Commit 01f2f18f authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Option to disable padding extension. 

Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.

This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.

PR#3336
parent f8aab617

doc/ssl/SSL_CTX_set_options.pod

+6 −0
Original line number Diff line number Diff line
@@ -112,6 +112,12 @@ vulnerability affecting CBC ciphers, which cannot be handled by some 
broken SSL implementations.  This option has no effect for connections

using other ciphers.



=item SSL_OP_TLSEXT_PADDING



Adds a padding extension to ensure the ClientHello size is never between

256 and 511 bytes in length. This is needed as a workaround for some

implementations.



=item SSL_OP_ALL



All of the above bug workarounds.

ssl/ssl.h

+3 −1
Original line number Diff line number Diff line
@@ -662,7 +662,7 @@ struct ssl_session_st 
/* Allow initial connection to servers that don't support RI */

#define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L

#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L

#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L

#define SSL_OP_TLSEXT_PADDING				0x00000010L

#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L

#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG			0x00000040L

#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
@@ -671,6 +671,8 @@ struct ssl_session_st 


/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */

#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x0

/* Refers to ancient SSLREF and SSLv2, retained for compatibility */

#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x0



/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added

 * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)

ssl/t1_lib.c

+22 −21
Original line number Diff line number Diff line
@@ -1508,18 +1508,20 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha 
	s2n(TLSEXT_TYPE_encrypt_then_mac,ret);

	s2n(0,ret);

#endif

#ifdef TLSEXT_TYPE_padding



	/* Add padding to workaround bugs in F5 terminators.

	 * See https://tools.ietf.org/html/draft-agl-tls-padding-03

	 *

	 * NB: because this code works out the length of all existing

	 * extensions it MUST always appear last.

	 */

	if (s->options & SSL_OP_TLSEXT_PADDING)

		{

		int hlen = ret - (unsigned char *)s->init_buf->data;

	/* The code in s23_clnt.c to build ClientHello messages includes the

	 * 5-byte record header in the buffer, while the code in s3_clnt.c does

	 * not. */

		/* The code in s23_clnt.c to build ClientHello messages

		 * includes the 5-byte record header in the buffer, while

		 * the code in s3_clnt.c does not.

		 */

		if (s->state == SSL23_ST_CW_CLNT_HELLO_A)

			hlen -= 5;

		if (hlen > 0xff && hlen < 0x200)
@@ -1536,7 +1538,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha 
			ret += hlen;

			}

		}

#endif



	if ((extdatalen = ret-p-2) == 0)

		return p;