Distinguish STS observation times from PKP observation times.

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ecdsa.h>
 #include <openssl/ssl.h>
 #else  // !defined(USE_OPENSSL)
@@ skipping 184 matching lines @@
   enabled_hosts_.clear();
 }
 
 void TransportSecurityState::DeleteAllDynamicDataSince(const base::Time& time) {
   DCHECK(CalledOnValidThread());
 
   bool dirtied = false;
 
   DomainStateMap::iterator i = enabled_hosts_.begin();
   while (i != enabled_hosts_.end()) {
-    if (i->second.created >= time) {
+    if (i->second.sts_observed >= time && i->second.pkp_observed >= time) {
       dirtied = true;
       enabled_hosts_.erase(i++);
+    } else if (i->second.sts_observed >= time) {
+      dirtied = true;
+      i->second.upgrade_mode = DomainState::MODE_DEFAULT;
+    } else if (i->second.pkp_observed >= time) {
+      dirtied = true;
+      i->second.dynamic_spki_hashes.clear();

[wtc, 2013/07/23 21:31:07]

Should we increment |i| in these two cases?

[palmer, 2013/12/12 01:32:12]

Done.

     } else {
       i++;
     }

[Ryan Sleevi, 2013/07/17 23:32:43]

FWIW, this seems weird.

Imagine the user visits site.example at T0, which sets up HSTS.

- They then revisit the site at T5, updating the observation time.
- They then revisit the site at T10, updating the observation time.
- They choose to clear all history from T6 to T10.
- This will reset site.example to pre-HSTS (which it existed at T0-T5).

That said, this is probably unavoidable. Do you know how we handle cookies? Do
we distinguish create from last_modified? I thought we did, and we only nuked
those created after T6, not those modified after T6.

[palmer, 2013/12/12 01:32:12]

I don't see a way to avoid this, short of keeping a record of every observation
ever (thus bloating the stored TSS).

I don't know how we handle cookies — nor am I sure how we should. :) Nor am I
sure if TSS should be handled the same way as cookies.

I suppose we could rename this method |DeleteAllDynamicDataModifiedAfter|, to
clarify? :\

   }
 
   if (dirtied)
     DirtyNotify();
 }
 
 TransportSecurityState::~TransportSecurityState() {
   DCHECK(CalledOnValidThread());
 }
 
@@ skipping 395 matching lines @@
   base::Time now = base::Time::Now();
   base::TimeDelta max_age;
   TransportSecurityState::DomainState domain_state;
   GetDynamicDomainState(host, &domain_state);
   if (ParseHSTSHeader(value, &max_age, &domain_state.sts_include_subdomains)) {
     // Handle max-age == 0
     if (max_age.InSeconds() == 0)
       domain_state.upgrade_mode = DomainState::MODE_DEFAULT;
     else
       domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
-    domain_state.created = now;
+    domain_state.sts_observed = now;
     domain_state.upgrade_expiry = now + max_age;
     EnableHost(host, domain_state);
     return true;
   }
   return false;
 }
 
 bool TransportSecurityState::AddHPKPHeader(const std::string& host,
                                            const std::string& value,
                                            const SSLInfo& ssl_info) {
   DCHECK(CalledOnValidThread());
 
   base::Time now = base::Time::Now();
   base::TimeDelta max_age;
   TransportSecurityState::DomainState domain_state;
   GetDynamicDomainState(host, &domain_state);
   if (ParseHPKPHeader(value, ssl_info.public_key_hashes,
                       &max_age, &domain_state.pkp_include_subdomains,
                       &domain_state.dynamic_spki_hashes)) {
     // TODO(palmer): http://crbug.com/243865 handle max-age == 0.
-    domain_state.created = now;
+    domain_state.pkp_observed = now;
     domain_state.dynamic_spki_hashes_expiry = now + max_age;
     EnableHost(host, domain_state);
     return true;
   }
   return false;
 }
 
 bool TransportSecurityState::AddHSTS(const std::string& host,
                                      const base::Time& expiry,
                                      bool include_subdomains) {
   DCHECK(CalledOnValidThread());
 
   // Copy-and-modify the existing DomainState for this host (if any).
   TransportSecurityState::DomainState domain_state;
   const std::string canonicalized_host = CanonicalizeHost(host);
   const std::string hashed_host = HashHost(canonicalized_host);
   DomainStateMap::const_iterator i = enabled_hosts_.find(
       hashed_host);
   if (i != enabled_hosts_.end())
     domain_state = i->second;
 
-  domain_state.created = base::Time::Now();
+  domain_state.sts_observed = base::Time::Now();
   domain_state.sts_include_subdomains = include_subdomains;
   domain_state.upgrade_expiry = expiry;
   domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
   EnableHost(host, domain_state);
   return true;
 }
 
 bool TransportSecurityState::AddHPKP(const std::string& host,
                                      const base::Time& expiry,
                                      bool include_subdomains,
                                      const HashValueVector& hashes) {
   DCHECK(CalledOnValidThread());
 
   // Copy-and-modify the existing DomainState for this host (if any).
   TransportSecurityState::DomainState domain_state;
   const std::string canonicalized_host = CanonicalizeHost(host);
   const std::string hashed_host = HashHost(canonicalized_host);
   DomainStateMap::const_iterator i = enabled_hosts_.find(
       hashed_host);
   if (i != enabled_hosts_.end())
     domain_state = i->second;
 
-  domain_state.created = base::Time::Now();
+  domain_state.pkp_observed = base::Time::Now();
   domain_state.pkp_include_subdomains = include_subdomains;
   domain_state.dynamic_spki_hashes_expiry = expiry;
   domain_state.dynamic_spki_hashes = hashes;
   EnableHost(host, domain_state);
   return true;
 }
 
 // static
 bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
                                                     bool sni_enabled) {
@@ skipping 124 matching lines @@
 
 
 void TransportSecurityState::AddOrUpdateEnabledHosts(
     const std::string& hashed_host, const DomainState& state) {
   DCHECK(CalledOnValidThread());
   enabled_hosts_[hashed_host] = state;
 }
 
 TransportSecurityState::DomainState::DomainState()
     : upgrade_mode(MODE_DEFAULT),
-      created(base::Time::Now()),
+      sts_observed(base::Time::Now()),
+      pkp_observed(base::Time::Now()),

[wtc, 2013/07/23 21:31:07]

These two base::Time::Now() calls may potentially return different values.
It would be nice to ensure that sts_observed and pkp_observed be initialized
to the same value.

Alternatively, perhaps sts_observed and pkp_observed should just be initialized
to the default base::Time value.

[palmer, 2013/12/12 01:32:12]

Done.

       sts_include_subdomains(false),
       pkp_include_subdomains(false) {
 }
 
 TransportSecurityState::DomainState::~DomainState() {
 }
 
 bool TransportSecurityState::DomainState::CheckPublicKeyPins(
     const HashValueVector& hashes) const {
   // Validate that hashes is not empty. By the time this code is called (in
@@ skipping 37 matching lines @@
   return true;
 }
 
 bool TransportSecurityState::DomainState::HasPublicKeyPins() const {
   return static_spki_hashes.size() > 0 ||
          bad_static_spki_hashes.size() > 0 ||
          dynamic_spki_hashes.size() > 0;
 }
 
 }  // namespace