| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/security_state/core/security_state.h" | 5 #include "components/security_state/core/security_state.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
| 10 #include "base/metrics/field_trial.h" | 10 #include "base/metrics/field_trial.h" |
| (...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 77 // nonsecure defaults to neutral. | 77 // nonsecure defaults to neutral. |
| 78 status = NEUTRAL; | 78 status = NEUTRAL; |
| 79 level = NONE; | 79 level = NONE; |
| 80 } | 80 } |
| 81 } | 81 } |
| 82 | 82 |
| 83 UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS); | 83 UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS); |
| 84 return level; | 84 return level; |
| 85 } | 85 } |
| 86 | 86 |
| 87 SHA1DeprecationStatus GetSHA1DeprecationStatus( | |
| 88 const VisibleSecurityState& visible_security_state) { | |
| 89 if (!visible_security_state.certificate || | |
| 90 !(visible_security_state.cert_status & | |
| 91 net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) | |
| 92 return NO_DEPRECATED_SHA1; | |
| 93 | |
| 94 // The internal representation of the dates for UI treatment of SHA-1. | |
| 95 // See http://crbug.com/401365 for details. | |
| 96 static const int64_t kJanuary2017 = INT64_C(13127702400000000); | |
| 97 if (visible_security_state.certificate->valid_expiry() >= | |
| 98 base::Time::FromInternalValue(kJanuary2017)) | |
| 99 return DEPRECATED_SHA1_MAJOR; | |
| 100 static const int64_t kJanuary2016 = INT64_C(13096080000000000); | |
| 101 if (visible_security_state.certificate->valid_expiry() >= | |
| 102 base::Time::FromInternalValue(kJanuary2016)) | |
| 103 return DEPRECATED_SHA1_MINOR; | |
| 104 | |
| 105 return NO_DEPRECATED_SHA1; | |
| 106 } | |
| 107 | |
| 108 ContentStatus GetContentStatus(bool displayed, bool ran) { | 87 ContentStatus GetContentStatus(bool displayed, bool ran) { |
| 109 if (ran && displayed) | 88 if (ran && displayed) |
| 110 return CONTENT_STATUS_DISPLAYED_AND_RAN; | 89 return CONTENT_STATUS_DISPLAYED_AND_RAN; |
| 111 if (ran) | 90 if (ran) |
| 112 return CONTENT_STATUS_RAN; | 91 return CONTENT_STATUS_RAN; |
| 113 if (displayed) | 92 if (displayed) |
| 114 return CONTENT_STATUS_DISPLAYED; | 93 return CONTENT_STATUS_DISPLAYED; |
| 115 return CONTENT_STATUS_NONE; | 94 return CONTENT_STATUS_NONE; |
| 116 } | 95 } |
| 117 | 96 |
| 118 SecurityLevel GetSecurityLevelForRequest( | 97 SecurityLevel GetSecurityLevelForRequest( |
| 119 const VisibleSecurityState& visible_security_state, | 98 const VisibleSecurityState& visible_security_state, |
| 120 bool used_policy_installed_certificate, | 99 bool used_policy_installed_certificate, |
| 121 const IsOriginSecureCallback& is_origin_secure_callback, | 100 const IsOriginSecureCallback& is_origin_secure_callback, |
| 122 SHA1DeprecationStatus sha1_status, | 101 bool sha1_in_chain, |
| 123 ContentStatus mixed_content_status, | 102 ContentStatus mixed_content_status, |
| 124 ContentStatus content_with_cert_errors_status) { | 103 ContentStatus content_with_cert_errors_status) { |
| 125 DCHECK(visible_security_state.connection_info_initialized || | 104 DCHECK(visible_security_state.connection_info_initialized || |
| 126 visible_security_state.malicious_content_status != | 105 visible_security_state.malicious_content_status != |
| 127 MALICIOUS_CONTENT_STATUS_NONE); | 106 MALICIOUS_CONTENT_STATUS_NONE); |
| 128 | 107 |
| 129 // Override the connection security information if the website failed the | 108 // Override the connection security information if the website failed the |
| 130 // browser's malware checks. | 109 // browser's malware checks. |
| 131 if (visible_security_state.malicious_content_status != | 110 if (visible_security_state.malicious_content_status != |
| 132 MALICIOUS_CONTENT_STATUS_NONE) { | 111 MALICIOUS_CONTENT_STATUS_NONE) { |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 165 | 144 |
| 166 // Report if there is a policy cert first, before reporting any other | 145 // Report if there is a policy cert first, before reporting any other |
| 167 // authenticated-but-with-errors cases. A policy cert is a strong | 146 // authenticated-but-with-errors cases. A policy cert is a strong |
