Report second-level domains for UMA on pin failure.

net/base/transport_security_state.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ecdsa.h>
 #include <openssl/ssl.h>
 #else  // !defined(USE_OPENSSL)
 #include <nspr.h>
 
 #include <cryptohi.h>
 #include <hasht.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 #endif
 
 #include "base/base64.h"
 #include "base/json/json_reader.h"
 #include "base/json/json_writer.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/metrics/histogram.h"
 #include "base/sha1.h"
 #include "base/string_number_conversions.h"
 #include "base/string_tokenizer.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
 #include "base/values.h"
 #include "crypto/sha2.h"
 #include "googleurl/src/gurl.h"
 #include "net/base/dns_util.h"
 
 #if defined(USE_OPENSSL)
 #include "crypto/openssl_util.h"
 #endif
 
 namespace net {
 
+static const char kPinFailure[] = "SSL.PinFailure";

[wtc, 2011/10/25 00:49:57]

Same here: please clarify what kind of pin failure this is.

+
 const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365;  // 1 year
 
 TransportSecurityState::TransportSecurityState(const std::string& hsts_hosts)
     : delegate_(NULL) {
   if (!hsts_hosts.empty()) {
     bool dirty;
     Deserialise(hsts_hosts, &dirty, &forced_hosts_);
   }
 }
 
@@ skipping 191 matching lines @@
         if (!LowerCaseEqualsASCII(tokenizer.token(), "max-age"))
           return false;
         state = AFTER_MAX_AGE_LABEL;
         break;
 
       case AFTER_MAX_AGE_LABEL:
         if (IsAsciiWhitespace(*tokenizer.token_begin()))
           continue;
         if (*tokenizer.token_begin() != '=')
           return false;
-        DCHECK(tokenizer.token().length() ==  1);
+        DCHECK(tokenizer.token().length() == 1);

[wtc, 2011/10/25 00:49:57]

Nit: it may be better to use DCHECK_EQ.  If you use DCHECK_EQ,
the constant 1 may need to be unsigned 1U.

         state = AFTER_MAX_AGE_EQUALS;
         break;
 
       case AFTER_MAX_AGE_EQUALS:
         if (IsAsciiWhitespace(*tokenizer.token_begin()))
           continue;
         if (!MaxAgeToInt(tokenizer.token_begin(),
                          tokenizer.token_end(),
                          &max_age_candidate))
           return false;
@@ skipping 538 matching lines @@
     // step 3(b)
     if (new_host[i + 1] == '-' ||
         new_host[i + label_length] == '-') {
       return std::string();
     }
   }
 
   return new_host;
 }
 
+typedef enum {

[wtc, 2011/10/25 00:49:57]

Can you document what this enum is for?

I guess the values of the constants in this enum must not
change.  If so, please document that.

[agl, 2011/10/25 15:00:01]

This typeful is significantly larger than the set of hosts for which we have
pinning. Since we wouldn't accept most of these hosts for pinning in any case,
is there any point in including them now?

+  DOMAIN_GOOGLE_COM = 0,

[wtc, 2011/10/25 00:49:57]

Unless our Style Guide requires this, it is not necessary
to initialize the first enum constant to 0 because that is
the default.

