Support the new supported_signature_algorithms field of the

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /* $Id$ */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
@@ skipping 178 matching lines @@
     case ssl_compression_deflate:
         return ss->opt.enableDeflate;
 #endif
     default:
         return PR_FALSE;
     }
 }
 
 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
     ct_RSA_sign,
-    ct_DSS_sign,
 #ifdef NSS_ENABLE_ECC
     ct_ECDSA_sign,
 #endif /* NSS_ENABLE_ECC */
+    ct_DSS_sign,
+};
+
+/* This block is our supported_signature_algorithms value, in wire format.
+ * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+static const PRUint8 supported_signature_algorithms[] = {
+    tls_hash_sha256, tls_sig_rsa,
+    tls_hash_sha384, tls_sig_rsa,
+    tls_hash_sha1,   tls_sig_rsa,
+#ifdef NSS_ENABLE_ECC
+    tls_hash_sha256, tls_sig_ecdsa,
+    tls_hash_sha384, tls_sig_ecdsa,
+    tls_hash_sha1,   tls_sig_ecdsa,
+#endif
+    tls_hash_sha256, tls_sig_dsa,
+    tls_hash_sha1,   tls_sig_dsa,
 };
 
 #define EXPORT_RSA_KEY_LENGTH 64        /* bytes */
 
 
 /* This global item is used only in servers.  It is is initialized by
 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
 */
 CERTDistNames *ssl3_server_ca_list = NULL;
 static SSL3Statistics ssl3stats;
@@ skipping 3712 matching lines @@
     if (serialized[0] == 0) {
         PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
         return SECFailure;
     }
 
     serialized[1] = sigAndHash->sigAlg;
 
     return ssl3_AppendHandshake(ss, serialized, sizeof(serialized));
 }
 
+/* Appends our supported_signature_algorithms value to the current handshake
+ * message. */
+SECStatus
+ssl3_AppendSupportedSignatureAlgorithms(sslSocket *ss)
+{
+    return ssl3_AppendHandshakeVariable(ss, supported_signature_algorithms,
+                                        sizeof supported_signature_algorithms,

[agl, 2013/05/31 12:38:24]

(nit: Other uses of sizeof seem to have parentheses in this file, but up to
you.)

[wtc, 2013/05/31 16:30:55]

This file uses both styles with sizeof. The code in these two functions
was adapted from the certificate_types related code on lines 8577-8578,
which is why it's missing the parentheses (the style preferred by
Nelson Bolyard, the original author of this file).

Most people I work with prefer to use parentheses, so I will try to
use that style in new code.

+                                        2);
+}
+
+/* Returns the size in bytes of our supported_signature_algorithms value. */
+unsigned int
+ssl3_SizeOfSupportedSignatureAlgorithms(void)
+{
+    return sizeof supported_signature_algorithms;

[agl, 2013/05/31 12:38:24]

ditto.

+}
+
 /**************************************************************************
  * Consume Handshake functions.
  *
  * All data used in these functions is protected by two locks,
  * the RecvBufLock and the SSL3HandshakeLock
  **************************************************************************/
 
 /* Read up the next "bytes" number of bytes from the (decrypted) input
  * stream "b" (which is *length bytes long). Copy them into buffer "v".
  * Reduces *length by bytes.  Advances *b by bytes.
@@ skipping 2556 matching lines @@
  * ssl3 Certificate Request message.
  * Caller must hold Handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     PRArenaPool *        arena       = NULL;
     dnameNode *          node;
     PRInt32              remaining;
     PRBool               isTLS       = PR_FALSE;
+    PRBool               isTLS12     = PR_FALSE;
     int                  i;
     int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
     int                  nnames      = 0;
     SECStatus            rv;
     SSL3AlertDescription desc        = illegal_parameter;
     SECItem              cert_types  = {siBuffer, NULL, 0};
+    SECItem              algorithms  = {siBuffer, NULL, 0};
     CERTDistNames        ca_list;
 #ifdef NSS_PLATFORM_CLIENT_AUTH
     CERTCertList *       platform_cert_list = NULL;
     CERTCertListNode *   certNode = NULL;
 #endif  /* NSS_PLATFORM_CLIENT_AUTH */
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
                 SSL_GETPID(), ss->fd));
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ss->ssl3.hs.ws != wait_cert_request &&
         ss->ssl3.hs.ws != wait_server_key) {
         desc    = unexpected_message;
         errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
         goto alert_loser;
     }
 