| 168 // indicator of a MITM being present (the enterprise), while the | 147 // indicator of a MITM being present (the enterprise), while the |
| 169 // other authenticated-but-with-errors indicate something may | 148 // other authenticated-but-with-errors indicate something may |
| 170 // be wrong, or may be wrong in the future, but is unclear now. | 149 // be wrong, or may be wrong in the future, but is unclear now. |
| 171 if (used_policy_installed_certificate) | 150 if (used_policy_installed_certificate) |
| 172 return SECURE_WITH_POLICY_INSTALLED_CERT; | 151 return SECURE_WITH_POLICY_INSTALLED_CERT; |
| 173 | 152 |
| 174 // In most cases, SHA1 use is treated as a certificate error, in which case | 153 // In most cases, SHA1 use is treated as a certificate error, in which case |
| 175 // DANGEROUS will have been returned above. If SHA1 is permitted, we downgrade | 154 // DANGEROUS will have been returned above. If SHA1 was permitted by policy, |
| 176 // the security level to Neutral or Dangerous depending on policy. | 155 // downgrade the security level to Neutral. |
| 177 if (sha1_status == DEPRECATED_SHA1_MAJOR || | 156 if (sha1_in_chain) |
| 178 sha1_status == DEPRECATED_SHA1_MINOR) { | 157 return NONE; |
| 179 return (visible_security_state.display_sha1_from_local_anchors_as_neutral) | |
| 180 ? NONE | |
| 181 : DANGEROUS; | |
| 182 } | |
| 183 | 158 |
| 184 // Active mixed content is handled above. | 159 // Active mixed content is handled above. |
| 185 DCHECK_NE(CONTENT_STATUS_RAN, mixed_content_status); | 160 DCHECK_NE(CONTENT_STATUS_RAN, mixed_content_status); |
| 186 DCHECK_NE(CONTENT_STATUS_DISPLAYED_AND_RAN, mixed_content_status); | 161 DCHECK_NE(CONTENT_STATUS_DISPLAYED_AND_RAN, mixed_content_status); |
| 187 | 162 |
| 188 if (mixed_content_status == CONTENT_STATUS_DISPLAYED || | 163 if (mixed_content_status == CONTENT_STATUS_DISPLAYED || |
| 189 content_with_cert_errors_status == CONTENT_STATUS_DISPLAYED) { | 164 content_with_cert_errors_status == CONTENT_STATUS_DISPLAYED) { |
| 190 return kDisplayedInsecureContentLevel; | 165 return kDisplayedInsecureContentLevel; |
| 191 } | 166 } |
| 192 | 167 |
| (...skipping 16 matching lines...) Expand all Loading... |
| 209 const IsOriginSecureCallback& is_origin_secure_callback, | 184 const IsOriginSecureCallback& is_origin_secure_callback, |
| 210 SecurityInfo* security_info) { | 185 SecurityInfo* security_info) { |
| 211 if (!visible_security_state.connection_info_initialized) { | 186 if (!visible_security_state.connection_info_initialized) { |
| 212 *security_info = SecurityInfo(); | 187 *security_info = SecurityInfo(); |
| 213 security_info->malicious_content_status = | 188 security_info->malicious_content_status = |
| 214 visible_security_state.malicious_content_status; | 189 visible_security_state.malicious_content_status; |
| 215 if (security_info->malicious_content_status != | 190 if (security_info->malicious_content_status != |
| 216 MALICIOUS_CONTENT_STATUS_NONE) { | 191 MALICIOUS_CONTENT_STATUS_NONE) { |
| 217 security_info->security_level = GetSecurityLevelForRequest( | 192 security_info->security_level = GetSecurityLevelForRequest( |
| 218 visible_security_state, used_policy_installed_certificate, | 193 visible_security_state, used_policy_installed_certificate, |
| 219 is_origin_secure_callback, UNKNOWN_SHA1, CONTENT_STATUS_UNKNOWN, | 194 is_origin_secure_callback, false, CONTENT_STATUS_UNKNOWN, |
| 220 CONTENT_STATUS_UNKNOWN); | 195 CONTENT_STATUS_UNKNOWN); |
| 221 } | 196 } |
| 222 return; | 197 return; |
| 223 } | 198 } |
| 224 security_info->certificate = visible_security_state.certificate; | 199 security_info->certificate = visible_security_state.certificate; |
| 225 security_info->sha1_deprecation_status = | 200 |
| 226 GetSHA1DeprecationStatus(visible_security_state); | 201 security_info->sha1_in_chain = visible_security_state.certificate && |
| 202 (visible_security_state.cert_status & |
| 203 net::CERT_STATUS_SHA1_SIGNATURE_PRESENT); |
| 227 security_info->mixed_content_status = | 204 security_info->mixed_content_status = |
