| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/security_state/security_state_model.h" | 5 #include "components/security_state/core/security_state_model.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
| 10 #include "base/metrics/field_trial.h" | 10 #include "base/metrics/field_trial.h" |
| 11 #include "base/metrics/histogram_macros.h" | 11 #include "base/metrics/histogram_macros.h" |
| 12 #include "components/security_state/security_state_model_client.h" | 12 #include "components/security_state/core/switches.h" |
| 13 #include "components/security_state/switches.h" | |
| 14 #include "net/ssl/ssl_cipher_suite_names.h" | 13 #include "net/ssl/ssl_cipher_suite_names.h" |
| 15 #include "net/ssl/ssl_connection_status_flags.h" | 14 #include "net/ssl/ssl_connection_status_flags.h" |
| 16 | 15 |
| 17 namespace security_state { | 16 namespace security_state { |
| 18 | 17 |
| 19 namespace { | 18 namespace { |
| 20 | 19 |
| 21 // Do not change or reorder this enum, and add new values at the end. It is used | 20 // Do not change or reorder this enum, and add new values at the end. It is used |
| 22 // in the MarkHttpAs histogram. | 21 // in the MarkHttpAs histogram. |
| 23 enum MarkHttpStatus { NEUTRAL, NON_SECURE, HTTP_SHOW_WARNING, LAST_STATUS }; | 22 enum MarkHttpStatus { NEUTRAL, NON_SECURE, HTTP_SHOW_WARNING, LAST_STATUS }; |
| (...skipping 88 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 112 return SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN; | 111 return SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN; |
| 113 if (ran) | 112 if (ran) |
| 114 return SecurityStateModel::CONTENT_STATUS_RAN; | 113 return SecurityStateModel::CONTENT_STATUS_RAN; |
| 115 if (displayed) | 114 if (displayed) |
| 116 return SecurityStateModel::CONTENT_STATUS_DISPLAYED; | 115 return SecurityStateModel::CONTENT_STATUS_DISPLAYED; |
| 117 return SecurityStateModel::CONTENT_STATUS_NONE; | 116 return SecurityStateModel::CONTENT_STATUS_NONE; |
| 118 } | 117 } |
| 119 | 118 |
| 120 SecurityStateModel::SecurityLevel GetSecurityLevelForRequest( | 119 SecurityStateModel::SecurityLevel GetSecurityLevelForRequest( |
| 121 const SecurityStateModel::VisibleSecurityState& visible_security_state, | 120 const SecurityStateModel::VisibleSecurityState& visible_security_state, |
| 122 SecurityStateModelClient* client, | 121 bool used_policy_installed_certificate, |
| 123 SecurityStateModel::SHA1DeprecationStatus sha1_status, | 122 SecurityStateModel::SHA1DeprecationStatus sha1_status, |
| 124 SecurityStateModel::ContentStatus mixed_content_status, | 123 SecurityStateModel::ContentStatus mixed_content_status, |
| 125 SecurityStateModel::ContentStatus content_with_cert_errors_status) { | 124 SecurityStateModel::ContentStatus content_with_cert_errors_status) { |
| 126 DCHECK(visible_security_state.connection_info_initialized || | 125 DCHECK(visible_security_state.connection_info_initialized || |
| 127 visible_security_state.fails_malware_check); | 126 visible_security_state.fails_malware_check); |
| 128 | 127 |
| 129 // Override the connection security information if the website failed the | 128 // Override the connection security information if the website failed the |
| 130 // browser's malware checks. | 129 // browser's malware checks. |
| 131 if (visible_security_state.fails_malware_check) | 130 if (visible_security_state.fails_malware_check) |
| 132 return SecurityStateModel::DANGEROUS; | 131 return SecurityStateModel::DANGEROUS; |
| 133 | 132 |
| 134 GURL url = visible_security_state.url; | 133 GURL url = visible_security_state.url; |
| 135 | 134 |
| 136 bool is_cryptographic_with_certificate = | 135 bool is_cryptographic_with_certificate = |
| 137 (url.SchemeIsCryptographic() && visible_security_state.certificate); | 136 (url.SchemeIsCryptographic() && visible_security_state.certificate); |
| 138 | 137 |
| 139 // Set the security level to DANGEROUS for major certificate errors. | 138 // Set the security level to DANGEROUS for major certificate errors. |
