| diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
| --- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:11:28.314468184 -0800 |
| +++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:23:17.946207727 -0800 |
| @@ -6682,10 +6682,22 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
| sid->u.ssl3.sessionIDLength = sidBytes.len; |
| PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); |
| |
| + /* Copy Signed Certificate Timestamps, if any. */ |
| + if (ss->xtnData.signedCertTimestamps.data) { |
| + rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, |
| + &ss->xtnData.signedCertTimestamps); |
| + if (rv != SECSuccess) |
| + goto loser; |
| + } |
| + |
| ss->ssl3.hs.isResuming = PR_FALSE; |
| ss->ssl3.hs.ws = wait_server_cert; |
| |
| winner: |
| + /* Clean up the temporary pointer to the handshake buffer. */ |
| + ss->xtnData.signedCertTimestamps.data = NULL; |
| + ss->xtnData.signedCertTimestamps.len = 0; |
| + |
| /* If we will need a ChannelID key then we make the callback now. This |
| * allows the handshake to be restarted cleanly if the callback returns |
| * SECWouldBlock. */ |
| @@ -6711,6 +6723,9 @@ alert_loser: |
| (void)SSL3_SendAlert(ss, alert_fatal, desc); |
| |
| loser: |
| + /* Clean up the temporary pointer to the handshake buffer. */ |
| + ss->xtnData.signedCertTimestamps.data = NULL; |
| + ss->xtnData.signedCertTimestamps.len = 0; |
| errCode = ssl_MapLowLevelError(errCode); |
| return SECFailure; |
| } |
| diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c |
| --- a/nss/lib/ssl/ssl3ext.c 2014-01-17 18:22:54.945827814 -0800 |
| +++ b/nss/lib/ssl/ssl3ext.c 2014-01-17 18:35:21.798168722 -0800 |
| @@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn |
| PRUint32 maxBytes); |
| static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, |
| SECItem *data); |
| +static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, |
| + PRBool append, |
| + PRUint32 maxBytes); |
| +static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, |
| + PRUint16 ex_type, |
| + SECItem *data); |
| |
| /* |
| * Write bytes. Using this function means the SECItem structure |
| @@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler s |
| { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, |
| { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, |
| { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
| + { ssl_signed_certificate_timestamp_xtn, |
| + &ssl3_ClientHandleSignedCertTimestampXtn }, |
| { -1, NULL } |
| }; |
| |
| @@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSend |
| { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, |
| { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
| { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
| - { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } |
| + { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, |
| + { ssl_signed_certificate_timestamp_xtn, |
| + &ssl3_ClientSendSignedCertTimestampXtn } |
| /* any extra entries will appear as { 0, NULL } */ |
| }; |
| |
| @@ -2379,3 +2389,65 @@ ssl3_AppendPaddingExtension(sslSocket *s |
| |
| return extensionLen; |
| } |
| + |
| +/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp |
| + * extension for TLS ClientHellos. */ |
| +static PRInt32 |
| +ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, |
| + PRUint32 maxBytes) |
| +{ |
| + PRInt32 extension_length = 2 /* extension_type */ + |
| + 2 /* length(extension_data) */; |
| + |
| + /* Only send the extension if processing is enabled. */ |
| + if (!ss->opt.enableSignedCertTimestamps) |
| + return 0; |
| + |
| + if (append && maxBytes >= extension_length) { |
| + SECStatus rv; |
| + /* extension_type */ |
| + rv = ssl3_AppendHandshakeNumber(ss, |
| + ssl_signed_certificate_timestamp_xtn, |
| + 2); |
| + if (rv != SECSuccess) |
| + goto loser; |
| + /* zero length */ |
| + rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
| + if (rv != SECSuccess) |
| + goto loser; |
| + ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
| + ssl_signed_certificate_timestamp_xtn; |
| + } else if (maxBytes < extension_length) { |
| + PORT_Assert(0); |
| + return 0; |
| + } |
| + |
| + return extension_length; |
| +loser: |
| + return -1; |
| +} |
| + |
| +static SECStatus |
| +ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, |
| + SECItem *data) |
| +{ |
| + /* We do not yet know whether we'll be resuming a session or creating |
