Check Expect-CT at connection setup

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 #include <vector>
@@ skipping 843 matching lines @@
   PKPState static_pkp_state;
   if (GetStaticDomainState(host, &unused, &static_pkp_state)) {
     if (static_pkp_state.HasPublicKeyPins())
       return true;
   }
 
   return false;
 }
 
 bool TransportSecurityState::ShouldRequireCT(
-    const std::string& hostname,
+    const net::HostPortPair& host_port_pair,
+    bool is_issued_by_known_root,
+    const HashValueVector& public_key_hashes,
     const X509Certificate* validated_certificate_chain,
-    const HashValueVector& public_key_hashes) {
+    const X509Certificate* served_certificate_chain,
+    const SignedCertificateTimestampAndStatusList&
+        signed_certificate_timestamps,
+    const ExpectCTReportStatus report_status) {
   using CTRequirementLevel = RequireCTDelegate::CTRequirementLevel;
+  std::string hostname = host_port_pair.host();
+
+  // Check Expect-CT first so that other CT requirements do not prevent
+  // Expect-CT reports from being sent.
+  ExpectCTState state;
+  if (is_issued_by_known_root && IsDynamicExpectCTEnabled() &&
+      GetDynamicExpectCTState(hostname, &state)) {
+    if (expect_ct_reporter_ && !state.report_uri.is_empty() &&
+        report_status == ENABLE_EXPECT_CT_REPORTS) {
+      expect_ct_reporter_->OnExpectCTFailed(
+          host_port_pair, state.report_uri, served_certificate_chain,
+          validated_certificate_chain, signed_certificate_timestamps);
+    }
+    if (state.enforce)
+      return true;
+  }
 
   CTRequirementLevel ct_required = CTRequirementLevel::DEFAULT;
   if (require_ct_delegate_)
     ct_required = require_ct_delegate_->IsCTRequiredForHost(hostname);
   if (ct_required != CTRequirementLevel::DEFAULT)
     return ct_required == CTRequirementLevel::REQUIRED;
 
   // Allow unittests to override the default result.
   if (g_ct_required_for_testing)
     return g_ct_required_for_testing == 1;
@@ skipping 528 matching lines @@
       return;
     if (!ssl_info.is_issued_by_known_root)
       return;
     if (!ssl_info.ct_compliance_details_available)
       return;
     if (ssl_info.ct_cert_policy_compliance ==
         ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)
       return;
     ExpectCTState state;
     if (GetStaticExpectCTState(host_port_pair.host(), &state)) {
-      expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri,
-                                            ssl_info);
+      expect_ct_reporter_->OnExpectCTFailed(
+          host_port_pair, state.report_uri, ssl_info.unverified_cert.get(),
+          ssl_info.cert.get(), ssl_info.signed_certificate_timestamps);
     }
     return;
   }
 
   // Otherwise, see if the site has sent a valid Expect-CT header to dynamically
   // turn on reporting and/or enforcement.
   if (!IsDynamicExpectCTEnabled())
     return;
   base::Time now = base::Time::Now();
   base::TimeDelta max_age;
@@ skipping 12 matching lines @@
     ExpectCTState state;
     // If an Expect-CT header is observed over a non-compliant connection, the
     // site owner should be notified about the misconfiguration. If the site was
     // already opted in to Expect-CT, this report would have been sent at
     // connection setup time. If the host is not already a noted Expect-CT host,
     // however, the lack of CT compliance would not have been evaluated/reported
     // at connection setup time, so it needs to be reported here while
     // processing the header.
     if (expect_ct_reporter_ && !report_uri.is_empty() &&
         !GetDynamicExpectCTState(host_port_pair.host(), &state)) {
-      expect_ct_reporter_->OnExpectCTFailed(host_port_pair, report_uri,
-                                            ssl_info);
+      expect_ct_reporter_->OnExpectCTFailed(
+          host_port_pair, report_uri, ssl_info.unverified_cert.get(),
+          ssl_info.cert.get(), ssl_info.signed_certificate_timestamps);
     }
     return;
   }
   AddExpectCTInternal(host_port_pair.host(), now, now + max_age, enforce,
                       report_uri);
 }
 
 // static
 void TransportSecurityState::SetShouldRequireCTForTesting(bool* required) {
   if (!required) {
@@ skipping 328 matching lines @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
     const TransportSecurityState& state)
     : iterator_(state.enabled_pkp_hosts_.begin()),
       end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 }  // namespace