Certificate Transparency TLS extension patch for NSS

net/third_party/nss/ssl/ssl3ext.c

 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TLS extension code moved here from ssl3ecc.c */
 
 #include "nssrenam.h"
@@ skipping 63 matching lines @@
     PRUint16 ex_type, SECItem *data);
 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
                                                    PRUint16 ex_type,
                                                    SECItem *data);
 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
                                                PRUint32 maxBytes);
 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append,
                                          PRUint32 maxBytes);
 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
                                              SECItem *data);
+static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss,
+                                                     PRBool append,
+                                                     PRUint32 maxBytes);
+static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss,
+                                                         PRUint16 ex_type,
+                                                         SECItem *data);
 
 /*
  * Write bytes.  Using this function means the SECItem structure
  * cannot be freed.  The caller is expected to call this function
  * on a shallow copy of the structure.
  */
 static SECStatus
 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes)
 {
     if (bytes > item->len)
@@ skipping 158 matching lines @@
 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
     { ssl_server_name_xtn,        &ssl3_HandleServerNameXtn },
     /* TODO: add a handler for ssl_ec_point_formats_xtn */
     { ssl_session_ticket_xtn,     &ssl3_ClientHandleSessionTicketXtn },
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
     { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn },
     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
     { ssl_channel_id_xtn,         &ssl3_ClientHandleChannelIDXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
+    { ssl_signed_certificate_timestamp_xtn,
+      &ssl3_ClientHandleSignedCertTimestampXtn },
     { -1, NULL }
 };
 
 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { -1, NULL }
 };
 
 /* Tables of functions to format TLS hello extensions, one function per
  * extension.
  * These static tables are for the formatting of client hello extensions.
  * The server's table of hello senders is dynamic, in the socket struct,
  * and sender functions are registered there.
  */
 static const 
 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
     { ssl_server_name_xtn,            &ssl3_SendServerNameXtn        },
     { ssl_renegotiation_info_xtn,     &ssl3_SendRenegotiationInfoXtn },
 #ifdef NSS_ENABLE_ECC
     { ssl_elliptic_curves_xtn,        &ssl3_SendSupportedCurvesXtn },
     { ssl_ec_point_formats_xtn,       &ssl3_SendSupportedPointFormatsXtn },
 #endif
     { ssl_session_ticket_xtn,         &ssl3_SendSessionTicketXtn },
     { ssl_next_proto_nego_xtn,        &ssl3_ClientSendNextProtoNegoXtn },
     { ssl_app_layer_protocol_xtn,     &ssl3_ClientSendAppProtoXtn },
     { ssl_use_srtp_xtn,               &ssl3_SendUseSRTPXtn },
     { ssl_channel_id_xtn,             &ssl3_ClientSendChannelIDXtn },
     { ssl_cert_status_xtn,            &ssl3_ClientSendStatusRequestXtn },
-    { ssl_signature_algorithms_xtn,   &ssl3_ClientSendSigAlgsXtn }
+    { ssl_signature_algorithms_xtn,   &ssl3_ClientSendSigAlgsXtn },
+    { ssl_signed_certificate_timestamp_xtn,
+      &ssl3_ClientSendSignedCertTimestampXtn },

[wtc, 2013/11/08 19:51:31]

Nit: omit the comma (,).

[ekasper, 2013/11/18 17:47:18]

Done.

     /* any extra entries will appear as { 0, NULL }    */
 };
 
 static const 
 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = {
     { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
 static PRBool
@@ skipping 1989 matching lines @@
     } else if (maxBytes < extension_length) {
         PORT_Assert(0);
         return 0;
     }
 
     return extension_length;
 
 loser:
     return -1;
 }
+
+/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
+ * extension for TLS ClientHellos. */
+static PRInt32
+ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
+                                      PRUint32 maxBytes)
+{
+    /* Only send the extension if processing is enabled. */
+    if (!ss->opt.enableSignedCertTimestamps)
+        return 0;
+
+    PRInt32 extension_length = 2 /* extension_type */ +
+            2 /* length(extension_data) */;

[wtc, 2013/11/08 19:51:31]

IMPORTANT: move the variable declaration to the beginning of the function.
Unfortunately Visual C++ still doesn't support this C99 feature.

[ekasper, 2013/11/18 17:47:18]

Done, thanks for catching this.

+
+    if (append && maxBytes >= extension_length) {
+        SECStatus rv;
+        /* extension_type */
+        rv = ssl3_AppendHandshakeNumber(ss,
+                                        ssl_signed_certificate_timestamp_xtn,
+                                        2);
+        if (rv != SECSuccess)
+            goto loser;
+        /* zero length */
+        rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+        if (rv != SECSuccess)
+            goto loser;
+        ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+                ssl_signed_certificate_timestamp_xtn;
+    } else if (maxBytes < extension_length) {
+        PORT_Assert(0);
+        return 0;
+    }
+
+    return extension_length;
+loser:
+    return -1;
+}
+
+static SECStatus
+ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
+                                        SECItem *data)
+{
+    /* We do not yet know whether we'll be reusing a session or creating

[wtc, 2013/11/08 19:51:31]

Nit: reusing => resuming

[ekasper, 2013/11/18 17:47:18]

I actually meant "reusing" (as in reusing the structure). But both work, so
done.

+     * a new one, so we keep a pointer to the data in the TLSExtensionData
+     * structure. This pointer is only valid in the scope of
+     * ssl3_HandleServerHello, and, if not resuming a session, a copy of the
+     * data is made once a new session has been set up.

[wtc, 2013/11/08 19:51:31]

Nit: "a copy of the data is made" => "the data is copied"

[ekasper, 2013/11/18 17:47:18]

Done.

+     * All parsing is currently left to the application and we accept
+     * everything, including empty data.
+     */
+    SECItem *scts = &ss->xtnData.signedCertTimestamps;
+    PORT_Assert(!scts->data && !scts->len);
+    *scts = *data;
+    /* Keep track of negotiated extensions. */
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+    return SECSuccess;
+}