Certificate Transparency TLS extension patch for NSS

BUG=309578

Review URL: https://codereview.chromium.org/64553002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@236376 0039d316-1c4b-4281-b951-d872f2087c98

10 files changed, 631 insertions, 37 deletions

diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 088252a..b644fc1 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -146,6 +146,10 @@ Patches:
     patches/paddingextension.patch
     patches/paddingextensionall.patch
 
+  * Support the Certificate Transparency (RFC 6962) TLS extension
+    signed_certificate_timestamp (client only).
+    patches/signedcertificatetimestamps.patch
+
 Apply the patches to NSS by running the patches/applypatches.sh script.  Read
 the comments at the top of patches/applypatches.sh for instructions.
 
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
index ca05c92..98eea8e 100755
--- a/net/third_party/nss/patches/applypatches.sh
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -71,3 +71,5 @@ patch -p4 < $patches_dir/paddingextension.patch
 patch -p4 < $patches_dir/paddingextensionall.patch
 
 patch -p4 < $patches_dir/channelid2.patch
+
+patch -p5 < $patches_dir/signedcertificatetimestamps.patch
diff --git a/net/third_party/nss/patches/signedcertificatetimestamps.patch b/net/third_party/nss/patches/signedcertificatetimestamps.patch
new file mode 100644
index 0000000..8ac3079
--- /dev/null
+++ b/net/third_party/nss/patches/signedcertificatetimestamps.patch
@@ -0,0 +1,421 @@
+diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
+index 67cc3a7..4cf02aa 100644
+--- a/net/third_party/nss/ssl/ssl.h
++++ b/net/third_party/nss/ssl/ssl.h
+@@ -161,6 +161,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
+  */
+ #define SSL_CBC_RANDOM_IV 23
+ #define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
++/* Request Signed Certificate Timestamps via TLS extension (client) */
++#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
+ 
+ #ifdef SSL_DEPRECATED_FUNCTION 
+ /* Old deprecated function names */
+@@ -464,6 +466,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd);
+  */
+ SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd);
+ 
++/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp
++ * extension data provided by the TLS server. The return value is a pointer
++ * to an internal SECItem that contains the returned response (as a serialized
++ * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only
++ * valid until the callback function that calls SSL_PeerSignedCertTimestamps
++ * (e.g. the authenticate certificate hook, or the handshake callback) returns.
++ *
++ * If no Signed Certificate Timestamps were given by the server then the result
++ * will be empty. If there was an error, then the result will be NULL.
++ *
++ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support
++ * for Signed Certificate Timestamps to a server.
++ *
++ * libssl does not do any parsing or validation of the response itself.
++ */
++SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd);
++
+ /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses
+  * in the fd's data, which may be sent as part of a server side cert_status
+  * handshake message. Parameter |responses| is for the server certificate of
+diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
+index 0f1eea4..c2d9eeb 100644
+--- a/net/third_party/nss/ssl/ssl3con.c
++++ b/net/third_party/nss/ssl/ssl3con.c
+@@ -6639,10 +6639,22 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+     sid->u.ssl3.sessionIDLength = sidBytes.len;
+     PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
+ 
++    /* Copy Signed Certificate Timestamps, if any. */
++    if (ss->xtnData.signedCertTimestamps.data) {
++	rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps,
++			      &ss->xtnData.signedCertTimestamps);
++	if (rv != SECSuccess)
++	    goto loser;
++    }
++
+     ss->ssl3.hs.isResuming = PR_FALSE;
+     ss->ssl3.hs.ws         = wait_server_cert;
+ 
+ winner:
++    /* Clean up the temporary pointer to the handshake buffer. */
++    ss->xtnData.signedCertTimestamps.data = NULL;
++    ss->xtnData.signedCertTimestamps.len = 0;
++
+     /* If we will need a ChannelID key then we make the callback now. This
+      * allows the handshake to be restarted cleanly if the callback returns
+      * SECWouldBlock. */
+@@ -6668,6 +6680,9 @@ alert_loser:
+     (void)SSL3_SendAlert(ss, alert_fatal, desc);
+ 
+ loser:
++    /* Clean up the temporary pointer to the handshake buffer. */
++    ss->xtnData.signedCertTimestamps.data = NULL;
++    ss->xtnData.signedCertTimestamps.len = 0;
