 | (Empty) | 
|    1 // Copyright 2015 The Chromium Authors. All rights reserved. |  | 
|    2 // Use of this source code is governed by a BSD-style license that can be |  | 
|    3 // found in the LICENSE file. |  | 
|    4  |  | 
|    5 #include "chrome/browser/ssl/connection_security_helper.h" |  | 
|    6  |  | 
|    7 #include "base/command_line.h" |  | 
|    8 #include "base/metrics/field_trial.h" |  | 
|    9 #include "base/metrics/histogram_macros.h" |  | 
|   10 #include "base/prefs/pref_service.h" |  | 
|   11 #include "chrome/browser/profiles/profile.h" |  | 
|   12 #include "chrome/browser/ssl/ssl_error_info.h" |  | 
|   13 #include "chrome/common/chrome_constants.h" |  | 
|   14 #include "chrome/common/chrome_switches.h" |  | 
|   15 #include "chrome/common/pref_names.h" |  | 
|   16 #include "content/public/browser/cert_store.h" |  | 
|   17 #include "content/public/browser/navigation_controller.h" |  | 
|   18 #include "content/public/browser/navigation_entry.h" |  | 
|   19 #include "content/public/browser/web_contents.h" |  | 
|   20 #include "content/public/common/origin_util.h" |  | 
|   21 #include "content/public/common/ssl_status.h" |  | 
|   22 #include "net/base/net_util.h" |  | 
|   23 #include "net/cert/cert_status_flags.h" |  | 
|   24 #include "net/cert/x509_certificate.h" |  | 
|   25 #include "net/ssl/ssl_connection_status_flags.h" |  | 
|   26  |  | 
|   27 #if defined(OS_CHROMEOS) |  | 
|   28 #include "chrome/browser/chromeos/policy/policy_cert_service.h" |  | 
|   29 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" |  | 
|   30 #endif |  | 
|   31  |  | 
|   32 namespace { |  | 
|   33  |  | 
|   34 ConnectionSecurityHelper::SecurityLevel |  | 
|   35 GetSecurityLevelForNonSecureFieldTrial() { |  | 
|   36   std::string choice = |  | 
|   37       base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII( |  | 
|   38           switches::kMarkNonSecureAs); |  | 
|   39   std::string group = base::FieldTrialList::FindFullName("MarkNonSecureAs"); |  | 
|   40  |  | 
|   41   // Do not change this enum. It is used in the histogram. |  | 
|   42   enum MarkNonSecureStatus { NEUTRAL, DUBIOUS, NON_SECURE, LAST_STATUS }; |  | 
|   43   const char kEnumeration[] = "MarkNonSecureAs"; |  | 
|   44  |  | 
|   45   ConnectionSecurityHelper::SecurityLevel level; |  | 
|   46   MarkNonSecureStatus status; |  | 
|   47  |  | 
|   48   if (choice == switches::kMarkNonSecureAsNeutral) { |  | 
|   49     status = NEUTRAL; |  | 
|   50     level = ConnectionSecurityHelper::NONE; |  | 
|   51   } else if (choice == switches::kMarkNonSecureAsDubious) { |  | 
|   52     status = DUBIOUS; |  | 
|   53     level = ConnectionSecurityHelper::SECURITY_WARNING; |  | 
|   54   } else if (choice == switches::kMarkNonSecureAsNonSecure) { |  | 
|   55     status = NON_SECURE; |  | 
|   56     level = ConnectionSecurityHelper::SECURITY_ERROR; |  | 
|   57   } else if (group == switches::kMarkNonSecureAsNeutral) { |  | 
|   58     status = NEUTRAL; |  | 
|   59     level = ConnectionSecurityHelper::NONE; |  | 
|   60   } else if (group == switches::kMarkNonSecureAsDubious) { |  | 
|   61     status = DUBIOUS; |  | 
|   62     level = ConnectionSecurityHelper::SECURITY_WARNING; |  | 
|   63   } else if (group == switches::kMarkNonSecureAsNonSecure) { |  | 
|   64     status = NON_SECURE; |  | 
|   65     level = ConnectionSecurityHelper::SECURITY_ERROR; |  | 
|   66   } else { |  | 
|   67     status = NEUTRAL; |  | 
|   68     level = ConnectionSecurityHelper::NONE; |  | 
|   69   } |  | 
|   70  |  | 
|   71   UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS); |  | 
|   72   return level; |  | 
|   73 } |  | 
|   74  |  | 
|   75 }  // namespace |  | 
|   76  |  | 
|   77 ConnectionSecurityHelper::SecurityLevel |  | 
|   78 ConnectionSecurityHelper::GetSecurityLevelForWebContents( |  | 
|   79     const content::WebContents* web_contents) { |  | 
|   80   if (!web_contents) |  | 
|   81     return NONE; |  | 
|   82  |  | 
|   83   content::NavigationEntry* entry = |  | 
|   84       web_contents->GetController().GetVisibleEntry(); |  | 
|   85   if (!entry) |  | 
|   86     return NONE; |  | 
|   87  |  | 
|   88   const content::SSLStatus& ssl = entry->GetSSL(); |  | 
|   89   switch (ssl.security_style) { |  | 
|   90     case content::SECURITY_STYLE_UNKNOWN: |  | 
|   91       return NONE; |  | 
|   92  |  | 
|   93     case content::SECURITY_STYLE_UNAUTHENTICATED: { |  | 
|   94       const GURL& url = entry->GetURL(); |  | 
|   95       if (!content::IsOriginSecure(url)) |  | 
|   96         return GetSecurityLevelForNonSecureFieldTrial(); |  | 
|   97       return NONE; |  | 
|   98     } |  | 
|   99  |  | 
|  100     case content::SECURITY_STYLE_AUTHENTICATION_BROKEN: |  | 
|  101       return SECURITY_ERROR; |  | 
|  102  |  | 
|  103     case content::SECURITY_STYLE_AUTHENTICATED: { |  | 
|  104 #if defined(OS_CHROMEOS) |  | 
|  105       policy::PolicyCertService* service = |  | 
|  106           policy::PolicyCertServiceFactory::GetForProfile( |  | 
|  107               Profile::FromBrowserContext(web_contents->GetBrowserContext())); |  | 
|  108       if (service && service->UsedPolicyCertificates()) |  | 
|  109         return SECURITY_POLICY_WARNING; |  | 
|  110 #endif |  | 
|  111       if (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT) |  | 
|  112         return SECURITY_WARNING; |  | 
|  113       scoped_refptr<net::X509Certificate> cert; |  | 
|  114       if (content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, &cert) && |  | 
|  115           (ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) { |  | 
|  116         // The internal representation of the dates for UI treatment of SHA-1. |  | 
|  117         // See http://crbug.com/401365 for details. |  | 
|  118         static const int64_t kJanuary2017 = INT64_C(13127702400000000); |  | 
|  119         // kJanuary2016 needs to be kept in sync with |  | 
|  120         // ToolbarModelAndroid::IsDeprecatedSHA1Present(). |  | 
|  121         static const int64_t kJanuary2016 = INT64_C(13096080000000000); |  | 
|  122         if (cert->valid_expiry() >= |  | 
|  123             base::Time::FromInternalValue(kJanuary2017)) { |  | 
|  124           return SECURITY_ERROR; |  | 
|  125         } |  | 
|  126         if (cert->valid_expiry() >= |  | 
|  127             base::Time::FromInternalValue(kJanuary2016)) { |  | 
|  128           return SECURITY_WARNING; |  | 
|  129         } |  | 
|  130       } |  | 
|  131       if (net::IsCertStatusError(ssl.cert_status)) { |  | 
|  132         DCHECK(net::IsCertStatusMinorError(ssl.cert_status)); |  | 
|  133         return SECURITY_WARNING; |  | 
|  134       } |  | 
|  135       if (net::SSLConnectionStatusToVersion(ssl.connection_status) == |  | 
|  136           net::SSL_CONNECTION_VERSION_SSL3) { |  | 
|  137         // SSLv3 will be removed in the future. |  | 
|  138         return SECURITY_WARNING; |  | 
|  139       } |  | 
|  140       if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && cert) |  | 
|  141         return EV_SECURE; |  | 
|  142       return SECURE; |  | 
|  143     } |  | 
|  144  |  | 
|  145     default: |  | 
|  146       NOTREACHED(); |  | 
|  147       return NONE; |  | 
|  148   } |  | 
|  149 } |  | 
|  150  |  | 
|  151 content::SecurityStyle ConnectionSecurityHelper::GetSecurityStyleForWebContents( |  | 
|  152     const content::WebContents* web_contents) { |  | 
|  153   SecurityLevel security_level = GetSecurityLevelForWebContents(web_contents); |  | 
|  154  |  | 
|  155   switch (security_level) { |  | 
|  156     case NONE: |  | 
|  157       return content::SECURITY_STYLE_UNAUTHENTICATED; |  | 
|  158     case EV_SECURE: |  | 
|  159     case SECURE: |  | 
|  160       return content::SECURITY_STYLE_AUTHENTICATED; |  | 
|  161     case SECURITY_WARNING: |  | 
|  162     case SECURITY_POLICY_WARNING: |  | 
|  163       return content::SECURITY_STYLE_WARNING; |  | 
|  164     case SECURITY_ERROR: |  | 
|  165       return content::SECURITY_STYLE_AUTHENTICATION_BROKEN; |  | 
|  166   } |  | 
|  167  |  | 
|  168   NOTREACHED(); |  | 
|  169   return content::SECURITY_STYLE_UNKNOWN; |  | 
|  170 } |  | 
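Review bot: In the SECURITY_STYLE_AUTHENTICATED branch of GetSecurityLevelForWebContents (new-file lines 131-134), a cert status that is an error but not a minor one is guarded only by a DCHECK, so in a release build it falls through to `return SECURITY_WARNING;` — a fail-open mapping if any caller ever pairs the authenticated style with a non-minor error, which this file cannot rule out on its own. Keeping the assertion but making the return depend on the same predicate fails closed in release: `return net::IsCertStatusMinorError(ssl.cert_status) ? SECURITY_WARNING : SECURITY_ERROR;`. Separately, the branch returns on the first matching condition, so a page that both displays insecure content (line 111) and carries a SHA-1 certificate expiring in 2017 or later (lines 122-125) reports SECURITY_WARNING rather than the more severe SECURITY_ERROR; if the intent is to surface the worst state, the SHA-1 check should run before the mixed-content check, otherwise a comment such as `// Mixed content deliberately takes precedence over the SHA-1 deprecation state.` should record the choice. Both functions and the anonymous-namespace helper are complete within this section.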