OpenSSL: don't allow the server certificate to change during renegotiation.

net/socket/ssl_client_socket_openssl.h

Index: net/socket/ssl_client_socket_openssl.h
diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h
index 5f4800a08de3ee71114e706e43dfae353f0fb23a..916903eb3df0daf1433363b26b5fe289c0dde8c6 100644
--- a/net/socket/ssl_client_socket_openssl.h
+++ b/net/socket/ssl_client_socket_openssl.h
@@ -27,6 +27,8 @@ typedef struct evp_pkey_st EVP_PKEY;
 typedef struct ssl_st SSL;
 // <openssl/x509.h>
 typedef struct x509_st X509;
+// <openssl/ossl_type.h>
+typedef struct x509_store_ctx_st X509_STORE_CTX;
 
 namespace net {
 
@@ -131,6 +133,11 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
   // Channel IDs.
   void ChannelIDRequestCallback(SSL* ssl, EVP_PKEY** pkey);
 
+  // CertificateCallback is called to verify the server's certificates. We do
+  // verification after the handshake so this function only enforces that the
+  // certificates don't change during renegotiation.
+  int CertificateCallback(X509_STORE_CTX *store_ctx);

[wtc, 2014/02/27 22:12:07]

Nit: rename this function "VerifyCertCallback".

[agl, 2014/02/27 22:31:23]

Done.

+
   // Callback from the SSL layer to check which NPN protocol we are supporting
   int SelectNextProtoCallback(unsigned char** out, unsigned char* outlen,
                               const unsigned char* in, unsigned int inlen);