diff --git a/CHANGES b/CHANGES index 1df12173dee728e12338d08fe7cda99cb1192b38..2602cfac968e83848d95003a58839278ee1dfd16 100644 --- a/CHANGES +++ b/CHANGES @@ -4,19 +4,6 @@ Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] - *) Experimental workaround TLS filler (WTF) extension. Based on a suggested - workaround for the "TLS hang bug" (see FAQ and PR#2771): if the TLS client - Hello record length value would otherwise be > 255 and less that 512 - pad with a dummy extension containing zeroes so it is at least 512 bytes - long. - - To enable it use an unused extension number (for example 0x4242) using - e.g. -DTLSEXT_TYPE_wtf=0x4242 - - WARNING: EXPERIMENTAL, SUBJECT TO CHANGE. - - [Steve Henson] - *) Experimental encrypt-then-mac support. Experimental support for encrypt then mac from @@ -286,6 +273,25 @@ Changes between 1.0.1e and 1.0.2 [xx XXX xxxx] + *) TLS pad extension: draft-agl-tls-padding-02 + + Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the + TLS client Hello record length value would otherwise be > 255 and + less that 512 pad with a dummy extension containing zeroes so it + is at least 512 bytes long. + + To enable it use an unused extension number (for example chrome uses + 35655) using: + + e.g. -DTLSEXT_TYPE_padding=35655 + + Since the extension is ignored the actual number doesn't matter as long + as it doesn't clash with any existing extension. + + This will be updated when the extension gets an official number. + + [Adam Langley, Steve Henson] + *) Add functions to allocate and set the fields of an ECDSA_METHOD structure. [Douglas E. Engert, Steve Henson] diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8b7cce65f308963191cb582294b3458e4093587c..8dbd00323305e508d8e9a5fe3f2ee82e61703acc 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1472,17 +1472,30 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha s2n(TLSEXT_TYPE_encrypt_then_mac,ret); s2n(0,ret); #endif -#ifdef TLSEXT_TYPE_wtf - { - /* Work out length which would be used in the TLS record: - * NB this should ALWAYS appear after all other extensions. +#ifdef TLSEXT_TYPE_padding + /* Add padding to workaround bugs in F5 terminators. + * See https://tools.ietf.org/html/draft-agl-tls-padding-02 + * + * NB: because this code works out the length of all existing + * extensions it MUST always appear last. */ - int hlen = ret - (unsigned char *)s->init_buf->data - 3; + { + int hlen = ret - (unsigned char *)s->init_buf->data; + /* The code in s23_clnt.c to build ClientHello messages includes the + * 5-byte record header in the buffer, while the code in s3_clnt.c does + * not. */ + if (s->state == SSL23_ST_CW_CLNT_HELLO_A) + hlen -= 5; if (hlen > 0xff && hlen < 0x200) { hlen = 0x200 - hlen; - s2n(TLSEXT_TYPE_wtf,ret); - s2n(hlen,ret); + if (hlen >= 4) + hlen -= 4; + else + hlen = 0; + + s2n(TLSEXT_TYPE_padding, ret); + s2n(hlen, ret); memset(ret, 0, hlen); ret += hlen; }