Implement Expect-Staple

net/http/transport_security_state.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 
 #include <stdint.h>
 
 #include <map>
@@ skipping 180 matching lines @@
     ExpectCTState();
     ~ExpectCTState();
 
     // The domain which matched during a search for this DomainState entry.
     std::string domain;
     // The URI to which reports should be sent if valid CT info is not
     // provided.
     GURL report_uri;
   };
 
+  // An ExpectStapleState describes a site that expects valid OCSP information
+  // to be stapled to its certificate on every connection.
+  class NET_EXPORT ExpectStapleState {
+   public:
+    ExpectStapleState();
+    ~ExpectStapleState();
+
+    // The domain which matched during a search for this Expect-Staple entry
+    std::string domain;
+
+    // The URI reports are sent to if a valid OCSP response is not stapled
+    GURL report_uri;
+
+    // True if subdomains are subject to this policy
+    bool include_subdomains;
+  };
+
   // An interface for asynchronously sending HPKP violation reports.
   class NET_EXPORT ReportSender {
    public:
     // Sends the given serialized |report| to |report_uri|.
     virtual void Send(const GURL& report_uri, const std::string& report) = 0;
 
     // Sets a callback to be called when report sending fails.
     virtual void SetErrorCallback(
         const base::Callback<void(const GURL&, int)>& error_callback) = 0;
 
@@ skipping 10 matching lines @@
     // reports about Expect CT policy violations sent to |report_uri|,
     // and such a violation has occurred.
     virtual void OnExpectCTFailed(const net::HostPortPair& host_port_pair,
                                   const GURL& report_uri,
                                   const net::SSLInfo& ssl_info) = 0;
 
    protected:
     virtual ~ExpectCTReporter() {}
   };
 
+  // An interface for building and asynchronously sending reports when a site
+  // expects to have sent a valid OCSP staple during a TLS handshake, but it
+  // wasn't supplied.
+  class NET_EXPORT ExpectStapleReporter {
+   public:
+    virtual void OnExpectStapleFailed(const net::HostPortPair& host_port_pair,
+                                      const GURL& report_uri,
+                                      const net::SSLInfo& ssl_info) = 0;
+
+   protected:
+    virtual ~ExpectStapleReporter() {}
+  };
+
   // Indicates whether or not a public key pin check should send a
   // report if a violation is detected.
   enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS };
 
   TransportSecurityState();
   ~TransportSecurityState();
 
   // These functions search for static and dynamic STS and PKP states, and
   // invoke the functions of the same name on them. These functions are the
   // primary public interface; direct access to STS and PKP states is best
@@ skipping 13 matching lines @@
   // |NULL|, state will not be persisted. The caller retains
   // ownership of |delegate|.
   // Note: This is only used for serializing/deserializing the
   // TransportSecurityState.
   void SetDelegate(Delegate* delegate);
 
   void SetReportSender(ReportSender* report_sender);
 
   void SetExpectCTReporter(ExpectCTReporter* expect_ct_reporter);
 
+  void SetExpectStapleReporter(ExpectStapleReporter* expect_staple_reporter);
+
   // Clears all dynamic data (e.g. HSTS and HPKP data).
   //
   // Does NOT persist changes using the Delegate, as this function is only
   // used to clear any dynamic data prior to re-loading it from a file.
   // Note: This is only used for serializing/deserializing the
   // TransportSecurityState.
   void ClearDynamicData();
 
   // Inserts |state| into |enabled_sts_hosts_| under the key |hashed_host|.
   // |hashed_host| is already in the internal representation.
@@ skipping 86 matching lines @@
   // 1. The header value is "preload", indicating that the site wants to
   // be opted in to Expect CT.
   // 2. The given host is present on the Expect CT preload list with a
   // valid report-uri, and the build is timely (i.e. preload list is fresh).
   // 3. |ssl_info| indicates that the connection violated the Expect CT policy.
   // 4. An Expect CT reporter has been provided with SetExpectCTReporter().
   void ProcessExpectCTHeader(const std::string& value,
                              const HostPortPair& host_port_pair,
                              const SSLInfo& ssl_info);
 
+  // TODO
+  void CheckExpectStaple(const HostPortPair& host_port_pair,
+                         const SSLInfo& ssl_info);
+
  private:
   friend class TransportSecurityStateTest;
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);
   FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader);
 
   typedef std::map<std::string, STSState> STSStateMap;
   typedef std::map<std::string, PKPState> PKPStateMap;
 
@@ skipping 60 matching lines @@
       const X509Certificate* served_certificate_chain,
       const X509Certificate* validated_certificate_chain,
       const TransportSecurityState::PublicKeyPinReportStatus report_status,
       std::string* failure_log);
 
   // Returns true and updates |*expect_ct_result| iff there is a static
   // (built-in) state for |host| with expect_ct=true.
   bool GetStaticExpectCTState(const std::string& host,
                               ExpectCTState* expect_ct_result) const;
 
+  // Returns true and updates |*expect_staple_result| iff there is a static
+  // (built-in) state for |host| with expect_staple=true, or if |host| is a
+  // subdomain of another domain with expect_staple=true and
+  // include_subdomains_for_expect_staple=true.
+  bool GetStaticExpectStapleState(
+      const std::string& host,
+      ExpectStapleState* expect_staple_result) const;
+
   // The sets of hosts that have enabled TransportSecurity. |domain| will always
   // be empty for a STSState or PKPState in these maps; the domain
   // comes from the map keys instead. In addition, |upgrade_mode| in the
   // STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState
   // always returns true.
   STSStateMap enabled_sts_hosts_;
   PKPStateMap enabled_pkp_hosts_;
 
   Delegate* delegate_;
 
   ReportSender* report_sender_;
 
   // True if static pins should be used.
   bool enable_static_pins_;
 
   // True if static expect-CT state should be used.
   bool enable_static_expect_ct_;
 
   ExpectCTReporter* expect_ct_reporter_;
 
+  // True if static expect-staple state should be used.
+  bool enable_static_expect_staple_;
+
+  ExpectStapleReporter* expect_staple_reporter_;
+
   // Keeps track of reports that have been sent recently for
   // rate-limiting.
   ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>
       sent_reports_cache_;
 
   DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
 };
 
 }  // namespace net
 
 #endif  // NET_HTTP_TRANSPORT_SECURITY_STATE_H_