Implement client side of TLS signed certificate stamps extension.
See https://crbug.com/389420 and section 3.3 of RFC 6962.
Change-Id: Ib22bcd4e4bde5a314ed33e123e19a76cdb714da4
Reviewed-on: https://boringssl-review.googlesource.com/1491
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 855d1d0..d23b41e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1109,6 +1109,16 @@
}
#endif
+ if (s->signed_cert_timestamps_enabled && !s->s3->tmp.finish_md_len)
+ {
+ /* The client advertises an empty extension to indicate its support for
+ * certificate timestamps. */
+ if (limit - ret - 4 < 0)
+ return NULL;
+ s2n(TLSEXT_TYPE_certificate_timestamp,ret);
+ s2n(0,ret);
+ }
+
if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
{
if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
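Review bot: The `4` in `if (limit - ret - 4 < 0)` is an unexplained size that has to stay in sync with the two `s2n` writes that follow it: two bytes of extension type plus two bytes of zero length. I would extend the existing comment to say so, e.g. `/* 4 bytes: 2-byte extension type + 2-byte (zero) extension length. */`. The `!s->s3->tmp.finish_md_len` condition is shared with the ALPN block below and presumably suppresses the extension on renegotiation; that is inferred, so a word in the comment confirming the intent would help. The enclosing function starts and ends outside the hunk.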
@@ -2234,7 +2244,26 @@
s->s3->tlsext_channel_id_valid = 1;
s->s3->tlsext_channel_id_new = 1;
}
+ else if (type == TLSEXT_TYPE_certificate_timestamp)
+ {
+ if (CBS_len(&extension) == 0)
+ {
+ *out_alert = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ /* Session resumption uses the original session information. */
+ if (!s->hit)
+ {
+ if (!CBS_stow(&extension,
+ &s->session->tlsext_signed_cert_timestamp_list,
+ &s->session->tlsext_signed_cert_timestamp_list_length))
+ {
+ *out_alert = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ }
+ }
else if (type == TLSEXT_TYPE_renegotiate)
{
if (!ssl_parse_serverhello_renegotiate_ext(s, &extension, out_alert))
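Review bot: The new `TLSEXT_TYPE_certificate_timestamp` branch stores the server's list without checking that this client offered the extension; nothing in the visible lines tests `s->signed_cert_timestamps_enabled`. Unless unsolicited extensions are rejected elsewhere in this function (which starts and ends outside the hunk), a client that never asked for SCTs will still copy the server-supplied bytes into its session. I would open the branch with `if (!s->signed_cert_timestamps_enabled) { *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; return 0; }`. The bytes handed to `CBS_stow` are also kept unparsed, so a comment such as `/* Stored as received; the SCT list structure is not validated here. */` would warn whoever later consumes `tlsext_signed_cert_timestamp_list`.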