Add initial version of captive portal list checking.

chrome/browser/ssl/ssl_error_handler.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/ssl_error_handler.h"
 
 #include <stdint.h>
+#include <unordered_set>
 #include <utility>
 
 #include "base/callback_helpers.h"
 #include "base/feature_list.h"
+#include "base/files/file_util.h"
 #include "base/lazy_instance.h"
 #include "base/macros.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/stringprintf.h"
 #include "base/threading/non_thread_safe.h"
 #include "base/time/clock.h"
 #include "base/time/time.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ssl/bad_clock_blocking_page.h"
 #include "chrome/browser/ssl/ssl_blocking_page.h"
 #include "chrome/browser/ssl/ssl_cert_reporter.h"
+#include "chrome/browser/ssl/ssl_error_assistant.pb.h"
 #include "chrome/common/features.h"
+#include "chrome/grit/browser_resources.h"
 #include "components/network_time/network_time_tracker.h"
 #include "components/ssl_errors/error_classification.h"
 #include "components/ssl_errors/error_info.h"
+#include "content/public/browser/browser_thread.h"
 #include "content/public/browser/navigation_handle.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/notification_source.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/web_contents.h"
 #include "net/base/net_errors.h"
+#include "ui/base/resource/resource_bundle.h"
 
 #if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
 #include "chrome/browser/captive_portal/captive_portal_service.h"
 #include "chrome/browser/captive_portal/captive_portal_service_factory.h"
 #include "chrome/browser/captive_portal/captive_portal_tab_helper.h"
 #include "chrome/browser/ssl/captive_portal_blocking_page.h"
 #endif
 
 namespace {
 
 #if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
 const base::Feature kCaptivePortalInterstitial{
     "CaptivePortalInterstitial", base::FEATURE_ENABLED_BY_DEFAULT};
+
+const base::Feature kCaptivePortalCertificateList{
+    "CaptivePortalCertificateList", base::FEATURE_DISABLED_BY_DEFAULT};
 #endif
 
 const base::Feature kSSLCommonNameMismatchHandling{
     "SSLCommonNameMismatchHandling", base::FEATURE_ENABLED_BY_DEFAULT};
 
-const char kHistogram[] = "interstitial.ssl_error_handler";
-
 // Default delay in milliseconds before displaying the SSL interstitial.
 // This can be changed in tests.
 // - If there is a name mismatch and a suggested URL available result arrives
 //   during this time, the user is redirected to the suggester URL.
 // - If a "captive portal detected" result arrives during this time,
 //   a captive portal interstitial is displayed.
 // - Otherwise, an SSL interstitial is displayed.
 const int64_t kInterstitialDelayInMilliseconds = 3000;
 
+const char kHistogram[] = "interstitial.ssl_error_handler";
+
 // Adds a message to console after navigation commits and then, deletes itself.
 // Also deletes itself if the navigation is stopped.
 class CommonNameMismatchRedirectObserver
     : public content::WebContentsObserver,
       public content::WebContentsUserData<CommonNameMismatchRedirectObserver> {
  public:
   static void AddToConsoleAfterNavigation(
       content::WebContents* web_contents,
       const std::string& request_url_hostname,
       const std::string& suggested_url_hostname) {
@@ skipping 46 matching lines @@
 
 void RecordUMA(SSLErrorHandler::UMAEvent event) {
   UMA_HISTOGRAM_ENUMERATION(kHistogram, event,
                             SSLErrorHandler::SSL_ERROR_HANDLER_EVENT_COUNT);
 }
 
