authorAdam Langley <agl@google.com>2014-09-25 16:14:12 -0700
committerAdam Langley <agl@google.com>2014-09-25 23:14:57 +0000
commit5cbb7d7a2ce034432b7d56f5940009bc75c337d4 (patch)
tree6f87d6db9fb2919b293985637a2fbaaecd6ca00b /net/http/transport_security_state.cc
parentcfdd7ba3cf8658df5a5484b716a1dc48ce3e0674 (diff)
Remove the "snionly" concept from the HSTS preload.
The "snionly" tag only applies to preloaded values and only affects people who are forcing SSLv3 on the command line. (We no longer have the option in the preferences to disable TLS and the preference has been renamed so even those who might have set it in the past shouldn't have it now). It also complicates pending work to reduce the size of the preload data. BUG=102779 R=eroman@chromium.org, rsleevi@chromium.org Review URL: https://codereview.chromium.org/578553004 Cr-Commit-Position: refs/heads/master@{#296821}
Diffstat (limited to 'net/http/transport_security_state.cc')
-rw-r--r--net/http/transport_security_state.cc53
1 files changed, 11 insertions, 42 deletions
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 79ee302..b00bc57 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -100,22 +100,20 @@ TransportSecurityState::Iterator::Iterator(const TransportSecurityState& state)
TransportSecurityState::Iterator::~Iterator() {}
-bool TransportSecurityState::ShouldSSLErrorsBeFatal(const std::string& host,
- bool sni_enabled) {
+bool TransportSecurityState::ShouldSSLErrorsBeFatal(const std::string& host) {
DomainState state;
- if (GetStaticDomainState(host, sni_enabled, &state))
+ if (GetStaticDomainState(host, &state))
return true;
return GetDynamicDomainState(host, &state);
}
-bool TransportSecurityState::ShouldUpgradeToSSL(const std::string& host,
- bool sni_enabled) {
+bool TransportSecurityState::ShouldUpgradeToSSL(const std::string& host) {
DomainState dynamic_state;
if (GetDynamicDomainState(host, &dynamic_state))
return dynamic_state.ShouldUpgradeToSSL();
DomainState static_state;
- if (GetStaticDomainState(host, sni_enabled, &static_state) &&
+ if (GetStaticDomainState(host, &static_state) &&
static_state.ShouldUpgradeToSSL()) {
return true;
}
@@ -125,7 +123,6 @@ bool TransportSecurityState::ShouldUpgradeToSSL(const std::string& host,
bool TransportSecurityState::CheckPublicKeyPins(
const std::string& host,
- bool sni_available,
bool is_issued_by_known_root,
const HashValueVector& public_key_hashes,
std::string* pinning_failure_log) {
@@ -134,12 +131,12 @@ bool TransportSecurityState::CheckPublicKeyPins(
// * the server's certificate chain chains up to a known root (i.e. not a
// user-installed trust anchor); and
// * the server actually has public key pins.
- if (!is_issued_by_known_root || !HasPublicKeyPins(host, sni_available)) {
+ if (!is_issued_by_known_root || !HasPublicKeyPins(host)) {
return true;
}
bool pins_are_valid = CheckPublicKeyPinsImpl(
- host, sni_available, public_key_hashes, pinning_failure_log);
+ host, public_key_hashes, pinning_failure_log);
if (!pins_are_valid) {
LOG(ERROR) << *pinning_failure_log;
ReportUMAOnPinFailure(host);
@@ -149,14 +146,13 @@ bool TransportSecurityState::CheckPublicKeyPins(
return pins_are_valid;
}
-bool TransportSecurityState::HasPublicKeyPins(const std::string& host,
- bool sni_enabled) {
+bool TransportSecurityState::HasPublicKeyPins(const std::string& host) {
DomainState dynamic_state;
if (GetDynamicDomainState(host, &dynamic_state))
return dynamic_state.HasPublicKeyPins();
DomainState static_state;
- if (GetStaticDomainState(host, sni_enabled, &static_state)) {
+ if (GetStaticDomainState(host, &static_state)) {
if (static_state.HasPublicKeyPins())
return true;
}
@@ -735,23 +731,12 @@ bool TransportSecurityState::AddHPKP(const std::string& host,
}
// static
-bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
- bool sni_enabled) {
+bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host) {
std::string canonicalized_host = CanonicalizeHost(host);
const struct HSTSPreload* entry =
GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
- if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
- return true;
-
- if (sni_enabled) {
- entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
- kNumPreloadedSNISTS);
- if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
- return true;
- }
-
- return false;
+ return entry && entry->pins.required_hashes == kGoogleAcceptableCerts;
}
// static
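Review bot: The rewritten lookup at `return entry && entry->pins.required_hashes == kGoogleAcceptableCerts;` consults only kPreloadedSTS, so any host that previously lived only in kPreloadedSNISTS stops being recognised as a Google-pinned property, and the parallel removal in GetStaticDomainState (later in this diff, cut off at its end) would drop that host's preloaded HSTS and pins entirely. This diff is limited to transport_security_state.cc, so it cannot show whether the former SNI-only entries were folded into the generated kPreloadedSTS table; that merge is what makes dropping the second lookup safe and should be confirmed against the companion static-data change before landing. A short comment would spare the next reader the same question: `// SNI-only preloads were merged into kPreloadedSTS; there is no separate table any more.` Note also that this remains a pointer-identity comparison of required_hashes against kGoogleAcceptableCerts, which is only valid while the preload generator emits that exact array for Google properties.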
@@ -762,11 +747,6 @@ void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
if (!entry) {
- entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
- kNumPreloadedSNISTS);
- }
-
- if (!entry) {
// We don't care to report pin failures for dynamic pins.
return;
}
@@ -788,7 +768,6 @@ bool TransportSecurityState::IsBuildTimely() {
bool TransportSecurityState::CheckPublicKeyPinsImpl(
const std::string& host,
- bool sni_enabled,
const HashValueVector& hashes,
std::string* failure_log) {
DomainState dynamic_state;
@@ -796,7 +775,7 @@ bool TransportSecurityState::CheckPublicKeyPinsImpl(
return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
DomainState static_state;
- if (GetStaticDomainState(host, sni_enabled, &static_state))
+ if (GetStaticDomainState(host, &static_state))
return static_state.CheckPublicKeyPins(hashes, failure_log);
// HasPublicKeyPins should have returned true in order for this method
@@ -805,7 +784,6 @@ bool TransportSecurityState::CheckPublicKeyPinsImpl(
}
bool TransportSecurityState::GetStaticDomainState(const std::string& host,
- bool sni_enabled,
DomainState* out) const {
DCHECK(CalledOnValidThread());
@@ -831,15 +809,6 @@ bool TransportSecurityState::GetStaticDomainState(const std::string& host,
&ret)) {
return ret;
}
- if (sni_enabled && is_build_timely && HasPreload(kPreloadedSNISTS,
- kNumPreloadedSNISTS,
- canonicalized_host,
- i,
- enable_static_pins_,
- out,
- &ret)) {
- return ret;
- }
}
return false;