Index: net/third_party/nss/ssl/ssl.h |
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h |
index 47468a0a289a1b712b2a7acde2a28c73dad4c31b..f8503eb5fba151900def95f59f2e145e5b8356f8 100644 |
--- a/net/third_party/nss/ssl/ssl.h |
+++ b/net/third_party/nss/ssl/ssl.h |
@@ -166,6 +166,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd); |
*/ |
#define SSL_CBC_RANDOM_IV 23 |
#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ |
+/* Request Signed Certificate Timestamps via TLS extension (client) */ |
+#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25 |
#ifdef SSL_DEPRECATED_FUNCTION |
/* Old deprecated function names */ |
@@ -469,6 +471,24 @@ SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd); |
*/ |
SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd); |
+/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp |
+ * extension data provided by the TLS server. The return value is a pointer |
+ * to an internal SECItem that contains the returned response (as a serialized |
+ * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only |
+ * valid until the callback function that calls SSL_PeerSignedCertTimestamps |
+ * (e.g. the authenticate certificate hook, or the handshake callback) returns. |
wtc
2013/11/19 23:52:29
Thank you for improving this comment.
I now see t
ekasper
2013/11/20 16:06:27
Yes, I'm pretty sure this is stricter than current
|
+ * |
+ * If no Signed Certificate Timestamps were given by the server then the result |
+ * will be empty. If there was an error, or if SSLv2 was negotiated, then the |
wtc
2013/11/19 23:52:29
Nit: It's not necessary to mention "or if SSLv2 wa
ekasper
2013/11/20 16:06:27
Done, and I've also made it a handshake error for
|
+ * result will be NULL. |
+ * |
+ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support |
+ * for Signed Certificate Timestamps to a server. |
+ * |
+ * libssl does not do any parsing or validation of the response itself. |
+ */ |
+SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd); |
+ |
/* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses |
* in the fd's data, which may be sent as part of a server side cert_status |
* handshake message. Parameter |responses| is for the server certificate of |