Move the TLS padding extension under an SSL_OP_TLSEXT_PADDING option, which

is off by default (instead of being enabled unconditionally). The TLS padding extension was added as a workaround for a bug in F5 SSL terminators, however appears to trigger bugs in IronPort SMTP appliances. Now the SSL client gets to choose which of these devices it wants to trigger bugs in... Ported from OpenSSL. Discussed with many. ok miod@
author: jsing <> 2014-09-21 17:11:04 +0000
committer: jsing <> 2014-09-21 17:11:04 +0000
commit: c8c9d3c3e1b177e5460971854d7f727626d4b049 (patch)
tree: e5cbc90250f990364220e3f3a9e5eaf4714c2bdf /src
parent: 841b225a53e89adbf4f8b877083b372f9adc0c07 (diff)
download: openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.tar.gz
openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.tar.bz2
openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.zip
4 files changed, 36 insertions, 20 deletions
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index 857709f7c5..1851cd9525 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.63 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.64 2014/09/21 17:11:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -514,7 +514,7 @@ struct ssl_session_st {
 /* Allow initial connection to servers that don't support RI */
 #define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x00000008L
-#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x00000010L
+#define SSL_OP_TLSEXT_PADDING                           0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
 #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x00000040L
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x00000080L
@@ -524,6 +524,9 @@ struct ssl_session_st {
 /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
 #define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x0
+/* Refers to ancient SSLREF and SSLv2, retained for compatibility */
+#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
 * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
 * the workaround is not needed.
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index c25f10bfab..87a65e3db2 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.54 2014/08/07 22:27:28 guenther Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.55 2014/09/21 17:11:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -635,18 +635,24 @@ skip_ext:
        }
 #endif
-#ifdef TLSEXT_TYPE_padding
+        /*
-        /* Add padding to workaround bugs in F5 terminators.
+         * Add padding to workaround bugs in F5 terminators.
         * See https://tools.ietf.org/html/draft-agl-tls-padding-03
         *
+         * Note that this seems to trigger issues with IronPort SMTP
+         * appliances.
+         *
         * NB: because this code works out the length of all existing
         * extensions it MUST always appear last.
         */
-        {
+        if (s->options & SSL_OP_TLSEXT_PADDING) {
                int hlen = ret - (unsigned char *)s->init_buf->data;
-        /* The code in s23_clnt.c to build ClientHello messages includes the
-         * 5-byte record header in the buffer, while the code in s3_clnt.c does
+                /*
-         * not. */
+                 * The code in s23_clnt.c to build ClientHello messages
+                 * includes the 5-byte record header in the buffer, while the
+                 * code in s3_clnt.c does not.
+                 */
                if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
                        hlen -= 5;
                if (hlen > 0xff && hlen < 0x200) {
@@ -662,7 +668,6 @@ skip_ext:
                        ret += hlen;
                }
        }
-#endif
        if ((extdatalen = ret - p - 2) == 0)
                return p;
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 857709f7c5..1851cd9525 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.63 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.64 2014/09/21 17:11:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -514,7 +514,7 @@ struct ssl_session_st {
 /* Allow initial connection to servers that don't support RI */
 #define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x00000008L
-#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x00000010L
+#define SSL_OP_TLSEXT_PADDING                           0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
 #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x00000040L
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x00000080L
@@ -524,6 +524,9 @@ struct ssl_session_st {
 /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
 #define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x0
+/* Refers to ancient SSLREF and SSLv2, retained for compatibility */
+#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
 * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
 * the workaround is not needed.
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index c25f10bfab..87a65e3db2 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.54 2014/08/07 22:27:28 guenther Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.55 2014/09/21 17:11:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -635,18 +635,24 @@ skip_ext:
        }
 #endif
-#ifdef TLSEXT_TYPE_padding
+        /*
-        /* Add padding to workaround bugs in F5 terminators.
+         * Add padding to workaround bugs in F5 terminators.
         * See https://tools.ietf.org/html/draft-agl-tls-padding-03
         *
+         * Note that this seems to trigger issues with IronPort SMTP
+         * appliances.
+         *
         * NB: because this code works out the length of all existing
         * extensions it MUST always appear last.
         */
-        {
+        if (s->options & SSL_OP_TLSEXT_PADDING) {
                int hlen = ret - (unsigned char *)s->init_buf->data;
-        /* The code in s23_clnt.c to build ClientHello messages includes the
-         * 5-byte record header in the buffer, while the code in s3_clnt.c does
+                /*
-         * not. */
+                 * The code in s23_clnt.c to build ClientHello messages
+                 * includes the 5-byte record header in the buffer, while the
+                 * code in s3_clnt.c does not.
+                 */
                if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
                        hlen -= 5;
                if (hlen > 0xff && hlen < 0x200) {
@@ -662,7 +668,6 @@ skip_ext:
                        ret += hlen;
                }
        }
-#endif
        if ((extdatalen = ret - p - 2) == 0)
                return p;
author	jsing <>	2014-09-21 17:11:04 +0000
committer	jsing <>	2014-09-21 17:11:04 +0000
commit	c8c9d3c3e1b177e5460971854d7f727626d4b049 (patch)
tree	e5cbc90250f990364220e3f3a9e5eaf4714c2bdf /src
parent	841b225a53e89adbf4f8b877083b372f9adc0c07 (diff)
download	openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.tar.gz openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.tar.bz2 openbsd-c8c9d3c3e1b177e5460971854d7f727626d4b049.zip

diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index 857709f7c5..1851cd9525 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl.h,v 1.63 2014/08/10 14:42:56 jsing Exp $ */	1	/* $OpenBSD: ssl.h,v 1.64 2014/09/21 17:11:04 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -514,7 +514,7 @@ struct ssl_session_st {
514	/* Allow initial connection to servers that don't support RI */	514	/* Allow initial connection to servers that don't support RI */
515	#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L	515	#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
516	#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L	516	#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
517	#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L	517	#define SSL_OP_TLSEXT_PADDING 0x00000010L
518	#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L	518	#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
519	#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L	519	#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L
520	#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L	520	#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
@@ -524,6 +524,9 @@ struct ssl_session_st {
524	/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */	524	/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
525	#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0	525	#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
526		526
		527	/* Refers to ancient SSLREF and SSLv2, retained for compatibility */
		528	#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
		529
527	/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added	530	/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
528	* in OpenSSL 0.9.6d. Usually (depending on the application protocol)	531	* in OpenSSL 0.9.6d. Usually (depending on the application protocol)
529	* the workaround is not needed.	532	* the workaround is not needed.


diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index c25f10bfab..87a65e3db2 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.54 2014/08/07 22:27:28 guenther Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.55 2014/09/21 17:11:04 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -635,18 +635,24 @@ skip_ext:
635	}	635	}
636	#endif	636	#endif
637		637
638	#ifdef TLSEXT_TYPE_padding	638	/*
639	/* Add padding to workaround bugs in F5 terminators.	639	* Add padding to workaround bugs in F5 terminators.
640	* See https://tools.ietf.org/html/draft-agl-tls-padding-03	640	* See https://tools.ietf.org/html/draft-agl-tls-padding-03
641	*	641	*
		642	* Note that this seems to trigger issues with IronPort SMTP
		643	* appliances.
		644	*
642	* NB: because this code works out the length of all existing	645	* NB: because this code works out the length of all existing
643	* extensions it MUST always appear last.	646	* extensions it MUST always appear last.
644	*/	647	*/
645	{	648	if (s->options & SSL_OP_TLSEXT_PADDING) {
646	int hlen = ret - (unsigned char *)s->init_buf->data;	649	int hlen = ret - (unsigned char *)s->init_buf->data;
647	/* The code in s23_clnt.c to build ClientHello messages includes the	650
648	* 5-byte record header in the buffer, while the code in s3_clnt.c does	651	/*
649	* not. */	652	* The code in s23_clnt.c to build ClientHello messages
		653	* includes the 5-byte record header in the buffer, while the
		654	* code in s3_clnt.c does not.
		655	*/
650	if (s->state == SSL23_ST_CW_CLNT_HELLO_A)	656	if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
651	hlen -= 5;	657	hlen -= 5;
652	if (hlen > 0xff && hlen < 0x200) {	658	if (hlen > 0xff && hlen < 0x200) {
@@ -662,7 +668,6 @@ skip_ext:
662	ret += hlen;	668	ret += hlen;
663	}	669	}
664	}	670	}
665	#endif
666		671
667	if ((extdatalen = ret - p - 2) == 0)	672	if ((extdatalen = ret - p - 2) == 0)
668	return p;	673	return p;


diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 857709f7c5..1851cd9525 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl.h,v 1.63 2014/08/10 14:42:56 jsing Exp $ */	1	/* $OpenBSD: ssl.h,v 1.64 2014/09/21 17:11:04 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -514,7 +514,7 @@ struct ssl_session_st {
514	/* Allow initial connection to servers that don't support RI */	514	/* Allow initial connection to servers that don't support RI */
515	#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L	515	#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
516	#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L	516	#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
517	#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L	517	#define SSL_OP_TLSEXT_PADDING 0x00000010L
518	#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L	518	#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
519	#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L	519	#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L
520	#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L	520	#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
@@ -524,6 +524,9 @@ struct ssl_session_st {
524	/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */	524	/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
525	#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0	525	#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
526		526
		527	/* Refers to ancient SSLREF and SSLv2, retained for compatibility */
		528	#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
		529
527	/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added	530	/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
528	* in OpenSSL 0.9.6d. Usually (depending on the application protocol)	531	* in OpenSSL 0.9.6d. Usually (depending on the application protocol)
529	* the workaround is not needed.	532	* the workaround is not needed.


diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index c25f10bfab..87a65e3db2 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.54 2014/08/07 22:27:28 guenther Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.55 2014/09/21 17:11:04 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -635,18 +635,24 @@ skip_ext:
635	}	635	}
636	#endif	636	#endif
637		637
638	#ifdef TLSEXT_TYPE_padding	638	/*
639	/* Add padding to workaround bugs in F5 terminators.	639	* Add padding to workaround bugs in F5 terminators.
640	* See https://tools.ietf.org/html/draft-agl-tls-padding-03	640	* See https://tools.ietf.org/html/draft-agl-tls-padding-03
641	*	641	*
		642	* Note that this seems to trigger issues with IronPort SMTP
		643	* appliances.
		644	*
642	* NB: because this code works out the length of all existing	645	* NB: because this code works out the length of all existing
643	* extensions it MUST always appear last.	646	* extensions it MUST always appear last.
644	*/	647	*/
645	{	648	if (s->options & SSL_OP_TLSEXT_PADDING) {
646	int hlen = ret - (unsigned char *)s->init_buf->data;	649	int hlen = ret - (unsigned char *)s->init_buf->data;
647	/* The code in s23_clnt.c to build ClientHello messages includes the	650
648	* 5-byte record header in the buffer, while the code in s3_clnt.c does	651	/*
649	* not. */	652	* The code in s23_clnt.c to build ClientHello messages
		653	* includes the 5-byte record header in the buffer, while the
		654	* code in s3_clnt.c does not.
		655	*/
650	if (s->state == SSL23_ST_CW_CLNT_HELLO_A)	656	if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
651	hlen -= 5;	657	hlen -= 5;
652	if (hlen > 0xff && hlen < 0x200) {	658	if (hlen > 0xff && hlen < 0x200) {
@@ -662,7 +668,6 @@ skip_ext:
662	ret += hlen;	668	ret += hlen;
663	}	669	}
664	}	670	}
665	#endif
666		671
667	if ((extdatalen = ret - p - 2) == 0)	672	if ((extdatalen = ret - p - 2) == 0)
668	return p;	673	return p;