+  DOMAIN_ANDROID_COM,
+  DOMAIN_GOOGLE_ANALYTICS_COM,
+  DOMAIN_GOOGLEPLEX_COM,
+  DOMAIN_YTIMG_COM,
+  DOMAIN_GOOGLEUSERCONTENT_COM,
+  DOMAIN_YOUTUBE_COM,
+  DOMAIN_GOOGLEAPIS_COM,
+  DOMAIN_GOOGLEADSERVICES_COM,
+  DOMAIN_GOOGLECODE_COM,
+  DOMAIN_APPSPOT_COM,
+  DOMAIN_GOOGLESYNDICATION_COM,
+  DOMAIN_DOUBLECLICK_NET,
+  DOMAIN_GSTATIC_COM,
+  DOMAIN_GMAIL_COM,
+  DOMAIN_GOOGLEMAIL_COM,
+  DOMAIN_GOOGLEGROUPS_COM,
+
+  DOMAIN_PAYPAL_COM,
+  DOMAIN_ELANEX_BIZ,
+  DOMAIN_JOTTIT_COM,
+  DOMAIN_SUNSHINEPRESS_ORG,
+  DOMAIN_NOISEBRIDGE_NET,
+  DOMAIN_NEG9_ORG,
+  DOMAIN_RISEUP_NET,
+  DOMAIN_FACTOR_CC,
+  DOMAIN_MAYFIRST_ORG,
+  DOMAIN_SPLENDIDBACON_COM,
+  DOMAIN_OTTOSPORA_NL,
+  DOMAIN_PAYCHECKRECORDS_COM,
+  DOMAIN_LASTPASS_COM,
+  DOMAIN_KEYERROR_COM,
+  DOMAIN_ENTROPIA_DE,
+  DOMAIN_ROMAB_COM,
+  DOMAIN_LOGENTRIES_COM,
+  DOMAIN_STRIPE_COM,
+  DOMAIN_CLOUDSECURITYALLIANCE_ORG,
+  DOMAIN_SAPO_PT,
+  DOMAIN_MATTMCCUTCHEN_NET,
+  DOMAIN_BETNET_FR,
+  DOMAIN_UPROTECT_IT,
+  DOMAIN_SQUAREUP_COM,
+  DOMAIN_CERT_SE,
+  DOMAIN_CRYPTO_IS,
+  DOMAIN_BUTCHER_NAME,
+  DOMAIN_LINX_NET,
+  DOMAIN_DROPCAM_COM,
+  DOMAIN_INDOVINABANK_COM_VN,
+  DOMAIN_EPOXATE_COM,
+  DOMAIN_TORPROJECT_ORG,
+  DOMAIN_MONEYBOOKERS_COM,
+  DOMAIN_LEDGERSCOPE_NET,
+  DOMAIN_KYPS_NET,
+  DOMAIN_RECURLY_COM,
+  DOMAIN_GREPLIN_COM,
+  DOMAIN_NEARBUYSYSTEMS_COM,
+  DOMAIN_UBERTT_ORG,
+  DOMAIN_TWITTER_COM,
+  DOMAIN_TWIMG_COM,
+  DOMAIN_AKAMAIHD_NET,
+
+  // Boundary value for UMA_HISTOGRAM_ENUMERATION:
+  DOMAIN_NUM_EVENTS

[wtc, 2011/10/25 00:49:57]

NUM_EVENTS sounds strange because these aren't events.

+} LowResolutionDomainName;

[wtc, 2011/10/25 00:49:57]

  typedef enum {
    ...
  } LowResolutionDomainName;

is the C way.  In C++, you can simply say:

  enum LowResolutionDomainName {
    ...
  };

-- A C programmer

+
 struct HSTSPreload {
   uint8 length;
   bool include_subdomains;
   char dns_name[30];
   bool https_required;
   const char* const* required_hashes;
+  LowResolutionDomainName low_res_name;
 };
 
 static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
                        const std::string& canonicalized_host, size_t i,
                        TransportSecurityState::DomainState* out, bool* ret) {
   for (size_t j = 0; j < num_entries; j++) {
     if (entries[j].length == canonicalized_host.size() - i &&
         memcmp(entries[j].dns_name, &canonicalized_host[i],
                entries[j].length) == 0) {
       if (!entries[j].include_subdomains && i != 0) {
@@ skipping 130 matching lines @@
 #if defined(OS_CHROMEOS)
   static const bool kTwitterHSTS = true;
 #else
   static const bool kTwitterHSTS = false;
 #endif
 
