Recommit fraudulent certificate reporting infrastructure.

net/base/transport_security_state.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ecdsa.h>
 #include <openssl/ssl.h>
 #else  // !defined(USE_OPENSSL)
@@ skipping 826 matching lines @@
             hash++;
           }
         }
       }
       return true;
     }
   }
   return false;
 }
 
-// IsPreloadedSTS returns true if the canonicalized hostname should always be
-// considered to have STS enabled.
-bool TransportSecurityState::IsPreloadedSTS(
-    const std::string& canonicalized_host,
-    bool sni_available,
-    DomainState* out) {
-  DCHECK(CalledOnValidThread());
+// These hashes are base64 encodings of SHA1 hashes for cert public keys.
+static const char kCertPKHashVerisignClass3[] =
+      "sha1/4n972HfV354KP560yw4uqe/baXc=";
+static const char kCertPKHashVerisignClass3G3[] =
+      "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
+static const char kCertPKHashGoogle1024[] =
+      "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
+static const char kCertPKHashGoogle2048[] =
+      "sha1/AbkhxY0L343gKf+cki7NVWp+ozk=";
+static const char kCertPKHashEquifaxSecureCA[] =
+      "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
+static const char* const kGoogleAcceptableCerts[] = {
+  kCertPKHashVerisignClass3,
+  kCertPKHashVerisignClass3G3,
+  kCertPKHashGoogle1024,
+  kCertPKHashGoogle2048,
+  kCertPKHashEquifaxSecureCA,
+  NULL,
+};
 
-  out->preloaded = true;
-  out->mode = DomainState::MODE_STRICT;
-  out->include_subdomains = false;
+static const char kCertRapidSSL[] =
+    "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
+static const char kCertDigiCertEVRoot[] =
+    "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=";
+static const char kCertTor1[] =
+    "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y=";
+static const char kCertTor2[] =
+    "sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
+static const char kCertTor3[] =
+    "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
+static const char* const kTorAcceptableCerts[] = {
+  kCertRapidSSL,
+  kCertDigiCertEVRoot,
+  kCertTor1,
+  kCertTor2,
+  kCertTor3,
+  NULL,
+};
 
-  // These hashes are base64 encodings of SHA1 hashes for cert public keys.
-  static const char kCertPKHashVerisignClass3[] =
-      "sha1/4n972HfV354KP560yw4uqe/baXc=";
-  static const char kCertPKHashVerisignClass3G3[] =
-      "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
-  static const char kCertPKHashGoogle1024[] =
-      "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
-  static const char kCertPKHashGoogle2048[] =
-      "sha1/AbkhxY0L343gKf+cki7NVWp+ozk=";
-  static const char kCertPKHashEquifaxSecureCA[] =
-      "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
-  static const char* const kGoogleAcceptableCerts[] = {
-    kCertPKHashVerisignClass3,
-    kCertPKHashVerisignClass3G3,
-    kCertPKHashGoogle1024,
-    kCertPKHashGoogle2048,
-    kCertPKHashEquifaxSecureCA,
-    0,
-  };
-
-  static const char kCertRapidSSL[] =
-    "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
-  static const char kCertDigiCertEVRoot[] =
-    "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=";
-  static const char kCertTor1[] =
-    "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y=";
-  static const char kCertTor2[] =
-    "sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
-  static const char kCertTor3[] =
-    "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
-  static const char* const kTorAcceptableCerts[] = {
-    kCertRapidSSL,
-    kCertDigiCertEVRoot,
-    kCertTor1,
-    kCertTor2,
-    kCertTor3,
-    0,
-  };
-
-  static const char kCertVerisignClass1[] =
+static const char kCertVerisignClass1[] =
     "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc=";
-  static const char kCertVerisignClass3[] =
+static const char kCertVerisignClass3[] =
     "sha1/4n972HfV354KP560yw4uqe/baXc=";
-  static const char kCertVerisignClass3_G4[] =
+static const char kCertVerisignClass3_G4[] =
     "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA=";
-  static const char kCertVerisignClass4_G3[] =
+static const char kCertVerisignClass4_G3[] =
     "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0=";
-  static const char kCertVerisignClass3_G3[] =
+static const char kCertVerisignClass3_G3[] =
     "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
-  static const char kCertVerisignClass1_G3[] =
+static const char kCertVerisignClass1_G3[] =
     "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU=";
-  static const char kCertVerisignClass2_G3[] =
+static const char kCertVerisignClass2_G3[] =
     "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM=";
-  static const char kCertVerisignClass3_G2[] =
+static const char kCertVerisignClass3_G2[] =
     "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ=";
-  static const char kCertVerisignClass2_G2[] =
+static const char kCertVerisignClass2_G2[] =
     "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw=";
-  static const char kCertVerisignClass3_G5[] =
+static const char kCertVerisignClass3_G5[] =
     "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc=";
-  static const char kCertVerisignUniversal[] =
+static const char kCertVerisignUniversal[] =
     "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0=";
 
