diff options
Diffstat (limited to 'net/third_party/nss')
| -rw-r--r-- | net/third_party/nss/README.chromium | 4 | ||||
| -rwxr-xr-x | net/third_party/nss/patches/applypatches.sh | 2 | ||||
| -rw-r--r-- | net/third_party/nss/patches/signedcertificatetimestamps.patch | 421 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/ssl.h | 19 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/ssl3con.c | 15 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/ssl3ext.c | 74 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslimpl.h | 64 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslnonce.c | 25 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslsock.c | 41 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslt.h | 3 |
10 files changed, 631 insertions, 37 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium index 088252a..b644fc1 100644 --- a/net/third_party/nss/README.chromium +++ b/net/third_party/nss/README.chromium @@ -146,6 +146,10 @@ Patches: patches/paddingextension.patch patches/paddingextensionall.patch + * Support the Certificate Transparency (RFC 6962) TLS extension + signed_certificate_timestamp (client only). + patches/signedcertificatetimestamps.patch + Apply the patches to NSS by running the patches/applypatches.sh script. Read the comments at the top of patches/applypatches.sh for instructions. diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh index ca05c92..98eea8e 100755 --- a/net/third_party/nss/patches/applypatches.sh +++ b/net/third_party/nss/patches/applypatches.sh @@ -71,3 +71,5 @@ patch -p4 < $patches_dir/paddingextension.patch patch -p4 < $patches_dir/paddingextensionall.patch patch -p4 < $patches_dir/channelid2.patch + +patch -p5 < $patches_dir/signedcertificatetimestamps.patch diff --git a/net/third_party/nss/patches/signedcertificatetimestamps.patch b/net/third_party/nss/patches/signedcertificatetimestamps.patch new file mode 100644 index 0000000..8ac3079 --- /dev/null +++ b/net/third_party/nss/patches/signedcertificatetimestamps.patch @@ -0,0 +1,421 @@ +diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h +index 67cc3a7..4cf02aa 100644 +--- a/net/third_party/nss/ssl/ssl.h ++++ b/net/third_party/nss/ssl/ssl.h +@@ -161,6 +161,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd); + */ + #define SSL_CBC_RANDOM_IV 23 + #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ ++/* Request Signed Certificate Timestamps via TLS extension (client) */ ++#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25 + + #ifdef SSL_DEPRECATED_FUNCTION + /* Old deprecated function names */ +@@ -464,6 +466,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd); + */ + SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd); + ++/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp ++ * extension data provided by the TLS server. The return value is a pointer ++ * to an internal SECItem that contains the returned response (as a serialized ++ * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only ++ * valid until the callback function that calls SSL_PeerSignedCertTimestamps ++ * (e.g. the authenticate certificate hook, or the handshake callback) returns. ++ * ++ * If no Signed Certificate Timestamps were given by the server then the result ++ * will be empty. If there was an error, then the result will be NULL. ++ * ++ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support ++ * for Signed Certificate Timestamps to a server. ++ * ++ * libssl does not do any parsing or validation of the response itself. ++ */ ++SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd); ++ + /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses + * in the fd's data, which may be sent as part of a server side cert_status + * handshake message. Parameter |responses| is for the server certificate of +diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c +index 0f1eea4..c2d9eeb 100644 +--- a/net/third_party/nss/ssl/ssl3con.c ++++ b/net/third_party/nss/ssl/ssl3con.c +@@ -6639,10 +6639,22 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) + sid->u.ssl3.sessionIDLength = sidBytes.len; + PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); + ++ /* Copy Signed Certificate Timestamps, if any. */ ++ if (ss->xtnData.signedCertTimestamps.data) { ++ rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, ++ &ss->xtnData.signedCertTimestamps); ++ if (rv != SECSuccess) ++ goto loser; ++ } ++ + ss->ssl3.hs.isResuming = PR_FALSE; + ss->ssl3.hs.ws = wait_server_cert; + + winner: ++ /* Clean up the temporary pointer to the handshake buffer. */ ++ ss->xtnData.signedCertTimestamps.data = NULL; ++ ss->xtnData.signedCertTimestamps.len = 0; ++ + /* If we will need a ChannelID key then we make the callback now. This + * allows the handshake to be restarted cleanly if the callback returns + * SECWouldBlock. */ +@@ -6668,6 +6680,9 @@ alert_loser: + (void)SSL3_SendAlert(ss, alert_fatal, desc); + + loser: ++ /* Clean up the temporary pointer to the handshake buffer. */ ++ ss->xtnData.signedCertTimestamps.data = NULL; ++ ss->xtnData.signedCertTimestamps.len = 0; + errCode = ssl_MapLowLevelError(errCode); + return SECFailure; + } +diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c +index adb81ed..02e104d 100644 +--- a/net/third_party/nss/ssl/ssl3ext.c ++++ b/net/third_party/nss/ssl/ssl3ext.c +@@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, + PRUint32 maxBytes); + static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, + SECItem *data); ++static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, ++ PRBool append, ++ PRUint32 maxBytes); ++static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, ++ PRUint16 ex_type, ++ SECItem *data); + + /* + * Write bytes. Using this function means the SECItem structure +@@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { + { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, + { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, + { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, ++ { ssl_signed_certificate_timestamp_xtn, ++ &ssl3_ClientHandleSignedCertTimestampXtn }, + { -1, NULL } + }; + +@@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { + { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, + { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, +- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } ++ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, ++ { ssl_signed_certificate_timestamp_xtn, ++ &ssl3_ClientSendSignedCertTimestampXtn } + /* any extra entries will appear as { 0, NULL } */ + }; + +@@ -2364,3 +2374,65 @@ ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, + + return extensionLen; + } ++ ++/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp ++ * extension for TLS ClientHellos. */ ++static PRInt32 ++ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, ++ PRUint32 maxBytes) ++{ ++ PRInt32 extension_length = 2 /* extension_type */ + ++ 2 /* length(extension_data) */; ++ ++ /* Only send the extension if processing is enabled. */ ++ if (!ss->opt.enableSignedCertTimestamps) ++ return 0; ++ ++ if (append && maxBytes >= extension_length) { ++ SECStatus rv; ++ /* extension_type */ ++ rv = ssl3_AppendHandshakeNumber(ss, ++ ssl_signed_certificate_timestamp_xtn, ++ 2); ++ if (rv != SECSuccess) ++ goto loser; ++ /* zero length */ ++ rv = ssl3_AppendHandshakeNumber(ss, 0, 2); ++ if (rv != SECSuccess) ++ goto loser; ++ ss->xtnData.advertised[ss->xtnData.numAdvertised++] = ++ ssl_signed_certificate_timestamp_xtn; ++ } else if (maxBytes < extension_length) { ++ PORT_Assert(0); ++ return 0; ++ } ++ ++ return extension_length; ++loser: ++ return -1; ++} ++ ++static SECStatus ++ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, ++ SECItem *data) ++{ ++ /* We do not yet know whether we'll be resuming a session or creating ++ * a new one, so we keep a pointer to the data in the TLSExtensionData ++ * structure. This pointer is only valid in the scope of ++ * ssl3_HandleServerHello, and, if not resuming a session, the data is ++ * copied once a new session structure has been set up. ++ * All parsing is currently left to the application and we accept ++ * everything, including empty data. ++ */ ++ SECItem *scts = &ss->xtnData.signedCertTimestamps; ++ PORT_Assert(!scts->data && !scts->len); ++ ++ if (!data->len) { ++ /* Empty extension data: RFC 6962 mandates non-empty contents. */ ++ return SECFailure; ++ } ++ *scts = *data; ++ /* Keep track of negotiated extensions. */ ++ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; ++ return SECSuccess; ++} +diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h +index 79aca60..1e4655f 100644 +--- a/net/third_party/nss/ssl/sslimpl.h ++++ b/net/third_party/nss/ssl/sslimpl.h +@@ -312,29 +312,30 @@ typedef struct sslOptionsStr { + * list of supported protocols. */ + SECItem nextProtoNego; + +- unsigned int useSecurity : 1; /* 1 */ +- unsigned int useSocks : 1; /* 2 */ +- unsigned int requestCertificate : 1; /* 3 */ +- unsigned int requireCertificate : 2; /* 4-5 */ +- unsigned int handshakeAsClient : 1; /* 6 */ +- unsigned int handshakeAsServer : 1; /* 7 */ +- unsigned int enableSSL2 : 1; /* 8 */ +- unsigned int unusedBit9 : 1; /* 9 */ +- unsigned int unusedBit10 : 1; /* 10 */ +- unsigned int noCache : 1; /* 11 */ +- unsigned int fdx : 1; /* 12 */ +- unsigned int v2CompatibleHello : 1; /* 13 */ +- unsigned int detectRollBack : 1; /* 14 */ +- unsigned int noStepDown : 1; /* 15 */ +- unsigned int bypassPKCS11 : 1; /* 16 */ +- unsigned int noLocks : 1; /* 17 */ +- unsigned int enableSessionTickets : 1; /* 18 */ +- unsigned int enableDeflate : 1; /* 19 */ +- unsigned int enableRenegotiation : 2; /* 20-21 */ +- unsigned int requireSafeNegotiation : 1; /* 22 */ +- unsigned int enableFalseStart : 1; /* 23 */ +- unsigned int cbcRandomIV : 1; /* 24 */ +- unsigned int enableOCSPStapling : 1; /* 25 */ ++ unsigned int useSecurity : 1; /* 1 */ ++ unsigned int useSocks : 1; /* 2 */ ++ unsigned int requestCertificate : 1; /* 3 */ ++ unsigned int requireCertificate : 2; /* 4-5 */ ++ unsigned int handshakeAsClient : 1; /* 6 */ ++ unsigned int handshakeAsServer : 1; /* 7 */ ++ unsigned int enableSSL2 : 1; /* 8 */ ++ unsigned int unusedBit9 : 1; /* 9 */ ++ unsigned int unusedBit10 : 1; /* 10 */ ++ unsigned int noCache : 1; /* 11 */ ++ unsigned int fdx : 1; /* 12 */ ++ unsigned int v2CompatibleHello : 1; /* 13 */ ++ unsigned int detectRollBack : 1; /* 14 */ ++ unsigned int noStepDown : 1; /* 15 */ ++ unsigned int bypassPKCS11 : 1; /* 16 */ ++ unsigned int noLocks : 1; /* 17 */ ++ unsigned int enableSessionTickets : 1; /* 18 */ ++ unsigned int enableDeflate : 1; /* 19 */ ++ unsigned int enableRenegotiation : 2; /* 20-21 */ ++ unsigned int requireSafeNegotiation : 1; /* 22 */ ++ unsigned int enableFalseStart : 1; /* 23 */ ++ unsigned int cbcRandomIV : 1; /* 24 */ ++ unsigned int enableOCSPStapling : 1; /* 25 */ ++ unsigned int enableSignedCertTimestamps : 1; /* 26 */ + } sslOptions; + + typedef enum { sslHandshakingUndetermined = 0, +@@ -713,6 +714,11 @@ struct sslSessionIDStr { + * negotiated as it's used to bind the ChannelID signature on the + * resumption handshake to the original handshake. */ + SECItem originalHandshakeHash; ++ ++ /* Signed certificate timestamps received in a TLS extension. ++ ** (used only in client). ++ */ ++ SECItem signedCertTimestamps; + } ssl3; + } u; + }; +@@ -804,6 +810,18 @@ struct TLSExtensionDataStr { + * is beyond ssl3_HandleClientHello function. */ + SECItem *sniNameArr; + PRUint32 sniNameArrSize; ++ ++ /* Signed Certificate Timestamps extracted from the TLS extension. ++ * (client only). ++ * This container holds a temporary pointer to the extension data, ++ * until a session structure (the sec.ci.sid of an sslSocket) is setup ++ * that can hold a permanent copy of the data ++ * (in sec.ci.sid.u.ssl3.signedCertTimestamps). ++ * The data pointed to by this structure is neither explicitly allocated ++ * nor copied: the pointer points to the handshake message buffer and is ++ * only valid in the scope of ssl3_HandleServerHello. ++ */ ++ SECItem signedCertTimestamps; + }; + + typedef SECStatus (*sslRestartTarget)(sslSocket *); +diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c +index eb5004c..1ca19ca 100644 +--- a/net/third_party/nss/ssl/sslnonce.c ++++ b/net/third_party/nss/ssl/sslnonce.c +@@ -122,7 +122,21 @@ ssl_DestroySID(sslSessionID *sid) + if (sid->version < SSL_LIBRARY_VERSION_3_0) { + SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE); + SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE); ++ } else { ++ if (sid->u.ssl3.sessionTicket.ticket.data) { ++ SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE); ++ } ++ if (sid->u.ssl3.srvName.data) { ++ SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); ++ } ++ if (sid->u.ssl3.signedCertTimestamps.data) { ++ SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE); ++ } ++ if (sid->u.ssl3.originalHandshakeHash.data) { ++ SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); ++ } + } ++ + if (sid->peerID != NULL) + PORT_Free((void *)sid->peerID); /* CONST */ + +@@ -142,16 +156,7 @@ ssl_DestroySID(sslSessionID *sid) + if ( sid->localCert ) { + CERT_DestroyCertificate(sid->localCert); + } +- if (sid->u.ssl3.sessionTicket.ticket.data) { +- SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE); +- } +- if (sid->u.ssl3.srvName.data) { +- SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); +- } +- if (sid->u.ssl3.originalHandshakeHash.data) { +- SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); +- } +- ++ + PORT_ZFree(sid, sizeof(sslSessionID)); + } + +diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c +index b5c17f0..965215d 100644 +--- a/net/third_party/nss/ssl/sslsock.c ++++ b/net/third_party/nss/ssl/sslsock.c +@@ -173,7 +173,8 @@ static sslOptions ssl_defaults = { + PR_FALSE, /* requireSafeNegotiation */ + PR_FALSE, /* enableFalseStart */ + PR_TRUE, /* cbcRandomIV */ +- PR_FALSE /* enableOCSPStapling */ ++ PR_FALSE, /* enableOCSPStapling */ ++ PR_FALSE /* enableSignedCertTimestamps */ + }; + + /* +@@ -865,6 +866,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) + ss->opt.enableOCSPStapling = on; + break; + ++ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: ++ ss->opt.enableSignedCertTimestamps = on; ++ break; ++ + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; +@@ -935,6 +940,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) + case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; + case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; + case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; ++ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: ++ on = ss->opt.enableSignedCertTimestamps; ++ break; + + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); +@@ -996,6 +1004,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) + case SSL_ENABLE_OCSP_STAPLING: + on = ssl_defaults.enableOCSPStapling; + break; ++ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: ++ on = ssl_defaults.enableSignedCertTimestamps; ++ break; + + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); +@@ -1163,6 +1174,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) + ssl_defaults.enableOCSPStapling = on; + break; + ++ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: ++ ssl_defaults.enableSignedCertTimestamps = on; ++ break; ++ + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; +@@ -1993,6 +2008,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc *fd) + return &ss->sec.ci.sid->peerCertStatus; + } + ++const SECItem * ++SSL_PeerSignedCertTimestamps(PRFileDesc *fd) ++{ ++ sslSocket *ss = ssl_FindSocket(fd); ++ ++ if (!ss) { ++ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", ++ SSL_GETPID(), fd)); ++ return NULL; ++ } ++ ++ if (!ss->sec.ci.sid) { ++ PORT_SetError(SEC_ERROR_NOT_INITIALIZED); ++ return NULL; ++ } ++ ++ if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) { ++ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); ++ return NULL; ++ } ++ return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; ++} ++ + SECStatus + SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { + sslSocket *ss = ssl_FindSocket(fd); +@@ -3133,4 +3171,3 @@ loser: + } + return ss; + } +- +diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h +index b813c04..1f5e2c6 100644 +--- a/net/third_party/nss/ssl/sslt.h ++++ b/net/third_party/nss/ssl/sslt.h +@@ -202,6 +202,7 @@ typedef enum { + ssl_signature_algorithms_xtn = 13, + ssl_use_srtp_xtn = 14, + ssl_app_layer_protocol_xtn = 16, ++ ssl_signed_certificate_timestamp_xtn = 18, /* RFC 6962 */ + ssl_session_ticket_xtn = 35, + ssl_next_proto_nego_xtn = 13172, + ssl_channel_id_xtn = 30032, +@@ -209,6 +210,6 @@ typedef enum { + ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ + } SSLExtensionType; + +-#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */ ++#define SSL_MAX_EXTENSIONS 12 /* doesn't include ssl_padding_xtn. */ + + #endif /* __sslt_h_ */ diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h index 67cc3a7..4cf02aa 100644 --- a/net/third_party/nss/ssl/ssl.h +++ b/net/third_party/nss/ssl/ssl.h @@ -161,6 +161,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd); */ #define SSL_CBC_RANDOM_IV 23 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ +/* Request Signed Certificate Timestamps via TLS extension (client) */ +#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25 #ifdef SSL_DEPRECATED_FUNCTION /* Old deprecated function names */ @@ -464,6 +466,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd); */ SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd); +/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp + * extension data provided by the TLS server. The return value is a pointer + * to an internal SECItem that contains the returned response (as a serialized + * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only + * valid until the callback function that calls SSL_PeerSignedCertTimestamps + * (e.g. the authenticate certificate hook, or the handshake callback) returns. + * + * If no Signed Certificate Timestamps were given by the server then the result + * will be empty. If there was an error, then the result will be NULL. + * + * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support + * for Signed Certificate Timestamps to a server. + * + * libssl does not do any parsing or validation of the response itself. + */ +SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd); + /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses * in the fd's data, which may be sent as part of a server side cert_status * handshake message. Parameter |responses| is for the server certificate of diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c index 0f1eea4..c2d9eeb 100644 --- a/net/third_party/nss/ssl/ssl3con.c +++ b/net/third_party/nss/ssl/ssl3con.c @@ -6639,10 +6639,22 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) sid->u.ssl3.sessionIDLength = sidBytes.len; PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); + /* Copy Signed Certificate Timestamps, if any. */ + if (ss->xtnData.signedCertTimestamps.data) { + rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, + &ss->xtnData.signedCertTimestamps); + if (rv != SECSuccess) + goto loser; + } + ss->ssl3.hs.isResuming = PR_FALSE; ss->ssl3.hs.ws = wait_server_cert; winner: + /* Clean up the temporary pointer to the handshake buffer. */ + ss->xtnData.signedCertTimestamps.data = NULL; + ss->xtnData.signedCertTimestamps.len = 0; + /* If we will need a ChannelID key then we make the callback now. This * allows the handshake to be restarted cleanly if the callback returns * SECWouldBlock. */ @@ -6668,6 +6680,9 @@ alert_loser: (void)SSL3_SendAlert(ss, alert_fatal, desc); loser: + /* Clean up the temporary pointer to the handshake buffer. */ + ss->xtnData.signedCertTimestamps.data = NULL; + ss->xtnData.signedCertTimestamps.len = 0; errCode = ssl_MapLowLevelError(errCode); return SECFailure; } diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c index adb81ed..02e104d 100644 --- a/net/third_party/nss/ssl/ssl3ext.c +++ b/net/third_party/nss/ssl/ssl3ext.c @@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes); static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data); +static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, + PRBool append, + PRUint32 maxBytes); +static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, + PRUint16 ex_type, + SECItem *data); /* * Write bytes. Using this function means the SECItem structure @@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, + { ssl_signed_certificate_timestamp_xtn, + &ssl3_ClientHandleSignedCertTimestampXtn }, { -1, NULL } }; @@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, - { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } + { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, + { ssl_signed_certificate_timestamp_xtn, + &ssl3_ClientSendSignedCertTimestampXtn } /* any extra entries will appear as { 0, NULL } */ }; @@ -2364,3 +2374,65 @@ ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, return extensionLen; } + +/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp + * extension for TLS ClientHellos. */ +static PRInt32 +ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, + PRUint32 maxBytes) +{ + PRInt32 extension_length = 2 /* extension_type */ + + 2 /* length(extension_data) */; + + /* Only send the extension if processing is enabled. */ + if (!ss->opt.enableSignedCertTimestamps) + return 0; + + if (append && maxBytes >= extension_length) { + SECStatus rv; + /* extension_type */ + rv = ssl3_AppendHandshakeNumber(ss, + ssl_signed_certificate_timestamp_xtn, + 2); + if (rv != SECSuccess) + goto loser; + /* zero length */ + rv = ssl3_AppendHandshakeNumber(ss, 0, 2); + if (rv != SECSuccess) + goto loser; + ss->xtnData.advertised[ss->xtnData.numAdvertised++] = + ssl_signed_certificate_timestamp_xtn; + } else if (maxBytes < extension_length) { + PORT_Assert(0); + return 0; + } + + return