Require a CTVerifier and CTPolicyEnforcer for TLS/QUIC sockets

net/socket/ssl_client_socket_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_impl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
@@ skipping 501 matching lines @@
       session_pending_(false),
       certificate_verified_(false),
       ssl_failure_state_(SSL_FAILURE_NONE),
       signature_result_(kNoPendingResult),
       transport_security_state_(context.transport_security_state),
       policy_enforcer_(context.ct_policy_enforcer),
       pkp_bypassed_(false),
       net_log_(transport_->socket()->NetLog()),
       weak_factory_(this) {
   DCHECK(cert_verifier_);
+  DCHECK(transport_security_state_);
+  DCHECK(policy_enforcer_);
 }
 
 SSLClientSocketImpl::~SSLClientSocketImpl() {
   Disconnect();
 }
 
 #if !defined(OS_NACL)
 void SSLClientSocketImpl::SetSSLKeyLogFile(
     const base::FilePath& ssl_keylog_file,
     const scoped_refptr<base::SequencedTaskRunner>& task_runner) {
@@ skipping 77 matching lines @@
   if (rv != 1) {
     int ssl_error = SSL_get_error(ssl_, rv);
     LOG(ERROR) << "Failed to export keying material;"
                << " returned " << rv << ", SSL error code " << ssl_error;
     return MapOpenSSLError(ssl_error, err_tracer);
   }
   return OK;
 }
 
 int SSLClientSocketImpl::Connect(const CompletionCallback& callback) {
-  // It is an error to create an SSLClientSocket whose context has no
-  // TransportSecurityState.
-  DCHECK(transport_security_state_);
-
   // Although StreamSocket does allow calling Connect() after Disconnect(),
   // this has never worked for layered sockets. CHECK to detect any consumers
   // reconnecting an SSL socket.
   //
   // TODO(davidben,mmenke): Remove this API feature. See
   // https://crbug.com/499289.
   CHECK(!disconnected_);
 
   net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT);
 
@@ skipping 690 matching lines @@
     base::TimeDelta verify_time =
         base::TimeTicks::Now() - start_cert_verification_time_;
     if (result == OK) {
       UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time);
     } else {
       UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
     }
   }
 
   const CertStatus cert_status = server_cert_verify_result_.cert_status;
-  if (transport_security_state_ &&
-      (result == OK ||
+  if ((result == OK ||
        (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
       !transport_security_state_->CheckPublicKeyPins(
           host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
           server_cert_verify_result_.public_key_hashes, server_cert_.get(),
           server_cert_verify_result_.verified_cert.get(),
           TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) {
     if (server_cert_verify_result_.is_issued_by_known_root)
       result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
     else
       pkp_bypassed_ = true;
@@ skipping 27 matching lines @@
   server_cert_chain_->Reset(SSL_get_peer_cert_chain(ssl_));
   server_cert_ = server_cert_chain_->AsOSChain();
   if (server_cert_.get()) {
     net_log_.AddEvent(NetLog::TYPE_SSL_CERTIFICATES_RECEIVED,
                       base::Bind(&NetLogX509CertificateCallback,
                                  base::Unretained(server_cert_.get())));
   }
 }
 
 void SSLClientSocketImpl::VerifyCT() {
-  if (!cert_transparency_verifier_)
-    return;
-
   const uint8_t* ocsp_response_raw;
   size_t ocsp_response_len;
   SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
   std::string ocsp_response;
   if (ocsp_response_len > 0) {
     ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw),
                          ocsp_response_len);
   }
 
   const uint8_t* sct_list_raw;
   size_t sct_list_len;
   SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len);
   std::string sct_list;
   if (sct_list_len > 0)
     sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len);
 
   // Note that this is a completely synchronous operation: The CT Log Verifier
   // gets all the data it needs for SCT verification and does not do any
   // external communication.
   cert_transparency_verifier_->Verify(
       server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list,
       &ct_verify_result_, net_log_);
 
-  ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
+  ct_verify_result_.ct_policies_applied = true;
   ct_verify_result_.ev_policy_compliance =
       ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
-  if (policy_enforcer_) {
-    if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
-      scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
-          SSLConfigService::GetEVCertsWhitelist();
-      ct::EVPolicyCompliance ev_policy_compliance =
-          policy_enforcer_->DoesConformToCTEVPolicy(
-              server_cert_verify_result_.verified_cert.get(),
-              ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_);
-      ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
-      if (ev_policy_compliance !=
-              ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
-          ev_policy_compliance !=
-              ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
-          ev_policy_compliance !=
-              ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
-        server_cert_verify_result_.cert_status |=
-            CERT_STATUS_CT_COMPLIANCE_FAILED;
-        server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
-      }
+  if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
+    scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
+        SSLConfigService::GetEVCertsWhitelist();
+    ct::EVPolicyCompliance ev_policy_compliance =
+        policy_enforcer_->DoesConformToCTEVPolicy(
+            server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
+            ct_verify_result_.verified_scts, net_log_);
+    ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
+    if (ev_policy_compliance !=
+            ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
+        ev_policy_compliance !=
+            ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
+        ev_policy_compliance !=
+            ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
+      server_cert_verify_result_.cert_status |=
+          CERT_STATUS_CT_COMPLIANCE_FAILED;
+      server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
     }
-    ct_verify_result_.cert_policy_compliance =
-        policy_enforcer_->DoesConformToCertPolicy(
-            server_cert_verify_result_.verified_cert.get(),
-            ct_verify_result_.verified_scts, net_log_);
   }
+  ct_verify_result_.cert_policy_compliance =
+      policy_enforcer_->DoesConformToCertPolicy(
+          server_cert_verify_result_.verified_cert.get(),
+          ct_verify_result_.verified_scts, net_log_);
 }
 
 void SSLClientSocketImpl::OnHandshakeIOComplete(int result) {
   int rv = DoHandshakeLoop(result);
   if (rv != ERR_IO_PENDING) {
     LogConnectEndEvent(rv);
     DoConnectCallback(rv);
   }
 }
 
@@ skipping 864 matching lines @@
   if (rv != OK) {
     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
     return;
   }
 
   net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT,
                     base::Bind(&NetLogSSLInfoCallback, base::Unretained(this)));
 }
 
 }  // namespace net