| Index: remoting/protocol/ssl_hmac_channel_authenticator.cc
|
| diff --git a/remoting/protocol/ssl_hmac_channel_authenticator.cc b/remoting/protocol/ssl_hmac_channel_authenticator.cc
|
| index e01998dbc172783905d34f5f4f3cd41891feba65..464aa1d994bae454383ee2eec87f68774e161f24 100644
|
| --- a/remoting/protocol/ssl_hmac_channel_authenticator.cc
|
| +++ b/remoting/protocol/ssl_hmac_channel_authenticator.cc
|
| @@ -6,10 +6,13 @@
|
|
|
| #include "base/bind.h"
|
| #include "base/bind_helpers.h"
|
| +#include "base/logging.h"
|
| #include "crypto/secure_util.h"
|
| #include "net/base/host_port_pair.h"
|
| #include "net/base/io_buffer.h"
|
| #include "net/base/net_errors.h"
|
| +#include "net/cert/cert_status_flags.h"
|
| +#include "net/cert/cert_verifier.h"
|
| #include "net/cert/x509_certificate.h"
|
| #include "net/http/transport_security_state.h"
|
| #include "net/socket/client_socket_factory.h"
|
| @@ -24,6 +27,34 @@
|
| namespace remoting {
|
| namespace protocol {
|
|
|
| +namespace {
|
| +
|
| +// A CertVerifier which rejects every certificate.
|
| +class FailingCertVerifier : public net::CertVerifier {
|
| + public:
|
| + FailingCertVerifier() {}
|
| + ~FailingCertVerifier() override {}
|
| +
|
| + int Verify(net::X509Certificate* cert,
|
| + const std::string& hostname,
|
| + int flags,
|
| + net::CRLSet* crl_set,
|
| + net::CertVerifyResult* verify_result,
|
| + const net::CompletionCallback& callback,
|
| + RequestHandle* out_req,
|
| + const net::BoundNetLog& net_log) override {
|
| + verify_result->verified_cert = cert;
|
| + verify_result->cert_status = net::CERT_STATUS_INVALID;
|
| + return net::ERR_CERT_INVALID;
|
| + }
|
| +
|
| + void CancelRequest(RequestHandle req) override {
|
| + NOTIMPLEMENTED();
|
| + }
|
| +};
|
| +
|
| +} // namespace
|
| +
|
| // static
|
| scoped_ptr<SslHmacChannelAuthenticator>
|
| SslHmacChannelAuthenticator::CreateForClient(
|
| @@ -95,6 +126,7 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate(
|
| #endif
|
| } else {
|
| transport_security_state_.reset(new net::TransportSecurityState);
|
| + cert_verifier_.reset(new FailingCertVerifier);
|
|
|
| net::SSLConfig::CertAndStatus cert_and_status;
|
| cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID;
|
| @@ -112,6 +144,7 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate(
|
| net::HostPortPair host_and_port(kSslFakeHostName, 0);
|
| net::SSLClientSocketContext context;
|
| context.transport_security_state = transport_security_state_.get();
|
| + context.cert_verifier = cert_verifier_.get();
|
| scoped_ptr<net::ClientSocketHandle> socket_handle(
|
| new net::ClientSocketHandle);
|
| socket_handle->SetSocket(socket.Pass());
|
|
|
Chromium Code Reviews
Issue 1080593003:
Pass in a non-null CertVerifier into SSLClientSocket. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@boringnss