Index: net/third_party/nss/patches/signedcertificatetimestamps.patch |
diff --git a/net/third_party/nss/patches/signedcertificatetimestamps.patch b/net/third_party/nss/patches/signedcertificatetimestamps.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..8ac3079f19f042387a022299bfcb098447db122f |
--- /dev/null |
+++ b/net/third_party/nss/patches/signedcertificatetimestamps.patch |
@@ -0,0 +1,421 @@ |
+diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h |
+index 67cc3a7..4cf02aa 100644 |
+--- a/net/third_party/nss/ssl/ssl.h |
++++ b/net/third_party/nss/ssl/ssl.h |
+@@ -161,6 +161,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd); |
+ */ |
+ #define SSL_CBC_RANDOM_IV 23 |
+ #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ |
++/* Request Signed Certificate Timestamps via TLS extension (client) */ |
++#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25 |
+ |
+ #ifdef SSL_DEPRECATED_FUNCTION |
+ /* Old deprecated function names */ |
+@@ -464,6 +466,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd); |
+ */ |
+ SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd); |
+ |
++/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp |
++ * extension data provided by the TLS server. The return value is a pointer |
++ * to an internal SECItem that contains the returned response (as a serialized |
++ * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only |
++ * valid until the callback function that calls SSL_PeerSignedCertTimestamps |
++ * (e.g. the authenticate certificate hook, or the handshake callback) returns. |
++ * |
++ * If no Signed Certificate Timestamps were given by the server then the result |
++ * will be empty. If there was an error, then the result will be NULL. |
++ * |
++ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support |
++ * for Signed Certificate Timestamps to a server. |
++ * |
++ * libssl does not do any parsing or validation of the response itself. |
++ */ |
++SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd); |
++ |
+ /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses |
+ * in the fd's data, which may be sent as part of a server side cert_status |
+ * handshake message. Parameter |responses| is for the server certificate of |
+diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c |
+index 0f1eea4..c2d9eeb 100644 |
+--- a/net/third_party/nss/ssl/ssl3con.c |
++++ b/net/third_party/nss/ssl/ssl3con.c |
+@@ -6639,10 +6639,22 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+ sid->u.ssl3.sessionIDLength = sidBytes.len; |
+ PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); |
+ |
++ /* Copy Signed Certificate Timestamps, if any. */ |
++ if (ss->xtnData.signedCertTimestamps.data) { |
++ rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, |
++ &ss->xtnData.signedCertTimestamps); |
++ if (rv != SECSuccess) |
++ goto loser; |
++ } |
++ |
+ ss->ssl3.hs.isResuming = PR_FALSE; |
+ ss->ssl3.hs.ws = wait_server_cert; |
+ |
+ winner: |
++ /* Clean up the temporary pointer to the handshake buffer. */ |
++ ss->xtnData.signedCertTimestamps.data = NULL; |
++ ss->xtnData.signedCertTimestamps.len = 0; |
++ |
+ /* If we will need a ChannelID key then we make the callback now. This |
+ * allows the handshake to be restarted cleanly if the callback returns |
+ * SECWouldBlock. */ |
+@@ -6668,6 +6680,9 @@ alert_loser: |
+ (void)SSL3_SendAlert(ss, alert_fatal, desc); |
+ |
+ loser: |
++ /* Clean up the temporary pointer to the handshake buffer. */ |
++ ss->xtnData.signedCertTimestamps.data = NULL; |
++ ss->xtnData.signedCertTimestamps.len = 0; |
+ errCode = ssl_MapLowLevelError(errCode); |
+ return SECFailure; |
+ } |
+diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c |
+index adb81ed..02e104d 100644 |
+--- a/net/third_party/nss/ssl/ssl3ext.c |
++++ b/net/third_party/nss/ssl/ssl3ext.c |
+@@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, |
+ PRUint32 maxBytes); |
+ static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, |
+ SECItem *data); |