+     errCode = ssl_MapLowLevelError(errCode);
+     return SECFailure;
+ }
+diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
+index adb81ed..02e104d 100644
+--- a/net/third_party/nss/ssl/ssl3ext.c
++++ b/net/third_party/nss/ssl/ssl3ext.c
+@@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append,
+                                          PRUint32 maxBytes);
+ static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
+                                              SECItem *data);
++static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss,
++						     PRBool append,
++						     PRUint32 maxBytes);
++static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss,
++							 PRUint16 ex_type,
++							 SECItem *data);
+ 
+ /*
+  * Write bytes.  Using this function means the SECItem structure
+@@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
+     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
+     { ssl_channel_id_xtn,         &ssl3_ClientHandleChannelIDXtn },
+     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
++    { ssl_signed_certificate_timestamp_xtn,
++      &ssl3_ClientHandleSignedCertTimestampXtn },
+     { -1, NULL }
+ };
+ 
+@@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
+     { ssl_use_srtp_xtn,               &ssl3_SendUseSRTPXtn },
+     { ssl_channel_id_xtn,             &ssl3_ClientSendChannelIDXtn },
+     { ssl_cert_status_xtn,            &ssl3_ClientSendStatusRequestXtn },
+-    { ssl_signature_algorithms_xtn,   &ssl3_ClientSendSigAlgsXtn }
++    { ssl_signature_algorithms_xtn,   &ssl3_ClientSendSigAlgsXtn },
++    { ssl_signed_certificate_timestamp_xtn,
++      &ssl3_ClientSendSignedCertTimestampXtn }
+     /* any extra entries will appear as { 0, NULL }    */
+ };
+ 
+@@ -2364,3 +2374,65 @@ ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
+ 
+     return extensionLen;
+ }
++
++/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
++ * extension for TLS ClientHellos. */
++static PRInt32
++ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
++				      PRUint32 maxBytes)
++{
++    PRInt32 extension_length = 2 /* extension_type */ +
++	    2 /* length(extension_data) */;
++
++    /* Only send the extension if processing is enabled. */
++    if (!ss->opt.enableSignedCertTimestamps)
++	return 0;
++
++    if (append && maxBytes >= extension_length) {
++	SECStatus rv;
++	/* extension_type */
++	rv = ssl3_AppendHandshakeNumber(ss,
++					ssl_signed_certificate_timestamp_xtn,
++					2);
++	if (rv != SECSuccess)
++	    goto loser;
++	/* zero length */
++	rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
++	if (rv != SECSuccess)
++	    goto loser;
++	ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
++		ssl_signed_certificate_timestamp_xtn;
++    } else if (maxBytes < extension_length) {
++	PORT_Assert(0);
++	return 0;
++    }
++
++    return extension_length;
++loser:
++    return -1;
++}
++
++static SECStatus
++ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
++					SECItem *data)
++{
++    /* We do not yet know whether we'll be resuming a session or creating
++     * a new one, so we keep a pointer to the data in the TLSExtensionData
++     * structure. This pointer is only valid in the scope of
++     * ssl3_HandleServerHello, and, if not resuming a session, the data is
++     * copied once a new session structure has been set up.
++     * All parsing is currently left to the application and we accept
++     * everything, including empty data.
++     */
++    SECItem *scts = &ss->xtnData.signedCertTimestamps;
++    PORT_Assert(!scts->data && !scts->len);
++
++    if (!data->len) {
++	/* Empty extension data: RFC 6962 mandates non-empty contents. */
++	return SECFailure;
++    }
++    *scts = *data;
++    /* Keep track of negotiated extensions. */
++    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
++    return SECSuccess;
++}
+diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
+index 79aca60..1e4655f 100644
+--- a/net/third_party/nss/ssl/sslimpl.h
++++ b/net/third_party/nss/ssl/sslimpl.h
+@@ -312,29 +312,30 @@ typedef struct sslOptionsStr {
+      * list of supported protocols. */
+     SECItem nextProtoNego;
+ 
+-    unsigned int useSecurity		: 1;  /*  1 */
+-    unsigned int useSocks		: 1;  /*  2 */
+-    unsigned int requestCertificate	: 1;  /*  3 */
+-    unsigned int requireCertificate	: 2;  /*  4-5 */
+-    unsigned int handshakeAsClient	: 1;  /*  6 */
+-    unsigned int handshakeAsServer	: 1;  /*  7 */
+-    unsigned int enableSSL2		: 1;  /*  8 */
+-    unsigned int unusedBit9		: 1;  /*  9 */
+-    unsigned int unusedBit10		: 1;  /* 10 */