-  static const char kCertTwitter1[] =
+static const char kCertTwitter1[] =
     "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40=";
 
-  static const char kCertGeoTrustGlobal[] =
+static const char kCertGeoTrustGlobal[] =
     "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
-  static const char kCertGeoTrustGlobal2[] =
+static const char kCertGeoTrustGlobal2[] =
     "sha1/cTg28gIxU0crbrplRqkQFVggBQk=";
-  static const char kCertGeoTrustUniversal[] =
+static const char kCertGeoTrustUniversal[] =
     "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI=";
-  static const char kCertGeoTrustUniversal2[] =
+static const char kCertGeoTrustUniversal2[] =
     "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s=";
-  static const char kCertGeoTrustPrimary[] =
+static const char kCertGeoTrustPrimary[] =
     "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo=";
-  static const char kCertGeoTrustPrimaryG2[] =
+static const char kCertGeoTrustPrimaryG2[] =
     "sha1/vb6nG6txV/nkddlU0rcngBqCJoI=";
-  static const char kCertGeoTrustPrimaryG3[] =
+static const char kCertGeoTrustPrimaryG3[] =
     "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY=";
 
-  static const char* const kTwitterComAcceptableCerts[] = {
-    kCertVerisignClass1,
-    kCertVerisignClass3,
-    kCertVerisignClass3_G4,
-    kCertVerisignClass4_G3,
-    kCertVerisignClass3_G3,
-    kCertVerisignClass1_G3,
-    kCertVerisignClass2_G3,
-    kCertVerisignClass3_G2,
-    kCertVerisignClass2_G2,
-    kCertVerisignClass3_G5,
-    kCertVerisignUniversal,
-    kCertGeoTrustGlobal,
-    kCertGeoTrustGlobal2,
-    kCertGeoTrustUniversal,
-    kCertGeoTrustUniversal2,
-    kCertGeoTrustPrimary,
-    kCertGeoTrustPrimaryG2,
-    kCertGeoTrustPrimaryG3,
-    kCertTwitter1,
-    0,
-  };
+static const char* const kTwitterComAcceptableCerts[] = {
+  kCertVerisignClass1,
+  kCertVerisignClass3,
+  kCertVerisignClass3_G4,
+  kCertVerisignClass4_G3,
+  kCertVerisignClass3_G3,
+  kCertVerisignClass1_G3,
+  kCertVerisignClass2_G3,
+  kCertVerisignClass3_G2,
+  kCertVerisignClass2_G2,
+  kCertVerisignClass3_G5,
+  kCertVerisignUniversal,
+  kCertGeoTrustGlobal,
+  kCertGeoTrustGlobal2,
+  kCertGeoTrustUniversal,
+  kCertGeoTrustUniversal2,
+  kCertGeoTrustPrimary,
+  kCertGeoTrustPrimaryG2,
+  kCertGeoTrustPrimaryG3,
+  kCertTwitter1,
+  NULL,
+};
 
-  // kTestAcceptableCerts doesn't actually match any public keys and is used
-  // with "pinningtest.appspot.com", below, to test if pinning is active.
-  static const char* const kTestAcceptableCerts[] = {
-    "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
-  };
+// kTestAcceptableCerts doesn't actually match any public keys and is used
+// with "pinningtest.appspot.com", below, to test if pinning is active.
+static const char* const kTestAcceptableCerts[] = {
+  "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+};
 
 #if defined(OS_CHROMEOS)
   static const bool kTwitterHSTS = true;
 #else
   static const bool kTwitterHSTS = false;
 #endif
 
