1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" | 5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" |
6 | 6 |
| 7 #include <vector> |
| 8 |
7 #include "base/command_line.h" | 9 #include "base/command_line.h" |
8 #include "base/metrics/field_trial.h" | 10 #include "base/metrics/field_trial.h" |
9 #include "base/metrics/histogram_macros.h" | 11 #include "base/metrics/histogram_macros.h" |
| 12 #include "base/strings/string16.h" |
10 #include "base/strings/utf_string_conversions.h" | 13 #include "base/strings/utf_string_conversions.h" |
11 #include "build/build_config.h" | 14 #include "build/build_config.h" |
12 #include "chrome/browser/chromeos/policy/policy_cert_service.h" | 15 #include "chrome/browser/chromeos/policy/policy_cert_service.h" |
13 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" | 16 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" |
14 #include "chrome/browser/profiles/profile.h" | 17 #include "chrome/browser/profiles/profile.h" |
15 #include "chrome/grit/generated_resources.h" | 18 #include "chrome/grit/generated_resources.h" |
16 #include "content/public/browser/cert_store.h" | 19 #include "content/public/browser/cert_store.h" |
17 #include "content/public/browser/navigation_entry.h" | 20 #include "content/public/browser/navigation_entry.h" |
18 #include "content/public/browser/security_style_explanation.h" | 21 #include "content/public/browser/security_style_explanation.h" |
19 #include "content/public/browser/security_style_explanations.h" | 22 #include "content/public/browser/security_style_explanations.h" |
20 #include "content/public/browser/web_contents.h" | 23 #include "content/public/browser/web_contents.h" |
21 #include "content/public/common/origin_util.h" | 24 #include "content/public/common/origin_util.h" |
22 #include "content/public/common/ssl_status.h" | 25 #include "content/public/common/ssl_status.h" |
23 #include "net/base/net_errors.h" | 26 #include "net/base/net_errors.h" |
24 #include "net/cert/x509_certificate.h" | 27 #include "net/cert/x509_certificate.h" |
| 28 #include "net/ssl/ssl_cipher_suite_names.h" |
| 29 #include "net/ssl/ssl_connection_status_flags.h" |
25 #include "ui/base/l10n/l10n_util.h" | 30 #include "ui/base/l10n/l10n_util.h" |
26 | 31 |
27 DEFINE_WEB_CONTENTS_USER_DATA_KEY(ChromeSecurityStateModelClient); | 32 DEFINE_WEB_CONTENTS_USER_DATA_KEY(ChromeSecurityStateModelClient); |
28 | 33 |
29 using security_state::SecurityStateModel; | 34 using security_state::SecurityStateModel; |
30 | 35 |
31 namespace { | 36 namespace { |
32 | 37 |
33 // Converts a content::SecurityStyle (an indicator of a request's | 38 // Converts a content::SecurityStyle (an indicator of a request's |
34 // overall security level computed by //content) into a | 39 // overall security level computed by //content) into a |
70 case SecurityStateModel::SECURE: | 75 case SecurityStateModel::SECURE: |
71 return content::SECURITY_STYLE_AUTHENTICATED; | 76 return content::SECURITY_STYLE_AUTHENTICATED; |
72 case SecurityStateModel::SECURITY_ERROR: | 77 case SecurityStateModel::SECURITY_ERROR: |
73 return content::SECURITY_STYLE_AUTHENTICATION_BROKEN; | 78 return content::SECURITY_STYLE_AUTHENTICATION_BROKEN; |
74 } | 79 } |
75 | 80 |
76 NOTREACHED(); | 81 NOTREACHED(); |
77 return content::SECURITY_STYLE_UNKNOWN; | 82 return content::SECURITY_STYLE_UNKNOWN; |
78 } | 83 } |
79 | 84 |
| 85 void AddConnectionExplanation( |
| 86 const security_state::SecurityStateModel::SecurityInfo& security_info, |
| 87 content::SecurityStyleExplanations* security_style_explanations) { |
| 88 |
| 89 // Avoid showing TLS details when we couldn't even establish a TLS connection |
| 90 // (e.g. for net errors) or if there was no real connection (some tests). We |
| 91 // check the |cert_id| to see if there was a connection. |
| 92 if (security_info.cert_id == 0 || security_info.connection_status == 0) { |
| 93 return; |
| 94 } |
| 95 |
| 96 int ssl_version = |
| 97 net::SSLConnectionStatusToVersion(security_info.connection_status); |
| 98 const char* protocol; |
| 99 net::SSLVersionToString(&protocol, ssl_version); |
| 100 const char* key_exchange; |
| 101 const char* cipher; |
| 102 const char* mac; |
| 103 bool is_aead; |
| 104 uint16_t cipher_suite = |
| 105 net::SSLConnectionStatusToCipherSuite(security_info.connection_status); |
| 106 net::SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, |
| 107 cipher_suite); |
| 108 base::string16 protocol_name = base::ASCIIToUTF16(protocol); |
| 109 base::string16 key_exchange_name = base::ASCIIToUTF16(key_exchange); |
| 110 const base::string16 cipher_name = |
| 111 (mac == NULL) ? base::ASCIIToUTF16(cipher) |
| 112 : l10n_util::GetStringFUTF16(IDS_CIPHER_WITH_MAC, |
| 113 base::ASCIIToUTF16(cipher), |
| 114 base::ASCIIToUTF16(mac)); |
| 115 if (security_info.obsolete_ssl_status == net::OBSOLETE_SSL_NONE) { |
| 116 security_style_explanations->secure_explanations.push_back( |
| 117 content::SecurityStyleExplanation( |
| 118 l10n_util::GetStringUTF8(IDS_STRONG_SSL_SUMMARY), |
| 119 l10n_util::GetStringFUTF8(IDS_STRONG_SSL_DESCRIPTION, protocol_name, |
| 120 key_exchange_name, cipher_name))); |
| 121 return; |
| 122 } |
| 123 |
| 124 std::vector<base::string16> description_replacements; |
| 125 int status = security_info.obsolete_ssl_status; |
| 126 int str_id; |
| 127 |
| 128 str_id = (status & net::OBSOLETE_SSL_MASK_PROTOCOL) |
| 129 ? IDS_SSL_AN_OBSOLETE_PROTOCOL |
| 130 : IDS_SSL_A_STRONG_PROTOCOL; |
| 131 description_replacements.push_back(l10n_util::GetStringUTF16(str_id)); |
| 132 description_replacements.push_back(protocol_name); |
| 133 |
| 134 str_id = (status & net::OBSOLETE_SSL_MASK_KEY_EXCHANGE) |
| 135 ? IDS_SSL_AN_OBSOLETE_KEY_EXCHANGE |
| 136 : IDS_SSL_A_STRONG_KEY_EXCHANGE; |
| 137 description_replacements.push_back(l10n_util::GetStringUTF16(str_id)); |
| 138 description_replacements.push_back(key_exchange_name); |
| 139 |
| 140 str_id = (status & net::OBSOLETE_SSL_MASK_CIPHER) ? IDS_SSL_AN_OBSOLETE_CIPHER |
| 141 : IDS_SSL_A_STRONG_CIPHER; |
| 142 description_replacements.push_back(l10n_util::GetStringUTF16(str_id)); |
| 143 description_replacements.push_back(cipher_name); |
| 144 |
| 145 security_style_explanations->info_explanations.push_back( |
| 146 content::SecurityStyleExplanation( |
| 147 l10n_util::GetStringUTF8(IDS_OBSOLETE_SSL_SUMMARY), |
| 148 base::UTF16ToUTF8( |
| 149 l10n_util::GetStringFUTF16(IDS_OBSOLETE_SSL_DESCRIPTION, |
| 150 description_replacements, nullptr)))); |
| 151 } |
| 152 |
80 } // namespace | 153 } // namespace |
81 | 154 |
82 ChromeSecurityStateModelClient::ChromeSecurityStateModelClient( | 155 ChromeSecurityStateModelClient::ChromeSecurityStateModelClient( |
83 content::WebContents* web_contents) | 156 content::WebContents* web_contents) |
84 : web_contents_(web_contents), | 157 : web_contents_(web_contents), |
85 security_state_model_(new SecurityStateModel()) { | 158 security_state_model_(new SecurityStateModel()) { |
86 security_state_model_->SetClient(this); | 159 security_state_model_->SetClient(this); |
87 } | 160 } |
88 | 161 |
89 ChromeSecurityStateModelClient::~ChromeSecurityStateModelClient() {} | 162 ChromeSecurityStateModelClient::~ChromeSecurityStateModelClient() {} |
165 SecurityStateModel::NO_DEPRECATED_SHA1) { | 238 SecurityStateModel::NO_DEPRECATED_SHA1) { |
166 security_style_explanations->secure_explanations.push_back( | 239 security_style_explanations->secure_explanations.push_back( |
167 content::SecurityStyleExplanation( | 240 content::SecurityStyleExplanation( |
168 l10n_util::GetStringUTF8(IDS_VALID_SERVER_CERTIFICATE), | 241 l10n_util::GetStringUTF8(IDS_VALID_SERVER_CERTIFICATE), |
169 l10n_util::GetStringUTF8( | 242 l10n_util::GetStringUTF8( |
170 IDS_VALID_SERVER_CERTIFICATE_DESCRIPTION), | 243 IDS_VALID_SERVER_CERTIFICATE_DESCRIPTION), |
171 security_info.cert_id)); | 244 security_info.cert_id)); |
172 } | 245 } |
173 } | 246 } |
174 | 247 |
175 if (security_info.is_secure_protocol_and_ciphersuite) { | 248 AddConnectionExplanation(security_info, security_style_explanations); |
176 security_style_explanations->secure_explanations.push_back( | |
177 content::SecurityStyleExplanation( | |
178 l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE), | |
179 l10n_util::GetStringUTF8( | |
180 IDS_SECURE_PROTOCOL_AND_CIPHERSUITE_DESCRIPTION))); | |
181 } | |
182 | 249 |
183 security_style_explanations->pkp_bypassed = security_info.pkp_bypassed; | 250 security_style_explanations->pkp_bypassed = security_info.pkp_bypassed; |
184 if (security_info.pkp_bypassed) { | 251 if (security_info.pkp_bypassed) { |
185 security_style_explanations->info_explanations.push_back( | 252 security_style_explanations->info_explanations.push_back( |
186 content::SecurityStyleExplanation( | 253 content::SecurityStyleExplanation( |
187 "Public-Key Pinning Bypassed", | 254 "Public-Key Pinning Bypassed", |
188 "Public-key pinning was bypassed by a local root certificate.")); | 255 "Public-key pinning was bypassed by a local root certificate.")); |
189 } | 256 } |
190 | 257 |
191 return security_style; | 258 return security_style; |
248 state->displayed_mixed_content = | 315 state->displayed_mixed_content = |
249 !!(ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT); | 316 !!(ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT); |
250 state->ran_mixed_content = | 317 state->ran_mixed_content = |
251 !!(ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT); | 318 !!(ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT); |
252 state->displayed_content_with_cert_errors = | 319 state->displayed_content_with_cert_errors = |
253 !!(ssl.content_status & | 320 !!(ssl.content_status & |
254 content::SSLStatus::DISPLAYED_CONTENT_WITH_CERT_ERRORS); | 321 content::SSLStatus::DISPLAYED_CONTENT_WITH_CERT_ERRORS); |
255 state->ran_content_with_cert_errors = | 322 state->ran_content_with_cert_errors = |
256 !!(ssl.content_status & content::SSLStatus::RAN_CONTENT_WITH_CERT_ERRORS); | 323 !!(ssl.content_status & content::SSLStatus::RAN_CONTENT_WITH_CERT_ERRORS); |
257 } | 324 } |
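Review bot: `is_aead` is filled by `net::SSLCipherSuiteToStrings` in AddConnectionExplanation but never read, while the AEAD-versus-MAC choice for `cipher_name` a few lines later is made from `mac == NULL`; if the two are meant to coincide, selecting on the flag states the intent directly, `const base::string16 cipher_name = is_aead ? base::ASCIIToUTF16(cipher) : l10n_util::GetStringFUTF16(IDS_CIPHER_WITH_MAC, base::ASCIIToUTF16(cipher), base::ASCIIToUTF16(mac));`, and otherwise the unused variable should go. The literal `NULL` on that line is also inconsistent with the `nullptr` passed to `GetStringFUTF16` at the end of the same function. The `const char*` and `bool` locals are declared uninitialised and rely on both net helpers assigning every out-parameter on every path, including an unrecognised version or cipher suite; if that is not guaranteed, initialising them (`const char* protocol = nullptr;` and so on) keeps the `ASCIIToUTF16` calls from dereferencing indeterminate pointers. The new helper also lacks the header comment the file gives its other anonymous-namespace helper; something like `// Appends a secure explanation naming the connection's protocol, key exchange and cipher when none is obsolete, otherwise an info explanation identifying the obsolete parts.` above the signature would cover it.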