diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2013-11-06 20:45:12 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2013-11-06 20:49:47 +0000 |
commit | 0467ea68624450ecece4cde0d5803499aaff19c2 (patch) | |
tree | 1b14b6d36894ff113f56f165a0ec1f61e1afc1a6 | |
parent | e0ffd129c16af90eb5e2ce54e57832c0046d1aaf (diff) | |
download | openssl-0467ea68624450ecece4cde0d5803499aaff19c2.tar.gz |
Experimental workaround TLS filler (WTF) extension.
Based on a suggested workaround for the "TLS hang bug" (see FAQ and PR#2771):
if the TLS Client Hello record length value would otherwise be > 255 and less
that 512 pad with a dummy extension containing zeroes so it is at least 512.
To enable it use an unused extension number (for example 0x4242) using
e.g. -DTLSEXT_TYPE_wtf=0x4242
WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
-rw-r--r-- | CHANGES | 13 | ||||
-rw-r--r-- | ssl/t1_lib.c | 16 |
2 files changed, 29 insertions, 0 deletions
@@ -4,6 +4,19 @@ Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] + *) Experimental workaround TLS filler (WTF) extension. Based on a suggested + workaround for the "TLS hang bug" (see FAQ and PR#2771): if the TLS client + Hello record length value would otherwise be > 255 and less that 512 + pad with a dummy extension containing zeroes so it is at least 512 bytes + long. + + To enable it use an unused extension number (for example 0x4242) using + e.g. -DTLSEXT_TYPE_wtf=0x4242 + + WARNING: EXPERIMENTAL, SUBJECT TO CHANGE. + + [Steve Henson] + *) Experimental encrypt-then-mac support. Experimental support for encrypt then mac from diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 741f102831..d7f5f90712 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1472,6 +1472,22 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha s2n(TLSEXT_TYPE_encrypt_then_mac,ret); s2n(0,ret); #endif +#ifdef TLSEXT_TYPE_wtf + { + /* Work out length which would be used in the TLS record: + * NB this should ALWAYS appear after all other extensions. + */ + int hlen = ret - (unsigned char *)s->init_buf->data - 3; + if (hlen > 0xff && hlen < 0x200) + { + hlen = 0x200 - hlen; + s2n(TLSEXT_TYPE_wtf,ret); + s2n(hlen,ret); + memset(ret, 0, hlen); + ret += hlen; + } + } +#endif if ((extdatalen = ret-p-2) == 0) return p; |