Add the ability to send Expect-Staple reports.

net/http/transport_security_state.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 
 #include <stdint.h>
 
 #include <map>
@@ skipping 431 matching lines @@
   // 1. The header value is "preload", indicating that the site wants to
   // be opted in to Expect CT.
   // 2. The given host is present on the Expect CT preload list with a
   // valid report-uri, and the build is timely (i.e. preload list is fresh).
   // 3. |ssl_info| indicates that the connection violated the Expect CT policy.
   // 4. An Expect CT reporter has been provided with SetExpectCTReporter().
   void ProcessExpectCTHeader(const std::string& value,
                              const HostPortPair& host_port_pair,
                              const SSLInfo& ssl_info);
 
+  void ProcessExpectStaple(const HostPortPair& host_port_pair,
+                           const SSLInfo& ssl_info,
+                           const std::string& ocsp_response);

[Ryan Sleevi, 2016/07/19 00:02:49]

Documentation is needed here. Just from the header, it's unclear why
ocsp_response is needed.

From a design standpoint, the naming here leaves much to be desired - I thought
at first this processed ExpectStaple headers, but no, it performs the logic of
ExpectStaple processing.

From a documentation standpoint, it's unclear how one would use this. For
example, do you call this for all hosts when you get a stapled response? Do you
only call it if the host is in the expect-staple list? Do you only call it when
the stapled response is bad?

I would try, as much as possible, to examine the other methods of TSS and try to
make it consistent with them.

[dadrian, 2016/07/19 00:18:54]

I modeled this after ProcessExpectCTHeader. It follows almost identical
structure, modulo one less reporting abstract class. It doesn't take a header
because ExpectStaple is preload-only. The plan is to call this from
ssl_client_socket_impl.cc in DoVerifyCertComplete().

That being said, I totally forgot to put any documentation on this. :)

+
   // For unit tests only; causes ShouldRequireCT() to return |*required|
   // by default (that is, unless a RequireCTDelegate overrides). Set to
   // nullptr to reset.
   static void SetShouldRequireCTForTesting(bool* required);
 
  private:
   friend class TransportSecurityStateTest;
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);
@@ skipping 114 matching lines @@
   // rate-limiting.
   ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>
       sent_reports_cache_;
 
   DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
 };
 
 }  // namespace net
 
 #endif  // NET_HTTP_TRANSPORT_SECURITY_STATE_H_