Detect Kaspersky SSL MITM and give a helpful error message.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 433 matching lines @@
       user_read_buf_len_(0),
       user_write_buf_len_(0),
       server_cert_nss_(NULL),
       server_cert_verify_result_(NULL),
       ssl_connection_status_(0),
       client_auth_cert_needed_(false),
       cert_verifier_(cert_verifier),
       handshake_callback_called_(false),
       completed_handshake_(false),
       eset_mitm_detected_(false),
+      kaspersky_mitm_detected_(false),
       predicted_cert_chain_correct_(false),
       next_handshake_state_(STATE_NONE),
       nss_fd_(NULL),
       nss_bufs_(NULL),
       net_log_(transport_socket->socket()->NetLog()),
       ssl_host_info_(ssl_host_info),
       dns_cert_checker_(dns_ctx),
       valid_thread_id_(base::kInvalidThreadId) {
   EnterFunction("");
 }
@@ skipping 173 matching lines @@
   server_cert_           = NULL;
   if (server_cert_nss_) {
     CERT_DestroyCertificate(server_cert_nss_);
     server_cert_nss_     = NULL;
   }
   local_server_cert_verify_result_.Reset();
   server_cert_verify_result_ = NULL;
   ssl_connection_status_ = 0;
   completed_handshake_   = false;
   eset_mitm_detected_    = false;
+  kaspersky_mitm_detected_ = false;
   start_cert_verification_time_ = base::TimeTicks();
   predicted_cert_chain_correct_ = false;
   nss_bufs_              = NULL;
   client_certs_.clear();
   client_auth_cert_needed_ = false;
 
   LeaveFunction("");
 }
 
 bool SSLClientSocketNSS::IsConnected() const {
@@ skipping 727 matching lines @@
     // so that we won't try to resume the non-client-authenticated session in
     // the next handshake.  This will cause the server to ask for a client
     // cert again.
     if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) {
       LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError();
     }
   } else if (rv == SECSuccess) {
     if (handshake_callback_called_) {
       if (eset_mitm_detected_) {
         net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION;
+      } else if (kaspersky_mitm_detected_) {
+        net_error = ERR_KASPERSKY_ANTI_VIRUS_SSL_INTERCEPTION;
       } else {
         // We need to see if the predicted certificate chain (in
         // |ssl_host_info_->state().certs) matches the actual certificate chain
         // before we call SaveSSLHostInfo, as that will update
         // |ssl_host_info_|.
         if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty()) {
           PeerCertificateChain certs(nss_fd_);
           const SSLHostInfo::State& state = ssl_host_info_->state();
           predicted_cert_chain_correct_ = certs.size() == state.certs.size();
           if (predicted_cert_chain_correct_) {
@@ skipping 462 matching lines @@
 #ifdef SSL_ENABLE_FALSE_START
   // In the event that we are False Starting this connection, we wish to send
   // out the Finished message and first application data record in the same
   // packet. This prevents non-determinism when talking to False Start
   // intolerant servers which, otherwise, might see the two messages in
   // different reads or not, depending on network conditions.
   PRBool false_start = 0;
   SECStatus rv = SSL_OptionGet(socket, SSL_ENABLE_FALSE_START, &false_start);
   DCHECK_EQ(SECSuccess, rv);
 
-  if (false_start) {
-    SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
+  SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
+  CERTCertificate* cert = SSL_PeerCertificate(that->nss_fd_);
+  if (cert) {
+    char* common_name = CERT_GetCommonName(&cert->issuer);
+    if (common_name) {
+      if (false_start && strcmp(common_name, "ESET_RootSslCert") == 0)
+        // ESET anti-virus is capable of intercepting HTTPS connections on
+        // Windows.  However, it is False Start intolerant and causes the
+        // connections to hang forever. We detect ESET by the issuer of the
+        // leaf certificate and set a flag to return a specific error, giving
+        // the user instructions for reconfiguring ESET.
+        that->eset_mitm_detected_ = true;
+      if (strcmp(common_name,
+                 "Kaspersky Anti-Virus personal root certificate") == 0) {
+        // Kaspersky has an unknown intolerance to our HTTPS handshakes and so
+        // we detect and give a more helpful error message.
+        that->kaspersky_mitm_detected_ = true;
+      }
+      if (false_start &&
+          strcmp(common_name, "ContentWatch Root Certificate Authority") == 0) {
+        // This is NetNanny. NetNanny are updating their product so we
+        // silently disable False Start for now.
+        rv = SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
+        DCHECK_EQ(SECSuccess, rv);
+        false_start = 0;
+      }
+      PORT_Free(common_name);
+    }
+    CERT_DestroyCertificate(cert);
+  }
 
-    // ESET anti-virus is capable of intercepting HTTPS connections on Windows.
-    // However, it is False Start intolerant and causes the connections to hang
-    // forever. We detect ESET by the issuer of the leaf certificate and set a
-    // flag to return a specific error, giving the user instructions for
-    // reconfiguring ESET.
-    CERTCertificate* cert = SSL_PeerCertificate(that->nss_fd_);
-    if (cert) {
-      char* common_name = CERT_GetCommonName(&cert->issuer);
-      if (common_name) {
-        if (strcmp(common_name, "ESET_RootSslCert") == 0)
-          that->eset_mitm_detected_ = true;
-        if (strcmp(common_name,
-                   "ContentWatch Root Certificate Authority") == 0) {
-          // This is NetNanny. NetNanny are updating their product so we
-          // silently disable False Start for now.
-          rv = SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
-          DCHECK_EQ(SECSuccess, rv);
-          false_start = 0;
-        }
-        PORT_Free(common_name);
-      }
-      CERT_DestroyCertificate(cert);
-    }
-
-    if (false_start && !that->handshake_callback_called_) {
-      that->corked_ = true;
-      that->uncork_timer_.Start(
-          base::TimeDelta::FromMilliseconds(kCorkTimeoutMs),
-          that, &SSLClientSocketNSS::UncorkAfterTimeout);
-    }
+  if (false_start && !that->handshake_callback_called_) {
+    that->corked_ = true;
+    that->uncork_timer_.Start(
+        base::TimeDelta::FromMilliseconds(kCorkTimeoutMs),
+        that, &SSLClientSocketNSS::UncorkAfterTimeout);
   }
 #endif
 
   // Tell NSS to not verify the certificate.
   return SECSuccess;
 }
 
 #if defined(NSS_PLATFORM_CLIENT_AUTH)
 // static
 // NSS calls this if a client certificate is needed.
@@ skipping 337 matching lines @@
   valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 }  // namespace net