File: stateful_ssl_host_state_delegate.cc

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (504 lines) | stat: -rw-r--r-- 20,231 bytes parent folder | download | duplicates (5)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "components/security_interstitials/content/stateful_ssl_host_state_delegate.h"

#include <stdint.h>

#include <functional>
#include <memory>
#include <optional>
#include <set>
#include <utility>

#include "base/base64.h"
#include "base/containers/contains.h"
#include "base/functional/bind.h"
#include "base/functional/callback.h"
#include "base/functional/callback_helpers.h"
#include "base/json/values_util.h"
#include "base/logging.h"
#include "base/strings/string_number_conversions.h"
#include "base/time/clock.h"
#include "base/time/default_clock.h"
#include "base/time/time.h"
#include "base/values.h"
#include "build/build_config.h"
#include "components/content_settings/core/browser/content_settings_pref_provider.h"
#include "components/content_settings/core/browser/host_content_settings_map.h"
#include "components/content_settings/core/common/content_settings_types.h"
#include "components/pref_registry/pref_registry_syncable.h"
#include "components/prefs/scoped_user_pref_update.h"
#include "components/security_interstitials/core/pref_names.h"
#include "content/public/browser/browser_context.h"
#include "content/public/browser/storage_partition.h"
#include "net/base/hash_value.h"
#include "net/cert/x509_certificate.h"
#include "services/network/public/mojom/network_context.mojom.h"
#include "url/gurl.h"

namespace {

// Certificate error bypasses are remembered for one week.
const uint64_t kCertErrorBypassExpirationInSeconds = UINT64_C(604800);

// The expiration for HTTPS-First Mode bypasses is 15 days.
const uint64_t kHTTPSFirstModeBypassExpirationInSeconds = UINT64_C(1296000);

// Keys for the per-site error + certificate finger to judgment content
// settings map.
const char kSSLCertDecisionCertErrorMapKey[] = "cert_exceptions_map";
const char kSSLCertDecisionExpirationTimeKey[] = "decision_expiration_time";
const char kSSLCertDecisionVersionKey[] = "version";

const int kDefaultSSLCertDecisionVersion = 1;

// All SSL decisions are per host (and are shared arcoss schemes), so this
// canonicalizes all hosts into a secure scheme GURL to use with content
// settings. The returned GURL will be the passed in host with an empty path and
// https:// as the scheme.
GURL GetSecureGURLForHost(const std::string& host) {
  std::string url = "https://" + host;
  return GURL(url);
}

std::string GetKey(const net::X509Certificate& cert, int error) {
  // Since a security decision will be made based on the fingerprint, Chrome
  // should use the SHA-256 fingerprint for the certificate.
  net::SHA256HashValue fingerprint = cert.CalculateChainFingerprint256();
  std::string base64_fingerprint = base::Base64Encode(fingerprint);
  return base::NumberToString(error) + base64_fingerprint;
}

bool HostFilterToPatternFilter(
    base::OnceCallback<bool(const std::string&)> host_filter,
    const ContentSettingsPattern& primary_pattern,
    const ContentSettingsPattern& secondary_pattern) {
  // We only ever set origin-scoped exceptions which are of the form
  // "https://<host>:443". That is a valid URL, so we can compare |host_filter|
  // against its host.
  GURL url = GURL(primary_pattern.ToString());
  DCHECK(url.is_valid());
  return std::move(host_filter).Run(url.host());
}

}  // namespace

StatefulSSLHostStateDelegate::StatefulSSLHostStateDelegate(
    content::BrowserContext* browser_context,
    HostContentSettingsMap* host_content_settings_map)
    : clock_(new base::DefaultClock()),
      browser_context_(browser_context),
      host_content_settings_map_(host_content_settings_map),
      https_only_mode_allowlist_(
          host_content_settings_map,
          clock_.get(),
          base::Seconds(kHTTPSFirstModeBypassExpirationInSeconds)),
      https_only_mode_enforcelist_(host_content_settings_map_, clock_.get()),
      https_first_balanced_mode_suppressed_for_testing(false) {}

StatefulSSLHostStateDelegate::~StatefulSSLHostStateDelegate() = default;

void StatefulSSLHostStateDelegate::AllowCert(
    const std::string& host,
    const net::X509Certificate& cert,
    int error,
    content::StoragePartition* storage_partition) {
  if (!storage_partition ||
      storage_partition != browser_context_->GetDefaultStoragePartition()) {
    // Decisions for non-default storage partitions are stored in memory only;
    // see comment on declaration of
    // |allowed_certs_for_non_default_storage_partitions_|.
    auto allowed_cert =
        AllowedCert(GetKey(cert, error), storage_partition->GetPath());
    allowed_certs_for_non_default_storage_partitions_[host].insert(
        allowed_cert);
    return;
  }

  GURL url = GetSecureGURLForHost(host);
  base::Value value(host_content_settings_map_->GetWebsiteSetting(
      url, url, ContentSettingsType::SSL_CERT_DECISIONS, nullptr));

  if (!value.is_dict())
    value = base::Value(base::Value::Type::DICT);

  base::Value::Dict* cert_dict =
      GetValidCertDecisionsDict(CREATE_DICTIONARY_ENTRIES, value.GetDict());
  // If a a valid certificate dictionary cannot be extracted from the content
  // setting, that means it's in an unknown format. Unfortunately, there's
  // nothing to be done in that case, so a silent fail is the only option.
  if (!cert_dict)
    return;

  value.GetDict().Set(kSSLCertDecisionVersionKey,
                      kDefaultSSLCertDecisionVersion);
  cert_dict->Set(GetKey(cert, error), ALLOWED);

  // The map takes ownership of the value, so it is released in the call to
  // SetWebsiteSettingDefaultScope.
  host_content_settings_map_->SetWebsiteSettingDefaultScope(
      url, GURL(), ContentSettingsType::SSL_CERT_DECISIONS, std::move(value));
}

void StatefulSSLHostStateDelegate::Clear(
    base::RepeatingCallback<bool(const std::string&)> host_filter) {
  // Convert host matching to content settings pattern matching. Content
  // settings deletion is done synchronously on the UI thread, so we can use
  // |host_filter| by reference.
  HostContentSettingsMap::PatternSourcePredicate pattern_filter;
  if (!host_filter.is_null()) {
    pattern_filter =
        base::BindRepeating(&HostFilterToPatternFilter, host_filter);
  }

  host_content_settings_map_->ClearSettingsForOneTypeWithPredicate(
      ContentSettingsType::SSL_CERT_DECISIONS, base::Time(), base::Time::Max(),
      pattern_filter);
  https_only_mode_allowlist_.Clear(base::Time(), base::Time::Max(),
                                   pattern_filter);

  // This might not be necessary since the engagement score of a site will be
  // cleared and the site will be removed from the enforcelist. However, there
  // could be a period between clearing and navigating where the enforcelist
  // would still be persisted on disk etc, so clear it explicitly.
  https_only_mode_enforcelist_.Clear(base::Time(), base::Time::Max(),
                                     pattern_filter);
}

content::SSLHostStateDelegate::CertJudgment
StatefulSSLHostStateDelegate::QueryPolicy(
    const std::string& host,
    const net::X509Certificate& cert,
    int error,
    content::StoragePartition* storage_partition) {
  if (!storage_partition ||
      storage_partition != browser_context_->GetDefaultStoragePartition()) {
    if (allowed_certs_for_non_default_storage_partitions_.find(host) ==
        allowed_certs_for_non_default_storage_partitions_.end()) {
      return DENIED;
    }
    AllowedCert allowed_cert =
        AllowedCert(GetKey(cert, error), storage_partition->GetPath());
    if (base::Contains(allowed_certs_for_non_default_storage_partitions_[host],
                       allowed_cert)) {
      return ALLOWED;
    }
    return DENIED;
  }

  GURL url = GetSecureGURLForHost(host);
  base::Value value(host_content_settings_map_->GetWebsiteSetting(
      url, url, ContentSettingsType::SSL_CERT_DECISIONS, nullptr));

  if (!value.is_dict())
    return DENIED;

  base::Value::Dict* cert_error_dict = GetValidCertDecisionsDict(
      DO_NOT_CREATE_DICTIONARY_ENTRIES, value.GetDict());
  if (!cert_error_dict) {
    // This revoke is necessary to clear any old expired setting that may be
    // lingering in the case that an old decision expried.
    RevokeUserAllowExceptions(host);
    return DENIED;
  }

  std::optional<int> policy_decision =
      cert_error_dict->FindInt(GetKey(cert, error));

