Add Expect-Staple to preload list

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 
@@ skipping 357 matching lines @@
   uint32_t domain_id;
   // hostname_offset contains the number of bytes from the start of the given
   // hostname where the name of the matching entry starts.
   size_t hostname_offset;
   bool sts_include_subdomains;
   bool pkp_include_subdomains;
   bool force_https;
   bool has_pins;
   bool expect_ct;
   uint32_t expect_ct_report_uri_id;
+  bool expect_staple;
+  bool expect_staple_include_subdomains;
+  uint32_t expect_staple_report_uri_id;
 };
 
 // DecodeHSTSPreloadRaw resolves |hostname| in the preloaded data. It returns
 // false on internal error and true otherwise. After a successful return,
 // |*out_found| is true iff a relevant entry has been found. If so, |*out|
 // contains the details.
 //
 // Don't call this function, call DecodeHSTSPreload, below.
 //
 // Although this code should be robust, it never processes attacker-controlled
@@ skipping 115 matching lines @@
         }
 
         if (!reader.Next(&tmp.expect_ct))
           return false;
 
         if (tmp.expect_ct) {
           if (!reader.Read(4, &tmp.expect_ct_report_uri_id))
             return false;
         }
 
+        if (!reader.Next(&tmp.expect_staple))
+          return false;
+        tmp.expect_staple_include_subdomains = false;
+        if (tmp.expect_staple) {
+          if (!reader.Next(&tmp.expect_staple_include_subdomains))
+            return false;
+          if (!reader.Read(4, &tmp.expect_staple_report_uri_id))
+            return false;
+        }
+
         tmp.hostname_offset = hostname_offset;
 
         if (hostname_offset == 0 || hostname[hostname_offset - 1] == '.') {
-          *out_found = tmp.sts_include_subdomains || tmp.pkp_include_subdomains;
+          *out_found = tmp.sts_include_subdomains ||
+                       tmp.pkp_include_subdomains ||
+                       tmp.expect_staple_include_subdomains;
           *out = tmp;
 
           if (hostname_offset > 0) {
             out->force_https &= tmp.sts_include_subdomains;
           } else {
             *out_found = true;
             return true;
           }
         }
 
@@ skipping 68 matching lines @@
   return found;
 }
 
 }  // namespace
 
 TransportSecurityState::TransportSecurityState()
     : delegate_(nullptr),
       report_sender_(nullptr),
       enable_static_pins_(true),
       enable_static_expect_ct_(true),
+      enable_static_expect_staple_(false),

[estark, 2016/06/03 22:53:04]

I think you can initialize this to true and set it to false after line 627. (Or
is there a reason you want to leave it disabled for now?)

       expect_ct_reporter_(nullptr),
       sent_reports_cache_(kMaxHPKPReportCacheEntries) {
 // Static pinning is only enabled for official builds to make sure that
 // others don't end up with pins that cannot be easily updated.
 #if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS)
   enable_static_pins_ = false;
   enable_static_expect_ct_ = false;
 #endif
   DCHECK(CalledOnValidThread());
 }
@@ skipping 234 matching lines @@
 
   if (!enable_static_expect_ct_ || !result.expect_ct)
     return false;
 
   expect_ct_state->domain = host.substr(result.hostname_offset);
   expect_ct_state->report_uri =
       GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]);
   return true;
 }
 
+bool TransportSecurityState::GetStaticExpectStapleState(
+    const std::string& host,
+    ExpectStapleState* expect_staple_state) const {
+  DCHECK(CalledOnValidThread());
+
+  if (!IsBuildTimely())
+    return false;
+
+  PreloadResult result;
+  if (!DecodeHSTSPreload(host, &result))
+    return false;
+
+  if (!enable_static_expect_staple_ || !result.expect_staple)
+    return false;
+
+  expect_staple_state->domain = host.substr(result.hostname_offset);
+  expect_staple_state->include_subdomains =
+      result.expect_staple_include_subdomains;
+  expect_staple_state->report_uri =
+      GURL(kExpectStapleReportURIs[result.expect_staple_report_uri_id]);
+  return true;
+}
+
 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) {
   DCHECK(CalledOnValidThread());
 
   const std::string canonicalized_host = CanonicalizeHost(host);
   if (canonicalized_host.empty())
     return false;
 
   const std::string hashed_host = HashHost(canonicalized_host);
   bool deleted = false;
   STSStateMap::iterator sts_interator = enabled_sts_hosts_.find(hashed_host);
@@ skipping 434 matching lines @@
 
 TransportSecurityState::PKPState::PKPState(const PKPState& other) = default;
 
 TransportSecurityState::PKPState::~PKPState() {
 }
 
 TransportSecurityState::ExpectCTState::ExpectCTState() {}
 
 TransportSecurityState::ExpectCTState::~ExpectCTState() {}
 
+TransportSecurityState::ExpectStapleState::ExpectStapleState()
+    : include_subdomains(false) {}
+
+TransportSecurityState::ExpectStapleState::~ExpectStapleState() {}
+
 bool TransportSecurityState::PKPState::CheckPublicKeyPins(
     const HashValueVector& hashes,
     std::string* failure_log) const {
   // Validate that hashes is not empty. By the time this code is called (in
   // production), that should never happen, but it's good to be defensive.
   // And, hashes *can* be empty in some test scenarios.
   if (hashes.empty()) {
     failure_log->append(
         "Rejecting empty public key chain for public-key-pinned domains: " +
         domain);
@@ skipping 33 matching lines @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
     const TransportSecurityState& state)
     : iterator_(state.enabled_pkp_hosts_.begin()),
       end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 }  // namespace