author | finnur@chromium.org <finnur@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-11 20:12:54 +0000 |
---|---|---|
committer | finnur@chromium.org <finnur@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-11 20:12:54 +0000 |
commit | 710c31705b2619b5ba4b4c06e0a1257b3bf71a11 (patch) | |
tree | cb68193c00b54a902ff65d91fcb8903ecafc67eb | |
parent | 515040e36459a2f6b954e368f76abded22e8cef1 (diff) | |
Fix 58162: Mixed Content False Positive for intranet hostname certificates
Previously, we lumped the intranet host warning in with mixed content warning. This calls it out as a separate warning.
BUG=58162
TEST=None
Review URL: http://codereview.chromium.org/3536019
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@62178 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/app/generated_resources.grd | 3 | ||||
-rw-r--r-- | chrome/browser/page_info_model.cc | 6 | ||||
-rw-r--r-- | chrome/browser/ssl/ssl_host_state.cc | 17 | ||||
-rw-r--r-- | chrome/browser/ssl/ssl_policy.cc | 20 | ||||
-rw-r--r-- | net/base/cert_status_flags.h | 1 | ||||
-rw-r--r-- | net/base/net_error_list.h | 13 |
6 files changed, 38 insertions, 22 deletions
diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd index fe0c9ed..8cfb0f3 100644 --- a/chrome/app/generated_resources.grd +++ b/chrome/app/generated_resources.grd @@ -5802,6 +5802,9 @@ Keep your key file in a safe place. You will need it to create new versions of y <message name="IDS_PAGE_INFO_SECURITY_TAB_INSECURE_IDENTITY" desc="The text of the identity section when the page is not secure."> The identity of this website has not been verified. </message> + <message name="IDS_PAGE_INFO_SECURITY_TAB_NON_UNIQUE_NAME" desc="The text of the identity section when the host is not unique (such as with Intranet host names)."> + The identity of the server you are connected to cannot be fully validated. You are connected to a server using a name only valid within your network, which an external certificate authority has no way to validate ownership of. As some certificate authorities will issue certificates for these names regardless, there is no way to ensure you are connected to the intended website and not an attacker. + </message> <message name="IDS_PAGE_INFO_SECURITY_TAB_UNABLE_TO_CHECK_REVOCATION" desc="The text of the identity section when we were unable to check if the certificate has been revoked."> Unable to check whether the certificate has been revoked. diff --git a/chrome/browser/page_info_model.cc b/chrome/browser/page_info_model.cc index e32d7e9..1f8c7df 100644 --- a/chrome/browser/page_info_model.cc +++ b/chrome/browser/page_info_model.cc @@ -141,6 +141,12 @@ PageInfoModel::PageInfoModel(Profile* profile, IDS_PAGE_INFO_SECURITY_TAB_INSECURE_IDENTITY)); icon_id = ssl.security_style() == SECURITY_STYLE_UNAUTHENTICATED ? ICON_STATE_WARNING_MAJOR : ICON_STATE_ERROR; + + if (ssl.cert_status() & net::CERT_STATUS_NON_UNIQUE_NAME) { + description += ASCIIToUTF16("\n\n"); + description += l10n_util::GetStringUTF16( + IDS_PAGE_INFO_SECURITY_TAB_NON_UNIQUE_NAME); + } } sections_.push_back(SectionInfo( icon_id, 
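Review bot: In the page_info_model.cc hunk the non-unique-name paragraph is appended after `IDS_PAGE_INFO_SECURITY_TAB_INSECURE_IDENTITY`, so the user first reads "The identity of this website has not been verified." and only then the actual reason. If `CERT_STATUS_NON_UNIQUE_NAME` can be the only error bit on the entry, consider showing the specific text in place of the generic sentence rather than after it. Otherwise a comment above the `if`, such as `// Single-label host: explain why an otherwise valid certificate is not trusted (flag set in SSLPolicy::UpdateEntry).`, would explain why this one status bit gets its own paragraph. The condition that selects this branch lies outside the hunk, so whether the flag alone routes a page here cannot be confirmed from these lines.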
diff --git a/chrome/browser/ssl/ssl_host_state.cc b/chrome/browser/ssl/ssl_host_state.cc index 564afa9..15c9b98 100644 --- a/chrome/browser/ssl/ssl_host_state.cc +++ b/chrome/browser/ssl/ssl_host_state.cc @@ -6,17 +6,6 @@ #include "base/logging.h" -namespace { - -static const char kDot = '.'; - -static bool IsIntranetHost(const std::string& host) { - const size_t dot = host.find(kDot); - return dot == std::string::npos || dot == host.length() - 1; -} - -} // namespace - SSLHostState::SSLHostState() { } @@ -31,12 +20,6 @@ void SSLHostState::HostRanInsecureContent(const std::string& host, int pid) { bool SSLHostState::DidHostRunInsecureContent(const std::string& host, int pid) const { DCHECK(CalledOnValidThread()); - - // CAs issue certificates for intranet hosts to everyone. Therefore, we - // always treat intranet hosts as having run insecure content. - if (IsIntranetHost(host)) - return true; - return !!ran_insecure_content_hosts_.count(BrokenHostEntry(host, pid)); } diff --git a/chrome/browser/ssl/ssl_policy.cc b/chrome/browser/ssl/ssl_policy.cc index 767d743..c10e219 100644 --- a/chrome/browser/ssl/ssl_policy.cc +++ b/chrome/browser/ssl/ssl_policy.cc @@ -32,6 +32,17 @@ #include "net/base/ssl_info.h" #include "webkit/glue/resource_type.h" +namespace { + +static const char kDot = '.'; + +static bool IsIntranetHost(const std::string& host) { + const size_t dot = host.find(kDot); + return dot == std::string::npos || dot == host.length() - 1; +} + +} // namespace + SSLPolicy::SSLPolicy(SSLPolicyBackend* backend) : backend_(backend) { DCHECK(backend_); 
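Review bot: `IsIntranetHost` in the ssl_policy.cc hunk now decides a certificate status bit, but it has no comment describing what the first-dot test does and does not cover. As written it returns true for any host with no '.', which includes an empty host and, if `url().host()` returns IPv6 literals in bracketed form, IP addresses as well as names. It returns false for dotted names that still resolve only inside a network (a constructed example: `files.corp.internal`), so those get no warning although the commit's rationale applies to them equally. I would document the limits above the function, e.g. `// True when |host| has no dot or only a trailing dot. Dotted private names are not detected and IP literals are not excluded.`, and add an explicit `if (host.empty()) return false;` if an empty host is not meant to be flagged.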
@@ -151,6 +162,15 @@ void SSLPolicy::UpdateEntry(NavigationEntry* entry, TabContents* tab_contents) { return; } + if (!(entry->ssl().cert_status() & net::CERT_STATUS_COMMON_NAME_INVALID)) { + // CAs issue certificates for intranet hosts to everyone. Therefore, we + // mark intranet hosts as being non-unique. + if (IsIntranetHost(entry->url().host())) { + entry->ssl().set_cert_status(entry->ssl().cert_status() | + net::CERT_STATUS_NON_UNIQUE_NAME); + } + } + // If CERT_STATUS_UNABLE_TO_CHECK_REVOCATION is the only certificate error, // don't lower the security style to SECURITY_STYLE_AUTHENTICATION_BROKEN. int cert_errors = entry->ssl().cert_status() & net::CERT_STATUS_ALL_ERRORS; diff --git a/net/base/cert_status_flags.h b/net/base/cert_status_flags.h index 8bf2565..5303af1 100644 --- a/net/base/cert_status_flags.h +++ b/net/base/cert_status_flags.h @@ -22,6 +22,7 @@ enum { CERT_STATUS_INVALID = 1 << 7, CERT_STATUS_WEAK_SIGNATURE_ALGORITHM = 1 << 8, CERT_STATUS_NOT_IN_DNS = 1 << 9, + CERT_STATUS_NON_UNIQUE_NAME = 1 << 10, // Bits 16 to 30 are for non-error statuses. CERT_STATUS_IS_EV = 1 << 16, diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h index b96524d..6e4c7b9 100644 --- a/net/base/net_error_list.h +++ b/net/base/net_error_list.h @@ -25,7 +25,7 @@ // finally completed. NET_ERROR(IO_PENDING, -1) -// A generic failure occured. +// A generic failure occurred. NET_ERROR(FAILED, -2) // An operation was aborted (due to user action). @@ -157,7 +157,7 @@ NET_ERROR(SSL_NO_RENEGOTIATION, -123) NET_ERROR(WINSOCK_UNEXPECTED_WRITTEN_BYTES, -124) // An SSL peer sent us a fatal decompression_failure alert. This typically -// occurs when a peer selects DEFLATE compression in the mismaken belief that +// occurs when a peer selects DEFLATE compression in the mistaken belief that // it supports it. NET_ERROR(SSL_DECOMPRESSION_FAILURE_ALERT, -125) 
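Review bot: The new block in `SSLPolicy::UpdateEntry` ORs `CERT_STATUS_NON_UNIQUE_NAME` into the entry just before `cert_errors` is computed with `CERT_STATUS_ALL_ERRORS`, so whether a single-label host now loses its secure style depends on whether that mask covers bit 10, and the mask is neither shown nor changed in this diff. The comment should state the intended outcome, e.g. `// This is an error bit: the entry is handled below as a certificate error even though the chain verified.` The bit is derived from `entry->url().host()` in the policy layer rather than recorded by certificate verification, so code that reads `cert_status` from another source would not see it; that deserves a sentence in the same comment. The commit message lists TEST=None, and a unit test that drives `UpdateEntry` with a single-label host would pin the resulting status and style. The function begins before and continues after this hunk.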
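Review bot: `CERT_STATUS_NON_UNIQUE_NAME = 1 << 10` in cert_status_flags.h and `NET_ERROR(CERT_NON_UNIQUE_NAME, -210)` in the net_error_list.h hunk are added as a pair, but none of the six files in this commit contains a conversion between certificate status bits and net error codes. If such a mapping exists elsewhere, the new bit presumably falls through to its default case, so anything keyed on the error code would report a different condition. Either extend the mapping in the same change or mark the enum value as browser-only, e.g. `// Set by SSLPolicy::UpdateEntry, not by certificate verification.` The error-code comment could also say what "not unique" means, e.g. `// The host name is only meaningful within a local network, so a certificate for it does not identify a single server.`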
@@ -278,13 +278,16 @@ NET_ERROR(CERT_WEAK_SIGNATURE_ALGORITHM, -208) // valid fingerprints. But the certificate presented was not in this list. NET_ERROR(CERT_NOT_IN_DNS, -209) +// The host name specified in the certificate is not unique. +NET_ERROR(CERT_NON_UNIQUE_NAME, -210) + // Add new certificate error codes here. // // Update the value of CERT_END whenever you add a new certificate error // code. // The value immediately past the last certificate error code. -NET_ERROR(CERT_END, -210) +NET_ERROR(CERT_END, -211) // The URL is invalid. NET_ERROR(INVALID_URL, -300) @@ -365,7 +368,7 @@ NET_ERROR(NO_SUPPORTED_PROXIES, -336) // There is a SPDY protocol framing error. NET_ERROR(SPDY_PROTOCOL_ERROR, -337) -// Credentials could not be estalished during HTTP Authentication. +// Credentials could not be established during HTTP Authentication. NET_ERROR(INVALID_AUTH_CREDENTIALS, -338) // An HTTP Authentication scheme was tried which is not supported on this @@ -471,7 +474,7 @@ NET_ERROR(IMPORT_CA_CERT_NOT_CA, -703) // Import failed - certificate already exists in database. // Note it's a little weird this is an error but reimporting a PKCS12 is ok -// (no-op). That's how mozilla does it, though. +// (no-op). That's how Mozilla does it, though. NET_ERROR(IMPORT_CERT_ALREADY_EXISTS, -704) // CA import failed due to some other error. |