OpenSSL: don't allow the server certificate to change during renegotiation.

This mirrors r229611, but for OpenSSL.

BUG=306959

Review URL: https://codereview.chromium.org/177143004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@254022 0039d316-1c4b-4281-b951-d872f2087c98
diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h
index 5f4800a0..0fc9cbe2 100644
--- a/net/socket/ssl_client_socket_openssl.h
+++ b/net/socket/ssl_client_socket_openssl.h
@@ -27,6 +27,8 @@
 typedef struct ssl_st SSL;
 // <openssl/x509.h>
 typedef struct x509_st X509;
+// <openssl/ossl_type.h>
+typedef struct x509_store_ctx_st X509_STORE_CTX;
 
 namespace net {
 
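Review bot: The comment above the new forward declaration names `<openssl/ossl_type.h>`, but the OpenSSL header that actually declares `X509_STORE_CTX` is `ossl_typ.h` (no "e"), so the comment should read `// <openssl/ossl_typ.h>`. The comment is informational only, but as written it points readers at a header that does not exist.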
@@ -131,6 +133,11 @@
   // Channel IDs.
   void ChannelIDRequestCallback(SSL* ssl, EVP_PKEY** pkey);
 
+  // CertVerifyCallback is called to verify the server's certificates. We do
+  // verification after the handshake so this function only enforces that the
+  // certificates don't change during renegotiation.
+  int CertVerifyCallback(X509_STORE_CTX *store_ctx);
+
   // Callback from the SSL layer to check which NPN protocol we are supporting
   int SelectNextProtoCallback(unsigned char** out, unsigned char* outlen,
                               const unsigned char* in, unsigned int inlen);
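Review bot: The comment on CertVerifyCallback does not state the return-value contract, which matters here because, by the comment's own description, a success return from this callback lets the handshake proceed without any trust decision having been made yet; suggest extending it with `// Returns 1 to let the handshake continue and 0 to abort it. A return of 1 does not mean` followed by `// the chain is trusted; trust is decided by the post-handshake verification.` The comment should also say what "don't change" compares — presumably the chain presented now against the one from the initial handshake, by certificate contents rather than `X509*` identity, with the first handshake (no prior chain) always accepted — but the definition is not in this diff, so that should be confirmed against the .cc before it is written down. Minor style point: the rest of this header writes `SSL* ssl` and `EVP_PKEY** pkey`, so `X509_STORE_CTX* store_ctx` would match. The enclosing class begins outside this hunk.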