From 370133c17a8f775a5497a832b892e3b01e159fbd Mon Sep 17 00:00:00 2001
From: "sergeyu@chromium.org"
Date: Mon, 16 Jul 2012 20:58:20 +0000
Subject: Enable HSTS for XMPP connection used by Chromoting

Chromoting host uses XMPP connection encrypted with SSL to connect to talk.google.com. Previously it was accepting any certificate signed by a known CA. Updating SSL adapter code to enable HSTS code, so that only limited set of CA's is accepted for the XMPP connection.

BUG=132884
Review URL: https://chromiumcodereview.appspot.com/10787009

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@146876 0039d316-1c4b-4281-b951-d872f2087c98
---
 remoting/jingle_glue/ssl_socket_adapter.cc | 6 ++++--
 remoting/jingle_glue/ssl_socket_adapter.h  | 2 ++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/remoting/jingle_glue/ssl_socket_adapter.cc b/remoting/jingle_glue/ssl_socket_adapter.cc
index 33b04d3..4ff09a5c9 100644
--- a/remoting/jingle_glue/ssl_socket_adapter.cc
+++ b/remoting/jingle_glue/ssl_socket_adapter.cc
@@ -13,6 +13,7 @@
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
 #include "net/base/ssl_config_service.h"
+#include "net/base/transport_security_state.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/url_request/url_request_context.h"
 
@@ -26,6 +27,7 @@ SSLSocketAdapter::SSLSocketAdapter(AsyncSocket* socket)
     : SSLAdapter(socket),
       ignore_bad_cert_(false),
       cert_verifier_(net::CertVerifier::CreateDefault()),
+      transport_security_state_(new net::TransportSecurityState()),
       ssl_state_(SSLSTATE_NONE),
       read_pending_(false),
       write_pending_(false) {
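Review bot: The new initializer `transport_security_state_(new net::TransportSecurityState())` creates a state object that is private to this adapter and, as far as this hunk shows, is never loaded from any persisted store, so the CA restriction the commit message describes can presumably only come from entries compiled into TransportSecurityState itself; that assumption deserves a comment next to the initializer, e.g. `// Fresh, unpersisted state: HSTS/pin enforcement for the XMPP host relies on the built-in preloaded entries only (verify).` The `ignore_bad_cert_(false)` initializer two lines above is worth a second look as well: if that flag is honored on the certificate-verification path (outside this hunk), confirm it cannot also bypass the pin check, otherwise the new restriction is only as strong as that flag. The constructor body continues outside the hunk.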
@@ -61,8 +63,8 @@ int SSLSocketAdapter::BeginSSL() {
   // are correct for us, so we don't use the config service to initialize this
   // object.
   net::SSLConfig ssl_config;
-  net::SSLClientSocketContext context;
-  context.cert_verifier = cert_verifier_.get();
+  net::SSLClientSocketContext context(
+      cert_verifier_.get(), NULL, transport_security_state_.get(), "");
 
   transport_socket_->set_addr(talk_base::SocketAddress(hostname_, 0));
   ssl_socket_.reset(
diff --git a/remoting/jingle_glue/ssl_socket_adapter.h b/remoting/jingle_glue/ssl_socket_adapter.h
index 9d32911..c95ac3a 100644
--- a/remoting/jingle_glue/ssl_socket_adapter.h
+++ b/remoting/jingle_glue/ssl_socket_adapter.h
@@ -17,6 +17,7 @@
 
 namespace net {
 class CertVerifier;
+class TransportSecurityState;
 } // namespace net
 
 namespace remoting {
@@ -136,6 +137,7 @@ class SSLSocketAdapter : public talk_base::SSLAdapter {
   // |cert_verifier_| must be defined before |ssl_socket_|, so that
   // it's destroyed after |ssl_socket_|.
   scoped_ptr cert_verifier_;
+  scoped_ptr transport_security_state_;
   scoped_ptr ssl_socket_;
   SSLState ssl_state_;
 
-- 
cgit v1.1
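Review bot: The rewritten `net::SSLClientSocketContext context(cert_verifier_.get(), NULL, transport_security_state_.get(), "");` passes two positional arguments (`NULL` and `""`) whose meaning is not readable at the call site, and a reader checking what this connection enforces has to look up the constructor to learn that no server-bound-cert service and no session-cache shard are supplied; a short comment above the call would fix that, e.g. `// Only certificate verification and transport-security (HSTS/pin) state are wired in; no ServerBoundCertService and no session-cache shard.` Since `ssl_socket_.reset(` a few lines down builds the socket from this context, the socket presumably keeps raw pointers to both members, so the lifetime comment in the header should be kept in step with this call. BeginSSL() starts and ends outside the hunk.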
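Review bot: The member-ordering comment above `scoped_ptr cert_verifier_;` still names only `cert_verifier_`, yet the newly inserted `transport_security_state_` member is subject to the same constraint: the socket context built in BeginSSL() takes `transport_security_state_.get()`, so it must outlive `ssl_socket_` exactly as `cert_verifier_` must. The placement between the two is correct; update the comment so the next person who reorders members sees both, e.g. `// |cert_verifier_| and |transport_security_state_| must be defined before |ssl_socket_|, so that they are destroyed after |ssl_socket_|.` The class body continues outside the hunk.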