1 diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h 2 index 67cc3a7..4cf02aa 100644 3 --- a/net/third_party/nss/ssl/ssl.h 4 +++ b/net/third_party/nss/ssl/ssl.h 5 @@ -161,6 +161,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd); 6 */ 7 #define SSL_CBC_RANDOM_IV 23 8 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ 9 +/* Request Signed Certificate Timestamps via TLS extension (client) */ 10 +#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25 11 12 #ifdef SSL_DEPRECATED_FUNCTION 13 /* Old deprecated function names */ 14 @@ -464,6 +466,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd); 15 */ 16 SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd); 17 18 +/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp 19 + * extension data provided by the TLS server. The return value is a pointer 20 + * to an internal SECItem that contains the returned response (as a serialized 21 + * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only 22 + * valid until the callback function that calls SSL_PeerSignedCertTimestamps 23 + * (e.g. the authenticate certificate hook, or the handshake callback) returns. 24 + * 25 + * If no Signed Certificate Timestamps were given by the server then the result 26 + * will be empty. If there was an error, then the result will be NULL. 27 + * 28 + * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support 29 + * for Signed Certificate Timestamps to a server. 30 + * 31 + * libssl does not do any parsing or validation of the response itself. 32 + */ 33 +SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd); 34 + 35 /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses 36 * in the fd's data, which may be sent as part of a server side cert_status 37 * handshake message. Parameter |responses| is for the server certificate of 38 diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c 39 index 0f1eea4..c2d9eeb 100644 40 --- a/net/third_party/nss/ssl/ssl3con.c 41 +++ b/net/third_party/nss/ssl/ssl3con.c 42 @@ -6639,10 +6639,22 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 43 sid->u.ssl3.sessionIDLength = sidBytes.len; 44 PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len); 45 46 + /* Copy Signed Certificate Timestamps, if any. */ 47 + if (ss->xtnData.signedCertTimestamps.data) { 48 + rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps, 49 + &ss->xtnData.signedCertTimestamps); 50 + if (rv != SECSuccess) 51 + goto loser; 52 + } 53 + 54 ss->ssl3.hs.isResuming = PR_FALSE; 55 ss->ssl3.hs.ws = wait_server_cert; 56 57 winner: 58 + /* Clean up the temporary pointer to the handshake buffer. */ 59 + ss->xtnData.signedCertTimestamps.data = NULL; 60 + ss->xtnData.signedCertTimestamps.len = 0; 61 + 62 /* If we will need a ChannelID key then we make the callback now. This 63 * allows the handshake to be restarted cleanly if the callback returns 64 * SECWouldBlock. */ 65 @@ -6668,6 +6680,9 @@ alert_loser: 66 (void)SSL3_SendAlert(ss, alert_fatal, desc); 67 68 loser: 69 + /* Clean up the temporary pointer to the handshake buffer. */ 70 + ss->xtnData.signedCertTimestamps.data = NULL; 71 + ss->xtnData.signedCertTimestamps.len = 0; 72 errCode = ssl_MapLowLevelError(errCode); 73 return SECFailure; 74 } 75 diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c 76 index adb81ed..02e104d 100644 77 --- a/net/third_party/nss/ssl/ssl3ext.c 78 +++ b/net/third_party/nss/ssl/ssl3ext.c 79 @@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, 80 PRUint32 maxBytes); 81 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type, 82 SECItem *data); 83 +static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, 84 + PRBool append, 85 + PRUint32 maxBytes); 86 +static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, 87 + PRUint16 ex_type, 88 + SECItem *data); 89 90 /* 91 * Write bytes. Using this function means the SECItem structure 92 @@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { 93 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, 94 { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, 