++static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, |
++ PRBool append, |
++ PRUint32 maxBytes); |
++static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, |
++ PRUint16 ex_type, |
++ SECItem *data); |
+ |
+ /* |
+ * Write bytes. Using this function means the SECItem structure |
+@@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { |
+ { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, |
+ { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, |
+ { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
++ { ssl_signed_certificate_timestamp_xtn, |
++ &ssl3_ClientHandleSignedCertTimestampXtn }, |
+ { -1, NULL } |
+ }; |
+ |
+@@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { |
+ { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, |
+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
+- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } |
++ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, |
++ { ssl_signed_certificate_timestamp_xtn, |
++ &ssl3_ClientSendSignedCertTimestampXtn } |
+ /* any extra entries will appear as { 0, NULL } */ |
+ }; |
+ |
+@@ -2364,3 +2374,65 @@ ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, |
+ |
+ return extensionLen; |
+ } |
++ |
++/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp |
++ * extension for TLS ClientHellos. */ |
++static PRInt32 |
++ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, |
++ PRUint32 maxBytes) |
++{ |
++ PRInt32 extension_length = 2 /* extension_type */ + |
++ 2 /* length(extension_data) */; |
++ |
++ /* Only send the extension if processing is enabled. */ |
++ if (!ss->opt.enableSignedCertTimestamps) |
++ return 0; |
++ |
++ if (append && maxBytes >= extension_length) { |
++ SECStatus rv; |
++ /* extension_type */ |
++ rv = ssl3_AppendHandshakeNumber(ss, |
++ ssl_signed_certificate_timestamp_xtn, |
++ 2); |
++ if (rv != SECSuccess) |
++ goto loser; |
++ /* zero length */ |
++ rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
++ if (rv != SECSuccess) |
++ goto loser; |
++ ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
++ ssl_signed_certificate_timestamp_xtn; |
++ } else if (maxBytes < extension_length) { |
++ PORT_Assert(0); |
++ return 0; |
++ } |
++ |
++ return extension_length; |
++loser: |
++ return -1; |
++} |
++ |
++static SECStatus |
++ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, |
++ SECItem *data) |
++{ |
++ /* We do not yet know whether we'll be resuming a session or creating |
++ * a new one, so we keep a pointer to the data in the TLSExtensionData |
++ * structure. This pointer is only valid in the scope of |
++ * ssl3_HandleServerHello, and, if not resuming a session, the data is |
++ * copied once a new session structure has been set up. |
++ * All parsing is currently left to the application and we accept |
++ * everything, including empty data. |
++ */ |
++ SECItem *scts = &ss->xtnData.signedCertTimestamps; |
++ PORT_Assert(!scts->data && !scts->len); |
++ |
++ if (!data->len) { |
++ /* Empty extension data: RFC 6962 mandates non-empty contents. */ |
++ return SECFailure; |
++ } |
++ *scts = *data; |
++ /* Keep track of negotiated extensions. */ |
++ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
++ return SECSuccess; |
++} |
+diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h |
+index 79aca60..1e4655f 100644 |
+--- a/net/third_party/nss/ssl/sslimpl.h |
++++ b/net/third_party/nss/ssl/sslimpl.h |
+@@ -312,29 +312,30 @@ typedef struct sslOptionsStr { |
+ * list of supported protocols. */ |
+ SECItem nextProtoNego; |
+ |
+- unsigned int useSecurity : 1; /* 1 */ |
+- unsigned int useSocks : 1; /* 2 */ |
+- unsigned int requestCertificate : 1; /* 3 */ |
+- unsigned int requireCertificate : 2; /* 4-5 */ |
+- unsigned int handshakeAsClient : 1; /* 6 */ |
+- unsigned int handshakeAsServer : 1; /* 7 */ |
+- unsigned int enableSSL2 : 1; /* 8 */ |
+- unsigned int unusedBit9 : 1; /* 9 */ |
+- unsigned int unusedBit10 : 1; /* 10 */ |
+- unsigned int noCache : 1; /* 11 */ |
+- unsigned int fdx : 1; /* 12 */ |
