Based on a suggested workaround for the "TLS hang bug" (see FAQ and PR#2771):
if the TLS Client Hello record length value would otherwise be > 255 and less
that 512 pad with a dummy extension containing zeroes so it is at least 512.
To enable it use an unused extension number (for example 0x4242) using
e.g. -DTLSEXT_TYPE_wtf=0x4242
WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
Changes between 1.0.2 and 1.1.0 [xx XXX xxxx]
+ *) Experimental workaround TLS filler (WTF) extension. Based on a suggested
+ workaround for the "TLS hang bug" (see FAQ and PR#2771): if the TLS client
+ Hello record length value would otherwise be > 255 and less that 512
+ pad with a dummy extension containing zeroes so it is at least 512 bytes
+ long.
+
+ To enable it use an unused extension number (for example 0x4242) using
+ e.g. -DTLSEXT_TYPE_wtf=0x4242
+
+ WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
+
+ [Steve Henson]
+
*) Experimental encrypt-then-mac support.
Experimental support for encrypt then mac from
s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
s2n(0,ret);
#endif
+#ifdef TLSEXT_TYPE_wtf
+ {
+ /* Work out length which would be used in the TLS record:
+ * NB this should ALWAYS appear after all other extensions.
+ */
+ int hlen = ret - (unsigned char *)s->init_buf->data - 3;
+ if (hlen > 0xff && hlen < 0x200)
+ {
+ hlen = 0x200 - hlen;
+ s2n(TLSEXT_TYPE_wtf,ret);
+ s2n(hlen,ret);
+ memset(ret, 0, hlen);
+ ret += hlen;
+ }
+ }
+#endif
if ((extdatalen = ret-p-2) == 0)
return p;
projects / oweals / openssl.git / commitdiff