| + * a new one, so we keep a pointer to the data in the TLSExtensionData |
| + * structure. This pointer is only valid in the scope of |
| + * ssl3_HandleServerHello, and, if not resuming a session, the data is |
| + * copied once a new session structure has been set up. |
| + * All parsing is currently left to the application and we accept |
| + * everything, including empty data. |
| + */ |
| + SECItem *scts = &ss->xtnData.signedCertTimestamps; |
| + PORT_Assert(!scts->data && !scts->len); |
| + |
| + if (!data->len) { |
| + /* Empty extension data: RFC 6962 mandates non-empty contents. */ |
| + return SECFailure; |
| + } |
| + *scts = *data; |
| + /* Keep track of negotiated extensions. */ |
| + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
| + return SECSuccess; |
| +} |
| diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
| --- a/nss/lib/ssl/ssl.h 2014-01-17 18:00:11.213237373 -0800 |
| +++ b/nss/lib/ssl/ssl.h 2014-01-17 18:38:15.791045050 -0800 |
| @@ -181,6 +181,9 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF |
| */ |
| #define SSL_ENABLE_ALPN 26 |
| |
| +/* Request Signed Certificate Timestamps via TLS extension (client) */ |
| +#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 27 |
| + |
| #ifdef SSL_DEPRECATED_FUNCTION |
| /* Old deprecated function names */ |
| SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on); |
| @@ -483,6 +486,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertifi |
| */ |
| SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd); |
| |
| +/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp |
| + * extension data provided by the TLS server. The return value is a pointer |
| + * to an internal SECItem that contains the returned response (as a serialized |
| + * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only |
| + * valid until the callback function that calls SSL_PeerSignedCertTimestamps |
| + * (e.g. the authenticate certificate hook, or the handshake callback) returns. |
| + * |
| + * If no Signed Certificate Timestamps were given by the server then the result |
| + * will be empty. If there was an error, then the result will be NULL. |
| + * |
| + * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support |
| + * for Signed Certificate Timestamps to a server. |
| + * |
| + * libssl does not do any parsing or validation of the response itself. |
| + */ |
| +SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd); |
| + |
| /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses |
| * in the fd's data, which may be sent as part of a server side cert_status |
| * handshake message. Parameter |responses| is for the server certificate of |
| diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
| --- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:11:28.314468184 -0800 |
| +++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:27:22.540248428 -0800 |
| @@ -337,6 +337,7 @@ typedef struct sslOptionsStr { |
| unsigned int enableOCSPStapling : 1; /* 25 */ |
| unsigned int enableNPN : 1; /* 26 */ |
| unsigned int enableALPN : 1; /* 27 */ |
| + unsigned int enableSignedCertTimestamps : 1; /* 28 */ |
| } sslOptions; |
| |
| typedef enum { sslHandshakingUndetermined = 0, |
| @@ -719,6 +720,11 @@ struct sslSessionIDStr { |
| * resumption handshake to the original handshake. */ |
| SECItem originalHandshakeHash; |
| |
| + /* Signed certificate timestamps received in a TLS extension. |
| + ** (used only in client). |
| + */ |
| + SECItem signedCertTimestamps; |
| + |
| /* This lock is lazily initialized by CacheSID when a sid is first |
| * cached. Before then, there is no need to lock anything because |
| * the sid isn't being shared by anything. |
| @@ -827,6 +833,18 @@ struct TLSExtensionDataStr { |
| * is beyond ssl3_HandleClientHello function. */ |
| SECItem *sniNameArr; |
| PRUint32 sniNameArrSize; |
| + |
| + /* Signed Certificate Timestamps extracted from the TLS extension. |
| + * (client only). |
| + * This container holds a temporary pointer to the extension data, |
| + * until a session structure (the sec.ci.sid of an sslSocket) is setup |
| + * that can hold a permanent copy of the data |
| + * (in sec.ci.sid.u.ssl3.signedCertTimestamps). |
| + * The data pointed to by this structure is neither explicitly allocated |
| + * nor copied: the pointer points to the handshake message buffer and is |
