Add Certificate Transparency logs auditing

components/certificate_transparency/log_dns_client.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/certificate_transparency/log_dns_client.h"
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/format_macros.h"
 #include "base/location.h"
@@ skipping 305 matching lines @@
   next_state_ = State::REQUEST_AUDIT_PROOF_NODES;
   return net::OK;
 }
 
 net::Error LogDnsClient::AuditProofQuery::RequestAuditProofNodes() {
   // Test pre-conditions (should be guaranteed by DNS response validation).
   if (proof_->leaf_index >= proof_->tree_size ||
       proof_->nodes.size() >= net::ct::CalculateAuditPathLength(
                                   proof_->leaf_index, proof_->tree_size)) {
     return net::ERR_UNEXPECTED;
+    // The performance of this could be improved by sending all of the expected
+    // queries up front. Each response can contain a maximum of 7 audit path
+    // nodes,
+    // so for an audit proof of size 20, it could send 3 queries (for nodes 0-6,
+    // 7-13 and 14-19) immediately. Currently, it sends only the first and then,
+    // based on the number of nodes received, sends the next query. The
+    // complexity
+    // of the code would increase though, as it would need to detect gaps in the
+    // audit proof caused by the server not responding with the anticipated
+    // number
+    // of nodes. Ownership of the proof would need to change, as it would be
+    // shared
+    // between simultaneous DNS transactions.
+    /*
+    void LogDnsClient::QueryAuditProof(base::StringPiece domain_for_log,
+                                       uint64_t leaf_index,
+                                       uint64_t tree_size,
+                                       const AuditProofCallback& callback) {
+      if (domain_for_log.empty() || leaf_index >= tree_size) {
+        base::ThreadTaskRunnerHandle::Get()->PostTask(
+            FROM_HERE,
+            base::Bind(callback, net::Error::ERR_INVALID_ARGUMENT, nullptr));
+        return;
+    */

[Ryan Sleevi, 2016/12/22 21:33:20]

Accidental paste?

[Eran Messeri, 2017/01/03 23:07:41]

Fixed - bad merge.

   }
 
   std::string qname = base::StringPrintf(
       "%zu.%" PRIu64 ".%" PRIu64 ".tree.%s.", proof_->nodes.size(),
       proof_->leaf_index, proof_->tree_size, domain_for_log_.c_str());
 
   if (!StartDnsTransaction(qname)) {
     return net::ERR_NAME_RESOLUTION_FAILED;
   }
 
@@ skipping 134 matching lines @@
 }
 
 void LogDnsClient::UpdateDnsConfig() {
   net::DnsConfig config;
   net::NetworkChangeNotifier::GetDnsConfig(&config);
   if (config.IsValid())
     dns_client_->SetConfig(config);
 }
 
 }  // namespace certificate_transparency