 #if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
 bool IsCaptivePortalInterstitialEnabled() {
   return base::FeatureList::IsEnabled(kCaptivePortalInterstitial);
 }
+
+// Reads the SSL error assistant configuration from the resource bundle.
+void ReadErrorAssistantProtoFromResourceBundle(std::string* binary_pb) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  ui::ResourceBundle& bundle = ui::ResourceBundle::GetSharedInstance();
+  bundle.GetRawDataResource(IDR_SSL_ERROR_ASSISTANT_PB).CopyToString(binary_pb);
+}
+
+std::unique_ptr<std::unordered_set<std::string>> LoadCaptivePortalCertHashes(
+    const chrome_browser_ssl::SSLErrorAssistantConfig& proto) {
+  std::unique_ptr<std::unordered_set<std::string>> hashes(
+      new std::unordered_set<std::string>());
+  for (const chrome_browser_ssl::CaptivePortalCert& cert :
+       proto.captive_portal_cert()) {
+    hashes.get()->insert(cert.sha256_hash());
+  }
+  return hashes;
+}
 #endif
 
 bool IsSSLCommonNameMismatchHandlingEnabled() {
   return base::FeatureList::IsEnabled(kSSLCommonNameMismatchHandling);
 }
 
 // Configuration for SSLErrorHandler.
 class ConfigSingleton : public base::NonThreadSafe {
  public:
   ConfigSingleton();
 
   base::TimeDelta interstitial_delay() const;
   SSLErrorHandler::TimerStartedCallback* timer_started_callback() const;
   base::Clock* clock() const;
   network_time::NetworkTimeTracker* network_time_tracker() const;
 
+#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+  // Returns true if any of the SHA256 hashes in |ssl_info| is of a captive
+  // portal certificate. The set of captive portal hashes is loaded on first
+  // use.
+  bool IsKnownCaptivePortalCert(const net::SSLInfo& ssl_info);
+#endif
+
+  // Testing methods:
+  void ResetForTesting();
   void SetInterstitialDelayForTesting(const base::TimeDelta& delay);
   void SetTimerStartedCallbackForTesting(
       SSLErrorHandler::TimerStartedCallback* callback);
   void SetClockForTesting(base::Clock* clock);
   void SetNetworkTimeTrackerForTesting(
       network_time::NetworkTimeTracker* tracker);
 
+#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+  void SetErrorAssistantProtoForTesting(
+      const chrome_browser_ssl::SSLErrorAssistantConfig& error_assistant_proto);
+#endif
+
  private:
   base::TimeDelta interstitial_delay_;
 
   // Callback to call when the interstitial timer is started. Used for
   // testing.
   SSLErrorHandler::TimerStartedCallback* timer_started_callback_ = nullptr;
 
   // The clock to use when deciding which error type to display. Used for
   // testing.
   base::Clock* testing_clock_ = nullptr;
 
   network_time::NetworkTimeTracker* network_time_tracker_ = nullptr;
+
+#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+  // SPKI hashes belonging to certs treated as captive portals. Null until the
+  // first time IsKnownCaptivePortalCert() or SetErrorAssistantProtoForTesting()
+  // is called.
+  std::unique_ptr<std::unordered_set<std::string>> captive_portal_spki_hashes_;
+#endif
 };
 
 ConfigSingleton::ConfigSingleton()
     : interstitial_delay_(
           base::TimeDelta::FromMilliseconds(kInterstitialDelayInMilliseconds)) {
 }
 
 base::TimeDelta ConfigSingleton::interstitial_delay() const {
   return interstitial_delay_;
 }
 
 SSLErrorHandler::TimerStartedCallback* ConfigSingleton::timer_started_callback()
     const {
   return timer_started_callback_;
 }
 
 network_time::NetworkTimeTracker* ConfigSingleton::network_time_tracker()
     const {
   return network_time_tracker_ ? network_time_tracker_
                                : g_browser_process->network_time_tracker();
 }
 
 base::Clock* ConfigSingleton::clock() const {
   return testing_clock_;
 }
 
+void ConfigSingleton::ResetForTesting() {
+  interstitial_delay_ =
+      base::TimeDelta::FromMilliseconds(kInterstitialDelayInMilliseconds);
+  timer_started_callback_ = nullptr;
+  network_time_tracker_ = nullptr;
+  testing_clock_ = nullptr;
+#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+  captive_portal_spki_hashes_.reset();
+#endif
+}
+
 void ConfigSingleton::SetInterstitialDelayForTesting(
     const base::TimeDelta& delay) {
   interstitial_delay_ = delay;
 }
 