| 140 if (is_cryptographic_with_certificate && | 139 if (is_cryptographic_with_certificate && |
| 141 net::IsCertStatusError(visible_security_state.cert_status) && | 140 net::IsCertStatusError(visible_security_state.cert_status) && |
| 142 !net::IsCertStatusMinorError(visible_security_state.cert_status)) { | 141 !net::IsCertStatusMinorError(visible_security_state.cert_status)) { |
| 143 return SecurityStateModel::DANGEROUS; | 142 return SecurityStateModel::DANGEROUS; |
| 144 } | 143 } |
| 145 | 144 |
| 146 // Choose the appropriate security level for HTTP requests. | 145 // Choose the appropriate security level for HTTP requests. |
| 147 if (!is_cryptographic_with_certificate) { | 146 if (!is_cryptographic_with_certificate) { |
| 148 if (!client->IsOriginSecure(url) && url.IsStandard()) { | 147 if (!IsOriginSecure(url) && url.IsStandard()) { |
| 149 return GetSecurityLevelForNonSecureFieldTrial( | 148 return GetSecurityLevelForNonSecureFieldTrial( |
| 150 visible_security_state.displayed_password_field_on_http || | 149 visible_security_state.displayed_password_field_on_http || |
| 151 visible_security_state.displayed_credit_card_field_on_http); | 150 visible_security_state.displayed_credit_card_field_on_http); |
| 152 } | 151 } |
| 153 return SecurityStateModel::NONE; | 152 return SecurityStateModel::NONE; |
| 154 } | 153 } |
| 155 | 154 |
| 156 // Downgrade the security level for active insecure subresources. | 155 // Downgrade the security level for active insecure subresources. |
| 157 if (mixed_content_status == SecurityStateModel::CONTENT_STATUS_RAN || | 156 if (mixed_content_status == SecurityStateModel::CONTENT_STATUS_RAN || |
| 158 mixed_content_status == | 157 mixed_content_status == |
| 159 SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN || | 158 SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN || |
| 160 content_with_cert_errors_status == | 159 content_with_cert_errors_status == |
| 161 SecurityStateModel::CONTENT_STATUS_RAN || | 160 SecurityStateModel::CONTENT_STATUS_RAN || |
| 162 content_with_cert_errors_status == | 161 content_with_cert_errors_status == |
| 163 SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN) { | 162 SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN) { |
| 164 return SecurityStateModel::kRanInsecureContentLevel; | 163 return SecurityStateModel::kRanInsecureContentLevel; |
| 165 } | 164 } |
| 166 | 165 |
| 167 // Report if there is a policy cert first, before reporting any other | 166 // Report if there is a policy cert first, before reporting any other |
| 168 // authenticated-but-with-errors cases. A policy cert is a strong | 167 // authenticated-but-with-errors cases. A policy cert is a strong |
| 169 // indicator of a MITM being present (the enterprise), while the | 168 // indicator of a MITM being present (the enterprise), while the |
| 170 // other authenticated-but-with-errors indicate something may | 169 // other authenticated-but-with-errors indicate something may |
| 171 // be wrong, or may be wrong in the future, but is unclear now. | 170 // be wrong, or may be wrong in the future, but is unclear now. |
| 172 if (client->UsedPolicyInstalledCertificate()) | 171 if (used_policy_installed_certificate) |
| 173 return SecurityStateModel::SECURE_WITH_POLICY_INSTALLED_CERT; | 172 return SecurityStateModel::SECURE_WITH_POLICY_INSTALLED_CERT; |
| 174 | 173 |
| 175 if (sha1_status == SecurityStateModel::DEPRECATED_SHA1_MAJOR) | 174 if (sha1_status == SecurityStateModel::DEPRECATED_SHA1_MAJOR) |
| 176 return SecurityStateModel::DANGEROUS; | 175 return SecurityStateModel::DANGEROUS; |
| 177 if (sha1_status == SecurityStateModel::DEPRECATED_SHA1_MINOR) | 176 if (sha1_status == SecurityStateModel::DEPRECATED_SHA1_MINOR) |
| 178 return SecurityStateModel::NONE; | 177 return SecurityStateModel::NONE; |
| 179 | 178 |