+-    unsigned int noCache		: 1;  /* 11 */
+-    unsigned int fdx			: 1;  /* 12 */
+-    unsigned int v2CompatibleHello	: 1;  /* 13 */
+-    unsigned int detectRollBack  	: 1;  /* 14 */
+-    unsigned int noStepDown             : 1;  /* 15 */
+-    unsigned int bypassPKCS11           : 1;  /* 16 */
+-    unsigned int noLocks                : 1;  /* 17 */
+-    unsigned int enableSessionTickets   : 1;  /* 18 */
+-    unsigned int enableDeflate          : 1;  /* 19 */
+-    unsigned int enableRenegotiation    : 2;  /* 20-21 */
+-    unsigned int requireSafeNegotiation : 1;  /* 22 */
+-    unsigned int enableFalseStart       : 1;  /* 23 */
+-    unsigned int cbcRandomIV            : 1;  /* 24 */
+-    unsigned int enableOCSPStapling     : 1;  /* 25 */
++    unsigned int useSecurity		    : 1;  /*  1 */
++    unsigned int useSocks		    : 1;  /*  2 */
++    unsigned int requestCertificate	    : 1;  /*  3 */
++    unsigned int requireCertificate	    : 2;  /*  4-5 */
++    unsigned int handshakeAsClient	    : 1;  /*  6 */
++    unsigned int handshakeAsServer	    : 1;  /*  7 */
++    unsigned int enableSSL2		    : 1;  /*  8 */
++    unsigned int unusedBit9		    : 1;  /*  9 */
++    unsigned int unusedBit10		    : 1;  /* 10 */
++    unsigned int noCache		    : 1;  /* 11 */
++    unsigned int fdx			    : 1;  /* 12 */
++    unsigned int v2CompatibleHello	    : 1;  /* 13 */
++    unsigned int detectRollBack  	    : 1;  /* 14 */
++    unsigned int noStepDown                 : 1;  /* 15 */
++    unsigned int bypassPKCS11               : 1;  /* 16 */
++    unsigned int noLocks                    : 1;  /* 17 */
++    unsigned int enableSessionTickets       : 1;  /* 18 */
++    unsigned int enableDeflate              : 1;  /* 19 */
++    unsigned int enableRenegotiation        : 2;  /* 20-21 */
++    unsigned int requireSafeNegotiation     : 1;  /* 22 */
++    unsigned int enableFalseStart           : 1;  /* 23 */
++    unsigned int cbcRandomIV                : 1;  /* 24 */
++    unsigned int enableOCSPStapling	    : 1;  /* 25 */
++    unsigned int enableSignedCertTimestamps : 1;  /* 26 */
+ } sslOptions;
+ 
+ typedef enum { sslHandshakingUndetermined = 0,
+@@ -713,6 +714,11 @@ struct sslSessionIDStr {
+              * negotiated as it's used to bind the ChannelID signature on the
+              * resumption handshake to the original handshake. */
+ 	    SECItem           originalHandshakeHash;
++
++	    /* Signed certificate timestamps received in a TLS extension.
++	    ** (used only in client).
++	    */
++	    SECItem	      signedCertTimestamps;
+ 	} ssl3;
+     } u;
+ };
+@@ -804,6 +810,18 @@ struct TLSExtensionDataStr {
+      * is beyond ssl3_HandleClientHello function. */
+     SECItem *sniNameArr;
+     PRUint32 sniNameArrSize;
++
++    /* Signed Certificate Timestamps extracted from the TLS extension.
++     * (client only).
++     * This container holds a temporary pointer to the extension data,
++     * until a session structure (the sec.ci.sid of an sslSocket) is setup
++     * that can hold a permanent copy of the data
++     * (in sec.ci.sid.u.ssl3.signedCertTimestamps).
++     * The data pointed to by this structure is neither explicitly allocated
++     * nor copied: the pointer points to the handshake message buffer and is
++     * only valid in the scope of ssl3_HandleServerHello.
++     */
++    SECItem signedCertTimestamps;
+ };
+ 
+ typedef SECStatus (*sslRestartTarget)(sslSocket *);
+diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c
+index eb5004c..1ca19ca 100644
+--- a/net/third_party/nss/ssl/sslnonce.c
++++ b/net/third_party/nss/ssl/sslnonce.c
+@@ -122,7 +122,21 @@ ssl_DestroySID(sslSessionID *sid)
+     if (sid->version < SSL_LIBRARY_VERSION_3_0) {
+ 	SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
+ 	SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
++    } else {
++	if (sid->u.ssl3.sessionTicket.ticket.data) {
++	    SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
++	}
++	if (sid->u.ssl3.srvName.data) {
++	    SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
++	}
++	if (sid->u.ssl3.signedCertTimestamps.data) {
++	    SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);
++	}
++	if (sid->u.ssl3.originalHandshakeHash.data) {
++	  SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
++	}
+     }
++
+     if (sid->peerID != NULL)
+ 	PORT_Free((void *)sid->peerID);		/* CONST */
+ 
+@@ -142,16 +156,7 @@ ssl_DestroySID(sslSessionID *sid)
+     if ( sid->localCert ) {
+ 	CERT_DestroyCertificate(sid->localCert);
+     }
+-    if (sid->u.ssl3.sessionTicket.ticket.data) {
+-	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