| 228 GetContentStatus(visible_security_state.displayed_mixed_content, | 205 GetContentStatus(visible_security_state.displayed_mixed_content, |
| 229 visible_security_state.ran_mixed_content); | 206 visible_security_state.ran_mixed_content); |
| 230 security_info->content_with_cert_errors_status = GetContentStatus( | 207 security_info->content_with_cert_errors_status = GetContentStatus( |
| 231 visible_security_state.displayed_content_with_cert_errors, | 208 visible_security_state.displayed_content_with_cert_errors, |
| 232 visible_security_state.ran_content_with_cert_errors); | 209 visible_security_state.ran_content_with_cert_errors); |
| 233 security_info->security_bits = visible_security_state.security_bits; | 210 security_info->security_bits = visible_security_state.security_bits; |
| 234 security_info->connection_status = visible_security_state.connection_status; | 211 security_info->connection_status = visible_security_state.connection_status; |
| 235 security_info->key_exchange_group = visible_security_state.key_exchange_group; | 212 security_info->key_exchange_group = visible_security_state.key_exchange_group; |
| 236 security_info->cert_status = visible_security_state.cert_status; | 213 security_info->cert_status = visible_security_state.cert_status; |
| 237 security_info->scheme_is_cryptographic = | 214 security_info->scheme_is_cryptographic = |
| 238 visible_security_state.url.SchemeIsCryptographic(); | 215 visible_security_state.url.SchemeIsCryptographic(); |
| 239 security_info->obsolete_ssl_status = | 216 security_info->obsolete_ssl_status = |
| 240 net::ObsoleteSSLStatus(security_info->connection_status); | 217 net::ObsoleteSSLStatus(security_info->connection_status); |
| 241 security_info->pkp_bypassed = visible_security_state.pkp_bypassed; | 218 security_info->pkp_bypassed = visible_security_state.pkp_bypassed; |
| 242 security_info->sct_verify_statuses = | 219 security_info->sct_verify_statuses = |
| 243 visible_security_state.sct_verify_statuses; | 220 visible_security_state.sct_verify_statuses; |
| 244 | 221 |
| 245 security_info->malicious_content_status = | 222 security_info->malicious_content_status = |
| 246 visible_security_state.malicious_content_status; | 223 visible_security_state.malicious_content_status; |
| 247 | 224 |
| 248 security_info->displayed_password_field_on_http = | 225 security_info->displayed_password_field_on_http = |
| 249 visible_security_state.displayed_password_field_on_http; | 226 visible_security_state.displayed_password_field_on_http; |
| 250 security_info->displayed_credit_card_field_on_http = | 227 security_info->displayed_credit_card_field_on_http = |
| 251 visible_security_state.displayed_credit_card_field_on_http; | 228 visible_security_state.displayed_credit_card_field_on_http; |
| 252 | 229 |
| 253 security_info->security_level = GetSecurityLevelForRequest( | 230 security_info->security_level = GetSecurityLevelForRequest( |
| 254 visible_security_state, used_policy_installed_certificate, | 231 visible_security_state, used_policy_installed_certificate, |
| 255 is_origin_secure_callback, security_info->sha1_deprecation_status, | 232 is_origin_secure_callback, security_info->sha1_in_chain, |
| 256 security_info->mixed_content_status, | 233 security_info->mixed_content_status, |
| 257 security_info->content_with_cert_errors_status); | 234 security_info->content_with_cert_errors_status); |
| 258 } | 235 } |
| 259 | 236 |
| 260 } // namespace | 237 } // namespace |
| 261 | 238 |
| 262 const base::Feature kHttpFormWarningFeature{"HttpFormWarning", | 239 const base::Feature kHttpFormWarningFeature{"HttpFormWarning", |
| 263 base::FEATURE_DISABLED_BY_DEFAULT}; | 240 base::FEATURE_DISABLED_BY_DEFAULT}; |
| 264 | 241 |
| 265 SecurityInfo::SecurityInfo() | 242 SecurityInfo::SecurityInfo() |
| 266 : security_level(NONE), | 243 : security_level(NONE), |
| 267 malicious_content_status(MALICIOUS_CONTENT_STATUS_NONE), | 244 malicious_content_status(MALICIOUS_CONTENT_STATUS_NONE), |
| 268 sha1_deprecation_status(NO_DEPRECATED_SHA1), | 245 sha1_in_chain(false), |
| 269 mixed_content_status(CONTENT_STATUS_NONE), | 246 mixed_content_status(CONTENT_STATUS_NONE), |
