diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
--- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:11:28.314468184 -0800
+++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:23:17.946207727 -0800
@@ -6682,10 +6682,22 @@ ssl3_HandleServerHello(sslSocket *ss, SS
sid->u.ssl3.sessionIDLength = sidBytes.len;
PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
+ /* Copy Signed Certificate Timestamps, if any. */
+ if (ss->xtnData.signedCertTimestamps.data) {
+ rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps,
+ &ss->xtnData.signedCertTimestamps);
+ if (rv != SECSuccess)
+ goto loser;
+ }
+
ss->ssl3.hs.isResuming = PR_FALSE;
ss->ssl3.hs.ws = wait_server_cert;
winner:
+ /* Clean up the temporary pointer to the handshake buffer. */
+ ss->xtnData.signedCertTimestamps.data = NULL;
+ ss->xtnData.signedCertTimestamps.len = 0;
+
/* If we will need a ChannelID key then we make the callback now. This
* allows the handshake to be restarted cleanly if the callback returns
* SECWouldBlock. */
@@ -6711,6 +6723,9 @@ alert_loser:
(void)SSL3_SendAlert(ss, alert_fatal, desc);
loser:
+ /* Clean up the temporary pointer to the handshake buffer. */
+ ss->xtnData.signedCertTimestamps.data = NULL;
+ ss->xtnData.signedCertTimestamps.len = 0;
errCode = ssl_MapLowLevelError(errCode);
return SECFailure;
}
diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
--- a/nss/lib/ssl/ssl3ext.c 2014-01-17 18:22:54.945827814 -0800
+++ b/nss/lib/ssl/ssl3ext.c 2014-01-17 18:35:21.798168722 -0800
@@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn
PRUint32 maxBytes);
static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
SECItem *data);
+static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss,
+ PRBool append,
+ PRUint32 maxBytes);
+static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss,
+ PRUint16 ex_type,
+ SECItem *data);
/*
* Write bytes. Using this function means the SECItem structure
@@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler s
{ ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
{ ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
{ ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
+ { ssl_signed_certificate_timestamp_xtn,
+ &ssl3_ClientHandleSignedCertTimestampXtn },
{ -1, NULL }
};
@@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSend
{ ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
{ ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
{ ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
+ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn },
+ { ssl_signed_certificate_timestamp_xtn,
+ &ssl3_ClientSendSignedCertTimestampXtn }
/* any extra entries will appear as { 0, NULL } */
};
@@ -2379,3 +2389,65 @@ ssl3_AppendPaddingExtension(sslSocket *s
return extensionLen;
}
+
+/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
+ * extension for TLS ClientHellos. */
+static PRInt32
+ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
+ PRUint32 maxBytes)
+{
+ PRInt32 extension_length = 2 /* extension_type */ +
+ 2 /* length(extension_data) */;
+
+ /* Only send the extension if processing is enabled. */
+ if (!ss->opt.enableSignedCertTimestamps)
+ return 0;
+
+ if (append && maxBytes >= extension_length) {
+ SECStatus rv;
+ /* extension_type */
+ rv = ssl3_AppendHandshakeNumber(ss,
+ ssl_signed_certificate_timestamp_xtn,
+ 2);
+ if (rv != SECSuccess)
+ goto loser;
+ /* zero length */
+ rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+ ssl_signed_certificate_timestamp_xtn;
+ } else if (maxBytes < extension_length) {
+ PORT_Assert(0);
+ return 0;
+ }
+
+ return extension_length;
+loser:
+ return -1;
+}
+
+static SECStatus
+ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
+ SECItem *data)
+{
+ /* We do not yet know whether we'll be resuming a session or creating
+ * a new one, so we keep a pointer to the data in the TLSExtensionData
+ * structure. This pointer is only valid in the scope of
+ * ssl3_HandleServerHello, and, if not resuming a session, the data is
+ * copied once a new session structure has been set up.
+ * All parsing is currently left to the application and we accept
+ * everything, including empty data.
+ */
+ SECItem *scts = &ss->xtnData.signedCertTimestamps;
+ PORT_Assert(!scts->data && !scts->len);
+
+ if (!data->len) {
+ /* Empty extension data: RFC 6962 mandates non-empty contents. */
+ return SECFailure;
+ }
+ *scts = *data;
+ /* Keep track of negotiated extensions. */
+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+ return SECSuccess;
+}
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
--- a/nss/lib/ssl/ssl.h 2014-01-17 18:00:11.213237373 -0800
+++ b/nss/lib/ssl/ssl.h 2014-01-17 18:38:15.791045050 -0800
@@ -181,6 +181,9 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
*/
#define SSL_ENABLE_ALPN 26
+/* Request Signed Certificate Timestamps via TLS extension (client) */
+#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 27
+
#ifdef SSL_DEPRECATED_FUNCTION
/* Old deprecated function names */
SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
@@ -483,6 +486,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertifi
*/
SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd);
+/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp
+ * extension data provided by the TLS server. The return value is a pointer
+ * to an internal SECItem that contains the returned response (as a serialized
+ * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only
+ * valid until the callback function that calls SSL_PeerSignedCertTimestamps
+ * (e.g. the authenticate certificate hook, or the handshake callback) returns.
+ *
+ * If no Signed Certificate Timestamps were given by the server then the result
+ * will be empty. If there was an error, then the result will be NULL.