+-    }
+-    if (sid->u.ssl3.srvName.data) {
+-	SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+-    }
+-    if (sid->u.ssl3.originalHandshakeHash.data) {
+-	SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
+-    }
+-    
++
+     PORT_ZFree(sid, sizeof(sslSessionID));
+ }
+ 
+diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
+index b5c17f0..965215d 100644
+--- a/net/third_party/nss/ssl/sslsock.c
++++ b/net/third_party/nss/ssl/sslsock.c
+@@ -173,7 +173,8 @@ static sslOptions ssl_defaults = {
+     PR_FALSE,   /* requireSafeNegotiation */
+     PR_FALSE,   /* enableFalseStart   */
+     PR_TRUE,    /* cbcRandomIV        */
+-    PR_FALSE    /* enableOCSPStapling */
++    PR_FALSE,   /* enableOCSPStapling */
++    PR_FALSE    /* enableSignedCertTimestamps */
+ };
+ 
+ /*
+@@ -865,6 +866,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
+        ss->opt.enableOCSPStapling = on;
+        break;
+ 
++      case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
++       ss->opt.enableSignedCertTimestamps = on;
++       break;
++
+       default:
+ 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ 	rv = SECFailure;
+@@ -935,6 +940,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
+     case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
+     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
+     case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
++    case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
++       on = ss->opt.enableSignedCertTimestamps;
++       break;
+ 
+     default:
+ 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -996,6 +1004,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
+     case SSL_ENABLE_OCSP_STAPLING:
+        on = ssl_defaults.enableOCSPStapling;
+        break;
++    case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
++       on = ssl_defaults.enableSignedCertTimestamps;
++       break;
+ 
+     default:
+ 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -1163,6 +1174,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
+        ssl_defaults.enableOCSPStapling = on;
+        break;
+ 
++      case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
++       ssl_defaults.enableSignedCertTimestamps = on;
++       break;
++
+       default:
+ 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ 	return SECFailure;
+@@ -1993,6 +2008,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc *fd)
+     return &ss->sec.ci.sid->peerCertStatus;
+ }
+ 
++const SECItem *
++SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
++{
++    sslSocket *ss = ssl_FindSocket(fd);
++
++    if (!ss) {
++       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps",
++		SSL_GETPID(), fd));
++       return NULL;
++    }
++
++    if (!ss->sec.ci.sid) {
++       PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
++       return NULL;
++    }
++
++    if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) {
++	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
++	return NULL;
++    }
++    return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps;
++}
++
+ SECStatus
+ SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
+     sslSocket *ss = ssl_FindSocket(fd);
+@@ -3133,4 +3171,3 @@ loser:
+     }
+     return ss;
+ }
+-
+diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
+index b813c04..1f5e2c6 100644
+--- a/net/third_party/nss/ssl/sslt.h
++++ b/net/third_party/nss/ssl/sslt.h
+@@ -202,6 +202,7 @@ typedef enum {
+     ssl_signature_algorithms_xtn     = 13,
+     ssl_use_srtp_xtn                 = 14,
+     ssl_app_layer_protocol_xtn       = 16,
++    ssl_signed_certificate_timestamp_xtn = 18,   /* RFC 6962 */
+     ssl_session_ticket_xtn           = 35,
+     ssl_next_proto_nego_xtn          = 13172,
+     ssl_channel_id_xtn               = 30032,
+@@ -209,6 +210,6 @@ typedef enum {
+     ssl_renegotiation_info_xtn       = 0xff01	/* experimental number */
+ } SSLExtensionType;
+ 
+-#define SSL_MAX_EXTENSIONS             11 /* doesn't include ssl_padding_xtn. */
++#define SSL_MAX_EXTENSIONS             12 /* doesn't include ssl_padding_xtn. */
+ 
+ #endif /* __sslt_h_ */
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
index 67cc3a7..4cf02aa 100644
--- a/net/third_party/nss/ssl/ssl.h
+++ b/net/third_party/nss/ssl/ssl.h
@@ -161,6 +161,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
  */
 #define SSL_CBC_RANDOM_IV 23
 #define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
+/* Request Signed Certificate Timestamps via TLS extension (client) */
+#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
 