95 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 96 + { ssl_signed_certificate_timestamp_xtn, 97 + &ssl3_ClientHandleSignedCertTimestampXtn }, 98 { -1, NULL } 99 }; 100 101 @@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { 102 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, 103 { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, 104 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, 105 - { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } 106 + { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, 107 + { ssl_signed_certificate_timestamp_xtn, 108 + &ssl3_ClientSendSignedCertTimestampXtn } 109 /* any extra entries will appear as { 0, NULL } */ 110 }; 111 112 @@ -2364,3 +2374,65 @@ ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, 113 114 return extensionLen; 115 } 116 + 117 +/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp 118 + * extension for TLS ClientHellos. */ 119 +static PRInt32 120 +ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append, 121 + PRUint32 maxBytes) 122 +{ 123 + PRInt32 extension_length = 2 /* extension_type */ + 124 + 2 /* length(extension_data) */; 125 + 126 + /* Only send the extension if processing is enabled. */ 127 + if (!ss->opt.enableSignedCertTimestamps) 128 + return 0; 129 + 130 + if (append && maxBytes >= extension_length) { 131 + SECStatus rv; 132 + /* extension_type */ 133 + rv = ssl3_AppendHandshakeNumber(ss, 134 + ssl_signed_certificate_timestamp_xtn, 135 + 2); 136 + if (rv != SECSuccess) 137 + goto loser; 138 + /* zero length */ 139 + rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 140 + if (rv != SECSuccess) 141 + goto loser; 142 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 143 + ssl_signed_certificate_timestamp_xtn; 144 + } else if (maxBytes < extension_length) { 145 + PORT_Assert(0); 146 + return 0; 147 + } 148 + 149 + return extension_length; 150 +loser: 151 + return -1; 152 +} 153 + 154 +static SECStatus 155 +ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type, 156 + SECItem *data) 157 +{ 158 + /* We do not yet know whether we'll be resuming a session or creating 159 + * a new one, so we keep a pointer to the data in the TLSExtensionData 160 + * structure. This pointer is only valid in the scope of 161 + * ssl3_HandleServerHello, and, if not resuming a session, the data is 162 + * copied once a new session structure has been set up. 163 + * All parsing is currently left to the application and we accept 164 + * everything, including empty data. 165 + */ 166 + SECItem *scts = &ss->xtnData.signedCertTimestamps; 167 + PORT_Assert(!scts->data && !scts->len); 168 + 169 + if (!data->len) { 170 + /* Empty extension data: RFC 6962 mandates non-empty contents. */ 171 + return SECFailure; 172 + } 173 + *scts = *data; 174 + /* Keep track of negotiated extensions. */ 175 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 176 + return SECSuccess; 177 +} 178 diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h 179 index 79aca60..1e4655f 100644 180 --- a/net/third_party/nss/ssl/sslimpl.h 181 +++ b/net/third_party/nss/ssl/sslimpl.h 182 @@ -312,29 +312,30 @@ typedef struct sslOptionsStr { 183 * list of supported protocols. */ 184 SECItem nextProtoNego; 185 186 - unsigned int useSecurity : 1; /* 1 */ 187 - unsigned int useSocks : 1; /* 2 */ 188 - unsigned int requestCertificate : 1; /* 3 */ 189 - unsigned int requireCertificate : 2; /* 4-5 */ 190 - unsigned int handshakeAsClient : 1; /* 6 */ 191 - unsigned int handshakeAsServer : 1; /* 7 */ 192 - unsigned int enableSSL2 : 1; /* 8 */ 193 - unsigned int unusedBit9 : 1; /* 9 */ 194 - unsigned int unusedBit10 : 1; /* 10 */ 195 - unsigned int noCache : 1; /* 11 */ 196 - unsigned int fdx : 1; /* 12 */ 197 - unsigned int v2CompatibleHello : 1; /* 13 */ 198 - unsigned int detectRollBack : 1; /* 14 */ 199 - unsigned int noStepDown : 1; /* 15 */ 200 - unsigned int bypassPKCS11 : 1; /* 16 */ 201 - unsigned int noLocks : 1; /* 17 */ 202 - unsigned int enableSessionTickets : 1; /* 18 */ 203 - unsigned int enableDeflate : 1; /* 19 */ 204 - unsigned int enableRenegotiation : 2; /* 20-21 */ 205 - unsigned int requireSafeNegotiation : 1; /* 22 */ 206 - unsigned int enableFalseStart : 1; /* 23 */ 207 - unsigned int cbcRandomIV : 1; /* 24 */ 208 - unsigned int enableOCSPStapling : 1; /* 25 */ 209 + unsigned int useSecurity : 1; /* 1 */ 210 + unsigned int useSocks : 1; /* 2 */ 211 + unsigned int requestCertificate : 1; /* 3 */ 212 + unsigned int requireCertificate : 2; /* 4-5 */ 213 + unsigned int handshakeAsClient : 1; /* 6 */ 214 + unsigned int handshakeAsServer : 1; /* 7 */ 215 + unsigned int enableSSL2 : 1; /* 8 */ 216 + unsigned int unusedBit9 : 1; /* 9 */ 217 + unsigned int unusedBit10 : 1; /* 10 */ 218 + unsigned int noCache : 1; /* 11 */ 219 + unsigned int fdx : 1; /* 12 */ 220 + unsigned int v2CompatibleHello : 1; /* 13 */ 221 + unsigned int detectRollBack : 1; /* 14 */ 222 + unsigned int noStepDown : 1; /* 15 */ 223 + unsigned int bypassPKCS11 : 1; /* 16 */ 224 + unsigned int noLocks : 1; /* 17 */ 225 + unsigned int enableSessionTickets : 1; /* 18 */ 226 + unsigned int enableDeflate : 1; /* 19 */ 227 + unsigned int enableRenegotiation : 2; /* 20-21 */ 228 + unsigned int requireSafeNegotiation : 1; /* 22 */ 229 + unsigned int enableFalseStart : 1; /* 23 */ 230 + unsigned int cbcRandomIV : 1; /* 24 */ 231 + unsigned int enableOCSPStapling : 1; /* 25 */ 232 + unsigned int enableSignedCertTimestamps : 1; /* 26 */ 233 } sslOptions; 234 235 typedef enum { sslHandshakingUndetermined = 0, 236 @@ -713,6 +714,11 @@ struct sslSessionIDStr { 237 * negotiated as it's used to bind the ChannelID signature on the 238 * resumption handshake to the original handshake. */ 239 SECItem originalHandshakeHash; 240 + 241 + /* Signed certificate timestamps received in a TLS extension. 242 + ** (used only in client). 243 + */ 244 + SECItem signedCertTimestamps; 245 } ssl3; 246 } u; 247 }; 248 @@ -804,6 +810,18 @@ struct TLSExtensionDataStr { 249 * is beyond ssl3_HandleClientHello function. */ 250 SECItem *sniNameArr; 251 PRUint32 sniNameArrSize; 252 + 253 + /* Signed Certificate Timestamps extracted from the TLS extension. 254 + * (client only). 255 + * This container holds a temporary pointer to the extension data, 256 + * until a session structure (the sec.ci.sid of an sslSocket) is setup 257 + * that can hold a permanent copy of the data 258 + * (in sec.ci.sid.u.ssl3.signedCertTimestamps). 259 + * The data pointed to by this structure is neither explicitly allocated 260 + * nor copied: the pointer points to the handshake message buffer and is 261 + * only valid in the scope of ssl3_HandleServerHello. 262 + */ 263 + SECItem signedCertTimestamps; 264 }; 265 266 typedef SECStatus (*sslRestartTarget)(sslSocket *); 267 diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c 268 index eb5004c..1ca19ca 100644 269 --- a/net/third_party/nss/ssl/sslnonce.c 270 +++ b/net/third_party/nss/ssl/sslnonce.c 271 @@ -122,7 +122,21 @@ ssl_DestroySID(sslSessionID *sid) 272 if (sid->version < SSL_LIBRARY_VERSION_3_0) { 273 SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE); 274 SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE); 275 + } else { 276 + if (sid->u.ssl3.sessionTicket.ticket.data) { 277 + SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE); 278 + } 279 + if (sid->u.ssl3.srvName.data) { 280 + SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); 281 + } 282 + if (sid->u.ssl3.signedCertTimestamps.data) { 283 + SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE); 284 + } 285 + if (sid->u.ssl3.originalHandshakeHash.data) { 286 + SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); 287 + } 288 } 289 + 290 if (sid->peerID != NULL) 291 PORT_Free((void *)sid->peerID); /* CONST */ 292 293 @@ -142,16 +156,7 @@ ssl_DestroySID(sslSessionID *sid) 294 if ( sid->localCert ) { 295 CERT_DestroyCertificate(sid->localCert); 296 } 297 - if (sid->u.ssl3.sessionTicket.ticket.data) { 298 - SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE); 