| 180 // Active mixed content is handled above. | 179 // Active mixed content is handled above. |
| 181 DCHECK_NE(SecurityStateModel::CONTENT_STATUS_RAN, mixed_content_status); | 180 DCHECK_NE(SecurityStateModel::CONTENT_STATUS_RAN, mixed_content_status); |
| 182 DCHECK_NE(SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN, | 181 DCHECK_NE(SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN, |
| (...skipping 12 matching lines...) Expand all Loading... |
| 195 } | 194 } |
| 196 | 195 |
| 197 if ((visible_security_state.cert_status & net::CERT_STATUS_IS_EV) && | 196 if ((visible_security_state.cert_status & net::CERT_STATUS_IS_EV) && |
| 198 visible_security_state.certificate) { | 197 visible_security_state.certificate) { |
| 199 return SecurityStateModel::EV_SECURE; | 198 return SecurityStateModel::EV_SECURE; |
| 200 } | 199 } |
| 201 return SecurityStateModel::SECURE; | 200 return SecurityStateModel::SECURE; |
| 202 } | 201 } |
| 203 | 202 |
| 204 void SecurityInfoForRequest( | 203 void SecurityInfoForRequest( |
| 205 SecurityStateModelClient* client, | |
| 206 const SecurityStateModel::VisibleSecurityState& visible_security_state, | 204 const SecurityStateModel::VisibleSecurityState& visible_security_state, |
| 205 bool used_policy_installed_certificate, |
| 207 SecurityStateModel::SecurityInfo* security_info) { | 206 SecurityStateModel::SecurityInfo* security_info) { |
| 208 if (!visible_security_state.connection_info_initialized) { | 207 if (!visible_security_state.connection_info_initialized) { |
| 209 *security_info = SecurityStateModel::SecurityInfo(); | 208 *security_info = SecurityStateModel::SecurityInfo(); |
| 210 security_info->fails_malware_check = | 209 security_info->fails_malware_check = |
| 211 visible_security_state.fails_malware_check; | 210 visible_security_state.fails_malware_check; |
| 212 if (security_info->fails_malware_check) { | 211 if (security_info->fails_malware_check) { |
| 213 security_info->security_level = GetSecurityLevelForRequest( | 212 security_info->security_level = GetSecurityLevelForRequest( |
| 214 visible_security_state, client, SecurityStateModel::UNKNOWN_SHA1, | 213 visible_security_state, used_policy_installed_certificate, |
| 214 SecurityStateModel::UNKNOWN_SHA1, |
| 215 SecurityStateModel::CONTENT_STATUS_UNKNOWN, | 215 SecurityStateModel::CONTENT_STATUS_UNKNOWN, |
| 216 SecurityStateModel::CONTENT_STATUS_UNKNOWN); | 216 SecurityStateModel::CONTENT_STATUS_UNKNOWN); |
| 217 } | 217 } |
| 218 return; | 218 return; |
| 219 } | 219 } |
| 220 security_info->certificate = visible_security_state.certificate; | 220 security_info->certificate = visible_security_state.certificate; |
| 221 security_info->sha1_deprecation_status = | 221 security_info->sha1_deprecation_status = |
| 222 GetSHA1DeprecationStatus(visible_security_state); | 222 GetSHA1DeprecationStatus(visible_security_state); |
| 223 security_info->mixed_content_status = | 223 security_info->mixed_content_status = |
| 224 GetContentStatus(visible_security_state.displayed_mixed_content, | 224 GetContentStatus(visible_security_state.displayed_mixed_content, |
| (...skipping 14 matching lines...) Expand all Loading... |
| 239 visible_security_state.sct_verify_statuses; | 239 visible_security_state.sct_verify_statuses; |
| 240 | 240 |
| 241 security_info->fails_malware_check = | 241 security_info->fails_malware_check = |
| 242 visible_security_state.fails_malware_check; | 242 visible_security_state.fails_malware_check; |
| 243 | 243 |
| 244 security_info->displayed_private_user_data_input_on_http = | 244 security_info->displayed_private_user_data_input_on_http = |
| 245 visible_security_state.displayed_password_field_on_http || | 245 visible_security_state.displayed_password_field_on_http || |
| 246 visible_security_state.displayed_credit_card_field_on_http; | 246 visible_security_state.displayed_credit_card_field_on_http; |
| 247 | 247 |