-  // In the medium term this list is likely to just be hardcoded here. This,
-  // slightly odd, form removes the need for additional relocations records.
-  static const struct HSTSPreload kPreloadedSTS[] = {
-    // (*.)google.com, iff using SSL must use an acceptable certificate.
-    {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
-    {25, true, "\013pinningtest\007appspot\003com", false,
-     kTestAcceptableCerts },
-    // Now we force HTTPS for subtrees of google.com.
-    {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
-    {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
-    {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
-    {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
-    {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
-    {25, true, "\014spreadsheets\006google\003com", true,
-     kGoogleAcceptableCerts },
-    {22, false, "\011appengine\006google\003com", true,
-     kGoogleAcceptableCerts },
-    {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
-    {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
-    {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
-    {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
-    {23, true, "\012talkgadget\006google\003com", true,
-     kGoogleAcceptableCerts },
-    {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
-    {29, true, "\020hostedtalkgadget\006google\003com", true,
-     kGoogleAcceptableCerts },
-    {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
-    // Other Google-related domains that must use HTTPS.
-    {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
-    {26, true, "\003ssl\020google-analytics\003com", true,
-     kGoogleAcceptableCerts },
-    {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
-    {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
-    // Other Google-related domains that must use an acceptable certificate
-    // iff using SSL.
-    {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
-    {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
-    {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
-    {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
-    {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
-    {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
-    {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
-    {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
-    {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
-    {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
-    // Exclude the learn.doubleclick.net subdomain because it uses a different
-    // CA.
-    {23, true, "\005learn\013doubleclick\003net", false, 0 },
-    // Now we force HTTPS for other sites that have requested it.
-    {16, false, "\003www\006paypal\003com", true, 0 },
-    {16, false, "\003www\006elanex\003biz", true, 0 },
-    {12, true,  "\006jottit\003com", true, 0 },
-    {19, true,  "\015sunshinepress\003org", true, 0 },
-    {21, false, "\003www\013noisebridge\003net", true, 0 },
-    {10, false, "\004neg9\003org", true, 0 },
-    {12, true, "\006riseup\003net", true, 0 },
-    {11, false, "\006factor\002cc", true, 0 },
-    {22, false, "\007members\010mayfirst\003org", true, 0 },
-    {22, false, "\007support\010mayfirst\003org", true, 0 },
-    {17, false, "\002id\010mayfirst\003org", true, 0 },
-    {20, false, "\005lists\010mayfirst\003org", true, 0 },
-    {19, true, "\015splendidbacon\003com", true, 0 },
-    {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
-    {14, true, "\011ottospora\002nl", true, 0 },
-    {25, false, "\003www\017paycheckrecords\003com", true, 0 },
-    {14, false, "\010lastpass\003com", true, 0 },
-    {18, false, "\003www\010lastpass\003com", true, 0 },
-    {14, true, "\010keyerror\003com", true, 0 },
-    {13, false, "\010entropia\002de", true, 0 },
-    {17, false, "\003www\010entropia\002de", true, 0 },
-    {11, true, "\005romab\003com", true, 0 },
-    {16, false, "\012logentries\003com", true, 0 },
-    {20, false, "\003www\012logentries\003com", true, 0 },
-    {12, true, "\006stripe\003com", true, 0 },
-    {27, true, "\025cloudsecurityalliance\003org", true, 0 },
-    {15, true, "\005login\004sapo\002pt", true, 0 },
-    {19, true, "\015mattmccutchen\003net", true, 0 },
-    {11, true, "\006betnet\002fr", true, 0 },
-    {13, true, "\010uprotect\002it", true, 0 },
-    {14, false, "\010squareup\003com", true, 0 },
-    {9, true, "\004cert\002se", true, 0 },
-    {11, true, "\006crypto\002is", true, 0 },
-    {20, true, "\005simon\007butcher\004name", true, 0 },
-    {10, true, "\004linx\003net", true, 0 },
-    {13, false, "\007dropcam\003com", true, 0 },
-    {17, false, "\003www\007dropcam\003com", true, 0 },
-    {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
-    {13, false, "\007epoxate\003com", true, 0 },
-    {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
-    {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
-    {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
-    {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
-    {22, true, "\003www\014moneybookers\003com", true, 0 },
-    {17, false, "\013ledgerscope\003net", true, 0 },
-    {21, false, "\003www\013ledgerscope\003net", true, 0 },
-    {10, false, "\004kyps\003net", true, 0 },
-    {14, false, "\003www\004kyps\003net", true, 0 },
-    {17, true, "\003app\007recurly\003com", true, 0 },
-    {17, true, "\003api\007recurly\003com", true, 0 },
-    {13, false, "\007greplin\003com", true, 0 },
-    {17, false, "\003www\007greplin\003com", true, 0 },
-    {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
-    {12, true, "\006ubertt\003org", true, 0 },
-
-    {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-    {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-    {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-    {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-    {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-    {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-    {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+// In the medium term this list is likely to just be hardcoded here. This
