Implement Expect-Staple

net/socket/ssl_client_socket_impl.cc

Index: net/socket/ssl_client_socket_impl.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index 12867ad2e3a3d44dc10e6373c346b4e2af7adfa0..62b3b826b993066f6744bfcf2544f2aaff08a7c7 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -1359,6 +1359,8 @@ int SSLClientSocketImpl::DoVerifyCertComplete(int result) {
     // the connection.
     VerifyCT();
 
+    CheckOCSP();

[estark, 2016/06/09 21:24:15]

Could you pass in |server_cert_| as an argument so you don't have to call
GetSSLInfo() inside CheckOCSP() to get at the cert?

[dadrian, 2016/06/10 01:05:53]

Yes, though it will eventually need both the certificate and the unverified
certificate.

+
     DCHECK(!certificate_verified_);
     certificate_verified_ = true;
     MaybeCacheSession();
@@ -1453,6 +1455,18 @@ void SSLClientSocketImpl::VerifyCT() {
   }
 }
 
+void SSLClientSocketImpl::CheckOCSP() {
+  TransportSecurityState::ExpectStapleState expect_staple_state;
+  if (!transport_security_state_->GetStaticExpectStapleState(
+          host_and_port_.host(), &expect_staple_state)) {
+    return;
+  }
+  SSLInfo ssl_info;
+  GetSSLInfo(&ssl_info);
+  transport_security_state_->CheckExpectStaple(
+      host_and_port_, expect_staple_state, *ssl_info.cert, ocsp_response_);

[estark, 2016/06/09 21:24:15]

Is |ocsp_response_| already always populated? I thought it is only populated if
we have a CT verifier or something like that. (Which we probably always do in
Chrome, but I'm not sure, might be worth checking.)

[dadrian, 2016/06/10 01:05:53]

I'll make sure it gets populated if enable_static_expect_staple_ is true,
although this might already be the case, I might have added that in the preload
list change.

+}
+
 void SSLClientSocketImpl::OnHandshakeIOComplete(int result) {
   int rv = DoHandshakeLoop(result);
   if (rv != ERR_IO_PENDING) {