| 248 security_info->security_level = GetSecurityLevelForRequest( | 248 security_info->security_level = GetSecurityLevelForRequest( |
| 249 visible_security_state, client, security_info->sha1_deprecation_status, | 249 visible_security_state, used_policy_installed_certificate, |
| 250 security_info->sha1_deprecation_status, |
| 250 security_info->mixed_content_status, | 251 security_info->mixed_content_status, |
| 251 security_info->content_with_cert_errors_status); | 252 security_info->content_with_cert_errors_status); |
| 252 } | 253 } |
| 253 | 254 |
| 254 } // namespace | 255 } // namespace |
| 255 | 256 |
| 256 const SecurityStateModel::SecurityLevel | 257 const SecurityStateModel::SecurityLevel |
| 257 SecurityStateModel::kDisplayedInsecureContentLevel = | 258 SecurityStateModel::kDisplayedInsecureContentLevel = |
| 258 SecurityStateModel::NONE; | 259 SecurityStateModel::NONE; |
| 259 const SecurityStateModel::SecurityLevel | 260 const SecurityStateModel::SecurityLevel |
| (...skipping 15 matching lines...) Expand all Loading... |
| 275 pkp_bypassed(false), | 276 pkp_bypassed(false), |
| 276 displayed_private_user_data_input_on_http(false) {} | 277 displayed_private_user_data_input_on_http(false) {} |
| 277 | 278 |
| 278 SecurityStateModel::SecurityInfo::~SecurityInfo() {} | 279 SecurityStateModel::SecurityInfo::~SecurityInfo() {} |
| 279 | 280 |
| 280 SecurityStateModel::SecurityStateModel() {} | 281 SecurityStateModel::SecurityStateModel() {} |
| 281 | 282 |
| 282 SecurityStateModel::~SecurityStateModel() {} | 283 SecurityStateModel::~SecurityStateModel() {} |
| 283 | 284 |
| 284 void SecurityStateModel::GetSecurityInfo( | 285 void SecurityStateModel::GetSecurityInfo( |
| 285 SecurityStateModel::SecurityInfo* result) const { | 286 SecurityStateModel::SecurityInfo* result, |
| 286 VisibleSecurityState new_visible_state; | 287 std::unique_ptr<VisibleSecurityState> visible_security_state, |
| 287 client_->GetVisibleSecurityState(&new_visible_state); | 288 bool used_policy_installed_certificate) const { |
| 288 SecurityInfoForRequest(client_, new_visible_state, result); | 289 SecurityInfoForRequest(*visible_security_state, |
| 289 } | 290 used_policy_installed_certificate, result); |
| 290 | |
| 291 void SecurityStateModel::SetClient(SecurityStateModelClient* client) { | |
| 292 client_ = client; | |
| 293 } | 291 } |
| 294 | 292 |
| 295 SecurityStateModel::VisibleSecurityState::VisibleSecurityState() | 293 SecurityStateModel::VisibleSecurityState::VisibleSecurityState() |
| 296 : fails_malware_check(false), | 294 : fails_malware_check(false), |
| 297 connection_info_initialized(false), | 295 connection_info_initialized(false), |
| 298 cert_status(0), | 296 cert_status(0), |
| 299 connection_status(0), | 297 connection_status(0), |
| 300 key_exchange_group(0), | 298 key_exchange_group(0), |
| 301 security_bits(-1), | 299 security_bits(-1), |
| 302 displayed_mixed_content(false), | 300 displayed_mixed_content(false), |
| (...skipping 22 matching lines...) Expand all Loading... |
| 325 other.displayed_content_with_cert_errors && | 323 other.displayed_content_with_cert_errors && |
| 326 ran_content_with_cert_errors == other.ran_content_with_cert_errors && | 324 ran_content_with_cert_errors == other.ran_content_with_cert_errors && |
| 327 pkp_bypassed == other.pkp_bypassed && | 325 pkp_bypassed == other.pkp_bypassed && |
| 328 displayed_password_field_on_http == | 326 displayed_password_field_on_http == |
| 329 other.displayed_password_field_on_http && | 327 other.displayed_password_field_on_http && |
| 330 displayed_credit_card_field_on_http == | 328 displayed_credit_card_field_on_http == |
| 331 other.displayed_credit_card_field_on_http); | 329 other.displayed_credit_card_field_on_http); |
| 332 } | 330 } |
| 333 | 331 |
| 334 } // namespace security_state | 332 } // namespace security_state |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2448943002:
Refactor SecurityStateModel/Clients for simplicity and reusability. (Closed)
