Index: net/socket/ssl_client_socket_nss.cc |
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc |
index 89eab143140f5aadadd7e5cf8678d9692499f8a8..0d6a4a693c8d579425cfac1f40cbff5e3753a1ad 100644 |
--- a/net/socket/ssl_client_socket_nss.cc |
+++ b/net/socket/ssl_client_socket_nss.cc |
@@ -414,6 +414,7 @@ struct HandshakeState { |
channel_id_sent = false; |
server_cert_chain.Reset(NULL); |
server_cert = NULL; |
+ sct_list_from_tls_extension.clear(); |
resumed_handshake = false; |
ssl_connection_status = 0; |
} |
@@ -443,6 +444,8 @@ struct HandshakeState { |
// always be non-NULL. |
PeerCertificateChain server_cert_chain; |
scoped_refptr<X509Certificate> server_cert; |
+ // SignedCertificateTimestampList received via TLS extension (RFC 6962). |
+ std::string sct_list_from_tls_extension; |
// True if the current handshake was the result of TLS session resumption. |
bool resumed_handshake; |
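Review bot: The comment added for sct_list_from_tls_extension says where the bytes come from but not what state they are in; within this change the field is only filled verbatim from the extension and tested for emptiness in DoHandshakeComplete, so a reader could take a non-empty value for a validated SCT list. I would extend it to `// Raw SignedCertificateTimestampList bytes received via the TLS extension (RFC 6962); copied as sent by the peer, not parsed or verified here.`. Whether any other writer besides Reset() and UpdateSignedCertTimestamps exists is not visible from this hunk.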
@@ -762,6 +765,10 @@ class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> { |
// UpdateNextProto gets any application-layer protocol that may have been |
// negotiated by the TLS connection. |
void UpdateNextProto(); |
+ // Update the nss_handshake_state_ with SignedCertificateTimestampLists |
+ // received in the handshake, via a TLS extension or (to be implemented) |
+ // OCSP stapling. |
+ void UpdateSignedCertTimestamps(); |
wtc
2013/11/26 17:32:55
Nit: declare this immediately after UpdateServerCe
ekasper
2013/11/26 19:33:54
Done.
|
//////////////////////////////////////////////////////////////////////////// |
// Methods that are ONLY called on the network task runner: |
@@ -1654,6 +1661,7 @@ void SSLClientSocketNSS::Core::HandshakeSucceeded() { |
UpdateServerCert(); |
UpdateConnectionStatus(); |
UpdateNextProto(); |
+ UpdateSignedCertTimestamps(); |
wtc
2013/11/26 17:32:55
Nit: call this immediately after UpdateServerCert(
ekasper
2013/11/26 19:33:54
Done.
|
// Update the network task runners view of the handshake state whenever |
// a handshake has completed. |
@@ -2519,6 +2527,18 @@ void SSLClientSocketNSS::Core::UpdateNextProto() { |
} |
} |
+void SSLClientSocketNSS::Core::UpdateSignedCertTimestamps() { |
+ const SECItem* signed_cert_timestamps = |
+ SSL_PeerSignedCertTimestamps(nss_fd_); |
+ |
+ if (!signed_cert_timestamps || !signed_cert_timestamps->len) |
+ return; |
+ |
+ nss_handshake_state_.sct_list_from_tls_extension = std::string( |
+ reinterpret_cast<char*>(signed_cert_timestamps->data), |
+ signed_cert_timestamps->len); |
wtc
2013/11/26 17:32:55
This should be aligned with reinterpret_cast. (I g
ekasper
2013/11/26 19:33:54
Done. (No reason other than my own sloppiness for
|
+} |
+ |
void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() { |
DCHECK(OnNSSTaskRunner()); |
if (nss_handshake_state_.resumed_handshake) |
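Review bot: UpdateSignedCertTimestamps reads nss_fd_ and writes nss_handshake_state_ without asserting which task runner it runs on, while the neighbouring RecordChannelIDSupportOnNSSTaskRunner opens with `DCHECK(OnNSSTaskRunner());`; giving the new method the same first line keeps the threading contract explicit, as it is called from HandshakeSucceeded alongside UpdateServerCert and UpdateNextProto (whether those two carry the DCHECK is outside this hunk). The pointer cast would also read more honestly as `reinterpret_cast<const char*>(signed_cert_timestamps->data)`, since the data is only copied from. A short comment above the assignment, such as `// Peer-supplied extension payload, stored verbatim; parsing and verification happen downstream.`, would make clear that no validation of the SCT list takes place here.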
@@ -3175,6 +3195,15 @@ int SSLClientSocketNSS::InitializeSSLOptions() { |
} |
#endif |
+ // Chromium patch to libssl. |
+ // TODO(ekasper): does this need a guard? Seems like libssl-only changes |
+ // aren't guarded (ChannelID). |
wtc
2013/11/26 17:32:55
You can remove this whole comment. Correct, we no
ekasper
2013/11/26 19:33:54
Done.
|
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, |
+ ssl_config_.signed_cert_timestamps_enabled); |
+ if (rv != SECSuccess) |
+ LogFailedNSSFunction(net_log_, "SSL_OptionSet", |
+ "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS"); |
wtc
2013/11/26 17:32:55
Add curly braces (because the if statement's body
ekasper
2013/11/26 19:33:54
Done.
|
+ |
// Chromium patch to libssl |
#ifdef SSL_ENABLE_CACHED_INFO |
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, |
@@ -3320,6 +3349,8 @@ int SSLClientSocketNSS::DoHandshakeComplete(int result) { |
// Done! |
} |
set_channel_id_sent(core_->state().channel_id_sent); |
+ set_signed_cert_timestamps_received( |
+ !core_->state().sct_list_from_tls_extension.empty()); |
LeaveFunction(result); |
return result; |