 // In the medium term this list is likely to just be hardcoded here. This
 // slightly odd form removes the need for additional relocations records.
 static const struct HSTSPreload kPreloadedSTS[] = {
   // (*.)google.com, iff using SSL must use an acceptable certificate.
-  {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
+  {12, true, "\006google\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {25, true, "\013pinningtest\007appspot\003com", false,
-      kTestAcceptableCerts },
+      kTestAcceptableCerts, DOMAIN_APPSPOT_COM },
   // Now we force HTTPS for subtrees of google.com.
-  {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
-  {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
-  {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
-  {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
+  {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM  },
+  {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {25, true, "\014spreadsheets\006google\003com", true,
-      kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
   {22, false, "\011appengine\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
-  {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
+  {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {23, true, "\012talkgadget\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
+  {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {29, true, "\020hostedtalkgadget\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
+  {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   // Other Google-related domains that must use HTTPS.
-  {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
+  {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_ANDROID_COM },
   {26, true, "\003ssl\020google-analytics\003com", true,
-      kGoogleAcceptableCerts },
-  {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
-  {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
-  {19, true, "\006groups\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_ANALYTICS_COM },
+  {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEPLEX_COM },
+  {19, true, "\006groups\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   // Other Google-related domains that must use an acceptable certificate
   // iff using SSL.
-  {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
-  {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
-  {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
-  {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
-  {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
-  {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
-  {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
-  {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
-  {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
-  {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
+  {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_YTIMG_COM },
+  {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEUSERCONTENT_COM },
+  {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_YOUTUBE_COM },
+  {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEAPIS_COM },
+  {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEADSERVICES_COM },
+  {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLECODE_COM },
+  {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_APPSPOT_COM },
+  {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLESYNDICATION_COM },
+  {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts,
+      DOMAIN_DOUBLECLICK_NET },
+  {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GSTATIC_COM },
   // Exclude the learn.doubleclick.net subdomain because it uses a different
   // CA.
-  {23, true, "\005learn\013doubleclick\003net", false, 0 },
+  {23, true, "\005learn\013doubleclick\003net", false, 0,
+      DOMAIN_DOUBLECLICK_NET },
   // Now we force HTTPS for other sites that have requested it.
-  {16, false, "\003www\006paypal\003com", true, 0 },
-  {16, false, "\003www\006elanex\003biz", true, 0 },
-  {12, true,  "\006jottit\003com", true, 0 },
-  {19, true,  "\015sunshinepress\003org", true, 0 },
-  {21, false, "\003www\013noisebridge\003net", true, 0 },
-  {10, false, "\004neg9\003org", true, 0 },
-  {12, true, "\006riseup\003net", true, 0 },
-  {11, false, "\006factor\002cc", true, 0 },
-  {22, false, "\007members\010mayfirst\003org", true, 0 },
-  {22, false, "\007support\010mayfirst\003org", true, 0 },
-  {17, false, "\002id\010mayfirst\003org", true, 0 },
-  {20, false, "\005lists\010mayfirst\003org", true, 0 },
-  {19, true, "\015splendidbacon\003com", true, 0 },
-  {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
-  {14, true, "\011ottospora\002nl", true, 0 },
-  {25, false, "\003www\017paycheckrecords\003com", true, 0 },
-  {14, false, "\010lastpass\003com", true, 0 },
-  {18, false, "\003www\010lastpass\003com", true, 0 },
-  {14, true, "\010keyerror\003com", true, 0 },
-  {13, false, "\010entropia\002de", true, 0 },
-  {17, false, "\003www\010entropia\002de", true, 0 },
-  {11, true, "\005romab\003com", true, 0 },
-  {16, false, "\012logentries\003com", true, 0 },
-  {20, false, "\003www\012logentries\003com", true, 0 },
-  {12, true, "\006stripe\003com", true, 0 },
-  {27, true, "\025cloudsecurityalliance\003org", true, 0 },
-  {15, true, "\005login\004sapo\002pt", true, 0 },
-  {19, true, "\015mattmccutchen\003net", true, 0 },
-  {11, true, "\006betnet\002fr", true, 0 },
-  {13, true, "\010uprotect\002it", true, 0 },
-  {14, false, "\010squareup\003com", true, 0 },
-  {9, true, "\004cert\002se", true, 0 },
