This causes ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY and ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN errors to be handled by the SSL interstitial, so that we can present a single unified non-overridable warning.

BUG=276540
R=rsleevi@chromium.org
TBR=abarth@chromium.org

Review URL: https://codereview.chromium.org/23908005

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@229813 0039d316-1c4b-4281-b951-d872f2087c98

7 files changed, 59 insertions, 13 deletions

diff --git a/chrome/browser/ssl/ssl_error_info.cc b/chrome/browser/ssl/ssl_error_info.cc
index d11beb8..ac30ed08 100644
--- a/chrome/browser/ssl/ssl_error_info.cc
+++ b/chrome/browser/ssl/ssl_error_info.cc
@@ -198,6 +198,23 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
           l10n_util::GetStringUTF16(
               IDS_CERT_ERROR_WEAK_KEY_EXTRA_INFO_2));
       break;
+    case CERT_WEAK_KEY_DH:
+      title = l10n_util::GetStringUTF16(
+          IDS_ERRORPAGES_HEADING_WEAK_SERVER_EPHEMERAL_DH_KEY);
+      details = l10n_util::GetStringFUTF16(
+          IDS_CERT_ERROR_WEAK_KEY_DETAILS, UTF8ToUTF16(request_url.host()));
+      short_description = l10n_util::GetStringUTF16(
+          IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION);
+      extra_info.push_back(
+          l10n_util::GetStringUTF16(
+              IDS_ERRORPAGES_SUMMARY_WEAK_SERVER_EPHEMERAL_DH_KEY));
+    case CERT_PINNED_KEY_MISSING:
+      title = l10n_util::GetStringUTF16(
+          IDS_ERRORPAGES_HEADING_PINNING_FAILURE);
+      details = l10n_util::GetStringUTF16(
+          IDS_ERRORPAGES_SUMMARY_PINNING_FAILURE);
+      short_description = l10n_util::GetStringUTF16(
+          IDS_ERRORPAGES_DETAILS_PINNING_FAILURE);
     case UNKNOWN:
       title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_TITLE);
       details = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS);
@@ -236,6 +253,10 @@ SSLErrorInfo::ErrorType SSLErrorInfo::NetErrorToErrorType(int net_error) {
       return CERT_WEAK_SIGNATURE_ALGORITHM;
     case net::ERR_CERT_WEAK_KEY:
       return CERT_WEAK_KEY;
+    case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
+      return CERT_WEAK_KEY_DH;
+    case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
+      return CERT_PINNED_KEY_MISSING;
     default:
       NOTREACHED();
       return UNKNOWN;
diff --git a/chrome/browser/ssl/ssl_error_info.h b/chrome/browser/ssl/ssl_error_info.h
index 5e29523..b50d225 100644
--- a/chrome/browser/ssl/ssl_error_info.h
+++ b/chrome/browser/ssl/ssl_error_info.h
@@ -33,6 +33,8 @@ class SSLErrorInfo {
     CERT_WEAK_SIGNATURE_ALGORITHM,
     CERT_WEAK_KEY,
     UNKNOWN,
+    CERT_WEAK_KEY_DH,
+    CERT_PINNED_KEY_MISSING,
     END_OF_ENUM
   };
 
diff --git a/content/browser/ssl/ssl_policy.cc b/content/browser/ssl/ssl_policy.cc
index 02af398..d4e943e 100644
--- a/content/browser/ssl/ssl_policy.cc
+++ b/content/browser/ssl/ssl_policy.cc
@@ -67,6 +67,8 @@ void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
     case net::ERR_CERT_CONTAINS_ERRORS:
     case net::ERR_CERT_REVOKED:
     case net::ERR_CERT_INVALID:
+    case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
+    case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
       OnCertErrorInternal(handler, false, handler->fatal());
       break;
     default:
diff --git a/net/base/net_errors.h b/net/base/net_errors.h
index 21749d8..34e355e 100644
--- a/net/base/net_errors.h
+++ b/net/base/net_errors.h
@@ -36,7 +36,9 @@ NET_EXPORT const char* ErrorToString(int error);
 inline bool IsCertificateError(int error) {
   // Certificate errors are negative integers from net::ERR_CERT_BEGIN
   // (inclusive) to net::ERR_CERT_END (exclusive) in *decreasing* order.
-  return error <= ERR_CERT_BEGIN && error > ERR_CERT_END;
+  return (error <= ERR_CERT_BEGIN && error > ERR_CERT_END) ||
+         (error == ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY) ||
+         (error == ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN);
 }
 
