author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-27 16:49:54 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-27 16:49:54 +0000 |
commit | ec7a5a0958ecc05d5781d547fa6363b3cfab9050 (patch) | |
tree | 0b18c35ee9a9d0909332493c804b5bb88b2bfab0 | |
parent | 38993d44ef144bbe779e4bb386275cd9a62395a7 (diff) | |
Revert "net: make HSTS hosts use the normal SSL interstitials"
This reverts commit r102947. It broke the shared build, probably because of a
missing NET_EXPORT.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@102950 0039d316-1c4b-4281-b951-d872f2087c98
20 files changed, 94 insertions, 95 deletions
diff --git a/content/browser/renderer_host/resource_dispatcher_host.cc b/content/browser/renderer_host/resource_dispatcher_host.cc index ba94ab2..228d465 100644 --- a/content/browser/renderer_host/resource_dispatcher_host.cc +++ b/content/browser/renderer_host/resource_dispatcher_host.cc @@ -1306,10 +1306,10 @@ void ResourceDispatcherHost::OnCertificateRequested( void ResourceDispatcherHost::OnSSLCertificateError( net::URLRequest* request, - const net::SSLInfo& ssl_info, - bool is_hsts_host) { + int cert_error, + net::X509Certificate* cert) { DCHECK(request); - SSLManager::OnSSLCertificateError(this, request, ssl_info, is_hsts_host); + SSLManager::OnSSLCertificateError(this, request, cert_error, cert); } bool ResourceDispatcherHost::CanGetCookies( diff --git a/content/browser/renderer_host/resource_dispatcher_host.h b/content/browser/renderer_host/resource_dispatcher_host.h index 3708492..4626674 100644 --- a/content/browser/renderer_host/resource_dispatcher_host.h +++ b/content/browser/renderer_host/resource_dispatcher_host.h @@ -190,8 +190,8 @@ class CONTENT_EXPORT ResourceDispatcherHost : public net::URLRequest::Delegate { net::URLRequest* request, net::SSLCertRequestInfo* cert_request_info) OVERRIDE; virtual void OnSSLCertificateError(net::URLRequest* request, - const net::SSLInfo& ssl_info, - bool is_hsts_host) OVERRIDE; + int cert_error, + net::X509Certificate* cert) OVERRIDE; virtual bool CanGetCookies(const net::URLRequest* request, const net::CookieList& cookie_list) const OVERRIDE; virtual bool CanSetCookie(const net::URLRequest* request, diff --git a/content/browser/ssl/ssl_cert_error_handler.cc b/content/browser/ssl/ssl_cert_error_handler.cc index 6af1497..c668b41 100644 --- a/content/browser/ssl/ssl_cert_error_handler.cc +++ b/content/browser/ssl/ssl_cert_error_handler.cc 
@@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2009 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -6,20 +6,22 @@ #include "content/browser/renderer_host/resource_dispatcher_host.h" #include "content/browser/ssl/ssl_policy.h" -#include "net/base/cert_status_flags.h" #include "net/base/x509_certificate.h" SSLCertErrorHandler::SSLCertErrorHandler( ResourceDispatcherHost* rdh, net::URLRequest* request, ResourceType::Type resource_type, - const net::SSLInfo& ssl_info, - bool is_hsts_host) + int cert_error, + net::X509Certificate* cert) : SSLErrorHandler(rdh, request, resource_type), - ssl_info_(ssl_info), - cert_error_(net::MapCertStatusToNetError(ssl_info.cert_status)), - is_hsts_host_(is_hsts_host) { + cert_error_(cert_error) { DCHECK(request == resource_dispatcher_host_->GetURLRequest(request_id_)); + + // We cannot use the request->ssl_info(), it's not been initialized yet, so + // we have to set the fields manually. + ssl_info_.cert = cert; + ssl_info_.SetCertError(cert_error); } SSLCertErrorHandler* SSLCertErrorHandler::AsSSLCertErrorHandler() { diff --git a/content/browser/ssl/ssl_cert_error_handler.h b/content/browser/ssl/ssl_cert_error_handler.h index 62b1a1e..6dcbe0f 100644 --- a/content/browser/ssl/ssl_cert_error_handler.h +++ b/content/browser/ssl/ssl_cert_error_handler.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2009 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
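Review bot: In the SSLCertErrorHandler constructor, `ssl_info_` is rebuilt from one error code via `ssl_info_.SetCertError(cert_error)`, so any other certificate status recorded for the connection does not reach the handler. Presumably a certificate with several problems is then presented as having only the mapped one. The `TODO(wtc)` in URLRequestHttpJob::OnStartCompleted already asks for `cert_status` or the whole SSLInfo to be passed, and that should be tracked when the reverted change is relanded. The constructor also stores `cert` unchecked; if callers must always supply one, a `DCHECK(cert);` next to the existing DCHECK would document it.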
@@ -24,15 +24,14 @@ class SSLCertErrorHandler : public SSLErrorHandler { SSLCertErrorHandler(ResourceDispatcherHost* rdh, net::URLRequest* request, ResourceType::Type resource_type, - const net::SSLInfo& ssl_info, - bool is_hsts_host); + int cert_error, + net::X509Certificate* cert); virtual SSLCertErrorHandler* AsSSLCertErrorHandler(); // These accessors are available on either thread const net::SSLInfo& ssl_info() const { return ssl_info_; } int cert_error() const { return cert_error_; } - bool is_hsts_host() const { return is_hsts_host_; } protected: // SSLErrorHandler methods @@ -43,9 +42,8 @@ class SSLCertErrorHandler : public SSLErrorHandler { virtual ~SSLCertErrorHandler(); // These read-only members may be accessed on any thread. - const net::SSLInfo ssl_info_; + net::SSLInfo ssl_info_; const int cert_error_; // The error we represent. - const bool is_hsts_host_; // true if the error is from an HSTS host. DISALLOW_COPY_AND_ASSIGN(SSLCertErrorHandler); }; diff --git a/content/browser/ssl/ssl_manager.cc b/content/browser/ssl/ssl_manager.cc index 83b4d66..6ae6fb9 100644 --- a/content/browser/ssl/ssl_manager.cc +++ b/content/browser/ssl/ssl_manager.cc @@ -24,12 +24,10 @@ // static void SSLManager::OnSSLCertificateError(ResourceDispatcherHost* rdh, net::URLRequest* request, - const net::SSLInfo& ssl_info, - bool is_hsts_host) { - DVLOG(1) << "OnSSLCertificateError() cert_error: " - << net::MapCertStatusToNetError(ssl_info.cert_status) - << " url: " << request->url().spec() - << " cert_status: " << std::hex << ssl_info.cert_status; + int cert_error, + net::X509Certificate* cert) { + DVLOG(1) << "OnSSLCertificateError() cert_error: " << cert_error + << " url: " << request->url().spec(); ResourceDispatcherHostRequestInfo* info = ResourceDispatcherHost::InfoForRequest(request); 
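Review bot: In the second hunk of ssl_cert_error_handler.h, `ssl_info_` loses its `const` but still sits under the comment `// These read-only members may be accessed on any thread.`. The member is now assigned in the constructor body, so the type no longer enforces what the comment promises. Either reword the comment, for example `// Written only in the constructor; read-only afterwards.`, or keep `const net::SSLInfo ssl_info_;` and initialise it from a small helper that builds the SSLInfo from `cert_error` and `cert`. The class body continues outside the hunk.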
@@ -41,8 +39,8 @@ void SSLManager::OnSSLCertificateError(ResourceDispatcherHost* rdh, NewRunnableMethod(new SSLCertErrorHandler(rdh, request, info->resource_type(), - ssl_info, - is_hsts_host), + cert_error, + cert), &SSLCertErrorHandler::Dispatch)); } diff --git a/content/browser/ssl/ssl_manager.h b/content/browser/ssl/ssl_manager.h index abb9522..24892bf 100644 --- a/content/browser/ssl/ssl_manager.h +++ b/content/browser/ssl/ssl_manager.h @@ -28,7 +28,6 @@ class ResourceRequestDetails; class SSLPolicy; namespace net { -class SSLInfo; class URLRequest; } // namespace net @@ -50,8 +49,8 @@ class SSLManager : public NotificationObserver { // Called on the IO thread. static void OnSSLCertificateError(ResourceDispatcherHost* resource_dispatcher, net::URLRequest* request, - const net::SSLInfo& ssl_info, - bool is_hsts_host); + int cert_error, + net::X509Certificate* cert); // Called when SSL state for a host or tab changes. Broadcasts the // SSL_INTERNAL_STATE_CHANGED notification. diff --git a/content/browser/ssl/ssl_policy.cc b/content/browser/ssl/ssl_policy.cc index 256c27f..1d9f3f6 100644 --- a/content/browser/ssl/ssl_policy.cc +++ b/content/browser/ssl/ssl_policy.cc @@ -58,7 +58,7 @@ void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) { case net::ERR_CERT_DATE_INVALID: case net::ERR_CERT_AUTHORITY_INVALID: case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM: - OnCertErrorInternal(handler, !handler->is_hsts_host()); + OnCertErrorInternal(handler, true); break; case net::ERR_CERT_NO_REVOCATION_MECHANISM: // Ignore this error. diff --git a/net/proxy/proxy_script_fetcher_impl.cc b/net/proxy/proxy_script_fetcher_impl.cc index bb0e57c..7025e72 100644 --- a/net/proxy/proxy_script_fetcher_impl.cc +++ b/net/proxy/proxy_script_fetcher_impl.cc 
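Review bot: `OnCertErrorInternal(handler, true);` in SSLPolicy::OnCertError passes a bare boolean whose meaning is not visible at the call site. Judging from the removed `!handler->is_hsts_host()`, it looks like the flag that lets the user proceed past the interstitial, so an inline `true /* overridable */` would help (name to be confirmed against OnCertErrorInternal's signature). With the HSTS flag gone, this layer treats date, authority and weak-signature errors as bypassable for every host. HSTS strictness then depends entirely on URLRequestHttpJob::ShouldTreatAsCertificateError not forwarding those errors, and a comment stating that dependency would guard against a later change to the job weakening it unnoticed. The switch statement starts and ends outside the hunk.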
@@ -9,7 +9,6 @@ #include "base/logging.h" #include "base/message_loop.h" #include "base/string_util.h" -#include "net/base/cert_status_flags.h" #include "net/base/data_url.h" #include "net/base/io_buffer.h" #include "net/base/load_flags.h" @@ -191,12 +190,12 @@ void ProxyScriptFetcherImpl::OnAuthRequired(URLRequest* request, } void ProxyScriptFetcherImpl::OnSSLCertificateError(URLRequest* request, - const SSLInfo& ssl_info, - bool is_hsts_host) { + int cert_error, + X509Certificate* cert) { DCHECK_EQ(request, cur_request_.get()); LOG(WARNING) << "SSL certificate error when fetching PAC script, aborting."; // Certificate errors are in same space as net errors. - result_code_ = MapCertStatusToNetError(ssl_info.cert_status); + result_code_ = cert_error; request->Cancel(); } diff --git a/net/proxy/proxy_script_fetcher_impl.h b/net/proxy/proxy_script_fetcher_impl.h index 0236559..ff57a28 100644 --- a/net/proxy/proxy_script_fetcher_impl.h +++ b/net/proxy/proxy_script_fetcher_impl.h @@ -53,9 +53,8 @@ class NET_EXPORT ProxyScriptFetcherImpl : public ProxyScriptFetcher, // URLRequest::Delegate methods: virtual void OnAuthRequired(URLRequest* request, AuthChallengeInfo* auth_info) OVERRIDE; - virtual void OnSSLCertificateError(URLRequest* request, - const SSLInfo& ssl_info, - bool is_hsts_ok) OVERRIDE; + virtual void OnSSLCertificateError(URLRequest* request, int cert_error, + X509Certificate* cert) OVERRIDE; virtual void OnResponseStarted(URLRequest* request) OVERRIDE; virtual void OnReadCompleted(URLRequest* request, int num_bytes) OVERRIDE; diff --git a/net/url_request/url_request.cc b/net/url_request/url_request.cc index 3c12da6..02667b5 100644 --- a/net/url_request/url_request.cc +++ b/net/url_request/url_request.cc @@ -112,8 +112,8 @@ void URLRequest::Delegate::OnCertificateRequested( } void URLRequest::Delegate::OnSSLCertificateError(URLRequest* request, - const SSLInfo& ssl_info, - bool is_hsts_ok) { + int cert_error, + X509Certificate* cert) { request->Cancel(); } 
@@ -783,10 +783,10 @@ void URLRequest::NotifyCertificateRequested( delegate_->OnCertificateRequested(this, cert_request_info); } -void URLRequest::NotifySSLCertificateError(const SSLInfo& ssl_info, - bool is_hsts_host) { +void URLRequest::NotifySSLCertificateError(int cert_error, + X509Certificate* cert) { if (delegate_) - delegate_->OnSSLCertificateError(this, ssl_info, is_hsts_host); + delegate_->OnSSLCertificateError(this, cert_error, cert); } bool URLRequest::CanGetCookies(const CookieList& cookie_list) const { diff --git a/net/url_request/url_request.h b/net/url_request/url_request.h index 7f5f961..640f045 100644 --- a/net/url_request/url_request.h +++ b/net/url_request/url_request.h @@ -83,7 +83,6 @@ class CookieOptions; class HostPortPair; class IOBuffer; class SSLCertRequestInfo; -class SSLInfo; class UploadData; class URLRequestContext; class URLRequestJob; @@ -267,12 +266,9 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe) { // safe thing and Cancel() the request or decide to proceed by calling // ContinueDespiteLastError(). cert_error is a ERR_* error code // indicating what's wrong with the certificate. - // If |is_hsts_host| is true then the host in question is an HSTS host - // which demands a higher level of security. In this case, errors must not - // be bypassable by the user. virtual void OnSSLCertificateError(URLRequest* request, - const SSLInfo& ssl_info, - bool is_hsts_host); + int cert_error, + X509Certificate* cert); // Called when reading cookies to allow the delegate to block access to the // cookie. This method will never be invoked when LOAD_DO_NOT_SEND_COOKIES 
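Review bot: The comment above Delegate::OnSSLCertificateError in url_request.h documents `cert_error` but not `cert`, and after this revert nothing tells implementers how HSTS hosts are handled. I would add a line such as `// |cert| is the certificate that failed verification.` (if that is accurate for all callers). A further sentence should note that URLRequestHttpJob does not invoke this method for most certificate errors on Strict-Transport-Security hosts, pointing to ShouldTreatAsCertificateError. Delegates that call ContinueDespiteLastError() need to know the callback itself carries no HSTS signal. The comment block starts outside the hunk.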
@@ -717,8 +713,7 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe) { // of these functions. void NotifyAuthRequired(AuthChallengeInfo* auth_info); void NotifyCertificateRequested(SSLCertRequestInfo* cert_request_info); - void NotifySSLCertificateError(const SSLInfo& ssl_info, - bool is_hsts_host); + void NotifySSLCertificateError(int cert_error, X509Certificate* cert); bool CanGetCookies(const CookieList& cookie_list) const; bool CanSetCookie(const std::string& cookie_line, CookieOptions* options) const; diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc index 08b7762..cdb94fa 100644 --- a/net/url_request/url_request_http_job.cc +++ b/net/url_request/url_request_http_job.cc @@ -686,18 +686,13 @@ void URLRequestHttpJob::OnStartCompleted(int result) { if (result == OK) { SaveCookiesAndNotifyHeadersComplete(); - } else if (IsCertificateError(result)) { + } else if (ShouldTreatAsCertificateError(result)) { // We encountered an SSL certificate error. Ask our delegate to decide // what we should do. - - TransportSecurityState::DomainState domain_state; - const bool is_hsts_host = - context_->transport_security_state() && - context_->transport_security_state()->IsEnabledForHost( - &domain_state, request_info_.url.host(), - SSLConfigService::IsSNIAvailable(context_->ssl_config_service())); - NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, - is_hsts_host); + // TODO(wtc): also pass ssl_info.cert_status, or just pass the whole + // ssl_info. + NotifySSLCertificateError( + result, transaction_->GetResponseInfo()->ssl_info.cert); } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { NotifyCertificateRequested( transaction_->GetResponseInfo()->cert_request_info); 
@@ -724,6 +719,27 @@ void URLRequestHttpJob::OnReadCompleted(int result) { NotifyReadComplete(result); } +bool URLRequestHttpJob::ShouldTreatAsCertificateError(int result) { + if (!IsCertificateError(result)) + return false; + + // Revocation check failures are always certificate errors, even if the host + // is using Strict-Transport-Security. + if (result == ERR_CERT_UNABLE_TO_CHECK_REVOCATION) + return true; + + // Check whether our context is using Strict-Transport-Security. + if (!context_->transport_security_state()) + return true; + + TransportSecurityState::DomainState domain_state; + const bool r = context_->transport_security_state()->IsEnabledForHost( + &domain_state, request_info_.url.host(), + SSLConfigService::IsSNIAvailable(context_->ssl_config_service())); + + return !r; +} + void URLRequestHttpJob::RestartTransactionWithAuth( const string16& username, const string16& password) { diff --git a/net/url_request/url_request_http_job.h b/net/url_request/url_request_http_job.h index 883948d..8293c13 100644 --- a/net/url_request/url_request_http_job.h +++ b/net/url_request/url_request_http_job.h @@ -59,6 +59,8 @@ class URLRequestHttpJob : public URLRequestJob { void OnReadCompleted(int result); void NotifyBeforeSendHeadersCallback(int result); + bool ShouldTreatAsCertificateError(int result); + void RestartTransactionWithAuth(const string16& username, const string16& password); diff --git a/net/url_request/url_request_job.cc b/net/url_request/url_request_job.cc index 2a23d61..47e38e9 100644 --- a/net/url_request/url_request_job.cc +++ b/net/url_request/url_request_job.cc 
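Review bot: ShouldTreatAsCertificateError returns true for `ERR_CERT_UNABLE_TO_CHECK_REVOCATION` before the HSTS lookup, so on an HSTS host that one error is still handed to the delegate, which may call ContinueDespiteLastError(). The comment states the rule but not the reason, and a why-comment is needed so the exemption is not widened by analogy. Because a false return for an HSTS host is what keeps the error away from the delegate, the function deserves a header comment saying so, for example `// Returns false for HSTS hosts so the error is not offered to the delegate.`. Smaller points: `const bool r` reads better as `const bool hsts_enabled` with `return !hsts_enabled;`, and the method could probably be declared `const` if the accessors it calls allow it.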
@@ -228,12 +228,12 @@ void URLRequestJob::NotifyCertificateRequested( request_->NotifyCertificateRequested(cert_request_info); } -void URLRequestJob::NotifySSLCertificateError(const SSLInfo& ssl_info, - bool is_hsts_host) { +void URLRequestJob::NotifySSLCertificateError(int cert_error, + X509Certificate* cert) { if (!request_) return; // The request was destroyed, so there is no more work to do. - request_->NotifySSLCertificateError(ssl_info, is_hsts_host); + request_->NotifySSLCertificateError(cert_error, cert); } bool URLRequestJob::CanGetCookies(const CookieList& cookie_list) const { diff --git a/net/url_request/url_request_job.h b/net/url_request/url_request_job.h index 4231ddd..01547cc 100644 --- a/net/url_request/url_request_job.h +++ b/net/url_request/url_request_job.h @@ -30,7 +30,6 @@ class HttpRequestHeaders; class HttpResponseInfo; class IOBuffer; class SSLCertRequestInfo; -class SSLInfo; class URLRequest; class UploadData; class URLRequestStatus; @@ -198,8 +197,7 @@ class NET_EXPORT URLRequestJob : public base::RefCounted<URLRequestJob>, void NotifyCertificateRequested(SSLCertRequestInfo* cert_request_info); // Notifies the job about an SSL certificate error. - void NotifySSLCertificateError(const SSLInfo& ssl_info, - bool is_hsts_host); + void NotifySSLCertificateError(int cert_error, X509Certificate* cert); // Delegates to URLRequest::Delegate. bool CanGetCookies(const CookieList& cookie_list) const; diff --git a/net/url_request/url_request_test_util.cc b/net/url_request/url_request_test_util.cc index bffad74..f49d0c4 100644 --- a/net/url_request/url_request_test_util.cc +++ b/net/url_request/url_request_test_util.cc 
@@ -193,8 +193,8 @@ void TestDelegate::OnAuthRequired(net::URLRequest* request, } void TestDelegate::OnSSLCertificateError(net::URLRequest* request, - const net::SSLInfo& ssl_info, - bool is_hsts_host) { + int cert_error, + net::X509Certificate* cert) { // The caller can control whether it needs all SSL requests to go through, // independent of any possible errors, or whether it wants SSL errors to // cancel the request. diff --git a/net/url_request/url_request_test_util.h b/net/url_request/url_request_test_util.h index f8ef867..cac7a72 100644 --- a/net/url_request/url_request_test_util.h +++ b/net/url_request/url_request_test_util.h @@ -129,8 +129,8 @@ class TestDelegate : public net::URLRequest::Delegate { virtual void OnAuthRequired(net::URLRequest* request, net::AuthChallengeInfo* auth_info) OVERRIDE; virtual void OnSSLCertificateError(net::URLRequest* request, - const net::SSLInfo& ssl_info, - bool is_hsts_host) OVERRIDE; + int cert_error, + net::X509Certificate* cert) OVERRIDE; virtual bool CanGetCookies(const net::URLRequest* request, const net::CookieList& cookie_list) const OVERRIDE; virtual bool CanSetCookie(const net::URLRequest* request, diff --git a/webkit/fileapi/file_writer_delegate.cc b/webkit/fileapi/file_writer_delegate.cc index 34339a5..db28a22 100644 --- a/webkit/fileapi/file_writer_delegate.cc +++ b/webkit/fileapi/file_writer_delegate.cc 
@@ -137,29 +137,26 @@ void FileWriterDelegate::Start(base::PlatformFile file, relay->Start(proxy_, FROM_HERE); } -void FileWriterDelegate::OnReceivedRedirect(net::URLRequest* request, - const GURL& new_url, - bool* defer_redirect) { +void FileWriterDelegate::OnReceivedRedirect( + net::URLRequest* request, const GURL& new_url, bool* defer_redirect) { NOTREACHED(); OnError(base::PLATFORM_FILE_ERROR_SECURITY); } -void FileWriterDelegate::OnAuthRequired(net::URLRequest* request, - net::AuthChallengeInfo* auth_info) { +void FileWriterDelegate::OnAuthRequired( + net::URLRequest* request, net::AuthChallengeInfo* auth_info) { NOTREACHED(); OnError(base::PLATFORM_FILE_ERROR_SECURITY); } void FileWriterDelegate::OnCertificateRequested( - net::URLRequest* request, - net::SSLCertRequestInfo* cert_request_info) { + net::URLRequest* request, net::SSLCertRequestInfo* cert_request_info) { NOTREACHED(); OnError(base::PLATFORM_FILE_ERROR_SECURITY); } -void FileWriterDelegate::OnSSLCertificateError(net::URLRequest* request, - const net::SSLInfo& ssl_info, - bool is_hsts_host) { +void FileWriterDelegate::OnSSLCertificateError( + net::URLRequest* request, int cert_error, net::X509Certificate* cert) { NOTREACHED(); OnError(base::PLATFORM_FILE_ERROR_SECURITY); } diff --git a/webkit/fileapi/file_writer_delegate.h b/webkit/fileapi/file_writer_delegate.h index 7f25212..6d94e6e 100644 --- a/webkit/fileapi/file_writer_delegate.h +++ b/webkit/fileapi/file_writer_delegate.h 
@@ -38,20 +38,16 @@ class FileWriterDelegate : public net::URLRequest::Delegate { return file_; } - virtual void OnReceivedRedirect(net::URLRequest* request, - const GURL& new_url, - bool* defer_redirect) OVERRIDE; - virtual void OnAuthRequired(net::URLRequest* request, - net::AuthChallengeInfo* auth_info) OVERRIDE; + virtual void OnReceivedRedirect( + net::URLRequest* request, const GURL& new_url, bool* defer_redirect); + virtual void OnAuthRequired( + net::URLRequest* request, net::AuthChallengeInfo* auth_info); virtual void OnCertificateRequested( - net::URLRequest* request, - net::SSLCertRequestInfo* cert_request_info) OVERRIDE; - virtual void OnSSLCertificateError(net::URLRequest* request, - const net::SSLInfo& ssl_info, - bool is_hsts_host) OVERRIDE; - virtual void OnResponseStarted(net::URLRequest* request) OVERRIDE; - virtual void OnReadCompleted(net::URLRequest* request, - int bytes_read) OVERRIDE; + net::URLRequest* request, net::SSLCertRequestInfo* cert_request_info); + virtual void OnSSLCertificateError( + net::URLRequest* request, int cert_error, net::X509Certificate* cert); + virtual void OnResponseStarted(net::URLRequest* request); + virtual void OnReadCompleted(net::URLRequest* request, int bytes_read); private: void OnGetFileInfoAndCallStartUpdate( diff --git a/webkit/tools/test_shell/simple_resource_loader_bridge.cc b/webkit/tools/test_shell/simple_resource_loader_bridge.cc index 73fd0cb..6498e75 100644 --- a/webkit/tools/test_shell/simple_resource_loader_bridge.cc +++ b/webkit/tools/test_shell/simple_resource_loader_bridge.cc @@ -458,8 +458,8 @@ class RequestProxy : public net::URLRequest::Delegate, } virtual void OnSSLCertificateError(net::URLRequest* request, - const net::SSLInfo& ssl_info, - bool is_hsts_host) OVERRIDE { + int cert_error, + net::X509Certificate* cert) OVERRIDE { // Allow all certificate errors. request->ContinueDespiteLastError(); } |
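Review bot: The FileWriterDelegate declarations in file_writer_delegate.h lose their `OVERRIDE` annotations in this revert. A later change to a net::URLRequest::Delegate signature, like the OnSSLCertificateError change being reverted here, would then compile while leaving these methods as unrelated virtuals that are never called. The matching definitions in file_writer_delegate.cc are what fail the write with `PLATFORM_FILE_ERROR_SECURITY`, so losing the override silently would fall back to the base-class behaviour. I would keep the annotation on each declaration, e.g. `net::URLRequest* request, int cert_error, net::X509Certificate* cert) OVERRIDE;`, and reflow the lines separately if the formatting change is wanted.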