
Unified Diff: components/certificate_transparency/single_tree_tracker.h

Issue 2668803004: Certificate Transparency: Discard entries pending auditing on network change (Closed)
Patch Set: Merging with master Created 3 years, 10 months ago
Index: components/certificate_transparency/single_tree_tracker.h
diff --git a/components/certificate_transparency/single_tree_tracker.h b/components/certificate_transparency/single_tree_tracker.h
index 16342e1b1ee8cbaae375cec55b361ec28160997a..a3ca1be23f5edf99752cc9cbdc194000ecd0dbb4 100644
--- a/components/certificate_transparency/single_tree_tracker.h
+++ b/components/certificate_transparency/single_tree_tracker.h
@@ -14,6 +14,7 @@
#include "base/memory/ref_counted.h"
#include "base/memory/weak_ptr.h"
#include "net/base/hash_value.h"
+#include "net/base/network_change_notifier.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/signed_tree_head.h"
#include "net/cert/sth_observer.h"
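Review bot: The added `#include "net/base/network_change_notifier.h"` looks unnecessary in this header, because the later hunks use only a forward-declared nested `NetworkObserver` held through `std::unique_ptr`. If the observer is defined in single_tree_tracker.cc, as the forward declaration suggests, the include can move there so that files including this header do not pull in the notifier. The .cc is not visible here, so confirm nothing else in the header needs a complete notifier type.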
@@ -113,6 +114,8 @@ class SingleTreeTracker : public net::CTVerifier::Observer,
struct EntryToAudit;
struct EntryAuditState;
struct EntryAuditResult {};
+ class NetworkObserver;
+ friend class NetworkObserver;
// Less-than comparator that sorts EntryToAudits based on the SCT timestamp,
// with smaller (older) SCTs appearing less than larger (newer) SCTs.
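Review bot: `friend class NetworkObserver;` is redundant. Since C++11 a nested class is a member of its enclosing class and already has access to SingleTreeTracker's private members, including the `ResetPendingQueue()` added in a later hunk. Keeping only `class NetworkObserver;` is enough and avoids implying the observer is an unrelated type that needs extra access. The class definition starts and ends outside this hunk.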
@@ -140,6 +143,12 @@ class SingleTreeTracker : public net::CTVerifier::Observer,
// has not been observed.
void OnAuditProofObtained(const EntryToAudit& entry, int net_error);
+ // Discards all entries pending inclusion check on network change.
+ // That is done to prevent the client looking up inclusion proofs for
+ // certificates received from one network, on another network, thus
+ // leaking state between networks.
+ void ResetPendingQueue();
+
// Clears entries to reduce memory overhead.
void OnMemoryPressure(
base::MemoryPressureListener::MemoryPressureLevel memory_pressure_level);
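Review bot: The comment on `ResetPendingQueue()` does not say what happens to inclusion-proof lookups already in flight when the network changes. `OnAuditProofObtained()` directly above can presumably still fire for an entry requested on the previous network, so the contract should state whether such requests are cancelled and whether late results are ignored. Otherwise the cross-network leak the comment describes may be only partly closed. A possible addition is `// Entries whose proof was already requested are dropped too; a late OnAuditProofObtained() for them is a no-op.`, adjusted to what the .cc actually does, which is not visible here. Naming the notification that triggers the reset would also help readers judge the coverage.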
@@ -173,6 +182,8 @@ class SingleTreeTracker : public net::CTVerifier::Observer,
net::NetLogWithSource net_log_;
+ std::unique_ptr<NetworkObserver> network_observer_;
+
base::WeakPtrFactory<SingleTreeTracker> weak_factory_;
DISALLOW_COPY_AND_ASSIGN(SingleTreeTracker);
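Review bot: `network_observer_` has no comment, although its lifetime relative to the tracker is what keeps the reset safe. Something like `// Calls ResetPendingQueue() on network change; owned by and never outlives |this|.` would document it. Declaring it before `weak_factory_` correctly keeps the factory as the last member. It is worth confirming in the .cc that the observer unregisters from the notifier in its destructor, so no notification can reach a partially destroyed tracker.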