     PORT_Assert(ss->ssl3.clientCertChain == NULL);
     PORT_Assert(ss->ssl3.clientCertificate == NULL);
     PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
     PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
 
     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+    isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
     rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
     if (rv != SECSuccess)
         goto loser;             /* malformed, alert has been sent */
 
     PORT_Assert(!ss->requestedCertTypes);
     ss->requestedCertTypes = &cert_types;
 
+    if (isTLS12) {
+        rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
+        if (rv != SECSuccess)
+            goto loser;         /* malformed, alert has been sent */
+        /* An empty or odd-length value is invalid.
+         *    SignatureAndHashAlgorithm
+         *      supported_signature_algorithms<2..2^16-2>;
+         */
+        if (algorithms.len == 0 || (algorithms.len & 1) != 0)
+            goto alert_loser;
+    }
+
     arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (arena == NULL)
         goto no_mem;
 
     remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
     if (remaining < 0)
         goto loser;             /* malformed, alert has been sent */
 
     if ((PRUint32)remaining > length)
         goto alert_loser;
@@ skipping 42 matching lines @@
     }
 
     if (length != 0)
         goto alert_loser;       /* malformed */
 
     desc = no_certificate;
     ss->ssl3.hs.ws = wait_hello_done;
 
 #ifdef NSS_PLATFORM_CLIENT_AUTH
     if (ss->getPlatformClientAuthData != NULL) {
-        /* XXX Should pass cert_types in this call!! */
+        /* XXX Should pass cert_types and algorithms in this call!! */
         rv = (SECStatus)(*ss->getPlatformClientAuthData)(
                                         ss->getPlatformClientAuthDataArg,
                                         ss->fd, &ca_list,
                                         &platform_cert_list,
                                         (void**)&ss->ssl3.platformClientKey,
                                         &ss->ssl3.clientCertificate,
                                         &ss->ssl3.clientPrivateKey);
     } else
 #endif
     if (ss->getClientAuthData != NULL) {
-        /* XXX Should pass cert_types in this call!! */
+        /* XXX Should pass cert_types and algorithms in this call!! */
         rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
                                                  ss->fd, &ca_list,
                                                  &ss->ssl3.clientCertificate,
                                                  &ss->ssl3.clientPrivateKey);
     } else {
         rv = SECFailure; /* force it to send a no_certificate alert */
     }
 
     switch (rv) {
     case SECWouldBlock: /* getClientAuthData has put up a dialog box. */
@@ skipping 1853 matching lines @@
 loser:
     if (signed_hash.data != NULL) 
         PORT_Free(signed_hash.data);
     return SECFailure;
 }
 
 
 static SECStatus
 ssl3_SendCertificateRequest(sslSocket *ss)
 {
+    PRBool         isTLS12;
     SECItem *      name;
     CERTDistNames *ca_list;
     const uint8 *  certTypes;
     SECItem *      names        = NULL;
     SECStatus      rv;
     int            length;
     int            i;
     int            calen        = 0;
     int            nnames       = 0;
     int            certTypesLength;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
                 SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
+    isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
+
     /* ssl3.ca_list is initialized to NULL, and never changed. */
     ca_list = ss->ssl3.ca_list;
     if (!ca_list) {
         ca_list = ssl3_server_ca_list;
     }
 
     if (ca_list != NULL) {
         names = ca_list->names;
         nnames = ca_list->nnames;
     }
 
     for (i = 0, name = names; i < nnames; i++, name++) {
         calen += 2 + name->len;
     }
 
     certTypes       = certificate_types;
     certTypesLength = sizeof certificate_types;
 
     length = 1 + certTypesLength + 2 + calen;
+    if (isTLS12) {
+        length += 2 + ssl3_SizeOfSupportedSignatureAlgorithms();
+    }
 
     rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
     if (rv != SECSuccess) {
         return rv;              /* err set by AppendHandshake. */
     }
     rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
     if (rv != SECSuccess) {
         return rv;              /* err set by AppendHandshake. */
     }
+    if (isTLS12) {
+        rv = ssl3_AppendSupportedSignatureAlgorithms(ss);
+        if (rv != SECSuccess) {
+            return rv;          /* err set by AppendHandshake. */
+        }
+    }
     rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
     if (rv != SECSuccess) {
         return rv;              /* err set by AppendHandshake. */
     }
     for (i = 0, name = names; i < nnames; i++, name++) {
         rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
         if (rv != SECSuccess) {
             return rv;          /* err set by AppendHandshake. */
         }
     }
@@ skipping 3335 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */