author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-27 16:49:54 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-27 16:49:54 +0000 |
commit | ec7a5a0958ecc05d5781d547fa6363b3cfab9050 (patch) | |
tree | 0b18c35ee9a9d0909332493c804b5bb88b2bfab0 /net | |
parent | 38993d44ef144bbe779e4bb386275cd9a62395a7 (diff) | |
download | chromium_src-ec7a5a0958ecc05d5781d547fa6363b3cfab9050.zip chromium_src-ec7a5a0958ecc05d5781d547fa6363b3cfab9050.tar.gz chromium_src-ec7a5a0958ecc05d5781d547fa6363b3cfab9050.tar.bz2 |
Revert "net: make HSTS hosts use the normal SSL interstitials"
This reverts commit r102947. It broke the shared build, probably because of a
missing NET_EXPORT.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@102950 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/proxy/proxy_script_fetcher_impl.cc | 7 | ||||
-rw-r--r-- | net/proxy/proxy_script_fetcher_impl.h | 5 | ||||
-rw-r--r-- | net/url_request/url_request.cc | 10 | ||||
-rw-r--r-- | net/url_request/url_request.h | 11 | ||||
-rw-r--r-- | net/url_request/url_request_http_job.cc | 36 | ||||
-rw-r--r-- | net/url_request/url_request_http_job.h | 2 | ||||
-rw-r--r-- | net/url_request/url_request_job.cc | 6 | ||||
-rw-r--r-- | net/url_request/url_request_job.h | 4 | ||||
-rw-r--r-- | net/url_request/url_request_test_util.cc | 4 | ||||
-rw-r--r-- | net/url_request/url_request_test_util.h | 4 |
10 files changed, 49 insertions, 40 deletions
diff --git a/net/proxy/proxy_script_fetcher_impl.cc b/net/proxy/proxy_script_fetcher_impl.cc
index bb0e57c..7025e72 100644
--- a/net/proxy/proxy_script_fetcher_impl.cc
+++ b/net/proxy/proxy_script_fetcher_impl.cc
@@ -9,7 +9,6 @@
 #include "base/logging.h"
 #include "base/message_loop.h"
 #include "base/string_util.h"
-#include "net/base/cert_status_flags.h"
 #include "net/base/data_url.h"
 #include "net/base/io_buffer.h"
 #include "net/base/load_flags.h"
@@ -191,12 +190,12 @@ void ProxyScriptFetcherImpl::OnAuthRequired(URLRequest* request,
 }
 
 void ProxyScriptFetcherImpl::OnSSLCertificateError(URLRequest* request,
- const SSLInfo& ssl_info,
- bool is_hsts_host) {
+ int cert_error,
+ X509Certificate* cert) {
 DCHECK_EQ(request, cur_request_.get());
 LOG(WARNING) << "SSL certificate error when fetching PAC script, aborting.";
 // Certificate errors are in same space as net errors.
- result_code_ = MapCertStatusToNetError(ssl_info.cert_status);
+ result_code_ = cert_error;
 request->Cancel();
 }
 
diff --git a/net/proxy/proxy_script_fetcher_impl.h b/net/proxy/proxy_script_fetcher_impl.h
index 0236559..ff57a28 100644
--- a/net/proxy/proxy_script_fetcher_impl.h
+++ b/net/proxy/proxy_script_fetcher_impl.h
@@ -53,9 +53,8 @@ class NET_EXPORT ProxyScriptFetcherImpl : public ProxyScriptFetcher,
 // URLRequest::Delegate methods:
 virtual void OnAuthRequired(URLRequest* request,
 AuthChallengeInfo* auth_info) OVERRIDE;
- virtual void OnSSLCertificateError(URLRequest* request,
- const SSLInfo& ssl_info,
- bool is_hsts_ok) OVERRIDE;
+ virtual void OnSSLCertificateError(URLRequest* request, int cert_error,
+ X509Certificate* cert) OVERRIDE;
 virtual void OnResponseStarted(URLRequest* request) OVERRIDE;
 virtual void OnReadCompleted(URLRequest* request, int num_bytes) OVERRIDE;
 
diff --git a/net/url_request/url_request.cc b/net/url_request/url_request.cc
index 3c12da6..02667b5 100644
--- a/net/url_request/url_request.cc
+++ b/net/url_request/url_request.cc
@@ -112,8 +112,8 @@ void URLRequest::Delegate::OnCertificateRequested(
 }
 
 void URLRequest::Delegate::OnSSLCertificateError(URLRequest* request,
- const SSLInfo& ssl_info,
- bool is_hsts_ok) {
+ int cert_error,
+ X509Certificate* cert) {
 request->Cancel();
 }
 
@@ -783,10 +783,10 @@ void URLRequest::NotifyCertificateRequested(
 delegate_->OnCertificateRequested(this, cert_request_info);
 }
 
-void URLRequest::NotifySSLCertificateError(const SSLInfo& ssl_info,
- bool is_hsts_host) {
+void URLRequest::NotifySSLCertificateError(int cert_error,
+ X509Certificate* cert) {
 if (delegate_)
- delegate_->OnSSLCertificateError(this, ssl_info, is_hsts_host);
+ delegate_->OnSSLCertificateError(this, cert_error, cert);
 }
 
 bool URLRequest::CanGetCookies(const CookieList& cookie_list) const {
diff --git a/net/url_request/url_request.h b/net/url_request/url_request.h
index 7f5f961..640f045 100644
--- a/net/url_request/url_request.h
+++ b/net/url_request/url_request.h
@@ -83,7 +83,6 @@ class CookieOptions;
 class HostPortPair;
 class IOBuffer;
 class SSLCertRequestInfo;
-class SSLInfo;
 class UploadData;
 class URLRequestContext;
 class URLRequestJob;
@@ -267,12 +266,9 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe) {
 // safe thing and Cancel() the request or decide to proceed by calling
 // ContinueDespiteLastError(). cert_error is a ERR_* error code
 // indicating what's wrong with the certificate.
- // If |is_hsts_host| is true then the host in question is an HSTS host
- // which demands a higher level of security. In this case, errors must not
- // be bypassable by the user.
 virtual void OnSSLCertificateError(URLRequest* request,
- const SSLInfo& ssl_info,
- bool is_hsts_host);
+ int cert_error,
+ X509Certificate* cert);
 
 // Called when reading cookies to allow the delegate to block access to the
 // cookie. This method will never be invoked when LOAD_DO_NOT_SEND_COOKIES
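Review bot: The Delegate comment in the url_request.h hunk at -267 documents cert_error but says nothing about the restored `cert` parameter, so an implementer cannot tell whose certificate it is or whether it may be NULL. The only caller visible in this revert, url_request_http_job.cc, passes `transaction_->GetResponseInfo()->ssl_info.cert`, i.e. the certificate that failed verification; I'd add `// |cert| is the server certificate that produced |cert_error|.` above the declaration and state its nullability only if the job guarantees it. While touching that comment, "a ERR_* error code" reads better as "an ERR_* error code".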
@@ -717,8 +713,7 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe) {
 // of these functions.
 void NotifyAuthRequired(AuthChallengeInfo* auth_info);
 void NotifyCertificateRequested(SSLCertRequestInfo* cert_request_info);
- void NotifySSLCertificateError(const SSLInfo& ssl_info,
- bool is_hsts_host);
+ void NotifySSLCertificateError(int cert_error, X509Certificate* cert);
 bool CanGetCookies(const CookieList& cookie_list) const;
 bool CanSetCookie(const std::string& cookie_line,
 CookieOptions* options) const;
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 08b7762..cdb94fa 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -686,18 +686,13 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
 
 if (result == OK) {
 SaveCookiesAndNotifyHeadersComplete();
- } else if (IsCertificateError(result)) {
+ } else if (ShouldTreatAsCertificateError(result)) {
 // We encountered an SSL certificate error. Ask our delegate to decide
 // what we should do.
-
- TransportSecurityState::DomainState domain_state;
- const bool is_hsts_host = context_->transport_security_state() && context_->transport_security_state()->IsEnabledForHost( &domain_state, request_info_.url.host(), SSLConfigService::IsSNIAvailable(context_->ssl_config_service()));
- NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info,
- is_hsts_host);
+ // TODO(wtc): also pass ssl_info.cert_status, or just pass the whole
+ // ssl_info.
+ NotifySSLCertificateError(
+ result, transaction_->GetResponseInfo()->ssl_info.cert);
 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
 NotifyCertificateRequested(
 transaction_->GetResponseInfo()->cert_request_info);
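Review bot: In the `} else if (ShouldTreatAsCertificateError(result)) {` branch of OnStartCompleted, a certificate error on an HSTS host now takes neither this branch nor the client-auth branch and falls through to whatever handling follows the hunk (the rest of OnStartCompleted is outside it), which a reader can easily misread as the error being dropped rather than made fatal. Nothing at the call site says that the helper answers "may the delegate be asked to override?" rather than "is this a certificate error?". I'd add above the branch: `// For HSTS hosts ShouldTreatAsCertificateError() returns false, so the error is never offered to the delegate and stays fatal.` That keeps the non-bypassable guarantee visible where the decision is consumed, not only where it is computed.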
@@ -724,6 +719,27 @@ void URLRequestHttpJob::OnReadCompleted(int result) {
 NotifyReadComplete(result);
 }
 
+bool URLRequestHttpJob::ShouldTreatAsCertificateError(int result) {
+ if (!IsCertificateError(result))
+ return false;
+
+ // Revocation check failures are always certificate errors, even if the host
+ // is using Strict-Transport-Security.
+ if (result == ERR_CERT_UNABLE_TO_CHECK_REVOCATION)
+ return true;
+
+ // Check whether our context is using Strict-Transport-Security.
+ if (!context_->transport_security_state())
+ return true;
+
+ TransportSecurityState::DomainState domain_state;
+ const bool r = context_->transport_security_state()->IsEnabledForHost(
+ &domain_state, request_info_.url.host(),
+ SSLConfigService::IsSNIAvailable(context_->ssl_config_service()));
+
+ return !r;
+}
+
 void URLRequestHttpJob::RestartTransactionWithAuth(
 const string16& username,
 const string16& password) {
diff --git a/net/url_request/url_request_http_job.h b/net/url_request/url_request_http_job.h
index 883948d..8293c13 100644
--- a/net/url_request/url_request_http_job.h
+++ b/net/url_request/url_request_http_job.h
@@ -59,6 +59,8 @@ class URLRequestHttpJob : public URLRequestJob {
 void OnReadCompleted(int result);
 void NotifyBeforeSendHeadersCallback(int result);
 
+ bool ShouldTreatAsCertificateError(int result);
+
 void RestartTransactionWithAuth(const string16& username,
 const string16& password);
 
diff --git a/net/url_request/url_request_job.cc b/net/url_request/url_request_job.cc
index 2a23d61..47e38e9 100644
--- a/net/url_request/url_request_job.cc
+++ b/net/url_request/url_request_job.cc
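Review bot: `bool ShouldTreatAsCertificateError(int result);` is restored in the url_request_http_job.h hunk without any comment, and the name inverts what the body decides: it returns false exactly when the certificate error must not be overridable (an HSTS host with any error other than ERR_CERT_UNABLE_TO_CHECK_REVOCATION), which is the security-relevant case. I'd document that on the declaration: `// Returns true if |result| is a certificate error that may be offered to the delegate to override; false for HSTS hosts (revocation-check failures excepted), where the error must stay fatal.` In the body, `const bool r` hides the same fact; naming it for what it holds, `const bool is_hsts_host = ...` and `return !is_hsts_host;`, makes the inversion readable. The `domain_state` out-parameter is filled by IsEnabledForHost() and never read here, which is fine but worth a word so nobody later "fixes" it.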
@@ -228,12 +228,12 @@ void URLRequestJob::NotifyCertificateRequested(
 request_->NotifyCertificateRequested(cert_request_info);
 }
 
-void URLRequestJob::NotifySSLCertificateError(const SSLInfo& ssl_info,
- bool is_hsts_host) {
+void URLRequestJob::NotifySSLCertificateError(int cert_error,
+ X509Certificate* cert) {
 if (!request_)
 return; // The request was destroyed, so there is no more work to do.
 
- request_->NotifySSLCertificateError(ssl_info, is_hsts_host);
+ request_->NotifySSLCertificateError(cert_error, cert);
 }
 
 bool URLRequestJob::CanGetCookies(const CookieList& cookie_list) const {
diff --git a/net/url_request/url_request_job.h b/net/url_request/url_request_job.h
index 4231ddd..01547cc 100644
--- a/net/url_request/url_request_job.h
+++ b/net/url_request/url_request_job.h
@@ -30,7 +30,6 @@ class HttpRequestHeaders;
 class HttpResponseInfo;
 class IOBuffer;
 class SSLCertRequestInfo;
-class SSLInfo;
 class URLRequest;
 class UploadData;
 class URLRequestStatus;
@@ -198,8 +197,7 @@ class NET_EXPORT URLRequestJob : public base::RefCounted<URLRequestJob>,
 void NotifyCertificateRequested(SSLCertRequestInfo* cert_request_info);
 
 // Notifies the job about an SSL certificate error.
- void NotifySSLCertificateError(const SSLInfo& ssl_info,
- bool is_hsts_host);
+ void NotifySSLCertificateError(int cert_error, X509Certificate* cert);
 
 // Delegates to URLRequest::Delegate.
 bool CanGetCookies(const CookieList& cookie_list) const;
diff --git a/net/url_request/url_request_test_util.cc b/net/url_request/url_request_test_util.cc
index bffad74..f49d0c4 100644
--- a/net/url_request/url_request_test_util.cc
+++ b/net/url_request/url_request_test_util.cc
@@ -193,8 +193,8 @@ void TestDelegate::OnAuthRequired(net::URLRequest* request,
 }
 
 void TestDelegate::OnSSLCertificateError(net::URLRequest* request,
- const net::SSLInfo& ssl_info,
- bool is_hsts_host) {
+ int cert_error,
+ net::X509Certificate* cert) {
 // The caller can control whether it needs all SSL requests to go through,
 // independent of any possible errors, or whether it wants SSL errors to
 // cancel the request.
diff --git a/net/url_request/url_request_test_util.h b/net/url_request/url_request_test_util.h
index f8ef867..cac7a72 100644
--- a/net/url_request/url_request_test_util.h
+++ b/net/url_request/url_request_test_util.h
@@ -129,8 +129,8 @@ class TestDelegate : public net::URLRequest::Delegate {
 virtual void OnAuthRequired(net::URLRequest* request,
 net::AuthChallengeInfo* auth_info) OVERRIDE;
 virtual void OnSSLCertificateError(net::URLRequest* request,
- const net::SSLInfo& ssl_info,
- bool is_hsts_host) OVERRIDE;
+ int cert_error,
+ net::X509Certificate* cert) OVERRIDE;
 virtual bool CanGetCookies(const net::URLRequest* request,
 const net::CookieList& cookie_list) const OVERRIDE;
 virtual bool CanSetCookie(const net::URLRequest* request, |