Pass in a non-null CertVerifier into SSLClientSocket.

remoting/protocol/ssl_hmac_channel_authenticator.cc

Index: remoting/protocol/ssl_hmac_channel_authenticator.cc
diff --git a/remoting/protocol/ssl_hmac_channel_authenticator.cc b/remoting/protocol/ssl_hmac_channel_authenticator.cc
index e01998dbc172783905d34f5f4f3cd41891feba65..464aa1d994bae454383ee2eec87f68774e161f24 100644
--- a/remoting/protocol/ssl_hmac_channel_authenticator.cc
+++ b/remoting/protocol/ssl_hmac_channel_authenticator.cc
@@ -6,10 +6,13 @@
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
+#include "base/logging.h"
 #include "crypto/secure_util.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
+#include "net/cert/cert_status_flags.h"
+#include "net/cert/cert_verifier.h"
 #include "net/cert/x509_certificate.h"
 #include "net/http/transport_security_state.h"
 #include "net/socket/client_socket_factory.h"
@@ -24,6 +27,34 @@
 namespace remoting {
 namespace protocol {
 
+namespace {
+
+// A CertVerifier which rejects every certificate.
+class FailingCertVerifier : public net::CertVerifier {
+ public:
+  FailingCertVerifier() {}
+  ~FailingCertVerifier() override {}
+
+  int Verify(net::X509Certificate* cert,
+             const std::string& hostname,
+             int flags,
+             net::CRLSet* crl_set,
+             net::CertVerifyResult* verify_result,
+             const net::CompletionCallback& callback,
+             RequestHandle* out_req,
+             const net::BoundNetLog& net_log) override {
+    verify_result->verified_cert = cert;
+    verify_result->cert_status = net::CERT_STATUS_INVALID;
+    return net::ERR_CERT_INVALID;
+  }
+
+  void CancelRequest(RequestHandle req) override {
+    NOTIMPLEMENTED();
+  }
+};
+
+}  // namespace
+
 // static
 scoped_ptr<SslHmacChannelAuthenticator>
 SslHmacChannelAuthenticator::CreateForClient(
@@ -95,6 +126,7 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate(
 #endif
   } else {
     transport_security_state_.reset(new net::TransportSecurityState);
+    cert_verifier_.reset(new FailingCertVerifier);

[Sergey Ulanov, 2015/04/24 00:34:45]

On the client side we actually don't care about the cert received from the host.
SSL here is used for encryption/key exchange, but not authentication.
Authentication is based on the extra layer that exchanges HMAC tokens based on
the keys extracted from the negotiated SSL master key and a shared key (which
exchanged prior to establishing SSL connection). So instead of
FailingCertVerifier we need a CertVerifier that accepts any certs.

Currently it works by adding remote_cert_ to ssl_config.allowed_bad_certs. The
(ugly) reason it was implemented this way instead of creating a special
CertVerifier is because net::X509Certificate* can't be created in the renderer
sandbox (because it depends on system APIs that don't work in sandbox) and this
code runs in sandbox. In other words CertVerifier is not useful here because
X509Certificate creation normally fails - that's the reason we never bothered
creating CertVerifier here. It will not be a problem in the future after we
finished migrating to PNaCl (net::X509Certificate works properly in PNaCl
sandbox as it doesn't depend on system APIs in that case), at which point it
will be possible to remove the allowed_bad_certs hack, but we will want
CertVerifier that accept all certs for that.

Also we are planning to migrate to QUIC, and so this file will be removed
completely in the future.

[davidben, 2015/04/24 20:52:44]

Leaving as-is per offline discussion.

 
     net::SSLConfig::CertAndStatus cert_and_status;
     cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID;
@@ -112,6 +144,7 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate(
     net::HostPortPair host_and_port(kSslFakeHostName, 0);
     net::SSLClientSocketContext context;
     context.transport_security_state = transport_security_state_.get();
+    context.cert_verifier = cert_verifier_.get();
     scoped_ptr<net::ClientSocketHandle> socket_handle(
         new net::ClientSocketHandle);
     socket_handle->SetSocket(socket.Pass());