Add Certificate Transparency logs auditing

components/certificate_transparency/single_tree_tracker.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/certificate_transparency/single_tree_tracker.h"
 
+#include <algorithm>
+#include <iterator>
+#include <list>
 #include <utility>
 
+#include "base/bind.h"
 #include "base/metrics/histogram_macros.h"
+#include "components/certificate_transparency/log_dns_client.h"
+#include "crypto/sha2.h"
+#include "net/base/hash_value.h"
+#include "net/base/net_errors.h"
 #include "net/cert/ct_log_verifier.h"
+#include "net/cert/merkle_audit_proof.h"
+#include "net/cert/merkle_tree_leaf.h"
 #include "net/cert/signed_certificate_timestamp.h"
 #include "net/cert/x509_certificate.h"
 
+using net::SHA256HashValue;
+using net::ct::LogEntry;
+using net::ct::MerkleTreeLeaf;
+using net::ct::SignedCertificateTimestamp;
 using net::ct::SignedTreeHead;
 
 namespace {
 
 // Enum indicating whether an SCT can be checked for inclusion and if not,
 // the reason it cannot.
 //
 // Note: The numeric values are used within a histogram and should not change
 // or be re-assigned.
 enum SCTCanBeCheckedForInclusion {
   // If the SingleTreeTracker does not have a valid STH, then a valid STH is
   // first required to evaluate whether the SCT can be checked for inclusion
   // or not.
   VALID_STH_REQUIRED = 0,
   // If the STH does not cover the SCT (the timestamp in the SCT is greater than
   // MMD + timestamp in the STH), then a newer STH is needed.
   NEWER_STH_REQUIRED = 1,
   // When an SCT is observed, if the SingleTreeTracker instance has a valid STH
   // and the STH covers the SCT (the timestamp in the SCT is less than MMD +
   // timestamp in the STH), then it can be checked for inclusion.
   CAN_BE_CHECKED = 2,
+  // This SCT was not audited because the queue of pending entries was
+  // full.
+  NOT_AUDITED_QUEUE_FULL = 3,
   SCT_CAN_BE_CHECKED_MAX
 };
 
 // Measure how often clients encounter very new SCTs, by measuring whether an
 // SCT can be checked for inclusion upon first observation.
 void LogCanBeCheckedForInclusionToUMA(
     SCTCanBeCheckedForInclusion can_be_checked) {
   UMA_HISTOGRAM_ENUMERATION("Net.CertificateTransparency.CanInclusionCheckSCT",
                             can_be_checked, SCT_CAN_BE_CHECKED_MAX);
 }
 
+// Enum indicating the outcome of an inclusion check for a particular log
+// entry.
+//
+// Note: The numeric values are used within a histogram and should not change
+// or be re-assigned.
+enum LogEntryInclusionCheckResult {
+  // Inclusion check succeeded: Proof obtained and validated successfully.
+  GOT_VALID_INCLUSION_PROOF = 0,
+  // Could not get an inclusion proof.
+  FAILED_GETTING_INCLUSION_PROOF = 1,
+  // An inclusion proof was obtained but it is invalid.
+  GOT_INVALID_INCLUSION_PROOF = 2,
+  // The SCT could not be audited because the client's DNS configuration
+  // is faulty.
+  DNS_QUERY_NOT_POSSIBLE = 3,
+  LOG_ENTRY_INCLUSION_CHECK_RESULT_MAX
+};
+
+void LogInclusionCheckResult(LogEntryInclusionCheckResult result) {
+  UMA_HISTOGRAM_ENUMERATION("Net.CertificateTransparency.InclusionCheckResult",
+                            result, LOG_ENTRY_INCLUSION_CHECK_RESULT_MAX);
+}
+
+// Calculate the leaf hash of the the entry in the log represented by
+// the given |cert| and |sct|. If leaf hash calculation succeeds returns
+// true, false otherwise.
+bool GetLogEntryLeafHash(const net::X509Certificate* cert,
+                         const SignedCertificateTimestamp* sct,
+                         SHA256HashValue* leaf_hash) {
+  MerkleTreeLeaf leaf;
+  if (!GetMerkleTreeLeaf(cert, sct, &leaf))
+    return false;
+
+  std::string leaf_hash_str;
+  if (!HashMerkleTreeLeaf(leaf, &leaf_hash_str))
+    return false;
+
+  DCHECK(leaf_hash_str.size() == crypto::kSHA256Length);

[Ryan Sleevi, 2016/11/14 05:03:28]

1) Why not DCHECK_EQ
2) Is DCHECK vs CHECK the right answer, given the memcpy below?

