Update to pad extension.

Fix padding calculation for different SSL_METHOD types. Use the
standard name as used in draft-agl-tls-padding-02

diff --git a/CHANGES b/CHANGES
index 1df12173dee728e12338d08fe7cda99cb1192b38..2602cfac968e83848d95003a58839278ee1dfd16 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,19 +4,6 @@
 
  Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]
 
-  *) Experimental workaround TLS filler (WTF) extension. Based on a suggested
-     workaround for the "TLS hang bug" (see FAQ and PR#2771): if the TLS client
-     Hello record length value would otherwise be > 255 and less that 512
-     pad with a dummy extension containing zeroes so it is at least 512 bytes
-     long.
-
-     To enable it use an unused extension number (for example 0x4242) using
-     e.g. -DTLSEXT_TYPE_wtf=0x4242
-
-     WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
- 
-     [Steve Henson]
-
   *) Experimental encrypt-then-mac support.
     
      Experimental support for encrypt then mac from
@@ -286,6 +273,25 @@
 
  Changes between 1.0.1e and 1.0.2 [xx XXX xxxx]
 
+  *) TLS pad extension: draft-agl-tls-padding-02
+
+     Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+     TLS client Hello record length value would otherwise be > 255 and
+     less that 512 pad with a dummy extension containing zeroes so it
+     is at least 512 bytes long.
+
+     To enable it use an unused extension number (for example chrome uses
+     35655) using:
+
+     e.g. -DTLSEXT_TYPE_padding=35655
+
+     Since the extension is ignored the actual number doesn't matter as long
+     as it doesn't clash with any existing extension.
+
+     This will be updated when the extension gets an official number.
+
+     [Adam Langley, Steve Henson]
+
   *) Add functions to allocate and set the fields of an ECDSA_METHOD
      structure.
      [Douglas E. Engert, Steve Henson]

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8b7cce65f308963191cb582294b3458e4093587c..8dbd00323305e508d8e9a5fe3f2ee82e61703acc 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1472,17 +1472,30 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
        s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
        s2n(0,ret);
 #endif
-#ifdef TLSEXT_TYPE_wtf
-       {
-       /* Work out length which would be used in the TLS record:
-        * NB this should ALWAYS appear after all other extensions.
+#ifdef TLSEXT_TYPE_padding
+       /* Add padding to workaround bugs in F5 terminators.
+        * See https://tools.ietf.org/html/draft-agl-tls-padding-02
+        *
+        * NB: because this code works out the length of all existing
+        * extensions it MUST always appear last.
         */
-       int hlen = ret - (unsigned char *)s->init_buf->data - 3;
+       {
+       int hlen = ret - (unsigned char *)s->init_buf->data;
+       /* The code in s23_clnt.c to build ClientHello messages includes the
+        * 5-byte record header in the buffer, while the code in s3_clnt.c does
+        * not. */
+       if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
+               hlen -= 5;
        if (hlen > 0xff && hlen < 0x200)
                {
                hlen = 0x200 - hlen;
-               s2n(TLSEXT_TYPE_wtf,ret);
-               s2n(hlen,ret);
+               if (hlen >= 4)
+                       hlen -= 4;
+               else
+                       hlen = 0;
+
+               s2n(TLSEXT_TYPE_padding, ret);
+               s2n(hlen, ret);
                memset(ret, 0, hlen);
                ret += hlen;
                }