  // If a policy decision was successfully retrieved and it's a valid value of
  // ALLOWED, return the valid value. Otherwise, return DENIED.
  if (policy_decision.has_value() && policy_decision.value() == ALLOWED)
    return ALLOWED;

  return DENIED;
}

void StatefulSSLHostStateDelegate::HostRanInsecureContent(
    const std::string& host,
    InsecureContentType content_type) {
  switch (content_type) {
    case MIXED_CONTENT:
      ran_mixed_content_hosts_.insert(host);
      return;
    case CERT_ERRORS_CONTENT:
      ran_content_with_cert_errors_hosts_.insert(host);
      return;
  }
}

bool StatefulSSLHostStateDelegate::DidHostRunInsecureContent(
    const std::string& host,
    InsecureContentType content_type) {
  switch (content_type) {
    case MIXED_CONTENT:
      return base::Contains(ran_mixed_content_hosts_, host);
    case CERT_ERRORS_CONTENT:
      return base::Contains(ran_content_with_cert_errors_hosts_, host);
  }
  NOTREACHED();
}

void StatefulSSLHostStateDelegate::AllowHttpForHost(
    const std::string& host,
    content::StoragePartition* storage_partition) {
  bool is_nondefault_storage =
      !storage_partition ||
      storage_partition != browser_context_->GetDefaultStoragePartition();
  https_only_mode_allowlist_.AllowHttpForHost(host, is_nondefault_storage);
}

bool StatefulSSLHostStateDelegate::IsHttpAllowedForHost(
    const std::string& host,
    content::StoragePartition* storage_partition) {
  bool is_nondefault_storage =
      !storage_partition ||
      storage_partition != browser_context_->GetDefaultStoragePartition();
  return https_only_mode_allowlist_.IsHttpAllowedForHost(host,
                                                         is_nondefault_storage);
}

void StatefulSSLHostStateDelegate::SetHttpsEnforcementForHost(
    const std::string& host,
    bool enforced,
    content::StoragePartition* storage_partition) {
  bool is_nondefault_storage =
      !storage_partition ||
      storage_partition != browser_context_->GetDefaultStoragePartition();
  if (enforced) {
    https_only_mode_enforcelist_.EnforceForHost(host, is_nondefault_storage);
  } else {
    https_only_mode_enforcelist_.UnenforceForHost(host, is_nondefault_storage);
  }
}

bool StatefulSSLHostStateDelegate::IsHttpsEnforcedForUrl(
    const GURL& url,
    content::StoragePartition* storage_partition) {
  bool is_nondefault_storage =
      !storage_partition ||
      storage_partition != browser_context_->GetDefaultStoragePartition();
  return https_only_mode_enforcelist_.IsEnforcedForUrl(url,
                                                       is_nondefault_storage);
}

std::set<GURL> StatefulSSLHostStateDelegate::GetHttpsEnforcedHosts(
    content::StoragePartition* storage_partition) const {
  bool is_nondefault_storage =
      !storage_partition ||
      storage_partition != browser_context_->GetDefaultStoragePartition();
  return https_only_mode_enforcelist_.GetHosts(is_nondefault_storage);
}

void StatefulSSLHostStateDelegate::ClearHttpsOnlyModeAllowlist() {
  https_only_mode_allowlist_.ClearAllowlist(base::Time(), base::Time::Max());
}

void StatefulSSLHostStateDelegate::ClearHttpsEnforcelist() {
  https_only_mode_enforcelist_.ClearEnforcements(base::Time(),
                                                 base::Time::Max());
}

void StatefulSSLHostStateDelegate::RevokeUserAllowExceptions(
    const std::string& host) {
  GURL url = GetSecureGURLForHost(host);
  host_content_settings_map_->SetWebsiteSettingDefaultScope(
      url, GURL(), ContentSettingsType::SSL_CERT_DECISIONS, base::Value());
  // Decisions for non-default storage partitions are stored separately in
  // memory; delete those as well.
  allowed_certs_for_non_default_storage_partitions_.erase(host);