[Eran Messeri, 2016/11/16 14:24:10]

(1) Done
(2) Switched to CHECK, good point.

+  memcpy(leaf_hash->data, leaf_hash_str.data(), crypto::kSHA256Length);
+  return true;
+}
+
+// Audit state of a log entry.
+enum AuditState {
+  // Entry cannot be audited because a newer STH is needed.
+  PENDING_NEWER_STH,
+  // A leaf index has been obtained and the entry is now pending request
+  // of an inclusion proof.
+  PENDING_INCLUSION_PROOF_REQUEST,
+  // An inclusion proof for this entry has been requested from the log.
+  INCLUSION_PROOF_REQUESTED
+};
+
+// Maximal size of the checked entries cache.
+size_t kCheckedEntriesCacheSize = 100;
+
+// Maximal size of the pending entries queue.
+size_t kPendingEntriesQueueSize = 100;
+
+// Maximum Merge Delay - logs can have individual MMD, but all known logs
+// currently have 24 hours MMD and Chrome's CT policy requires an MMD
+// that's no greater than that. For simplicity, use 24 hours for all logs.
+constexpr base::TimeDelta kMaximumMergeDelay = base::TimeDelta::FromHours(24);
+
+// The log MUST incorporate the a certificate in the tree within the Maximum
+// Merge Delay, so an entry can be audited once the timestamp from the SCT +
+// MMD has passed.
+// Returns true if the timestamp from the STH is newer than SCT timestamp + MMD.
+bool IsSCTReadyForAudit(base::Time sth_timestamp, base::Time sct_timestamp) {
+  return sct_timestamp + kMaximumMergeDelay < sth_timestamp;
+}
+
 }  // namespace
 
 namespace certificate_transparency {
+// The entry that is being audited. Immutable - once created, the entry
+// to audit does not change.
+struct SingleTreeTracker::EntryToAudit {
+  base::Time sct_timestamp;
+  SHA256HashValue leaf_hash;
+
+  EntryToAudit(base::Time timestamp) : sct_timestamp(timestamp) {}

[Ryan Sleevi, 2016/11/14 05:03:27]

explicit? Necessary?

[Eran Messeri, 2016/11/16 14:24:10]

Done, added.
Not essential, but spares setting it after creating the object (since it's
pointless to create an EntryToAudit instance that does not relate to a specific
entry, already known at the time of instantiation of the EntryToAudit entry).

+};
+
+// State of a log entry: its audit state and information necessary to
+// validate an inclusion proof. Gets updated as the entry transitions
+// between the different audit states.
+struct SingleTreeTracker::EntryAuditState {
+  // Current phase of inclusion check.
+  AuditState state;
+  // The proof to be filled in by the LogDnsClient
+  net::ct::MerkleAuditProof proof;
+  // The root hash of the tree for which an inclusion proof was requested.
+  // The root hash is needed after the inclusion proof is fetched for validating
+  // the inclusion proof (each inclusion proof is valid for one particular leaf,
+  // denoted by the leaf index, in exactly one particular tree, denoted by the
+  // tree size in the proof).
+  // To avoid having to re-fetch the inclusion proof if a newer STH is provided
+  // to the SingleTreeTracker, the size of the original tree for which the
+  // inclusion proof was requested is stored in |proof| and the root hash
+  // in |root_hash|.
+  std::string root_hash;
+
+  EntryAuditState(AuditState state) : state(state) {}

[Ryan Sleevi, 2016/11/14 05:03:28]

explicit? Necessary?

[Eran Messeri, 2016/11/16 14:24:10]

Done, added.
Same as above, not absolutely necessary but means instances can be created
in-line.

