Add explicit |forceOnlineSignin| to user pod status
1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
2 --- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:03:25.346656907 -0800
3 +++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:03:36.916845935 -0800
4 @@ -4987,6 +4987,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
5 int actual_count = 0;
6 PRBool isTLS = PR_FALSE;
7 PRInt32 total_exten_len = 0;
8 + unsigned paddingExtensionLen;
9 unsigned numCompressionMethods;
10 PRInt32 flags;
12 @@ -5264,6 +5265,20 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
13 length += 1 + ss->ssl3.hs.cookieLen;
16 + /* A padding extension may be included to ensure that the record containing
17 + * the ClientHello doesn't have a length between 256 and 511 bytes
18 + * (inclusive). Initial, ClientHello records with such lengths trigger bugs
19 + * in F5 devices.
20 + *
21 + * This is not done for DTLS nor for renegotiation. */
22 + if (!IS_DTLS(ss) && isTLS && !ss->firstHsDone) {
23 + paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length);
24 + total_exten_len += paddingExtensionLen;
25 + length += paddingExtensionLen;
26 + } else {
27 + paddingExtensionLen = 0;
28 + }
30 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
31 if (rv != SECSuccess) {
32 if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
33 @@ -5398,6 +5413,13 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
34 return SECFailure;
36 maxBytes -= extLen;
38 + extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
39 + if (extLen < 0) {
40 + return SECFailure;
41 + }
42 + maxBytes -= extLen;
44 PORT_Assert(!maxBytes);
47 diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
48 --- a/nss/lib/ssl/ssl3ext.c 2014-01-03 18:58:03.661401846 -0800
49 +++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:03:36.916845935 -0800
50 @@ -2315,3 +2315,56 @@ ssl3_ClientSendSigAlgsXtn(sslSocket * ss
51 loser:
52 return -1;
55 +unsigned int
56 +ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
58 + unsigned int recordLength = 1 /* handshake message type */ +
59 + 3 /* handshake message length */ +
60 + clientHelloLength;
61 + unsigned int extensionLength;
63 + if (recordLength < 256 || recordLength >= 512) {
64 + return 0;
65 + }
67 + extensionLength = 512 - recordLength;
68 + /* Extensions take at least four bytes to encode. */
69 + if (extensionLength < 4) {
70 + extensionLength = 4;
71 + }
73 + return extensionLength;
76 +/* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a
77 + * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures
78 + * that we don't trigger bugs in F5 products. */
79 +PRInt32
80 +ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
81 + PRUint32 maxBytes)
83 + unsigned int paddingLen = extensionLen - 4;
84 + unsigned char padding[256];
86 + if (extensionLen == 0) {
87 + return 0;
88 + }
90 + if (extensionLen < 4 ||
91 + extensionLen > maxBytes ||
92 + paddingLen > sizeof(padding)) {
93 + PORT_Assert(0);
94 + return -1;
95 + }
97 + if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2))
98 + return -1;
99 + if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2))
100 + return -1;
101 + memset(padding, 0, paddingLen);
102 + if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen))
103 + return -1;
105 + return extensionLen;
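Review bot: The sanity-check failure path in `ssl3_AppendPaddingExtension` returns -1 without recording an error code, unlike the later returns which inherit whatever `ssl3_AppendHandshake*` set, so a caller turning this into SECFailure would report a stale or empty PR error; add `PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);` before that `return -1;`. Separately, `paddingLen = extensionLen - 4` is computed in the declaration, before the `extensionLen == 0` early return, which wraps the unsigned value on the zero path; it is harmless because the value is unused then, but it reads like a bug, so declare `unsigned int paddingLen;` and assign `paddingLen = extensionLen - 4;` after the range check. A comment on `ssl3_CalculatePaddingExtensionLength` that `recordLength` is the value of the record-layer length field (handshake header plus body, excluding the 5-byte record header) would help, since the caller comment speaks of the record's length and the two are easy to confuse.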
107 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
108 --- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:03:25.346656907 -0800
109 +++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:03:36.916845935 -0800
110 @@ -237,6 +237,13 @@ extern PRInt32
111 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
112 const ssl3HelloExtensionSender *sender);
114 +extern unsigned int
115 +ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength);
117 +extern PRInt32
118 +ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
119 + PRUint32 maxBytes);
121 /* Socket ops */
122 struct sslSocketOpsStr {
123 int (*connect) (sslSocket *, const PRNetAddr *);
124 diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
125 --- a/nss/lib/ssl/sslt.h 2014-01-03 19:02:30.135754914 -0800
126 +++ b/nss/lib/ssl/sslt.h 2014-01-03 19:03:36.916845935 -0800
127 @@ -205,9 +205,10 @@ typedef enum {
128 ssl_session_ticket_xtn = 35,
129 ssl_next_proto_nego_xtn = 13172,
130 ssl_channel_id_xtn = 30032,
131 + ssl_padding_xtn = 35655,
132 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
133 } SSLExtensionType;
135 -#define SSL_MAX_EXTENSIONS 11
136 +#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */
138 #endif /* __sslt_h_ */
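Review bot: The new enumerator `ssl_padding_xtn = 35655` carries no explanation of where the number comes from, and as far as I can tell it is a provisional value rather than an IANA-registered extension type, so a reader comparing it against the registry will think it is wrong; a comment such as `ssl_padding_xtn = 35655, /* provisional value, not an IANA-assigned type */` (naming the draft it was taken from, if known) would prevent that. The `SSL_MAX_EXTENSIONS` comment is a good start, but it could also say why the padding extension is excluded, e.g. that it is appended directly by ssl3_SendClientHello and is never recorded in the advertised-extension list, which is what keeps a server that echoes it from being accepted.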