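--- a/nss/lib/ssl/ssl3con.c
+++ b/nss/lib/ssl/ssl3con.c
@@ -6544,6 +6544,9 @@ ssl3_HandleCertificateRequest(sslSocket
 goto loser; /* malformed, alert has been sent */
+ PORT_Assert(!ss->requestedCertTypes);
+ ss->requestedCertTypes = &cert_types;
 rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
@@ -6743,6 +6746,7 @@ loser:
 PORT_SetError(errCode);
+ ss->requestedCertTypes = NULL;
 PORT_FreeArena(arena, PR_FALSE);
 #ifdef NSS_PLATFORM_CLIENT_AUTH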
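Review bot: `ss->requestedCertTypes = &cert_types;` stores the address of what appears to be an automatic variable of ssl3_HandleCertificateRequest inside the long-lived sslSocket, so the socket carries a pointer into this stack frame until the `ss->requestedCertTypes = NULL;` in the second hunk runs, and any return between the two that bypasses that reset leaves a dangling pointer that a later SSL_GetRequestedClientCertificateTypes call would hand to the application. The reset is placed after `PORT_SetError(errCode)` under `loser:`; whether the success path also reaches it depends on lines the hunk does not show (the listing jumps from 15 to 18, so a `done:` label may sit in between) and should be confirmed. `PORT_Assert` is compiled out of release builds, so it documents the invariant without enforcing it there. I would state the invariant at the store: `/* cert_types is a stack local: this pointer MUST be reset to NULL on every exit path of this function (see the reset after loser:). */`. The body of ssl3_HandleCertificateRequest starts and ends outside the hunk.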
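--- a/nss/lib/ssl/ssl.h
+++ b/nss/lib/ssl/ssl.h
@@ -732,6 +732,16 @@ SSL_IMPORT SECStatus SSL_ReHandshakeWith
 PRIntervalTime timeout);
+/* Returns a SECItem containing the certificate_types field of the
+** CertificateRequest message. Each byte of the data is a TLS
+** ClientCertificateType value, and they are ordered from most preferred to
+** least. This function should only be called from the
+** SSL_GetClientAuthDataHook callback, and will return NULL if called at any
+** other time. The returned value is valid only until the callback returns, and
+** should not be freed.
+SSL_IMPORT const SECItem *
+SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd);
 #ifdef SSL_DEPRECATED_FUNCTION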
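Review bot: The comment promises NULL only `if called at any other time`, but the implementation in the sslsock.c hunk also returns NULL when fd is not an SSL socket, so a caller cannot distinguish "not inside the hook" from "bad argument"; the comment should say so. It should also state that the value is only meaningful on the thread executing the SSL_GetClientAuthDataHook callback, because the pointee lives in that handshake's stack frame and a call from another thread during the handshake is not covered by the "any other time" promise. Suggested lines for the block: `** NULL is also returned if fd is not an SSL socket. The value must only be read on the thread that is running the callback.`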
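--- a/nss/lib/ssl/sslimpl.h
+++ b/nss/lib/ssl/sslimpl.h
@@ -1168,6 +1168,10 @@ struct sslSocketStr {
 unsigned int sizeCipherSpecs;
 const unsigned char * preferredCipher;
+ /* TLS ClientCertificateTypes requested during HandleCertificateRequest. */
+ /* Will be NULL at all other times. */
+ const SECItem *requestedCertTypes;
 ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */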
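Review bot: The field comment for `requestedCertTypes` says when it is non-NULL but not who owns the pointee; from the ssl3con.c hunk it appears to point at a local `cert_types` of ssl3_HandleCertificateRequest, so it is borrowed, never freed, and invalid the moment that function returns. Recording that here protects against a future cleanup freeing it or a socket copy carrying it over: `/* Borrowed pointer to a local of ssl3_HandleCertificateRequest; never freed, must be NULL whenever that function is not executing. */`. The struct sslSocketStr starts and ends outside the hunk.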
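--- a/nss/lib/ssl/sslsock.c
+++ b/nss/lib/ssl/sslsock.c
@@ -1933,6 +1933,20 @@ SSL_HandshakeResumedSession(PRFileDesc *
+SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd)
+ sslSocket *ss = ssl_FindSocket(fd);
+ SSL_DBG(("%d: SSL[%d]: bad socket in "
+ "SSL_GetRequestedClientCertificateTypes", SSL_GETPID(), fd));
+ return ss->requestedCertTypes;
 /************************************************************************/
 /* The following functions are the TOP LEVEL SSL functions.
 ** They all get called through the NSPRIOMethods table below.
@@ -2995,6 +3009,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
 sc->serverKeyBits = 0;
 ss->certStatusArray[i] = NULL;
+ ss->requestedCertTypes = NULL;
 ss->stepDownKeyPair = NULL;
 ss->dbHandle = CERT_GetDefaultCertDB();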
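Review bot: SSL_GetRequestedClientCertificateTypes reads `ss->requestedCertTypes` without taking any handshake lock, which is safe only under the documented use of being called re-entrantly from the client-auth hook on the thread running the handshake; a comment should say so, so the getter is not later reused from another context. The bad-socket branch mirrors the neighbouring getters in this file (SSL_DBG then return), but the listing omits several lines of the body (the `{`, the `if (!ss)` test and its return), so the `return NULL` on that path is inferred rather than visible. Proposed comment above the final return: `/* No locking: only meaningful when called from within the SSL_GetClientAuthDataHook callback on the thread performing the handshake. */`. Initializing the field to NULL in ssl_NewSocket (second hunk) is right; if this file also has a socket-duplication path (not in the hunk) it should reset the field the same way, since the pointee belongs to a single handshake invocation.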