Certificate Transparency TLS extension patch for NSS

net/third_party/nss/ssl/ssl.h

Index: net/third_party/nss/ssl/ssl.h
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
index 47468a0a289a1b712b2a7acde2a28c73dad4c31b..dac483ae1bf42b7420a02c3e37fda34b5bc9148f 100644
--- a/net/third_party/nss/ssl/ssl.h
+++ b/net/third_party/nss/ssl/ssl.h
@@ -166,6 +166,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
  */
 #define SSL_CBC_RANDOM_IV 23
 #define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
+/* Request Signed Certificate Timestamps via TLS extension (client) */
+#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
 
 #ifdef SSL_DEPRECATED_FUNCTION 
 /* Old deprecated function names */
@@ -469,6 +471,21 @@ SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd);
  */
 SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd);
 
+/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp
+ * extension data provided by the TLS server. The return value is a pointer

[wtc, 2013/11/08 19:51:31]

Should we mention the extension data is a SignedCertificateTimestampList?

[ekasper, 2013/11/18 17:47:18]

Can't hurt! Done.

+ * to an internal SECItem that contains the returned response; it is only valid
+ * until the callback function that calls SSL_PeerSignedCertTimestamps returns.

[wtc, 2013/11/08 19:51:31]

Please be explicit which callback function you are referring to. I guess it is
the SSLAuthCertificate callback?

[ekasper, 2013/11/18 17:47:18]

I believe the precise callback doesn't matter but normally you'd call it from
AuthCertificate or HandshakeCallback so I've made that explicit. This is similar
to how PeerStapledOCSPResponses are handled (tstclnt calls this from both
hooks).

+ *
+ * If no Signed Certificate Timestamps were given by the server then the result
+ * will be empty. If there was an error, then the result will be NULL.
+ *
+ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to enable Signed
+ * Certificate Timestamps to be provided by a server.

[wtc, 2013/11/08 19:51:31]

Nit: change "to enable Signed Certificate Timestamps to be provided by a server"
to "to request Signed Certificate Timestamps from a server" or "to indicate
support for Signed Certificate Timestamps to a server".

[ekasper, 2013/11/18 17:47:18]

That's much better, thanks. Done. I chose "indicate support" because the server
is not obliged to honour the request.

+ *
+ * libssl does not do any parsing or validation of the response itself.
+ */
+SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd);
+
 /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses
  * in the fd's data, which may be sent as part of a server side cert_status
  * handshake message. Parameter |responses| is for the server certificate of