+- unsigned int v2CompatibleHello : 1; /* 13 */ |
+- unsigned int detectRollBack : 1; /* 14 */ |
+- unsigned int noStepDown : 1; /* 15 */ |
+- unsigned int bypassPKCS11 : 1; /* 16 */ |
+- unsigned int noLocks : 1; /* 17 */ |
+- unsigned int enableSessionTickets : 1; /* 18 */ |
+- unsigned int enableDeflate : 1; /* 19 */ |
+- unsigned int enableRenegotiation : 2; /* 20-21 */ |
+- unsigned int requireSafeNegotiation : 1; /* 22 */ |
+- unsigned int enableFalseStart : 1; /* 23 */ |
+- unsigned int cbcRandomIV : 1; /* 24 */ |
+- unsigned int enableOCSPStapling : 1; /* 25 */ |
++ unsigned int useSecurity : 1; /* 1 */ |
++ unsigned int useSocks : 1; /* 2 */ |
++ unsigned int requestCertificate : 1; /* 3 */ |
++ unsigned int requireCertificate : 2; /* 4-5 */ |
++ unsigned int handshakeAsClient : 1; /* 6 */ |
++ unsigned int handshakeAsServer : 1; /* 7 */ |
++ unsigned int enableSSL2 : 1; /* 8 */ |
++ unsigned int unusedBit9 : 1; /* 9 */ |
++ unsigned int unusedBit10 : 1; /* 10 */ |
++ unsigned int noCache : 1; /* 11 */ |
++ unsigned int fdx : 1; /* 12 */ |
++ unsigned int v2CompatibleHello : 1; /* 13 */ |
++ unsigned int detectRollBack : 1; /* 14 */ |
++ unsigned int noStepDown : 1; /* 15 */ |
++ unsigned int bypassPKCS11 : 1; /* 16 */ |
++ unsigned int noLocks : 1; /* 17 */ |
++ unsigned int enableSessionTickets : 1; /* 18 */ |
++ unsigned int enableDeflate : 1; /* 19 */ |
++ unsigned int enableRenegotiation : 2; /* 20-21 */ |
++ unsigned int requireSafeNegotiation : 1; /* 22 */ |
++ unsigned int enableFalseStart : 1; /* 23 */ |
++ unsigned int cbcRandomIV : 1; /* 24 */ |
++ unsigned int enableOCSPStapling : 1; /* 25 */ |
++ unsigned int enableSignedCertTimestamps : 1; /* 26 */ |
+ } sslOptions; |
+ |
+ typedef enum { sslHandshakingUndetermined = 0, |
+@@ -713,6 +714,11 @@ struct sslSessionIDStr { |
+ * negotiated as it's used to bind the ChannelID signature on the |
+ * resumption handshake to the original handshake. */ |
+ SECItem originalHandshakeHash; |
++ |
++ /* Signed certificate timestamps received in a TLS extension. |
++ ** (used only in client). |
++ */ |
++ SECItem signedCertTimestamps; |
+ } ssl3; |
+ } u; |
+ }; |
+@@ -804,6 +810,18 @@ struct TLSExtensionDataStr { |
+ * is beyond ssl3_HandleClientHello function. */ |
+ SECItem *sniNameArr; |
+ PRUint32 sniNameArrSize; |
++ |
++ /* Signed Certificate Timestamps extracted from the TLS extension. |
++ * (client only). |
++ * This container holds a temporary pointer to the extension data, |
++ * until a session structure (the sec.ci.sid of an sslSocket) is setup |
++ * that can hold a permanent copy of the data |
++ * (in sec.ci.sid.u.ssl3.signedCertTimestamps). |
++ * The data pointed to by this structure is neither explicitly allocated |
++ * nor copied: the pointer points to the handshake message buffer and is |
++ * only valid in the scope of ssl3_HandleServerHello. |
++ */ |
++ SECItem signedCertTimestamps; |
+ }; |
+ |
+ typedef SECStatus (*sslRestartTarget)(sslSocket *); |
+diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c |
+index eb5004c..1ca19ca 100644 |
+--- a/net/third_party/nss/ssl/sslnonce.c |
++++ b/net/third_party/nss/ssl/sslnonce.c |
+@@ -122,7 +122,21 @@ ssl_DestroySID(sslSessionID *sid) |
+ if (sid->version < SSL_LIBRARY_VERSION_3_0) { |
+ SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE); |
+ SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE); |
++ } else { |
++ if (sid->u.ssl3.sessionTicket.ticket.data) { |
++ SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE); |
++ } |
++ if (sid->u.ssl3.srvName.data) { |
++ SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); |
++ } |
++ if (sid->u.ssl3.signedCertTimestamps.data) { |
++ SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE); |
++ } |
++ if (sid->u.ssl3.originalHandshakeHash.data) { |
++ SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); |
++ } |
+ } |
++ |
+ if (sid->peerID != NULL) |
+ PORT_Free((void *)sid->peerID); /* CONST */ |
+ |
+@@ -142,16 +156,7 @@ ssl_DestroySID(sslSessionID *sid) |