-  {11, true, "\006crypto\002is", true, 0 },
-  {20, true, "\005simon\007butcher\004name", true, 0 },
-  {10, true, "\004linx\003net", true, 0 },
-  {13, false, "\007dropcam\003com", true, 0 },
-  {17, false, "\003www\007dropcam\003com", true, 0 },
-  {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
-  {13, false, "\007epoxate\003com", true, 0 },
-  {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
-  {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
-  {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
-  {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
-  {22, true, "\003www\014moneybookers\003com", true, 0 },
-  {17, false, "\013ledgerscope\003net", true, 0 },
-  {21, false, "\003www\013ledgerscope\003net", true, 0 },
-  {10, false, "\004kyps\003net", true, 0 },
-  {14, false, "\003www\004kyps\003net", true, 0 },
-  {17, true, "\003app\007recurly\003com", true, 0 },
-  {17, true, "\003api\007recurly\003com", true, 0 },
-  {13, false, "\007greplin\003com", true, 0 },
-  {17, false, "\003www\007greplin\003com", true, 0 },
-  {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
-  {12, true, "\006ubertt\003org", true, 0 },
-
-  {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+  {16, false, "\003www\006paypal\003com", true, 0, DOMAIN_PAYPAL_COM },
+  {16, false, "\003www\006elanex\003biz", true, 0, DOMAIN_ELANEX_BIZ },
+  {12, true,  "\006jottit\003com", true, 0, DOMAIN_JOTTIT_COM },
+  {19, true,  "\015sunshinepress\003org", true, 0, DOMAIN_SUNSHINEPRESS_ORG },
+  {21, false, "\003www\013noisebridge\003net", true, 0,
+      DOMAIN_NOISEBRIDGE_NET },
+  {10, false, "\004neg9\003org", true, 0, DOMAIN_NEG9_ORG },
+  {12, true, "\006riseup\003net", true, 0, DOMAIN_RISEUP_NET },
+  {11, false, "\006factor\002cc", true, 0,
+      DOMAIN_FACTOR_CC },
+  {22, false, "\007members\010mayfirst\003org", true, 0, DOMAIN_MAYFIRST_ORG },
+  {22, false, "\007support\010mayfirst\003org", true, 0, DOMAIN_MAYFIRST_ORG },
+  {17, false, "\002id\010mayfirst\003org", true, 0, DOMAIN_MAYFIRST_ORG },
+  {20, false, "\005lists\010mayfirst\003org", true, 0, DOMAIN_MAYFIRST_ORG },
+  {19, true, "\015splendidbacon\003com", true, 0, DOMAIN_SPLENDIDBACON_COM },
+  {28, false, "\016aladdinschools\007appspot\003com", true, 0,
+      DOMAIN_APPSPOT_COM },
+  {14, true, "\011ottospora\002nl", true, 0, DOMAIN_OTTOSPORA_NL },
+  {25, false, "\003www\017paycheckrecords\003com", true, 0,
+      DOMAIN_PAYCHECKRECORDS_COM },
+  {14, false, "\010lastpass\003com", true, 0, DOMAIN_LASTPASS_COM },
+  {18, false, "\003www\010lastpass\003com", true, 0, DOMAIN_LASTPASS_COM },
+  {14, true, "\010keyerror\003com", true, 0, DOMAIN_KEYERROR_COM },
+  {13, false, "\010entropia\002de", true, 0, DOMAIN_ENTROPIA_DE },
+  {17, false, "\003www\010entropia\002de", true, 0, DOMAIN_ENTROPIA_DE },
+  {11, true, "\005romab\003com", true, 0, DOMAIN_ROMAB_COM },
+  {16, false, "\012logentries\003com", true, 0, DOMAIN_LOGENTRIES_COM },
+  {20, false, "\003www\012logentries\003com", true, 0, DOMAIN_LOGENTRIES_COM },
+  {12, true, "\006stripe\003com", true, 0, DOMAIN_STRIPE_COM },
+  {27, true, "\025cloudsecurityalliance\003org", true, 0,
+      DOMAIN_CLOUDSECURITYALLIANCE_ORG },
+  {15, true, "\005login\004sapo\002pt", true, 0, DOMAIN_SAPO_PT },
+  {19, true, "\015mattmccutchen\003net", true, 0, DOMAIN_MATTMCCUTCHEN_NET },
+  {11, true, "\006betnet\002fr", true, 0, DOMAIN_BETNET_FR },
+  {13, true, "\010uprotect\002it", true, 0, DOMAIN_UPROTECT_IT },
+  {14, false, "\010squareup\003com", true, 0, DOMAIN_SQUAREUP_COM },
+  {9, true, "\004cert\002se", true, 0, DOMAIN_CERT_SE },
+  {11, true, "\006crypto\002is", true, 0, DOMAIN_CRYPTO_IS },
+  {20, true, "\005simon\007butcher\004name", true, 0, DOMAIN_BUTCHER_NAME },
+  {10, true, "\004linx\003net", true, 0, DOMAIN_LINX_NET },
+  {13, false, "\007dropcam\003com", true, 0, DOMAIN_DROPCAM_COM },
+  {17, false, "\003www\007dropcam\003com", true, 0, DOMAIN_DROPCAM_COM },
+  {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0,
+      DOMAIN_INDOVINABANK_COM_VN },
+  {13, false, "\007epoxate\003com", true, 0, DOMAIN_EPOXATE_COM },
+  {16, false, "\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {22, true, "\003www\014moneybookers\003com", true, 0,
+      DOMAIN_MONEYBOOKERS_COM },
+  {17, false, "\013ledgerscope\003net", true, 0, DOMAIN_LEDGERSCOPE_NET },
+  {21, false, "\003www\013ledgerscope\003net", true, 0,
+      DOMAIN_LEDGERSCOPE_NET },
+  {10, false, "\004kyps\003net", true, 0, DOMAIN_KYPS_NET },
+  {14, false, "\003www\004kyps\003net", true, 0, DOMAIN_KYPS_NET },
+  {17, true, "\003app\007recurly\003com", true, 0, DOMAIN_RECURLY_COM },
+  {17, true, "\003api\007recurly\003com", true, 0, DOMAIN_RECURLY_COM },
+  {13, false, "\007greplin\003com", true, 0, DOMAIN_GREPLIN_COM },
+  {17, false, "\003www\007greplin\003com", true, 0, DOMAIN_GREPLIN_COM },
+  {27, true, "\006luneta\016nearbuysystems\003com", true, 0,
+      DOMAIN_NEARBUYSYSTEMS_COM },
+  {12, true, "\006ubertt\003org", true, 0, DOMAIN_UBERTT_ORG },
+
+  {13, false, "\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {17, true, "\003www\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {17, true, "\003api\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {19, true, "\005oauth\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {20, true, "\006mobile\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {17, true, "\003dev\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {22, true, "\010business\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
 
