Index: remoting/protocol/ssl_hmac_channel_authenticator.cc |
diff --git a/remoting/protocol/ssl_hmac_channel_authenticator.cc b/remoting/protocol/ssl_hmac_channel_authenticator.cc |
index e01998dbc172783905d34f5f4f3cd41891feba65..464aa1d994bae454383ee2eec87f68774e161f24 100644 |
--- a/remoting/protocol/ssl_hmac_channel_authenticator.cc |
+++ b/remoting/protocol/ssl_hmac_channel_authenticator.cc |
@@ -6,10 +6,13 @@ |
#include "base/bind.h" |
#include "base/bind_helpers.h" |
+#include "base/logging.h" |
#include "crypto/secure_util.h" |
#include "net/base/host_port_pair.h" |
#include "net/base/io_buffer.h" |
#include "net/base/net_errors.h" |
+#include "net/cert/cert_status_flags.h" |
+#include "net/cert/cert_verifier.h" |
#include "net/cert/x509_certificate.h" |
#include "net/http/transport_security_state.h" |
#include "net/socket/client_socket_factory.h" |
@@ -24,6 +27,34 @@ |
namespace remoting { |
namespace protocol { |
+namespace { |
+ |
+// A CertVerifier which rejects every certificate. |
+class FailingCertVerifier : public net::CertVerifier { |
+ public: |
+ FailingCertVerifier() {} |
+ ~FailingCertVerifier() override {} |
+ |
+ int Verify(net::X509Certificate* cert, |
+ const std::string& hostname, |
+ int flags, |
+ net::CRLSet* crl_set, |
+ net::CertVerifyResult* verify_result, |
+ const net::CompletionCallback& callback, |
+ RequestHandle* out_req, |
+ const net::BoundNetLog& net_log) override { |
+ verify_result->verified_cert = cert; |
+ verify_result->cert_status = net::CERT_STATUS_INVALID; |
+ return net::ERR_CERT_INVALID; |
+ } |
+ |
+ void CancelRequest(RequestHandle req) override { |
+ NOTIMPLEMENTED(); |
+ } |
+}; |
+ |
+} // namespace |
+ |
// static |
scoped_ptr<SslHmacChannelAuthenticator> |
SslHmacChannelAuthenticator::CreateForClient( |
@@ -95,6 +126,7 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate( |
#endif |
} else { |
transport_security_state_.reset(new net::TransportSecurityState); |
+ cert_verifier_.reset(new FailingCertVerifier); |
Sergey Ulanov
2015/04/24 00:34:45
On the client side we actually don't care about th
davidben
2015/04/24 20:52:44
Leaving as-is per offline discussion.
|
net::SSLConfig::CertAndStatus cert_and_status; |
cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; |
@@ -112,6 +144,7 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate( |
net::HostPortPair host_and_port(kSslFakeHostName, 0); |
net::SSLClientSocketContext context; |
context.transport_security_state = transport_security_state_.get(); |
+ context.cert_verifier = cert_verifier_.get(); |
scoped_ptr<net::ClientSocketHandle> socket_handle( |
new net::ClientSocketHandle); |
socket_handle->SetSocket(socket.Pass()); |