1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "content/browser/ssl/ssl_policy.h"
6
7#include "base/base_switches.h"
8#include "base/bind.h"
9#include "base/command_line.h"
10#include "base/memory/singleton.h"
11#include "base/strings/string_piece.h"
12#include "base/strings/string_util.h"
13#include "content/browser/frame_host/navigation_entry_impl.h"
14#include "content/browser/renderer_host/render_process_host_impl.h"
15#include "content/browser/renderer_host/render_view_host_impl.h"
16#include "content/browser/site_instance_impl.h"
17#include "content/browser/ssl/ssl_cert_error_handler.h"
18#include "content/browser/ssl/ssl_request_info.h"
19#include "content/browser/web_contents/web_contents_impl.h"
20#include "content/public/browser/content_browser_client.h"
21#include "content/public/common/ssl_status.h"
22#include "content/public/common/url_constants.h"
23#include "net/ssl/ssl_info.h"
24#include "webkit/common/resource_type.h"
25
26
27namespace content {
28
29SSLPolicy::SSLPolicy(SSLPolicyBackend* backend)
30    : backend_(backend) {
31  DCHECK(backend_);
32}
33
34void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
35  // First we check if we know the policy for this error.
36  net::CertPolicy::Judgment judgment = backend_->QueryPolicy(
37      handler->ssl_info().cert.get(),
38      handler->request_url().host(),
39      handler->cert_error());
40
41  if (judgment == net::CertPolicy::ALLOWED) {
42    handler->ContinueRequest();
43    return;
44  }
45
46  // The judgment is either DENIED or UNKNOWN.
47  // For now we handle the DENIED as the UNKNOWN, which means a blocking
48  // page is shown to the user every time he comes back to the page.
49
50  switch (handler->cert_error()) {
51    case net::ERR_CERT_COMMON_NAME_INVALID:
52    case net::ERR_CERT_DATE_INVALID:
53    case net::ERR_CERT_AUTHORITY_INVALID:
54    case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
55    case net::ERR_CERT_WEAK_KEY:
56    case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION:
57      OnCertErrorInternal(handler, !handler->fatal(), handler->fatal());
58      break;
59    case net::ERR_CERT_NO_REVOCATION_MECHANISM:
60      // Ignore this error.
61      handler->ContinueRequest();
62      break;
63    case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
64      // We ignore this error but will show a warning status in the location
65      // bar.
66      handler->ContinueRequest();
67      break;
68    case net::ERR_CERT_CONTAINS_ERRORS:
69    case net::ERR_CERT_REVOKED:
70    case net::ERR_CERT_INVALID:
71    case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
72    case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
73      OnCertErrorInternal(handler, false, handler->fatal());
74      break;
75    default:
76      NOTREACHED();
77      handler->CancelRequest();
78      break;
79  }
80}
81
82void SSLPolicy::DidRunInsecureContent(NavigationEntryImpl* entry,
83                                      const std::string& security_origin) {
84  if (!entry)
85    return;
86
87  SiteInstance* site_instance = entry->site_instance();
88  if (!site_instance)
89      return;
90
91  backend_->HostRanInsecureContent(GURL(security_origin).host(),
92                                   site_instance->GetProcess()->GetID());
93}
94
95void SSLPolicy::OnRequestStarted(SSLRequestInfo* info) {
96  // TODO(abarth): This mechanism is wrong.  What we should be doing is sending
97  // this information back through WebKit and out some FrameLoaderClient
98  // methods.
99
100  if (net::IsCertStatusError(info->ssl_cert_status()))
101    backend_->HostRanInsecureContent(info->url().host(), info->child_id());
102}
103
104void SSLPolicy::UpdateEntry(NavigationEntryImpl* entry,
105                            WebContentsImpl* web_contents) {
106  DCHECK(entry);
107
108  InitializeEntryIfNeeded(entry);
109
110  if (!entry->GetURL().SchemeIsSecure())
111    return;
112
113  if (!web_contents->DisplayedInsecureContent())
114    entry->GetSSL().content_status &= ~SSLStatus::DISPLAYED_INSECURE_CONTENT;
115
116  // An HTTPS response may not have a certificate for some reason.  When that
117  // happens, use the unauthenticated (HTTP) rather than the authentication
118  // broken security style so that we can detect this error condition.