 #if 0
   // Twitter CDN pins disabled in order to track down pinning failures --agl
-  {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
-  {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
-  {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
+  {22, true, "\010platform\007twitter\003com", false,
+      kTwitterCDNAcceptableCerts, DOMAIN_TWITTER_COM },
+  {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts,
+      DOMAIN_TWIMG_COM },
+  {23, true, "\010twimg0-a\010akamaihd\003net", false,
+      kTwitterCDNAcceptableCerts, DOMAIN_AKAMAIHD_NET },
 #endif
 };
 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 
 static const struct HSTSPreload kPreloadedSNISTS[] = {
   // These SNI-only domains must always use HTTPS.
-  {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
-  {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
-  {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
-  {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
+  {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GMAIL_COM },
+  {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEMAIL_COM },
+  {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GMAIL_COM },
+  {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEMAIL_COM },
   // These SNI-only domains must use an acceptable certificate iff using
   // HTTPS.
-  {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
+  {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts,
+     DOMAIN_GOOGLE_ANALYTICS_COM },
   // www. requires SNI.
-  {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
+  {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEGROUPS_COM },
 };
 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
 
-// Returns true if there is an HSTSPreload entry for the host in |entries|, and
-// if its |required_hashes| member is identical (by address) to |certs|.
-static bool ScanForHostAndCerts(
+// Returns the HSTSPreload entry for the |canonicalized_host| in |entries|,
+// or NULL if there is none. Prefers exact hostname matches to those that
+// match only because HSTSPreload.include_subdomains is true.
+//
+// |canonicalized_host| should be the hostname as canonicalized by
+// CanonicalizeHost.
+static const struct HSTSPreload* GetHSTSPreload(
     const std::string& canonicalized_host,
     const struct HSTSPreload* entries,
-    size_t num_entries,
-    const char* const certs[]) {
-  bool hit = false;
+    size_t num_entries) {
+  const struct HSTSPreload* hit = NULL;
 
