diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2013-12-13 14:41:32 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-02-05 15:42:04 +0000 |
commit | 4a55631e4dc76fb8d668218bf461c45a9abc5b94 (patch) | |
tree | 156d2afe798d188d046b120ea58689448d4c0a7e /ssl | |
parent | 19a68574a9d1f59c355385a1b64cbd443bf49e00 (diff) |
Backport TLS padding extension from master.
(cherry picked from commit 8c6d8c2a498146992123ef5407d7ba01a1e7224d)
Conflicts:
CHANGES
ssl/t1_lib.c
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/t1_lib.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index e22ebbff85..29ccd833ec 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -662,6 +662,36 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha } #endif +#ifdef TLSEXT_TYPE_padding + /* Add padding to workaround bugs in F5 terminators. + * See https://tools.ietf.org/html/draft-agl-tls-padding-02 + * + * NB: because this code works out the length of all existing + * extensions it MUST always appear last. + */ + { + int hlen = ret - (unsigned char *)s->init_buf->data; + /* The code in s23_clnt.c to build ClientHello messages includes the + * 5-byte record header in the buffer, while the code in s3_clnt.c does + * not. */ + if (s->state == SSL23_ST_CW_CLNT_HELLO_A) + hlen -= 5; + if (hlen > 0xff && hlen < 0x200) + { + hlen = 0x200 - hlen; + if (hlen >= 4) + hlen -= 4; + else + hlen = 0; + + s2n(TLSEXT_TYPE_padding, ret); + s2n(hlen, ret); + memset(ret, 0, hlen); + ret += hlen; + } + } +#endif + if ((extdatalen = ret-p-2)== 0) return p; |