Certificate Transparency: Threading the CT verifier into the SSL client socket.

net/socket/ssl_client_socket_nss.h

Index: net/socket/ssl_client_socket_nss.h
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index b41d28d74a8472ddbfb3635e72f1b5f47fc971e5..e7dfb47dc4c7b25cc8b34835e8a034f7f3cb8f14 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -24,6 +24,7 @@
 #include "net/base/net_log.h"
 #include "net/base/nss_memio.h"
 #include "net/cert/cert_verify_result.h"
+#include "net/cert/ct_verify_result.h"
 #include "net/cert/x509_certificate.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/ssl/server_bound_cert_service.h"
@@ -37,6 +38,7 @@ namespace net {
 
 class BoundNetLog;
 class CertVerifier;
+class CTVerifier;
 class ClientSocketHandle;
 class ServerBoundCertService;
 class SingleRequestCertVerifier;
@@ -115,6 +117,8 @@ class SSLClientSocketNSS : public SSLClientSocket {
     STATE_HANDSHAKE_COMPLETE,
     STATE_VERIFY_CERT,
     STATE_VERIFY_CERT_COMPLETE,
+    STATE_VERIFY_CT,
+    STATE_VERIFY_CT_COMPLETE,
   };
 
   int Init();
@@ -134,6 +138,8 @@ class SSLClientSocketNSS : public SSLClientSocket {
   int DoHandshakeComplete(int result);
   int DoVerifyCert(int result);
   int DoVerifyCertComplete(int result);
+  int DoVerifyCT(int result);
+  int DoVerifyCTComplete(int result);
 
   void LogConnectionTypeMetrics() const;
 
@@ -182,6 +188,9 @@ class SSLClientSocketNSS : public SSLClientSocket {
 
   TransportSecurityState* transport_security_state_;
 
+  ct::CTVerifyResult ct_verify_result_;
+  CTVerifier* cert_transparency_verifier_;

[wtc, 2013/11/26 01:47:23]

Nit: inside this class, I suggest we list these CT-related members right after
the CertVerifier-related members (lines 161-165).

[Eran M. (Google), 2013/11/26 14:45:53]

Done.

+
   // The following two variables are added for debugging bug 65948. Will
   // remove this code after fixing bug 65948.
   // Added the following code Debugging in release mode.