 #ifdef SSL_DEPRECATED_FUNCTION 
 /* Old deprecated function names */
@@ -464,6 +466,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd);
  */
 SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd);
 
+/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp
+ * extension data provided by the TLS server. The return value is a pointer
+ * to an internal SECItem that contains the returned response (as a serialized
+ * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only
+ * valid until the callback function that calls SSL_PeerSignedCertTimestamps
+ * (e.g. the authenticate certificate hook, or the handshake callback) returns.
+ *
+ * If no Signed Certificate Timestamps were given by the server then the result
+ * will be empty. If there was an error, then the result will be NULL.
+ *
+ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support
+ * for Signed Certificate Timestamps to a server.
+ *
+ * libssl does not do any parsing or validation of the response itself.
+ */
+SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd);
+
 /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses
  * in the fd's data, which may be sent as part of a server side cert_status
  * handshake message. Parameter |responses| is for the server certificate of
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 0f1eea4..c2d9eeb 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -6639,10 +6639,22 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     sid->u.ssl3.sessionIDLength = sidBytes.len;
     PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
 
+    /* Copy Signed Certificate Timestamps, if any. */
+    if (ss->xtnData.signedCertTimestamps.data) {
+	rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps,
+			      &ss->xtnData.signedCertTimestamps);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
     ss->ssl3.hs.isResuming = PR_FALSE;
     ss->ssl3.hs.ws         = wait_server_cert;
 
 winner:
+    /* Clean up the temporary pointer to the handshake buffer. */
+    ss->xtnData.signedCertTimestamps.data = NULL;
+    ss->xtnData.signedCertTimestamps.len = 0;
+
     /* If we will need a ChannelID key then we make the callback now. This
      * allows the handshake to be restarted cleanly if the callback returns
      * SECWouldBlock. */
@@ -6668,6 +6680,9 @@ alert_loser:
     (void)SSL3_SendAlert(ss, alert_fatal, desc);
 
 loser:
+    /* Clean up the temporary pointer to the handshake buffer. */
+    ss->xtnData.signedCertTimestamps.data = NULL;
+    ss->xtnData.signedCertTimestamps.len = 0;
     errCode = ssl_MapLowLevelError(errCode);
     return SECFailure;
 }
diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
index adb81ed..02e104d 100644
--- a/net/third_party/nss/ssl/ssl3ext.c
+++ b/net/third_party/nss/ssl/ssl3ext.c
@@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append,
                                          PRUint32 maxBytes);
 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
                                              SECItem *data);
+static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss,
+						     PRBool append,
+						     PRUint32 maxBytes);
+static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss,
+							 PRUint16 ex_type,
+							 SECItem *data);
 