+};
+
+// Orders entries by the SCT timestamp. In case of tie, which is very unlikely
+// as it requires two SCTs issued from a log at exactly the same time, order
+// by leaf hash.
+bool SingleTreeTracker::OrderByTimestamp::operator()(
+    const EntryToAudit& lhs,
+    const EntryToAudit& rhs) const {
+  if (lhs.sct_timestamp != rhs.sct_timestamp)
+    return lhs.sct_timestamp < rhs.sct_timestamp;
+
+  return net::SHA256HashValueLessThan()(lhs.leaf_hash, rhs.leaf_hash);
+}
 
 SingleTreeTracker::SingleTreeTracker(
-    scoped_refptr<const net::CTLogVerifier> ct_log)
-    : ct_log_(std::move(ct_log)) {}
+    scoped_refptr<const net::CTLogVerifier> ct_log,
+    LogDnsClient* dns_client)
+    : ct_log_(std::move(ct_log)),
+      checked_entries_(kCheckedEntriesCacheSize),
+      dns_client_(dns_client),
+      weak_factory_(this) {
+  memory_pressure_listener_.reset(new base::MemoryPressureListener(base::Bind(
+      &SingleTreeTracker::OnMemoryPressure, base::Unretained(this))));

[Ryan Sleevi, 2016/11/14 05:03:28]

Are you guaranteed this is safe? That is, I can't see any documentation in
https://cs.chromium.org/chromium/src/base/memory/memory_pressure_listener.h?r...
that suggests base::Unretained() is safe here - that you won't have a pending
PostTask floating out there.

[Eran Messeri, 2016/11/16 14:24:10]

Switched to using a weakptr. The use of base::Unretained is the pattern I saw,
so I assumed it's safe (I don't see *any* other way it's called:
https://cs.chromium.org/search/?q=%22new+base::MemoryPressureListener%22&sq=p...)

[Ryan Sleevi, 2016/12/14 01:34:15]

Apologies for not providing better guidance. While I think a WeakPtr is 'safe'
to use here (e.g. it reflects the uncertainty), my hope was that it would have
been pushed to 'upstream'. That is, if upstream already guarantees it's safe, if
it's a pattern used by other code, then the only 'issue' here is just that the
header didn't document it as safe.

In that case, the response could have been "Yes, it's safe, but I see that's not
clear, so I'll submit a CL to update the documentation of
MemoryPressureListener". Or "Yes, it's safe, you can see this pattern in
[X]/[Y]"

+}
 
 SingleTreeTracker::~SingleTreeTracker() {}
 
 void SingleTreeTracker::OnSCTVerified(
     net::X509Certificate* cert,
     const net::ct::SignedCertificateTimestamp* sct) {
   DCHECK_EQ(ct_log_->key_id(), sct->log_id);
 
-  // SCT was previously observed, so its status should not be changed.
-  if (entries_status_.find(sct->timestamp) != entries_status_.end())
+  EntryToAudit entry(sct->timestamp);
+  if (!GetLogEntryLeafHash(cert, sct, &entry.leaf_hash))
     return;
 
+  // Avoid queueing multiple instances of the same entry.
+  if (GetLogEntryInclusionStatus(entry) != SCT_NOT_OBSERVED)
+    return;
+
+  if (pending_entries_.size() >= kPendingEntriesQueueSize) {
+    // Queue is full - cannot audit SCT.
+    LogCanBeCheckedForInclusionToUMA(NOT_AUDITED_QUEUE_FULL);
+    return;
+  }
+
   // If there isn't a valid STH or the STH is not fresh enough to check
   // inclusion against, store the SCT for future checking and return.
   if (verified_sth_.timestamp.is_null() ||
-      (verified_sth_.timestamp <
-       (sct->timestamp + base::TimeDelta::FromHours(24)))) {
-    entries_status_.insert(
-        std::make_pair(sct->timestamp, SCT_PENDING_NEWER_STH));
+      !IsSCTReadyForAudit(verified_sth_.timestamp, entry.sct_timestamp)) {
+    pending_entries_.insert(
+        std::make_pair(std::move(entry), EntryAuditState(PENDING_NEWER_STH)));
 
-    if (!verified_sth_.timestamp.is_null()) {
+    if (verified_sth_.timestamp.is_null()) {
+      LogCanBeCheckedForInclusionToUMA(VALID_STH_REQUIRED);
+    } else {
       LogCanBeCheckedForInclusionToUMA(NEWER_STH_REQUIRED);
-    } else {
-      LogCanBeCheckedForInclusionToUMA(VALID_STH_REQUIRED);
     }
+  } else {

[Ryan Sleevi, 2016/11/14 05:03:28]

Should these } else { have short-circuited returns?

