Check Expect-CT at connection setup

net/http/transport_security_state.h

Index: net/http/transport_security_state.h
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index f2d182c901031b6ed833c0f30a014c610d309048..f9364e6c15682a8f29d022c33f4865924994ac65 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -20,11 +20,16 @@
 #include "net/base/expiring_cache.h"
 #include "net/base/hash_value.h"
 #include "net/base/net_export.h"
+#include "net/cert/signed_certificate_timestamp_and_status.h"
 #include "net/http/transport_security_state_source.h"
 #include "url/gurl.h"
 
 namespace net {
 
+namespace ct {
+enum class CertPolicyCompliance;
+};
+
 class HostPortPair;
 class SSLInfo;
 class X509Certificate;
@@ -310,9 +315,13 @@ class NET_EXPORT TransportSecurityState
     // Called when the host in |host_port_pair| has opted in to have
     // reports about Expect CT policy violations sent to |report_uri|,
     // and such a violation has occurred.
-    virtual void OnExpectCTFailed(const net::HostPortPair& host_port_pair,
-                                  const GURL& report_uri,
-                                  const net::SSLInfo& ssl_info) = 0;
+    virtual void OnExpectCTFailed(
+        const net::HostPortPair& host_port_pair,
+        const GURL& report_uri,
+        const X509Certificate* validated_certificate_chain,
+        const X509Certificate* served_certificate_chain,
+        const SignedCertificateTimestampAndStatusList&
+            signed_certificate_timestamps) = 0;
 
    protected:
     virtual ~ExpectCTReporter() {}
@@ -322,6 +331,13 @@ class NET_EXPORT TransportSecurityState
   // report if a violation is detected.
   enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS };
 
+  // Indicates whether or not an Expect-CT check should send a report if a
+  // violation is detected.
+  enum ExpectCTReportStatus {
+    ENABLE_EXPECT_CT_REPORTS,
+    DISABLE_EXPECT_CT_REPORTS
+  };
+
   // Feature that controls whether Expect-CT HTTP headers are parsed, processed,
   // and stored.
   static const base::Feature kDynamicExpectCTFeature;
@@ -361,16 +377,29 @@ class NET_EXPORT TransportSecurityState
                          const SSLInfo& ssl_info,
                          base::StringPiece ocsp_response);
 
-  // Returns true if connections to |host|, using the validated certificate
-  // |validated_certificate_chain|, are expected to be accompanied with
+  // Returns false if a connection violates CT policy requirements: that is, if
+  // a connection to |host|, using the validated certificate
+  // |validated_certificate_chain|, is expected to be accompanied with
   // valid Certificate Transparency information that complies with the
-  // connection's CTPolicyEnforcer.
+  // connection's CTPolicyEnforcer and |cert_policy_compliance| indicates that
+  // the connection does not comply.
   //
   // The behavior may be further be altered by setting a RequireCTDelegate
   // via |SetRequireCTDelegate()|.
-  bool ShouldRequireCT(const std::string& host,
-                       const X509Certificate* validated_certificate_chain,
-                       const HashValueVector& hashes);
+  //
+  // This method checks Expect-CT state for |host| if |issued_by_known_root| is
+  // true. If Expect-CT is configured for |host| and the connection is not
+  // compliant and |report_status| is ENABLE_EXPECT_CT_REPORTS, then a report
+  // will be sent.
+  bool CheckCTRequirements(const net::HostPortPair& host_port_pair,
+                           bool is_issued_by_known_root,
+                           const HashValueVector& public_key_hashes,
+                           const X509Certificate* validated_certificate_chain,
+                           const X509Certificate* served_certificate_chain,
+                           const SignedCertificateTimestampAndStatusList&
+                               signed_certificate_timestamps,
+                           const ExpectCTReportStatus report_status,
+                           ct::CertPolicyCompliance cert_policy_compliance);
 
   // Assign a |Delegate| for persisting the transport security state. If
   // |NULL|, state will not be persisted. The caller retains
@@ -527,7 +556,7 @@ class NET_EXPORT TransportSecurityState
                              const HostPortPair& host_port_pair,
                              const SSLInfo& ssl_info);
 
-  // For unit tests only; causes ShouldRequireCT() to return |*required|
+  // For unit tests only; causes CheckCTRequirements() to return |*required|

[mattm, 2017/05/04 01:57:11]

comment seems backwards now. (should require = true implies CheckCTRequirements
should return false)

[estark, 2017/05/04 04:03:25]

Fixed with new enum return value.

   // by default (that is, unless a RequireCTDelegate overrides). Set to
   // nullptr to reset.
   static void SetShouldRequireCTForTesting(bool* required);