OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 433 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
444 user_read_buf_len_(0), | 444 user_read_buf_len_(0), |
445 user_write_buf_len_(0), | 445 user_write_buf_len_(0), |
446 server_cert_nss_(NULL), | 446 server_cert_nss_(NULL), |
447 server_cert_verify_result_(NULL), | 447 server_cert_verify_result_(NULL), |
448 ssl_connection_status_(0), | 448 ssl_connection_status_(0), |
449 client_auth_cert_needed_(false), | 449 client_auth_cert_needed_(false), |
450 cert_verifier_(cert_verifier), | 450 cert_verifier_(cert_verifier), |
451 handshake_callback_called_(false), | 451 handshake_callback_called_(false), |
452 completed_handshake_(false), | 452 completed_handshake_(false), |
453 eset_mitm_detected_(false), | 453 eset_mitm_detected_(false), |
454 kaspersky_mitm_detected_(false), | |
454 predicted_cert_chain_correct_(false), | 455 predicted_cert_chain_correct_(false), |
455 next_handshake_state_(STATE_NONE), | 456 next_handshake_state_(STATE_NONE), |
456 nss_fd_(NULL), | 457 nss_fd_(NULL), |
457 nss_bufs_(NULL), | 458 nss_bufs_(NULL), |
458 net_log_(transport_socket->socket()->NetLog()), | 459 net_log_(transport_socket->socket()->NetLog()), |
459 ssl_host_info_(ssl_host_info), | 460 ssl_host_info_(ssl_host_info), |
460 dns_cert_checker_(dns_ctx), | 461 dns_cert_checker_(dns_ctx), |
461 valid_thread_id_(base::kInvalidThreadId) { | 462 valid_thread_id_(base::kInvalidThreadId) { |
462 EnterFunction(""); | 463 EnterFunction(""); |
463 } | 464 } |
(...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
626 server_cert_ = NULL; | 627 server_cert_ = NULL; |
627 if (server_cert_nss_) { | 628 if (server_cert_nss_) { |
628 CERT_DestroyCertificate(server_cert_nss_); | 629 CERT_DestroyCertificate(server_cert_nss_); |
629 server_cert_nss_ = NULL; | 630 server_cert_nss_ = NULL; |
630 } | 631 } |
631 local_server_cert_verify_result_.Reset(); | 632 local_server_cert_verify_result_.Reset(); |
632 server_cert_verify_result_ = NULL; | 633 server_cert_verify_result_ = NULL; |
633 ssl_connection_status_ = 0; | 634 ssl_connection_status_ = 0; |
634 completed_handshake_ = false; | 635 completed_handshake_ = false; |
635 eset_mitm_detected_ = false; | 636 eset_mitm_detected_ = false; |
637 kaspersky_mitm_detected_ = false; | |
636 start_cert_verification_time_ = base::TimeTicks(); | 638 start_cert_verification_time_ = base::TimeTicks(); |
637 predicted_cert_chain_correct_ = false; | 639 predicted_cert_chain_correct_ = false; |
638 nss_bufs_ = NULL; | 640 nss_bufs_ = NULL; |
639 client_certs_.clear(); | 641 client_certs_.clear(); |
640 client_auth_cert_needed_ = false; | 642 client_auth_cert_needed_ = false; |
641 | 643 |
642 LeaveFunction(""); | 644 LeaveFunction(""); |
643 } | 645 } |
644 | 646 |
645 bool SSLClientSocketNSS::IsConnected() const { | 647 bool SSLClientSocketNSS::IsConnected() const { |
(...skipping 727 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1373 // so that we won't try to resume the non-client-authenticated session in | 1375 // so that we won't try to resume the non-client-authenticated session in |
1374 // the next handshake. This will cause the server to ask for a client | 1376 // the next handshake. This will cause the server to ask for a client |
1375 // cert again. | 1377 // cert again. |
1376 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) { | 1378 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) { |
1377 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); | 1379 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); |
1378 } | 1380 } |
1379 } else if (rv == SECSuccess) { | 1381 } else if (rv == SECSuccess) { |
1380 if (handshake_callback_called_) { | 1382 if (handshake_callback_called_) { |
1381 if (eset_mitm_detected_) { | 1383 if (eset_mitm_detected_) { |
1382 net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION; | 1384 net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION; |
1385 } else if (kaspersky_mitm_detected_) { | |
