Certificate Transparency TLS extension patch for NSS

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 6594 matching lines @@
     /* get a new sid */
     ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
     if (sid == NULL) {
         goto alert_loser;       /* memory error is set. */
     }
 
     sid->version = ss->version;
     sid->u.ssl3.sessionIDLength = sidBytes.len;
     PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
 
+    /* Copy Signed Certificate Timestamps, if any. */

[wtc, 2013/11/08 19:51:31]

So if session resumption succeeds, we ignore any Signed Certificate Timestamps
that we have received, correct?

Update: RFC 6962 Sec. 3.3.1 answers my question:

   Session resumption uses the original session information: clients
   SHOULD include the extension type in the ClientHello, but if the
   session is resumed, the server is not expected to process it or
   include the extension in the ServerHello.

I guess this implies if the server still includes the extension in the
ServerHello, the extension is ignored by the client.

[ekasper, 2013/11/18 17:47:18]

Correct.

+    if (ss->xtnData.signedCertTimestamps.data) {
+        rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps,
+                              &ss->xtnData.signedCertTimestamps);
+        if (rv != SECSuccess)
+            goto loser;
+    }
+
+    /* Clean up the temporary pointer to the handshake buffer. */
+    ss->xtnData.signedCertTimestamps.data = NULL;
+    ss->xtnData.signedCertTimestamps.len = 0;

[wtc, 2013/11/08 19:51:31]

Nit: these three lines can be moved into the preceding if statement.

[ekasper, 2013/11/18 17:47:18]

Actually, uh, they belong to the winner: block below, otherwise the goto winner;
above misses this.

+
     ss->ssl3.hs.isResuming = PR_FALSE;
     ss->ssl3.hs.ws         = wait_server_cert;
 
 winner:
     /* If we will need a ChannelID key then we make the callback now. This
      * allows the handshake to be restarted cleanly if the callback returns
      * SECWouldBlock. */
     if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
         rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
                               &ss->ssl3.channelIDPub, &ss->ssl3.channelID);
         if (rv == SECWouldBlock) {
             ssl3_SetAlwaysBlock(ss);
             return rv;
         }
         if (rv != SECSuccess ||
             ss->ssl3.channelIDPub == NULL ||
             ss->ssl3.channelID == NULL) {
             PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
             desc = internal_error;
             goto alert_loser;
         }
     }
 
     return SECSuccess;
 
 alert_loser:
     (void)SSL3_SendAlert(ss, alert_fatal, desc);
 
 loser:
+    /* Clean up the temporary pointer to the handshake buffer. */
+    ss->xtnData.signedCertTimestamps.data = NULL;
+    ss->xtnData.signedCertTimestamps.len = 0;
     errCode = ssl_MapLowLevelError(errCode);
     return SECFailure;
 }
 
 /* ssl3_BigIntGreaterThanOne returns true iff |mpint|, taken as an unsigned,
  * big-endian integer is > 1 */
 static PRBool
 ssl3_BigIntGreaterThanOne(const SECItem* mpint) {
     unsigned char firstNonZeroByte = 0;
     unsigned int i;
@@ skipping 5909 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */