert_error()); 176 handler->CancelRequest(); 177 } 178} 179 180//////////////////////////////////////////////////////////////////////////////// 181// Certificate Error Routines 182 183void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler, 184 bool overridable, 185 bool strict_enforcement) { 186 CertificateRequestResultType result = 187 CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE; 188 GetContentClient()->browser()->AllowCertificateError( 189 handler->render_process_id(), 190 handler->render_view_id(), 191 handler->cert_error(), 192 handler->ssl_info(), 193 handler->request_url(), 194 handler->resource_type(), 195 overridable, 196 strict_enforcement, 197 base::Bind(&SSLPolicy::OnAllowCertificate, base::Unretained(this), 198 make_scoped_refptr(handler)), 199 &result); 200 switch (result) { 201 case CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE: 202 break; 203 case CERTIFICATE_REQUEST_RESULT_TYPE_CANCEL: 204 handler->CancelRequest(); 205 break; 206 case CERTIFICATE_REQUEST_RESULT_TYPE_DENY: 207 handler->DenyRequest(); 208 break; 209 default: 210 NOTREACHED(); 211 } 212} 213 214void SSLPolicy::InitializeEntryIfNeeded(NavigationEntryImpl* entry) { 215 if (entry->GetSSL().security_style != SECURITY_STYLE_UNKNOWN) 216 return; 217 218 entry->GetSSL().security_style = entry->GetURL().SchemeIsSecure() ? 219 SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED; 220} 221 222void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) { 223 GURL parsed_origin(origin); 224 if (parsed_origin.SchemeIsSecure()) 225 backend_->HostRanInsecureContent(parsed_origin.host(), pid); 226} 227 228} // namespace content 229