+ if ( sid->localCert ) { |
+ CERT_DestroyCertificate(sid->localCert); |
+ } |
+- if (sid->u.ssl3.sessionTicket.ticket.data) { |
+- SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE); |
+- } |
+- if (sid->u.ssl3.srvName.data) { |
+- SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); |
+- } |
+- if (sid->u.ssl3.originalHandshakeHash.data) { |
+- SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); |
+- } |
+- |
++ |
+ PORT_ZFree(sid, sizeof(sslSessionID)); |
+ } |
+ |
+diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c |
+index b5c17f0..965215d 100644 |
+--- a/net/third_party/nss/ssl/sslsock.c |
++++ b/net/third_party/nss/ssl/sslsock.c |
+@@ -173,7 +173,8 @@ static sslOptions ssl_defaults = { |
+ PR_FALSE, /* requireSafeNegotiation */ |
+ PR_FALSE, /* enableFalseStart */ |
+ PR_TRUE, /* cbcRandomIV */ |
+- PR_FALSE /* enableOCSPStapling */ |
++ PR_FALSE, /* enableOCSPStapling */ |
++ PR_FALSE /* enableSignedCertTimestamps */ |
+ }; |
+ |
+ /* |
+@@ -865,6 +866,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) |
+ ss->opt.enableOCSPStapling = on; |
+ break; |
+ |
++ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
++ ss->opt.enableSignedCertTimestamps = on; |
++ break; |
++ |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; |
+@@ -935,6 +940,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) |
+ case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; |
+ case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
+ case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
++ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
++ on = ss->opt.enableSignedCertTimestamps; |
++ break; |
+ |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+@@ -996,6 +1004,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) |
+ case SSL_ENABLE_OCSP_STAPLING: |
+ on = ssl_defaults.enableOCSPStapling; |
+ break; |
++ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
++ on = ssl_defaults.enableSignedCertTimestamps; |
++ break; |
+ |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+@@ -1163,6 +1174,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) |
+ ssl_defaults.enableOCSPStapling = on; |
+ break; |
+ |
++ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: |
++ ssl_defaults.enableSignedCertTimestamps = on; |
++ break; |
++ |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
+@@ -1993,6 +2008,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc *fd) |
+ return &ss->sec.ci.sid->peerCertStatus; |
+ } |
+ |
++const SECItem * |
++SSL_PeerSignedCertTimestamps(PRFileDesc *fd) |
++{ |
++ sslSocket *ss = ssl_FindSocket(fd); |
++ |
++ if (!ss) { |
++ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", |
++ SSL_GETPID(), fd)); |
++ return NULL; |
++ } |
++ |
++ if (!ss->sec.ci.sid) { |
++ PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
++ return NULL; |
++ } |
++ |
++ if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) { |
++ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); |
++ return NULL; |
++ } |
++ return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; |
++} |
++ |
+ SECStatus |
+ SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { |
+ sslSocket *ss = ssl_FindSocket(fd); |
+@@ -3133,4 +3171,3 @@ loser: |
+ } |
+ return ss; |
+ } |
+- |
+diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h |
+index b813c04..1f5e2c6 100644 |
+--- a/net/third_party/nss/ssl/sslt.h |
++++ b/net/third_party/nss/ssl/sslt.h |
+@@ -202,6 +202,7 @@ typedef enum { |
+ ssl_signature_algorithms_xtn = 13, |
+ ssl_use_srtp_xtn = 14, |
+ ssl_app_layer_protocol_xtn = 16, |
++ ssl_signed_certificate_timestamp_xtn = 18, /* RFC 6962 */ |
+ ssl_session_ticket_xtn = 35, |
+ ssl_next_proto_nego_xtn = 13172, |
+ ssl_channel_id_xtn = 30032, |
+@@ -209,6 +210,6 @@ typedef enum { |
+ ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
+ } SSLExtensionType; |
+ |
+-#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */ |
++#define SSL_MAX_EXTENSIONS 12 /* doesn't include ssl_padding_xtn. */ |
+ |
+ #endif /* __sslt_h_ */ |