119  if (!entry->GetSSL().cert_id) {
120    entry->GetSSL().security_style = SECURITY_STYLE_UNAUTHENTICATED;
121    return;
122  }
123
124  if (web_contents->DisplayedInsecureContent())
125    entry->GetSSL().content_status |= SSLStatus::DISPLAYED_INSECURE_CONTENT;
126
127  if (net::IsCertStatusError(entry->GetSSL().cert_status)) {
128    // Minor errors don't lower the security style to
129    // SECURITY_STYLE_AUTHENTICATION_BROKEN.
130    if (!net::IsCertStatusMinorError(entry->GetSSL().cert_status)) {
131      entry->GetSSL().security_style =
132          SECURITY_STYLE_AUTHENTICATION_BROKEN;
133    }
134    return;
135  }
136
137  SiteInstance* site_instance = entry->site_instance();
138  // Note that |site_instance| can be NULL here because NavigationEntries don't
139  // necessarily have site instances.  Without a process, the entry can't
140  // possibly have insecure content.  See bug http://crbug.com/12423.
141  if (site_instance &&
142      backend_->DidHostRunInsecureContent(
143          entry->GetURL().host(), site_instance->GetProcess()->GetID())) {
144    entry->GetSSL().security_style =
145        SECURITY_STYLE_AUTHENTICATION_BROKEN;
146    entry->GetSSL().content_status |= SSLStatus::RAN_INSECURE_CONTENT;
147    return;
148  }
149}
150
151void SSLPolicy::OnAllowCertificate(scoped_refptr<SSLCertErrorHandler> handler,
152                                   bool allow) {
153  if (allow) {
154    // Default behavior for accepting a certificate.
155    // Note that we should not call SetMaxSecurityStyle here, because the active
156    // NavigationEntry has just been deleted (in HideInterstitialPage) and the
157    // new NavigationEntry will not be set until DidNavigate.  This is ok,
158    // because the new NavigationEntry will have its max security style set
159    // within DidNavigate.
160    //
161    // While AllowCertForHost() executes synchronously on this thread,
162    // ContinueRequest() gets posted to a different thread. Calling
163    // AllowCertForHost() first ensures deterministic ordering.
164    backend_->AllowCertForHost(handler->ssl_info().cert.get(),
165                               handler->request_url().host(),
166                               handler->cert_error());
167    handler->ContinueRequest();
168  } else {
169    // Default behavior for rejecting a certificate.
170    //
171    // While DenyCertForHost() executes synchronously on this thread,
172    // CancelRequest() gets posted to a different thread. Calling
173    // DenyCertForHost() first ensures deterministic ordering.
174    backend_->DenyCertForHost(handler->ssl_info().cert.get(),
175                              handler->request_url().host(),
176                              handler->cert_error());
177    handler->CancelRequest();
178  }
179}
180
181////////////////////////////////////////////////////////////////////////////////
182// Certificate Error Routines
183
184void SSLPolicy::OnCertErrorInternal(SSLCertErrorHandler* handler,
185                                    bool overridable,
186                                    bool strict_enforcement) {
187  CertificateRequestResultType result =
188      CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE;
189  GetContentClient()->browser()->AllowCertificateError(
190      handler->render_process_id(),
191      handler->render_frame_id(),
192      handler->cert_error(),
193      handler->ssl_info(),
194      handler->request_url(),
195      handler->resource_type(),
196      overridable,
197      strict_enforcement,
198      base::Bind(&SSLPolicy::OnAllowCertificate, base::Unretained(this),
199                 make_scoped_refptr(handler)),
200      &result);
201  switch (result) {
202    case CERTIFICATE_REQUEST_RESULT_TYPE_CONTINUE:
203      break;
204    case CERTIFICATE_REQUEST_RESULT_TYPE_CANCEL:
205      handler->CancelRequest();
206      break;
207    case CERTIFICATE_REQUEST_RESULT_TYPE_DENY:
208      handler->DenyRequest();
209      break;
210    default:
211      NOTREACHED();
212  }
213}
214
215void SSLPolicy::InitializeEntryIfNeeded(NavigationEntryImpl* entry) {
216  if (entry->GetSSL().security_style != SECURITY_STYLE_UNKNOWN)
217    return;
218
219  entry->GetSSL().security_style = entry->GetURL().SchemeIsSecure() ?
220      SECURITY_STYLE_AUTHENTICATED : SECURITY_STYLE_UNAUTHENTICATED;
221}
222
223void SSLPolicy::OriginRanInsecureContent(const std::string& origin, int pid) {
224  GURL parsed_origin(origin);
225  if (parsed_origin.SchemeIsSecure())
226    backend_->HostRanInsecureContent(parsed_origin.host(), pid);
227}
228
229}  // namespace content
230