1386 net_error = ERR_KASPERSKY_ANTI_VIRUS_SSL_INTERCEPTION; | |
1383 } else { | 1387 } else { |
1384 // We need to see if the predicted certificate chain (in | 1388 // We need to see if the predicted certificate chain (in |
1385 // |ssl_host_info_->state().certs) matches the actual certificate chain | 1389 // |ssl_host_info_->state().certs) matches the actual certificate chain |
1386 // before we call SaveSSLHostInfo, as that will update | 1390 // before we call SaveSSLHostInfo, as that will update |
1387 // |ssl_host_info_|. | 1391 // |ssl_host_info_|. |
1388 if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty()) { | 1392 if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty()) { |
1389 PeerCertificateChain certs(nss_fd_); | 1393 PeerCertificateChain certs(nss_fd_); |
1390 const SSLHostInfo::State& state = ssl_host_info_->state(); | 1394 const SSLHostInfo::State& state = ssl_host_info_->state(); |
1391 predicted_cert_chain_correct_ = certs.size() == state.certs.size(); | 1395 predicted_cert_chain_correct_ = certs.size() == state.certs.size(); |
1392 if (predicted_cert_chain_correct_) { | 1396 if (predicted_cert_chain_correct_) { |
(...skipping 477 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1870 // forever. We detect ESET by the issuer of the leaf certificate and set a | 1874 // forever. We detect ESET by the issuer of the leaf certificate and set a |
1871 // flag to return a specific error, giving the user instructions for | 1875 // flag to return a specific error, giving the user instructions for |
1872 // reconfiguring ESET. | 1876 // reconfiguring ESET. |
1873 CERTCertificate* cert = SSL_PeerCertificate(that->nss_fd_); | 1877 CERTCertificate* cert = SSL_PeerCertificate(that->nss_fd_); |
1874 if (cert) { | 1878 if (cert) { |
1875 char* common_name = CERT_GetCommonName(&cert->issuer); | 1879 char* common_name = CERT_GetCommonName(&cert->issuer); |
1876 if (common_name) { | 1880 if (common_name) { |
1877 if (strcmp(common_name, "ESET_RootSslCert") == 0) | 1881 if (strcmp(common_name, "ESET_RootSslCert") == 0) |
1878 that->eset_mitm_detected_ = true; | 1882 that->eset_mitm_detected_ = true; |
1879 if (strcmp(common_name, | 1883 if (strcmp(common_name, |
1884 "Kaspersky Anti-Virus personal root certificate") == 0) { | |
1885 that->kaspersky_mitm_detected_ = true; | |
1886 } | |
wtc
2011/06/30 14:26:25
Nit: since disabling False Start doesn't help, it
agl
2011/07/01 14:34:42
Done. It's still within an #ifdef SSL_ENABLE_FALSE
| |
1887 if (strcmp(common_name, | |
1880 "ContentWatch Root Certificate Authority") == 0) { | 1888 "ContentWatch Root Certificate Authority") == 0) { |
1881 // This is NetNanny. NetNanny are updating their product so we | 1889 // This is NetNanny. NetNanny are updating their product so we |
1882 // silently disable False Start for now. | 1890 // silently disable False Start for now. |
1883 rv = SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE); | 1891 rv = SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE); |
1884 DCHECK_EQ(SECSuccess, rv); | 1892 DCHECK_EQ(SECSuccess, rv); |
1885 false_start = 0; | 1893 false_start = 0; |
1886 } | 1894 } |
1887 PORT_Free(common_name); | 1895 PORT_Free(common_name); |
1888 } | 1896 } |
1889 CERT_DestroyCertificate(cert); | 1897 CERT_DestroyCertificate(cert); |
(...skipping 355 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2245 valid_thread_id_ = base::PlatformThread::CurrentId(); | 2253 valid_thread_id_ = base::PlatformThread::CurrentId(); |
2246 } | 2254 } |
2247 | 2255 |
2248 bool SSLClientSocketNSS::CalledOnValidThread() const { | 2256 bool SSLClientSocketNSS::CalledOnValidThread() const { |
2249 EnsureThreadIdAssigned(); | 2257 EnsureThreadIdAssigned(); |
2250 base::AutoLock auto_lock(lock_); | 2258 base::AutoLock auto_lock(lock_); |
2251 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 2259 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
2252 } | 2260 } |
2253 | 2261 |
2254 } // namespace net | 2262 } // namespace net |
OLD | NEW |