That is

  if (verified_sth_...) {
    ...
  } else {
    ...
  }
  return;
}

LogCanBeChecked...
...
ProcessPendingEntries();

[Eran Messeri, 2016/11/16 14:24:10]

Done.

+    LogCanBeCheckedForInclusionToUMA(CAN_BE_CHECKED);
+    pending_entries_.insert(std::make_pair(
+        std::move(entry), EntryAuditState(PENDING_INCLUSION_PROOF_REQUEST)));
 
-    return;
+    ProcessPendingEntries();
   }
-
-  LogCanBeCheckedForInclusionToUMA(CAN_BE_CHECKED);
-  // TODO(eranm): Check inclusion here.
-  entries_status_.insert(
-      std::make_pair(sct->timestamp, SCT_PENDING_INCLUSION_CHECK));
 }
 
 void SingleTreeTracker::NewSTHObserved(const SignedTreeHead& sth) {
   DCHECK_EQ(ct_log_->key_id(), sth.log_id);
 
   if (!ct_log_->VerifySignedTreeHead(sth)) {
     // Sanity check the STH; the caller should have done this
     // already, but being paranoid here.
     // NOTE(eranm): Right now there's no way to get rid of this check here
     // as this is the first object in the chain that has an instance of
     // a CTLogVerifier to verify the STH.
     return;
   }
 
   // In order to avoid updating |verified_sth_| to an older STH in case
   // an older STH is observed, check that either the observed STH is for
   // a larger tree size or that it is for the same tree size but has
   // a newer timestamp.
   const bool sths_for_same_tree = verified_sth_.tree_size == sth.tree_size;
   const bool received_sth_is_for_larger_tree =
-      (verified_sth_.tree_size > sth.tree_size);
+      (verified_sth_.tree_size < sth.tree_size);
   const bool received_sth_is_newer = (sth.timestamp > verified_sth_.timestamp);
 
-  if (verified_sth_.timestamp.is_null() || received_sth_is_for_larger_tree ||
-      (sths_for_same_tree && received_sth_is_newer)) {
-    verified_sth_ = sth;
+  if (!verified_sth_.timestamp.is_null() && !received_sth_is_for_larger_tree &&
+      !(sths_for_same_tree && received_sth_is_newer)) {
+    // Observed an old STH - do nothing.
+    return;
   }
 
-  // Find out which SCTs can now be checked for inclusion.
-  // TODO(eranm): Keep two maps of MerkleTreeLeaf instances, one for leaves
-  // pending inclusion checks and one for leaves pending a new STH.
-  // The comparison function between MerkleTreeLeaf instances should use the
-  // timestamp to determine sorting order, so that bulk moving from one
-  // map to the other can happen.
-  auto entry = entries_status_.begin();
-  while (entry != entries_status_.end() &&
-         entry->first < verified_sth_.timestamp) {
-    entry->second = SCT_PENDING_INCLUSION_CHECK;
-    ++entry;
-    // TODO(eranm): Check inclusion here.
+  verified_sth_ = sth;
+
+  // Find the first entry in the PENDING_NEWER_STH state - entries
+  // before that should be pending leaf index / inclusion proof, no
+  // reason to inspect them.
+  auto first_entry_to_audit = std::find_if(
+      pending_entries_.begin(), pending_entries_.end(),
+      [](std::pair<const EntryToAudit&, const EntryAuditState&> value) {
+        return value.second.state == PENDING_NEWER_STH;
+      });
+
+  // Find where to stop - this is the first entry whose timestamp + MMD
+  // is greater than the STH's timestamp.
+  auto entry_to_stop_at = std::lower_bound(
+      first_entry_to_audit, pending_entries_.end(), sth.timestamp,
+      [](std::pair<const EntryToAudit&, const EntryAuditState&> value,
+         base::Time sth_timestamp) {
+        return IsSCTReadyForAudit(sth_timestamp, value.first.sct_timestamp);
+      });
+
+  // Update the state of all entries that can now be checked for inclusion.
+  for (auto curr_entry = first_entry_to_audit; curr_entry != entry_to_stop_at;
+       ++curr_entry) {
+    DCHECK(curr_entry->second.state == PENDING_NEWER_STH);
+    curr_entry->second.state = PENDING_INCLUSION_PROOF_REQUEST;
   }
+
+  ProcessPendingEntries();
 }
 
 SingleTreeTracker::SCTInclusionStatus
 SingleTreeTracker::GetLogEntryInclusionStatus(
     net::X509Certificate* cert,
     const net::ct::SignedCertificateTimestamp* sct) {
-  auto it = entries_status_.find(sct->timestamp);
+  EntryToAudit entry(sct->timestamp);
+  if (!GetLogEntryLeafHash(cert, sct, &entry.leaf_hash))
+    return SCT_NOT_OBSERVED;
+  return GetLogEntryInclusionStatus(entry);
+}
 
-  return it == entries_status_.end() ? SCT_NOT_OBSERVED : it->second;
+void SingleTreeTracker::ProcessPendingEntries() {
+  auto it = pending_entries_.begin();
+  while (it != pending_entries_.end()) {

[Ryan Sleevi, 2016/11/14 05:03:28]

DANGER: Why a while loop versus a for loop? It seems like you could do the for
loop, which at least provides better ease at reasoning about the termination of
this loop eventually happening.

[Eran Messeri, 2016/11/16 14:24:10]

Done - switched to a for loop.

+    if (it->second.state == PENDING_INCLUSION_PROOF_REQUEST) {
+      it->second.root_hash =
+          std::string(verified_sth_.sha256_root_hash, crypto::kSHA256Length);
+
+      std::string leaf_hash(
+          reinterpret_cast<const char*>(it->first.leaf_hash.data),
+          crypto::kSHA256Length);
+      net::Error result = dns_client_->QueryAuditProof(
+          ct_log_->dns_domain(), leaf_hash, verified_sth_.tree_size,
+          &(it->second.proof),
+          base::Bind(&SingleTreeTracker::OnAuditProofObtained,
+                     weak_factory_.GetWeakPtr(), &(it->first)));

[Ryan Sleevi, 2016/11/14 05:03:27]

DANGER: Messing with the key on a map strikes me as super-dangerous and hard to
reason about the safety and mutability (if you mutate it->first, you can easily
violate all of the invariants)

[Eran Messeri, 2016/11/16 14:24:10]

I wast taking a pointer that was used in a const context, but instead I bind a
const reference. So should be addressed.

+      DCHECK(result != net::OK)

[Ryan Sleevi, 2016/11/14 05:03:28]

DCHECK_EQ

[Eran Messeri, 2016/11/16 14:24:10]

Done.

+          << "Handling proofs returned synchronously is not implemeted.";

[Ryan Sleevi, 2016/11/14 05:03:27]

Unnecessary

[Eran Messeri, 2016/11/16 14:24:10]

Done.

+      if (result == net::ERR_IO_PENDING) {
+        // Successfully requested an inclusion proof - change entry state
+        // and continue to the next one.
+        it->second.state = INCLUSION_PROOF_REQUESTED;
+        ++it;
+      } else if (result == net::ERR_TEMPORARILY_THROTTLED) {
+        dns_client_->NotifyWhenNotThrottled(
+            base::Bind(&SingleTreeTracker::ProcessPendingEntries,
+                       weak_factory_.GetWeakPtr()));
+        // Exit the loop since all subsequent calls to QueryAuditProof
+        // will be throttled.
+        break;
+      } else if (result == net::ERR_NAME_RESOLUTION_FAILED) {
+        LogInclusionCheckResult(DNS_QUERY_NOT_POSSIBLE);
+        // Lookup failed due to bad DNS configuration, erase the entry and
+        // continue to the next one.
+        pending_entries_.erase(it++);

[Ryan Sleevi, 2016/11/14 05:03:28]

BUG: This triggers all of the heuristics for "This is likely a violation of some
important semantic". The normal pattern you expect is soemthing like

it = pending_entries_.erase(it);

(or something similar). This is because for most STL containers, a mutation
invalidates iterators.

[Eran Messeri, 2016/11/16 14:24:10]

Done.

+      } else {
+        // BUG: an invalid argument was provided or an unexpected error

[Ryan Sleevi, 2016/11/14 05:03:27]

Is this a bug in your code? Or are you saying it's a violation of an invariant?
It sounds like bug in your code.