| 270 content_with_cert_errors_status(CONTENT_STATUS_NONE), | 247 content_with_cert_errors_status(CONTENT_STATUS_NONE), |
| 271 scheme_is_cryptographic(false), | 248 scheme_is_cryptographic(false), |
| 272 cert_status(0), | 249 cert_status(0), |
| 273 security_bits(-1), | 250 security_bits(-1), |
| 274 connection_status(0), | 251 connection_status(0), |
| 275 key_exchange_group(0), | 252 key_exchange_group(0), |
| 276 obsolete_ssl_status(net::OBSOLETE_SSL_NONE), | 253 obsolete_ssl_status(net::OBSOLETE_SSL_NONE), |
| 277 pkp_bypassed(false), | 254 pkp_bypassed(false), |
| 278 displayed_password_field_on_http(false), | 255 displayed_password_field_on_http(false), |
| (...skipping 21 matching lines...) Expand all Loading... |
| 300 cert_status(0), | 277 cert_status(0), |
| 301 connection_status(0), | 278 connection_status(0), |
| 302 key_exchange_group(0), | 279 key_exchange_group(0), |
| 303 security_bits(-1), | 280 security_bits(-1), |
| 304 displayed_mixed_content(false), | 281 displayed_mixed_content(false), |
| 305 ran_mixed_content(false), | 282 ran_mixed_content(false), |
| 306 displayed_content_with_cert_errors(false), | 283 displayed_content_with_cert_errors(false), |
| 307 ran_content_with_cert_errors(false), | 284 ran_content_with_cert_errors(false), |
| 308 pkp_bypassed(false), | 285 pkp_bypassed(false), |
| 309 displayed_password_field_on_http(false), | 286 displayed_password_field_on_http(false), |
| 310 displayed_credit_card_field_on_http(false), | 287 displayed_credit_card_field_on_http(false) {} |
| 311 display_sha1_from_local_anchors_as_neutral(false) {} | |
| 312 | 288 |
| 313 VisibleSecurityState::~VisibleSecurityState() {} | 289 VisibleSecurityState::~VisibleSecurityState() {} |
| 314 | 290 |
| 315 bool VisibleSecurityState::operator==(const VisibleSecurityState& other) const { | 291 bool VisibleSecurityState::operator==(const VisibleSecurityState& other) const { |
| 316 return (url == other.url && | 292 return (url == other.url && |
| 317 malicious_content_status == other.malicious_content_status && | 293 malicious_content_status == other.malicious_content_status && |
| 318 !!certificate == !!other.certificate && | 294 !!certificate == !!other.certificate && |
| 319 (certificate ? certificate->Equals(other.certificate.get()) : true) && | 295 (certificate ? certificate->Equals(other.certificate.get()) : true) && |
| 320 connection_status == other.connection_status && | 296 connection_status == other.connection_status && |
| 321 key_exchange_group == other.key_exchange_group && | 297 key_exchange_group == other.key_exchange_group && |
| 322 security_bits == other.security_bits && | 298 security_bits == other.security_bits && |
| 323 sct_verify_statuses == other.sct_verify_statuses && | 299 sct_verify_statuses == other.sct_verify_statuses && |
| 324 displayed_mixed_content == other.displayed_mixed_content && | 300 displayed_mixed_content == other.displayed_mixed_content && |
| 325 ran_mixed_content == other.ran_mixed_content && | 301 ran_mixed_content == other.ran_mixed_content && |
| 326 displayed_content_with_cert_errors == | 302 displayed_content_with_cert_errors == |
| 327 other.displayed_content_with_cert_errors && | 303 other.displayed_content_with_cert_errors && |
| 328 ran_content_with_cert_errors == other.ran_content_with_cert_errors && | 304 ran_content_with_cert_errors == other.ran_content_with_cert_errors && |
| 329 pkp_bypassed == other.pkp_bypassed && | 305 pkp_bypassed == other.pkp_bypassed && |
| 330 displayed_password_field_on_http == | 306 displayed_password_field_on_http == |
| 331 other.displayed_password_field_on_http && | 307 other.displayed_password_field_on_http && |
| 332 displayed_credit_card_field_on_http == | 308 displayed_credit_card_field_on_http == |
| 333 other.displayed_credit_card_field_on_http && | 309 other.displayed_credit_card_field_on_http); |
| 334 display_sha1_from_local_anchors_as_neutral == | |
| 335 other.display_sha1_from_local_anchors_as_neutral); | |
| 336 } | 310 } |
| 337 | 311 |
| 338 } // namespace security_state | 312 } // namespace security_state |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2616553002:
Remove obsolete SHA-1 UX elements (Closed)
