| Index: net/base/transport_security_state.cc
|
| ===================================================================
|
| --- net/base/transport_security_state.cc (revision 107809)
|
| +++ net/base/transport_security_state.cc (working copy)
|
| @@ -21,6 +21,7 @@
|
| #include "base/json/json_writer.h"
|
| #include "base/logging.h"
|
| #include "base/memory/scoped_ptr.h"
|
| +#include "base/metrics/histogram.h"
|
| #include "base/sha1.h"
|
| #include "base/string_number_conversions.h"
|
| #include "base/string_tokenizer.h"
|
| @@ -248,7 +249,7 @@
|
| continue;
|
| if (*tokenizer.token_begin() != '=')
|
| return false;
|
| - DCHECK(tokenizer.token().length() == 1);
|
| + DCHECK_EQ(tokenizer.token().length(), 1U);
|
| state = AFTER_MAX_AGE_EQUALS;
|
| break;
|
|
|
| @@ -807,12 +808,50 @@
|
| return new_host;
|
| }
|
|
|
| +// |ReportUMAOnPinFailure| uses these to report which domain was associated
|
| +// with the public key pinning failure.
|
| +//
|
| +// DO NOT CHANGE THE ORDERING OF THESE NAMES OR REMOVE ANY OF THEM. Add new
|
| +// domains at the END of the listing (but before DOMAIN_NUM_EVENTS).
|
| +enum SecondLevelDomainName {
|
| + DOMAIN_NOT_PINNED,
|
| +
|
| + DOMAIN_GOOGLE_COM,
|
| + DOMAIN_ANDROID_COM,
|
| + DOMAIN_GOOGLE_ANALYTICS_COM,
|
| + DOMAIN_GOOGLEPLEX_COM,
|
| + DOMAIN_YTIMG_COM,
|
| + DOMAIN_GOOGLEUSERCONTENT_COM,
|
| + DOMAIN_YOUTUBE_COM,
|
| + DOMAIN_GOOGLEAPIS_COM,
|
| + DOMAIN_GOOGLEADSERVICES_COM,
|
| + DOMAIN_GOOGLECODE_COM,
|
| + DOMAIN_APPSPOT_COM,
|
| + DOMAIN_GOOGLESYNDICATION_COM,
|
| + DOMAIN_DOUBLECLICK_NET,
|
| + DOMAIN_GSTATIC_COM,
|
| + DOMAIN_GMAIL_COM,
|
| + DOMAIN_GOOGLEMAIL_COM,
|
| + DOMAIN_GOOGLEGROUPS_COM,
|
| +
|
| + DOMAIN_TORPROJECT_ORG,
|
| +
|
| + DOMAIN_TWITTER_COM,
|
| + DOMAIN_TWIMG_COM,
|
| +
|
| + DOMAIN_AKAMAIHD_NET,
|
| +
|
| + // Boundary value for UMA_HISTOGRAM_ENUMERATION:
|
| + DOMAIN_NUM_EVENTS
|
| +};
|
| +
|
| struct HSTSPreload {
|
| uint8 length;
|
| bool include_subdomains;
|
| char dns_name[30];
|
| bool https_required;
|
| const char* const* required_hashes;
|
| + SecondLevelDomainName second_level_domain_name;
|
| };
|
|
|
| static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
|
| @@ -963,188 +1002,259 @@
|
| // slightly odd form removes the need for additional relocations records.
|
| static const struct HSTSPreload kPreloadedSTS[] = {
|
| // (*.)google.com, iff using SSL must use an acceptable certificate.
|
| - {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
|
| + {12, true, "\006google\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| {25, true, "\013pinningtest\007appspot\003com", false,
|
| - kTestAcceptableCerts },
|
| + kTestAcceptableCerts, DOMAIN_APPSPOT_COM },
|
| // Now we force HTTPS for subtrees of google.com.