[Eran Messeri, 2016/11/16 14:24:10]

There are two cases:
* ERR_INVALID_ARGUMENT  was returned - this is a bug in my code.
* something other than ERR_INVALID_ARGUMENT was returned - this is a violation
of the contract with the LogDnsClient.

How do you suggest I express it?
In theory I could DCHECK_EQ(...) for the first case, and then remove the entry
so no future calls to QueryAuditProof are made and have a NOTREACHED for the
other case.
Does that seem sensible or an overkill to you?

+        // was returned from LogDnsClient.
+        DCHECK(result == net::ERR_INVALID_ARGUMENT);

[Ryan Sleevi, 2016/11/14 05:03:27]

DCHECK_EQ

[Eran Messeri, 2016/11/16 14:24:10]

Done.

+        NOTREACHED();
+      }
+    } else {
+      // Entry not pending inclusion proof request, continue to next one.
+      ++it;

[Ryan Sleevi, 2016/11/14 05:03:27]

nit: error control goes first

[Eran Messeri, 2016/11/16 14:24:10]

Done.

+    }
+  }
+}
+
+SingleTreeTracker::SCTInclusionStatus
+SingleTreeTracker::GetLogEntryInclusionStatus(const EntryToAudit& entry) {
+  auto checked_entries_iterator = checked_entries_.Get(

[Ryan Sleevi, 2016/11/14 05:03:28]

auto or const auto?

[Eran Messeri, 2016/11/16 14:24:10]

Done.

+      std::string(reinterpret_cast<const char*>(entry.leaf_hash.data),
+                  crypto::kSHA256Length));
+  if (checked_entries_iterator != checked_entries_.end()) {
+    // Only success is cached, so all values in |checked_entries_|
+    // should be true.
+    DCHECK(checked_entries_iterator->second);
+    return SCT_INCLUDED_IN_LOG;
+  }
+
+  auto pending_iterator = pending_entries_.find(entry);
+  if (pending_iterator != pending_entries_.end()) {
+    switch (pending_iterator->second.state) {
+      case PENDING_NEWER_STH:
+        return SCT_PENDING_NEWER_STH;
+      case PENDING_INCLUSION_PROOF_REQUEST:
+      case INCLUSION_PROOF_REQUESTED:
+        return SCT_PENDING_INCLUSION_CHECK;
+    }
+    NOTREACHED();
+  }
+
+  return SCT_NOT_OBSERVED;
+}
+
+void SingleTreeTracker::OnAuditProofObtained(const EntryToAudit* entry,
+                                             int net_error) {
+  auto it = pending_entries_.find(*entry);
+  // The entry may not be present if it was evacuated due to low memory
+  // pressure.
+  if (it == pending_entries_.end()) {
+    ProcessPendingEntries();
+    return;
+  }
+
+  DCHECK(it->second.state == INCLUSION_PROOF_REQUESTED);
+
+  if (net_error == net::OK) {
+    std::string leaf_hash(
+        reinterpret_cast<const char*>(it->first.leaf_hash.data),
+        crypto::kSHA256Length);
+
+    if (ct_log_->VerifyAuditProof(it->second.proof, it->second.root_hash,
+                                  leaf_hash)) {
+      checked_entries_.Put(leaf_hash, true);
+      LogInclusionCheckResult(GOT_VALID_INCLUSION_PROOF);
+    } else {
+      LogInclusionCheckResult(GOT_INVALID_INCLUSION_PROOF);
+    }
+  } else {
+    // XXX(eranm): Should failures be cached? For now, they are not.
+    LogInclusionCheckResult(FAILED_GETTING_INCLUSION_PROOF);
+  }
+
+  pending_entries_.erase(it);
+}
+
+void SingleTreeTracker::OnMemoryPressure(
+    base::MemoryPressureListener::MemoryPressureLevel memory_pressure_level) {
+  switch (memory_pressure_level) {
+    case base::MemoryPressureListener::MEMORY_PRESSURE_LEVEL_NONE:
+      break;
+    case base::MemoryPressureListener::MEMORY_PRESSURE_LEVEL_CRITICAL:
+      pending_entries_.clear();
+    // Fall through to clearing the other cache.
+    case base::MemoryPressureListener::MEMORY_PRESSURE_LEVEL_MODERATE:
+      checked_entries_.Clear();
+      break;
+  }
 }
 
 }  // namespace certificate_transparency