authorDr. Stephen Henson <steve@openssl.org>2013-11-06 20:45:12 +0000
committerDr. Stephen Henson <steve@openssl.org>2013-11-06 20:49:47 +0000
commit0467ea68624450ecece4cde0d5803499aaff19c2 (patch)
tree1b14b6d36894ff113f56f165a0ec1f61e1afc1a6 /ssl
parente0ffd129c16af90eb5e2ce54e57832c0046d1aaf (diff)
Experimental workaround TLS filler (WTF) extension.
Based on a suggested workaround for the "TLS hang bug" (see FAQ and PR#2771): if the TLS Client Hello record length value would otherwise be > 255 and less than 512, pad with a dummy extension containing zeroes so it is at least 512. To enable it, use an unused extension number (for example 0x4242) using e.g. -DTLSEXT_TYPE_wtf=0x4242. WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
Diffstat (limited to 'ssl')
-rw-r--r--ssl/t1_lib.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 741f102831..d7f5f90712 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1472,6 +1472,22 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
s2n(0,ret);
#endif
+#ifdef TLSEXT_TYPE_wtf
+ {
+ /* Work out length which would be used in the TLS record:
+ * NB this should ALWAYS appear after all other extensions.
+ */
+ int hlen = ret - (unsigned char *)s->init_buf->data - 3;
+ if (hlen > 0xff && hlen < 0x200)
+ {
+ hlen = 0x200 - hlen;
+ s2n(TLSEXT_TYPE_wtf,ret);
+ s2n(hlen,ret);
+ memset(ret, 0, hlen);
+ ret += hlen;
+ }
+ }
+#endif
if ((extdatalen = ret-p-2) == 0)
return p;
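Review bot: Nothing in the added block checks that `4 + hlen` bytes are still free in the output buffer before the two `s2n` writes and `memset(ret, 0, hlen)`, which together can append up to 260 bytes. The signature is cut off in the hunk header, but if the third parameter is the end-of-buffer pointer (presumably `limit`), a guard such as `if (limit - ret < 4 + hlen) return NULL;` ahead of the first `s2n` would keep the write bounded; whether the function already reports failure by returning NULL is not visible here and should be confirmed. The `- 3` in the `hlen` calculation is also unexplained, and a short comment saying which header bytes it accounts for would make the 0xff/0x200 thresholds easier to verify. The enclosing function starts and ends outside the hunk, so the "must appear after all other extensions" invariant can only be taken from the comment.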