 void ConfigSingleton::SetTimerStartedCallbackForTesting(
     SSLErrorHandler::TimerStartedCallback* callback) {
   DCHECK(!callback || !callback->is_null());
   timer_started_callback_ = callback;
 }
 
 void ConfigSingleton::SetClockForTesting(base::Clock* clock) {
   testing_clock_ = clock;
 }
 
 void ConfigSingleton::SetNetworkTimeTrackerForTesting(
     network_time::NetworkTimeTracker* tracker) {
   network_time_tracker_ = tracker;
 }
 
+#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+void ConfigSingleton::SetErrorAssistantProtoForTesting(
+    const chrome_browser_ssl::SSLErrorAssistantConfig& error_assistant_proto) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  DCHECK(!captive_portal_spki_hashes_);
+  captive_portal_spki_hashes_ =
+      LoadCaptivePortalCertHashes(error_assistant_proto);
+}
+
+bool ConfigSingleton::IsKnownCaptivePortalCert(const net::SSLInfo& ssl_info) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  if (!captive_portal_spki_hashes_) {
+    std::string binary_proto;
+    ReadErrorAssistantProtoFromResourceBundle(&binary_proto);
+    chrome_browser_ssl::SSLErrorAssistantConfig proto;
+    proto.ParseFromString(binary_proto);
+    captive_portal_spki_hashes_ = LoadCaptivePortalCertHashes(proto);

[Ryan Sleevi, 2017/02/02 02:24:37]

The zero-copy solution I was suggesting previously was some combination of

base::StringPiece data = bundle.GetRawDataResource(IDR_SSL_ERROR_ASSISTANT_PB);
ArrayInputStream stream(data.data(), data.size());
SSLErrorAssistantConfig proto;
proto.ParseFromZeroCopyStream(&stream);

[meacer, 2017/02/06 23:39:17]

Done, thanks for pointing to this.

+  }
+
+  for (const net::HashValue& hash_value : ssl_info.public_key_hashes) {
+    if (hash_value.tag != net::HASH_VALUE_SHA256) {
+      continue;
+    }
+    if (captive_portal_spki_hashes_->find(hash_value.ToString()) !=

[Ryan Sleevi, 2017/02/02 02:24:36]

If you wanted to avoid forcing every hash to be string-coerced, you could

namespace std {
template <>
struct hash<net::SHA256HashValue> {
  size_t operator()(const net::SHA256HashValue& hash) {
    return base::StringPieceHash()(base::StringPiece(hash.data(), hash.size()));
  }
}
}  // namespace std

std::unique_ptr<std::unordered_set<net::SHA256HashValue>>
captive_portal_spki_hashes_;

I mean, the hash function is super-grotty, but it avoids copying (which is why
not forwarding to std::hash<string>()). Mostly, it's a question of how often you
expect this to be called - and given that it's only for errors, it may not be
worth optimizing. But at least worth calling out if you wanted :)

[meacer, 2017/02/06 23:39:17]

I looked into providing a hash function, but was a bit wary of adding it to std
namespace because I wasn't sure if it's frowned up in Chrome codebase :) (there
aren't any examples under chrome/, after all)

I think I'll leave this as is, given that it's only done for errors.

(And just for completeness' sake: Another option is to use binary search and
pull HashToArrayComparator out from cert_verify_proc.cc for that purpose.)