+// slightly odd form removes the need for additional relocations records.
+static const struct HSTSPreload kPreloadedSTS[] = {
+  // (*.)google.com, iff using SSL must use an acceptable certificate.
+  {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
+  {25, true, "\013pinningtest\007appspot\003com", false,
+      kTestAcceptableCerts },
+  // Now we force HTTPS for subtrees of google.com.
+  {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
+  {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
+  {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
+  {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
+  {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
+  {25, true, "\014spreadsheets\006google\003com", true,
+      kGoogleAcceptableCerts },
+  {22, false, "\011appengine\006google\003com", true,
+      kGoogleAcceptableCerts },
+  {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
+  {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
+  {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
+  {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
+  {23, true, "\012talkgadget\006google\003com", true,
+      kGoogleAcceptableCerts },
+  {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
+  {29, true, "\020hostedtalkgadget\006google\003com", true,
+      kGoogleAcceptableCerts },
+  {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
+  // Other Google-related domains that must use HTTPS.
+  {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
+  {26, true, "\003ssl\020google-analytics\003com", true,
+      kGoogleAcceptableCerts },
+  {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
+  {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
+  // Other Google-related domains that must use an acceptable certificate
+  // iff using SSL.
+  {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
+  {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
+  {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
+  {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
+  {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
+  {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
+  {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
+  {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
+  {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
+  {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
+  // Exclude the learn.doubleclick.net subdomain because it uses a different
+  // CA.
+  {23, true, "\005learn\013doubleclick\003net", false, 0 },
+  // Now we force HTTPS for other sites that have requested it.
+  {16, false, "\003www\006paypal\003com", true, 0 },
+  {16, false, "\003www\006elanex\003biz", true, 0 },
+  {12, true,  "\006jottit\003com", true, 0 },
+  {19, true,  "\015sunshinepress\003org", true, 0 },
+  {21, false, "\003www\013noisebridge\003net", true, 0 },
+  {10, false, "\004neg9\003org", true, 0 },
+  {12, true, "\006riseup\003net", true, 0 },
+  {11, false, "\006factor\002cc", true, 0 },
+  {22, false, "\007members\010mayfirst\003org", true, 0 },
+  {22, false, "\007support\010mayfirst\003org", true, 0 },
+  {17, false, "\002id\010mayfirst\003org", true, 0 },
+  {20, false, "\005lists\010mayfirst\003org", true, 0 },
+  {19, true, "\015splendidbacon\003com", true, 0 },
+  {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
+  {14, true, "\011ottospora\002nl", true, 0 },
+  {25, false, "\003www\017paycheckrecords\003com", true, 0 },
+  {14, false, "\010lastpass\003com", true, 0 },
+  {18, false, "\003www\010lastpass\003com", true, 0 },
+  {14, true, "\010keyerror\003com", true, 0 },
+  {13, false, "\010entropia\002de", true, 0 },
+  {17, false, "\003www\010entropia\002de", true, 0 },
+  {11, true, "\005romab\003com", true, 0 },
+  {16, false, "\012logentries\003com", true, 0 },
+  {20, false, "\003www\012logentries\003com", true, 0 },
+  {12, true, "\006stripe\003com", true, 0 },
+  {27, true, "\025cloudsecurityalliance\003org", true, 0 },
+  {15, true, "\005login\004sapo\002pt", true, 0 },
+  {19, true, "\015mattmccutchen\003net", true, 0 },
+  {11, true, "\006betnet\002fr", true, 0 },
+  {13, true, "\010uprotect\002it", true, 0 },
+  {14, false, "\010squareup\003com", true, 0 },
+  {9, true, "\004cert\002se", true, 0 },
+  {11, true, "\006crypto\002is", true, 0 },
+  {20, true, "\005simon\007butcher\004name", true, 0 },
+  {10, true, "\004linx\003net", true, 0 },
+  {13, false, "\007dropcam\003com", true, 0 },
+  {17, false, "\003www\007dropcam\003com", true, 0 },
+  {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
+  {13, false, "\007epoxate\003com", true, 0 },
+  {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
+  {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
+  {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
+  {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
+  {22, true, "\003www\014moneybookers\003com", true, 0 },
+  {17, false, "\013ledgerscope\003net", true, 0 },
+  {21, false, "\003www\013ledgerscope\003net", true, 0 },
+  {10, false, "\004kyps\003net", true, 0 },
+  {14, false, "\003www\004kyps\003net", true, 0 },
+  {17, true, "\003app\007recurly\003com", true, 0 },
+  {17, true, "\003api\007recurly\003com", true, 0 },
+  {13, false, "\007greplin\003com", true, 0 },
+  {17, false, "\003www\007greplin\003com", true, 0 },
+  {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
+  {12, true, "\006ubertt\003org", true, 0 },
+
+  {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+  {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+  {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+  {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+  {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+  {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+  {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
 