|
| - {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
|
| - {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
|
| - {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
|
| - {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
|
| - {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
|
| + {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| + {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| + {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| + {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| + {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| {25, true, "\014spreadsheets\006google\003com", true,
|
| - kGoogleAcceptableCerts },
|
| + kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
|
| {22, false, "\011appengine\006google\003com", true,
|
| - kGoogleAcceptableCerts },
|
| - {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
|
| - {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
|
| - {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
|
| - {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
|
| + kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
|
| + {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| + {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| + {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| + {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| {23, true, "\012talkgadget\006google\003com", true,
|
| - kGoogleAcceptableCerts },
|
| - {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
|
| + kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
|
| + {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| {29, true, "\020hostedtalkgadget\006google\003com", true,
|
| - kGoogleAcceptableCerts },
|
| - {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
|
| + kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
|
| + {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| // Other Google-related domains that must use HTTPS.
|
| - {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
|
| + {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_ANDROID_COM },
|
| {26, true, "\003ssl\020google-analytics\003com", true,
|
| - kGoogleAcceptableCerts },
|
| - {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
|
| - {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
|
| - {19, true, "\006groups\006google\003com", true, kGoogleAcceptableCerts },
|
| + kGoogleAcceptableCerts, DOMAIN_GOOGLE_ANALYTICS_COM },
|
| + {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| + {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLEPLEX_COM },
|
| + {19, true, "\006groups\006google\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_COM },
|
| // Other Google-related domains that must use an acceptable certificate
|
| // iff using SSL.
|
| - {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
|
| - {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
|
| - {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
|
| - {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
|
| - {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
|
| - {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
|
| - {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
|
| - {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
|
| - {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
|
| - {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
|
| + {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_YTIMG_COM },
|
| + {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLEUSERCONTENT_COM },
|
| + {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_YOUTUBE_COM },
|
| + {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLEAPIS_COM },
|
| + {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLEADSERVICES_COM },
|
| + {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLECODE_COM },
|
| + {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_APPSPOT_COM },
|
| + {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLESYNDICATION_COM },
|
| + {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts,
|
| + DOMAIN_DOUBLECLICK_NET },
|
| + {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_GSTATIC_COM },
|
| // Exclude the learn.doubleclick.net subdomain because it uses a different
|
| // CA.
|
| - {23, true, "\005learn\013doubleclick\003net", false, 0 },
|
| + {23, true, "\005learn\013doubleclick\003net", false, 0, DOMAIN_NOT_PINNED },
|
| // Now we force HTTPS for other sites that have requested it.
|
| - {16, false, "\003www\006paypal\003com", true, 0 },
|
| - {16, false, "\003www\006elanex\003biz", true, 0 },
|
| - {12, true, "\006jottit\003com", true, 0 },
|
| - {19, true, "\015sunshinepress\003org", true, 0 },