+        captive_portal_spki_hashes_->end()) {
+      return true;
+    }
+  }
+  return false;
+}
+#endif
+
 class SSLErrorHandlerDelegateImpl : public SSLErrorHandler::Delegate {
  public:
   SSLErrorHandlerDelegateImpl(
       content::WebContents* web_contents,
       const net::SSLInfo& ssl_info,
       Profile* const profile,
       int cert_error,
       int options_mask,
       const GURL& request_url,
       std::unique_ptr<SSLCertReporter> ssl_cert_reporter,
@@ skipping 138 matching lines @@
       std::unique_ptr<SSLErrorHandler::Delegate>(
           new SSLErrorHandlerDelegateImpl(
               web_contents, ssl_info, profile, cert_error, options_mask,
               request_url, std::move(ssl_cert_reporter), callback)),
       web_contents, profile, cert_error, ssl_info, request_url, callback);
   web_contents->SetUserData(UserDataKey(), error_handler);
   error_handler->StartHandlingError();
 }
 
 // static
+void SSLErrorHandler::ResetConfigForTesting() {
+  g_config.Pointer()->ResetForTesting();
+}
+
+// static
 void SSLErrorHandler::SetInterstitialDelayForTesting(
     const base::TimeDelta& delay) {
   g_config.Pointer()->SetInterstitialDelayForTesting(delay);
 }
 
 // static
 void SSLErrorHandler::SetInterstitialTimerStartedCallbackForTesting(
     TimerStartedCallback* callback) {
   g_config.Pointer()->SetTimerStartedCallbackForTesting(callback);
 }
@@ skipping 11 matching lines @@
 
 // static
 std::string SSLErrorHandler::GetHistogramNameForTesting() {
   return kHistogram;
 }
 
 bool SSLErrorHandler::IsTimerRunningForTesting() const {
   return timer_.IsRunning();
 }
 
+void SSLErrorHandler::SetErrorAssistantProtoForTesting(
+    const chrome_browser_ssl::SSLErrorAssistantConfig& config_proto) {
+#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+  g_config.Pointer()->SetErrorAssistantProtoForTesting(config_proto);
+#endif
+}
+
 SSLErrorHandler::SSLErrorHandler(
     std::unique_ptr<Delegate> delegate,
     content::WebContents* web_contents,
     Profile* profile,
     int cert_error,
     const net::SSLInfo& ssl_info,
     const GURL& request_url,
     const base::Callback<void(content::CertificateRequestResultType)>& callback)
     : content::WebContentsObserver(web_contents),
       delegate_(std::move(delegate)),
@@ skipping 10 matching lines @@
 
 void SSLErrorHandler::StartHandlingError() {
   RecordUMA(HANDLE_ALL);
 
   if (ssl_errors::ErrorInfo::NetErrorToErrorType(cert_error_) ==
       ssl_errors::ErrorInfo::CERT_DATE_INVALID) {
     HandleCertDateInvalidError();
     return;
   }
 
+#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+  if (base::FeatureList::IsEnabled(kCaptivePortalCertificateList) &&
+      cert_error_ == net::ERR_CERT_COMMON_NAME_INVALID &&
+      g_config.Pointer()->IsKnownCaptivePortalCert(ssl_info_)) {
+    RecordUMA(CAPTIVE_PORTAL_CERT_FOUND);
+    ShowCaptivePortalInterstitial(
+        GURL(captive_portal::CaptivePortalDetector::kDefaultURL));
+    return;
+  }
+#endif
+
   std::vector<std::string> dns_names;
   ssl_info_.cert->GetDNSNames(&dns_names);
   DCHECK(!dns_names.empty());
   GURL suggested_url;
   if (IsSSLCommonNameMismatchHandlingEnabled() &&
       cert_error_ == net::ERR_CERT_COMMON_NAME_INVALID &&
       delegate_->IsErrorOverridable() &&
       delegate_->GetSuggestedUrl(dns_names, &suggested_url)) {
     RecordUMA(WWW_MISMATCH_FOUND);
     net::CertStatus extra_cert_errors =
@@ skipping 189 matching lines @@
   network_time::NetworkTimeTracker* tracker =
       g_config.Pointer()->network_time_tracker();
   ssl_errors::ClockState clock_state = ssl_errors::GetClockState(now, tracker);
   if (clock_state == ssl_errors::CLOCK_STATE_FUTURE ||
       clock_state == ssl_errors::CLOCK_STATE_PAST) {
     ShowBadClockInterstitial(now, clock_state);
     return;  // |this| is deleted after showing the interstitial.
   }
   ShowSSLInterstitial();
 }