Option to disable padding extension.

Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.

This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.

PR#3336
(cherry picked from commit 758415b2259fa45d3fe17d8e53ae1341b7b6e482)

Conflicts:

	ssl/t1_lib.c

diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index fded0601b566b65ba84769a7ced7df3df7c4a6e3..d8866927a262ab403a74c3930a0068486657a42f 100644 (file)
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -112,6 +112,12 @@ vulnerability affecting CBC ciphers, which cannot be handled by some
 broken SSL implementations.  This option has no effect for connections
 using other ciphers.
 
+=item SSL_OP_TLSEXT_PADDING
+
+Adds a padding extension to ensure the ClientHello size is never between
+256 and 511 bytes in length. This is needed as a workaround for some
+implementations.
+
 =item SSL_OP_ALL
 
 All of the above bug workarounds.

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 18ac65cfe51ff25e00109937bd8c71bf71650515..e3715b53f394ff9353f944880c5786b755642e1c 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -658,7 +658,7 @@ struct ssl_session_st
 /* Allow initial connection to servers that don't support RI */
 #define SSL_OP_LEGACY_SERVER_CONNECT                   0x00000004L
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG                0x00000008L
-#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG             0x00000010L
+#define SSL_OP_TLSEXT_PADDING                          0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER              0x00000020L
 #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                  0x00000040L
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                        0x00000080L
@@ -667,6 +667,8 @@ struct ssl_session_st
 
 /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
 #define SSL_OP_MSIE_SSLV2_RSA_PADDING                  0x0
+/* Refers to ancient SSLREF and SSLv2, retained for compatibility */
+#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG             0x0
 
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 80397b9c07f54d60f42e9f63d22a6f1a7cd6b3d6..07674405d86e016aae8b27d68c84a5aeb9859a3b 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1468,36 +1468,35 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                        ret += outlen;
                        }
                }
-
-#ifdef TLSEXT_TYPE_padding
        /* Add padding to workaround bugs in F5 terminators.
         * See https://tools.ietf.org/html/draft-agl-tls-padding-03
         *
         * NB: because this code works out the length of all existing
         * extensions it MUST always appear last.
         */
-       {
-       int hlen = ret - (unsigned char *)s->init_buf->data;
-       /* The code in s23_clnt.c to build ClientHello messages includes the
-        * 5-byte record header in the buffer, while the code in s3_clnt.c does
-        * not. */
-       if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
-               hlen -= 5;
-       if (hlen > 0xff && hlen < 0x200)
+       if (s->options & SSL_OP_TLSEXT_PADDING)
                {
-               hlen = 0x200 - hlen;
-               if (hlen >= 4)
-                       hlen -= 4;
-               else
-                       hlen = 0;
+               int hlen = ret - (unsigned char *)s->init_buf->data;
+               /* The code in s23_clnt.c to build ClientHello messages
+                * includes the 5-byte record header in the buffer, while
+                * the code in s3_clnt.c does not.
+                */
+               if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
+                       hlen -= 5;
+               if (hlen > 0xff && hlen < 0x200)
+                       {
+                       hlen = 0x200 - hlen;
+                       if (hlen >= 4)
+                               hlen -= 4;
+                       else
+                               hlen = 0;
 
-               s2n(TLSEXT_TYPE_padding, ret);
-               s2n(hlen, ret);
-               memset(ret, 0, hlen);
-               ret += hlen;
+                       s2n(TLSEXT_TYPE_padding, ret);
+                       s2n(hlen, ret);
+                       memset(ret, 0, hlen);
+                       ret += hlen;
+                       }
                }
-       }
-#endif
 
        if ((extdatalen = ret-p-2) == 0)
                return p;