Index: net/socket/ssl_client_socket_nss.cc |
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc |
index 89eab143140f5aadadd7e5cf8678d9692499f8a8..9f2f10a51994b4721d46d23224d09724e953c49b 100644 |
--- a/net/socket/ssl_client_socket_nss.cc |
+++ b/net/socket/ssl_client_socket_nss.cc |
@@ -414,6 +414,7 @@ struct HandshakeState { |
channel_id_sent = false; |
server_cert_chain.Reset(NULL); |
server_cert = NULL; |
+ sct_list_from_tls_extension.clear(); |
resumed_handshake = false; |
ssl_connection_status = 0; |
} |
@@ -443,6 +444,8 @@ struct HandshakeState { |
// always be non-NULL. |
PeerCertificateChain server_cert_chain; |
scoped_refptr<X509Certificate> server_cert; |
+ // SignedCertificateTimestampList received via TLS extension (RFC 6962). |
+ std::string sct_list_from_tls_extension; |
// True if the current handshake was the result of TLS session resumption. |
bool resumed_handshake; |
@@ -754,6 +757,10 @@ class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> { |
// Updates the NSS and platform specific certificates. |
void UpdateServerCert(); |
+ // Update the nss_handshake_state_ with SignedCertificateTimestampLists |
+ // received in the handshake, via a TLS extension or (to be implemented) |
+ // OCSP stapling. |
+ void UpdateSignedCertTimestamps(); |
// Updates the nss_handshake_state_ with the negotiated security parameters. |
void UpdateConnectionStatus(); |
// Record histograms for channel id support during full handshakes - resumed |
@@ -1652,6 +1659,7 @@ void SSLClientSocketNSS::Core::HandshakeSucceeded() { |
RecordChannelIDSupportOnNSSTaskRunner(); |
UpdateServerCert(); |
+ UpdateSignedCertTimestamps(); |
UpdateConnectionStatus(); |
UpdateNextProto(); |
@@ -2413,6 +2421,18 @@ void SSLClientSocketNSS::Core::UpdateServerCert() { |
} |
} |
+void SSLClientSocketNSS::Core::UpdateSignedCertTimestamps() { |
+ const SECItem* signed_cert_timestamps = |
+ SSL_PeerSignedCertTimestamps(nss_fd_); |
+ |
+ if (!signed_cert_timestamps || !signed_cert_timestamps->len) |
+ return; |
+ |
+ nss_handshake_state_.sct_list_from_tls_extension = std::string( |
+ reinterpret_cast<char*>(signed_cert_timestamps->data), |
+ signed_cert_timestamps->len); |
+} |
+ |
void SSLClientSocketNSS::Core::UpdateConnectionStatus() { |
SSLChannelInfo channel_info; |
SECStatus ok = SSL_GetChannelInfo(nss_fd_, |
@@ -3175,6 +3195,13 @@ int SSLClientSocketNSS::InitializeSSLOptions() { |
} |
#endif |
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, |
+ ssl_config_.signed_cert_timestamps_enabled); |
+ if (rv != SECSuccess) { |
+ LogFailedNSSFunction(net_log_, "SSL_OptionSet", |
+ "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS"); |
+ } |
+ |
// Chromium patch to libssl |
#ifdef SSL_ENABLE_CACHED_INFO |
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, |
@@ -3320,6 +3347,8 @@ int SSLClientSocketNSS::DoHandshakeComplete(int result) { |
// Done! |
} |
set_channel_id_sent(core_->state().channel_id_sent); |
+ set_signed_cert_timestamps_received( |
+ !core_->state().sct_list_from_tls_extension.empty()); |
LeaveFunction(result); |
return result; |