 /*
  * Write bytes.  Using this function means the SECItem structure
@@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
     { ssl_channel_id_xtn,         &ssl3_ClientHandleChannelIDXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
+    { ssl_signed_certificate_timestamp_xtn,
+      &ssl3_ClientHandleSignedCertTimestampXtn },
     { -1, NULL }
 };
 
@@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
     { ssl_use_srtp_xtn,               &ssl3_SendUseSRTPXtn },
     { ssl_channel_id_xtn,             &ssl3_ClientSendChannelIDXtn },
     { ssl_cert_status_xtn,            &ssl3_ClientSendStatusRequestXtn },
-    { ssl_signature_algorithms_xtn,   &ssl3_ClientSendSigAlgsXtn }
+    { ssl_signature_algorithms_xtn,   &ssl3_ClientSendSigAlgsXtn },
+    { ssl_signed_certificate_timestamp_xtn,
+      &ssl3_ClientSendSignedCertTimestampXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
@@ -2364,3 +2374,65 @@ ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
 
     return extensionLen;
 }
+
+/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
+ * extension for TLS ClientHellos. */
+static PRInt32
+ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
+				      PRUint32 maxBytes)
+{
+    PRInt32 extension_length = 2 /* extension_type */ +
+	    2 /* length(extension_data) */;
+
+    /* Only send the extension if processing is enabled. */
+    if (!ss->opt.enableSignedCertTimestamps)
+	return 0;
+
+    if (append && maxBytes >= extension_length) {
+	SECStatus rv;
+	/* extension_type */
+	rv = ssl3_AppendHandshakeNumber(ss,
+					ssl_signed_certificate_timestamp_xtn,
+					2);
+	if (rv != SECSuccess)
+	    goto loser;
+	/* zero length */
+	rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+	if (rv != SECSuccess)
+	    goto loser;
+	ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+		ssl_signed_certificate_timestamp_xtn;
+    } else if (maxBytes < extension_length) {
+	PORT_Assert(0);
+	return 0;
+    }
+
+    return extension_length;
+loser:
+    return -1;
+}
+
+static SECStatus
+ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
+					SECItem *data)
+{
+    /* We do not yet know whether we'll be resuming a session or creating
+     * a new one, so we keep a pointer to the data in the TLSExtensionData
+     * structure. This pointer is only valid in the scope of
+     * ssl3_HandleServerHello, and, if not resuming a session, the data is
+     * copied once a new session structure has been set up.
+     * All parsing is currently left to the application and we accept
+     * everything, including empty data.
+     */
+    SECItem *scts = &ss->xtnData.signedCertTimestamps;
+    PORT_Assert(!scts->data && !scts->len);
+
+    if (!data->len) {
+	/* Empty extension data: RFC 6962 mandates non-empty contents. */
+	return SECFailure;
+    }
+    *scts = *data;
+    /* Keep track of negotiated extensions. */
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+    return SECSuccess;
+}
diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index 79aca60..1e4655f 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
@@ -312,29 +312,30 @@ typedef struct sslOptionsStr {
      * list of supported protocols. */
     SECItem nextProtoNego;
 