|
| - {21, false, "\003www\013noisebridge\003net", true, 0 },
|
| - {10, false, "\004neg9\003org", true, 0 },
|
| - {12, true, "\006riseup\003net", true, 0 },
|
| - {11, false, "\006factor\002cc", true, 0 },
|
| - {22, false, "\007members\010mayfirst\003org", true, 0 },
|
| - {22, false, "\007support\010mayfirst\003org", true, 0 },
|
| - {17, false, "\002id\010mayfirst\003org", true, 0 },
|
| - {20, false, "\005lists\010mayfirst\003org", true, 0 },
|
| - {19, true, "\015splendidbacon\003com", true, 0 },
|
| - {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
|
| - {14, true, "\011ottospora\002nl", true, 0 },
|
| - {25, false, "\003www\017paycheckrecords\003com", true, 0 },
|
| - {14, false, "\010lastpass\003com", true, 0 },
|
| - {18, false, "\003www\010lastpass\003com", true, 0 },
|
| - {14, true, "\010keyerror\003com", true, 0 },
|
| - {13, false, "\010entropia\002de", true, 0 },
|
| - {17, false, "\003www\010entropia\002de", true, 0 },
|
| - {11, true, "\005romab\003com", true, 0 },
|
| - {16, false, "\012logentries\003com", true, 0 },
|
| - {20, false, "\003www\012logentries\003com", true, 0 },
|
| - {12, true, "\006stripe\003com", true, 0 },
|
| - {27, true, "\025cloudsecurityalliance\003org", true, 0 },
|
| - {15, true, "\005login\004sapo\002pt", true, 0 },
|
| - {19, true, "\015mattmccutchen\003net", true, 0 },
|
| - {11, true, "\006betnet\002fr", true, 0 },
|
| - {13, true, "\010uprotect\002it", true, 0 },
|
| - {14, false, "\010squareup\003com", true, 0 },
|
| - {9, true, "\004cert\002se", true, 0 },
|
| - {11, true, "\006crypto\002is", true, 0 },
|
| - {20, true, "\005simon\007butcher\004name", true, 0 },
|
| - {10, true, "\004linx\003net", true, 0 },
|
| - {13, false, "\007dropcam\003com", true, 0 },
|
| - {17, false, "\003www\007dropcam\003com", true, 0 },
|
| - {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
|
| - {13, false, "\007epoxate\003com", true, 0 },
|
| - {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
|
| - {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
|
| - {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
|
| - {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
|
| - {22, true, "\003www\014moneybookers\003com", true, 0 },
|
| - {17, false, "\013ledgerscope\003net", true, 0 },
|
| - {21, false, "\003www\013ledgerscope\003net", true, 0 },
|
| - {10, false, "\004kyps\003net", true, 0 },
|
| - {14, false, "\003www\004kyps\003net", true, 0 },
|
| - {17, true, "\003app\007recurly\003com", true, 0 },
|
| - {17, true, "\003api\007recurly\003com", true, 0 },
|
| - {13, false, "\007greplin\003com", true, 0 },
|
| - {17, false, "\003www\007greplin\003com", true, 0 },
|
| - {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
|
| - {12, true, "\006ubertt\003org", true, 0 },
|
| + {16, false, "\003www\006paypal\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {16, false, "\003www\006elanex\003biz", true, 0, DOMAIN_NOT_PINNED },
|
| + {12, true, "\006jottit\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {19, true, "\015sunshinepress\003org", true, 0, DOMAIN_NOT_PINNED },
|
| + {21, false, "\003www\013noisebridge\003net", true, 0,
|
| + DOMAIN_NOT_PINNED },
|
| + {10, false, "\004neg9\003org", true, 0, DOMAIN_NOT_PINNED },
|
| + {12, true, "\006riseup\003net", true, 0, DOMAIN_NOT_PINNED },
|
| + {11, false, "\006factor\002cc", true, 0, DOMAIN_NOT_PINNED },
|
| + {22, false, "\007members\010mayfirst\003org", true, 0, DOMAIN_NOT_PINNED },
|
| + {22, false, "\007support\010mayfirst\003org", true, 0, DOMAIN_NOT_PINNED },
|
| + {17, false, "\002id\010mayfirst\003org", true, 0, DOMAIN_NOT_PINNED },
|
| + {20, false, "\005lists\010mayfirst\003org", true, 0, DOMAIN_NOT_PINNED },
|
| + {19, true, "\015splendidbacon\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {28, false, "\016aladdinschools\007appspot\003com", true, 0,
|
| + DOMAIN_NOT_PINNED },
|
| + {14, true, "\011ottospora\002nl", true, 0, DOMAIN_NOT_PINNED },
|
| + {25, false, "\003www\017paycheckrecords\003com", true, 0,
|
| + DOMAIN_NOT_PINNED },
|
| + {14, false, "\010lastpass\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {18, false, "\003www\010lastpass\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {14, true, "\010keyerror\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {13, false, "\010entropia\002de", true, 0, DOMAIN_NOT_PINNED },
|
| + {17, false, "\003www\010entropia\002de", true, 0, DOMAIN_NOT_PINNED },
|
| + {11, true, "\005romab\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {16, false, "\012logentries\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {20, false, "\003www\012logentries\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {12, true, "\006stripe\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {27, true, "\025cloudsecurityalliance\003org", true, 0,
