
Unified Diff: net/third_party/nss/ssl/sslimpl.h

Issue 64553002: Certificate Transparency TLS extension patch for NSS (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 7 years, 1 month ago
Index: net/third_party/nss/ssl/sslimpl.h
diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index 614eed145ecf3a35994c46b1b7cabbd141cf1b51..c17cc23cac606a8f4dbb580fd449e6a2a9de1956 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
@@ -305,29 +305,30 @@ typedef struct sslOptionsStr {
* list of supported protocols. */
SECItem nextProtoNego;
- unsigned int useSecurity : 1; /* 1 */
- unsigned int useSocks : 1; /* 2 */
- unsigned int requestCertificate : 1; /* 3 */
- unsigned int requireCertificate : 2; /* 4-5 */
- unsigned int handshakeAsClient : 1; /* 6 */
- unsigned int handshakeAsServer : 1; /* 7 */
- unsigned int enableSSL2 : 1; /* 8 */
- unsigned int unusedBit9 : 1; /* 9 */
- unsigned int unusedBit10 : 1; /* 10 */
- unsigned int noCache : 1; /* 11 */
- unsigned int fdx : 1; /* 12 */
- unsigned int v2CompatibleHello : 1; /* 13 */
- unsigned int detectRollBack : 1; /* 14 */
- unsigned int noStepDown : 1; /* 15 */
- unsigned int bypassPKCS11 : 1; /* 16 */
- unsigned int noLocks : 1; /* 17 */
- unsigned int enableSessionTickets : 1; /* 18 */
- unsigned int enableDeflate : 1; /* 19 */
- unsigned int enableRenegotiation : 2; /* 20-21 */
- unsigned int requireSafeNegotiation : 1; /* 22 */
- unsigned int enableFalseStart : 1; /* 23 */
- unsigned int cbcRandomIV : 1; /* 24 */
- unsigned int enableOCSPStapling : 1; /* 25 */
+ unsigned int useSecurity : 1; /* 1 */
+ unsigned int useSocks : 1; /* 2 */
+ unsigned int requestCertificate : 1; /* 3 */
+ unsigned int requireCertificate : 2; /* 4-5 */
+ unsigned int handshakeAsClient : 1; /* 6 */
+ unsigned int handshakeAsServer : 1; /* 7 */
+ unsigned int enableSSL2 : 1; /* 8 */
+ unsigned int unusedBit9 : 1; /* 9 */
+ unsigned int unusedBit10 : 1; /* 10 */
+ unsigned int noCache : 1; /* 11 */
+ unsigned int fdx : 1; /* 12 */
+ unsigned int v2CompatibleHello : 1; /* 13 */
+ unsigned int detectRollBack : 1; /* 14 */
+ unsigned int noStepDown : 1; /* 15 */
+ unsigned int bypassPKCS11 : 1; /* 16 */
+ unsigned int noLocks : 1; /* 17 */
+ unsigned int enableSessionTickets : 1; /* 18 */
+ unsigned int enableDeflate : 1; /* 19 */
+ unsigned int enableRenegotiation : 2; /* 20-21 */
+ unsigned int requireSafeNegotiation : 1; /* 22 */
+ unsigned int enableFalseStart : 1; /* 23 */
+ unsigned int cbcRandomIV : 1; /* 24 */
+ unsigned int enableOCSPStapling : 1; /* 25 */
+ unsigned int enableSignedCertTimestamps : 1; /* 26 */
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
@@ -698,6 +699,10 @@ struct sslSessionIDStr {
*/
NewSessionTicket sessionTicket;
SECItem srvName;
+ /* Signed certificate timestamps received in a TLS extension.
wtc 2013/11/08 19:51:31 Nit: add a blank line before this line.
ekasper 2013/11/18 17:47:18 Done.
+ ** (used only in client).
+ */
+ SECItem signedCertTimestamps;
} ssl3;
} u;
};
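Review bot: The comment on the new `signedCertTimestamps` member of `ssl3` says where the data comes from and that it is client-only, but not who owns the buffer. `TLSExtensionDataStr` gains a field with the same name and type that is only a borrowed pointer, so the type alone does not tell a reader which of the two may be freed. I would add a line such as `** This is the session's own copy and is freed with the session ID.` to the comment. The copy and the release of this item are outside the hunk, so it is worth checking that the session ID destructor frees it and that the copy is made with a real allocation rather than by assigning the borrowed `SECItem`.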
@@ -789,6 +794,15 @@ struct TLSExtensionDataStr {
* is beyond ssl3_HandleClientHello function. */
SECItem *sniNameArr;
PRUint32 sniNameArrSize;
+ /* Signed Certificate Timestamps extracted from the TLS extension.
wtc 2013/11/08 19:51:31 Nit: add a blank line before this line.
ekasper 2013/11/18 17:47:18 Done.
+ * (client only).
+ * This container holds a temporary pointer to the extension data,
+ * until a session is setup that can hold a permanent copy of the data.
wtc 2013/11/08 19:51:31 Is the 'signedCertTimestamps' SECItem on line 705
ekasper 2013/11/18 17:47:18 Yup.
+ * The data pointed to by this structure is neither explicitly allocated
+ * nor copied: the pointer points to the handshake message buffer and is
+ * only valid in the scope of ssl3_HandleServerHello.
+ */
+ SECItem signedCertTimestamps;
};
typedef SECStatus (*sslRestartTarget)(sslSocket *);
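Review bot: The `signedCertTimestamps` item added to `TLSExtensionDataStr` is a borrowed pointer into the handshake message buffer, yet the struct that holds it is not scoped to ssl3_HandleServerHello, so the field can outlive the memory it points to. The comment states the validity window, but nothing in this hunk enforces it. I would reset the item (`data` to NULL, `len` to 0) on every exit from ssl3_HandleServerHello, including the error paths, so that a later read or a renegotiation sees an empty item instead of a stale pointer. The comment should also say that this item must never be passed to `SECITEM_FreeItem`. The handler and the copy into the session are outside this hunk, so the reset may already be done there.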
