| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_ | |
| 6 #define CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_ | |
| 7 | |
| 8 #include <string> | |
| 9 #include <vector> | |
| 10 | |
| 11 #include "base/gtest_prod_util.h" | |
| 12 #include "base/time/time.h" | |
| 13 #include "net/cert/x509_certificate.h" | |
| 14 #include "url/gurl.h" | |
| 15 | |
| 16 class SSLErrorClassification { | |
| 17 public: | |
| 18 SSLErrorClassification(const base::Time& current_time, | |
| 19 const GURL& url, | |
| 20 int cert_error, | |
| 21 const net::X509Certificate& cert); | |
| 22 ~SSLErrorClassification(); | |
| 23 | |
| 24 // Returns true if the system time is in the past. | |
| 25 static bool IsUserClockInThePast(const base::Time& time_now); | |
| 26 | |
| 27 // Returns true if the system time is too far in the future or the user is | |
| 28 // using a version of Chrome which is more than 1 year old. | |
| 29 static bool IsUserClockInTheFuture(const base::Time& time_now); | |
| 30 | |
| 31 // Sets a clock for browser tests that check the build time. Used by | |
| 32 // IsUserClockInThePast and IsUserClockInTheFuture. | |
| 33 static void SetBuildTimeForTesting(const base::Time& testing_time); | |
| 34 | |
| 35 // Returns true if the Windows platform is likely to not have SHA-256 support. | |
| 36 // On other platforms, returns false always. | |
| 37 static bool MaybeWindowsLacksSHA256Support(); | |
| 38 | |
| 39 // Returns true if the site's hostname differs from one of the DNS | |
| 40 // names in the certificate (CN or SANs) only by the presence or | |
| 41 // absence of the single-label prefix "www". E.g.: (The first domain | |
| 42 // is hostname and the second domain is a DNS name in the certificate) | |
| 43 // | |
| 44 // www.example.com ~ example.com -> true | |
| 45 // example.com ~ www.example.com -> true | |
| 46 // www.food.example.com ~ example.com -> false | |
| 47 // mail.example.com ~ example.com -> false | |
| 48 static bool GetWWWSubDomainMatch(const std::string& host_name, | |
| 49 const std::vector<std::string>& dns_names, | |
| 50 std::string* www_match_host_name); | |
| 51 | |
| 52 void RecordUMAStatistics(bool overridable) const; | |
| 53 | |
| 54 private: | |
| 55 FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, TestDateInvalidScore); | |
| 56 FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, TestNameMismatch); | |
| 57 FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, | |
| 58 TestHostNameHasKnownTLD); | |
| 59 FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, TestPrivateURL); | |
| 60 | |
| 61 typedef std::vector<std::string> Tokens; | |
| 62 | |
| 63 // Returns true if the hostname has a known Top Level Domain. | |
| 64 static bool IsHostNameKnownTLD(const std::string& host_name); | |
| 65 | |
| 66 // Returns true if any one of the following conditions hold: | |
| 67 // 1.|hostname| is an IP Address in an IANA-reserved range. | |
| 68 // 2.|hostname| is a not-yet-assigned by ICANN gTLD. | |
| 69 // 3.|hostname| is a dotless domain. | |
| 70 static bool IsHostnameNonUniqueOrDotless(const std::string& hostname); | |
| 71 | |
| 72 // Returns true if GetWWWSubDomainMatch finds a www mismatch. | |
| 73 bool IsWWWSubDomainMatch() const; | |
| 74 | |
| 75 // Returns true if |child| is a subdomain of any of the |potential_parents|. | |
| 76 bool NameUnderAnyNames(const Tokens& child, | |
| 77 const std::vector<Tokens>& potential_parents) const; | |
| 78 | |
| 79 // Returns true if any of the |potential_children| is a subdomain of the | |
| 80 // |parent|. The inverse case should be treated carefully as this is most | |
| 81 // likely a MITM attack. We don't want foo.appspot.com to be able to MITM for | |
| 82 // appspot.com. | |
| 83 bool AnyNamesUnderName(const std::vector<Tokens>& potential_children, | |
| 84 const Tokens& parent) const; | |
| 85 | |
| 86 // Returns true if |hostname| is too broad for the scope of a wildcard | |
| 87 // certificate. E.g.: | |
| 88 // | |
| 89 // a.b.example.com ~ *.example.com --> true | |
| 90 // b.example.com ~ *.example.com --> false | |
| 91 bool IsSubDomainOutsideWildcard(const Tokens& hostname) const; | |
| 92 | |
| 93 // Returns true if the certificate is a shared certificate. Note - This | |
| 94 // function should be used with caution (only for UMA histogram) as an | |
| 95 // attacker could easily get a certificate with more than 5 names in the SAN | |
| 96 // fields. | |
| 97 bool IsCertLikelyFromMultiTenantHosting() const; | |
| 98 | |
| 99 // Returns true if the hostname in |request_url_| has the same domain | |
| 100 // (effective TLD + 1 label) as at least one of the subject | |
| 101 // alternative names in |cert_|. | |
| 102 bool IsCertLikelyFromSameDomain() const; | |
| 103 | |
| 104 static std::vector<Tokens> GetTokenizedDNSNames( | |
| 105 const std::vector<std::string>& dns_names); | |
| 106 | |
| 107 // If |potential_subdomain| is a subdomain of |parent|, returns the | |
| 108 // number of DNS labels by which |potential_subdomain| is under | |
| 109 // |parent|. Otherwise, returns 0. | |
| 110 // | |
| 111 // For example, | |
| 112 // | |
| 113 // FindSubDomainDifference(Tokenize("a.b.example.com"), | |
| 114 // Tokenize("example.com")) | |
| 115 // --> 2. | |
| 116 size_t FindSubDomainDifference(const Tokens& potential_subdomain, | |
| 117 const Tokens& parent) const; | |
| 118 | |
| 119 static Tokens Tokenize(const std::string& name); | |
| 120 | |
| 121 base::Time current_time_; | |
| 122 const GURL request_url_; | |
| 123 int cert_error_; | |
| 124 const net::X509Certificate& cert_; | |
| 125 }; | |
| 126 | |
| 127 #endif // CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1355413003:
Move error classification into the ssl_errors component (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master