Certificate Transparency TLS extension patch for NSS

net/third_party/nss/ssl/sslnonce.c

Index: net/third_party/nss/ssl/sslnonce.c
diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c
index a6f734948a3448e9af6f0b9eddc5a103593a63ba..6d330f014df7328b10f311b9d623603ea1f4ca2b 100644
--- a/net/third_party/nss/ssl/sslnonce.c
+++ b/net/third_party/nss/ssl/sslnonce.c
@@ -142,13 +142,19 @@ ssl_DestroySID(sslSessionID *sid)
     if ( sid->localCert ) {
 	CERT_DestroyCertificate(sid->localCert);
     }
-    if (sid->u.ssl3.sessionTicket.ticket.data) {
-	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
-    }
-    if (sid->u.ssl3.srvName.data) {
-	SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+
+    if (sid->version >= SSL_LIBRARY_VERSION_3_0) {

[wtc, 2013/11/08 19:51:31]

We are planning to remove the SSL 2.0 code within twelve months, so I suggest we
not add this sid->version check.

[ekasper, 2013/11/18 17:47:18]

u is a union and u.ssl3 is only valid for a 3.0 session, so I think we need this
check. (In practice this is tail end of the union so should be zeroed for ssl2,
but still.)

[wtc, 2013/11/19 23:52:28]

I see. This makes sense, thanks.

I suggest that we combine this with the if statement on lines 122-125.

[ekasper, 2013/11/20 16:06:27]

Done.

+	if (sid->u.ssl3.sessionTicket.ticket.data) {
+	    SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
+	}
+	if (sid->u.ssl3.srvName.data) {
+	    SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+	}
+	if (sid->u.ssl3.signedCertTimestamps.data) {
+	    SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);
+	}
     }
-    
+
     PORT_ZFree(sid, sizeof(sslSessionID));
 }