 // Map system error code to Error.
diff --git a/net/cert/cert_status_flags.cc b/net/cert/cert_status_flags.cc
index 8cb736c..2b4a0d9 100644
--- a/net/cert/cert_status_flags.cc
+++ b/net/cert/cert_status_flags.cc
@@ -43,6 +43,10 @@ CertStatus MapNetErrorToCertStatus(int error) {
       return CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
     case ERR_CERT_WEAK_KEY:
       return CERT_STATUS_WEAK_KEY;
+    case ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
+      return CERT_STATUS_PINNED_KEY_MISSING;
+    case ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
+      return CERT_STATUS_WEAK_DH_KEY;
     default:
       return 0;
   }
@@ -57,6 +61,10 @@ int MapCertStatusToNetError(CertStatus cert_status) {
     return ERR_CERT_REVOKED;
   if (cert_status & CERT_STATUS_INVALID)
     return ERR_CERT_INVALID;
+  if (cert_status & CERT_STATUS_PINNED_KEY_MISSING)
+    return ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
+  if (cert_status & CERT_STATUS_WEAK_DH_KEY)
+    return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY;
 
   // Recoverable errors
   if (cert_status & CERT_STATUS_AUTHORITY_INVALID)
diff --git a/net/cert/cert_status_flags.h b/net/cert/cert_status_flags.h
index 8431032..630df65 100644
--- a/net/cert/cert_status_flags.h
+++ b/net/cert/cert_status_flags.h
@@ -32,6 +32,8 @@ static const CertStatus CERT_STATUS_WEAK_SIGNATURE_ALGORITHM   = 1 << 8;
 // 1 << 9 was used for CERT_STATUS_NOT_IN_DNS
 static const CertStatus CERT_STATUS_NON_UNIQUE_NAME            = 1 << 10;
 static const CertStatus CERT_STATUS_WEAK_KEY                   = 1 << 11;
+static const CertStatus CERT_STATUS_WEAK_DH_KEY                = 1 << 12;
+static const CertStatus CERT_STATUS_PINNED_KEY_MISSING         = 1 << 13;
 
 // Bits 16 to 31 are for non-error statuses.
 static const CertStatus CERT_STATUS_IS_EV                      = 1 << 16;
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 204e22a..9d9a648 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -889,18 +889,27 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
 
     SaveCookiesAndNotifyHeadersComplete(net::OK);
   } else if (IsCertificateError(result)) {
-    // We encountered an SSL certificate error.  Ask our delegate to decide
-    // what we should do.
-
-    TransportSecurityState::DomainState domain_state;
-    const URLRequestContext* context = request_->context();
-    const bool fatal = context->transport_security_state() &&
-        context->transport_security_state()->GetDomainState(
-            request_info_.url.host(),
-            SSLConfigService::IsSNIAvailable(context->ssl_config_service()),
-            &domain_state) &&
-        domain_state.ShouldSSLErrorsBeFatal();
-    NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, fatal);
+    // We encountered an SSL certificate error.
+    if (result == ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY ||
+        result == ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN) {
+      // These are hard failures. They're handled separately and don't have
+      // the correct cert status, so set it here.
+      SSLInfo info(transaction_->GetResponseInfo()->ssl_info);
+      info.cert_status = MapNetErrorToCertStatus(result);
+      NotifySSLCertificateError(info, true);
+    } else {
+      // Maybe overridable, maybe not. Ask the delegate to decide.
+      TransportSecurityState::DomainState domain_state;
+      const URLRequestContext* context = request_->context();
+      const bool fatal = context->transport_security_state() &&
+          context->transport_security_state()->GetDomainState(
+              request_info_.url.host(),
+              SSLConfigService::IsSNIAvailable(context->ssl_config_service()),
+              &domain_state) &&
+          domain_state.ShouldSSLErrorsBeFatal();
+      NotifySSLCertificateError(
+          transaction_->GetResponseInfo()->ssl_info, fatal);
+    }
   } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
     NotifyCertificateRequested(
         transaction_->GetResponseInfo()->cert_request_info.get());