From 01f2f18f3c7e229bd4b1b2e3e150722175c64971 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 1 Jun 2014 16:08:18 +0100 Subject: [PATCH] Option to disable padding extension. Add TLS padding extension to SSL_OP_ALL so it is used with other "bugs" options and can be turned off. This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient option referring to SSLv2 and SSLREF. PR#3336 --- doc/ssl/SSL_CTX_set_options.pod | 6 +++++ ssl/ssl.h | 4 ++- ssl/t1_lib.c | 43 +++++++++++++++++---------------- 3 files changed, 31 insertions(+), 22 deletions(-) diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 4f990b2ea9..e2548c35b8 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -112,6 +112,12 @@ vulnerability affecting CBC ciphers, which cannot be handled by some broken SSL implementations. This option has no effect for connections using other ciphers. +=item SSL_OP_TLSEXT_PADDING + +Adds a padding extension to ensure the ClientHello size is never between +256 and 511 bytes in length. This is needed as a workaround for some +implementations. + =item SSL_OP_ALL All of the above bug workarounds. diff --git a/ssl/ssl.h b/ssl/ssl.h index 7d0c7bbe72..950212f867 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -662,7 +662,7 @@ struct ssl_session_st /* Allow initial connection to servers that don't support RI */ #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L -#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L +#define SSL_OP_TLSEXT_PADDING 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L @@ -671,6 +671,8 @@ struct ssl_session_st /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 +/* Refers to ancient SSLREF and SSLv2, retained for compatibility */ +#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 0ba37da0a0..c4e27b972b 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1508,35 +1508,36 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha s2n(TLSEXT_TYPE_encrypt_then_mac,ret); s2n(0,ret); #endif -#ifdef TLSEXT_TYPE_padding + /* Add padding to workaround bugs in F5 terminators. * See https://tools.ietf.org/html/draft-agl-tls-padding-03 * * NB: because this code works out the length of all existing * extensions it MUST always appear last. */ - { - int hlen = ret - (unsigned char *)s->init_buf->data; - /* The code in s23_clnt.c to build ClientHello messages includes the - * 5-byte record header in the buffer, while the code in s3_clnt.c does - * not. */ - if (s->state == SSL23_ST_CW_CLNT_HELLO_A) - hlen -= 5; - if (hlen > 0xff && hlen < 0x200) - { - hlen = 0x200 - hlen; - if (hlen >= 4) - hlen -= 4; - else - hlen = 0; + if (s->options & SSL_OP_TLSEXT_PADDING) + { + int hlen = ret - (unsigned char *)s->init_buf->data; + /* The code in s23_clnt.c to build ClientHello messages + * includes the 5-byte record header in the buffer, while + * the code in s3_clnt.c does not. + */ + if (s->state == SSL23_ST_CW_CLNT_HELLO_A) + hlen -= 5; + if (hlen > 0xff && hlen < 0x200) + { + hlen = 0x200 - hlen; + if (hlen >= 4) + hlen -= 4; + else + hlen = 0; - s2n(TLSEXT_TYPE_padding, ret); - s2n(hlen, ret); - memset(ret, 0, hlen); - ret += hlen; + s2n(TLSEXT_TYPE_padding, ret); + s2n(hlen, ret); + memset(ret, 0, hlen); + ret += hlen; + } } - } -#endif if ((extdatalen = ret-p-2) == 0) return p; -- 2.25.1