1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
414 user_connect_callback_(NULL), | 414 user_connect_callback_(NULL), |
415 user_read_callback_(NULL), | 415 user_read_callback_(NULL), |
416 user_write_callback_(NULL), | 416 user_write_callback_(NULL), |
417 user_read_buf_len_(0), | 417 user_read_buf_len_(0), |
418 user_write_buf_len_(0), | 418 user_write_buf_len_(0), |
419 server_cert_nss_(NULL), | 419 server_cert_nss_(NULL), |
420 client_auth_cert_needed_(false), | 420 client_auth_cert_needed_(false), |
421 handshake_callback_called_(false), | 421 handshake_callback_called_(false), |
422 completed_handshake_(false), | 422 completed_handshake_(false), |
423 pseudo_connected_(false), | 423 pseudo_connected_(false), |
| 424 eset_mitm_detected_(false), |
| 425 netnanny_mitm_detected_(false), |
424 dnssec_provider_(NULL), | 426 dnssec_provider_(NULL), |
425 next_handshake_state_(STATE_NONE), | 427 next_handshake_state_(STATE_NONE), |
426 nss_fd_(NULL), | 428 nss_fd_(NULL), |
427 nss_bufs_(NULL), | 429 nss_bufs_(NULL), |
428 net_log_(transport_socket->socket()->NetLog()), | 430 net_log_(transport_socket->socket()->NetLog()), |
429 predicted_npn_status_(kNextProtoUnsupported), | 431 predicted_npn_status_(kNextProtoUnsupported), |
430 predicted_npn_proto_used_(false) { | 432 predicted_npn_proto_used_(false) { |
431 EnterFunction(""); | 433 EnterFunction(""); |
432 } | 434 } |
433 | 435 |
988 user_write_buf_ = NULL; | 990 user_write_buf_ = NULL; |
989 user_write_buf_len_ = 0; | 991 user_write_buf_len_ = 0; |
990 server_cert_ = NULL; | 992 server_cert_ = NULL; |
991 if (server_cert_nss_) { | 993 if (server_cert_nss_) { |
992 CERT_DestroyCertificate(server_cert_nss_); | 994 CERT_DestroyCertificate(server_cert_nss_); |
993 server_cert_nss_ = NULL; | 995 server_cert_nss_ = NULL; |
994 } | 996 } |
995 server_cert_verify_result_.Reset(); | 997 server_cert_verify_result_.Reset(); |
996 completed_handshake_ = false; | 998 completed_handshake_ = false; |
997 pseudo_connected_ = false; | 999 pseudo_connected_ = false; |
| 1000 eset_mitm_detected_ = false; |
| 1001 netnanny_mitm_detected_= false; |
998 nss_bufs_ = NULL; | 1002 nss_bufs_ = NULL; |
999 client_certs_.clear(); | 1003 client_certs_.clear(); |
1000 client_auth_cert_needed_ = false; | 1004 client_auth_cert_needed_ = false; |
1001 | 1005 |
1002 LeaveFunction(""); | 1006 LeaveFunction(""); |
1003 } | 1007 } |
1004 | 1008 |
1005 bool SSLClientSocketNSS::IsConnected() const { | 1009 bool SSLClientSocketNSS::IsConnected() const { |
1006 // Ideally, we should also check if we have received the close_notify alert | 1010 // Ideally, we should also check if we have received the close_notify alert |
1007 // message from the server, and return false in that case. We're not doing | 1011 // message from the server, and return false in that case. We're not doing |
1732 if (rv != SECSuccess) | 1736 if (rv != SECSuccess) |
1733 NOTREACHED(); | 1737 NOTREACHED(); |
1734 if (false_start) { | 1738 if (false_start) { |
1735 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | 1739 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
1736 if (!that->handshake_callback_called_) { | 1740 if (!that->handshake_callback_called_) { |
1737 that->corked_ = true; | 1741 that->corked_ = true; |
1738 that->uncork_timer_.Start( | 1742 that->uncork_timer_.Start( |
1739 base::TimeDelta::FromMilliseconds(kCorkTimeoutMs), | 1743 base::TimeDelta::FromMilliseconds(kCorkTimeoutMs), |
1740 that, &SSLClientSocketNSS::UncorkAfterTimeout); | 1744 that, &SSLClientSocketNSS::UncorkAfterTimeout); |
1741 } | 1745 } |
| 1746 |
| 1747 // ESET anti-virus is capable of intercepting HTTPS connections on Windows. |
| 1748 // However, it is False Start intolerant and causes the connections to hang |
| 1749 // forever. We detect ESET by the issuer of the leaf certificate and set a |
| 1750 // flag to return a specific error, giving the user instructions for |
| 1751 // reconfiguring ESET. |
| 1752 CERTCertificate* cert = SSL_PeerCertificate(that->nss_fd_); |
| 1753 if (cert) { |
| 1754 char* common_name = CERT_GetCommonName(&cert->issuer); |
| 1755 if (common_name) { |
| 1756 if (strcmp(common_name, "ESET_RootSslCert") == 0) |
| 1757 that->eset_mitm_detected_ = true; |
| 1758 if (strcmp(common_name, "ContentWatch Root Certificate Authority") == 0) |
| 1759 that->netnanny_mitm_detected_ = true; |
| 1760 PORT_Free(common_name); |
| 1761 } |
| 1762 CERT_DestroyCertificate(cert); |
| 1763 } |
1742 } | 1764 } |
1743 #endif | 1765 #endif |
1744 | 1766 |
1745 // Tell NSS to not verify the certificate. | 1767 // Tell NSS to not verify the certificate. |
1746 return SECSuccess; | 1768 return SECSuccess; |
1747 } | 1769 } |
1748 | 1770 |
1749 // static | 1771 // static |
1750 // NSS calls this if a client certificate is needed. | 1772 // NSS calls this if a client certificate is needed. |
1751 // Based on Mozilla's NSS_GetClientAuthData. | 1773 // Based on Mozilla's NSS_GetClientAuthData. |
2017 // If the handshake already succeeded (because the server requests but | 2039 // If the handshake already succeeded (because the server requests but |
2018 // doesn't require a client cert), we need to invalidate the SSL session | 2040 // doesn't require a client cert), we need to invalidate the SSL session |
2019 // so that we won't try to resume the non-client-authenticated session in | 2041 // so that we won't try to resume the non-client-authenticated session in |
2020 // the next handshake. This will cause the server to ask for a client | 2042 // the next handshake. This will cause the server to ask for a client |
2021 // cert again. | 2043 // cert again. |
2022 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) { | 2044 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) { |
2023 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); | 2045 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); |
2024 } | 2046 } |
2025 } else if (rv == SECSuccess) { | 2047 } else if (rv == SECSuccess) { |
2026 if (handshake_callback_called_) { | 2048 if (handshake_callback_called_) { |
2027 SaveSnapStartInfo(); | 2049 if (eset_mitm_detected_) { |
2028 // SSL handshake is completed. It's possible that we mispredicted the NPN | 2050 net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION; |
2029 // agreed protocol. In this case, we've just sent a request in the wrong | 2051 } else if (netnanny_mitm_detected_) { |
2030 // protocol! The higher levels of this network stack aren't prepared for | 2052 net_error = ERR_NETNANNY_SSL_INTERCEPTION; |
2031 // switching the protocol like that so we make up an error and rely on | |
2032 // the fact that the request will be retried. | |
2033 if (IsNPNProtocolMispredicted()) { | |
2034 LOG(WARNING) << "Mispredicted NPN protocol for " << hostname_; | |
2035 net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION; | |
2036 } else { | 2053 } else { |
2037 // Let's verify the certificate. | 2054 SaveSnapStartInfo(); |
2038 GotoState(STATE_VERIFY_DNSSEC); | 2055 // SSL handshake is completed. It's possible that we mispredicted the NP
N |
| 2056 // agreed protocol. In this case, we've just sent a request in the wrong |
| 2057 // protocol! The higher levels of this network stack aren't prepared for |
| 2058 // switching the protocol like that so we make up an error and rely on |
| 2059 // the fact that the request will be retried. |
| 2060 if (IsNPNProtocolMispredicted()) { |
| 2061 LOG(WARNING) << "Mispredicted NPN protocol for " << hostname_; |
| 2062 net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION; |
| 2063 } else { |
| 2064 // Let's verify the certificate. |
| 2065 GotoState(STATE_VERIFY_DNSSEC); |
| 2066 } |
2039 } | 2067 } |
2040 // Done! | 2068 // Done! |
2041 } else { | 2069 } else { |
2042 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 - | 2070 // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 - |
2043 // SSL_ForceHandshake returned SECSuccess prematurely. | 2071 // SSL_ForceHandshake returned SECSuccess prematurely. |
2044 rv = SECFailure; | 2072 rv = SECFailure; |
2045 net_error = ERR_SSL_PROTOCOL_ERROR; | 2073 net_error = ERR_SSL_PROTOCOL_ERROR; |
2046 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 2074 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
2047 new SSLErrorParams(net_error, 0)); | 2075 new SSLErrorParams(net_error, 0)); |
2048 } | 2076 } |
2416 return ERR_IO_PENDING; | 2444 return ERR_IO_PENDING; |
2417 } | 2445 } |
2418 LeaveFunction(""); | 2446 LeaveFunction(""); |
2419 rv = MapNSPRError(prerr); | 2447 rv = MapNSPRError(prerr); |
2420 net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR, | 2448 net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR, |
2421 new SSLErrorParams(rv, prerr)); | 2449 new SSLErrorParams(rv, prerr)); |
2422 return rv; | 2450 return rv; |
2423 } | 2451 } |
2424 | 2452 |
2425 } // namespace net | 2453 } // namespace net |
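Review bot: The issuer-CN match added at new lines 1752-1759 runs on `SSL_PeerCertificate` before any chain verification (the callback still returns SECSuccess under the "Tell NSS to not verify the certificate" comment, and the new branches at 2049-2052 set `net_error` instead of reaching `GotoState(STATE_VERIFY_DNSSEC)`), so the string being compared is unauthenticated, server-chosen data. A hostile server can therefore present a leaf whose issuer CN is `ESET_RootSslCert` or `ContentWatch Root Certificate Authority` and make the client report a local-interception error that blames the user's own software; the connection still fails, so this appears to be a misleading-diagnostics issue rather than a verification bypass, but it is worth stating. I would record that limit above the check, e.g. `// NOTE: the issuer CN is unverified, server-supplied data; matching it only selects which error is reported, never whether the certificate is trusted.`, and, for consistency with the bug-562434 workaround branch below, emit `net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, new SSLErrorParams(net_error, 0));` in the two new MITM branches so the NetLog shows why the handshake was failed. Both DoHandshake and the auth-cert callback begin outside the visible hunks, so the surrounding control flow is inferred from the shown lines only.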