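diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
index 67cc3a7..4cf02aa 100644
--- a/net/third_party/nss/ssl/ssl.h
+++ b/net/third_party/nss/ssl/ssl.h
@@ -161,6 +161,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
  */
 #define SSL_CBC_RANDOM_IV 23
 #define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
+/* Request Signed Certificate Timestamps via TLS extension (client) */
+#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
 
 #ifdef SSL_DEPRECATED_FUNCTION 
 /* Old deprecated function names */
@@ -464,6 +466,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd);
  */
 SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd);
 
+/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp
+ * extension data provided by the TLS server. The return value is a pointer
+ * to an internal SECItem that contains the returned response (as a serialized
+ * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only
+ * valid until the callback function that calls SSL_PeerSignedCertTimestamps
+ * (e.g. the authenticate certificate hook, or the handshake callback) returns.
+ *
+ * If no Signed Certificate Timestamps were given by the server then the result
+ * will be empty. If there was an error, then the result will be NULL.
+ *
+ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support
+ * for Signed Certificate Timestamps to a server.
+ *
+ * libssl does not do any parsing or validation of the response itself.
+ */
+SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd);
+
 /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses
  * in the fd's data, which may be sent as part of a server side cert_status
  * handshake message. Parameter |responses| is for the server certificate of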
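Review bot: The SSL_PeerSignedCertTimestamps comment says that libssl does no parsing or validation, but it stops short of telling callers what that means for them; suggest adding `The caller must parse the SignedCertificateTimestampList itself and verify each SCT's signature against its own set of trusted logs before relying on it.` The "empty" versus NULL distinction would also be clearer if the comment said what "empty" means for the returned SECItem (presumably `len == 0`), since the implementation is not visible in this header and callers will otherwise test `data` or `len` inconsistently.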
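diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 0f1eea4..c2d9eeb 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -6639,10 +6639,22 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     sid->u.ssl3.sessionIDLength = sidBytes.len;
     PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
 
+    /* Copy Signed Certificate Timestamps, if any. */
+    if (ss->xtnData.signedCertTimestamps.data) {
+	rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps,
+			      &ss->xtnData.signedCertTimestamps);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
     ss->ssl3.hs.isResuming = PR_FALSE;
     ss->ssl3.hs.ws         = wait_server_cert;
 
 winner:
+    /* Clean up the temporary pointer to the handshake buffer. */
+    ss->xtnData.signedCertTimestamps.data = NULL;
+    ss->xtnData.signedCertTimestamps.len = 0;
+
     /* If we will need a ChannelID key then we make the callback now. This
      * allows the handshake to be restarted cleanly if the callback returns
      * SECWouldBlock. */
@@ -6668,6 +6680,9 @@ alert_loser:
     (void)SSL3_SendAlert(ss, alert_fatal, desc);
 
 loser:
+    /* Clean up the temporary pointer to the handshake buffer. */
+    ss->xtnData.signedCertTimestamps.data = NULL;
+    ss->xtnData.signedCertTimestamps.len = 0;
     errCode = ssl_MapLowLevelError(errCode);
     return SECFailure;
 }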
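Review bot: The reset of `ss->xtnData.signedCertTimestamps` at `winner:` and `loser:` only covers exits that reach those labels; any return from ssl3_HandleServerHello after the extension handler has run that bypasses them would leave a pointer into the handshake buffer behind, and the handler's `PORT_Assert(!scts->data && !scts->len)` that would catch it compiles out in release builds. Most of the function body lies outside these two hunks, so this is a check to make rather than a confirmed defect; a cheap belt-and-braces option is to also reset the item before the ServerHello extensions are parsed, `ss->xtnData.signedCertTimestamps.data = NULL; ss->xtnData.signedCertTimestamps.len = 0;`. The `SECITEM_CopyItem` into `sid->u.ssl3.signedCertTimestamps` also assumes that item is empty on the new-session path; presumably `sid` is freshly zero-allocated at this point, but if a reused sid could reach here the old allocation would leak.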
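diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
index adb81ed..02e104d 100644
--- a/net/third_party/nss/ssl/ssl3ext.c
+++ b/net/third_party/nss/ssl/ssl3ext.c
@@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append,
                                          PRUint32 maxBytes);
 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
                                              SECItem *data);
+static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss,
+						     PRBool append,
+						     PRUint32 maxBytes);
+static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss,
+							 PRUint16 ex_type,
+							 SECItem *data);
 
 /*
  * Write bytes.  Using this function means the SECItem structure
@@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
     { ssl_channel_id_xtn,         &ssl3_ClientHandleChannelIDXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
+    { ssl_signed_certificate_timestamp_xtn,
+      &ssl3_ClientHandleSignedCertTimestampXtn },
     { -1, NULL }
 };
 
@@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
     { ssl_use_srtp_xtn,               &ssl3_SendUseSRTPXtn },
     { ssl_channel_id_xtn,             &ssl3_ClientSendChannelIDXtn },
     { ssl_cert_status_xtn,            &ssl3_ClientSendStatusRequestXtn },
-    { ssl_signature_algorithms_xtn,   &ssl3_ClientSendSigAlgsXtn }
+    { ssl_signature_algorithms_xtn,   &ssl3_ClientSendSigAlgsXtn },
+    { ssl_signed_certificate_timestamp_xtn,
+      &ssl3_ClientSendSignedCertTimestampXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
@@ -2364,3 +2374,65 @@ ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
 
     return extensionLen;
 }
+
+/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
+ * extension for TLS ClientHellos. */
+static PRInt32
+ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
+				      PRUint32 maxBytes)
+{
+    PRInt32 extension_length = 2 /* extension_type */ +
+	    2 /* length(extension_data) */;
+
+    /* Only send the extension if processing is enabled. */
+    if (!ss->opt.enableSignedCertTimestamps)
+	return 0;
+
+    if (append && maxBytes >= extension_length) {
+	SECStatus rv;
+	/* extension_type */
+	rv = ssl3_AppendHandshakeNumber(ss,
+					ssl_signed_certificate_timestamp_xtn,
+					2);
+	if (rv != SECSuccess)
+	    goto loser;
+	/* zero length */
+	rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+	if (rv != SECSuccess)
+	    goto loser;
+	ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+		ssl_signed_certificate_timestamp_xtn;
+    } else if (maxBytes < extension_length) {
+	PORT_Assert(0);
+	return 0;
+    }
+
+    return extension_length;
+loser:
+    return -1;
+}
+
+static SECStatus
+ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
+					SECItem *data)
+{
+    /* We do not yet know whether we'll be resuming a session or creating
+     * a new one, so we keep a pointer to the data in the TLSExtensionData
+     * structure. This pointer is only valid in the scope of
+     * ssl3_HandleServerHello, and, if not resuming a session, the data is
+     * copied once a new session structure has been set up.
+     * All parsing is currently left to the application and we accept
+     * everything, including empty data.
+     */
+    SECItem *scts = &ss->xtnData.signedCertTimestamps;
+    PORT_Assert(!scts->data && !scts->len);
+
+    if (!data->len) {
+	/* Empty extension data: RFC 6962 mandates non-empty contents. */
+	return SECFailure;
+    }
+    *scts = *data;
+    /* Keep track of negotiated extensions. */
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+    return SECSuccess;
+}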
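Review bot: In ssl3_ClientHandleSignedCertTimestampXtn the header comment says "we accept everything, including empty data", but the code directly below it rejects `!data->len` with SECFailure, so the comment is now wrong; change that sentence to `All parsing is currently left to the application; the only check made here is that the extension data is non-empty, as RFC 6962 requires.` The same comment should also name who clears the stored pointer (the winner/loser paths of ssl3_HandleServerHello), since `*scts = *data;` aliases the handshake buffer and the `PORT_Assert(!scts->data && !scts->len)` that guards against a stale or duplicate entry compiles out in release builds; presumably the generic ServerHello extension loop already rejects duplicate and unsolicited extensions before this handler runs, but that is outside the diff and worth confirming. In ssl3_ClientSendSignedCertTimestampXtn, `maxBytes >= extension_length` and `maxBytes < extension_length` compare a PRUint32 with a PRInt32; harmless for the constant 4 but flagged by -Wsign-compare, and `PRUint32 extension_length = 2 /* extension_type */ + 2 /* length(extension_data) */;` avoids it.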
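diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index 79aca60..1e4655f 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
@@ -312,29 +312,30 @@ typedef struct sslOptionsStr {
      * list of supported protocols. */
     SECItem nextProtoNego;
 
-    unsigned int useSecurity		: 1;  /*  1 */
-    unsigned int useSocks		: 1;  /*  2 */
-    unsigned int requestCertificate	: 1;  /*  3 */
-    unsigned int requireCertificate	: 2;  /*  4-5 */
-    unsigned int handshakeAsClient	: 1;  /*  6 */
-    unsigned int handshakeAsServer	: 1;  /*  7 */
-    unsigned int enableSSL2		: 1;  /*  8 */
-    unsigned int unusedBit9		: 1;  /*  9 */
-    unsigned int unusedBit10		: 1;  /* 10 */
-    unsigned int noCache		: 1;  /* 11 */
-    unsigned int fdx			: 1;  /* 12 */
-    unsigned int v2CompatibleHello	: 1;  /* 13 */
-    unsigned int detectRollBack  	: 1;  /* 14 */
-    unsigned int noStepDown             : 1;  /* 15 */
-    unsigned int bypassPKCS11           : 1;  /* 16 */
-    unsigned int noLocks                : 1;  /* 17 */
-    unsigned int enableSessionTickets   : 1;  /* 18 */
-    unsigned int enableDeflate          : 1;  /* 19 */
-    unsigned int enableRenegotiation    : 2;  /* 20-21 */
-    unsigned int requireSafeNegotiation : 1;  /* 22 */
-    unsigned int enableFalseStart       : 1;  /* 23 */
-    unsigned int cbcRandomIV            : 1;  /* 24 */
-    unsigned int enableOCSPStapling     : 1;  /* 25 */
+    unsigned int useSecurity		    : 1;  /*  1 */
+    unsigned int useSocks		    : 1;  /*  2 */
+    unsigned int requestCertificate	    : 1;  /*  3 */
+    unsigned int requireCertificate	    : 2;  /*  4-5 */
+    unsigned int handshakeAsClient	    : 1;  /*  6 */
+    unsigned int handshakeAsServer	    : 1;  /*  7 */
+    unsigned int enableSSL2		    : 1;  /*  8 */
+    unsigned int unusedBit9		    : 1;  /*  9 */
+    unsigned int unusedBit10		    : 1;  /* 10 */
+    unsigned int noCache		    : 1;  /* 11 */
+    unsigned int fdx			    : 1;  /* 12 */
+    unsigned int v2CompatibleHello	    : 1;  /* 13 */
+    unsigned int detectRollBack  	    : 1;  /* 14 */
+    unsigned int noStepDown                 : 1;  /* 15 */
+    unsigned int bypassPKCS11               : 1;  /* 16 */
+    unsigned int noLocks                    : 1;  /* 17 */
+    unsigned int enableSessionTickets       : 1;  /* 18 */
+    unsigned int enableDeflate              : 1;  /* 19 */
+    unsigned int enableRenegotiation        : 2;  /* 20-21 */
+    unsigned int requireSafeNegotiation     : 1;  /* 22 */
+    unsigned int enableFalseStart           : 1;  /* 23 */
+    unsigned int cbcRandomIV                : 1;  /* 24 */
+    unsigned int enableOCSPStapling	    : 1;  /* 25 */
+    unsigned int enableSignedCertTimestamps : 1;  /* 26 */
 } sslOptions;
 
 typedef enum { sslHandshakingUndetermined = 0,
@@ -713,6 +714,11 @@ struct sslSessionIDStr {
              * negotiated as it's used to bind the ChannelID signature on the
              * resumption handshake to the original handshake. */
 	    SECItem           originalHandshakeHash;
+
+	    /* Signed certificate timestamps received in a TLS extension.
+	    ** (used only in client).
+	    */
+	    SECItem	      signedCertTimestamps;
 	} ssl3;
     } u;
 };
@@ -804,6 +810,18 @@ struct TLSExtensionDataStr {
      * is beyond ssl3_HandleClientHello function. */
     SECItem *sniNameArr;
     PRUint32 sniNameArrSize;
+
+    /* Signed Certificate Timestamps extracted from the TLS extension.
+     * (client only).
+     * This container holds a temporary pointer to the extension data,
+     * until a session structure (the sec.ci.sid of an sslSocket) is setup
+     * that can hold a permanent copy of the data
+     * (in sec.ci.sid.u.ssl3.signedCertTimestamps).
+     * The data pointed to by this structure is neither explicitly allocated
+     * nor copied: the pointer points to the handshake message buffer and is
+     * only valid in the scope of ssl3_HandleServerHello.
+     */
+    SECItem signedCertTimestamps;
 };
 
 typedef SECStatus (*sslRestartTarget)(sslSocket *);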
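Review bot: The new `signedCertTimestamps` member of `sslSessionIDStr.u.ssl3` says what it holds but not who owns the allocation, which is the property a maintainer needs for a SECItem inside a struct that is destroyed and possibly copied elsewhere; suggest extending the comment with `Owned by the sid: filled by SECITEM_CopyItem in ssl3_HandleServerHello and released in ssl_DestroySID.` That comment also uses the `**` continuation style while the adjacent originalHandshakeHash comment uses ` * `; both occur in NSS, but two neighbouring blocks should match. The sslOptions bit-field block now ends with enableSignedCertTimestamps at position 26, and that order must stay in step with the positional `ssl_defaults` initializer in sslsock.c; if nothing above the hunk already says so, a one-line `/* order must match ssl_defaults in sslsock.c */` on the struct would make the coupling visible.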
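diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c
index eb5004c..1ca19ca 100644
--- a/net/third_party/nss/ssl/sslnonce.c
+++ b/net/third_party/nss/ssl/sslnonce.c
@@ -122,7 +122,21 @@ ssl_DestroySID(sslSessionID *sid)
     if (sid->version < SSL_LIBRARY_VERSION_3_0) {
 	SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
 	SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
+    } else {
+	if (sid->u.ssl3.sessionTicket.ticket.data) {
+	    SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
+	}
+	if (sid->u.ssl3.srvName.data) {
+	    SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+	}
+	if (sid->u.ssl3.signedCertTimestamps.data) {
+	    SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);
+	}
+	if (sid->u.ssl3.originalHandshakeHash.data) {
+	  SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
+	}
     }
+
     if (sid->peerID != NULL)
 	PORT_Free((void *)sid->peerID);		/* CONST */
 
@@ -142,16 +156,7 @@ ssl_DestroySID(sslSessionID *sid)
     if ( sid->localCert ) {
 	CERT_DestroyCertificate(sid->localCert);
     }
-    if (sid->u.ssl3.sessionTicket.ticket.data) {
-	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
-    }
-    if (sid->u.ssl3.srvName.data) {
-	SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
-    }
-    if (sid->u.ssl3.originalHandshakeHash.data) {
-	SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
-    }
-    
+
     PORT_ZFree(sid, sizeof(sslSessionID));
 }
 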
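diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
index b5c17f0..965215d 100644
--- a/net/third_party/nss/ssl/sslsock.c
+++ b/net/third_party/nss/ssl/sslsock.c
@@ -173,7 +173,8 @@ static sslOptions ssl_defaults = {
     PR_FALSE,   /* requireSafeNegotiation */
     PR_FALSE,   /* enableFalseStart   */
     PR_TRUE,    /* cbcRandomIV        */
-    PR_FALSE    /* enableOCSPStapling */
+    PR_FALSE,   /* enableOCSPStapling */
+    PR_FALSE    /* enableSignedCertTimestamps */
 };
 
 /*
@@ -865,6 +866,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
        ss->opt.enableOCSPStapling = on;
        break;
 
+      case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+       ss->opt.enableSignedCertTimestamps = on;
+       break;
+
       default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	rv = SECFailure;
@@ -935,6 +940,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
     case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
     case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
+    case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+       on = ss->opt.enableSignedCertTimestamps;
+       break;
 
     default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -996,6 +1004,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
     case SSL_ENABLE_OCSP_STAPLING:
        on = ssl_defaults.enableOCSPStapling;
        break;
+    case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+       on = ssl_defaults.enableSignedCertTimestamps;
+       break;
 
     default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1163,6 +1174,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
        ssl_defaults.enableOCSPStapling = on;
        break;
 
+      case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+       ssl_defaults.enableSignedCertTimestamps = on;
+       break;
+
       default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
@@ -1993,6 +2008,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc *fd)
     return &ss->sec.ci.sid->peerCertStatus;
 }
 
+const SECItem *
+SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
+{
+    sslSocket *ss = ssl_FindSocket(fd);
+
+    if (!ss) {
+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps",
+		SSL_GETPID(), fd));
+       return NULL;
+    }
+
+    if (!ss->sec.ci.sid) {
+       PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+       return NULL;
+    }
+
+    if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) {
+	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+	return NULL;
+    }
+    return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps;
+}
+
 SECStatus
 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
     sslSocket *ss = ssl_FindSocket(fd);
@@ -3133,4 +3171,3 @@ loser:
     }
     return ss;
 }
-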
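Review bot: SSL_PeerSignedCertTimestamps returns `&ss->sec.ci.sid->u.ssl3.signedCertTimestamps` unconditionally once the version check passes, so a handshake in which the server sent no extension presumably yields an empty SECItem rather than NULL (verify against where the extension handler stores it), and whatever bytes the item holds are server-supplied extension data that this function neither parses nor validates. A comment above the definition should state both so callers do not read a non-NULL return as "SCTs present" or as already-checked data: `/* Raw signed_certificate_timestamp extension bytes as sent by the server, not parsed or validated here; an empty item means none was received. Storage belongs to the session, do not free. */`. The bad-socket and no-sid branches indent with seven spaces while the SSL2 branch uses a tab; one convention within the new function would read cleaner.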
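diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
index b813c04..1f5e2c6 100644
--- a/net/third_party/nss/ssl/sslt.h
+++ b/net/third_party/nss/ssl/sslt.h
@@ -202,6 +202,7 @@ typedef enum {
     ssl_signature_algorithms_xtn     = 13,
     ssl_use_srtp_xtn                 = 14,
     ssl_app_layer_protocol_xtn       = 16,
+    ssl_signed_certificate_timestamp_xtn = 18,   /* RFC 6962 */
     ssl_session_ticket_xtn           = 35,
     ssl_next_proto_nego_xtn          = 13172,
     ssl_channel_id_xtn               = 30032,
@@ -209,6 +210,6 @@ typedef enum {
     ssl_renegotiation_info_xtn       = 0xff01	/* experimental number */
 } SSLExtensionType;
 
-#define SSL_MAX_EXTENSIONS             11 /* doesn't include ssl_padding_xtn. */
+#define SSL_MAX_EXTENSIONS             12 /* doesn't include ssl_padding_xtn. */
 
 #endif /* __sslt_h_ */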
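Review bot: SSL_MAX_EXTENSIONS is bumped by hand from 11 to 12 in the second hunk to match the enumerator added in the first, but nothing in the header ties the count to the enum, so the next extension added without a matching bump would leave whatever arrays are sized by it (not visible here) one short. Extending the comment to say what the number must track would make the invariant explicit: `/* Number of SSLExtensionType values above, excluding ssl_padding_xtn; bump when adding an extension. */`. The SSLExtensionType definition starts outside the first hunk, so the full list it counts cannot be checked from this section.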