| + * only valid in the scope of ssl3_HandleServerHello. |
| + */ |
| + SECItem signedCertTimestamps; |
| }; |
| |
| typedef SECStatus (*sslRestartTarget)(sslSocket *); |
| diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c |
| --- a/nss/lib/ssl/sslnonce.c 2014-01-17 18:11:28.314468184 -0800 |
| +++ b/nss/lib/ssl/sslnonce.c 2014-01-17 18:23:17.956207890 -0800 |
| @@ -131,6 +131,9 @@ ssl_DestroySID(sslSessionID *sid) |
| if (sid->u.ssl3.originalHandshakeHash.data) { |
| SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); |
| } |
| + if (sid->u.ssl3.signedCertTimestamps.data) { |
| + SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE); |
| + } |
| |
| if (sid->u.ssl3.lock) { |
| PR_DestroyRWLock(sid->u.ssl3.lock); |
| diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
| --- a/nss/lib/ssl/sslsock.c 2014-01-17 18:04:43.127747463 -0800 |
| +++ b/nss/lib/ssl/sslsock.c 2014-01-17 18:44:09.246889487 -0800 |
| @@ -87,7 +87,8 @@ static sslOptions ssl_defaults = { |
| PR_TRUE, /* cbcRandomIV */ |
| PR_FALSE, /* enableOCSPStapling */ |
| PR_TRUE, /* enableNPN */ |
| - PR_FALSE /* enableALPN */ |
| + PR_FALSE, /* enableALPN */ |
| + PR_FALSE /* enableSignedCertTimestamps */ |
| }; |
| |
| /* |
| @@ -787,6 +788,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh |
| ss->opt.enableALPN = on; |
| break; |
| |
| + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| + ss->opt.enableSignedCertTimestamps = on; |
| + break; |
| + |
| default: |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| rv = SECFailure; |
| @@ -859,6 +864,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh |
| case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
| case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break; |
| case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break; |
| + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| + on = ss->opt.enableSignedCertTimestamps; |
| + break; |
| |
| default: |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| @@ -922,6 +930,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo |
| break; |
| case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break; |
| case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break; |
| + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| + on = ssl_defaults.enableSignedCertTimestamps; |
| + break; |
| |
| default: |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| @@ -1097,6 +1108,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo |
| ssl_defaults.enableALPN = on; |
| break; |
| |
| + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
| + ssl_defaults.enableSignedCertTimestamps = on; |
| + break; |
| + |
| default: |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| @@ -1921,6 +1936,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc |
| return &ss->sec.ci.sid->peerCertStatus; |
| } |
| |
| +const SECItem * |
| +SSL_PeerSignedCertTimestamps(PRFileDesc *fd) |
| +{ |
| + sslSocket *ss = ssl_FindSocket(fd); |
| + |
| + if (!ss) { |
| + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", |
| + SSL_GETPID(), fd)); |
| + return NULL; |
| + } |
| + |
| + if (!ss->sec.ci.sid) { |
| + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
| + return NULL; |
| + } |
| + |
| + if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) { |
| + PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); |
| + return NULL; |
| + } |
| + return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; |
| +} |
| + |
| SECStatus |
| SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { |
| sslSocket *ss = ssl_FindSocket(fd); |
| diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h |
| --- a/nss/lib/ssl/sslt.h 2014-01-17 18:10:16.793281867 -0800 |
| +++ b/nss/lib/ssl/sslt.h 2014-01-17 18:23:17.956207890 -0800 |
| @@ -202,6 +202,7 @@ typedef enum { |
| ssl_signature_algorithms_xtn = 13, |
| ssl_use_srtp_xtn = 14, |
| ssl_app_layer_protocol_xtn = 16, |
| + ssl_signed_certificate_timestamp_xtn = 18, /* RFC 6962 */ |
| ssl_session_ticket_xtn = 35, |
| ssl_next_proto_nego_xtn = 13172, |
| ssl_channel_id_xtn = 30032, |
| @@ -209,6 +210,6 @@ typedef enum { |
| ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
| } SSLExtensionType; |
| |
| -#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */ |
| +#define SSL_MAX_EXTENSIONS 12 /* doesn't include ssl_padding_xtn. */ |
| |
| #endif /* __sslt_h_ */ |