extension_length; +loser: + return -1; +} + +static SECStatus +ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, + SECItem *data) +{ + /* We do not yet know whether we'll be resuming a session or creating + * a new one, so we keep a pointer to the data in the TLSExtensionData + * structure. This pointer is only valid in the scope of + * ssl3_HandleServerHello, and, if not resuming a session, the data is + * copied once a new session structure has been set up. + * All parsing is currently left to the application and we accept + * everything, including empty data. + */ + SECItem *scts = &ss->xtnData.signedCertTimestamps; + PORT_Assert(!scts->data && !scts->len); + + if (!data->len) { + /* Empty extension data: RFC 6962 mandates non-empty contents. */ + return SECFailure; + } + *scts = *data; + /* Keep track of negotiated extensions. */ + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; + return SECSuccess; +} diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h index 79aca60..1e4655f 100644 --- a/net/third_party/nss/ssl/sslimpl.h +++ b/net/third_party/nss/ssl/sslimpl.h @@ -312,29 +312,30 @@ typedef struct sslOptionsStr { * list of supported protocols. */ SECItem nextProtoNego; - unsigned int useSecurity : 1; /* 1 */ - unsigned int useSocks : 1; /* 2 */ - unsigned int requestCertificate : 1; /* 3 */ - unsigned int requireCertificate : 2; /* 4-5 */ - unsigned int handshakeAsClient : 1; /* 6 */ - unsigned int handshakeAsServer : 1; /* 7 */ - unsigned int enableSSL2 : 1; /* 8 */ - unsigned int unusedBit9 : 1; /* 9 */ - unsigned int unusedBit10 : 1; /* 10 */ - unsigned int noCache : 1; /* 11 */ - unsigned int fdx : 1; /* 12 */ - unsigned int v2CompatibleHello : 1; /* 13 */ - unsigned int detectRollBack : 1; /* 14 */ - unsigned int noStepDown : 1; /* 15 */ - unsigned int bypassPKCS11 : 1; /* 16 */ - unsigned int noLocks : 1; /* 17 */ - unsigned int enableSessionTickets : 1; /* 18 */ - unsigned int enableDeflate : 1; /* 19 */ - unsigned int enableRenegotiation : 2; /* 20-21 */ - unsigned int requireSafeNegotiation : 1; /* 22 */ - unsigned int enableFalseStart : 1; /* 23 */ - unsigned int cbcRandomIV : 1; /* 24 */ - unsigned int enableOCSPStapling : 1; /* 25 */ + unsigned int useSecurity : 1; /* 1 */ + unsigned int useSocks : 1; /* 2 */ + unsigned int requestCertificate : 1; /* 3 */ + unsigned int requireCertificate : 2; /* 4-5 */ + unsigned int handshakeAsClient : 1; /* 6 */ + unsigned int handshakeAsServer : 1; /* 7 */ + unsigned int enableSSL2 : 1; /* 8 */ + unsigned int unusedBit9 : 1; /* 9 */ + unsigned int unusedBit10 : 1; /* 10 */ + unsigned int noCache : 1; /* 11 */ + unsigned int fdx : 1; /* 12 */ + unsigned int v2CompatibleHello : 1; /* 13 */ + unsigned int detectRollBack : 1; /* 14 */ + unsigned int noStepDown : 1; /* 15 */ + unsigned int bypassPKCS11 : 1; /* 16 */ + unsigned int noLocks : 1; /* 17 */ + unsigned int enableSessionTickets : 1; /* 18 */ + unsigned int enableDeflate : 1; /* 19 */ + unsigned int enableRenegotiation : 2; /* 20-21 */ + unsigned int requireSafeNegotiation : 1; /* 22 */ + unsigned int enableFalseStart : 1; /* 23 */ + unsigned int cbcRandomIV : 1; /* 24 */ + unsigned int enableOCSPStapling : 1; /* 25 */ + unsigned int enableSignedCertTimestamps : 1; /* 26 */ } sslOptions; typedef enum { sslHandshakingUndetermined = 0, @@ -713,6 +714,11 @@ struct sslSessionIDStr { * negotiated as it's used to bind the ChannelID signature on the * resumption handshake to the original handshake. */ SECItem originalHandshakeHash; + + /* Signed certificate timestamps received in a TLS extension. + ** (used only in client). + */ + SECItem signedCertTimestamps; } ssl3; } u; }; @@ -804,6 +810,18 @@ struct TLSExtensionDataStr { * is beyond ssl3_HandleClientHello function. */ SECItem *sniNameArr; PRUint32 sniNameArrSize; + + /* Signed Certificate Timestamps extracted from the TLS extension. + * (client only). + * This container holds a temporary pointer to the extension data, + * until a session structure (the sec.ci.sid of an sslSocket) is setup + * that can hold a permanent copy of the data + * (in sec.ci.sid.u.ssl3.signedCertTimestamps). + * The data pointed to by this structure is neither explicitly allocated + * nor copied: the pointer points to the handshake message buffer and is + * only valid in the scope of ssl3_HandleServerHello. + */ + SECItem signedCertTimestamps; }; typedef SECStatus (*sslRestartTarget)(sslSocket *); diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c index eb5004c..1ca19ca 100644 --- a/net/third_party/nss/ssl/sslnonce.c +++ b/net/third_party/nss/ssl/sslnonce.c @@ -122,7 +122,21 @@ ssl_DestroySID(sslSessionID *sid) if (sid->version < SSL_LIBRARY_VERSION_3_0) { SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE); SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE); + } else { + if (sid->u.ssl3.sessionTicket.ticket.data) { + SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE); + } + if (sid->u.ssl3.srvName.data) { + SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); + } + if (sid->u.ssl3.signedCertTimestamps.data) { + SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE); + } + if (sid->u.ssl3.originalHandshakeHash.data) { + SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); + } } + if (sid->peerID != NULL) PORT_Free((void *)sid->peerID); /* CONST */ @@ -142,16 +156,7 @@ ssl_DestroySID(sslSessionID *sid) if ( sid->localCert ) { CERT_DestroyCertificate(sid->localCert); } - if (sid->u.ssl3.sessionTicket.ticket.data) { - SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE); - } - if (sid->u.ssl3.srvName.data) { - SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); - } - if (sid->u.ssl3.originalHandshakeHash.data) { - SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); - } - + PORT_ZFree(sid, sizeof(sslSessionID)); } diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c index b5c17f0..965215d 100644 --- a/net/third_party/nss/ssl/sslsock.c +++ b/net/third_party/nss/ssl/sslsock.c @@ -173,7 +173,8 @@ static sslOptions ssl_defaults = { PR_FALSE, /* requireSafeNegotiation */ PR_FALSE, /* enableFalseStart */ PR_TRUE, /* cbcRandomIV */ - PR_FALSE /* enableOCSPStapling */ + PR_FALSE, /* enableOCSPStapling */ + PR_FALSE /* enableSignedCertTimestamps */ }; /* @@ -865,6 +866,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) ss->opt.enableOCSPStapling = on; break; + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: + ss->opt.enableSignedCertTimestamps = on; + break; + default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; @@ -935,6 +940,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: + on = ss->opt.enableSignedCertTimestamps; + break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -996,6 +1004,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) case SSL_ENABLE_OCSP_STAPLING: on = ssl_defaults.enableOCSPStapling; break; + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: + on = ssl_defaults.enableSignedCertTimestamps; + break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -1163,6 +1174,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) ssl_defaults.enableOCSPStapling = on; break; + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: + ssl_defaults.enableSignedCertTimestamps = on; + break; + default: PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; @@ -1993,6 +2008,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc *fd) return &ss->sec.ci.sid->peerCertStatus; } +const SECItem * +SSL_PeerSignedCertTimestamps(PRFileDesc *fd) +{ + sslSocket *ss = ssl_FindSocket(fd); + + if (!ss) { + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", + SSL_GETPID(), fd)); + return NULL; + } + + if (!ss->sec.ci.sid) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return NULL; + } + + if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) { + PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); + return NULL; + } + return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; +} + SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { sslSocket *ss = ssl_FindSocket(fd); @@ -3133,4 +3171,3 @@ loser: } return ss; } - diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h index b813c04..1f5e2c6 100644 --- a/net/third_party/nss/ssl/sslt.h +++ b/net/third_party/nss/ssl/sslt.h @@ -202,6 +202,7 @@ typedef enum { ssl_signature_algorithms_xtn = 13, ssl_use_srtp_xtn = 14, ssl_app_layer_protocol_xtn = 16, + ssl_signed_certificate_timestamp_xtn = 18, /* RFC 6962 */ ssl_session_ticket_xtn = 35, ssl_next_proto_nego_xtn = 13172, ssl_channel_id_xtn = 30032, @@ -209,6 +210,6 @@ typedef enum { ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ } SSLExtensionType; -#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */ +#define SSL_MAX_EXTENSIONS 12 /* doesn't include ssl_padding_xtn. */ #endif /* __sslt_h_ */ |