diff options
| author | jsing <> | 2017-08-13 16:28:45 +0000 |
|---|---|---|
| committer | jsing <> | 2017-08-13 16:28:45 +0000 |
| commit | 30ea4f0a44f8383a49db321f0055b9971b9f2d67 (patch) | |
| tree | f5857fe175963dc9140e4475200f531a2d8413dd /src/lib/libssl/t1_lib.c | |
| parent | b5324a99854885ccd0a9dd62023c992d3fae050b (diff) | |
| download | openbsd-30ea4f0a44f8383a49db321f0055b9971b9f2d67.tar.gz openbsd-30ea4f0a44f8383a49db321f0055b9971b9f2d67.tar.bz2 openbsd-30ea4f0a44f8383a49db321f0055b9971b9f2d67.zip | |
Remove support for the TLS padding extension.
This was added as a workaround for broken F5 TLS termination, which then
created issues talking to broken IronPorts. The size of the padding is
hardcoded so it cannot be used in any generic sense.
ok bcook@ beck@ doug@
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/t1_lib.c | 36 |
1 files changed, 1 insertions, 35 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index b8b54484ed..c141dcef31 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_lib.c,v 1.132 2017/08/13 16:25:19 jsing Exp $ */ | 1 | /* $OpenBSD: t1_lib.c,v 1.133 2017/08/13 16:28:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -720,40 +720,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) | |||
| 720 | } | 720 | } |
| 721 | #endif | 721 | #endif |
| 722 | 722 | ||
| 723 | /* | ||
| 724 | * Add padding to workaround bugs in F5 terminators. | ||
| 725 | * See https://tools.ietf.org/html/draft-agl-tls-padding-03 | ||
| 726 | * | ||
| 727 | * Note that this seems to trigger issues with IronPort SMTP | ||
| 728 | * appliances. | ||
| 729 | * | ||
| 730 | * NB: because this code works out the length of all existing | ||
| 731 | * extensions it MUST always appear last. | ||
| 732 | */ | ||
| 733 | if (s->internal->options & SSL_OP_TLSEXT_PADDING) { | ||
| 734 | int hlen = ret - (unsigned char *)s->internal->init_buf->data; | ||
| 735 | |||
| 736 | /* | ||
| 737 | * The code in s23_clnt.c to build ClientHello messages | ||
| 738 | * includes the 5-byte record header in the buffer, while the | ||
| 739 | * code in s3_clnt.c does not. | ||
| 740 | */ | ||
| 741 | if (S3I(s)->hs.state == SSL23_ST_CW_CLNT_HELLO_A) | ||
| 742 | hlen -= 5; | ||
| 743 | if (hlen > 0xff && hlen < 0x200) { | ||
| 744 | hlen = 0x200 - hlen; | ||
| 745 | if (hlen >= 4) | ||
| 746 | hlen -= 4; | ||
| 747 | else | ||
| 748 | hlen = 0; | ||
| 749 | |||
| 750 | s2n(TLSEXT_TYPE_padding, ret); | ||
| 751 | s2n(hlen, ret); | ||
| 752 | memset(ret, 0, hlen); | ||
| 753 | ret += hlen; | ||
| 754 | } | ||
| 755 | } | ||
| 756 | |||
| 757 | if ((extdatalen = ret - p - 2) == 0) | 723 | if ((extdatalen = ret - p - 2) == 0) |
| 758 | return p; | 724 | return p; |
| 759 | 725 | ||