  https_only_mode_allowlist_.RevokeUserAllowExceptions(host);
  https_only_mode_enforcelist_.RevokeEnforcements(host);
}

bool StatefulSSLHostStateDelegate::HasAllowException(
    const std::string& host,
    content::StoragePartition* storage_partition) {
  return HasCertAllowException(host, storage_partition) ||
         IsHttpAllowedForHost(host, storage_partition);
}

bool StatefulSSLHostStateDelegate::HasAllowExceptionForAnyHost(
    content::StoragePartition* storage_partition) {
  return HasCertAllowExceptionForAnyHost(storage_partition) ||
         IsHttpAllowedForAnyHost(storage_partition);
}

bool StatefulSSLHostStateDelegate::HasCertAllowExceptionForAnyHost(
    content::StoragePartition* storage_partition) {
  if (!storage_partition ||
      storage_partition != browser_context_->GetDefaultStoragePartition()) {
    return !allowed_certs_for_non_default_storage_partitions_.empty();
  }

  ContentSettingsForOneType content_settings_list =
      host_content_settings_map_->GetSettingsForOneType(
          ContentSettingsType::SSL_CERT_DECISIONS);
  return !content_settings_list.empty();
}

bool StatefulSSLHostStateDelegate::IsHttpAllowedForAnyHost(
    content::StoragePartition* storage_partition) {
  bool is_nondefault_storage =
      !storage_partition ||
      storage_partition != browser_context_->GetDefaultStoragePartition();

  return https_only_mode_allowlist_.IsHttpAllowedForAnyHost(
      is_nondefault_storage);
}

// TODO(jww): This will revoke all of the decisions in the browser context.
// However, the networking stack actually keeps track of its own list of
// exceptions per-HttpNetworkTransaction in the SSLConfig structure (see the
// allowed_bad_certs Vector in net/ssl/ssl_config.h). This dual-tracking of
// exceptions introduces a problem where the browser context can revoke a
// certificate, but if a transaction reuses a cached version of the SSLConfig
// (probably from a pooled socket), it may bypass the intestitial layer.
//
// Over time, the cached versions should expire and it should converge on
// showing the interstitial. We probably need to introduce into the networking
// stack a way revoke SSLConfig's allowed_bad_certs lists per socket.
//
// For now, RevokeUserAllowExceptionsHard is our solution for the rare case
// where it is necessary to revoke the preferences immediately. It does so by
// flushing idle sockets, thus it is a big hammer and should be wielded with
// extreme caution as it can have a big, negative impact on network performance.
void StatefulSSLHostStateDelegate::RevokeUserAllowExceptionsHard(
    const std::string& host) {
  RevokeUserAllowExceptions(host);
  auto* network_context =
      browser_context_->GetDefaultStoragePartition()->GetNetworkContext();
  network_context->CloseIdleConnections(base::NullCallback());
}

bool StatefulSSLHostStateDelegate::
    HttpsFirstBalancedModeSuppressedForTesting() {
  return https_first_balanced_mode_suppressed_for_testing;
}

void StatefulSSLHostStateDelegate::
    SetHttpsFirstBalancedModeSuppressedForTesting(bool suppressed) {
  https_first_balanced_mode_suppressed_for_testing = suppressed;
}

void StatefulSSLHostStateDelegate::SetClockForTesting(
    std::unique_ptr<base::Clock> clock) {
  // Pointers to the existing Clock object must be reset before swapping the
  // underlying Clock object, otherwise they are dangling (briefly).
  https_only_mode_allowlist_.SetClockForTesting(nullptr);    // IN-TEST
  https_only_mode_enforcelist_.SetClockForTesting(nullptr);  // IN-TEST

  clock_ = std::move(clock);
  https_only_mode_allowlist_.SetClockForTesting(clock_.get());    // IN-TEST
  https_only_mode_enforcelist_.SetClockForTesting(clock_.get());  // IN-TEST
}

bool StatefulSSLHostStateDelegate::HasCertAllowException(
    const std::string& host,
    content::StoragePartition* storage_partition) {
  if (!storage_partition ||
      storage_partition != browser_context_->GetDefaultStoragePartition()) {
    return base::Contains(allowed_certs_for_non_default_storage_partitions_,
                          host);
  }

