Certificate Transparency TLS extension patch for NSS

net/third_party/nss/ssl/ssl3ext.c

 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TLS extension code moved here from ssl3ecc.c */
 
 #include "nssrenam.h"
@@ skipping 63 matching lines @@
     PRUint16 ex_type, SECItem *data);
 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
                                                    PRUint16 ex_type,
                                                    SECItem *data);
 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
                                                PRUint32 maxBytes);
 static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append,
                                          PRUint32 maxBytes);
 static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
                                              SECItem *data);
+static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss,
+                                                     PRBool append,
+                                                     PRUint32 maxBytes);
+static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss,
+                                                         PRUint16 ex_type,
+                                                         SECItem *data);
 
 /*
  * Write bytes.  Using this function means the SECItem structure
  * cannot be freed.  The caller is expected to call this function
  * on a shallow copy of the structure.
  */
 static SECStatus
 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes)
 {
     if (bytes > item->len)
@@ skipping 158 matching lines @@
 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
     { ssl_server_name_xtn,        &ssl3_HandleServerNameXtn },
     /* TODO: add a handler for ssl_ec_point_formats_xtn */
     { ssl_session_ticket_xtn,     &ssl3_ClientHandleSessionTicketXtn },
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
     { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn },
     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
     { ssl_channel_id_xtn,         &ssl3_ClientHandleChannelIDXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
+    { ssl_signed_certificate_timestamp_xtn,
+      &ssl3_ClientHandleSignedCertTimestampXtn },
     { -1, NULL }
 };
 
 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { -1, NULL }
 };
 
 /* Tables of functions to format TLS hello extensions, one function per
  * extension.
  * These static tables are for the formatting of client hello extensions.
  * The server's table of hello senders is dynamic, in the socket struct,
  * and sender functions are registered there.
  */
 static const 
 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
     { ssl_server_name_xtn,            &ssl3_SendServerNameXtn        },
     { ssl_renegotiation_info_xtn,     &ssl3_SendRenegotiationInfoXtn },
 #ifdef NSS_ENABLE_ECC
     { ssl_elliptic_curves_xtn,        &ssl3_SendSupportedCurvesXtn },
     { ssl_ec_point_formats_xtn,       &ssl3_SendSupportedPointFormatsXtn },
 #endif
     { ssl_session_ticket_xtn,         &ssl3_SendSessionTicketXtn },
     { ssl_next_proto_nego_xtn,        &ssl3_ClientSendNextProtoNegoXtn },
     { ssl_app_layer_protocol_xtn,     &ssl3_ClientSendAppProtoXtn },
     { ssl_use_srtp_xtn,               &ssl3_SendUseSRTPXtn },
     { ssl_channel_id_xtn,             &ssl3_ClientSendChannelIDXtn },
     { ssl_cert_status_xtn,            &ssl3_ClientSendStatusRequestXtn },
-    { ssl_signature_algorithms_xtn,   &ssl3_ClientSendSigAlgsXtn }
+    { ssl_signature_algorithms_xtn,   &ssl3_ClientSendSigAlgsXtn },
+    { ssl_signed_certificate_timestamp_xtn,
+      &ssl3_ClientSendSignedCertTimestampXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
 static const 
 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = {
     { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
 static PRBool
@@ skipping 2056 matching lines @@
     if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2))
         return -1;
     if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2))
         return -1;
     memset(padding, ' ', paddingLen);
     if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen))
         return -1;
 
     return extensionLen;
 }
+
+/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
+ * extension for TLS ClientHellos. */
+static PRInt32
+ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
+                                      PRUint32 maxBytes)
+{
+    PRInt32 extension_length = 2 /* extension_type */ +
+            2 /* length(extension_data) */;
+
+    /* Only send the extension if processing is enabled. */
+    if (!ss->opt.enableSignedCertTimestamps)
+        return 0;
+
+    if (append && maxBytes >= extension_length) {
+        SECStatus rv;
+        /* extension_type */
+        rv = ssl3_AppendHandshakeNumber(ss,
+                                        ssl_signed_certificate_timestamp_xtn,
+                                        2);
+        if (rv != SECSuccess)
+            goto loser;
+        /* zero length */
+        rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+        if (rv != SECSuccess)
+            goto loser;
+        ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+                ssl_signed_certificate_timestamp_xtn;
+    } else if (maxBytes < extension_length) {
+        PORT_Assert(0);
+        return 0;
+    }
+
+    return extension_length;
+loser:
+    return -1;
+}
+
+static SECStatus
+ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
+                                        SECItem *data)
+{
+    /* We do not yet know whether we'll be resuming a session or creating
+     * a new one, so we keep a pointer to the data in the TLSExtensionData
+     * structure. This pointer is only valid in the scope of
+     * ssl3_HandleServerHello, and, if not resuming a session, the data is
+     * copied once a new session structure has been set up.
+     * All parsing is currently left to the application and we accept
+     * everything, including empty data.
+     */
+    SECItem *scts = &ss->xtnData.signedCertTimestamps;
+    PORT_Assert(!scts->data && !scts->len);
+
+    if (!data->len) {
+        /* Empty extension data: RFC 6962 mandates non-empty contents. */

[wtc, 2013/11/20 23:05:55]

Ideally we should call PORT_SetError(). But I can't find a suitable error code,
and I found that some other ssl3_*Handle*Xtn functions also fail to set an error
code before returning SECFailure.

+        return SECFailure;
+    }
+    *scts = *data;
+    /* Keep track of negotiated extensions. */
+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+    return SECSuccess;
+}