-    unsigned int useSecurity		: 1;  /*  1 */
-    unsigned int useSocks		: 1;  /*  2 */
-    unsigned int requestCertificate	: 1;  /*  3 */
-    unsigned int requireCertificate	: 2;  /*  4-5 */
-    unsigned int handshakeAsClient	: 1;  /*  6 */
-    unsigned int handshakeAsServer	: 1;  /*  7 */
-    unsigned int enableSSL2		: 1;  /*  8 */
-    unsigned int unusedBit9		: 1;  /*  9 */
-    unsigned int unusedBit10		: 1;  /* 10 */
-    unsigned int noCache		: 1;  /* 11 */
-    unsigned int fdx			: 1;  /* 12 */
-    unsigned int v2CompatibleHello	: 1;  /* 13 */
-    unsigned int detectRollBack  	: 1;  /* 14 */
-    unsigned int noStepDown             : 1;  /* 15 */
-    unsigned int bypassPKCS11           : 1;  /* 16 */
-    unsigned int noLocks                : 1;  /* 17 */
-    unsigned int enableSessionTickets   : 1;  /* 18 */
-    unsigned int enableDeflate          : 1;  /* 19 */
-    unsigned int enableRenegotiation    : 2;  /* 20-21 */
-    unsigned int requireSafeNegotiation : 1;  /* 22 */
-    unsigned int enableFalseStart       : 1;  /* 23 */
-    unsigned int cbcRandomIV            : 1;  /* 24 */
-    unsigned int enableOCSPStapling     : 1;  /* 25 */
+    unsigned int useSecurity		    : 1;  /*  1 */
+    unsigned int useSocks		    : 1;  /*  2 */
+    unsigned int requestCertificate	    : 1;  /*  3 */
+    unsigned int requireCertificate	    : 2;  /*  4-5 */
+    unsigned int handshakeAsClient	    : 1;  /*  6 */
+    unsigned int handshakeAsServer	    : 1;  /*  7 */
+    unsigned int enableSSL2		    : 1;  /*  8 */
+    unsigned int unusedBit9		    : 1;  /*  9 */
+    unsigned int unusedBit10		    : 1;  /* 10 */
+    unsigned int noCache		    : 1;  /* 11 */
+    unsigned int fdx			    : 1;  /* 12 */
+    unsigned int v2CompatibleHello	    : 1;  /* 13 */
+    unsigned int detectRollBack  	    : 1;  /* 14 */
+    unsigned int noStepDown                 : 1;  /* 15 */
+    unsigned int bypassPKCS11               : 1;  /* 16 */
+    unsigned int noLocks                    : 1;  /* 17 */
+    unsigned int enableSessionTickets       : 1;  /* 18 */
+    unsigned int enableDeflate              : 1;  /* 19 */
+    unsigned int enableRenegotiation        : 2;  /* 20-21 */
+    unsigned int requireSafeNegotiation     : 1;  /* 22 */
+    unsigned int enableFalseStart           : 1;  /* 23 */
+    unsigned int cbcRandomIV                : 1;  /* 24 */
+    unsigned int enableOCSPStapling	    : 1;  /* 25 */
+    unsigned int enableSignedCertTimestamps : 1;  /* 26 */
 } sslOptions;
 
 typedef enum { sslHandshakingUndetermined = 0,
@@ -713,6 +714,11 @@ struct sslSessionIDStr {
              * negotiated as it's used to bind the ChannelID signature on the
              * resumption handshake to the original handshake. */
 	    SECItem           originalHandshakeHash;
+
+	    /* Signed certificate timestamps received in a TLS extension.
+	    ** (used only in client).
+	    */
+	    SECItem	      signedCertTimestamps;
 	} ssl3;
     } u;
 };
@@ -804,6 +810,18 @@ struct TLSExtensionDataStr {
      * is beyond ssl3_HandleClientHello function. */
     SECItem *sniNameArr;
     PRUint32 sniNameArrSize;
+
+    /* Signed Certificate Timestamps extracted from the TLS extension.
+     * (client only).
+     * This container holds a temporary pointer to the extension data,
+     * until a session structure (the sec.ci.sid of an sslSocket) is setup
+     * that can hold a permanent copy of the data
+     * (in sec.ci.sid.u.ssl3.signedCertTimestamps).
+     * The data pointed to by this structure is neither explicitly allocated
+     * nor copied: the pointer points to the handshake message buffer and is
+     * only valid in the scope of ssl3_HandleServerHello.
+     */
+    SECItem signedCertTimestamps;
 };
 
 typedef SECStatus (*sslRestartTarget)(sslSocket *);
diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c
index eb5004c..1ca19ca 100644
--- a/net/third_party/nss/ssl/sslnonce.c
+++ b/net/third_party/nss/ssl/sslnonce.c
@@ -122,7 +122,21 @@ ssl_DestroySID(sslSessionID *sid)
     if (sid->version < SSL_LIBRARY_VERSION_3_0) {
 	SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
 	SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
+    } else {
+	if (sid->u.ssl3.sessionTicket.ticket.data) {
+	    SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
+	}
+	if (sid->u.ssl3.srvName.data) {
+	    SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+	}
+	if (sid->u.ssl3.signedCertTimestamps.data) {
+	    SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);
+	}
+	if (sid->u.ssl3.originalHandshakeHash.data) {
+	  SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
+	}
     }
+
     if (sid->peerID != NULL)
 	PORT_Free((void *)sid->peerID);		/* CONST */
 