  GURL url = GetSecureGURLForHost(host);
  const ContentSettingsPattern pattern =
      ContentSettingsPattern::FromURLNoWildcard(url);

  const base::Value value(host_content_settings_map_->GetWebsiteSetting(
      url, url, ContentSettingsType::SSL_CERT_DECISIONS, nullptr));

  if (!value.is_dict())
    return false;

  for (const auto pair : value.GetDict()) {
    if (!pair.second.is_int())
      continue;

    if (static_cast<CertJudgment>(pair.second.GetInt()) == ALLOWED)
      return true;
  }

  return false;
}

// This helper function gets the dictionary of certificate fingerprints to
// errors of certificates that have been accepted by the user from the content
// dictionary that has been passed in. The returned pointer is owned by the the
// argument dict that is passed in.
//
// If create_entries is set to |DO_NOT_CREATE_DICTIONARY_ENTRIES|,
// GetValidCertDecisionsDict will return nullptr if there is anything invalid
// about the setting, such as an invalid version or invalid value types (in
// addition to there not being any values in the dictionary). If create_entries
// is set to |CREATE_DICTIONARY_ENTRIES|, if no dictionary is found or the
// decisions are expired, a new dictionary will be created.
base::Value::Dict* StatefulSSLHostStateDelegate::GetValidCertDecisionsDict(
    CreateDictionaryEntriesDisposition create_entries,
    base::Value::Dict& dict) {
  // Extract the version of the certificate decision structure from the content
  // setting.
  std::optional<int> version = dict.FindInt(kSSLCertDecisionVersionKey);
  if (!version) {
    if (create_entries == DO_NOT_CREATE_DICTIONARY_ENTRIES)
      return nullptr;

    dict.Set(kSSLCertDecisionVersionKey, kDefaultSSLCertDecisionVersion);
    version = std::make_optional<int>(kDefaultSSLCertDecisionVersion);
  }

  // If the version is somehow a newer version than Chrome can handle, there's
  // really nothing to do other than fail silently and pretend it doesn't exist
  // (or is malformed).
  if (*version > kDefaultSSLCertDecisionVersion) {
    LOG(ERROR) << "Failed to parse a certificate error exception that is in a "
               << "newer version format (" << *version << ") than is supported"
               << "(" << kDefaultSSLCertDecisionVersion << ")";
    return nullptr;
  }

  // Extract the certificate decision's expiration time from the content
  // setting. If there is no expiration time, that means it should never expire
  // and it should reset only at session restart, so skip all of the expiration
  // checks.
  bool expired = false;
  base::Time now = clock_->Now();
  auto* decision_expiration_value =
      dict.Find(kSSLCertDecisionExpirationTimeKey);
  auto decision_expiration = base::ValueToTime(decision_expiration_value);

  // Check to see if the user's certificate decision has expired.
  // - Expired and |create_entries| is DO_NOT_CREATE_DICTIONARY_ENTRIES, return
  // nullptr.
  // - Expired and |create_entries| is CREATE_DICTIONARY_ENTRIES, update the
  // expiration time.
  if (decision_expiration <= now) {
    if (create_entries == DO_NOT_CREATE_DICTIONARY_ENTRIES)
      return nullptr;

    expired = true;
    base::Time expiration_time =
        now + base::Seconds(kCertErrorBypassExpirationInSeconds);
    // Unfortunately, JSON (and thus content settings) doesn't support int64_t
    // values, only doubles. Since this mildly depends on precision, it is
    // better to store the value as a string.
    dict.Set(kSSLCertDecisionExpirationTimeKey,
             base::TimeToValue(expiration_time));
  }

  // Extract the map of certificate fingerprints to errors from the setting.
  base::Value::Dict* cert_error_dict =
      dict.FindDict(kSSLCertDecisionCertErrorMapKey);
  if (expired || !cert_error_dict) {
    if (create_entries == DO_NOT_CREATE_DICTIONARY_ENTRIES)
      return nullptr;

    cert_error_dict = dict.EnsureDict(kSSLCertDecisionCertErrorMapKey);
    cert_error_dict->clear();
  }

  return cert_error_dict;
}