diff options
author | jsing <> | 2014-09-21 17:11:04 +0000 |
---|---|---|
committer | jsing <> | 2014-09-21 17:11:04 +0000 |
commit | c8c9d3c3e1b177e5460971854d7f727626d4b049 (patch) | |
tree | e5cbc90250f990364220e3f3a9e5eaf4714c2bdf /src/lib/libssl/t1_lib.c | |
parent | 841b225a53e89adbf4f8b877083b372f9adc0c07 (diff) | |
download | openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.tar.gz openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.tar.bz2 openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.zip |
Move the TLS padding extension under an SSL_OP_TLSEXT_PADDING option, which
is off by default (instead of being enabled unconditionally).
The TLS padding extension was added as a workaround for a bug in F5 SSL
terminators, however appears to trigger bugs in IronPort SMTP appliances.
Now the SSL client gets to choose which of these devices it wants to
trigger bugs in...
Ported from OpenSSL.
Discussed with many.
ok miod@
Diffstat (limited to 'src/lib/libssl/t1_lib.c')
-rw-r--r-- | src/lib/libssl/t1_lib.c | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index c25f10bfab..87a65e3db2 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: t1_lib.c,v 1.54 2014/08/07 22:27:28 guenther Exp $ */ | 1 | /* $OpenBSD: t1_lib.c,v 1.55 2014/09/21 17:11:04 jsing Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. | 3 | * All rights reserved. |
4 | * | 4 | * |
@@ -635,18 +635,24 @@ skip_ext: | |||
635 | } | 635 | } |
636 | #endif | 636 | #endif |
637 | 637 | ||
638 | #ifdef TLSEXT_TYPE_padding | 638 | /* |
639 | /* Add padding to workaround bugs in F5 terminators. | 639 | * Add padding to workaround bugs in F5 terminators. |
640 | * See https://tools.ietf.org/html/draft-agl-tls-padding-03 | 640 | * See https://tools.ietf.org/html/draft-agl-tls-padding-03 |
641 | * | 641 | * |
642 | * Note that this seems to trigger issues with IronPort SMTP | ||
643 | * appliances. | ||
644 | * | ||
642 | * NB: because this code works out the length of all existing | 645 | * NB: because this code works out the length of all existing |
643 | * extensions it MUST always appear last. | 646 | * extensions it MUST always appear last. |
644 | */ | 647 | */ |
645 | { | 648 | if (s->options & SSL_OP_TLSEXT_PADDING) { |
646 | int hlen = ret - (unsigned char *)s->init_buf->data; | 649 | int hlen = ret - (unsigned char *)s->init_buf->data; |
647 | /* The code in s23_clnt.c to build ClientHello messages includes the | 650 | |
648 | * 5-byte record header in the buffer, while the code in s3_clnt.c does | 651 | /* |
649 | * not. */ | 652 | * The code in s23_clnt.c to build ClientHello messages |
653 | * includes the 5-byte record header in the buffer, while the | ||
654 | * code in s3_clnt.c does not. | ||
655 | */ | ||
650 | if (s->state == SSL23_ST_CW_CLNT_HELLO_A) | 656 | if (s->state == SSL23_ST_CW_CLNT_HELLO_A) |
651 | hlen -= 5; | 657 | hlen -= 5; |
652 | if (hlen > 0xff && hlen < 0x200) { | 658 | if (hlen > 0xff && hlen < 0x200) { |
@@ -662,7 +668,6 @@ skip_ext: | |||
662 | ret += hlen; | 668 | ret += hlen; |
663 | } | 669 | } |
664 | } | 670 | } |
665 | #endif | ||
666 | 671 | ||
667 | if ((extdatalen = ret - p - 2) == 0) | 672 | if ((extdatalen = ret - p - 2) == 0) |
668 | return p; | 673 | return p; |