Implement Expect-Staple

net/socket/ssl_client_socket_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_impl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
@@ skipping 1341 matching lines @@
           server_cert_verify_result_.verified_cert.get(),
           TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) {
     result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
   }
 
   if (result == OK) {
     // Only check Certificate Transparency if there were no other errors with
     // the connection.
     VerifyCT();
 
+    CheckOCSP();

[estark, 2016/06/09 21:24:15]

Could you pass in |server_cert_| as an argument so you don't have to call
GetSSLInfo() inside CheckOCSP() to get at the cert?

[dadrian, 2016/06/10 01:05:53]

Yes, though it will eventually need both the certificate and the unverified
certificate.

+
     DCHECK(!certificate_verified_);
     certificate_verified_ = true;
     MaybeCacheSession();
   } else {
     DVLOG(1) << "DoVerifyCertComplete error " << ErrorToString(result) << " ("
              << result << ")";
   }
 
   completed_connect_ = true;
   // Exit DoHandshakeLoop and return the result to the caller to Connect.
@@ skipping 74 matching lines @@
         server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
       }
     }
     ct_verify_result_.cert_policy_compliance =
         policy_enforcer_->DoesConformToCertPolicy(
             server_cert_verify_result_.verified_cert.get(),
             ct_verify_result_.verified_scts, net_log_);
   }
 }
 
+void SSLClientSocketImpl::CheckOCSP() {
+  TransportSecurityState::ExpectStapleState expect_staple_state;
+  if (!transport_security_state_->GetStaticExpectStapleState(
+          host_and_port_.host(), &expect_staple_state)) {
+    return;
+  }
+  SSLInfo ssl_info;
+  GetSSLInfo(&ssl_info);
+  transport_security_state_->CheckExpectStaple(
+      host_and_port_, expect_staple_state, *ssl_info.cert, ocsp_response_);

[estark, 2016/06/09 21:24:15]

Is |ocsp_response_| already always populated? I thought it is only populated if
we have a CT verifier or something like that. (Which we probably always do in
Chrome, but I'm not sure, might be worth checking.)

[dadrian, 2016/06/10 01:05:53]

I'll make sure it gets populated if enable_static_expect_staple_ is true,
although this might already be the case, I might have added that in the preload
list change.

+}
+
 void SSLClientSocketImpl::OnHandshakeIOComplete(int result) {
   int rv = DoHandshakeLoop(result);
   if (rv != ERR_IO_PENDING) {
     LogConnectEndEvent(rv);
     DoConnectCallback(rv);
   }
 }
 
 void SSLClientSocketImpl::OnSendComplete(int result) {
   if (next_handshake_state_ == STATE_HANDSHAKE) {
@@ skipping 865 matching lines @@
   if (rv != OK) {
     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
     return;
   }
 
   net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT,
                     base::Bind(&NetLogSSLInfoCallback, base::Unretained(this)));
 }
 
 }  // namespace net