|
| + DOMAIN_NOT_PINNED },
|
| + {15, true, "\005login\004sapo\002pt", true, 0, DOMAIN_NOT_PINNED },
|
| + {19, true, "\015mattmccutchen\003net", true, 0, DOMAIN_NOT_PINNED },
|
| + {11, true, "\006betnet\002fr", true, 0, DOMAIN_NOT_PINNED },
|
| + {13, true, "\010uprotect\002it", true, 0, DOMAIN_NOT_PINNED },
|
| + {14, false, "\010squareup\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {9, true, "\004cert\002se", true, 0, DOMAIN_NOT_PINNED },
|
| + {11, true, "\006crypto\002is", true, 0, DOMAIN_NOT_PINNED },
|
| + {20, true, "\005simon\007butcher\004name", true, 0, DOMAIN_NOT_PINNED },
|
| + {10, true, "\004linx\003net", true, 0, DOMAIN_NOT_PINNED },
|
| + {13, false, "\007dropcam\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {17, false, "\003www\007dropcam\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0,
|
| + DOMAIN_NOT_PINNED },
|
| + {13, false, "\007epoxate\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {16, false, "\012torproject\003org", true, kTorAcceptableCerts,
|
| + DOMAIN_TORPROJECT_ORG },
|
| + {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts,
|
| + DOMAIN_TORPROJECT_ORG },
|
| + {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts,
|
| + DOMAIN_TORPROJECT_ORG },
|
| + {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts,
|
| + DOMAIN_TORPROJECT_ORG },
|
| + {22, true, "\003www\014moneybookers\003com", true, 0,
|
| + DOMAIN_NOT_PINNED },
|
| + {17, false, "\013ledgerscope\003net", true, 0, DOMAIN_NOT_PINNED },
|
| + {21, false, "\003www\013ledgerscope\003net", true, 0,
|
| + DOMAIN_NOT_PINNED },
|
| + {10, false, "\004kyps\003net", true, 0, DOMAIN_NOT_PINNED },
|
| + {14, false, "\003www\004kyps\003net", true, 0, DOMAIN_NOT_PINNED },
|
| + {17, true, "\003app\007recurly\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {17, true, "\003api\007recurly\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {13, false, "\007greplin\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {17, false, "\003www\007greplin\003com", true, 0, DOMAIN_NOT_PINNED },
|
| + {27, true, "\006luneta\016nearbuysystems\003com", true, 0,
|
| + DOMAIN_NOT_PINNED },
|
| + {12, true, "\006ubertt\003org", true, 0, DOMAIN_NOT_PINNED },
|
|
|
| - {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| + {13, false, "\007twitter\003com", kTwitterHSTS,
|
| + kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
|
| + {17, true, "\003www\007twitter\003com", kTwitterHSTS,
|
| + kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
|
| + {17, true, "\003api\007twitter\003com", kTwitterHSTS,
|
| + kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
|
| + {19, true, "\005oauth\007twitter\003com", kTwitterHSTS,
|
| + kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
|
| + {20, true, "\006mobile\007twitter\003com", kTwitterHSTS,
|
| + kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
|
| + {17, true, "\003dev\007twitter\003com", kTwitterHSTS,
|
| + kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
|
| + {22, true, "\010business\007twitter\003com", kTwitterHSTS,
|
| + kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
|
|
|
| #if 0
|
| // Twitter CDN pins disabled in order to track down pinning failures --agl
|
| - {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
|
| - {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
|
| - {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
|
| + {22, true, "\010platform\007twitter\003com", false,
|
| + kTwitterCDNAcceptableCerts, DOMAIN_TWITTER_COM },
|
| + {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts,
|
| + DOMAIN_TWIMG_COM },
|
| + {23, true, "\010twimg0-a\010akamaihd\003net", false,
|
| + kTwitterCDNAcceptableCerts, DOMAIN_AKAMAIHD_NET },
|
| #endif
|
| };
|
| static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
|
|
|
| static const struct HSTSPreload kPreloadedSNISTS[] = {
|
| // These SNI-only domains must always use HTTPS.
|
| - {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
|
| - {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
|
| - {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
|
| - {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
|
| + {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GMAIL_COM },
|
| + {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLEMAIL_COM },
|
| + {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GMAIL_COM },
|
| + {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLEMAIL_COM },
|
| // These SNI-only domains must use an acceptable certificate iff using
|
| // HTTPS.