+ *
+ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support
+ * for Signed Certificate Timestamps to a server.
+ *
+ * libssl does not do any parsing or validation of the response itself.
+ */
+SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd);
+
/* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses
* in the fd's data, which may be sent as part of a server side cert_status
* handshake message. Parameter |responses| is for the server certificate of
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
--- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:11:28.314468184 -0800
+++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:27:22.540248428 -0800
@@ -337,6 +337,7 @@ typedef struct sslOptionsStr {
unsigned int enableOCSPStapling : 1; /* 25 */
unsigned int enableNPN : 1; /* 26 */
unsigned int enableALPN : 1; /* 27 */
+ unsigned int enableSignedCertTimestamps : 1; /* 28 */
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
@@ -719,6 +720,11 @@ struct sslSessionIDStr {
* resumption handshake to the original handshake. */
SECItem originalHandshakeHash;
+ /* Signed certificate timestamps received in a TLS extension.
+ ** (used only in client).
+ */
+ SECItem signedCertTimestamps;
+
/* This lock is lazily initialized by CacheSID when a sid is first
* cached. Before then, there is no need to lock anything because
* the sid isn't being shared by anything.
@@ -827,6 +833,18 @@ struct TLSExtensionDataStr {
* is beyond ssl3_HandleClientHello function. */
SECItem *sniNameArr;
PRUint32 sniNameArrSize;
+
+ /* Signed Certificate Timestamps extracted from the TLS extension.
+ * (client only).
+ * This container holds a temporary pointer to the extension data,
+ * until a session structure (the sec.ci.sid of an sslSocket) is setup
+ * that can hold a permanent copy of the data
+ * (in sec.ci.sid.u.ssl3.signedCertTimestamps).
+ * The data pointed to by this structure is neither explicitly allocated
+ * nor copied: the pointer points to the handshake message buffer and is
+ * only valid in the scope of ssl3_HandleServerHello.
+ */
+ SECItem signedCertTimestamps;
};
typedef SECStatus (*sslRestartTarget)(sslSocket *);
diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
--- a/nss/lib/ssl/sslnonce.c 2014-01-17 18:11:28.314468184 -0800
+++ b/nss/lib/ssl/sslnonce.c 2014-01-17 18:23:17.956207890 -0800
@@ -131,6 +131,9 @@ ssl_DestroySID(sslSessionID *sid)
if (sid->u.ssl3.originalHandshakeHash.data) {
SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
}
+ if (sid->u.ssl3.signedCertTimestamps.data) {
+ SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);
+ }
if (sid->u.ssl3.lock) {
PR_DestroyRWLock(sid->u.ssl3.lock);
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
--- a/nss/lib/ssl/sslsock.c 2014-01-17 18:04:43.127747463 -0800
+++ b/nss/lib/ssl/sslsock.c 2014-01-17 18:44:09.246889487 -0800
@@ -87,7 +87,8 @@ static sslOptions ssl_defaults = {
PR_TRUE, /* cbcRandomIV */
PR_FALSE, /* enableOCSPStapling */
PR_TRUE, /* enableNPN */
- PR_FALSE /* enableALPN */
+ PR_FALSE, /* enableALPN */
+ PR_FALSE /* enableSignedCertTimestamps */
};
/*
@@ -787,6 +788,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
ss->opt.enableALPN = on;
break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+ ss->opt.enableSignedCertTimestamps = on;
+ break;
+
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
@@ -859,6 +864,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break;
case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+ on = ss->opt.enableSignedCertTimestamps;
+ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -922,6 +930,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
break;
case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break;
case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+ on = ssl_defaults.enableSignedCertTimestamps;
+ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1097,6 +1108,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
ssl_defaults.enableALPN = on;
break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+ ssl_defaults.enableSignedCertTimestamps = on;
+ break;
+
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
@@ -1921,6 +1936,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc
return &ss->sec.ci.sid->peerCertStatus;
}
+const SECItem *
+SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
+{
+ sslSocket *ss = ssl_FindSocket(fd);
+
+ if (!ss) {
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps",
+ SSL_GETPID(), fd));
+ return NULL;
+ }
+
+ if (!ss->sec.ci.sid) {
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return NULL;
+ }
+
+ if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) {
+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+ return NULL;
+ }
+ return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps;
+}
+
SECStatus
SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
sslSocket *ss = ssl_FindSocket(fd);
diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
--- a/nss/lib/ssl/sslt.h 2014-01-17 18:10:16.793281867 -0800
+++ b/nss/lib/ssl/sslt.h 2014-01-17 18:23:17.956207890 -0800
@@ -202,6 +202,7 @@ typedef enum {
ssl_signature_algorithms_xtn = 13,
ssl_use_srtp_xtn = 14,
ssl_app_layer_protocol_xtn = 16,
+ ssl_signed_certificate_timestamp_xtn = 18, /* RFC 6962 */
ssl_session_ticket_xtn = 35,
ssl_next_proto_nego_xtn = 13172,
ssl_channel_id_xtn = 30032,
@@ -209,6 +210,6 @@ typedef enum {
ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
} SSLExtensionType;
-#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */
+#define SSL_MAX_EXTENSIONS 12 /* doesn't include ssl_padding_xtn. */
#endif /* __sslt_h_ */