 #if 0
-    // Twitter CDN pins disabled in order to track down pinning failures --agl
-    {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
-    {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
-    {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
+  // Twitter CDN pins disabled in order to track down pinning failures --agl
+  {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
+  {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
+  {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
 #endif
-  };
-  static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
-
-  static const struct HSTSPreload kPreloadedSNISTS[] = {
-    // These SNI-only domains must always use HTTPS.
-    {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
-    {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
-    {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
-    {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
-    // These SNI-only domains must use an acceptable certificate iff using
-    // HTTPS.
-    {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
-    // www. requires SNI.
-    {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
-  };
-  static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
+};
+static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
+
+static const struct HSTSPreload kPreloadedSNISTS[] = {
+  // These SNI-only domains must always use HTTPS.
+  {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
+  {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
+  {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
+  {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
+  // These SNI-only domains must use an acceptable certificate iff using
+  // HTTPS.
+  {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
+  // www. requires SNI.
+  {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
+};
+static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
+
+// Returns true if there is an HSTSPreload entry for the host in |entries|, and
+// if its |required_hashes| member is identical (by address) to |certs|.
+static bool ScanForHostAndCerts(
+    const std::string& canonicalized_host,
+    const struct HSTSPreload* entries,
+    size_t num_entries,
+    const char* const certs[]) {
+  bool hit = false;
+
+  for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
+    for (size_t j = 0; j < num_entries; j++) {
+      const struct HSTSPreload& entry = entries[j];
+
+      if (i != 0 && !entry.include_subdomains)
+        continue;
+
+      if (entry.length == canonicalized_host.size() - i &&
+          memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) {
+        hit = entry.required_hashes == certs;
+        // Return immediately upon exact match:
+        if (i == 0)
+          return hit;
+      }
+    }
+  }
+
+  return hit;
+}
+
+// static
+bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
+                                                    bool sni_available) {
+  std::string canonicalized_host = CanonicalizeHost(host);
+
+  if (ScanForHostAndCerts(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS,
+                          kGoogleAcceptableCerts)) {
+    return true;
+  }
+
+  if (sni_available) {
+    if (ScanForHostAndCerts(canonicalized_host, kPreloadedSNISTS, kNumPreloadedSNISTS,
+                            kGoogleAcceptableCerts)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+
+// IsPreloadedSTS returns true if the canonicalized hostname should always be
+// considered to have STS enabled.
+bool TransportSecurityState::IsPreloadedSTS(
+    const std::string& canonicalized_host,
+    bool sni_available,
+    DomainState* out) {
+  DCHECK(CalledOnValidThread());
+
+  out->preloaded = true;
+  out->mode = DomainState::MODE_STRICT;
+  out->include_subdomains = false;
 
   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
     std::string host_sub_chunk(&canonicalized_host[i],
                                canonicalized_host.size() - i);
     out->domain = DNSDomainToString(host_sub_chunk);
     std::string hashed_host(HashHost(host_sub_chunk));
     if (forced_hosts_.find(hashed_host) != forced_hosts_.end()) {
       *out = forced_hosts_[hashed_host];
       out->domain = DNSDomainToString(host_sub_chunk);
       out->preloaded = true;
@@ skipping 54 matching lines @@
   }
 
   LOG(ERROR) << "Rejecting public key chain for domain " << domain
              << ". Validated chain: " << HashesToBase64String(hashes)
              << ", expected: " << HashesToBase64String(public_key_hashes);
 
   return false;
 }
 
 }  // namespace