   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
     for (size_t j = 0; j < num_entries; j++) {
-      const struct HSTSPreload& entry = entries[j];
-
-      if (i != 0 && !entry.include_subdomains)
+      const struct HSTSPreload* entry = entries + j;
+
+      if (i != 0 && !entry->include_subdomains)
         continue;
 
-      if (entry.length == canonicalized_host.size() - i &&
-          memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) {
-        hit = entry.required_hashes == certs;
-        // Return immediately upon exact match:
+      if (entry->length == canonicalized_host.size() - i &&
+          memcmp(entry->dns_name, &canonicalized_host[i], entry->length) == 0) {
+        // Return immediately upon exact match.
         if (i == 0)
-          return hit;
+          return entry;
+        hit = entry;
       }
     }
   }
 
   return hit;
 }
 
 // static
 bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
                                                     bool sni_available) {
   std::string canonicalized_host = CanonicalizeHost(host);
+  const struct HSTSPreload* entry =
+      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
 
-  if (ScanForHostAndCerts(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS,
-                          kGoogleAcceptableCerts)) {
+  if (entry && entry->required_hashes == kGoogleAcceptableCerts)
     return true;
-  }
 
   if (sni_available) {
-    if (ScanForHostAndCerts(canonicalized_host, kPreloadedSNISTS, kNumPreloadedSNISTS,
-                            kGoogleAcceptableCerts)) {
+    entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
+                           kNumPreloadedSNISTS);
+    if (entry && entry->required_hashes == kGoogleAcceptableCerts)
       return true;
-    }
   }
 
   return false;
 }
 
+// static
+void TransportSecurityState::ReportUMAPinFailure(const std::string& host,
+                                                 bool sni_available) {
+  std::string canonicalized_host = CanonicalizeHost(host);
+
+  const struct HSTSPreload* entry =
+      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
+
+  if (!entry && sni_available)
+    entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
+                           kNumPreloadedSNISTS);

[wtc, 2011/10/25 00:49:57]

Nit: put curly braces around the "if" body because it is
two lines (even though one statement).

+
+  if (!entry)
+    return;
+
+  UMA_HISTOGRAM_ENUMERATION(kPinFailure, entry->low_res_name,
+                            DOMAIN_NUM_EVENTS);

[wtc, 2011/10/25 00:49:57]

I checked with jar, the father of Histogram.

Here you did the right thing: by passing the largest sample + 1
as the third argument, you will be able to add new values
to the *end* of the LowResolutionDomainName enum type in
the future without breaking this histogram.

+}
 
 // IsPreloadedSTS returns true if the canonicalized hostname should always be
 // considered to have STS enabled.
 bool TransportSecurityState::IsPreloadedSTS(
     const std::string& canonicalized_host,
     bool sni_available,
     DomainState* out) {
   DCHECK(CalledOnValidThread());
 
   out->preloaded = true;
@@ skipping 66 matching lines @@
   }
 
   LOG(ERROR) << "Rejecting public key chain for domain " << domain
              << ". Validated chain: " << HashesToBase64String(hashes)
              << ", expected: " << HashesToBase64String(public_key_hashes);
 
   return false;
 }
 
 }  // namespace