|
| - {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
|
| + {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLE_ANALYTICS_COM },
|
| // www. requires SNI.
|
| - {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
|
| + {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts,
|
| + DOMAIN_GOOGLEGROUPS_COM },
|
| };
|
| static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
|
|
|
| -// Returns true if there is an HSTSPreload entry for the host in |entries|, and
|
| -// if its |required_hashes| member is identical (by address) to |certs|.
|
| -static bool ScanForHostAndCerts(
|
| +// Returns the HSTSPreload entry for the |canonicalized_host| in |entries|,
|
| +// or NULL if there is none. Prefers exact hostname matches to those that
|
| +// match only because HSTSPreload.include_subdomains is true.
|
| +//
|
| +// |canonicalized_host| should be the hostname as canonicalized by
|
| +// CanonicalizeHost.
|
| +static const struct HSTSPreload* GetHSTSPreload(
|
| const std::string& canonicalized_host,
|
| const struct HSTSPreload* entries,
|
| - size_t num_entries,
|
| - const char* const certs[]) {
|
| - bool hit = false;
|
| -
|
| + size_t num_entries) {
|
| for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
|
| for (size_t j = 0; j < num_entries; j++) {
|
| - const struct HSTSPreload& entry = entries[j];
|
| + const struct HSTSPreload* entry = entries + j;
|
|
|
| - if (i != 0 && !entry.include_subdomains)
|
| + if (i != 0 && !entry->include_subdomains)
|
| continue;
|
|
|
| - if (entry.length == canonicalized_host.size() - i &&
|
| - memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) {
|
| - hit = entry.required_hashes == certs;
|
| - // Return immediately upon exact match:
|
| - if (i == 0)
|
| - return hit;
|
| + if (entry->length == canonicalized_host.size() - i &&
|
| + memcmp(entry->dns_name, &canonicalized_host[i], entry->length) == 0) {
|
| + return entry;
|
| }
|
| }
|
| }
|
|
|
| - return hit;
|
| + return NULL;
|
| }
|
|
|
| // static
|
| bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
|
| bool sni_available) {
|
| std::string canonicalized_host = CanonicalizeHost(host);
|
| + const struct HSTSPreload* entry =
|
| + GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
|
|
|
| - if (ScanForHostAndCerts(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS,
|
| - kGoogleAcceptableCerts)) {
|
| + if (entry && entry->required_hashes == kGoogleAcceptableCerts)
|
| return true;
|
| - }
|
|
|
| if (sni_available) {
|
| - if (ScanForHostAndCerts(canonicalized_host, kPreloadedSNISTS, kNumPreloadedSNISTS,
|
| - kGoogleAcceptableCerts)) {
|
| + entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
|
| + kNumPreloadedSNISTS);
|
| + if (entry && entry->required_hashes == kGoogleAcceptableCerts)
|
| return true;
|
| - }
|
| }
|
|
|
| return false;
|
| }
|
|
|
| +// static
|
| +void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
|
| + std::string canonicalized_host = CanonicalizeHost(host);
|
|
|
| + const struct HSTSPreload* entry =
|
| + GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
|
| +
|
| + if (!entry) {
|
| + entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
|
| + kNumPreloadedSNISTS);
|
| + }
|
| +
|
| + DCHECK(entry);
|
| + DCHECK(entry->required_hashes);
|
| + DCHECK(entry->second_level_domain_name != DOMAIN_NOT_PINNED);
|
| +
|
| + UMA_HISTOGRAM_ENUMERATION("Net.PublicKeyPinFailureDomain",
|
| + entry->second_level_domain_name, DOMAIN_NUM_EVENTS);
|
| +}
|
| +
|
| // IsPreloadedSTS returns true if the canonicalized hostname should always be
|
| // considered to have STS enabled.
|
| bool TransportSecurityState::IsPreloadedSTS(
|
|
|
Chromium Code Reviews
Issue 8364023:
Report second-level domains for UMA on pin failure. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/