Add support for fetching Certificate Transparency SCTs over a TLS extension

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 89eab143140f5aadadd7e5cf8678d9692499f8a8..0d6a4a693c8d579425cfac1f40cbff5e3753a1ad 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -414,6 +414,7 @@ struct HandshakeState {
     channel_id_sent = false;
     server_cert_chain.Reset(NULL);
     server_cert = NULL;
+    sct_list_from_tls_extension.clear();
     resumed_handshake = false;
     ssl_connection_status = 0;
   }
@@ -443,6 +444,8 @@ struct HandshakeState {
   // always be non-NULL.
   PeerCertificateChain server_cert_chain;
   scoped_refptr<X509Certificate> server_cert;
+  // SignedCertificateTimestampList received via TLS extension (RFC 6962).
+  std::string sct_list_from_tls_extension;
 
   // True if the current handshake was the result of TLS session resumption.
   bool resumed_handshake;
@@ -762,6 +765,10 @@ class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> {
   // UpdateNextProto gets any application-layer protocol that may have been
   // negotiated by the TLS connection.
   void UpdateNextProto();
+  // Update the nss_handshake_state_ with SignedCertificateTimestampLists
+  // received in the handshake, via a TLS extension or (to be implemented)
+  // OCSP stapling.
+  void UpdateSignedCertTimestamps();

[wtc, 2013/11/26 17:32:55]

Nit: declare this immediately after UpdateServerCert() because they are related.

[ekasper, 2013/11/26 19:33:54]

Done.

 
   ////////////////////////////////////////////////////////////////////////////
   // Methods that are ONLY called on the network task runner:
@@ -1654,6 +1661,7 @@ void SSLClientSocketNSS::Core::HandshakeSucceeded() {
   UpdateServerCert();
   UpdateConnectionStatus();
   UpdateNextProto();
+  UpdateSignedCertTimestamps();

[wtc, 2013/11/26 17:32:55]

Nit: call this immediately after UpdateServerCert() because they are related.

[ekasper, 2013/11/26 19:33:54]

Done.

 
   // Update the network task runners view of the handshake state whenever
   // a handshake has completed.
@@ -2519,6 +2527,18 @@ void SSLClientSocketNSS::Core::UpdateNextProto() {
   }
 }
 
+void SSLClientSocketNSS::Core::UpdateSignedCertTimestamps() {
+  const SECItem* signed_cert_timestamps =
+      SSL_PeerSignedCertTimestamps(nss_fd_);
+
+  if (!signed_cert_timestamps || !signed_cert_timestamps->len)
+    return;
+
+  nss_handshake_state_.sct_list_from_tls_extension = std::string(
+      reinterpret_cast<char*>(signed_cert_timestamps->data),
+                              signed_cert_timestamps->len);

[wtc, 2013/11/26 17:32:55]

This should be aligned with reinterpret_cast. (I guess you want to highlight the
common "signed_cert_timestamps->" part of these two arguments.

[ekasper, 2013/11/26 19:33:54]

Done. (No reason other than my own sloppiness for the bad indent.)

+}
+
 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() {
   DCHECK(OnNSSTaskRunner());
   if (nss_handshake_state_.resumed_handshake)
@@ -3175,6 +3195,15 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
   }
 #endif
 
+  // Chromium patch to libssl.
+  // TODO(ekasper): does this need a guard? Seems like libssl-only changes
+  // aren't guarded (ChannelID).

[wtc, 2013/11/26 17:32:55]

You can remove this whole comment. Correct, we no longer add #ifdef guard for
libssl-only changes.

[ekasper, 2013/11/26 19:33:54]

Done.

+  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
+                     ssl_config_.signed_cert_timestamps_enabled);
+  if (rv != SECSuccess)
+    LogFailedNSSFunction(net_log_, "SSL_OptionSet",
+                         "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS");

[wtc, 2013/11/26 17:32:55]

Add curly braces (because the if statement's body spans multiple lines).

[ekasper, 2013/11/26 19:33:54]

Done.

+
 // Chromium patch to libssl
 #ifdef SSL_ENABLE_CACHED_INFO
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO,
@@ -3320,6 +3349,8 @@ int SSLClientSocketNSS::DoHandshakeComplete(int result) {
     // Done!
   }
   set_channel_id_sent(core_->state().channel_id_sent);
+  set_signed_cert_timestamps_received(
+      !core_->state().sct_list_from_tls_extension.empty());
 
   LeaveFunction(result);
   return result;