299 - } 300 - if (sid->u.ssl3.srvName.data) { 301 - SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); 302 - } 303 - if (sid->u.ssl3.originalHandshakeHash.data) { 304 - SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); 305 - } 306 - 307 + 308 PORT_ZFree(sid, sizeof(sslSessionID)); 309 } 310 311 diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c 312 index b5c17f0..965215d 100644 313 --- a/net/third_party/nss/ssl/sslsock.c 314 +++ b/net/third_party/nss/ssl/sslsock.c 315 @@ -173,7 +173,8 @@ static sslOptions ssl_defaults = { 316 PR_FALSE, /* requireSafeNegotiation */ 317 PR_FALSE, /* enableFalseStart */ 318 PR_TRUE, /* cbcRandomIV */ 319 - PR_FALSE /* enableOCSPStapling */ 320 + PR_FALSE, /* enableOCSPStapling */ 321 + PR_FALSE /* enableSignedCertTimestamps */ 322 }; 323 324 /* 325 @@ -865,6 +866,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) 326 ss->opt.enableOCSPStapling = on; 327 break; 328 329 + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: 330 + ss->opt.enableSignedCertTimestamps = on; 331 + break; 332 + 333 default: 334 PORT_SetError(SEC_ERROR_INVALID_ARGS); 335 rv = SECFailure; 336 @@ -935,6 +940,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) 337 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; 338 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; 339 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; 340 + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: 341 + on = ss->opt.enableSignedCertTimestamps; 342 + break; 343 344 default: 345 PORT_SetError(SEC_ERROR_INVALID_ARGS); 346 @@ -996,6 +1004,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) 347 case SSL_ENABLE_OCSP_STAPLING: 348 on = ssl_defaults.enableOCSPStapling; 349 break; 350 + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: 351 + on = ssl_defaults.enableSignedCertTimestamps; 352 + break; 353 354 default: 355 PORT_SetError(SEC_ERROR_INVALID_ARGS); 356 @@ -1163,6 +1174,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) 357 ssl_defaults.enableOCSPStapling = on; 358 break; 359 360 + case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: 361 + ssl_defaults.enableSignedCertTimestamps = on; 362 + break; 363 + 364 default: 365 PORT_SetError(SEC_ERROR_INVALID_ARGS); 366 return SECFailure; 367 @@ -1993,6 +2008,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc *fd) 368 return &ss->sec.ci.sid->peerCertStatus; 369 } 370 371 +const SECItem * 372 +SSL_PeerSignedCertTimestamps(PRFileDesc *fd) 373 +{ 374 + sslSocket *ss = ssl_FindSocket(fd); 375 + 376 + if (!ss) { 377 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", 378 + SSL_GETPID(), fd)); 379 + return NULL; 380 + } 381 + 382 + if (!ss->sec.ci.sid) { 383 + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); 384 + return NULL; 385 + } 386 + 387 + if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) { 388 + PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); 389 + return NULL; 390 + } 391 + return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; 392 +} 393 + 394 SECStatus 395 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { 396 sslSocket *ss = ssl_FindSocket(fd); 397 @@ -3133,4 +3171,3 @@ loser: 398 } 399 return ss; 400 } 401 - 402 diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h 403 index b813c04..1f5e2c6 100644 404 --- a/net/third_party/nss/ssl/sslt.h 405 +++ b/net/third_party/nss/ssl/sslt.h 406 @@ -202,6 +202,7 @@ typedef enum { 407 ssl_signature_algorithms_xtn = 13, 408 ssl_use_srtp_xtn = 14, 409 ssl_app_layer_protocol_xtn = 16, 410 + ssl_signed_certificate_timestamp_xtn = 18, /* RFC 6962 */ 411 ssl_session_ticket_xtn = 35, 412 ssl_next_proto_nego_xtn = 13172, 413 ssl_channel_id_xtn = 30032, 414 @@ -209,6 +210,6 @@ typedef enum { 415 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ 416 } SSLExtensionType; 417 418 -#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */ 419 +#define SSL_MAX_EXTENSIONS 12 /* doesn't include ssl_padding_xtn. */ 420 421 #endif /* __sslt_h_ */ 422
