OpenSSL: don't allow the server certificate to change during renegotiation.

net/socket/ssl_client_socket_openssl.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
 #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
 
 #include <string>
 
 #include "base/compiler_specific.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/weak_ptr.h"
 #include "net/base/completion_callback.h"
 #include "net/base/io_buffer.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/ssl/server_bound_cert_service.h"
 #include "net/ssl/ssl_config_service.h"
 
 // Avoid including misc OpenSSL headers, i.e.:
 // <openssl/bio.h>
 typedef struct bio_st BIO;
 // <openssl/evp.h>
 typedef struct evp_pkey_st EVP_PKEY;
 // <openssl/ssl.h>
 typedef struct ssl_st SSL;
 // <openssl/x509.h>
 typedef struct x509_st X509;
+// <openssl/ossl_type.h>
+typedef struct x509_store_ctx_st X509_STORE_CTX;
 
 namespace net {
 
 class CertVerifier;
 class SingleRequestCertVerifier;
 class SSLCertRequestInfo;
 class SSLInfo;
 
 // An SSL client socket implemented with OpenSSL.
 class SSLClientSocketOpenSSL : public SSLClientSocket {
@@ skipping 84 matching lines @@
   int TransportReadComplete(int result);
 
   // Callback from the SSL layer that indicates the remote server is requesting
   // a certificate for this client.
   int ClientCertRequestCallback(SSL* ssl, X509** x509, EVP_PKEY** pkey);
 
   // Callback from the SSL layer that indicates the remote server supports TLS
   // Channel IDs.
   void ChannelIDRequestCallback(SSL* ssl, EVP_PKEY** pkey);
 
+  // CertificateCallback is called to verify the server's certificates. We do
+  // verification after the handshake so this function only enforces that the
+  // certificates don't change during renegotiation.
+  int CertificateCallback(X509_STORE_CTX *store_ctx);

[wtc, 2014/02/27 22:12:07]

Nit: rename this function "VerifyCertCallback".

[agl, 2014/02/27 22:31:23]

Done.

+
   // Callback from the SSL layer to check which NPN protocol we are supporting
   int SelectNextProtoCallback(unsigned char** out, unsigned char* outlen,
                               const unsigned char* in, unsigned int inlen);
 
   bool transport_send_busy_;
   bool transport_recv_busy_;
   bool transport_recv_eof_;
 
   scoped_refptr<DrainableIOBuffer> send_buffer_;
   scoped_refptr<IOBuffer> recv_buffer_;
@@ skipping 75 matching lines @@
   // True if channel ID extension was negotiated.
   bool channel_id_xtn_negotiated_;
   // The request handle for |server_bound_cert_service_|.
   ServerBoundCertService::RequestHandle channel_id_request_handle_;
   BoundNetLog net_log_;
 };
 
 }  // namespace net
 
 #endif  // NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_