Index: net/http/transport_security_state.cc |
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc |
index 6bbe0b032a5997b6c90e90898453410dfa7ae138..06ebc9c1fc82cdfdf18071ed1fe34bbb5f8af6dc 100644 |
--- a/net/http/transport_security_state.cc |
+++ b/net/http/transport_security_state.cc |
@@ -375,6 +375,9 @@ struct PreloadResult { |
bool has_pins; |
bool expect_ct; |
uint32_t expect_ct_report_uri_id; |
+ bool expect_staple; |
+ bool expect_staple_include_subdomains; |
+ uint32_t expect_staple_report_uri_id; |
}; |
// DecodeHSTSPreloadRaw resolves |hostname| in the preloaded data. It returns |
@@ -510,10 +513,22 @@ bool DecodeHSTSPreloadRaw(const std::string& search_hostname, |
return false; |
} |
+ if (!reader.Next(&tmp.expect_staple)) |
+ return false; |
+ tmp.expect_staple_include_subdomains = false; |
+ if (tmp.expect_staple) { |
+ if (!reader.Next(&tmp.expect_staple_include_subdomains)) |
+ return false; |
+ if (!reader.Read(4, &tmp.expect_staple_report_uri_id)) |
+ return false; |
+ } |
+ |
tmp.hostname_offset = hostname_offset; |
if (hostname_offset == 0 || hostname[hostname_offset - 1] == '.') { |
- *out_found = tmp.sts_include_subdomains || tmp.pkp_include_subdomains; |
+ *out_found = tmp.sts_include_subdomains || |
+ tmp.pkp_include_subdomains || |
+ tmp.expect_staple_include_subdomains; |
*out = tmp; |
if (hostname_offset > 0) { |
@@ -704,6 +719,12 @@ void TransportSecurityState::SetExpectCTReporter( |
expect_ct_reporter_ = expect_ct_reporter; |
} |
+void TransportSecurityState::SetExpectStapleReporter( |
+ ExpectStapleReporter* expect_staple_reporter) { |
+ DCHECK(CalledOnValidThread()); |
+ expect_staple_reporter_ = expect_staple_reporter; |
+} |
+ |
void TransportSecurityState::AddHSTSInternal( |
const std::string& host, |
TransportSecurityState::STSState::UpgradeMode upgrade_mode, |
@@ -856,6 +877,29 @@ bool TransportSecurityState::GetStaticExpectCTState( |
return true; |
} |
+bool TransportSecurityState::GetStaticExpectStapleState( |
+ const std::string& host, |
+ ExpectStapleState* expect_staple_state) const { |
+ DCHECK(CalledOnValidThread()); |
+ |
+ if (!IsBuildTimely()) |
+ return false; |
+ |
+ PreloadResult result; |
+ if (!DecodeHSTSPreload(host, &result)) |
+ return false; |
+ |
+ if (!enable_static_expect_staple_ || !result.expect_staple) |
+ return false; |
+ |
+ expect_staple_state->domain = host.substr(result.hostname_offset); |
+ expect_staple_state->include_subdomains = |
+ result.expect_staple_include_subdomains; |
+ expect_staple_state->report_uri = |
+ GURL(kExpectStapleReportURIs[result.expect_staple_report_uri_id]); |
+ return true; |
+} |
+ |
bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { |
DCHECK(CalledOnValidThread()); |
@@ -1059,6 +1103,22 @@ void TransportSecurityState::ProcessExpectCTHeader( |
ssl_info); |
} |
+void TransportSecurityState::CheckExpectStaple( |
+ const HostPortPair& host_port_pair, |
+ const SSLInfo& ssl_info) { |
+ DCHECK(CalledOnValidThread()); |
+ if (!expect_staple_reporter_) |
+ return; |
+ if (!IsBuildTimely()) |
+ return; |
+ // TODO: actually check OCSP info |
+ ExpectStapleState state; |
+ if (!GetStaticExpectStapleState(host_port_pair.host(), &state)) |
+ return; |
+ expect_staple_reporter_->OnExpectStapleFailed(host_port_pair, |
+ state.report_uri, ssl_info); |
+} |
+ |
// static |
void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { |
PreloadResult result; |
@@ -1310,6 +1370,11 @@ TransportSecurityState::ExpectCTState::ExpectCTState() {} |
TransportSecurityState::ExpectCTState::~ExpectCTState() {} |
+TransportSecurityState::ExpectStapleState::ExpectStapleState() |
+ : include_subdomains(false) {} |
+ |
+TransportSecurityState::ExpectStapleState::~ExpectStapleState() {} |
+ |
bool TransportSecurityState::PKPState::CheckPublicKeyPins( |
const HashValueVector& hashes, |
std::string* failure_log) const { |