
Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 7275027: Detect Kaspersky SSL MITM and give a helpful error message. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 9 years, 5 months ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 433 matching lines...) Expand 10 before | Expand all | Expand 10 after
444 user_read_buf_len_(0), 444 user_read_buf_len_(0),
445 user_write_buf_len_(0), 445 user_write_buf_len_(0),
446 server_cert_nss_(NULL), 446 server_cert_nss_(NULL),
447 server_cert_verify_result_(NULL), 447 server_cert_verify_result_(NULL),
448 ssl_connection_status_(0), 448 ssl_connection_status_(0),
449 client_auth_cert_needed_(false), 449 client_auth_cert_needed_(false),
450 cert_verifier_(cert_verifier), 450 cert_verifier_(cert_verifier),
451 handshake_callback_called_(false), 451 handshake_callback_called_(false),
452 completed_handshake_(false), 452 completed_handshake_(false),
453 eset_mitm_detected_(false), 453 eset_mitm_detected_(false),
454 kaspersky_mitm_detected_(false),
454 predicted_cert_chain_correct_(false), 455 predicted_cert_chain_correct_(false),
455 next_handshake_state_(STATE_NONE), 456 next_handshake_state_(STATE_NONE),
456 nss_fd_(NULL), 457 nss_fd_(NULL),
457 nss_bufs_(NULL), 458 nss_bufs_(NULL),
458 net_log_(transport_socket->socket()->NetLog()), 459 net_log_(transport_socket->socket()->NetLog()),
459 ssl_host_info_(ssl_host_info), 460 ssl_host_info_(ssl_host_info),
460 dns_cert_checker_(dns_ctx), 461 dns_cert_checker_(dns_ctx),
461 valid_thread_id_(base::kInvalidThreadId) { 462 valid_thread_id_(base::kInvalidThreadId) {
462 EnterFunction(""); 463 EnterFunction("");
463 } 464 }
(...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after
626 server_cert_ = NULL; 627 server_cert_ = NULL;
627 if (server_cert_nss_) { 628 if (server_cert_nss_) {
628 CERT_DestroyCertificate(server_cert_nss_); 629 CERT_DestroyCertificate(server_cert_nss_);
629 server_cert_nss_ = NULL; 630 server_cert_nss_ = NULL;
630 } 631 }
631 local_server_cert_verify_result_.Reset(); 632 local_server_cert_verify_result_.Reset();
632 server_cert_verify_result_ = NULL; 633 server_cert_verify_result_ = NULL;
633 ssl_connection_status_ = 0; 634 ssl_connection_status_ = 0;
634 completed_handshake_ = false; 635 completed_handshake_ = false;
635 eset_mitm_detected_ = false; 636 eset_mitm_detected_ = false;
637 kaspersky_mitm_detected_ = false;
636 start_cert_verification_time_ = base::TimeTicks(); 638 start_cert_verification_time_ = base::TimeTicks();
637 predicted_cert_chain_correct_ = false; 639 predicted_cert_chain_correct_ = false;
638 nss_bufs_ = NULL; 640 nss_bufs_ = NULL;
639 client_certs_.clear(); 641 client_certs_.clear();
640 client_auth_cert_needed_ = false; 642 client_auth_cert_needed_ = false;
641 643
642 LeaveFunction(""); 644 LeaveFunction("");
643 } 645 }
644 646
645 bool SSLClientSocketNSS::IsConnected() const { 647 bool SSLClientSocketNSS::IsConnected() const {
(...skipping 727 matching lines...) Expand 10 before | Expand all | Expand 10 after
1373 // so that we won't try to resume the non-client-authenticated session in 1375 // so that we won't try to resume the non-client-authenticated session in
1374 // the next handshake. This will cause the server to ask for a client 1376 // the next handshake. This will cause the server to ask for a client
1375 // cert again. 1377 // cert again.
1376 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) { 1378 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) {
1377 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); 1379 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError();
1378 } 1380 }
1379 } else if (rv == SECSuccess) { 1381 } else if (rv == SECSuccess) {
1380 if (handshake_callback_called_) { 1382 if (handshake_callback_called_) {
1381 if (eset_mitm_detected_) { 1383 if (eset_mitm_detected_) {
1382 net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION; 1384 net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION;
1385 } else if (kaspersky_mitm_detected_) {
1386 net_error = ERR_KASPERSKY_ANTI_VIRUS_SSL_INTERCEPTION;
1383 } else { 1387 } else {
1384 // We need to see if the predicted certificate chain (in 1388 // We need to see if the predicted certificate chain (in
1385 // |ssl_host_info_->state().certs) matches the actual certificate chain 1389 // |ssl_host_info_->state().certs) matches the actual certificate chain
1386 // before we call SaveSSLHostInfo, as that will update 1390 // before we call SaveSSLHostInfo, as that will update
1387 // |ssl_host_info_|. 1391 // |ssl_host_info_|.
1388 if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty()) { 1392 if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty()) {
1389 PeerCertificateChain certs(nss_fd_); 1393 PeerCertificateChain certs(nss_fd_);
1390 const SSLHostInfo::State& state = ssl_host_info_->state(); 1394 const SSLHostInfo::State& state = ssl_host_info_->state();
1391 predicted_cert_chain_correct_ = certs.size() == state.certs.size(); 1395 predicted_cert_chain_correct_ = certs.size() == state.certs.size();
1392 if (predicted_cert_chain_correct_) { 1396 if (predicted_cert_chain_correct_) {
(...skipping 477 matching lines...) Expand 10 before | Expand all | Expand 10 after
1870 // forever. We detect ESET by the issuer of the leaf certificate and set a 1874 // forever. We detect ESET by the issuer of the leaf certificate and set a
1871 // flag to return a specific error, giving the user instructions for 1875 // flag to return a specific error, giving the user instructions for
1872 // reconfiguring ESET. 1876 // reconfiguring ESET.
1873 CERTCertificate* cert = SSL_PeerCertificate(that->nss_fd_); 1877 CERTCertificate* cert = SSL_PeerCertificate(that->nss_fd_);
1874 if (cert) { 1878 if (cert) {
1875 char* common_name = CERT_GetCommonName(&cert->issuer); 1879 char* common_name = CERT_GetCommonName(&cert->issuer);
1876 if (common_name) { 1880 if (common_name) {
1877 if (strcmp(common_name, "ESET_RootSslCert") == 0) 1881 if (strcmp(common_name, "ESET_RootSslCert") == 0)
1878 that->eset_mitm_detected_ = true; 1882 that->eset_mitm_detected_ = true;
1879 if (strcmp(common_name, 1883 if (strcmp(common_name,
1884 "Kaspersky Anti-Virus personal root certificate") == 0) {
1885 that->kaspersky_mitm_detected_ = true;
1886 }
wtc 2011/06/30 14:26:25 Nit: since disabling False Start doesn't help, it
agl 2011/07/01 14:34:42 Done. It's still within an #ifdef SSL_ENABLE_FALSE
1887 if (strcmp(common_name,
1880 "ContentWatch Root Certificate Authority") == 0) { 1888 "ContentWatch Root Certificate Authority") == 0) {
1881 // This is NetNanny. NetNanny are updating their product so we 1889 // This is NetNanny. NetNanny are updating their product so we
1882 // silently disable False Start for now. 1890 // silently disable False Start for now.
1883 rv = SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE); 1891 rv = SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
1884 DCHECK_EQ(SECSuccess, rv); 1892 DCHECK_EQ(SECSuccess, rv);
1885 false_start = 0; 1893 false_start = 0;
1886 } 1894 }
1887 PORT_Free(common_name); 1895 PORT_Free(common_name);
1888 } 1896 }
1889 CERT_DestroyCertificate(cert); 1897 CERT_DestroyCertificate(cert);
(...skipping 355 matching lines...) Expand 10 before | Expand all | Expand 10 after
2245 valid_thread_id_ = base::PlatformThread::CurrentId(); 2253 valid_thread_id_ = base::PlatformThread::CurrentId();
2246 } 2254 }
2247 2255
2248 bool SSLClientSocketNSS::CalledOnValidThread() const { 2256 bool SSLClientSocketNSS::CalledOnValidThread() const {
2249 EnsureThreadIdAssigned(); 2257 EnsureThreadIdAssigned();
2250 base::AutoLock auto_lock(lock_); 2258 base::AutoLock auto_lock(lock_);
2251 return valid_thread_id_ == base::PlatformThread::CurrentId(); 2259 return valid_thread_id_ == base::PlatformThread::CurrentId();
2252 } 2260 }
2253 2261
2254 } // namespace net 2262 } // namespace net
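Review bot: The new Kaspersky branch (new-side lines 1883–1886, the second `strcmp` on `common_name`) carries no comment, while the ESET and ContentWatch/NetNanny branches around it each explain what they detect and why, and the block comment above (new lines 1874–1876) still describes only the ESET case. Because detection is an exact `strcmp` of the leaf certificate's issuer common name against a hard-coded string, a later reader needs to know that any change to that CN silently leaves the interception undetected and, presumably, falls through to the ordinary certificate-verification outcome instead of `ERR_KASPERSKY_ANTI_VIRUS_SSL_INTERCEPTION`. I would add above the `if`: `// Kaspersky Anti-Virus intercepts SSL like ESET does, re-signing the server cert with its own root; detect it by the issuer common name (exact match) and set a flag so the handshake reports ERR_KASPERSKY_ANTI_VIRUS_SSL_INTERCEPTION.` The enclosing callback starts and ends outside this hunk, so the `#ifdef` context the existing review thread mentions is not visible here.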