Chromium Code Reviews| Index: net/http/transport_security_state.cc |
| diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc |
| index 9b42febf5f177481b33b5406d88215da1e24b325..5df88a944a83bc874cca46121c2a20f4d88652bd 100644 |
| --- a/net/http/transport_security_state.cc |
| +++ b/net/http/transport_security_state.cc |
| @@ -645,6 +645,10 @@ bool DecodeHSTSPreload(const std::string& hostname, PreloadResult* out) { |
| std::string SerializeExpectStapleResponseStatus( |
| OCSPVerifyResult::ResponseStatus status) { |
| switch (status) { |
| + case OCSPVerifyResult::UNKNOWN: |
| + // Reports shouldn't be sent for this response status. |
| + NOTREACHED(); |
| + return "UNKNOWN"; |
| case OCSPVerifyResult::MISSING: |
| return "MISSING"; |
| case OCSPVerifyResult::PROVIDED: |
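Review bot: The comment on the new `UNKNOWN` case says reports shouldn't be sent for this status, but it does not say what enforces that. The only guard visible on this page is the early return added to `CheckExpectStaple`, which is a different function. If `NOTREACHED()` is compiled out in non-debug builds, a caller that bypasses that guard would get the string "UNKNOWN" serialized into a report with no signal that the invariant broke. I would name the guard in the comment, e.g. `// CheckExpectStaple() returns early for UNKNOWN, so this status is never serialized into a report.` The switch continues past the end of the hunk.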
| @@ -803,9 +807,11 @@ void TransportSecurityState::CheckExpectStaple( |
| if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state)) |
| return; |
| - // No report needed if a stapled OCSP response was provided. |
| - if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED && |
| - ssl_info.ocsp_result.revocation_status == OCSPRevocationStatus::GOOD) { |
| + // No report needed if OCSP details were not checked on this |
| + // connection, or if a stapled OCSP response was provided. |
| + if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::UNKNOWN || |
| + (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED && |
| + ssl_info.ocsp_result.revocation_status == OCSPRevocationStatus::GOOD)) { |
|
Ryan Sleevi
2016/12/21 01:35:29
suggestion: I would actually break these into two
estark
2016/12/21 17:53:12
Done.
|
| return; |
| } |
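Review bot: Treating `OCSPVerifyResult::UNKNOWN` as "no report needed" makes the Expect-Staple reporting path fail quietly. Any connection whose `ocsp_result.response_status` is left at `UNKNOWN` produces no report for a host that opted in, and that presumably includes a verification path that never fills the field in. The new comment should say which connections are expected to leave the status `UNKNOWN`, so a later reader can tell intended suppression from a verifier that stopped populating the result, for instance `// UNKNOWN: OCSP was not evaluated for this connection (list the cases); nothing to report.` No test is visible on this page; one asserting that `UNKNOWN` sends no report while `MISSING` still does would pin the behavior. `CheckExpectStaple` begins and ends outside the hunk.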