Distinguish STS observation times from PKP observation times.

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ecdsa.h>
 #include <openssl/ssl.h>
 #else  // !defined(USE_OPENSSL)
@@ skipping 184 matching lines @@
   enabled_hosts_.clear();
 }
 
 void TransportSecurityState::DeleteAllDynamicDataSince(const base::Time& time) {
   DCHECK(CalledOnValidThread());
 
   bool dirtied = false;
 
   DomainStateMap::iterator i = enabled_hosts_.begin();
   while (i != enabled_hosts_.end()) {
-    if (i->second.created >= time) {
+    if (i->second.sts_observed >= time && i->second.pkp_observed >= time) {
       dirtied = true;
       enabled_hosts_.erase(i++);
+    } else if (i->second.sts_observed >= time) {
+      dirtied = true;
+      i->second.upgrade_mode = DomainState::MODE_DEFAULT;
+      i++;
+    } else if (i->second.pkp_observed >= time) {
+      dirtied = true;
+      i->second.dynamic_spki_hashes.clear();
+      i++;
     } else {
       i++;
     }

[wtc, 2013/12/12 23:20:44]

Since we do |i++| in all cases, this can be written as a for loop.

[palmer, 2013/12/13 01:42:42]

Actually, that exposed a bug: when we do enabled_hosts_.erase, we were
invalidating |i|. New version avoids that.

[wtc, 2013/12/13 02:35:04]

Ah, I remember this issue, and your original code is a trick to avoid this
problem. When we do
    enabled_hosts_.erase(i++);

three things happen in this order:
    1. |i| is incremented.
    2. A copy of the old value of |i| is created and
       passed to enabled_hosts_.erase.
    3. enabled_hosts_.erase invalidates the old value
       of |i|.

I'd prefer that we go back to the old code. We can simplify it as follows:

  while (i != enabled_hosts_.end()) {
    if (i->second.sts_observed >= time && i->second.pkp_observed >= time) {
      dirtied = true;
      enabled_hosts_.erase(i++);
      continue;
    }

    if (i->second.sts_observed >= time) {
      dirtied = true;
      i->second.upgrade_mode = DomainState::MODE_DEFAULT;
    } else if (i->second.pkp_observed >= time) {
      dirtied = true;
      i->second.dynamic_spki_hashes.clear();
    }
    ++i;  // Note the pre-increment operator for efficiency.
  }

   }
 
   if (dirtied)
     DirtyNotify();
 }
 
 TransportSecurityState::~TransportSecurityState() {
   DCHECK(CalledOnValidThread());
 }
 
@@ skipping 386 matching lines @@
   base::Time now = base::Time::Now();
   base::TimeDelta max_age;
   TransportSecurityState::DomainState domain_state;
   GetDynamicDomainState(host, &domain_state);
   if (ParseHSTSHeader(value, &max_age, &domain_state.sts_include_subdomains)) {
     // Handle max-age == 0
     if (max_age.InSeconds() == 0)
       domain_state.upgrade_mode = DomainState::MODE_DEFAULT;
     else
       domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
-    domain_state.created = now;
+    domain_state.sts_observed = now;
     domain_state.upgrade_expiry = now + max_age;
     EnableHost(host, domain_state);
     return true;
   }
   return false;
 }
 
 bool TransportSecurityState::AddHPKPHeader(const std::string& host,
                                            const std::string& value,
                                            const SSLInfo& ssl_info) {
   DCHECK(CalledOnValidThread());
 
   base::Time now = base::Time::Now();
   base::TimeDelta max_age;
   TransportSecurityState::DomainState domain_state;
   GetDynamicDomainState(host, &domain_state);
   if (ParseHPKPHeader(value, ssl_info.public_key_hashes,
                       &max_age, &domain_state.pkp_include_subdomains,
                       &domain_state.dynamic_spki_hashes)) {
     // TODO(palmer): http://crbug.com/243865 handle max-age == 0.
-    domain_state.created = now;
+    domain_state.pkp_observed = now;
     domain_state.dynamic_spki_hashes_expiry = now + max_age;
     EnableHost(host, domain_state);
     return true;
   }
   return false;
 }
 
 bool TransportSecurityState::AddHSTS(const std::string& host,
                                      const base::Time& expiry,
                                      bool include_subdomains) {
   DCHECK(CalledOnValidThread());
 
   // Copy-and-modify the existing DomainState for this host (if any).
   TransportSecurityState::DomainState domain_state;
   const std::string canonicalized_host = CanonicalizeHost(host);
   const std::string hashed_host = HashHost(canonicalized_host);
   DomainStateMap::const_iterator i = enabled_hosts_.find(
       hashed_host);
   if (i != enabled_hosts_.end())
     domain_state = i->second;
 
-  domain_state.created = base::Time::Now();
+  domain_state.sts_observed = base::Time::Now();
   domain_state.sts_include_subdomains = include_subdomains;
   domain_state.upgrade_expiry = expiry;
   domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
   EnableHost(host, domain_state);
   return true;
 }
 
 bool TransportSecurityState::AddHPKP(const std::string& host,
                                      const base::Time& expiry,
                                      bool include_subdomains,
                                      const HashValueVector& hashes) {
   DCHECK(CalledOnValidThread());
 
   // Copy-and-modify the existing DomainState for this host (if any).
   TransportSecurityState::DomainState domain_state;
   const std::string canonicalized_host = CanonicalizeHost(host);
   const std::string hashed_host = HashHost(canonicalized_host);
   DomainStateMap::const_iterator i = enabled_hosts_.find(
       hashed_host);
   if (i != enabled_hosts_.end())
     domain_state = i->second;
 
-  domain_state.created = base::Time::Now();
+  domain_state.pkp_observed = base::Time::Now();
   domain_state.pkp_include_subdomains = include_subdomains;
   domain_state.dynamic_spki_hashes_expiry = expiry;
   domain_state.dynamic_spki_hashes = hashes;
   EnableHost(host, domain_state);
   return true;
 }
 
 // static
 bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
                                                     bool sni_enabled) {
@@ skipping 124 matching lines @@
 
 
 void TransportSecurityState::AddOrUpdateEnabledHosts(
     const std::string& hashed_host, const DomainState& state) {
   DCHECK(CalledOnValidThread());
   enabled_hosts_[hashed_host] = state;
 }
 
 TransportSecurityState::DomainState::DomainState()
     : upgrade_mode(MODE_DEFAULT),
-      created(base::Time::Now()),
       sts_include_subdomains(false),
       pkp_include_subdomains(false) {
+  base::Time now(base::Time::Now());
+  sts_observed = now;
+  pkp_observed = now;
 }
 
 TransportSecurityState::DomainState::~DomainState() {
 }
 
 bool TransportSecurityState::DomainState::CheckPublicKeyPins(
     const HashValueVector& hashes) const {
   // Validate that hashes is not empty. By the time this code is called (in
   // production), that should never happen, but it's good to be defensive.
   // And, hashes *can* be empty in some test scenarios.
@@ skipping 35 matching lines @@
   return true;
 }
 
 bool TransportSecurityState::DomainState::HasPublicKeyPins() const {
   return static_spki_hashes.size() > 0 ||
          bad_static_spki_hashes.size() > 0 ||
          dynamic_spki_hashes.size() > 0;
 }
 
 }  // namespace