Index: net/third_party/nss/ssl/sslsock.c |
diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c |
index 072fad5ba0b3fdcab9368d8326dda4f1eb332232..8072f2334cfbf66d23ee95a30b181d030357b84e 100644 |
--- a/net/third_party/nss/ssl/sslsock.c |
+++ b/net/third_party/nss/ssl/sslsock.c |
@@ -173,7 +173,8 @@ static sslOptions ssl_defaults = { |
PR_FALSE, /* requireSafeNegotiation */ |
PR_FALSE, /* enableFalseStart */ |
PR_TRUE, /* cbcRandomIV */ |
- PR_FALSE /* enableOCSPStapling */ |
+ PR_FALSE, /* enableOCSPStapling */ |
+ PR_FALSE /* enableSignedCertTimestamps */ |
}; |
/* |
@@ -863,6 +864,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) |
ss->opt.enableOCSPStapling = on; |
break; |
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
+ ss->opt.enableSignedCertTimestamps = on; |
+ break; |
+ |
default: |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
rv = SECFailure; |
@@ -933,6 +938,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) |
case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; |
case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
+ on = ss->opt.enableSignedCertTimestamps; |
+ break; |
default: |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
@@ -994,6 +1002,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) |
case SSL_ENABLE_OCSP_STAPLING: |
on = ssl_defaults.enableOCSPStapling; |
break; |
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
+ ssl_defaults.enableSignedCertTimestamps = on; |
wtc
2013/11/08 19:51:31
BUG: this should be
on = ssl_defaults.enableSi
ekasper
2013/11/18 17:47:18
Yikes, I appear to have completely botched this fi
|
+ break; |
default: |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
@@ -1991,6 +2002,28 @@ SSL_PeerStapledOCSPResponses(PRFileDesc *fd) |
return &ss->sec.ci.sid->peerCertStatus; |
} |
+const SECItem * |
+SSL_PeerSignedCertTimestamps(PRFileDesc *fd) |
+{ |
+ sslSocket *ss = ssl_FindSocket(fd); |
+ |
+ if (!ss) { |
+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", |
+ SSL_GETPID(), fd)); |
+ return NULL; |
+ } |
+ |
+ if (!ss->sec.ci.sid) { |
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
+ return NULL; |
+ } |
+ |
+ if (ss->version < SSL_LIBRARY_VERSION_3_0) { |
+ return NULL; |
wtc
2013/11/08 19:51:31
Please add:
PORT_SetError(SSL_ERROR_FEATURE_NO
ekasper
2013/11/18 17:47:18
Strictly speaking yes, but I think it's nicer to a
wtc
2013/11/19 23:52:28
Yes, it does. Thanks.
To make it clear it's the u
ekasper
2013/11/20 16:06:27
Done.
|
+ } |
+ return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; |
+} |
+ |
SECStatus |
SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { |
sslSocket *ss = ssl_FindSocket(fd); |
@@ -3131,4 +3164,3 @@ loser: |
} |
return ss; |
} |
- |