@@ -142,16 +156,7 @@ ssl_DestroySID(sslSessionID *sid)
     if ( sid->localCert ) {
 	CERT_DestroyCertificate(sid->localCert);
     }
-    if (sid->u.ssl3.sessionTicket.ticket.data) {
-	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
-    }
-    if (sid->u.ssl3.srvName.data) {
-	SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
-    }
-    if (sid->u.ssl3.originalHandshakeHash.data) {
-	SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
-    }
-    
+
     PORT_ZFree(sid, sizeof(sslSessionID));
 }
 
diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
index b5c17f0..965215d 100644
--- a/net/third_party/nss/ssl/sslsock.c
+++ b/net/third_party/nss/ssl/sslsock.c
@@ -173,7 +173,8 @@ static sslOptions ssl_defaults = {
     PR_FALSE,   /* requireSafeNegotiation */
     PR_FALSE,   /* enableFalseStart   */
     PR_TRUE,    /* cbcRandomIV        */
-    PR_FALSE    /* enableOCSPStapling */
+    PR_FALSE,   /* enableOCSPStapling */
+    PR_FALSE    /* enableSignedCertTimestamps */
 };
 
 /*
@@ -865,6 +866,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
        ss->opt.enableOCSPStapling = on;
        break;
 
+      case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+       ss->opt.enableSignedCertTimestamps = on;
+       break;
+
       default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	rv = SECFailure;
@@ -935,6 +940,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
     case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
     case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
+    case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+       on = ss->opt.enableSignedCertTimestamps;
+       break;
 
     default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -996,6 +1004,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
     case SSL_ENABLE_OCSP_STAPLING:
        on = ssl_defaults.enableOCSPStapling;
        break;
+    case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+       on = ssl_defaults.enableSignedCertTimestamps;
+       break;
 
     default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1163,6 +1174,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
        ssl_defaults.enableOCSPStapling = on;
        break;
 
+      case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
+       ssl_defaults.enableSignedCertTimestamps = on;
+       break;
+
       default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
@@ -1993,6 +2008,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc *fd)
     return &ss->sec.ci.sid->peerCertStatus;
 }
 
+const SECItem *
+SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
+{
+    sslSocket *ss = ssl_FindSocket(fd);
+
+    if (!ss) {
+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps",
+		SSL_GETPID(), fd));
+       return NULL;
+    }
+
+    if (!ss->sec.ci.sid) {
+       PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+       return NULL;
+    }
+
+    if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) {
+	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+	return NULL;
+    }
+    return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps;
+}
+
 SECStatus
 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
     sslSocket *ss = ssl_FindSocket(fd);
@@ -3133,4 +3171,3 @@ loser:
     }
     return ss;
 }
-
diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
index b813c04..1f5e2c6 100644
--- a/net/third_party/nss/ssl/sslt.h
+++ b/net/third_party/nss/ssl/sslt.h
@@ -202,6 +202,7 @@ typedef enum {
     ssl_signature_algorithms_xtn     = 13,
     ssl_use_srtp_xtn                 = 14,
     ssl_app_layer_protocol_xtn       = 16,
+    ssl_signed_certificate_timestamp_xtn = 18,   /* RFC 6962 */
     ssl_session_ticket_xtn           = 35,
     ssl_next_proto_nego_xtn          = 13172,
     ssl_channel_id_xtn               = 30032,
@@ -209,6 +210,6 @@ typedef enum {
     ssl_renegotiation_info_xtn       = 0xff01	/* experimental number */
 } SSLExtensionType;
 
-#define SSL_MAX_EXTENSIONS             11 /* doesn't include ssl_padding_xtn. */
+#define SSL_MAX_EXTENSIONS             12 /* doesn't include ssl_padding_xtn. */
 
 #endif /* __sslt_h_ */